Restrict Saving Files To Local Drives

A good question popped up this week in my email: how do I prevent users from saving files to local drives while still allowing them to save to OneDrive folders?

I think a lot of organizations would like to do this (or are doing it already), but the answer has some complexity to it and really depends on what you want to achieve.

First and foremost, I had to explain that OneDrive, like most of the other common cloud-based file storage systems, still stores data locally and then syncs it to the cloud. With Windows 10 version 1709 and beyond, OneDrive has the Files On-Demand option, which lets File Explorer display cloud-only files, but if you click on one to use it or view it, it is downloaded to the local device temporarily.

The second piece of the conversation involves explaining that completely locking access to local drives might not be a great idea, as many applications use temporary files locally.

I then proceeded to explain that if the purpose is to protect your data, a better way is to implement Windows Information Protection, which allows you to protect the files and automatically assign policies to them (attaching a classification to them as corporate files).

Having said this, below is how you would lock everything down, although I would allow a few exceptions (c:\temp or c:\<user>\UserData) for those times when users need this, and make it clear these files are not backed up.

OneDrive Settings

OneDrive is fully integrated into Windows 10, and therefore you can set OneDrive as the default save location for all data or just specific files.

You can find information on OneDrive settings in the Microsoft OneDrive documentation, including how to do this with Microsoft Intune using Administrative Templates (Manage OneDrive Settings and Use OneDrive policies to control sync settings).

Group Policy to Block a device

  • You can create a Group Policy object (GPO) and configure the settings to block / restrict access to one of several disks.
  • You can then link that GPO to the OU in which those devices are placed.

Good source: Restrict Users to Store Data in Local Drive, Desktop, Document, Downloads Etc – Microsoft Q&A
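
One way to check on a device that such a GPO has actually applied, as an added example that is not part of the original post. It assumes the GPO uses the File Explorer policies "Prevent access to drives from My Computer" (registry value NoViewOnDrive) and/or "Hide these specified drives in My Computer" (NoDrives), which the post does not name; the drive letters C and D are constructed sample input.

```powershell
# Added example: audit the Explorer drive-restriction policy for the current user.
# Assumption: the GPO sets NoViewOnDrive and/or NoDrives, each a bitmask
# where A = 1, B = 2, C = 4, ... Z = 2^25 (all drives = 67108863).

function ConvertTo-DriveMask {
    param([Parameter(Mandatory)][char[]]$DriveLetter)
    $mask = 0
    foreach ($letter in $DriveLetter) {
        $index = [int]([char]::ToUpperInvariant($letter)) - 65   # 65 = 'A'
        if ($index -lt 0 -or $index -gt 25) { throw "Not a drive letter: $letter" }
        $mask = $mask -bor (1 -shl $index)
    }
    return $mask
}

function ConvertFrom-DriveMask {
    param([Parameter(Mandatory)][int]$Mask)
    foreach ($index in 0..25) {
        if ($Mask -band (1 -shl $index)) { [char](65 + $index) }
    }
}

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# Constructed sample: the drives this GPO is supposed to restrict.
$expected  = ConvertTo-DriveMask -DriveLetter 'C', 'D'

foreach ($name in 'NoViewOnDrive', 'NoDrives') {
    $value = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) {
        "{0}: not set (policy not applied to this user)" -f $name
        continue
    }
    $value   = [int]$value
    $letters = (ConvertFrom-DriveMask -Mask $value) -join ','
    "{0} = {1} (drives: {2})" -f $name, $value, $letters

    # Bits that should be set according to $expected but are missing on this device.
    $missing = $expected -band (-bnot $value)
    if ($missing) {
        "  expected but not restricted: {0}" -f ((ConvertFrom-DriveMask -Mask $missing) -join ',')
    }
}
```

Both policies act on File Explorer and the standard file dialogs only; per Microsoft's policy description they do not prevent programs from accessing the drives, which is why the post recommends Windows Information Protection when the goal is data protection.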

Hope this helps! Send your ideas / suggestions / additions via Twitter to: @moderneuc