Group Policy Settings Do Not Reach the Sync Client: OneDrive for Business Fix

Group Policy settings you configure for OneDrive sync may not apply to client computers. Users can still change sync settings, or the sync client ignores your policy restrictions. This occurs when the OneDrive Group Policy administrative template files are missing, outdated, or not linked to the correct organizational unit. This article explains why policy settings fail to reach the sync client and provides a step-by-step fix to deploy the correct OneDrive ADMX files and verify policy application.

Key Takeaways: Deploying OneDrive Group Policy Correctly

  • OneDrive ADMX files from Microsoft: Download and install the latest OneDrive ADMX templates on your domain controller or Central Store.
  • Group Policy Management Console > Default Domain Policy: Link the OneDrive policy settings to the correct organizational unit that contains the target computers.
  • gpupdate /force on client: Force a policy refresh and verify that OneDrive settings appear under Computer Configuration > Administrative Templates > OneDrive.


Why Group Policy Settings Do Not Reach the OneDrive Sync Client

Group Policy settings for OneDrive are delivered through administrative template files (ADMX). These files define the registry keys that the OneDrive sync client reads at startup. If the ADMX files are missing from the Central Store or the local PolicyDefinitions folder, the Group Policy console will not display any OneDrive-specific policies. Without the policies, you cannot configure settings such as silent account configuration, sync restrictions, or Known Folder Move.

Another common cause is linking the Group Policy object to the wrong organizational unit. Policy settings must be linked to an OU that contains the computer accounts, not user accounts, because OneDrive policies are computer-based. If the GPO is linked to a user OU, the sync client will never receive the settings. Additionally, the sync client version must match the ADMX version. Using a OneDrive ADMX from 2022 with a 2024 sync client may result in unrecognized policy keys.

OneDrive Sync Client Version Requirements

The OneDrive sync client must be version 19.002 or later to support Group Policy. Older versions ignore policy registry keys. To check the client version, right-click the OneDrive cloud icon in the system tray, select Settings, and note the version number under the About tab. If the client is outdated, update it through Microsoft 365 Apps or by downloading the latest OneDrive installer from Microsoft.

Steps to Fix Group Policy Settings Not Reaching OneDrive

Follow these steps in order to ensure Group Policy settings are correctly deployed and applied to the OneDrive sync client.

  1. Download the latest OneDrive ADMX files from Microsoft
    Go to the Microsoft Download Center and search for “OneDrive Group Policy Administrative Templates.” Download the ZIP file that contains the OneDrive.admx and OneDrive.adml files. Extract the files to a temporary folder on your domain controller or a management workstation.
  2. Copy the ADMX files to the Central Store
    On your domain controller, navigate to %SystemRoot%\sysvol\domain\Policies\PolicyDefinitions. If the PolicyDefinitions folder does not exist, create it. Copy OneDrive.admx to the PolicyDefinitions folder. Copy OneDrive.adml to the PolicyDefinitions\en-US subfolder (or the appropriate language folder). This makes the policy available to all domain controllers.
  3. Create or edit a Group Policy object for OneDrive settings
    Open Group Policy Management Console. Create a new GPO named “OneDrive Sync Settings” or edit an existing GPO that targets the computers. Navigate to Computer Configuration > Administrative Templates > OneDrive. If you do not see the OneDrive folder, the ADMX files were not copied correctly. Verify the file locations.
  4. Configure the desired OneDrive policies
    Within the OneDrive folder, set policies such as “Silently sign in users to the OneDrive sync client with their Windows credentials” or “Use OneDrive Files On-Demand.” Set each policy to Enabled and configure the options as needed. For example, enable “Silently configure OneDrive” and enter the tenant ID and SharePoint URL.
  5. Link the GPO to the correct organizational unit
    In Group Policy Management Console, right-click the OU that contains the computer accounts for your users. Select Link an Existing GPO and choose the OneDrive Sync Settings GPO. Do not link the GPO to a user OU. Only computer OUs receive computer-based policy settings.
  6. Force a Group Policy update on a test client
    On a test computer that belongs to the target OU, open a command prompt as administrator and run gpupdate /force. Restart the computer. After the restart, open the registry editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive. Verify that the registry keys match the policies you configured.
  7. Restart the OneDrive sync client
    Right-click the OneDrive icon in the system tray and select Close OneDrive. Open OneDrive from the Start menu. The sync client reads the policy registry keys at startup. Check that the settings you configured are applied, such as silent sign-in or Files On-Demand being enabled.


If OneDrive Still Ignores Group Policy Settings

OneDrive policy settings are not visible in Group Policy Management Console

If the OneDrive folder does not appear under Administrative Templates, the ADMX files were not copied to the correct location. Verify that OneDrive.admx exists in %SystemRoot%\sysvol\domain\Policies\PolicyDefinitions and OneDrive.adml exists in the language subfolder. If you are using a local policy editor on a non-domain computer, copy the files to %SystemRoot%\PolicyDefinitions instead.

Policy registry keys exist but OneDrive ignores them

The OneDrive sync client version may be too old. Update the client to the latest version from the Microsoft 365 admin center or by running the OneDrive setup executable with the /update switch. After the update, restart the client and verify the policy keys are read. Also confirm that the policy keys are under HKEY_LOCAL_MACHINE, not HKEY_CURRENT_USER, because OneDrive policies are computer-based.

Group Policy reports that settings are applied but users can still change sync options

Some OneDrive policy settings require that the sync client is configured before the user signs in. If the user already signed in before the GPO was applied, the policy may not take effect. Sign the user out of OneDrive, run gpupdate /force, restart the computer, and have the user sign in again. For settings like “Prevent users from changing the location of their OneDrive folder,” the policy will block the change only after a fresh sign-in.
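The checks from steps 2 and 6 and from the troubleshooting cases above can be scripted. The following is an added example, not part of the original article or any Microsoft tooling: the function names are hypothetical, and reading the client version from the Version value under HKCU:\Software\Microsoft\OneDrive is an assumption about where the sync client records it. The script only reads files and registry values.

```powershell
# Added example: read-only checks for the ADMX files, the policy key and the client version.
param(
    # Central Store path from step 2 (valid as-is when run on a domain controller).
    [string]$PolicyDefinitions = "$env:SystemRoot\sysvol\domain\Policies\PolicyDefinitions",
    [string]$Language = 'en-US',
    # Minimum sync client version stated in the article.
    [version]$MinimumClient = '19.002'
)

function Test-OneDriveTemplates {
    # Both files must exist, or the OneDrive folder never appears in the policy editor.
    foreach ($file in "$PolicyDefinitions\OneDrive.admx", "$PolicyDefinitions\$Language\OneDrive.adml") {
        [pscustomobject]@{ Check = 'Template'; Item = $file; Detail = $null
                           Ok = (Test-Path -LiteralPath $file) }
    }
}

function Get-OneDrivePolicyValues {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $key = "${Hive}:\SOFTWARE\Policies\Microsoft\OneDrive"
    if (-not (Test-Path -LiteralPath $key)) { return }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        # The article expects policy values under HKLM, so HKCU entries are flagged.
        [pscustomobject]@{ Check = 'PolicyValue'; Item = "$Hive\$name"
                           Detail = $item.GetValue($name); Ok = ($Hive -eq 'HKLM') }
    }
}

function Test-OneDriveClientVersion {
    # Assumption: the installed client writes its version string to this value.
    $v = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\OneDrive' -ErrorAction SilentlyContinue).Version
    [pscustomobject]@{ Check = 'ClientVersion'; Item = $v; Detail = "minimum $MinimumClient"
                       Ok = [bool]($v -and ([version]$v -ge $MinimumClient)) }
}

Test-OneDriveTemplates
Test-OneDriveClientVersion
$machine = @(Get-OneDrivePolicyValues -Hive HKLM)
$user    = @(Get-OneDrivePolicyValues -Hive HKCU)
$machine + $user
if (-not $machine) { Write-Warning 'No OneDrive policy values under HKLM: check the GPO link, then run gpupdate /force and restart.' }
if ($user)         { Write-Warning 'OneDrive policy values found under HKCU; the article expects them under HKLM.' }
```

The template check is meaningful on the domain controller (or with -PolicyDefinitions pointing at the store you use); the registry and version checks are meaningful on the test client after gpupdate /force and a restart.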

| Item | Correct Deployment | Common Mistake |
|---|---|---|
| ADMX file location | Central Store or local PolicyDefinitions folder | ADMX files left in download folder without copying |
| GPO link target | Computer OU containing target machines | GPO linked to user OU or root domain |
| Sync client version | Version 19.002 or later | Client version 18.xxx or earlier |
| Policy refresh method | gpupdate /force followed by reboot | Only gpupdate without restart |

After completing the steps above, Group Policy settings will reach the OneDrive sync client. Verify the applied policies by checking the registry keys or by observing the sync client behavior. For advanced control, consider using Intune policy settings for OneDrive in addition to Group Policy, especially for hybrid or cloud-only environments.
