Basics of OneDrive Group Policies

Should I Change Group Policy Settings in OneDrive for a Small Company?

Group policies for my small company? Isn't that shooting sparrows with cannons?

No, regardless of whether you have 5, 10, 500 or 3000 users. The basics are the same for everyone. Only the deployment differs. In this article, I’ll only describe the rollout of group policies, without the big deployment tools.

You’ll learn how to equip computers with OneDrive group policies. Then you’ll learn to carry out these steps:

1. Individual group policies can be activated.
2. Activated group policies must be tested and perhaps modified.
3. The changes are then exported.
4. The exported data can then be imported to other devices.

Of course, this only makes sense if the number of devices is low. Only steps 1-3 are necessary to test the group policies on a local device.

Changing OneDrive Group Policy Prerequisites

You must be running Windows 10/11 Pro or higher. The group policies do not run under Windows X Home. You therefore need Windows X Pro.

The tools you need include the Local Group Policy Editor, the Registry Editor, and Notepad. The first two come with Windows 10/11 Pro or higher. You also need a USB stick to distribute the changes.

Some administrators will ask themselves, “Why should I use one or the other OneDrive group policy for a handful of employees?” One example of this is that you can give instructions to use “Files OnDemand,” but this is then ignored by employees. With a group policy, however, you can enforce the instruction, and the employee cannot change this setting. Some group policies really make sense and that's exactly why I wrote this article.

Where Can I Find the Group Policies for OneDrive?

Almost all group policies for Windows can be downloaded from Microsoft sites, but not the OneDrive group policies. Microsoft distributes OneDrive group policies automatically with every installation of OneDrive or every update of the sync client. There are only eighteen files with a total size of 1.1 MB, which is almost nothing compared to the complete OneDrive update of 277 MB.

Where Can I Find the OneDrive Sync Client Under Windows?

The answer of course is, “It depends.” There are three versions of the OneDrive app for Windows. A 32-bit version, a 64-bit version and a version for ARM processors. When installing Windows, it therefore depends on which processor you have in your device; and the correct setup is supplied for Windows. Of course, other (newer) setups may have been made by the administration when the image was created.

This means that you can look into the depths of the operating system on any device with OneDrive installed.

In the early days of the OneDrive Sync Client, the program itself, the configuration, and the logs were saved in the user directory:

C:\Users\[User]\Appdata\local\Microsoft\OneDrive\

Initially, OneDrive was a 32-bit program with its corresponding DLLs as well. On 8/4/2021, Microsoft delivered the preview of the 64-bit program with version 21.062.0328.0001.

Later, the somewhat protected version was used, and the programs can be found in the respective folders such as:

C:\Program Files x86\Microsoft OneDrive\ for the 32-bit version, or

C:\Program Files\Microsoft OneDrive\ for the 64-bit version.

This installation path is also referred to as device installation, which can be useful if, for example, several users share one device. This reduces the volume and time considerably, as only one installation is installed and not several. This installation path also applies to the automatic update (approx. 274 MB) of the Sync Client.

These tables describe where to find OneDrive programs and the configuration files:

or
 

When we see where the programs are in Explorer (Figure 3), we are not far from the group policies. A double-click on the currently installed version of the OneDrive client opens a large library of 916 files in 150 folders (274 MB). And inside the top directory "adm" are the group policies.

Group Policies Are Made Up of Two Components

Look at Figure 4 as you digest the information in this section.

• A file that contains the processing for Windows (OneDrive.admx) (1).
• A file listing the explanation (OneDrive.adml) (2).

Figure 4 shows that you can find the explanations for the OneDrive group policies in seventeen languages (3). Depending on the installation and the languages added, if you want to change a default group policy, you must use an adml file for each language. In my example below, I’ll discuss the American language and the German language version of the adml files.

Copy Action

For a group policy to be executable, the admx and adml files must be copied to the Windows folder C:\Windows\PolicyDefinitions. To do this, you also need admin rights on the device where you want to try it out. In medium-sized and large companies, the rollout is carried out from a central store with programs such as Microsoft Intune. Figure 5 shows the modified files in a local installation.

OneDrive.admx (1) must be copied to the PolicyDefinitions(4) folder. If a file with the same name already exists, it must be overwritten.

The English-language OneDrive.adml (2) must be copied to the folder (en-US) below the PolicyDefinitions folder (5). If a file with the same name already exists, it must be overwritten.

The same procedure must be followed for the country-specific variants (in this case German). The German-language OneDrive.adml in the de folder (3) must be copied to the German-language folder (de-DE) below the PolicyDefinitions folder (6). If a file with the same name already exists, it must be overwritten.

This shows the copy action in table form.

Local Group Policy Editor

Now you can start the Local Group Policy Editor. To do this, type "Edit Group Policy" in the search window and start the program in the Local Group Policy Editor as shown in Figure 6.

Group policies work either for the respective device (1) and/or for the respective user (3). There are therefore two areas (1+3) where these OneDrive group policies can be displayed.

Basics of How a Group Policy Works

A group policy has three states:

• Not configured
• Enabled
• Disabled

Some group policies do not need to be configured; they have a default setting. If a group policy is activated, you must first pay close attention to the meaning of the name, as some group policies prohibit something, and some allow something. Figure 6 shows some group policies with the status "Enabled", many with the status "Not configured." To activate/deactivate a group policy, select the group policy and double-click on it. I’ve opened one to edit in Figure 7.

Note: This article deals with the basics of group policies, but not with individual OneDrive group policies. Those are described in other articles.

Testing the Activated/Deactivated Group Policies

If you have decided to use OneDrive group policies and then roll them out, this is actually the most important part. Testing.

Many OneDrive group policies are active immediately, some require a reboot, others have a delayed effect depending on the settings. It is important to log the result (screenshots) because otherwise users will be surprised by the changes if they are not communicated to them.

Windows Registry

Where are the group policy settings saved?

If a group policy is active, the question arises as to where these states are saved. The answer is quite simple: In the Windows registry of every Windows device.

The registry is the database that Windows needs to function properly. It contains not only the settings to different drivers for the respective device, but also all installed programs or apps can be found here, as well as all group policies, not just those of OneDrive. So here is a warning:

Unintentional changes to the registry database can result in your device no longer starting. So be careful when manipulating the registry.

Why do we need the registry for our scenario?

A partial export of the data generated with the group policies can be exported with the registry editor and re-imported on another device. The effort is therefore only worthwhile if there are only a few devices involved. If you use Microsoft Intune (cloud) / Microsoft Configuration Manager (on-premises) or a similar program, which distributes the group policies set there, you can skip the registry information.

The registry has five different branches:

• HKEY_CLASSES_ROOT
• HKEY_CURRENT_USER → HKCU
• HKEY_LOCAL_MACHINE → HKLM
• HKEY_USERS
• HKEY_CURRENT_CONFIG

The descriptions of the group policies on Learn.Microsoft.com shows you where the OneDrive group policies are stored in the registry.

Go to the tabular listing of OneDrive group policies sorted by STRING_ID.

When I was interested in the group policies, I naturally found the group policies descriptions page I just mentioned. I had a look at the German description. And compared it with the German group policy editor. And none, really none of the group policies matched.

Why?

If the Microsoft OneDrive product group in Redmond has thought about how to make life easier for administrators with a function, then they should talk to the Windows product group. The Help should describe exactly what a group policy should do when it is implemented in Windows. A programmer probably gives the new group policy a name. (And that's why some names are so cryptic).

Since Windows supports different languages, this group policy name and the description are then translated into the different languages by the Windows team. The people in the OneDrive product group wrote down the functionality with the technical writers in Learn.Microsoft.com == Github. Up to this point, everything still worked. But then this page (https://learn.microsoft.com/en-us/sharepoint/use-group-policy#continue-syncing-on-metered-networks) was translated by the technical writers' team using an automatic program to this page in German (IT-Administratoren: Verwenden von OneDrive-Richtlinien zum Steuern von Synchronisierungseinstellungen - SharePoint in Microsoft 365 | Microsoft Learn). We had one English-language version that was correct, but sixteen automatically translated versions that didn't fit at all. Different teams, different programs. Different translations. And the chaos for the OneDrive group policies was perfect. I then thought about what similarities there were. There is only one binary file (admx), but different translated files, and the only common element of these XML files is the string id. See Figure 8.

Figure 9 shows the German representation:

Microsoft then took up this idea to use string IDs (which are equal in all languages) to make the current page suitable for all languages. Unfortunately, there are now many errors on this page and there are no Group Policy Translation Guidelines, but I have been assured that there will be an update.

Making the OneDrive Registry Edits

Once again, in addition to abbreviations on the Microsoft site:

HKCU are all the settings that apply to the user, while HKLM refers to the device.

Back to the registry. In the search field next to the Windows icon, type "Registry Editor" and then press Enter. You’ll see Figure 10.

Figure 10 shows OneDrive registry settings for the current user. The left-hand side shows the structure, and you can move there manually, or enter the following line at the top (the line below the menus) and press Enter.

Computer\HKEY_CURRENT_USER\Software\Policies\Microsoft\OneDrive

From the File menu choose Export and save the branch: OD Current User.reg

Files with the extension .reg are simple text files and can be opened with Notepad.

Figure 12 shows an active group policy for the local machine.

Similar to the previous example (below Figure 10), navigate to:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive

From the File menu choose Export and save the branch as shown in Figure 13: OD Local machine.reg

Combine the Exported Current User and Local Machine Reg Files

You can combine both files to save time later when importing. To do this, copy the header from (1) and then the contents of (2) and (3) into a new file (see Figure 14) and save the new file: OD User AND Local Machine.reg

You save this file on a memory stick, on a network drive, if available, in OneDrive for Business or a document library on SharePoint, where all other users also have access.

Roll-out for Small Companies

Remember I said near the beginning of this article that this technique is only suitable for small companies. Because now you have to log in as a local administrator on each device, call up the Registry Editor and import the file OD User AND Local Machine.reg. Then reboot because some group policies require this. Done. Then it's off to the next computer.

Summary

There are other settings in the Windows registry for OneDrive group policies. I will describe these in future articles on specific OneDrive group policies here on Tekkigurus.com. However, if you deploy with Microsoft Intune or similar tools, you can, as mentioned at the beginning, forget the information with the registry.

As an administrator, however, you should use a separate computer and test the group policies locally on your test computer before you implement these group policies for others. Suggestion: If you switch to the OneDrive Insider Ring, you will have more time for testing and implementation of new or changed group policy changes from the OneDrive team.

Tools you need:

• Group Policy Editor
• Registry Editor
• Notepad

Links to Other Group Policy Articles

• Group Policy: Excluded File Extension in OneDrive Personal