none
Disabling OneDrive

    Question

  • I work in a large organisation where we have implemented Office 365 and use SharePoint And OneDrive4Business as our only file-storage.

    Since we work with sensitive data we would like to remove the opportunitet to use a private OneDrive - both in Explorer and the Office-programs.

    I don't have edit rights in Group Policy Management and the guy responsible says that it is not possible. Something that I am not willing to accept just by his word when it is possible in Local Group Policy Editor.

    We are running Windows Server 2012 R2.

    Can someone please tell me exactly what policy to set to achieve  this so that I can tell him? Or perhaps (to my surprise) just confirm that you cannot?

    Thursday, February 16, 2017 1:56 PM

Answers

  • It is possible to disable OneDrive via Group Policy at any level in Active Directory, including at site, domain and/or OU level.  You will have to download the latest Group Policy template file (which includes OneDrive.admx - and it's corresponding language file OneDrive.adml) from Microsoft into the Group Policy Central Policy Store.  It's possible he did not do this step.  Then, in the GPMC, go to Computer Configuration > Policies > Administrative Templates > Windows Components > OneDrive > and enable the option "Prevent the usage of OneDrive for storage".   You have now disabled OneDrive.

    Administrative Templates (.admx) for Windows 10 and Windows Server 2016


    Best Regards, Todd Heron | Active Directory Consultant

    Thursday, February 16, 2017 3:07 PM

All replies

  • It is possible to disable OneDrive via Group Policy at any level in Active Directory, including at site, domain and/or OU level.  You will have to download the latest Group Policy template file (which includes OneDrive.admx - and it's corresponding language file OneDrive.adml) from Microsoft into the Group Policy Central Policy Store.  It's possible he did not do this step.  Then, in the GPMC, go to Computer Configuration > Policies > Administrative Templates > Windows Components > OneDrive > and enable the option "Prevent the usage of OneDrive for storage".   You have now disabled OneDrive.

    Administrative Templates (.admx) for Windows 10 and Windows Server 2016


    Best Regards, Todd Heron | Active Directory Consultant

    Thursday, February 16, 2017 3:07 PM
  • Hi,
     
    Am 16.02.2017 um 14:56 schrieb SoranDK:
    > I don't have edit rights in Group Policy Management and the guy
    > responsible says that it is not possible. Something that I am not
    > willing to accept [...]
     From a security perspective: He is right.
    "Prevent the usage of OneDrive for storage" is only functional if
    explorer.exe (Shell/API) is used. Any other Shell or Process that is not
    using explorer.exe for e.g. open/save dialogues, does not restrict the
    access to it.
     
    This restriction is close to senseless, because its some kind of
    security by obscurity.
     
    Uninstall the Application, as Nedim said. Why hiding something and
    hoping no one can find it, if you can remove it entirely?
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Privacy and Telemetry on Windows 10 - gp-pack PaT
     
    Thursday, February 16, 2017 4:28 PM
  • Hi,

    Just checking in to see if the information provided was helpful. And if the replies as above are helpful, we would appreciate you to mark them as answers, please let us know if you would like further assistance.

    Best Regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, February 20, 2017 9:47 AM
    Moderator
  • But is it not also possible to hide the options in Open/Save with:

    User Configuration\Administrative Templates\Office 2016\Miscellaneous\Block signing into Office
    -> ACTIVE -> None allowed
    User Configuration\Administrative Templates\Office 2016\Miscellaneous\Show Ondrive Sign in
    -> Disabled

    Tuesday, February 21, 2017 1:11 PM
  • Hi,

    You can also type in this uninstall command (%SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall) and dump it in a batch file/script that runs as a computer level GPO. It will uninstall OneDrive from the System

    I have tried this locally on my own machine but OneDrive is still an option in Open/Save in Office 2016.


    • Edited by SoranDK Thursday, February 23, 2017 10:55 AM Missed quote
    Tuesday, February 21, 2017 1:15 PM
  • Am 21.02.2017 um 14:11 schrieb SoranDK:
    > But is it not also possible to hide the options in Open/Save with:
     
    Its still the explorer API. Use Gimp or Totalcommander ... you will see
    and get everything, that explorer restricts. Within this tools you can
    not only save files, you can copy paste them aswell, it is a shell(!)
     
    Hiding in Shell is just a challenge between the Admin and the creativity
    of the user. Gimp and TC are not allowed? No worry, there are 1.000.000
    other tools using java or other compents for open/save. Eventually 10%
    can be used by simply unzip, but one single App out of the whole, can
    destroy your concept.
     
    Thats why I said: In theory he is right, the question is if your way is
    enough in practise.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    GET Privacy and DISABLE Telemetry on Windows 10 - gp-pack PaT
     
    Tuesday, February 21, 2017 6:28 PM
  • Am 21.02.2017 um 14:11 schrieb SoranDK:
    > But is it not also possible to hide the options in Open/Save with:
     
    Its still the explorer API. Use Gimp or Totalcommander ... you will see
    and get everything, that explorer restricts. Within this tools you can
    not only save files, you can copy paste them aswell, it is a shell(!)
     
    Hiding in Shell is just a challenge between the Admin and the creativity
    of the user. Gimp and TC are not allowed? No worry, there are 1.000.000
    other tools using java or other compents for open/save. Eventually 10%
    can be used by simply unzip, but one single App out of the whole, can
    destroy your concept.
     
    Thats why I said: In theory he is right, the question is if your way is
    enough in practise.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    GET Privacy and DISABLE Telemetry on Windows 10 - gp-pack PaT
     

    I get your point... I would of course prefer to remove it completely but the uninstall does not seem to work for me.

    The users we have are pretty basic and it is not because they want to use a private OneDrive - they just end up there by mistake. So even just limiting the access would be an improvement :-)

    Thursday, February 23, 2017 11:25 AM
  • Hi,
     
    Am 23.02.2017 um 12:25 schrieb SoranDK:
    > I get your point... I would of course prefer to remove it completely
    > but the uninstall does not seem to work for me.
     
    You need to kill onedrive.exe process, then run uninstall, change
    permissions on file and RENAME the OneDriveSetup.exe.
     
    --- RemoveOneDrive.bat ---
    cmd /c taskkill /f /im OneDrive.exe
    C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
    takeown /f C:\Windows\SysWOW64\OneDriveSetup.exe
    cacls C:\Windows\SysWOW64\OneDriveSetup.exe /E /G Benutzer:F
    ren C:\Windows\SysWOW64\OneDriveSetup.exe OneDriveSetup.org.exe
     
    --- RemoveOneDrive.bat ---
     
    > The users we have are pretty basic
     
    Do not build security on the believe in the fairy tale of stupid users
    ... better think, there are at least 100% potentially intruders ;-)
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    GET Privacy and DISABLE Telemetry on Windows 10 - gp-pack PaT
     
    Thursday, February 23, 2017 5:44 PM
  • To sum up all suggestions were rejected by the admin... It would effect OneDrive for Business aswell he claimed without having to back it but...

    Oh well... Long live OneDrive...

    Monday, March 20, 2017 3:52 PM