Configuring OneDrive through Group Policy is the standard way to enforce consistent sync behavior across domain-joined machines without relying on users to configure anything themselves. You can control which folders sync, how the client signs in, how much bandwidth it uses, and whether users can connect personal accounts. All of this is controlled from a single GPO linked to the appropriate OU.
How to configure ADMX templates for OneDrive
Before you can configure any OneDrive policy in the Group Policy Management Console (GPMC), the OneDrive Administrative Templates must be installed. Without them, the OneDrive policy node will not appear in the GPMC.
The OneDrive sync client ships with its own ADMX template. You will find the files in one of two locations depending on how OneDrive was installed:
- Per-machine installation:
- Per-user installation:
The adm\ folder contains two files, OneDrive.admx and OneDrive.adml. The ADMX file defines the Group Policy settings themselves. The ADML file provides the display language strings that appear in the GPMC. If you only copy the ADMX file, the policies will load but display placeholder text instead of readable setting names. If the sync client is not installed on your management workstation, download the latest OneDrive setup package from Microsoft, install it on a test machine, and copy the files from there.
How to add ADMX files to the Group Policy Central Store
The Central Store is a folder on your primary domain controller (DC) that all Group Policy Management Consoles on your network read from. Storing templates here means every admin sees the same policies without needing local ADMX installations.
- On your DC, open File Explorer and navigate to \\<your-domain-name>\SYSVOL\<your-domain-name>\Policies\.
- If a PolicyDefinitions folder does not already exist here, create one.
- Copy OneDrive.admx into \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions\.
- In the PolicyDefinitions folder, create a subfolder and copy OneDrive.adml into that subfolder.
- Open the GPMC on any workstation and navigate to Computer Configuration > Policies > Administrative Templates. If the templates loaded correctly, you will see a OneDrive node in the left pane.
Finding your tenant ID before configuring OneDrive policies
Several critical OneDrive Group Policy settings require your organization's Tenant ID as a parameter value, specifically known folder move and silent account configuration. If you enter an incorrect GUID, these policies appear to apply successfully but produce no visible result on endpoints, which is one of the most common sources of confusion in OneDrive GPO deployments.
There are three reliable ways to find your tenant ID:
Using the Azure portal
- Go to portal.azure.com and sign in with a Global Administrator or appropriate admin account.
- Navigate to Microsoft Entra ID.
- In the overview page, copy the Tenant ID field.
Using the Microsoft 365 admin center
- Sign in at admin.microsoft.com.
- Go to Settings > Org settings > Organization profile.
- The Tenant ID appears here as a read-only field.
Using PowerShell
How to configure OneDrive Files On-Demand via Group Policy
Files On-Demand allows users to see all their OneDrive files in File Explorer without downloading them to local storage. Enforcing this setting via GPO ensures a consistent experience across all domain-joined machines, regardless of whether individual users have adjusted their own OneDrive settings.
The registry key that this policy writes is:
- HKLM\SOFTWARE\Policies\Microsoft\OneDrive (Computer scope)
- HKCU\SOFTWARE\Policies\Microsoft\OneDrive (User scope)
- Value name: FilesOnDemandEnabled
- Value data: 1 (enabled), 0 (disabled)
To configure Files On-Demand via GPO:
- Open the GPMC and navigate to the GPO you want to edit, or create a new one.
- Right-click the GPO and select Edit.
- Navigate to Computer Configuration > Policies > Administrative Templates > OneDrive.
- Double-click Use OneDrive Files On-Demand.
- Set it to Enabled and click OK.
- Close the GPMC and run gpupdate /force on a test machine.
- Open File Explorer on that machine and sign into OneDrive. Files should appear with cloud status icons rather than being fully downloaded.
Computer vs. User Configuration scope for Files On-Demand
The Files On-Demand policy exists under Computer Configuration and not User Configuration. This distinction matters operationally: Computer Configuration policies apply to the machine when it starts up, before any user logs in. User Configuration policies apply when a specific user logs on.
For Files On-Demand, using Computer Configuration means the setting applies to every user who signs into that machine regardless of their OneDrive preferences. If you configure the same setting under User Configuration instead, it applies only to the specific user objects targeted by the GPO, which is useful if you need different behavior for different user groups on the same hardware. If you place the policy under User Configuration and target it at a machine OU, it will not apply, because machine objects do not process User Configuration settings. When a policy silently fails to apply, the wrong scope is the first thing to verify.
How to set up a OneDrive known folder move
Known folder move (KFM) redirects the Windows known folders to OneDrive so their contents are automatically synced. KFM is one of the highest-value OneDrive GPO settings for most organizations because it protects user data on endpoints without requiring any user action.
There are two policies that handle this:
- KFMSilentOptIn (OneDrive_KFMSilentOptIn): Redirects known folders without showing the user a prompt. This is the policy to use for bulk deployments.
- KFMOptInWithWizard (OneDrive_KFMOptIn): Displays a prompt asking users to opt in to the redirection.
For managed environments, you can use KFMSilentOptIn, but ensure that Silent Account Configuration is in effect so users are signed into OneDrive before the folder redirection applies.
To configure KFMSilentOptIn:
- Open the GPMC and navigate to Computer Configuration > Policies > Administrative Templates > OneDrive.
- Double-click Silently move Windows known folders to OneDrive.
- Set the policy to Enabled.
- In the Tenant ID field, paste the Tenant ID you copied.
- Optionally, enable Show notification to users after folders have been redirected so users see a brief confirmation after the redirect occurs.
- Click OK, close the editor, and run gpupdate /force on a test machine.
- Verify by checking that the Desktop, Documents, and Pictures folders in File Explorer show the OneDrive sync status icon.
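A scripted equivalent of the steps above, as an added example that is not part of the original article: it refuses to write a malformed or all-zero tenant ID, which is the input error that otherwise fails silently. It assumes the GroupPolicy module (RSAT) is installed; the GPO name and tenant ID are placeholders, and the value names SilentAccountConfig and KFMSilentOptInWithNotification come from Microsoft's OneDrive policy reference rather than from this page.

```powershell
# Added example: write the KFM-related policy values into an existing GPO.
param(
    [string]$GpoName  = 'OneDrive - Baseline',                    # hypothetical GPO name
    [string]$TenantId = '00000000-0000-0000-0000-000000000000'    # placeholder, replace it
)
Import-Module GroupPolicy -ErrorAction Stop

# Validate the tenant ID before it goes anywhere near the GPO.
$parsed = [guid]::Empty
if (-not ([guid]::TryParse($TenantId, [ref]$parsed)) -or $parsed -eq [guid]::Empty) {
    throw "Tenant ID '$TenantId' is not a usable GUID; nothing was written."
}
$tenant = $parsed.ToString()   # normalised form: lowercase, hyphenated, no braces

# Fail early if the GPO does not exist instead of creating values in the wrong place.
$gpo = Get-GPO -Name $GpoName -ErrorAction Stop

$key = 'HKLM\SOFTWARE\Policies\Microsoft\OneDrive'

# Silent sign-in must be in effect for the silent folder move to work.
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'SilentAccountConfig' `
    -Type DWord -Value 1 | Out-Null

# KFMSilentOptIn stores the tenant ID as a string.
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'KFMSilentOptIn' `
    -Type String -Value $tenant | Out-Null

# Optional: show users a notification after the folders have been redirected.
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'KFMSilentOptInWithNotification' `
    -Type DWord -Value 1 | Out-Null

# Read the values back from the GPO so the change can be reviewed before testing.
Get-GPRegistryValue -Name $gpo.DisplayName -Key $key |
    Select-Object ValueName, Type, Value
```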
How to configure key OneDrive GPO settings
Three foundational policies control how the OneDrive sync client behaves at sign-in and startup. Configuring all three consistently is the baseline for a reliable OneDrive deployment across your domain.
Silent account configuration
This policy signs users into the OneDrive sync client automatically using their Windows credentials. When a user logs on to a domain-joined machine, OneDrive detects their Microsoft Entra ID identity and signs in without prompting for credentials. This is the policy that makes KFM and other tenant-specific settings possible. It lives under Computer Configuration > Policies > Administrative Templates > OneDrive > Silently sign in users to the OneDrive sync app with their Windows credentials.
AutoStart policy
By default, OneDrive launches at user login. In environments where the sync client was manually stopped or removed from startup, you can enforce this via GPO. The policy Prevent users from changing the OneDrive sync app sign-in controls whether users can stop OneDrive from running. For most deployments, the default behavior is correct and requires no explicit GPO change.
Scope selection
The following table maps the most common OneDrive policies to their correct GPO scope:
| Policy | Correct scope | Notes |
|---|---|---|
| Silent Account Configuration | Computer Configuration | Must apply before user login |
| Files On-Demand | Computer Configuration | Applies to the machine; affects all users |
| KFMSilentOptIn (Known Folder Move) | Computer Configuration | Requires Silent Account Configuration active |
| Block syncing of specific file types | User Configuration or Computer | Can be scoped either way depending on targeting need |
| Prevent users from syncing personal OneDrive accounts | Computer Configuration | Apply at machine level to block personal account sync |
Monitoring OneDrive sync health and managing bandwidth through Group Policy
Enabling sync health reporting
The policy OneDrive_EnableSyncAdminReports enables the OneDrive Sync Health dashboard in the SharePoint Admin Center. When enabled, each client reports its sync status to a central view accessible to admins.
- In the GPMC, navigate to Computer Configuration > Policies > Administrative Templates > OneDrive.
- Click Enable OneDrive sync health reports for sync admin and apply the policy.
- The corresponding registry key is: HKLM\SOFTWARE\Policies\Microsoft\OneDrive, value EnableSyncAdminReports set to 1.
- To view the reporting dashboard, go to Reports > Usage > OneDrive Sync Health in the Microsoft 365 admin center, or to Health > Sync in the SharePoint Admin Center.
Bandwidth management
The following policies let you throttle OneDrive's upload and download throughput to protect network capacity:
- Limit the sync app upload rate to a percentage of throughput: This caps upload bandwidth as a percentage of available throughput, adapting dynamically as conditions change. Navigate to Computer Configuration > Policies > Administrative Templates > OneDrive > Limit the sync app upload rate to a percentage of throughput and configure this.
- Set maximum upload throughput: This sets a fixed kilobytes-per-second ceiling for uploads. This is useful when you need a hard cap rather than a dynamic percentage.
- Set maximum download throughput: This sets a fixed kilobytes-per-second ceiling for downloads.
For environments where most sync activity should happen outside business hours, configure these policies to throttle aggressively during the day and set no limit overnight.
Sync update ring configuration via GPO
The OneDrive sync client updates automatically, but setting the sync app update ring policy controls which release channel each machine receives:
- Insider: This is suitable for a test group and includes the latest features first.
- Production: This is the default channel for most endpoints.
- Deferred (Enterprise): This is recommended for stability-critical environments such as call centers, clinical workstations, or any environment where unexpected behavior is disruptive.
You can find this policy at Computer Configuration > Policies > Administrative Templates > OneDrive > Set the sync app update ring. Select Deferred for managed environments where stability outweighs having the latest features.
Troubleshooting common OneDrive GPO issues including KFM failures and policy not applying
Even a correctly configured GPO can fail to apply on endpoints for reasons that have nothing to do with the policy settings themselves. Here are the most common scenarios and how to diagnose them:
- Policy not applying after configuration: The most common causes are GPO link status, WMI filter misconfiguration, or GPO inheritance blocking. Check the following:
  - Confirm the GPO is linked to the correct OU and that the link is enabled.
  - Check whether GPO inheritance is blocked on the OU containing the target machines. Navigate to the OU in the GPMC, right-click, and look for the Block Inheritance option.
  - Confirm WMI filters are not excluding your machines. Under the GPO's Scope tab, check the WMI Filtering section.
  - On the endpoint, run gpresult /r to confirm whether the GPO appears under Applied Group Policy Objects or Denied Group Policy Objects.
- KFM silently failing: Check the registry key HKLM\SOFTWARE\Policies\Microsoft\OneDrive\AllowTenantList or KFMSilentOptIn to confirm whether the policy was written correctly. If the registry key is absent, the GPO either did not apply or is in the wrong scope.
- Registry keys not being written: Run gpresult /h report.html for a detailed HTML report showing applied and denied policies, and the reason for denial. Look for the relevant OneDrive policy and check the Details column for CSE (Client-Side Extension) errors.
- B2B Sync blocked by GPO: If your organization uses Microsoft Entra ID B2B to collaborate with external tenants, you may find that external users cannot sync shared libraries. Check whether the policy Allow syncing OneDrive accounts for only specific organizations is configured and whether the external tenant's ID is included in the allowlist.
Using GPO troubleshooting tools to verify policy application
The two tools you will use most often are gpresult and the Resultant Set of Policy (RSoP) snap-in.
Using gpresult
- On the target machine, open Command Prompt as administrator.
- Run gpresult /r for a console summary, or gpresult /h C:\gpresult.html for a full HTML report.
- In the output, locate Applied Group Policy Objects under the COMPUTER SETTINGS section. Your OneDrive GPO should appear here if it was applied. If it appears under Denied Group Policy Objects, the reason column tells you why.
Using RSoP
- Press Win + R, type rsop.msc, and press Enter.
- The snap-in calculates and displays the effective policy for the current user and machine.
- Navigate to Computer Configuration > Administrative Templates > OneDrive to see whether individual OneDrive policies show as Enabled, Disabled, or Not Configured, and which GPO is the winning source for each setting.
Registry verification
As a secondary check, open regedit and inspect the keys that OneDrive GPO settings write to confirm that the expected values are present. Most OneDrive Computer Configuration policies write to HKLM\SOFTWARE\Policies\Microsoft\OneDrive.
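The registry check above, together with the tenant ID and KFM checks from the troubleshooting list, as an added PowerShell example that is not part of the original article. The expected tenant ID is a constructed placeholder, and the SilentAccountConfig value name is taken from Microsoft's OneDrive policy reference, not from this page.

```powershell
# Added example: audit the OneDrive policy values on one endpoint.
param(
    # Constructed placeholder; pass your own tenant ID.
    [string]$ExpectedTenantId = '00000000-0000-0000-0000-000000000000',
    [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
)

function Test-TenantGuid {
    param([string]$Value, [guid]$Expected)
    $parsed = [guid]::Empty
    if (-not ([guid]::TryParse($Value, [ref]$parsed))) { return 'MALFORMED' }
    if ($parsed -eq $Expected) { return 'MATCH' }
    return 'MISMATCH'
}

if (-not (Test-Path $PolicyKey)) {
    Write-Warning "$PolicyKey is absent: the GPO did not apply or is in the wrong scope."
    return
}
$props   = Get-ItemProperty -Path $PolicyKey
$results = @()

# DWORD policies: value name -> data expected when the policy is Enabled.
$dwordChecks = [ordered]@{
    FilesOnDemandEnabled   = 1
    EnableSyncAdminReports = 1
    SilentAccountConfig    = 1   # name from Microsoft's policy reference (assumption)
}
foreach ($name in $dwordChecks.Keys) {
    $actual = $props.$name
    if ($null -eq $actual)                     { $state = 'NOT SET' }
    elseif ($actual -eq $dwordChecks[$name])   { $state = 'OK' }
    else                                       { $state = 'UNEXPECTED' }
    $results += [pscustomobject]@{ Setting = $name; Data = $actual; State = $state }
}

# KFMSilentOptIn holds the tenant ID; a wrong GUID applies with no visible effect.
$kfm = $props.KFMSilentOptIn
if ($null -eq $kfm) { $kfmState = 'NOT SET' }
else                { $kfmState = Test-TenantGuid $kfm $ExpectedTenantId }
$results += [pscustomobject]@{ Setting = 'KFMSilentOptIn'; Data = $kfm; State = $kfmState }

# AllowTenantList is a subkey whose value names are the permitted tenant IDs.
# MISMATCH here means another tenant is allowed to sync (for example a B2B partner).
$allowKey = Join-Path $PolicyKey 'AllowTenantList'
if (Test-Path $allowKey) {
    foreach ($id in (Get-Item $allowKey).GetValueNames()) {
        $state = Test-TenantGuid $id $ExpectedTenantId
        $results += [pscustomobject]@{ Setting = 'AllowTenantList'; Data = $id; State = $state }
    }
}

$results | Format-Table -AutoSize
```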
Scale OneDrive management beyond what GPMC can handle
The native GPMC workflow works for single GPO changes but gets difficult to manage as your environment grows. Applying a new OneDrive policy to 20 OUs means 20 manual linking steps, and verifying applied policies across hundreds of machines requires running gpresult on each one individually.
ADManager Plus provides a centralized GPO management console that simplifies this across your domain:
- Manage and link GPOs across multiple OUs simultaneously from an intuitive interface without opening the GPMC on each admin workstation.
- View GPO settings across OUs, and trigger a force update on selected machines directly from the console.
- Run a Resultant Set of Policy report to see the effective policy applied to any container without running gpresult manually on each endpoint.
- Delegate GPO tasks to help desk staff without granting full domain admin rights. Create scoped help desk roles with specific permitted GPO actions and assign them to technicians limited to the OUs they are responsible for.
FAQs
1. How do you set up OneDrive for a group?
Use Group Policy to deploy OneDrive settings to a group of users or machines by linking a GPO to the relevant OU. Start by installing the OneDrive ADMX templates on your DC, then enable silent account configuration so users are signed in automatically, and enable known folder move to redirect Desktop, Documents, and Pictures to OneDrive without user involvement.
2. How do I enable sync health reporting for OneDrive GPO?
Enable the EnableSyncAdminReports policy under Computer Configuration > Policies > Administrative Templates > OneDrive > Enable OneDrive sync health reports for sync admin. This writes EnableSyncAdminReports = 1 to HKLM\SOFTWARE\Policies\Microsoft\OneDrive. Once applied, sync status for all endpoints appears in the OneDrive Sync Health dashboard under Reports > Usage > OneDrive Sync Health in the Microsoft 365 admin center. Allow 24 to 72 hours for data to populate after first enabling the policy.
3. How do you disable OneDrive via GPO?
To prevent OneDrive from running on domain-joined machines, navigate to Computer Configuration > Policies > Administrative Templates > OneDrive and enable Prevent the usage of OneDrive for file storage. This disables the sync client entirely and removes OneDrive from File Explorer. To block only personal account sync while allowing work accounts, use the Allow syncing OneDrive accounts for only specific organizations policy and specify your Tenant ID as the permitted organization.
4. What is the downside to using OneDrive?
The most common operational pain point in managed environments is the MFA limitation on Silent Account Configuration. When MFA is enforced on user accounts, OneDrive cannot sign in silently at login because there is no UI to complete the second-factor prompt. The result is that KFM never activates on those machines. The workaround is hybrid Azure AD join, which satisfies MFA claims via a Primary Refresh Token at machine startup. Bandwidth consumption during initial sync can also be significant on slower connections; you can use the upload and download throttle policies covered in the monitoring section to control this.