500 Days of blocking OneDrive extensions

As I mentioned in my latest blog, I would show how you can automate the company apps deployment, but first I would like to show you something brand new. This blog is about how to prevent certain files from being uploaded with OneDrive without using the OneDrive admin center.

Excluding extensions in the OneDrive admin center was the way to go to make sure some files are not synced with OneDrive. Of course, you don’t want certain files to be uploaded with OneDrive, like *.ost and maybe *.pst?

With a rule configured like the one above, OneDrive can simply stop syncing because an error occurred, and you will need to remove the files manually to make sure OneDrive does not eventually stop syncing.

There must be another way… And yes, there will be: with the latest insider OneDrive (version 20.201.1005.0006) you get a new adml file. Just open the C:\Program Files (x86)\Microsoft OneDrive\20.201.1005.0008\adm\onedrive.adml file.

Did you notice the “EnableODIgnoreListFromGPOListBox” key? That’s very cool. You can configure it in your group policy (but it’s not working yet).

Source:

OneDrive | Exclude specific kinds of files from being uploaded

I was wondering whether I could already create the necessary policy in Intune. Of course, this setting is not available in Intune (yet) because it isn’t working… First, we need to do some ADMX ingestion.

Just like I did when “forcesync” was not yet available in Intune: create your own custom ADMX file and create a new custom device configuration policy.

OMA-URI: ./device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/OneDriveNGSCv2/Policy/OnedriveDisableExtensions

Data Type: String

Value:

<?xml version="1.0" encoding="utf-8"?>
<!-- (c) 2016 Microsoft Corporation -->
<policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="OneDriveNGSC" namespace="Microsoft.Policies.OneDriveNGSC" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="OneDriveNGSC" displayName="$(string.OneDriveNGSCSettingCategory)"/>
  </categories>
  <policies>
    <policy name="EnableODIgnoreListFromGPO" class="Machine" displayName="$(string.EnableODIgnoreListFromGPO)" explainText="$(string.EnableODIgnoreListFromGPO_help)" presentation="$(presentation.EnableODIgnoreListFromGPO_Pres)" key="SOFTWARE\Policies\Microsoft\OneDrive">
      <parentCategory ref="OneDriveNGSC" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <elements>
        <list id="EnableODIgnoreListFromGPOListBox" key="Software\Policies\Microsoft\OneDrive\EnableODIgnoreListFromGPO" additive="true"/>
      </elements>
    </policy>
  </policies>
</policyDefinitions>

Now that the ADMX file is ingested, we can configure the extensions we need to block.

OMA-URI: ./device/Vendor/MSFT/Policy/Config/OneDriveNGSCv2~Policy~OneDriveNGSC/EnableODIgnoreListFromGPO

Data Type: String

Value:

<Enabled/><Data id="EnableODIgnoreListFromGPOListBox" value="*.ost&#xF000;*.ost"/>

Now we need some patience until the key is pushed to your device. Open regedit to check whether the key has been created in: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxDefault\40CB1E11-CF17-4DF8-A7EC-DBDBCFC9CA7B\OneDriveNGSCv2~Policy~OneDriveNGSC\EnableODIgnoreListFromGPO

Also check whether the policy itself has been created.
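
The same two registry checks can be scripted instead of clicking through regedit. This is an added example, not part of the original post: the AdmxDefault path is the one shown above, the policy path comes from the `list` element in the ADMX, and it assumes the list entries are written as values under that key; `$Expected` is a constructed sample list.

```powershell
# Added example: verify that the ingested ADMX and the OneDrive ignore list reached this device.
# $Expected is a constructed sample; set it to the patterns you pushed with Intune.
$Expected = @('*.ost')

# Key created when the custom ADMX has been ingested (path as given in the post).
$AdmxKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\AdmxDefault\40CB1E11-CF17-4DF8-A7EC-DBDBCFC9CA7B\OneDriveNGSCv2~Policy~OneDriveNGSC\EnableODIgnoreListFromGPO'

# Key named in the ADMX <list> element. Assumption: each list entry is stored as a value here.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive\EnableODIgnoreListFromGPO'

$admxIngested = Test-Path -LiteralPath $AdmxKey
$policyExists = Test-Path -LiteralPath $PolicyKey

# Read every value under the policy key; GetValueNames() skips the PS* helper properties.
$configured = @()
if ($policyExists) {
    $key = Get-Item -LiteralPath $PolicyKey
    $configured = @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
}

# Patterns that should be blocked but are absent, and patterns nobody asked for.
$missing    = @($Expected   | Where-Object { $configured -notcontains $_ })
$unexpected = @($configured | Where-Object { $Expected   -notcontains $_ })

[pscustomobject]@{
    AdmxIngested   = $admxIngested
    PolicyKeyFound = $policyExists
    Configured     = $configured -join ', '
    Missing        = $missing    -join ', '
    Unexpected     = $unexpected -join ', '
}

# Non-zero exit code so the script can double as a compliance or detection check.
if (-not $admxIngested -or -not $policyExists -or $missing.Count -gt 0) { exit 1 }
```

An entry under Unexpected means the list on the device differs from what was deployed, which is worth investigating before trusting the exclusion.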

It’s a shame it is not working for now. But please be patient, it will be in the near future. When it is working, you will notice some new icons (thanks to Hans Brender).

Conclusion:

It’s very cool that there will be another option to prevent some file extensions from being synced with OneDrive. For now, it’s not working. I hope to see it working real soon. But now you know how you can push this setting to your devices with Intune (when the devices have the latest OneDrive insider build).
