Many of us have already adopted Enterprise File Sharing and Synchronization (EFSS) products. Many abound in the EUC space – ShareFile, DropBox, DataNow, Hightail, Box, to name just a few. Microsoft are aggressively marketing their own version – OneDrive, renamed from SkyDrive, presumably under pressure from real-life Bond villain Rupert Murdoch – and this aggressive stance has increased with the advent of Windows 10. If you’ve already got an EFSS solution integrated and working nicely, how do you get rid of the OneDrive integration so that your users don’t get confused and/or frustrated?
Microsoft appear to (for once) be quite understanding of this possible situation, and have provided Group Policy Objects to deal with this. Actually, there’s been a SkyDrive (later updated to OneDrive) GPO present for Windows 8.1/Server 2012 R2 for quite a while. The relevant settings are tucked away in Computer Configuration | Admin Templates | Windows Components | OneDrive.
The pertinent setting is the one highlighted above – Prevent the usage of OneDrive for file storage. According to the blurb, set this and you lose the OneDrive app, the link to it in the notification area, the Explorer integration and all of the other entry points to it (see below for some of the ones you may notice).
However, if we enable the GPO setting we mentioned earlier, we notice something strange – despite the fact that GPResult reports the GPO as being applied, all of the entry points are still there, which is rather odd.
Digging further into the GPO we are using reveals that perhaps the setting we are using only applies to Windows 8.1. A TechNet article has this telling quote:-
OneDrive Group Policies are only available through a Windows 2012 R2 domain controller to Windows 8.1 clients.
Is it possible that we’re still waiting for the setting to be made available on an enterprise basis with the promised Windows 10 RSAT and ADMX file update that’s supposed to be coming soon?
Further credence is lent to this theory by the way we can access the settings – and make them work – by firing up the local Group Policy Editor (gpedit.msc) on the Windows 10 endpoint and setting them this way.
But until the new RSAT and other tools for the enterprise come along, how can we deploy this to multiple endpoints in the meantime? Well, the easy way would be to set the policy through the local Group Policy Editor and use Process Monitor to capture the Registry value it sets. A quick ProcMon later, and we find this setting being the one changed by the mmc.exe process
HKLM\Software\Policies\Microsoft\Windows\OneDrive
DisableFileSyncNGSC
DWORD 1
Group Policy Preferences, anyone (or AppSense EM – I keep forgetting that, for the moment at least, I am still the AppSense Bigot)?
A quick bit of replication later, and we should be able to log on to our Windows 10 machine and have another look.
So that’s it for a quick rundown on getting rid of OneDrive for your enterprise users should you need to, at least until the proper GPOs and RSAT for Windows 10 are updated. It’s a bit annoying, though, that the setting looks destined to dwell in Computer Configuration – I would have much preferred to be able to switch off the access to it on a per-user basis, especially in RDS environments, but this being Microsoft we should be pleased we get any management capability at all these days.