How do you get smarter in MDM & Group Policy?



Oct 21, 2024

6 Essential OneDrive Settings in Intune and Group Policy

There are a few key items you'll likely want to tune in OneDrive before setting it loose in your environment, and Microsoft lets you manage these OneDrive settings with either Group Policy or Intune. The six settings covered here are: Prompt users when they delete multiple OneDrive files on their local computer; Warn users who are low on disk space; Silently sign in users to the OneDrive sync app with their Windows credentials; Silently move Windows known folders to OneDrive; Use OneDrive Files On-Demand; and Coauthor and share in Office desktop apps (User).

To configure OneDrive settings using the Microsoft Intune Admin Center, navigate to Devices > Configuration > Create New Policy. When creating the policy, select "Windows 10 and later" as the Platform and "Settings catalog" as the Profile type. After naming the policy, type "OneDrive" into the Settings picker and select the OneDrive category. You can then choose which of the settings you want to include in the policy, as shown in the screenshot below. In this example, I have chosen six settings that serve important functions in OneDrive.

1. Prompt users when they delete multiple OneDrive files on their local computer

This is a data protection feature designed to prevent unintended bulk deletion of OneDrive files. When enabled, the setting triggers a warning prompt if a user attempts to delete more than a configured number of OneDrive files at once: the user sees a pop-up asking them to confirm the deletion. The threshold (a file count) that triggers the prompt is configurable, as shown in the screenshot below.

2. Warn users who are low on disk space

This setting monitors the local disk space on a user's device so they do not unexpectedly run out of storage, which would stop OneDrive from syncing files. It includes a configurable threshold, specified in GB, that triggers a warning notification when the user's available disk space falls below that level, as shown below:

3. Silently sign in users to the OneDrive sync app with their Windows credentials

When enabled, this setting automatically signs users in to the OneDrive sync app with their existing Windows credentials, giving a seamless single sign-on (SSO) experience and eliminating manual credential entry. It only works on devices that are Microsoft Entra joined or hybrid joined, because that is where the Windows sign-in token it reuses comes from.

4. Silently move Windows known folders to OneDrive

When enabled, this setting automatically redirects a user's Windows known folders (Documents, Pictures, and Desktop) to OneDrive without user intervention, moving the existing contents of those folders into OneDrive so that important files are backed up to the cloud. Once enabled, you must provide your tenant ID as shown below. Because the move is silent, users are not asked to consent, so pilot it with a small group first; note also that the move will not happen for folders that Group Policy has already redirected elsewhere.

5. Use OneDrive Files On-Demand

When enabled, this setting allows users to see and interact with all their OneDrive files in File Explorer without downloading them all to their device. Files are downloaded only when opened, which saves local disk space. Users can choose to make specific files or folders always available offline.

6. Coauthor and share in Office desktop apps (User)

When enabled, this setting allows users to work on the same document with colleagues at the same time, editing it and seeing each other's changes in real time.

Using Group Policy

You can also manage these settings using Group Policy, provided the OneDrive ADMX/ADML files (shipped in the adm folder of the OneDrive installation directory) are in your Group Policy central store. Five of the six settings are computer-side. Navigate to Computer Configuration > Administrative Templates > OneDrive and enable any of the five settings shown in the screenshot below. Here, I have highlighted the "Prompt users when they delete multiple OneDrive files on their local computer" setting.

The remaining setting, "Coauthor and share in Office desktop apps (User)", is a user-side setting. Navigate to User Configuration > Administrative Templates > OneDrive and enable the setting as shown in the screenshot below.

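Whichever channel delivers them, all six settings end up as values under the OneDrive policy registry keys, which is the quickest place to confirm that a GPO or Intune policy actually landed on a device. The PowerShell below is an added example, not code from the original post: it reads back each value, checks that it looks correctly configured, and warns if silent sign-in is set on a device that is not Entra joined. The registry value names follow OneDrive.admx; verify them against the ADMX version in your own central store.

```powershell
# Added example (not from the original post): audit the OneDrive policy values the six
# settings write. Value names follow OneDrive.admx; confirm against your ADMX version.

$machineKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'   # computer-side settings
$userKey    = 'HKCU:\SOFTWARE\Policies\Microsoft\OneDrive'   # the one user-side setting

# Display name -> hive, value name, and what a correctly configured value looks like.
$expected = @(
    @{ Name = 'Prompt users when they delete multiple OneDrive files'
       Key  = $machineKey; Value = 'LocalMassDeleteFileDeleteThreshold'
       Ok   = { param($v) $v -is [int] -and $v -gt 0 } }            # threshold is a file count
    @{ Name = 'Warn users who are low on disk space'
       Key  = $machineKey; Value = 'WarningMinDiskSpaceLimitInMB'
       Ok   = { param($v) $v -is [int] -and $v -gt 0 } }            # registry stores megabytes
    @{ Name = 'Silently sign in users with their Windows credentials'
       Key  = $machineKey; Value = 'SilentAccountConfig'
       Ok   = { param($v) $v -eq 1 } }
    @{ Name = 'Silently move Windows known folders to OneDrive'
       Key  = $machineKey; Value = 'KFMSilentOptIn'                  # REG_SZ holding the tenant ID
       Ok   = { param($v) $v -match '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' } }
    @{ Name = 'Use OneDrive Files On-Demand'
       Key  = $machineKey; Value = 'FilesOnDemandEnabled'
       Ok   = { param($v) $v -eq 1 } }
    @{ Name = 'Coauthor and share in Office desktop apps (User)'
       Key  = $userKey;    Value = 'EnableAllOcsiClients'
       Ok   = { param($v) $v -eq 1 } }
)

function Get-OneDrivePolicyState {
    foreach ($e in $expected) {
        $current = $null
        if (Test-Path $e.Key) {
            # A missing value is a non-terminating error; treat it as "not configured".
            $current = (Get-ItemProperty -Path $e.Key -Name $e.Value -ErrorAction SilentlyContinue).($e.Value)
        }
        [pscustomobject]@{
            Setting    = $e.Name
            ValueName  = $e.Value
            Current    = $current
            Configured = ($null -ne $current) -and [bool](& $e.Ok $current)
        }
    }
}

# Silent sign-in has a Windows token to reuse only on an Entra joined or hybrid joined device.
function Test-EntraJoined {
    $status = & dsregcmd.exe /status 2>$null
    return [bool]($status -match 'AzureAdJoined\s*:\s*YES')
}

$report = Get-OneDrivePolicyState
$report | Format-Table -AutoSize

$silent = $report | Where-Object ValueName -eq 'SilentAccountConfig'
if ($silent.Configured -and -not (Test-EntraJoined)) {
    Write-Warning 'SilentAccountConfig is set but this device is not Entra joined; silent sign-in will not work here.'
}
```

Run it in the user's session (the last setting lives under HKCU) after a gpupdate or an Intune sync; if a value is missing, gpresult /h or the Intune device status page will tell you whether the policy never applied or applied with a different value.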

Oct 07, 2024

How to Disable Windows Shortcut Keystrokes using Group Policy and Intune

Windows shortcut keys are pre-defined keyboard combinations that let users perform tasks quickly within the Windows operating system, executing commands and navigating the system faster than with a mouse or touchpad. The flip side is that shortcut keys can offer a way to reach commands or system functions that you have otherwise restricted or blocked through the menus and interfaces the user is meant to see (Win+R to get a Run box on a locked-down desktop, for example). That is why, on kiosks, shared terminals and other locked-down machines, it may be worthwhile to disable Windows key shortcuts altogether. You can do this using either Group Policy or Intune. Note that the Group Policy setting below turns off the Windows logo key combinations (Win+R, Win+E and so on); it does not affect combinations such as Ctrl+Alt+Del or Alt+Tab.

Disabling Windows Shortcut Keys using Group Policy

To disable Windows key shortcuts with Group Policy, create a GPO in the Group Policy Management Console, open it in the Group Policy Editor and navigate to User Configuration > Administrative Templates > Windows Components > File Explorer. Enable the policy setting titled "Turn off Windows key hotkeys" as shown in the screenshot below.

Then link the GPO to the OU that contains the applicable users (it is a user-side setting), using security filtering if you need to narrow it to a particular group. Users pick it up at their next sign-in.

Disabling Windows Shortcut Keys using Intune

You can also achieve a similar result using the Microsoft Intune Admin Center by enabling the Keyboard Filter feature. Navigate to Devices > Configuration profiles and click Create profile. Select Windows 10 and later as the platform and choose the Custom template. Enter a name for the profile and then add a setting with the following OMA-URI values:

  • Name: Enter a name for the setting.
  • Description: Provide a description (optional).
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/KeyboardFilter/Enable
  • Data type: Select Integer.
  • Value: Enter 1 to enable Keyboard Filter.

Then assign the profile to the designated groups and save it.
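The two approaches above differ in what they write and what they block. The PowerShell below is an added example, not code from the original post: it first checks the registry value that "Turn off Windows key hotkeys" sets (NoWinKeys under the Explorer policy key), then drives the Keyboard Filter feature through its WMI classes so that specific combinations can be blocked rather than every Windows key hotkey. It assumes the Keyboard Filter optional feature (Client-KeyboardFilter, available on Enterprise-family editions) is installed, that the script runs elevated, and that the WEKF_* class and property names match the documented Keyboard Filter classes; the default key list and the custom combination are illustrative choices, not recommendations.

```powershell
# Added example (not from the original post). Assumes Keyboard Filter is installed and the
# session is elevated; WEKF_* names are those documented for the Keyboard Filter WMI provider.

function Test-WinKeyHotkeysDisabled {
    # "Turn off Windows key hotkeys" is user-side: NoWinKeys = 1 under the Explorer policy key.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $v = (Get-ItemProperty -Path $key -Name NoWinKeys -ErrorAction SilentlyContinue).NoWinKeys
    return ($v -eq 1)
}

$kfNamespace = 'root/standardcimv2/embedded'

function Test-KeyboardFilterInstalled {
    return [bool](Get-CimClass -Namespace $kfNamespace -ClassName WEKF_PredefinedKey -ErrorAction SilentlyContinue)
}

function Set-KeyboardFilterBlocks {
    param(
        # Predefined Ids ship with the feature; these are illustrative choices for a kiosk.
        [string[]]$PredefinedKeys = @('Win+R', 'Win+E', 'Ctrl+Esc', 'Alt+Tab'),
        # Custom Ids are arbitrary combinations you define yourself (hypothetical example).
        [string[]]$CustomKeys     = @('Ctrl+Shift+T')
    )
    if (-not (Test-KeyboardFilterInstalled)) {
        throw 'Keyboard Filter is not installed (Client-KeyboardFilter optional feature).'
    }

    # Predefined combinations already exist as instances; you toggle Enabled on them.
    # Blocking Ctrl+Alt+Del would also remove the secure attention sequence, so it is
    # deliberately not in the default list.
    foreach ($id in $PredefinedKeys) {
        $k = Get-CimInstance -Namespace $kfNamespace -ClassName WEKF_PredefinedKey -Filter "Id = '$id'"
        if ($null -eq $k) { Write-Warning "No predefined key named '$id'"; continue }
        $k | Set-CimInstance -Property @{ Enabled = $true }
    }

    # Custom combinations are created if absent, otherwise re-enabled.
    foreach ($id in $CustomKeys) {
        $existing = Get-CimInstance -Namespace $kfNamespace -ClassName WEKF_CustomKey -Filter "Id = '$id'"
        if ($null -eq $existing) {
            New-CimInstance -Namespace $kfNamespace -ClassName WEKF_CustomKey -Property @{ Id = $id; Enabled = $true } | Out-Null
        } else {
            $existing | Set-CimInstance -Property @{ Enabled = $true }
        }
    }

    # Keep administrators exempt so you can still service the machine interactively.
    Get-CimInstance -Namespace $kfNamespace -ClassName WEKF_Settings -Filter "Name = 'DisableKeyboardFilterForAdministrators'" |
        Set-CimInstance -Property @{ Value = 'true' }
}

function Get-KeyboardFilterBlocks {
    # Everything currently blocked, predefined and custom.
    $pre = Get-CimInstance -Namespace $kfNamespace -ClassName WEKF_PredefinedKey | Where-Object Enabled
    $cus = Get-CimInstance -Namespace $kfNamespace -ClassName WEKF_CustomKey     | Where-Object Enabled
    @($pre) + @($cus) | Select-Object Id
}

"NoWinKeys policy applied: $(Test-WinKeyHotkeysDisabled)"
if (Test-KeyboardFilterInstalled) {
    Set-KeyboardFilterBlocks
    Get-KeyboardFilterBlocks
} else {
    Write-Warning 'Keyboard Filter not present; only the Group Policy check ran.'
}
```

Enabling Keyboard Filter on its own blocks nothing; something still has to select the combinations to block, which is what the WMI calls above do. Keep the administrator exemption in place (and know the breakout key) until you have confirmed on a test machine that you can still sign in and manage it.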

Sep 30, 2024

Customizing Windows Settings Visibility with Intune

You can create a "Settings Page Visibility List" policy that lets administrators show only specific pages in the Settings app. The key is the "showonly:" prefix that appears in the custom OMA-URI value (the other supported prefix, "hide:", does the opposite and hides only the pages you list). In this example I will keep only the following pages visible.

  • bluetooth: Bluetooth settings
  • camera: Camera settings
  • about: System information
  • sound: Sound settings
  • easeofaccess-audio: Ease of Access audio settings
  • windowsupdate-action: Windows Update actions
  • sound-devices: Sound devices settings
  • apps-volume: App volume and device preferences
  • easeofaccess-visualeffects: Ease of Access visual effects
  • appsfeatures-app: Apps & features
  • installed-apps: Installed apps list
  • privacy-webcam: Privacy settings for webcam

Using the Microsoft Intune Admin Center, navigate to Devices > Configuration > Create > New Policy. Select Windows 10 and later as the Platform and Custom as the Profile type. Name the policy and click Add to configure the OMA-URI settings as shown below.

The OMA-URI path is:

./Device/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList

Choose String as the Data Type. The value is the prefix followed by the page identifiers, separated by semicolons:

Value: showonly:bluetooth;camera;about;sound;easeofaccess-audio;windowsupdate-action;sound-devices;apps-volume;easeofaccess-visualeffects;appsfeatures-app;installed-apps;privacy-webcam

When completed the OMA-URI settings will look something like this:

Then assign the designated groups to the policy and save. Keep in mind that hiding a Settings page is a usability and hardening measure, not a security boundary: a user who has the rights to change a setting can still change it through the Control Panel, PowerShell or the registry, so pair this with the policy that actually restricts the setting in question.
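A long showonly: string is easy to get subtly wrong (a stray space, a duplicated or mistyped identifier), and nothing in the Custom profile validates it for you. The PowerShell below is an added example, not code from the original post: it builds the value from a list of page identifiers, rejects anything that is not shaped like an ms-settings page name, and then reads back where the value lands on a device. The PolicyManager registry path is the standard location the Policy CSP writes to and the SettingsPageVisibility value is what the equivalent Group Policy setting (Computer Configuration > Administrative Templates > Control Panel > Settings Page Visibility) writes; treat both as assumptions to verify on your own build.

```powershell
# Added example (not from the original post): build and validate a PageVisibilityList value,
# then read back what is currently in effect on the device.

function New-PageVisibilityList {
    param(
        [Parameter(Mandatory)][ValidateSet('showonly', 'hide')][string]$Mode,
        [Parameter(Mandatory)][string[]]$Pages
    )
    foreach ($p in $Pages) {
        # Page ids are the ms-settings: URI names: lowercase words with optional hyphens.
        if ($p -notmatch '^[a-z0-9]+(-[a-z0-9]+)*$') {
            throw "Not a valid Settings page identifier: '$p'"
        }
    }
    $unique = $Pages | Select-Object -Unique          # keeps first-seen order, drops repeats
    return ('{0}:{1}' -f $Mode, ($unique -join ';'))
}

function Get-EffectivePageVisibilityList {
    # Where the value lands depends on how it was delivered (assumed standard locations).
    $mdm = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Settings'
    $gpo = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    [pscustomobject]@{
        FromIntune      = (Get-ItemProperty -Path $mdm -Name PageVisibilityList   -ErrorAction SilentlyContinue).PageVisibilityList
        FromGroupPolicy = (Get-ItemProperty -Path $gpo -Name SettingsPageVisibility -ErrorAction SilentlyContinue).SettingsPageVisibility
    }
}

# The twelve pages from the post.
$pages = 'bluetooth', 'camera', 'about', 'sound', 'easeofaccess-audio', 'windowsupdate-action',
         'sound-devices', 'apps-volume', 'easeofaccess-visualeffects', 'appsfeatures-app',
         'installed-apps', 'privacy-webcam'

$value = New-PageVisibilityList -Mode showonly -Pages $pages
"Paste this into the Custom profile:`n$value"

# A typo is caught before it reaches a device rather than silently hiding the wrong page.
try { New-PageVisibilityList -Mode showonly -Pages @('bluetooth', 'Privacy Webcam') }
catch { Write-Warning $_.Exception.Message }

Get-EffectivePageVisibilityList
```

For a quick local test without waiting on Intune, the same string can be written to the SettingsPageVisibility value under the Explorer policy key and the Settings app reopened; remove it afterwards, because a later GPO or Intune policy will otherwise fight with it.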

Sep 16, 2024

How to Configure App-Specific Intune Access Controls

If you use Azure AD (now Microsoft Entra ID) to host your user accounts, you may want to create Conditional Access policies that apply when employees access certain cloud applications. An example might be an enterprise resource planning solution, an employee benefits site or a password manager. A couple of grant controls you can require are:

  • Require MFA as an extra layer of authentication beyond passwords to reduce the risk of unauthorized access even if credentials are compromised.
  • Require that access be granted only from Azure AD joined devices, or from devices Intune has marked as compliant.

Conditional Access policies allow you to safeguard sensitive information and apply stricter controls only where they are most needed. They can also help with various regulatory requirements and help mitigate the risks that come with remote work.

In this example I am going to create a Conditional Access policy for LastPass, a password management tool. To create a Conditional Access policy for a specific cloud application, sign in to the Microsoft Intune Admin Center and navigate to Devices > Conditional Access (the same policies are also reachable from the Microsoft Entra admin center). Click "New policy" to start configuring the new policy.

Give the policy a descriptive name and go to Assignments. For users I chose a group comprised of all IT workers who regularly access many applications; whatever group you target, exclude your emergency-access (break-glass) accounts so that a misconfigured policy cannot lock every administrator out. I then selected the two LastPass cloud applications that our organization uses, as shown in the screenshot below:

Then under Access Controls I set two grant controls: the first is MFA and the second is that the user must be on a compliant device, as shown below. Leave the operator set to "Require all the selected controls" so that satisfying one does not bypass the other.

For added security you can specify a sign-in frequency under the Session category. A sign-in frequency requires users to re-authenticate periodically when accessing the cloud applications or resources covered by the policy. As shown in the screenshot below, administrators can set the frequency based on the sensitivity of the applications or data. In this case I am requiring users to re-authenticate every day. A sensible rollout is to create the policy in report-only mode first, review the sign-in logs for a few days to see who would have been blocked, and only then switch it on.
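The same policy can be created from code, which makes it reviewable and repeatable across tenants. The PowerShell below is an added example, not code from the original post, using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the signed-in account holds the Policy.ReadWrite.ConditionalAccess, Application.Read.All, Group.Read.All and User.Read.All scopes, and that the 'IT Staff' group, the break-glass UPN and the LastPass enterprise application names are placeholders to replace with your own. It deliberately creates the policy in report-only mode with the break-glass account excluded.

```powershell
# Added example (not from the original post): LastPass Conditional Access policy via Microsoft Graph.
# Requires the Microsoft.Graph PowerShell SDK; names below are placeholders for your tenant.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'Group.Read.All', 'User.Read.All'

$itGroup    = Get-MgGroup -Filter "displayName eq 'IT Staff'"                          # placeholder group
$breakGlass = Get-MgUser  -Filter "userPrincipalName eq 'breakglass@contoso.com'"      # placeholder account
# Enterprise apps are targeted by their app (client) ID; this picks up every LastPass registration.
$lastPassApps = Get-MgServicePrincipal -Filter "startsWith(displayName, 'LastPass')" -All

if (-not $itGroup -or -not $breakGlass -or -not $lastPassApps) {
    throw 'Lookup failed; refusing to create a policy with empty assignments.'
}

$policy = @{
    displayName = 'CA-LastPass-Require-MFA-and-Compliant-Device'
    # Report-only: evaluated and logged, nothing enforced, until you have reviewed the sign-in logs.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($itGroup.Id)
            excludeUsers  = @($breakGlass.Id)         # never lock out the emergency-access account
        }
        applications = @{
            includeApplications = @($lastPassApps.AppId)
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'AND'                       # require *both* controls, not either one
        builtInControls = @('mfa', 'compliantDevice')
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled         = $true
            value             = 1
            type              = 'days'                # re-authenticate daily, as in the post
            frequencyInterval = 'timeBased'
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After the report-only review period, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Keep the policy definition in source control alongside the group and application names it depends on; a diff of the hashtable is far easier to review than a screenshot of the portal.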
