OneDrive Known Folder Move for Hybrid Work

Introduction

In today's dynamic work environment, enabling seamless productivity for a hybrid workforce is paramount. Employees often move between devices, locations, and network conditions, requiring ubiquitous access to their critical work files. Microsoft OneDrive Known Folder Move (KFM) is a powerful feature designed to automatically synchronize and redirect Windows' well-known user profile folders—Desktop, Documents, and Pictures—to OneDrive for Business. This ensures that users' essential data is always backed up, accessible across devices, and protected within the Microsoft 365 cloud.

This article delves into the technical intricacies of implementing and managing OneDrive KFM, particularly for organizations adopting hybrid work models. We will explore the "why," "how," and "what next" of KFM, providing administrators and IT professionals with the knowledge required to deploy this feature efficiently and securely. If you're responsible for data management, user productivity, or endpoint security within a Microsoft 365 ecosystem, this guide offers practical insights to enhance your organization's hybrid work strategy.

Why this matters

The adoption of OneDrive KFM offers significant business and technical advantages for organizations navigating the complexities of hybrid work. From a productivity standpoint, users gain uninterrupted access to their critical files regardless of the device they use or their physical location. This eliminates the common frustration of files being "stuck" on a single workstation, fostering a more agile and efficient work experience.

From a data protection and compliance perspective, KFM automatically backs up essential user data to OneDrive, leveraging Microsoft 365's robust security, versioning, and compliance capabilities. This significantly reduces the risk of data loss due to hardware failure, ransomware attacks, or accidental deletion, helping organizations meet their data retention and regulatory obligations. Furthermore, centralizing user data simplifies e-discovery and data governance initiatives. Finally, by managing data systematically, KFM contributes to a more secure environment, reducing the risk associated with unmanaged local data stores and simplifying device migrations or replacements.

Key concepts

• OneDrive for Business: Microsoft's cloud storage service for organizations, integrated with Microsoft 365, offering secure file storage, sharing, and collaboration.
• Known Folders: Standard Windows user profile folders that typically store critical user data. These include Desktop, Documents, and Pictures. KFM can also extend to Music and Videos in some configurations, though Desktop, Documents, and Pictures are the most common targets.
• Folder Redirection: A Windows feature that allows the path of a known folder to be changed from its default local location to a network or cloud location. KFM automates this process specifically for OneDrive.
• Silent KFM: An enrollment process where Known Folder Move is initiated automatically for users without requiring their direct interaction or approval. This is typically configured via Group Policy or Microsoft Intune.
• Take Control of Known Folders: The process where OneDrive client detects that known folders are not managed by OneDrive and offers to move them. KFM policy can suppress or force this.
• Group Policy Objects (GPOs): A key tool in Active Directory environments for managing user and computer settings. OneDrive KFM can be configured using Administrative Templates deployed via GPOs.
• Microsoft Intune (Endpoint Manager): A cloud-based endpoint management service in Microsoft 365 that allows organizations to manage devices and applications. Intune is the preferred method for managing KFM in modern, cloud-first environments.
• Sync Client (OneDrive.exe): The client application on Windows and macOS devices responsible for synchronizing files between the local device and OneDrive for Business cloud storage.

Step-by-step implementation

Implementing OneDrive Known Folder Move for a hybrid workforce typically involves leveraging Microsoft Intune for cloud-managed devices or Group Policy for domain-joined devices. This guide focuses on Intune, as it aligns better with modern hybrid work strategies.

1. Ensure OneDrive Sync Client is deployed: Verify that the OneDrive sync client (OneDrive.exe) is installed and up-to-date on user devices. For Intune-managed devices, this can be deployed as a required Win32 app or is often pre-installed with Windows 10/11.
2. Configure OneDrive Sync Policy in Intune:

Navigate to the Microsoft Intune admin center (endpoint.microsoft.com). Go to Devices > Configuration profiles. Click Create profile. Select Platform: Windows and later and Profile type: Settings catalog. Give your profile a name (e.g., "OneDrive KFM Policy"). In Configuration settings, click Add settings. Search for "Known Folders" or "OneDrive" and add the following settings: Silently move Windows known folders to OneDrive: Set this to Enabled. Show notification to users after folders have been silently moved: Set this to Enabled (recommended for user awareness). Prevent users from redirecting their Windows known folders to their PC: Set this to Enabled (to prevent users from undoing KFM). Prompt users to move Windows known folders to OneDrive: Set this to Disabled if using silent KFM, otherwise Enabled to give users a choice. Configure Known Folders moving to OneDrive: Select the folders you wish to move (Desktop, Documents, Pictures). * Assign the profile to your target user or device groups.

1. Monitor Deployment:

After assignment, monitor the deployment status within Intune under Devices > Configuration profiles > [Your KFM Profile Name]. Look for successful deployments and troubleshoot any errors. Educate users on the change and provide resources for common questions.

Here's an example of using Microsoft Graph PowerShell to configure a relevant OneDrive setting. While KFM itself is primarily a device/user policy, related settings like storage limits or sync client settings can be managed via Graph.

Connect-MgGraph -Scopes "User.ReadWrite.All", "Files.ReadWrite.All"

# Example: Get current OneDrive sync settings for a user
# (This is illustrative; KFM is device policy, not direct user property via this Graph scope)
# You'd typically interact with device management policies for KFM.
Get-MgUser -UserId "user@yourdomain.com" | Select-Object Id, DisplayName, OnPremisesSyncEnabled

# Example for configuring OneDrive tenant-level settings (tenant admin context)
# For example, preventing users from syncing personal OneDrive accounts on corporate devices.
# This would typically be part of a larger device compliance or configuration profile in Intune.
# There isn't a direct Graph API for 'Silently move known folders' as it's a device/user policy.
# However, you might use Graph for reporting on OneDrive usage or related user properties.

# Example: List existing device configuration profiles in Intune (via Graph PowerShell)
# This shows how Graph interacts with Intune resources.
Get-MgDeviceManagementDeviceConfiguration | Select-Object DisplayName, Description, "@odata.type"

# To specifically manage OneDrive KFM through Graph to Intune, you'd target the 'deviceConfiguration' resource
# and specify the OMA-URI for the policy.
# For example, to find the policy for silent KFM:
# This often involves delving into OMA-URI settings within a Custom Configuration Profile in Intune.
# A simpler approach is using Settings Catalog as shown above.

Example configuration

Here's a JSON snippet representing a portion of an Intune Settings Catalog profile that configures OneDrive Known Folder Move. This is not the full profile, but focuses on the critical KFM settings.

{
    "@odata.type": "#microsoft.graph.windows10CustomConfiguration",
    "displayName": "OneDrive KFM Policy for Hybrid Work",
    "description": "Configures OneDrive Known Folder Move for Desktop, Documents, and Pictures.",
    "OMAURIs": [
        {
            "omaUri": "./User/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDrive/KFM_SilentOptIn",
            "settingDisplayName": "Silently move Windows known folders to OneDrive",
            "settingDisplayValue": "Enabled",
            "description": "Sets the policy to silently move known folders (Desktop, Documents, Pictures) to OneDrive.",
            "isEncrypted": false,
            "dataTypes": "string",
            "value": {
                "@odata.type": "#microsoft.graph.stringSetting",
                "value": "<enabled/><data id=\"KFM_SilentOptIn\" value=\"1\"/>"
            },
            "channel": "User"
        },
        {
            "omaUri": "./User/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDrive/KFM_SetAllowDisableFolderMove",
            "settingDisplayName": "Prevent users from redirecting their Windows known folders to their PC",
            "settingDisplayValue": "Enabled",
            "description": "Prevents users from stopping Known Folder Move or redirecting folders back to their local PC.",
            "isEncrypted": false,
            "dataTypes": "string",
            "value": {
                "@odata.type": "#microsoft.graph.stringSetting",
                "value": "<enabled/><data id=\"KFM_SetAllowDisableFolderMove\" value=\"1\"/>"
            },
            "channel": "User"
        },
        {
            "omaUri": "./User/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDrive/KFM_ShowNotification",
            "settingDisplayName": "Show notification to users after folders have been silently moved",
            "settingDisplayValue": "Enabled",
            "description": "Displays a notification to users upon successful Known Folder Move completion.",
            "isEncrypted": false,
            "dataTypes": "string",
            "value": {
                "@odata.type": "#microsoft.graph.stringSetting",
                "value": "<enabled/><data id=\"KFM_ShowNotification\" value=\"1\"/>"
            },
            "channel": "User"
        },
        {
            "omaUri": "./User/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDrive/KFM_ExcludeFoldersFromMove",
            "settingDisplayName": "Exclude specific known folders from being silently moved to OneDrive",
            "settingDisplayValue": "Not configured",
            "description": "This setting is left 'Not configured' to allow Desktop, Documents, and Pictures to be moved.",
            "isEncrypted": false,
            "dataTypes": "string",
            "value": {
                "@odata.type": "#microsoft.graph.stringSetting",
                "value": "<disabled/>"
            },
            "channel": "User"
        }
    ]
}

Common pitfalls

• Network Bandwidth Saturation: Initial KFM syncs, especially for users with large existing data in known folders, can consume significant network bandwidth, impacting user experience and network performance.
• Conflicting Policies: Overlapping or conflicting Group Policy Objects (GPOs) and Intune policies can lead to unpredictable behavior or KFM failing to apply. Ensure a clear ownership model for policy management.
• Full OneDrive Storage Quotas: If users hit their OneDrive storage quota (e.g., 1TB by default), KFM will fail to move or sync additional files, causing sync errors and potential data loss if not addressed.
• PST Files in Known Folders: Large Outlook PST files or other application-specific data files stored within Desktop or Documents folders can cause sync issues, performance degradation, or even corruption if synced across devices. Microsoft advises against syncing PST files.
• User Confusion and Resistance: Without proper communication and user education, silent KFM can lead to confusion, helpdesk calls, or users attempting to undo the folder redirection, creating more management overhead.
• Existing Folder Redirection: If known folders are already redirected by an existing Group Policy to a network share, KFM will generally fail or behave unexpectedly. Existing redirection policies must be removed or disabled before KFM can take effect.

Best practices

• Pilot Deployment: Always pilot KFM with a small, representative group of users before a broad rollout. This helps identify and resolve issues in a controlled environment.
• Phased Rollout: Consider a phased rollout approach for larger organizations. Start with users who have lower data volumes or those in specific departments, gradually expanding to the entire workforce.
• Communicate Clearly with Users: Provide clear, concise communication to users before, during, and after KFM implementation. Explain the benefits, what to expect, and where to find support, aligning with the principles of efficient change management.
• Address Network Impact: Plan for the initial data migration. Consider using OneDrive's BITS (Background Intelligent Transfer Service) integration or bandwidth throttling policies to manage network usage during the initial sync, especially for a hybrid workforce where home network conditions vary.
• Exclude Problematic Files: Proactively educate users to move large, transient, or application-specific files (like .pst, large video editing projects) out of known folders and into dedicated team sites or application-specific storage before KFM, ensuring a smoother sync experience and adhering to Well-Architected Framework principles for reliability.
• Monitor and Report: Utilize tools like the OneDrive Sync Admin Reports in the Microsoft 365 admin center to monitor KFM adoption, sync health, and identify potential issues, aligning with the Azure Well-Architected Framework's operational excellence pillar.
• Regularly Review Storage Quotas: Monitor OneDrive storage usage within your organization. Proactively increase quotas for users approaching limits or advise them on data cleanup to prevent sync failures.

Further reading

• Redirect and move Windows known folders to OneDrive
• Use Group Policy to control OneDrive sync client settings
• Deploy OneDrive apps using Microsoft Intune
• OneDrive Known Folder Move and Data Protection (Microsoft Learn Blog)