You need to prevent certain file types from syncing to OneDrive for Business to reduce storage waste, enforce security policies, or stop unwanted file formats from reaching the cloud. By default, OneDrive syncs all files in the selected folders, but Microsoft 365 provides a Group Policy setting and a tenant-level policy to block extensions like .exe, .zip, or .ps1. This article explains how to configure file type blocking using the Microsoft 365 admin center and local Group Policy, and what happens when a blocked file is detected.
Key Takeaways: Block File Types in OneDrive Sync
- Microsoft 365 admin center > Settings > OneDrive > Sync: Enable “Block syncing of specific file types” and enter the extensions to block tenant-wide.
- Local Group Policy > OneDrive configuration > Block syncing specific file types: Set the policy to “Enabled” and list the file extensions (comma-separated) for targeted machines.
- User experience when a file is blocked: OneDrive shows a red error icon on the file and does not upload or download it; the file remains local but is excluded from sync.
How OneDrive File Type Blocking Works
OneDrive for Business can block specific file extensions from syncing at the client level. When a file with a blocked extension is placed in a synced folder, OneDrive skips it entirely — the file is not uploaded to the cloud, and if the file already exists in the cloud, it is not downloaded to the local machine. This blocking applies to both upload and download directions, so a user cannot bypass the restriction by moving a file into the folder from another location.
The feature is controlled by two separate mechanisms:
- Tenant-wide policy via the Microsoft 365 admin center: This setting applies to all users in your organization. It is the simplest way to block file types for everyone, but it requires Global admin or SharePoint admin privileges.
- Local Group Policy or registry: This method targets individual Windows devices and can be deployed through Group Policy Objects in an Active Directory domain. It allows per-machine control and can override the tenant setting if needed.
Blocked file types are identified by their extension, such as .exe, .msi, .bat, .ps1, .vbs, .zip, .rar, or .7z. You can block any extension, but common choices are executable files, script files, and compressed archives that might contain malware or consume excessive bandwidth.
Steps to Block File Types Using the Microsoft 365 Admin Center
This method applies the block to all users in your tenant. Follow these steps:
- Sign in to the Microsoft 365 admin center
Go to https://admin.microsoft.com and sign in with an account that has Global admin or SharePoint admin role. If you do not have these roles, the settings page will not be accessible.
- Navigate to OneDrive settings
In the left navigation pane, select Settings, then click Org settings. On the Org settings page, scroll down to find OneDrive and click it. This opens the OneDrive settings panel.
- Open the Sync tab
In the OneDrive settings panel, click the Sync tab. This tab contains all sync-related policies for your organization.
- Enable file type blocking
Under the “Block syncing of specific file types” section, toggle the switch to On. A text box appears where you can enter the file extensions you want to block.
- Enter the file extensions to block
Type each file extension on a separate line, without the leading dot. For example, to block executables and scripts, type:
exe
msi
bat
ps1
vbs
You can also block compressed files like zip, rar, and 7z. There is no limit to the number of extensions, but each must be on its own line.
- Save the policy
Click Save at the bottom of the panel. The change takes effect immediately for all users. Existing files that are already synced will remain in OneDrive, but new files with blocked extensions will not sync.
Steps to Block File Types Using Local Group Policy
Use this method if you need to block file types on specific computers, such as those outside your domain or for testing. This requires Windows Pro or Enterprise edition. The Group Policy setting is available after installing the OneDrive administrative template.
- Install the OneDrive administrative template
Download the latest OneDrive ADMX files from the Microsoft Download Center. Copy the OneDrive.admx file to C:\Windows\PolicyDefinitions and the OneDrive.adml file to C:\Windows\PolicyDefinitions\en-US. If you are using a central policy store, copy the files there instead.
- Open the Local Group Policy Editor
Press Win + R, type gpedit.msc, and press Enter. The Local Group Policy Editor window opens.
- Navigate to the OneDrive policy path
Go to Computer Configuration > Administrative Templates > OneDrive. If you do not see the OneDrive folder, the ADMX files were not installed correctly.
- Open the “Block syncing specific file types” policy
Double-click Block syncing specific file types. This policy controls which file extensions are blocked from syncing.
- Enable the policy and enter extensions
Select Enabled. In the Options section, enter the file extensions separated by commas, with no spaces. For example:
exe,msi,bat,ps1,vbs,zip,rar
Do not include leading dots or spaces. Click OK to save.
- Apply the policy
Close the Local Group Policy Editor. The policy takes effect after the next Group Policy refresh or when the user signs out and back in. To force an immediate refresh, open a Command Prompt as administrator and run gpupdate /force.
What Happens When a Blocked File Is Detected
When a user places a file with a blocked extension into a synced OneDrive folder, the following occurs:
- File remains local: The file stays in the local folder but is not uploaded to the cloud. It appears with a red circle and white X overlay icon in File Explorer.
- No error notification: OneDrive does not show a pop-up or toast notification. The only indication is the red icon on the file itself.
- Existing cloud files are not removed: If a file with a blocked extension was already synced before the policy was applied, it remains in OneDrive. The policy only prevents new syncs.
- Blocked files are not downloaded: If a blocked file is added to a OneDrive folder on another device, it will not sync down to the local machine with the policy.
Common Issues When Blocking File Types
Blocked files still sync after applying the policy
If the tenant policy is set but files still sync, wait up to 24 hours for the change to propagate. For Group Policy, run gpupdate /force and restart the OneDrive app. If the issue persists, verify that the policy is not being overridden by a conflicting Group Policy at a higher level.
Blocking a file type does not block files inside a compressed archive
Blocking an extension like .exe does not block .exe files that are inside a .zip archive. The archive itself is not scanned for internal content. To block .zip entirely, add zip to the blocked extensions list.
Users can rename a file to bypass the block
If a user renames a blocked file to a non-blocked extension, it will sync. This is a limitation of extension-based blocking. To prevent this, combine file type blocking with Data Loss Prevention policies that scan file content and block based on file signature, not just extension.
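To see what signature-based checking catches that the extension list misses, the following added example (not part of the original article and not Microsoft's DLP engine) audits a folder for files whose leading bytes match a blocked binary type while the extension is not on the blocked list. The function names, the ZIP_CONTAINERS allowlist and the sample files are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

# Leading-byte signatures; .bat/.ps1/.vbs are plain text and have none.
SIGNATURES = {
    b"MZ": "exe",                  # DOS/PE executable header
    b"PK\x03\x04": "zip",          # ZIP local file header
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
# Office formats are ZIP containers, so a zip signature is expected there.
ZIP_CONTAINERS = {"docx", "xlsx", "pptx"}

def sniff(path):
    """Return the type implied by the file's first bytes, or None."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return None

def find_renamed(root, blocked):
    """List (relative path, type) for blocked content that would still sync."""
    blocked = {b.lower().lstrip(".") for b in blocked}
    hits = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        ext = path.suffix.lower().lstrip(".")
        kind = sniff(path)
        if kind not in blocked or ext in blocked:
            continue  # not blocked content, or already stopped by extension
        if not (kind == "zip" and ext in ZIP_CONTAINERS):
            hits.append((path.relative_to(root).as_posix(), kind))
    return hits

def demo():
    """Audit a temporary folder of constructed sample files."""
    samples = {
        "setup.txt": b"MZ\x90\x00" + bytes(16),     # PE header under .txt
        "tool.exe": b"MZ\x90\x00",                  # already blocked by extension
        "report.docx": b"PK\x03\x04" + bytes(16),   # legitimate ZIP container
        "photos.jpg": b"PK\x03\x04" + bytes(16),    # archive under .jpg
        "notes.txt": b"plain text\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        return find_renamed(root, ["exe", "zip", "rar", "7z"])
```

Script types cannot be caught this way because they carry no fixed header, so extension blocking and content inspection remain complementary.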
Blocked file types are not synced in the opposite direction
When a blocked file is added to OneDrive from a device without the policy, it will not sync down to a device that has the policy. The file appears in the OneDrive web interface but stays grayed out or missing on the local machine.
Tenant-Wide Policy vs Local Group Policy: Key Differences
| Item | Microsoft 365 Admin Center (Tenant-Wide) | Local Group Policy (Per-Device) |
|---|---|---|
| Scope | All users in the organization | Specific Windows machines where the policy is applied |
| Administration | Requires Global admin or SharePoint admin role | Requires local administrator rights on the device |
| Deployment | Configured in the browser, no software installation needed | Requires OneDrive ADMX templates and Group Policy Editor |
| Propagation time | Up to 24 hours | Immediate after gpupdate /force and OneDrive restart |
| Override capability | Cannot be overridden by users | Can be overridden by a conflicting higher-level Group Policy |
You can now block specific file types from syncing in OneDrive for Business using either the Microsoft 365 admin center for tenant-wide control or Local Group Policy for per-device restrictions. Next, review your organization’s data classification policies to determine which extensions pose the highest risk. Consider combining file type blocking with OneDrive retention labels and sensitivity labels for a more comprehensive data protection strategy.