Few months ago ,Microsoft announced the preview of Administrative templates which include hundreds of settings that you can configure for Internet Explorer, OneDrive, remote desktop, Word, Excel, and other Office programs.
These templates give administrators a simplified view of settings similar to group-policy, but they're 100% cloud-based.
This feature supports Windows 10 and later operating system.
As part of mobile device management (MDM) solution, we can make use of these administrative templates (admx) and create configuration profiles to complete different tasks.
In this blog post ,we will see ,how to create device configuration profile with Onedrive settings and deploy to users/devices for the devices that are enrolled via intune MDM or auto pilot or Azure AD join devices.
One of the requirement that i ran into few weeks ago was ,to disable the change of onedrive location when user configure onedrive using corporate account.
1. Login to Intune portal (either via https://portal.azure.com or https://devicemanagement.microsoft.com/ )
2.I am using device management URL , Click on Device configuration ,click on create profile
Key in the Name ,Description ,Platform –>Windows 10 and later ,Profile Type—>Administrator Templates (Preview) ,click on create
Click on settings to configure Onedrive application settings
Under settings, you will see list of settings that can be configure for device,IE,office etc.
Search for Onedrive and select the policies that you want to configure for your Org.
I am going to configure the settings for onedrive that are marked in red arrow
click on each setting and choose enable
For setting: Prevent users from changing the location of their OneDrive folder ,you need to have your tenant ID which can be obtained from your Azure Active Directory.
Click on this URL https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties and copy directory ID value.
Enter the Tenant GUID and type the value 1 to enable.
Once the settings are configured, they will save automatically ,click on close on the right corner side of the window.
Now click on the policy that we created and click on assignments ,choose the AD sec group
Click on Save.
We have created device configuration setting for Onedrive and we will now monitor this on end-user PC.
End-user experience:
Login to windows 10 device ,if the device is not yet intune enrolled ,then perform enrollment using work/school account.
upon the enrollment success ,it will sync with intune to get profile ,apps etc .
After few min ,the policy will get loaded and make necessary changes to the registry (onedrive settings).
How to monitor the admx template settings that we pushed using registry ?
After the policy applied to device ,registry changes will be applied to HKEY_CURRENT_USER\Software\Policies\Microsoft\OneDrive .
When user try to configure the onedrive ,the change of location will be disabled by Admin (intune) and the default location will be C:\users\%username%\Azure AD tenant Name
Troubleshooting if the device configuration policy not applied ? Read the blog post https://blogs.technet.microsoft.com/configmgrdogs/2018/08/09/troubleshooting-windows-10-intune-policy-failures/
2 Comments
Hi, im interested on some of your pics for my OneDrive Deep Dive . Maybe you can send me.
Hi what onedrive pics are you referring to? Do you have intune subscription? If so you can get all settinga there. If you don't have subscription, you can create trail version and play with it.
Thanks
Eswar