OneDrive Personal Sync Is Not Blocked on Managed PCs

You manage Microsoft 365 for your organization and have configured policies to block syncing personal OneDrive accounts on company-owned Windows devices. Despite your settings, users can still sign in to a personal OneDrive account and sync files. This happens because the policy that blocks personal sync is separate from the policy that controls sync for the work or school OneDrive account. This article explains why personal sync remains active on managed PCs, where to find the correct policy setting, and how to enforce the block tenant-wide.

Why Personal OneDrive Sync Remains Active on Managed PCs

The OneDrive sync client for Windows supports two distinct account types: the work or school account tied to a Microsoft 365 tenant, and one or more personal Microsoft accounts. The sync client treats these account types separately. The sync settings in the Microsoft 365 admin center apply only to the work or school account. They do not affect the personal account functionality built into the same sync client.

When you configure the tenant-level sync policy in the admin center, you control features such as:

• Allowing or blocking syncing of OneDrive files only on PCs joined to specific domains
• Restricting syncing of specific file types
• Enabling or disabling Known Folder Move
• Setting sync upload and download limits

None of these settings include a switch to disable personal account sync. The personal account sync feature is a client-side capability that Microsoft deliberately left configurable only through local policy or registry settings. This design prevents a tenant admin from accidentally blocking users from syncing their personal files when the organization does not own those accounts.

How the Sync Client Handles Multiple Accounts

The OneDrive sync client can have up to two accounts added simultaneously on Windows 10 and Windows 11. One account must be a work or school account. The other can be a personal Microsoft account. The sync client creates separate sync folders for each account. The work or school folder is typically at C:\Users\username\OneDrive – CompanyName. The personal folder is at C:\Users\username\OneDrive. Users can add a personal account by clicking the OneDrive icon in the notification area, selecting Help & Settings > Settings, and then clicking Add an account. If the policy that blocks personal sync is not deployed, the sync client will allow this addition without any error.

Steps to Block Personal OneDrive Sync on Managed PCs

You must deploy a Group Policy setting, an Intune configuration profile, or a registry key to block personal account sync. The following method uses Group Policy on domain-joined Windows PCs.

1. Download the OneDrive Group Policy Administrative Template files
   Go to the Microsoft Download Center and search for “OneDrive Group Policy Administrative Template files.” Download the OneDrive.admx and OneDrive.adml files. The .adml file is language-specific, so select the correct locale for your organization.
2. Copy the template files to the Central Store or local PolicyDefinitions folder
   On a domain controller or the local PC where you will edit Group Policy, navigate to C:\Windows\PolicyDefinitions. Copy the OneDrive.admx file into that folder. Copy the OneDrive.adml file into the appropriate language subfolder, such as en-US.
3. Open the Group Policy Management Console and create or edit a GPO
   Run gpmc.msc. Right-click the organizational unit that contains your managed PCs and select Create a GPO in this domain, and Link it here. Give the GPO a descriptive name, such as “Block Personal OneDrive Sync.”
4. Navigate to the OneDrive policy setting
   In the Group Policy Management Editor, go to Computer Configuration > Administrative Templates > OneDrive. If you do not see the OneDrive folder, verify that the .admx and .adml files are in the correct locations and refresh the policy list.
5. Enable the setting “Prevent users from syncing personal OneDrive accounts”
   Double-click the policy. Select Enabled. Click OK. This policy sets the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive\DisablePersonalSync to 1.
6. Link the GPO to the correct organizational unit
   Ensure the GPO is linked to the OU that contains the target computers. The setting is a computer-based policy, so it applies when the computer starts, regardless of which user signs in.
7. Run gpupdate /force on a test PC
   On a managed PC, open Command Prompt as administrator and run gpupdate /force. Restart the OneDrive sync client by right-clicking the OneDrive icon in the notification area and selecting Close OneDrive. Then launch OneDrive from the Start menu.

Alternative Method: Intune Configuration Profile

If your devices are enrolled in Microsoft Intune, you can deploy the same registry key using a custom configuration profile. Go to Devices > Configuration profiles > Create profile. Select Windows 10 and later as the platform, and Templates as the profile type. Choose Custom. Add a setting with the following values:

• Name: DisablePersonalSync
• OMA-URI: ./Device/Vendor/MSFT/Policy/Config/OneDrive~Policy~OneDrive/DisablePersonalSync
• Data type: Integer
• Value: 1

Assign the profile to the appropriate device group. The setting takes effect after the next sync cycle or after a device restart.

If OneDrive Still Allows Personal Sync After Applying the Policy

The policy setting is not applied because the GPO is not linked to the correct OU

Verify that the GPO is linked to the organizational unit that contains the computer accounts, not the user accounts. The setting is under Computer Configuration, so it applies to computers. If you linked the GPO to a user OU, the policy will not apply. Run gpresult /r on a target PC to confirm the GPO is listed under Applied Group Policy Objects.

The OneDrive sync client version is outdated

The policy setting requires OneDrive build 19.002.0101.0006 or later. Check the version by right-clicking the OneDrive icon in the notification area, selecting Help & Settings > Settings, and looking under About. If the version is older, update OneDrive by downloading the latest version from the Microsoft OneDrive website or deploying it via Microsoft 365 Apps updates.

The registry key is present but set to 0

Open Registry Editor on a managed PC and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive. Look for the DisablePersonalSync DWORD. If the value is 0, the policy is not enabled. If the value is 1 but personal sync still works, check for a conflicting policy under Computer Configuration > Administrative Templates > OneDrive that is set to Not Configured or Disabled. A Disabled setting overrides an Enabled setting if multiple GPOs apply.

OneDrive Tenant Sync Settings vs Personal Sync Block: Key Differences

Item	Tenant Sync Settings (Admin Center)	Personal Sync Block (Group Policy / Intune)
Scope	All work or school OneDrive accounts in the tenant	All personal Microsoft accounts on managed Windows PCs
Configuration method	Microsoft 365 admin center > Settings > Org settings > OneDrive > Sync	Group Policy, Intune custom profile, or registry key
Target	Users and their work/school OneDrive folders	Windows device registry or policy store
Effect on existing personal sync	None	Removes personal account from sync client on next restart
Requires domain join or MDM	No	Yes

You now know that blocking personal OneDrive sync on managed PCs requires a separate Group Policy or Intune configuration. The tenant-level sync settings in the Microsoft 365 admin center do not affect personal accounts. After deploying the DisablePersonalSync policy, test on a representative PC by running gpupdate /force and restarting the OneDrive client. As an advanced step, consider also deploying the policy setting “Prevent users from changing the location of their OneDrive folder” to reduce user confusion if they attempt to move the work folder.