You configured OneDrive for Business to block specific file types, but some devices in your organization continue to sync those blocked files. This inconsistency often occurs when the device is not receiving the latest policy updates or when a user has previously synced the files before the block was applied. This article explains why blocked file types can still sync to certain devices and provides the exact steps to enforce the block across all endpoints.
Key Takeaways: Enforce File Type Blocks in OneDrive for Business
- Microsoft 365 admin center > Settings > OneDrive > Sync: Controls tenant-wide sync restrictions, file type blocking, and Known Folder Move behavior.
- Windows Registry key HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts\Business1: Stores per-device sync policy settings; outdated values cause policy drift.
- Group Policy Administrative Templates > OneDrive > Block syncing specific file types: Applies file type block rules to domain-joined Windows devices via GPO.
Why Blocked File Types Still Sync on Some Devices
OneDrive for Business uses a combination of cloud-side policies and client-side configuration to enforce file type blocks. When you block a file extension in the Microsoft 365 admin center, the setting is stored in the tenant policy and pushed to the OneDrive sync app on each device during the next policy refresh cycle. However, several factors can prevent the block from taking effect on specific devices:
Policy Refresh Delay or Failure
The OneDrive sync app checks for updated policies every 24 hours by default, or when the app restarts. If a device has not restarted the sync app or remained offline for an extended period, it may retain the old policy that allows those file types. Additionally, network interruptions or proxy settings can block the policy download entirely.
Previously Synced Files Remain
File type blocks only prevent new files from syncing. Files that were already present in the user’s OneDrive before the block was applied remain synced and accessible. The block does not retroactively remove or stop syncing existing files of the blocked type.
Per-Device Registry or Group Policy Overrides
If an IT administrator configured local Group Policy or registry settings on a device, those settings can override the tenant policy. For example, a GPO that sets the “Block syncing specific file types” policy to “Not configured” allows all file types to sync regardless of the admin center setting.
Steps to Force File Type Block Enforcement Across All Devices
Follow these steps in order to ensure that blocked file types are enforced on every device in your organization.
- Verify the File Type Block in the Microsoft 365 Admin Center
Sign in to the Microsoft 365 admin center at admin.microsoft.com. Go to Settings > Org settings > OneDrive > Sync. Under Block syncing specific file types, ensure the file extensions you want to block are listed. Add any missing extensions, then click Save.
- Force a Policy Refresh on Affected Devices
On each device that still syncs blocked files, open the OneDrive sync app by clicking the cloud icon in the system tray. Hold the Ctrl key and right-click the OneDrive icon, then select Exit. Wait 10 seconds, then restart OneDrive from the Start menu. This triggers an immediate policy check. Alternatively, run the following command in Command Prompt as administrator: %localappdata%\Microsoft\OneDrive\OneDrive.exe /shutdown and then start OneDrive again.
- Check and Remove Conflicting Group Policy Settings
On domain-joined devices, open the Local Group Policy Editor by running gpedit.msc. Navigate to Computer Configuration > Administrative Templates > Microsoft OneDrive. Double-click Block syncing specific file types. If it is set to Enabled, verify the listed file types match the admin center. If it is set to Not configured or Disabled, the tenant policy will not apply. Set it to Not configured to allow the tenant policy to take effect, then run gpupdate /force in Command Prompt.
- Clear Stale Registry Values on the Device
Open Registry Editor as administrator. Navigate to HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts\Business1. Look for a value named BlockFileTypes. If it exists and does not match your current block list, delete the value. Restart OneDrive. The sync app will recreate the value based on the latest tenant policy.
- Use PowerShell to Enforce Policy Across All Users
Open Windows PowerShell as an administrator. Install the SharePoint Online Management Shell if not already installed: Install-Module -Name Microsoft.Online.SharePoint.PowerShell. Connect to SharePoint: Connect-SPOService -Url https://[tenant]-admin.sharepoint.com. Run Set-SPOTenant -ExcludedFileExtensions "exe,msi,zip" (replace with your blocked extensions). This sets the tenant-level file type block and overrides any local settings on devices that receive the policy.
- Require the Latest OneDrive Sync App Version
In the admin center, go to Settings > Org settings > OneDrive > Sync. Under OneDrive sync app, set Minimum version to the latest stable release (e.g., 24.100.0523.0001). This ensures devices run a version that respects the file type block policy. Devices with older versions may ignore the block.
If OneDrive Still Syncs Blocked File Types After Applying the Fix
Blocked Files Were Synced Before the Policy Took Effect
Files that were already in OneDrive before you added the extension to the block list will remain synced. To remove them, use the OneDrive web interface: sign in to onedrive.live.com, locate the files with the blocked extension, and delete them. Users can restore deleted files from the Recycle Bin within 30 days, so also empty the second-stage recycle bin in SharePoint Admin Center if needed.
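A read-only, per-device check for two causes described above, a stale local policy value and files that were synced before the block, given here as an added example that is not part of the original article. The Business1 key path and the BlockFileTypes value name are taken from this article as stated; UserFolder is assumed to hold the sync root, and the $Expected list is a constructed sample.

```powershell
# Added example: audit one device/user for file type block drift. Makes no changes.
# Assumptions: key path and BlockFileTypes value name come from the article;
# UserFolder is assumed to be the sync root; $Expected is a constructed sample.
[CmdletBinding()]
param(
    [string[]]$Expected = @('exe', 'msi', 'zip'),
    [string]$AccountKey = 'HKCU:\Software\Microsoft\OneDrive\Accounts\Business1'
)

function ConvertTo-ExtensionSet {
    param([string[]]$Value)
    # Accept "exe,msi", ".exe;.msi" or an array; normalise to lowercase, no dots.
    ($Value -join ',') -split '[,;\s]+' |
        ForEach-Object { $_.Trim().TrimStart('.').ToLowerInvariant() } |
        Where-Object { $_ } |
        Sort-Object -Unique
}

$want = @(ConvertTo-ExtensionSet $Expected)
$acct = Get-ItemProperty -Path $AccountKey -ErrorAction SilentlyContinue
if (-not $acct) { Write-Warning 'No Business1 account key for this user.'; return }

# 1. Compare the locally stored block list with the expected tenant list.
$local = @(if ($acct.PSObject.Properties['BlockFileTypes']) {
    ConvertTo-ExtensionSet ([string[]]$acct.BlockFileTypes)
})
$missing = @($want  | Where-Object { $_ -notin $local })
$extra   = @($local | Where-Object { $_ -notin $want })

# 2. Find files of blocked types that already exist in the sync root;
#    the block does not remove these retroactively.
$existing = @()
if ($acct.UserFolder -and (Test-Path -LiteralPath $acct.UserFolder)) {
    $existing = @(Get-ChildItem -LiteralPath $acct.UserFolder -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension.TrimStart('.').ToLowerInvariant() -in $want })
}

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    User              = $env:USERNAME
    LocalBlockList    = $local -join ','
    MissingFromDevice = $missing -join ','
    NotInExpected     = $extra -join ','
    PolicyDrift       = [bool]($missing.Count -or $extra.Count)
    ExistingBlocked   = $existing.Count
    SamplePaths       = ($existing | Select-Object -First 5 -ExpandProperty FullName) -join '; '
}
```

Run it in the affected user's session, since the key lives under HKEY_CURRENT_USER; the output object can be piped to Export-Csv to compare devices.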
Device Uses a Non-Windows Operating System
The file type block policy applies to the OneDrive sync app on Windows, macOS, and mobile devices. However, macOS and mobile clients may have a delay of up to 48 hours before they respect the new policy. On macOS, force a sync by quitting OneDrive from the menu bar and restarting it. On iOS or Android, sign out of the OneDrive app and sign back in.
Third-Party Sync Tools Bypass OneDrive Policies
If users sync OneDrive files using third-party tools like rclone, WebDAV clients, or custom scripts, those tools do not respect the file type block policy. Audit your environment for any non-Microsoft sync clients and block them using Conditional Access policies in Azure AD.
File Type Block Methods: Admin Center vs Group Policy vs PowerShell
| Item | Microsoft 365 Admin Center | Group Policy (GPO) | PowerShell (SPO Management Shell) |
|---|---|---|---|
| Scope | Tenant-wide | Domain-joined Windows devices | Tenant-wide |
| Override behavior | Baseline policy; GPO can override | Overrides admin center if enabled | Overrides admin center and GPO |
| File extension format | Comma-separated without dots (exe,msi) | Comma-separated with or without dots | Comma-separated without dots |
| Requires sync app restart | Yes | Yes | Yes |
| Affects existing files | No | No | No |
You can now enforce file type blocks consistently across your organization by applying the tenant policy through the admin center or PowerShell and removing conflicting local settings. Next, review your Conditional Access policies to block non-Microsoft sync clients that bypass OneDrive restrictions. An advanced tip: use the SharePoint Online Management Shell cmdlet Get-SPOTenant to verify that the ExcludedFileExtensions property reflects your current block list before troubleshooting individual devices.