You have configured a policy in the Microsoft 365 admin center to enforce Known Folder Move for your organization. However, some users still turn off folder backup in their OneDrive settings. This happens because the policy blocks the initial setup but does not continuously enforce the backup state after it is configured. This article explains why the policy does not prevent users from later disabling folder backup and provides the steps to re-enforce the setting using a Group Policy or a registry key.
Key Takeaways: Enforce Folder Backup Continuously
- Microsoft 365 admin center > Settings > OneDrive > Sync: Controls the initial Known Folder Move policy but does not prevent users from later turning off backup
- Group Policy > Computer Configuration > Administrative Templates > OneDrive > Prevent users from turning off Known Folder Move: Continuously blocks users from disabling folder backup after it is enabled
- Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive\KFMOptInWithWizard: Alternative method to enforce the same restriction when Group Policy is not available
Why the Admin Center Policy Does Not Prevent Users From Turning Off Folder Backup
The Known Folder Move policy set in the Microsoft 365 admin center under Settings > OneDrive > Sync is a tenant-level configuration. Its primary purpose is to prompt users to move their Desktop, Documents, and Pictures folders to OneDrive during the first sync setup. After the user completes the wizard, the policy has no ongoing enforcement mechanism. The user can later open OneDrive settings, go to the Sync and backup tab, and click Stop backup for any folder. The admin center policy does not block this action.
The technical root cause is that the admin center policy writes a single registry value that triggers the initial wizard. It does not set the DisableKFMOnMachine or EnableKFMOnMachine policies that control the user interface behavior after setup. Without these registry keys, the OneDrive client treats folder backup as a user-configurable setting that can be changed at any time.
Steps to Prevent Users From Turning Off Folder Backup After Policy Enforcement
To continuously block users from disabling folder backup, you must deploy a local policy on each Windows device. The following methods apply the restriction through Group Policy or the Windows registry.
- Download and install OneDrive Group Policy templates
Download the OneDrive Group Policy administrative templates from the Microsoft Download Center. Copy the .adml and .admx files to your Central Store or the PolicyDefinitions folder on each device. The templates are required to see OneDrive settings in the Group Policy Editor. - Open the Local Group Policy Editor
Press Windows + R, type gpedit.msc, and press Enter. Navigate to Computer Configuration > Administrative Templates > OneDrive. - Enable the policy that prevents users from turning off Known Folder Move
Double-click Prevent users from turning off Known Folder Move. Set it to Enabled. Click OK. - Apply the policy to the device
Close the Group Policy Editor. Open a command prompt as Administrator and run gpupdate /force. This immediately applies the new policy without requiring a restart. - Verify that the registry key is set
Open Registry Editor. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive. Confirm that the DWORD value KFMOptInWithWizard exists and is set to 1. If the value is missing or set to 0, the policy is not active.
Alternative Method: Set the Registry Key Directly
If your devices do not support Group Policy, you can set the same restriction by adding the registry key manually. Use a logon script or configuration management tool such as Microsoft Intune.
- Open Registry Editor
Press Windows + R, type regedit, and press Enter. - Navigate to the OneDrive policy key
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive. If the OneDrive key does not exist, right-click the Microsoft key, select New > Key, and name it OneDrive. - Create the KFMOptInWithWizard DWORD
Right-click in the right pane, select New > DWORD (32-bit) Value. Name it KFMOptInWithWizard. Set the value data to 1 and click OK. - Restart OneDrive
Right-click the OneDrive cloud icon in the system tray and select Close OneDrive. Open OneDrive from the Start menu to restart it. The folder backup toggle will now be grayed out in settings.
If Users Still Turn Off Folder Backup After the Policy Is Applied
OneDrive Shows No Folder Backup Option or the Setting Is Still Editable
If the policy appears enabled but users can still change the folder backup setting, the registry key may be in the wrong location. Check that the KFMOptInWithWizard value is under HKEY_LOCAL_MACHINE and not HKEY_CURRENT_USER. The machine-level key is the only one that enforces the restriction. Also verify that OneDrive is version 19.192 or later. Older clients ignore this policy.
Folder Backup Stops After a Windows Update
Windows updates can reset certain Group Policy settings. After a feature update, run gpupdate /force again. If you used the registry method, the key persists across updates because it is stored in the registry. Reapply the policy if the setting reverts.
Users Have Local Administrator Rights and Override the Policy
A user with local administrator rights can open Registry Editor and delete or modify the KFMOptInWithWizard value. To prevent this, restrict access to the registry key using a security descriptor. In Group Policy, set the Restrict the registry security policy to deny write access to the OneDrive policy key for non-administrators. Alternatively, use a configuration management tool to monitor and reapply the key at each logon.
Admin Center Policy vs Local Policy: What Each Controls
| Item | Admin Center Policy | Local Group Policy / Registry |
|---|---|---|
| Scope | Entire tenant | Each Windows device |
| Enforcement timing | Only during the initial setup wizard | Continuous after setup |
| Blocks turning off backup | No | Yes |
| Configuration method | Microsoft 365 admin center | Group Policy Editor or Registry Editor |
| Requires device management | No | Yes |
The admin center policy is sufficient for guiding users through the initial folder backup setup. The local policy is required to prevent users from disabling folder backup after the initial configuration is complete. Deploy both policies for full enforcement.
You can now prevent users from turning off folder backup by deploying the Prevent users from turning off Known Folder Move Group Policy or the KFMOptInWithWizard registry key on each device. Next, verify that the policy persists after Windows updates by scheduling a periodic gpupdate task. As an advanced step, use Microsoft Intune to push the registry key to all managed devices, which eliminates the need for manual Group Policy deployment on each machine.