Enforcing Intune Policy to Restrict Local Drive Storage and Enforce OneDrive Usage

Problem Statement

In many organizations, data security and compliance are critical concerns. One common challenge is ensuring that users do not save corporate data on their local drives, where it may be vulnerable to loss, theft, or non-compliance with data governance policies. Instead, organizations want to enforce saving files directly to OneDrive for Business, ensuring data is securely backed up and accessible across devices.

Microsoft Intune provides the capability to enforce policies that restrict local storage while directing users to save their files to OneDrive. This blog explores how to configure these policies effectively.

Resolution: Configuring Intune Policy to Restrict Local Drive Storage

To achieve this, we will configure Intune policies that:

  • Prevent users from saving files to local drives (e.g., Desktop, Documents, Downloads).

  • Enforce automatic redirection to OneDrive for Business.

  • Apply the policies across all managed Windows 10/11 devices.

Step 1: Enable Known Folder Move (KFM) for OneDrive

Known Folder Move (KFM) ensures that Desktop, Documents, and Pictures are redirected to OneDrive. Here’s how to configure it via Intune:

  1. Sign in to the Microsoft Intune Admin Center.

  2. Navigate to Devices > Configuration profiles > Create profile.

  3. Select:

    • Platform: Windows 10 and later

    • Profile type: Administrative Templates

  4. Under Settings, search for OneDrive and configure the following policies:

    • Silently move Windows known folders to OneDrive → Enable

    • Prevent users from redirecting Windows known folders back to their PC → Enable

    • Prompt users to move Windows known folders to OneDrive → Enable (if needed)

  5. Assign the policy to target users or device groups.

Step 2: Restrict Saving to Local Drives via Group Policy

To block users from saving files to their local drives, configure the following settings:

  1. In Intune, create a new Configuration profile with the following settings:

    • Platform: Windows 10 and later

    • Profile type: Settings catalog

  2. Search for File Explorer settings and enable:

    • Prevent users from adding files to the root of their Users’ Files folder

    • Prevent users from saving documents to their Desktop

    • Prevent users from saving files to local drives

  3. Assign the policy to the relevant users or device groups.

Step 3: Enforce OneDrive as the Default Save Location

To make OneDrive the mandatory save location:

  1. In Intune, navigate to Devices > Configuration profiles.

  2. Create a new Administrative Template Profile.

  3. Search for Use OneDrive as the default save location and set it to Enabled.

  4. Assign it to the required user group.

Step 4: Monitor Policy Deployment

After deploying these policies, monitor compliance:

  • In the Intune Admin Center, navigate to Reports > Device compliance.

  • Verify that the policies are successfully applied and troubleshoot any failures.
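As an added example (not part of the original post), the following PowerShell script can be run on a managed device to confirm that the KFM settings from Step 1 actually arrived and that the known folders now resolve under the OneDrive for Business root. It assumes the Administrative Template settings write the documented OneDrive policy values (KFMSilentOptIn, KFMBlockOptOut, KFMOptInWithWizard) under HKLM\SOFTWARE\Policies\Microsoft\OneDrive, and that the sync client has set the OneDriveCommercial environment variable.

```powershell
# Added example: verify OneDrive Known Folder Move enforcement on a managed device.
# Assumption: the Intune Administrative Template settings land as the standard
# OneDrive policy registry values listed below.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$shellKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

function Get-KfmPolicyState {
    # Map each policy value name to the Intune setting it represents.
    $expected = [ordered]@{
        KFMSilentOptIn     = 'Silently move Windows known folders to OneDrive'  # tenant ID string
        KFMBlockOptOut     = 'Prevent users from redirecting known folders back' # DWORD 1
        KFMOptInWithWizard = 'Prompt users to move Windows known folders'       # tenant ID string, optional
    }
    $present = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $value = if ($present) { $present.$name } else { $null }
        [pscustomobject]@{
            Setting = $expected[$name]
            Value   = $value
            # A missing value, empty string or 0 means the setting is not enforced.
            Applied = ($null -ne $value -and "$value" -ne '' -and "$value" -ne '0')
        }
    }
}

function Get-KnownFolderRedirection {
    # A known folder counts as redirected when its path sits under the OneDrive
    # for Business root that the sync client exposes via $env:OneDriveCommercial.
    $root    = $env:OneDriveCommercial
    $folders = [ordered]@{ Desktop = 'Desktop'; Documents = 'Personal'; Pictures = 'My Pictures' }
    $shell   = Get-ItemProperty -Path $shellKey
    foreach ($label in $folders.Keys) {
        $raw  = "$($shell.($folders[$label]))"
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        [pscustomobject]@{
            Folder     = $label
            Path       = $path
            InOneDrive = [bool]($root -and $path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase))
        }
    }
}

Get-KfmPolicyState        | Format-Table -AutoSize
Get-KnownFolderRedirection | Format-Table -AutoSize
```

Run it in the signed-in user's context (not as SYSTEM), since the User Shell Folders values and the OneDriveCommercial variable are per-user; a folder reported with InOneDrive = False after the profile shows as applied usually means the sync client has not yet completed the move.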

Conclusion

By implementing these Intune policies, organizations can enforce a secure and compliant storage strategy: local drive storage is prevented and all user data is kept in OneDrive. This enhances data security, simplifies file access across devices, and reduces the risk of data loss due to local drive failures.

For further fine-tuning, administrators can integrate Conditional Access and DLP policies to strengthen data protection.

Would you like more details on troubleshooting policy deployment? Let us know in the comments!
