MEM – Configure OneDrive KFM via Intune
In this post, we will demonstrate how to set up OneDrive KFM (Known Folder Move) for Business via Microsoft Intune. As always, the following is for example purposes only; further restrictions might be required by your organisation. You can view a full list and descriptions of the available policies here.
Objectives
- Setup OneDrive for Business for end-users
- Enable KFM (Known Folder Move)
- Block end-users from reverting known folders configuration to their PC
- Block personal OneDrive accounts
- Restrict OneDrive client to sync only specific Azure AD tenant
- Enable Files On-Demand
Obtaining the Azure AD tenant ID
To be able to set up Known Folder Move and restrict the OneDrive client to one tenant, we need to retrieve the Azure AD tenant ID. To do this, sign in to the Azure AD portal, select Azure Active Directory, then Properties; the Tenant ID will be present. Copy the ID, as we will need it later (for the purpose of this post, I will blur out the ID):
Creating the OneDrive Configuration Profile
Now that we have the Tenant ID, we’ll create the Configuration Profile that will configure the OneDrive policy settings. Sign in to the MEM Admin Center portal, go to Devices, then Configuration Profiles, and select Create Profile:
Select Windows 10 and later for platform and Administrative Templates for Profile:
Type in a relevant Name and Description:
On the Configuration Settings page, select All Settings and type in ‘OneDrive’ to find all of the OneDrive available settings:
Based on the above objectives, we’ll create the appropriate settings; I will break these down per objective.
Setup OneDrive for Business for end-users
Find the setting ‘Silently sign in users to the OneDrive sync client with their Windows Credentials’ and set this to Enabled:
Enable KFM (Known Folder Move)
Find the setting ‘Silently move Windows known folders to OneDrive’, set this to Enabled, enter the Tenant ID located earlier and choose whether to display a notification to users:
Block end-users from reverting known folders configuration to their PC
Find the setting ‘Prevent users from redirecting their Windows known folders to their PC’ and set this to Enabled:
Block personal OneDrive accounts
Find the setting ‘Prevent users from syncing personal OneDrive accounts’ and set this to Enabled:
Restrict OneDrive client to sync only specific Azure AD tenant
Find the setting ‘Allow syncing OneDrive accounts for only specific organizations’, set this to Enabled and enter the Tenant ID(s):
Enable Files On-Demand
Find the setting ‘Use OneDrive Files On-Demand’ and set this to Enabled:
Settings Check
Following the above, the profile should look like this:
As always, it’s recommended to deploy the profile to a test group of users to confirm all is well.
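When you pilot the profile on a test device, it helps to confirm that each of the six settings above actually landed on the endpoint rather than relying only on the Intune portal's "Succeeded" status. The following PowerShell script is an added example for this post, not something from the original article or from Microsoft; it reads the policy values the OneDrive ADMX template writes under HKLM\SOFTWARE\Policies\Microsoft\OneDrive (SilentAccountConfig, KFMSilentOptIn, KFMBlockOptOut, DisablePersonalSync, AllowTenantList and FilesOnDemandEnabled) and compares them with what the profile should have set. The tenant ID default is a placeholder you replace with your own, and the second function checks the signed-in user's Desktop, Documents and Pictures shell folder paths to see whether they now point into OneDrive.

```powershell
<#
  Added example (not from the original post): verify on a pilot device that the
  OneDrive Configuration Profile values arrived and that the known folders were
  redirected. Registry paths and value names are those defined by the OneDrive
  ADMX; the default tenant ID below is a placeholder.
#>
[CmdletBinding()]
param(
    # Assumption: replace with your tenant ID from Azure AD > Properties.
    [ValidatePattern('^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$')]
    [string]$ExpectedTenantId = '00000000-0000-0000-0000-000000000000'
)

$PolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$TenantListKey = "$PolicyKey\AllowTenantList"
$ShellFolders  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

function Get-PolicyValue {
    # Returns the registry value, or $null when the key or value is absent
    # (which means the policy never reached this device).
    param([string]$Key, [string]$Name)
    try   { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-OneDrivePolicy {
    param([string]$TenantId)

    # One row per objective from the post: the value name and the data it should hold.
    $checks = @(
        @{ Objective = 'Silent sign-in';      Name = 'SilentAccountConfig';  Expected = 1 }
        @{ Objective = 'Silent KFM';          Name = 'KFMSilentOptIn';       Expected = $TenantId }
        @{ Objective = 'Block KFM revert';    Name = 'KFMBlockOptOut';       Expected = 1 }
        @{ Objective = 'Block personal sync'; Name = 'DisablePersonalSync';  Expected = 1 }
        @{ Objective = 'Files On-Demand';     Name = 'FilesOnDemandEnabled'; Expected = 1 }
    )

    $results = foreach ($c in $checks) {
        $actual = Get-PolicyValue -Key $PolicyKey -Name $c.Name
        [pscustomobject]@{
            Objective = $c.Objective
            Value     = $c.Name
            Expected  = $c.Expected
            Actual    = $actual
            # String compare so a DWORD 1 matches "1" and GUIDs match case-insensitively.
            Pass      = ($null -ne $actual) -and ("$actual" -eq "$($c.Expected)")
        }
    }

    # AllowTenantList holds one value per permitted tenant, named by its GUID.
    $allowed = Get-PolicyValue -Key $TenantListKey -Name $TenantId
    $results += [pscustomobject]@{
        Objective = 'Restrict to tenant'
        Value     = "AllowTenantList\$TenantId"
        Expected  = $TenantId
        Actual    = $allowed
        Pass      = ("$allowed" -eq $TenantId)
    }
    return $results
}

function Test-KnownFolderRedirect {
    # Desktop, Documents and Pictures are the three folders KFM redirects.
    # Shell folder value names differ from the display names.
    $map = [ordered]@{ Desktop = 'Desktop'; Documents = 'Personal'; Pictures = 'My Pictures' }
    foreach ($folder in $map.Keys) {
        $raw  = Get-PolicyValue -Key $ShellFolders -Name $map[$folder]
        $path = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) } else { '' }
        [pscustomobject]@{
            Folder     = $folder
            Path       = $path
            InOneDrive = $path -like '*OneDrive*'
        }
    }
}

$policy = Test-OneDrivePolicy -TenantId $ExpectedTenantId
$policy | Format-Table -AutoSize
Test-KnownFolderRedirect | Format-Table -AutoSize

if ($policy.Pass -contains $false) {
    Write-Warning 'One or more OneDrive policy values are missing or wrong on this device.'
    exit 1
}
```

Run it in the signed-in user's session on a pilot device after the device has checked in with Intune (the HKLM policy values are readable without elevation, and the shell folder check must run as the user whose folders were moved). A missing value usually means the profile has not yet applied to that device; a wrong value usually means a conflicting policy (for example an older GPO) is still in place, and the Intune device status page will show the conflict.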
End-User Experience
Once the Configuration Profile has been assigned to an end-user and checked in with the Intune service, the end-user will see the following notifications:
Known folder move, redirecting the Desktop, Documents and Pictures folders to OneDrive:
When attempting to sync to another OneDrive for Business account:
When attempting to sync a personal OneDrive account:
Users are unable to move known folders back to their PC:
Enjoy!