Sunday, December 8, 2024
Intune

MEM – Configure OneDrive KFM via Intune

In this post, we will demonstrate how to set up OneDrive KFM (Known Folder Move) for Business via Microsoft Intune. As always, the following is for example purposes only; further restrictions might be required by your organisation. You can view a full list and descriptions of the available policies here.

Objectives

  • Setup OneDrive for Business for end-users
  • Enable KFM (Known Folder Move)
  • Block end-users from reverting known folders configuration to their PC
  • Block personal OneDrive accounts
  • Restrict OneDrive client to sync only specific Azure AD tenant
  • Enable Files On-Demand

Obtaining the Azure AD tenant ID

To be able to set up Known Folder Move and restrict the OneDrive client to one tenant, we need to retrieve the Azure AD tenant ID. To do this, sign in to the Azure AD portal, select Azure Active Directory, then Properties; the Tenant ID will be shown there. Copy the ID, as we will need it later (for the purpose of this post, I will blur out the ID):

Gathering the Tenant ID to deploy OneDrive KFM via Intune.
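If you would rather retrieve the tenant ID from a console than from the portal, the following is an added example (not part of the original post) using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and that the signed-in account can read the organization object; the GUID format check is there so that a copy-and-paste mistake is caught before the ID is pasted into a policy.

```powershell
# Added example: retrieve the Azure AD tenant ID with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "Organization.Read.All"

# A tenant has exactly one organization object; its Id is the tenant ID.
$org = Get-MgOrganization | Select-Object -First 1
$tenantId = $org.Id

# Sanity-check the format before using it in the KFM / allowed-tenant policies.
if ($tenantId -notmatch '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$') {
    throw "Unexpected tenant ID format: $tenantId"
}

Write-Output "Tenant ID: $tenantId ($($org.DisplayName))"
```

Keep the value handy: the same GUID is entered in both the "Silently move Windows known folders to OneDrive" and "Allow syncing OneDrive accounts for only specific organizations" settings below, and a typo in either one silently breaks the intended behaviour.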

Creating the OneDrive Configuration Profile

Now that we have the Tenant ID, we’ll create the Configuration Profile that will configure the OneDrive policy settings. Sign in to the MEM Admin Center portal, go to Devices, then Configuration Profiles, and select Create Profile:

Creating the OneDrive configuration profile within Intune.

Select Windows 10 and later for platform and Administrative Templates for Profile:

Type in a relevant Name and Description:

On the Configuration Settings page, select All Settings and type in ‘OneDrive’ to find all of the OneDrive available settings:

Based on the above objectives, we’ll create the appropriate settings; I will break these down per objective.

Setup OneDrive for Business for end-users

Find the setting ‘Silently sign in users to the OneDrive sync client with their Windows Credentials’ and set this to Enabled:

Enable KFM (Known Folder Move)

Find the setting ‘Silently move Windows known folders to OneDrive’, set this to Enabled, enter the Tenant ID located earlier and choose whether to display a notification to users:

Block end-users from reverting known folders configuration to their PC

Find the setting ‘Prevent users from redirecting their Windows known folders to their PC’ and set this to Enabled:

Block personal OneDrive accounts

Find the setting ‘Prevent users from syncing personal OneDrive accounts’ and set this to Enabled:

Restrict OneDrive client to sync only specific Azure AD tenant

Find the setting ‘Allow syncing OneDrive accounts for only specific organizations’, set this to Enabled and enter the Tenant ID(s):

Enable Files On-Demand

Find the setting ‘Use OneDrive Files On-Demand’ and set this to Enabled:

Settings Check

Following the above, the profile should look like this:

As always, it’s recommended to deploy the profile to a test group of users to confirm all is well.
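When validating on the test group, it helps to confirm on the endpoint itself that every policy from the six objectives above actually arrived, rather than relying on the Intune console status alone. The script below is an added example, not part of the original post. It assumes the ADMX-backed OneDrive policies are written to the standard OneDrive policy registry location (HKLM\SOFTWARE\Policies\Microsoft\OneDrive) with the value names used by the OneDrive ADMX template; the tenant ID is a placeholder you replace with your own. Run it in an elevated PowerShell session on a device that has checked in.

```powershell
# Added example: verify the OneDrive KFM policy values on a managed device.
# Assumption: Intune's Administrative Template settings land in the same registry
# location and value names as the OneDrive ADMX policy (HKLM\SOFTWARE\Policies\Microsoft\OneDrive).
$ExpectedTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder: replace with your tenant ID
$PolicyKey        = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

# One entry per objective from the post, mapped to the registry value the policy sets.
$checks = @(
    @{ Objective = 'Silent sign-in';                 Name = 'SilentAccountConfig';  Expected = 1 },
    @{ Objective = 'KFM silent opt-in (tenant)';     Name = 'KFMSilentOptIn';       Expected = $ExpectedTenantId },
    @{ Objective = 'Block reverting known folders';  Name = 'KFMBlockOptOut';       Expected = 1 },
    @{ Objective = 'Block personal accounts';        Name = 'DisablePersonalSync';  Expected = 1 },
    @{ Objective = 'Files On-Demand';                Name = 'FilesOnDemandEnabled'; Expected = 1 }
)

function Test-OneDrivePolicy {
    param([string]$Key, [hashtable]$Check)
    # Read the single value; a missing value means the policy never applied.
    $actual = (Get-ItemProperty -Path $Key -Name $Check.Name -ErrorAction SilentlyContinue).($Check.Name)
    $pass   = ($null -ne $actual) -and ("$actual" -ieq "$($Check.Expected)")
    [pscustomobject]@{
        Objective = $Check.Objective
        Value     = $Check.Name
        Expected  = $Check.Expected
        Actual    = $actual
        Pass      = $pass
    }
}

$results = @(foreach ($c in $checks) { Test-OneDrivePolicy -Key $PolicyKey -Check $c })

# The allowed-tenant policy is a subkey holding one value per permitted tenant ID.
$allowKey = Join-Path $PolicyKey 'AllowTenantList'
$allowed  = @()
if (Test-Path $allowKey) {
    $allowed = @((Get-Item $allowKey).GetValueNames())
}
$results += [pscustomobject]@{
    Objective = 'Restrict sync to tenant'
    Value     = 'AllowTenantList'
    Expected  = $ExpectedTenantId
    Actual    = ($allowed -join ', ')
    Pass      = ($allowed -icontains $ExpectedTenantId)
}

$results | Format-Table -AutoSize

# Non-zero exit so the script can be used as a detection step in a wider rollout check.
if ($results.Pass -contains $false) {
    Write-Warning 'One or more OneDrive policies are missing or have unexpected values.'
    exit 1
}
```

A device that passes all six rows has received the full profile; a failing row points directly at the objective whose setting did not apply, which is far quicker to act on than a generic "profile error" in the console. Note that the KFM and AllowTenantList rows compare against the same GUID, so a tenant ID typo in the profile shows up in both.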

End-User Experience

Once the Configuration Profile has been assigned to an end-user and checked in with the Intune service, the end-user will see the following notifications:

Known folder move, redirecting the Desktop, Documents and Pictures folders to OneDrive:

When attempting to sync to another OneDrive for Business account:

When attempting to sync a personal OneDrive account:

Users are unable to move known folders back to their PC:

Enjoy!