Detections
Analytics

18.10.52.1 Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client.

The recommended state for this setting is: Enabled.

Rationale:

Enabling this setting prevents users from accidentally (or intentionally) uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client.

Note: This security concern applies to any cloud-based file storage application installed on a workstation, not just the one supplied with Windows.

Impact:

Users can't access OneDrive from the OneDrive app and file picker. Windows Store apps can't access OneDrive using the WinRT API. OneDrive doesn't appear in the navigation pane in File Explorer. OneDrive files aren't kept in sync with the cloud. Users can't automatically upload photos and videos from the camera roll folder.

Note: If your organization uses Office 365, be aware that this setting will prevent users from saving files to OneDrive/SkyDrive.

Note #2: If your organization has decided to implement OneDrive for Business and therefore needs to except itself from this recommendation, we highly suggest that you also obtain and utilize the OneDrive.admx/adml template that is bundled with the latest OneDrive client, as noted at this link (this template is not included with the Windows Administrative Templates). Two alternative OneDrive settings in particular from that template are worth your consideration:

Allow syncing OneDrive accounts for only specific organizations - a computer-based setting that restricts OneDrive client connections to only approved tenant IDs.

Prevent users from synchronizing personal OneDrive accounts - a user-based setting that prevents use of consumer OneDrive (i.e. non-business).

Solution

To establish the recommended configuration, set the following Device Configuration Policy to Enabled:

To access the Device Configuration Policy from the Intune Home page:

Click Devices

Click Configuration profiles

Click Create profile

Select the platform (Windows 10 and later)

Select the profile (Custom)

Click Create

Enter a Name

Click Next

Configure the following Setting

Name: <Enter name>
Description: <Enter Description>
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/System/DisableOneDriveFileSync
Data type: Integer
Value: 1

Select OK

Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)

Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.

Default Value:

Disabled. (Apps and features can work with OneDrive file storage using the Next Generation Sync Client.)

See Also

https://workbench.cisecurity.org/benchmarks/14664

Item Details

References: CSCv7|13.4

Plugin: Windows

Control ID: ed9262231809f67c7c0aa6075f4e22f2da9ebbc6f9c1448b4bbf104cb13eee31