Configure OneDrive Known Folder Move via Microsoft Intune

By |

Last Updated on 25/02/2026 by Alex

🆕📢Update
This post covers the core OneDrive KFM settings and will absolutely still get the job done. However, if you want to get the most out of your OneDrive deployment, I’d recommend checking out my newer post Maximise your OneDrive: Recommended Profile Settings via Intune, which covers a much wider set of policies including disk space management, sync health reporting, shortcut exclusions, Files On Demand and more, all in a ready to import Settings Catalog profile.

OneDrive Known Folder Move is one of those things that every organisation deploying Microsoft 365 should have in place. Without it, users’ Desktop, Documents and Pictures folders live only on their local machine, meaning a device failure, a rebuild or even just switching to a new laptop can result in data loss. KFM solves that by silently redirecting those folders to OneDrive in the background, keeping everything backed up and accessible without any user action required.

In this post we’ll walk through how to configure OneDrive KFM via Microsoft Intune using an Administrative Templates configuration profile, covering the core settings to get you up and running. As always, treat the values used here as a starting point and adjust them to suit your organisation’s requirements. For a full list of available OneDrive policies, check out the Microsoft documentation here.

Table Of Contents
  1. Objectives
  2. Obtaining the Azure AD tenant ID
  3. Creating the OneDrive Configuration Profile
  4. End-User Experience

Objectives

  • Setup OneDrive for Business for end-users
  • Enable KFM (Known Folder Move)
  • Block end-users from reverting known folders configuration to their PC
  • Block personal OneDrive accounts
  • Restrict OneDrive client to sync only specific Azure AD tenant
  • Enable Files On-Demand

Obtaining the Azure AD tenant ID

To be able to set up the Known Folder Move and restrict the OneDrive client to one tenant, we need to retrieve the Entra ID tenant ID, to do this, sign in to the Entra ID Portal, select Entra ID, then Properties and the Tenant ID will be present, copy the ID, we will need it (For the purpose of this post, I will blur out the ID):

Gathering the Tenant ID to deploy OneDrive KFM via Intune.

Creating the OneDrive Configuration Profile

Now that we have the Tenant ID, we’ll create the Configuration Profile that will configure the OneDrive policy settings, sign in to the Intune Portal, go to Devices, then Configuration Profiles and select Create Profile:

Creating the OneDrive configuration profile within Intune.

Select Windows 10 and later for platform and Administrative Templates for Profile:

Type in a relevant Name and Description:

On the Configuration Settings page, select All Settings and type in ‘OneDrive’ to find all of the OneDrive available settings:

Based on the above objectives, we’ll create the appropriate settings, I will break these down per objective.

Setup OneDrive for Business for end-users

Find the setting ‘Silently sign in users to the OneDrive sync client with their Windows Credentials’ and set this to Enabled:

Enable KFM (Known Folder Move)

Find the setting ‘Silently move Windows known folders to OneDrive‘, set this to Enabled, enter in the Tenant ID as located earlier and choose whether to display a notification to users:

Block end-users from reverting known folders configuration to their PC

Find the setting ‘Prevent users from redirecting their Windows known folders to their PC‘ and set this to Enabled:

Block personal OneDrive accounts

Find the setting ‘Prevent users from syncing personal OneDrive accounts‘ and set this to Enabled:

Restrict OneDrive client to sync only specific Azure AD tenant

Find the setting ‘Allow syncing OneDrive accounts for only specific organizations‘, set this to Enabled and enter in the Tenant ID(s):

Enable Files On-Demand

Find the setting ‘Use OneDrive Files On-Demand‘ and set this to Enabled:

Settings Check

Following the above, the profile should look like this:

As always, it’s recommended to deploy the profile to a test group of users to confirm all is well.

End-User Experience

Once the Configuration Profile has been assigned to an end-user and checked in with the Intune service, the end-user will see the following notifications:

Known folder move, redirecting Desktop, Documents and Picture folders to OneDrive:

When attempting to sync to another OneDrive for Business account:

When attempting to sync a personal OneDrive account:

Users are unable to move known folders back to their PC:

Enjoy!

Related Posts

Scroll to Top