
How to Block OneDrive KFM (w/Examples) + FAQs

Yes, you can block OneDrive Known Folder Move (KFM) on Windows and macOS by enabling the KFMBlockOptIn policy through Group Policy, Intune, the registry, or an MDM configuration profile, which stops the OneDrive sync client from offering to redirect Desktop, Documents, and Pictures into the signed-in account’s OneDrive. Blocking KFM matters because the default Microsoft 365 experience nudges users to back up local folders to OneDrive, and that single click can move regulated data into a tenant or account that was never scoped for it under frameworks such as HIPAA, CMMC 2.0, or ITAR.

The governing control is Microsoft’s OneDrive administrative template, which exposes the KFMBlockOptIn, KFMBlockOptOut, KFMSilentOptIn and KFMOptInWithWizard policies, plus the Office-side Restrict KFM from Office setting referenced in the SharePoint admin guidance. When these are misconfigured, Office apps display a “BACK UP THIS DOCUMENT” prompt, and one accidental click can start moving gigabytes of sensitive files into a personal or wrong-tenant OneDrive.

The OneDrive sync client ships with Windows 10 and Windows 11 and is present in most enterprise images by default, so every endpoint where a user signs in with a work or school account is a candidate for a KFM prompt unless policy says otherwise. Treat the combination of a default install, a persuasive prompt, and no block as a standing data-leak and compliance exposure rather than an edge case.

  • 🛡️ How to block KFM cleanly using Group Policy, Intune, registry, PowerShell, and macOS configuration profiles.
  • 📜 Which U.S. laws and frameworks (HIPAA, CMMC, ITAR, SOX, GLBA, FedRAMP) require you to think twice before enabling KFM.
  • 🧩 The difference between KFMBlockOptIn, KFMBlockOptOut, KFMSilentOptIn and Restrict KFM from Office, and when to use each.
  • 🧪 Illustrative scenarios showing how to enforce, test, and audit the block.
  • ⚠️ The most common mistakes that silently unblock KFM even when you think it’s off.

What OneDrive Known Folder Move (KFM) Actually Does

Known Folder Move is a feature of the OneDrive sync client that redirects three Windows “known folders” (Desktop, Documents, and Pictures) so their contents live inside the user’s OneDrive folder instead of the local C:\Users\<name>\ profile. Microsoft positions KFM as the modern replacement for the legacy Folder Redirection Group Policy, and in many small businesses it works well. The consequence of letting KFM run unmanaged is that every file a user drops on the Desktop is synced to the cloud, indexed, and can be shared through OneDrive links.

The rule that creates the problem is Microsoft’s own default: once a user signs in to the sync client with a work or school account, the client is eligible to prompt for KFM unless policy prevents it. A plain-English way to think about it is that Windows keeps asking “should I back this up?” and the user almost always says yes. If that happens on a device that processes Protected Health Information, in breach of your own compliance policy, the HHS Office for Civil Rights can assess civil money penalties under 45 CFR §160.404 once the incident is reported and investigated.

An illustrative scenario makes this clear. Maria, an IT director at a 400-bed hospital, discovers that a nurse’s Desktop folder, which contained scanned insurance cards, had been silently backed up to OneDrive because KFM was never blocked. A common misconception is that “OneDrive is HIPAA compliant, so KFM is fine.” OneDrive can be covered under a Business Associate Agreement, but KFM moves data into locations the organization may never have inventoried, labeled or scoped with DLP, so the safeguards the BAA assumes are in place may not apply to those files.

The Three Policies You Must Know

Three distinct OneDrive policies touch KFM, and confusing them is a leading reason blocks fail. The first is KFMBlockOptIn (“Prevent users from moving their Windows known folders to OneDrive”), documented on the admx.help reference, which stops users from starting KFM in the first place. The second is KFMBlockOptOut (“Prevent users from redirecting their Windows known folders to their PC”), which does the opposite: it keeps users in KFM once their folders have moved. The third is KFMSilentOptIn (“Silently move Windows known folders to OneDrive”), which redirects the folders with no user interaction for the tenant ID you specify.

To block KFM outright, set KFMBlockOptIn=1 and make sure KFMSilentOptIn (and the prompt policy, KFMOptInWithWizard) is not configured for the same device. Do not rely on one setting winning over the other when both are present: the combination is a misconfiguration whose outcome you should treat as undefined, and the failure mode is that you believe KFM is blocked while folders are being redirected. Test any overlapping GPOs or Intune profiles on a pilot device and resolve the conflict at the source.

A common misconception is that unchecking “Back up important folders” in the OneDrive UI is enough. It is not β€” the user can re-enable it with two clicks unless KFMBlockOptIn is enforced at the device level.


Federal Law First: Why Blocking KFM Is Sometimes Mandatory

Start with federal law. HIPAA’s Security Rule at 45 CFR §164.312 requires covered entities to implement technical safeguards, including access controls and audit controls, for systems that store or transmit electronic Protected Health Information (ePHI). If KFM moves ePHI into a OneDrive location that sits outside the scoped audit, encryption and DLP configuration, the covered entity may be found in violation, and penalties are tiered: the 2024 HHS inflation adjustment sets the annual cap at $2,134,831 for identical violations of a provision.

For defense contractors, CMMC 2.0 Level 2 maps to NIST SP 800-171 Rev. 2, and control 3.1.3 requires you to “control the flow of CUI in accordance with approved authorizations.” Unmanaged KFM is, by design, an unapproved flow. An illustrative scenario: David, a cybersecurity lead at a DoD subcontractor, fails a C3PAO assessment because the assessor finds that three engineers had CUI drawings on their Desktops syncing into a commercial OneDrive tenant instead of GCC High. The immediate consequence is a failed assessment and a period of contract ineligibility while the gap is remediated and reassessed.

ITAR (22 CFR Parts 120 through 130) treats releasing technical data to a foreign person, including through storage a foreign person can access, as an export requiring authorization; the cloud-storage carve-out at 22 CFR §120.54 applies only when the data is end-to-end encrypted and the provider holds no means to decrypt it. If KFM backs up an engineer’s Desktop containing export-controlled drawings into a commercial OneDrive tenant that does not meet those conditions, that is an export violation, and the Directorate of Defense Trade Controls can impose inflation-adjusted civil penalties exceeding $1 million per violation plus debarment.

SOX, GLBA, and FedRAMP Angles

Sarbanes-Oxley §404 requires public companies to maintain internal controls over financial reporting, and uncontrolled KFM into a user’s OneDrive undermines the chain of custody for financial workpapers. GLBA’s Safeguards Rule requires financial institutions to inventory where customer information lives, and KFM silently breaks that inventory. For federal agencies and contractors, authorization depends on the Microsoft 365 environment: commercial Microsoft 365 does not carry a FedRAMP High authorization, while GCC High and DoD do, so data that must stay at a High baseline cannot be allowed to flow into a commercial tenant, and a KFM block is effectively mandatory on any device that can sign in to one.

The consequence of ignoring these is not theoretical. Regulatory orders such as the FTC’s 2024 Marriott settlement impose decades-long information-security program obligations after security failures, and every such order turns on where the data actually resided. A common misconception is that “our OneDrive tenant is fine, so it doesn’t matter where the data lands.” Compliance frameworks care about documented data flows, not just the endpoint, and KFM is an undocumented flow unless it is explicitly governed.


Method 1 — Block KFM with Group Policy (On-Prem AD)

Group Policy is the workhorse for domain-joined Windows 10 and Windows 11 devices. Start by downloading the current ADMX templates from the OneDrive install directory at %localappdata%\Microsoft\OneDrive\<version>\adm\, and copy OneDrive.admx and OneDrive.adml into your central store at \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions\. The consequence of skipping the central store step is that your GPMC won’t show the OneDrive settings on other admins’ workstations, and different admins will edit different versions of the policy.

Once the ADMX is in place, open Group Policy Management, create or edit a GPO linked to the target OU, and navigate to Computer Configuration → Policies → Administrative Templates → OneDrive. Enable “Prevent users from moving their Windows known folders to OneDrive”, which is the friendly name for KFMBlockOptIn. Leave “Silently move Windows known folders to OneDrive” (KFMSilentOptIn) and “Prompt users to move Windows known folders to OneDrive” (KFMOptInWithWizard) at Not Configured or Disabled in every GPO that can reach the same devices, so no other policy object contradicts the block; the itsbalto OneDrive configuration walkthrough recommends the same combination.

An illustrative scenario: Priya, a sysadmin at a regional credit union, creates a GPO called CU-OneDrive-KFM-Block, links it to the Tellers OU, and enables KFMBlockOptIn. On a test workstation she runs gpupdate /force and confirms KFMBlockOptIn = 1 under HKLM\SOFTWARE\Policies\Microsoft\OneDrive. A common misconception is that the client honors the new value the instant the registry changes: the sync client reads policy when it starts and on its own refresh cycle, so restart OneDrive.exe (or sign out and back in) on the pilot machine before declaring the block effective, and verify the client behaviour, not just the registry.
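The same GPO can be built from the GroupPolicy RSAT module instead of clicking through GPMC, which makes the change reviewable and repeatable. The following is an added example, not code from the original page or from Microsoft; the GPO name, domain and OU path are assumptions you would replace with your own.

```powershell
# Added example (not from the original page): create, populate and link a GPO that blocks
# OneDrive Known Folder Move. Requires the GroupPolicy RSAT module and rights to create GPOs.
#Requires -Modules GroupPolicy

$GpoName   = 'CU-OneDrive-KFM-Block'                          # assumed GPO name
$TargetOu  = 'OU=Tellers,OU=Workstations,DC=corp,DC=example'  # assumed OU, replace with yours
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\OneDrive'       # where the OneDrive client reads KFM policy

# Create the GPO only if it does not already exist, so the script can be re-run safely.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Blocks OneDrive Known Folder Move (KFMBlockOptIn=1)'
}

# "Prevent users from moving their Windows known folders to OneDrive" is KFMBlockOptIn = DWORD 1.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'KFMBlockOptIn' -Type DWord -Value 1 | Out-Null

# Never let this GPO also carry the silent opt-in; the two settings contradict each other.
$silent = Get-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'KFMSilentOptIn' -ErrorAction SilentlyContinue
if ($silent) {
    Remove-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'KFMSilentOptIn' | Out-Null
}

# Link to the OU once. Enforced so a GPO linked lower in the tree cannot quietly undo the block.
$links = (Get-GPInheritance -Target $TargetOu).GpoLinks
if (-not ($links | Where-Object DisplayName -eq $GpoName)) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Print exactly what the GPO will write to clients, for change review before gpupdate runs anywhere.
Get-GPRegistryValue -Name $GpoName -Key $PolicyKey |
    Select-Object ValueName, Type, Value
```

GPMC shows the value under the friendly ADMX name only when OneDrive.admx is in the central store; without it the same setting appears under Extra Registry Settings, and the client effect is identical. After linking, run gpupdate /force on a pilot machine, restart OneDrive.exe, and confirm both the registry value and that the Start backup command is disabled.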

Restrict KFM from Office

Separate from the OneDrive client, Microsoft 365 Apps (Word, Excel, PowerPoint) show their own KFM prompt inside the Office message bar. To kill that prompt, deploy the Office ADMX templates and enable “Restrict KFM from Office” under User Configuration β†’ Administrative Templates β†’ Microsoft Office 2016 β†’ Miscellaneous. Without this, even a perfectly blocked OneDrive client will still surface a “BACK UP THIS DOCUMENT” bar to users, and some will click through.

The consequence of skipping this is subtle: the OneDrive block holds, but Office still encourages users to enroll, which generates help-desk tickets and social-engineering risk. A common misconception is that this Office policy blocks KFM; it only suppresses the prompt. You still need KFMBlockOptIn on the device side.


Method 2 — Block KFM with Microsoft Intune (MDM)

For Entra-joined and co-managed devices, Intune is the right control plane. In the Microsoft Intune admin center, go to Devices → Configuration → Create → New Policy, pick Windows 10 and later, profile type Templates → Administrative Templates, and search for “Prevent users from moving their Windows known folders to OneDrive.” Set it to Enabled and assign it to device groups. The setting is computer-scoped (it writes to HKLM), so assign it to device groups rather than user groups: a user-targeted assignment only arrives when a member of that group signs in, which leaves shared and kiosk devices unprotected until then.

For tenants that prefer the Settings Catalog, search for OneDrive and pick “Prevent users from moving their Windows known folders to OneDrive” (KFMBlockOptIn). An illustrative scenario: Marcus, an MSP engineer, builds a reusable Settings Catalog policy called Baseline-OneDrive-KFM-Blocked and deploys it to 42 client tenants in one afternoon, following the pattern described on the letsconfigmgr walkthrough. A common misconception is that you still need the old ADMX-ingestion OMA-URI workaround; the built-in Administrative Templates and Settings Catalog include the OneDrive KFM policies, so reserve OMA-URI for edge cases.

OMA-URI for Edge Cases

If you are stuck on a legacy profile type or a specialty SKU, the OMA-URI follows the ADMX-backed pattern ./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDriveNGSC/KFMBlockOptIn, with data type String and value <enabled/>; if you ingested the OneDrive ADMX yourself, the first path segment is the app name you supplied at ingestion. A typo anywhere in the OMA-URI fails quietly: the profile can show as delivered while the registry value is never written, so always verify on a test device before rolling out.

A common misconception is that OMA-URI overrides ADMX templates. It does not; when two Intune profiles set the same policy differently, Intune flags a conflict and the device-side result is unpredictable, so never deliver KFMBlockOptIn through two channels to the same device.


Method 3 — Block KFM with the Registry (Manual or Scripted)

For unmanaged devices, lab machines, or break-glass scenarios, you can write the registry key directly. The exact values, confirmed by the admx.help OneDrive reference, are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive]
"KFMBlockOptIn"=dword:00000001

Apply it with reg add "HKLM\SOFTWARE\Policies\Microsoft\OneDrive" /v KFMBlockOptIn /t REG_DWORD /d 1 /f from an elevated prompt. Running this without elevation produces an Access is denied error that some scripts swallow silently, so always check %ERRORLEVEL% or use -ErrorAction Stop in PowerShell. An illustrative scenario: Jin, a forensics consultant preparing a laptop for evidence handling, runs the reg add command before letting the user log in, which guarantees KFM never activates during the hold period.

A common misconception is that HKCU values work. They do not: the KFM policies are Computer Configuration settings, and the OneDrive client reads them from HKLM\SOFTWARE\Policies\Microsoft\OneDrive, so a KFMBlockOptIn value written under HKCU is ignored.


Method 4 — Block KFM with PowerShell and SCCM/MECM

For large on-prem fleets managed by Configuration Manager, wrap the registry write in a Compliance Settings configuration item, or deploy a PowerShell script as a package. A minimal script looks like this:

# Create the policy key first; freshly imaged machines have never received an OneDrive policy
$path = "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive"
if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
# KFMBlockOptIn = 1 is "Prevent users from moving their Windows known folders to OneDrive"
New-ItemProperty -Path $path -Name "KFMBlockOptIn" -PropertyType DWord -Value 1 -Force | Out-Null

Skipping the Test-Path check produces a terminating error on devices where the OneDrive policy key has never been created, which is common on freshly imaged machines. An illustrative scenario: Rebecca, an enterprise architect at a 12,000-seat manufacturer, deploys the script as a ConfigMgr compliance baseline with automatic remediation, and within 48 hours her report shows 98.7% of devices in the desired state, with the remainder offline or pending a reboot.

A common misconception is that the policy is applied the moment the registry value changes. The sync client reads policy at startup and on its own refresh cycle, so for an immediate, verifiable result restart OneDrive.exe (or have the user sign out and in); a device reboot is not required.
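A compliance item or remediation should not just write the value; it should also detect the contradiction described earlier (a silent or prompted opt-in on the same device) and fail loudly when it is not elevated. The following is an added example, not code from the original page or from Microsoft, written for the SYSTEM context of a ConfigMgr compliance item or an Intune remediation; the exit-code convention (0 compliant, 1 non-compliant) is the one those tools expect, and for Intune you would split the detection and remediation halves into their two scripts.

```powershell
# Added example (not from the original page): detect and remediate the KFM block on one device.
# Runs as SYSTEM, so it touches only HKLM. Exit 0 = compliant or remediated, exit 1 = not.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-KfmPolicy {
    # Returns the three KFM switches as configured on this device ($null = not configured).
    $p = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        KFMBlockOptIn      = $p.KFMBlockOptIn
        KFMSilentOptIn     = $p.KFMSilentOptIn
        KFMOptInWithWizard = $p.KFMOptInWithWizard
    }
}

function Test-KfmBlocked {
    # Compliant only when the block is set AND nothing on the same device tells the client to opt in.
    $s = Get-KfmPolicy
    ($s.KFMBlockOptIn -eq 1) -and ($null -eq $s.KFMSilentOptIn) -and ($null -eq $s.KFMOptInWithWizard)
}

function Set-KfmBlocked {
    if (-not (Test-IsElevated)) { throw 'Writing HKLM\SOFTWARE\Policies requires an elevated context.' }
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name 'KFMBlockOptIn' -PropertyType DWord -Value 1 -Force | Out-Null
    # Drop the opt-in switches so the block is never contradicted locally. If Group Policy delivers
    # them, fix the GPO instead: the next gpupdate would simply write them back.
    foreach ($name in 'KFMSilentOptIn', 'KFMOptInWithWizard') {
        Remove-ItemProperty -Path $PolicyPath -Name $name -ErrorAction SilentlyContinue
    }
}

# --- Detection ---
if (Test-KfmBlocked) {
    Write-Output 'Compliant: KFMBlockOptIn=1 and no conflicting opt-in policy.'
    exit 0
}

# --- Remediation ---
try {
    Set-KfmBlocked
}
catch {
    Write-Output "Remediation failed: $($_.Exception.Message)"
    exit 1
}

if (Test-KfmBlocked) {
    Write-Output 'Remediated: KFMBlockOptIn=1 written; restart OneDrive.exe to apply immediately.'
    exit 0
}
Write-Output 'Remediation ran but the device is still non-compliant.'
exit 1
```

The point of Test-KfmBlocked is that "KFMBlockOptIn exists" is not the compliance condition; "KFMBlockOptIn is 1 and no opt-in switch is present" is. Reporting on the weaker condition is how fleets end up believing KFM is blocked while a stray KFMSilentOptIn keeps redirecting folders.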


Method 5 — Block KFM on macOS

macOS runs the same OneDrive client but reads policy from preference domains (plists). The relevant domain is com.microsoft.OneDrive and the key is KFMBlockOptIn with a Boolean value of true. Deploy it via Jamf Pro, Intune for macOS, Kandji, or Mosyle as a configuration profile. Targeting the wrong domain, for example com.microsoft.OneDrive-mac, which belongs to the older App Store build, writes a preference the standalone client never reads, so confirm which build your fleet runs before you write the profile.

An illustrative scenario: Luis, a DevOps manager at a fintech startup, pushes a Jamf profile that sets KFMBlockOptIn=true and DisablePersonalSync=true to all macOS laptops, and also grants OneDrive the PPPC permissions it needs so the sync client still works for the shared tenant folders it is supposed to sync. A common misconception is that OneDrive on macOS has no KFM; it does, redirecting the Desktop and Documents folders, so an unmanaged Mac is as exposed as an unmanaged PC.


Method 6 — Block KFM at the Network Layer

If you cannot touch endpoints, for example contractor BYOD devices on a guest VLAN, you can block OneDrive at the firewall or secure web gateway. Microsoft’s published Microsoft 365 URLs and IP address ranges list the SharePoint Online and OneDrive endpoints in the Optimize and Allow categories. Block the tenant’s *-my.sharepoint.com hosts (OneDrive for Business) and *.onedrive.com (consumer OneDrive) at the proxy, and KFM cannot complete even if the client tries.

Going network-only also breaks legitimate OneDrive sync for users who need it, so this is a scalpel for restricted network segments, not a fleet-wide control. An illustrative scenario: Angela, a SOC analyst, uses a Zscaler URL-filter rule to block OneDrive only for the HR-Contractor group, which stops KFM without affecting full-time employees. A common misconception is that DNS sinkholing is enough; a client using encrypted DNS or a resolver you do not control bypasses it, so enforce the block at the HTTPS proxy or firewall.


Three Scenarios: What Actually Happens When You Block (or Don’t)

Admin action | Resulting behavior
KFMBlockOptIn=1 pushed via GPO to a domain-joined PC | The sync client disables the Start backup command in Settings and no longer prompts the user to move known folders; confirm in the client after it restarts.
KFMSilentOptIn and KFMBlockOptIn both enabled by mistake | The two settings contradict each other; folders may redirect anyway, creating a false sense of compliance. Fix the source policy rather than relying on either one winning.
No policy configured at all | The client may prompt the user to back up known folders after sign-in, and any user can opt in from Settings at any time.

Compliance context | Required block setting
HIPAA covered entity with commercial M365 tenant | Enable KFMBlockOptIn on all endpoints handling ePHI until OneDrive is scoped under the BAA with DLP and retention configured.
DoD contractor on CMMC Level 2 with GCC High | Allow KFM only in the GCC High tenant: restrict sign-in with AllowTenantList and enable KFMBlockOptIn on any device that syncs to a commercial tenant.
Public company preparing for SOX audit | Block KFM on finance workstations and document the control in the ITGC narrative.

User attempt | Client response with block enabled
User clicks Start backup in OneDrive Settings | The command is disabled; the client will not move known folders.
User copies Desktop contents into the OneDrive folder | The files sync like any other OneDrive content, but the known-folder path is unchanged. A user can still redirect a known folder with Explorer’s Properties → Location tab, which KFMBlockOptIn does not govern; pair it with the Desktop policy “Prohibit User from manually redirecting Profile Folders” if that bypass matters to you.
User signs in to a personal OneDrive account on the same device | Not stopped by KFMBlockOptIn; block it separately with DisablePersonalSync.

Named Examples You Can Reuse in Your Own Rollout

Maria at Northfield Memorial Hospital needs to block KFM on 2,300 clinical workstations before her next HIPAA audit. She deploys a GPO called HIPAA-OneDrive-KFM-Block, sets KFMBlockOptIn to Enabled, and uses Microsoft Purview DLP to watch for residual PHI already in OneDrive. If she skips the GPO, the likely consequence is an OCR finding and a Corrective Action Plan on top of whatever breach notification the incident itself requires.

David at Horizon Defense Systems must block KFM to the commercial tenant and allow it only in GCC High. He uses the OneDrive AllowTenantList policy (“Allow syncing OneDrive accounts for only specific organizations”) so the client can sign in only to the GCC High tenant, and enables KFMBlockOptIn on any device that still syncs to commercial. The consequence of getting this wrong is a CMMC Level 2 finding on control 3.1.3 (Control CUI Flow).

Priya at Riverside Credit Union needs GLBA-friendly defaults. She enables KFMBlockOptIn, DisablePersonalSync, and BlockExternalSync, then documents the trio in her FFIEC Cybersecurity Assessment Tool narrative. The consequence of missing any one of the three is a finding during her annual IT examination.


Mistakes to Avoid

  • Enabling KFMSilentOptIn alongside KFMBlockOptIn: the settings contradict each other, and you cannot assume the block wins.
  • Editing HKCU instead of HKLM: KFM policies are computer-scoped, so the block never activates.
  • Forgetting the Office “Restrict KFM” policy: the OneDrive client is blocked but Word/Excel still prompt users to enroll.
  • Assigning Intune policy to user groups on shared devices: the HKLM value arrives only after a targeted user signs in, leaving the device unprotected until then.
  • Skipping the central ADMX store in AD: different admins edit different versions of the policy, causing inconsistent state.
  • Not verifying the registry key and the client behaviour after gpupdate: the client applies policy on its own schedule, and many admins declare victory too early.
  • Blocking OneDrive entirely via AppLocker instead of KFM policy: legitimate tenant sync breaks and help-desk tickets explode.
  • Ignoring macOS: cross-platform fleets leave Macs backing up Desktop and Documents while Windows is locked down.
  • Allowing personal OneDrive accounts: users sign in to a personal account and trigger KFM there instead.
  • Failing to document the control: auditors require evidence, and an enabled GPO without a narrative and verification records is hard to defend in a SOC 2 Type II review.

Do’s and Don’ts

Do’s
– Do deploy KFMBlockOptIn at the device level via GPO or Intune because it is the only setting OneDrive consistently honors.
– Do pair the block with DisablePersonalSync because users will route around KFM via their personal account.
– Do test on a pilot OU first, and restart the sync client there, because a client that has not yet re-read policy can hide a misconfiguration.
– Do verify HKLM\SOFTWARE\Policies\Microsoft\OneDrive\KFMBlockOptIn = 1 on the endpoint because policy success in the admin console does not prove client honor.
– Do document the control in your compliance narrative because auditors judge by evidence, not intent.

Don’ts
– Don’t enable KFMSilentOptIn on any device where you enabled the block because the two settings contradict each other and the outcome is not something you control.
– Don’t rely on user training alone because Microsoft’s default UX actively pushes opt-in.
– Don’t block OneDrive entirely when only KFM is the concern because you lose legitimate collaboration.
– Don’t forget the Office “Restrict KFM” policy because the message bar undermines the block.
– Don’t deploy to production without a rollback GPO because reverting KFM after enrollment is painful.


Pros and Cons of Blocking KFM

Pros
– Stops uncontrolled data flow into OneDrive because KFM cannot initiate without the block permission.
– Simplifies compliance evidence because a single registry value maps to a single control.
– Reduces help-desk tickets for “my files disappeared” because users stop enrolling accidentally.
– Preserves legacy folder-redirection workflows because KFM and classic FR conflict when both run.
– Enables phased cloud adoption because you can allow KFM later on a per-OU basis.

Cons
– Users lose an easy cross-device backup because Desktop and Documents stay local.
– Device-loss risk increases because unsynced files on a lost laptop are gone.
– Admins must deploy a separate allowlist for approved users because one policy cannot allow and block simultaneously.
– Reporting requires extra tooling because the Microsoft 365 admin portals do not show per-device KFM state; you need Intune or ConfigMgr compliance data or your own registry audit.
– Support for macOS requires a separate MDM channel because Windows GPO does not cover it.


Step-by-Step: Every Setting, Every Decision

The full process has four decision points, and each has its own consequence. Decision 1: Which policy channel? GPO for AD-joined, Intune for Entra-joined, registry or PowerShell for unmanaged, plist for macOS. Pick one per device class because mixing channels on the same device creates conflicts. Decision 2: Which policies to enable together? Always enable KFMBlockOptIn; optionally add DisablePersonalSync and BlockExternalSync; never enable KFMSilentOptIn while blocking.

Decision 3: Which users and devices to target? Target devices, not users, because KFM policy is device-scoped via HKLM. Target OUs or Azure AD groups that map to risk tiers, not the whole domain, because you will need to allow KFM eventually for some roles. Decision 4: How to verify? Run gpresult /h result.html on Windows and inspect the Applied GPOs section, or check HKLM\SOFTWARE\Policies\Microsoft\OneDrive directly. On macOS, run defaults read com.microsoft.OneDrive KFMBlockOptIn and confirm the value is 1.

Skipping verification produces a silent failure: the policy appears in reporting but the client never honors it, and you discover the gap only during an audit. An illustrative scenario: Thomas, a security engineer at an insurance carrier, builds a PowerShell DSC configuration that verifies the registry value nightly and alerts on drift, which catches three workstations where a local admin had manually removed the policy key.
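Verification should answer two questions, not one: is the block in place, and have any users’ folders already been moved before it landed? The policy key answers the first; the second lives in each user’s User Shell Folders, which after KFM point under the user’s “OneDrive - <Tenant>” folder. The following is an added example, not code from the original page or from Microsoft: it audits both over PowerShell Remoting. The computer names are assumptions, WinRM must be enabled, and the remoting account needs local administrator rights on the targets.

```powershell
# Added example (not from the original page): fleet audit of KFM policy AND effective known-folder
# locations. Reads HKLM for policy and every loaded user hive under HKEY_USERS for redirection.
$Computers = @('WS-FIN-01', 'WS-FIN-02', 'WS-HR-07')   # assumed inventory; replace with yours

$AuditBlock = {
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive' -ErrorAction SilentlyContinue

    # Policy says what should happen; the loaded user hives say what already happened.
    # The remoting account's own HKCU is irrelevant here, so walk HKEY_USERS instead.
    $redirected = foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $sid = $hive.PSChildName
        if ($sid -notmatch '^S-1-5-21-[\d-]+$') { continue }   # real accounts only; skips *_Classes and service SIDs
        $usf = Get-ItemProperty "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -ErrorAction SilentlyContinue
        if (-not $usf) { continue }
        $profilePath = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid" -ErrorAction SilentlyContinue).ProfileImagePath
        $who = if ($profilePath) { Split-Path $profilePath -Leaf } else { $sid }
        # Registry value names differ from the folder names users see.
        $known = [ordered]@{ Desktop = $usf.Desktop; Documents = $usf.Personal; Pictures = $usf.'My Pictures' }
        foreach ($entry in $known.GetEnumerator()) {
            if ($entry.Value -match '\\OneDrive') { "$who/$($entry.Key)" }
        }
    }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        KFMBlockOptIn     = $policy.KFMBlockOptIn
        KFMSilentOptIn    = $policy.KFMSilentOptIn
        Blocked           = [bool](($policy.KFMBlockOptIn -eq 1) -and ($null -eq $policy.KFMSilentOptIn))
        AlreadyRedirected = (@($redirected) -join '; ')
    }
}

# Fan out in parallel; machines that cannot be reached are collected instead of aborting the run.
$results = Invoke-Command -ComputerName $Computers -ScriptBlock $AuditBlock `
    -ErrorAction SilentlyContinue -ErrorVariable unreachable

$results | Select-Object Computer, KFMBlockOptIn, KFMSilentOptIn, Blocked, AlreadyRedirected |
    Format-Table -AutoSize

# Exceptions worth a ticket: not blocked, or blocked only after folders had already moved.
$results | Where-Object { -not $_.Blocked -or $_.AlreadyRedirected } |
    Export-Csv -Path .\kfm-audit-exceptions.csv -NoTypeInformation

foreach ($err in $unreachable) {
    Write-Warning "No result from $($err.TargetObject): $($err.Exception.Message)"
}
```

Devices with Blocked = True but a non-empty AlreadyRedirected column are the ones the FAQ below warns about: the block prevents new opt-ins but leaves previously moved folders in OneDrive, so they need a separate clean-up step. Keep the CSV with the run date; it is the evidence an auditor asks for when you say the control is operating.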


Court Rulings and Regulatory Actions Worth Knowing

In 2018, Anthem Inc. paid $16 million to HHS OCR under a Resolution Agreement after a cyberattack exposed the ePHI of nearly 79 million people; OCR faulted the company’s risk analysis and access controls. In SEC v. SolarWinds Corp. (filed 2023), the SEC alleged that the company’s public statements about its security controls were misleading; a federal court dismissed most of the claims in 2024, but the case shows regulators comparing stated controls against actual practice. Neither case involved KFM, and the lesson is general: regulators focus on where the data actually is and how controls actually operate, not on where the policy says they should.

The consequence of citing “we had a policy” without evidence of enforcement is that courts and agencies treat the policy as aspirational rather than operational. A common misconception is that vendor assurances (like OneDrive’s compliance certifications) are a defense β€” they are not, because the certifications apply to the service, not to your configuration of the service.


Frequently Asked Questions

Can I block OneDrive KFM without blocking OneDrive sync entirely?

Yes. Enable KFMBlockOptIn via GPO or Intune; regular OneDrive sync for tenant files continues to work because KFM and general sync are separate features in the client.

Will blocking KFM remove files that are already synced?

No. The block only prevents new opt-ins; existing redirected folders stay in OneDrive until you manually redirect them back via the client’s Stop backup option.

Does KFMBlockOptIn work on Windows 11?

Yes. The policy is identical across Windows 10 and Windows 11, and the registry path HKLM\SOFTWARE\Policies\Microsoft\OneDrive\KFMBlockOptIn is honored on both.

Is blocking KFM required for HIPAA compliance?

No, not strictly, but it is strongly recommended unless your OneDrive tenant is explicitly scoped under a Business Associate Agreement with the correct audit, encryption, and DLP controls in place.

Can end users override a deployed KFM block?

No, not through the OneDrive UI. When the HKLM policy is set, the client disables the Start backup command, and a standard user cannot modify HKLM\SOFTWARE\Policies. A local administrator could delete the value, which is why the policy should come from GPO or Intune, so it is re-applied, and why you should audit the key rather than trust it.

Does blocking KFM affect macOS OneDrive?

Yes, but only if you also deploy the equivalent plist setting via MDM, because Windows GPO does not cross over to macOS endpoints.

Is KFMBlockOptIn the same as Folder Redirection Group Policy?

No. Classic Folder Redirection points folders to a network share, while KFM points them to OneDrive; they can conflict, so disable one before enabling the other.

Can I allow KFM for some users and block it for others?

Yes. Scope the GPO or Intune assignment to specific device groups or OUs; the policy is device-scoped, so plan around shared devices accordingly.

Will blocking KFM reduce my OneDrive storage usage?

Yes, typically, because Desktop, Documents, and Pictures contents stop flowing into cloud storage, which can free significant per-user quota on large fleets.

Do I need to restart devices after deploying the block?

No. The sync client re-reads policy when it starts and on its own refresh cycle; restart OneDrive.exe on the endpoint if you need the change to take effect immediately, and verify afterwards that the Start backup command is disabled.

Does blocking KFM stop the “BACK UP THIS DOCUMENT” prompt in Word?

No, not by itself; you must also enable the Restrict KFM from Office policy in the Office ADMX templates to suppress that specific message bar.

Can I use PowerShell to audit which devices have KFM blocked?

Yes. Run Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive" -Name KFMBlockOptIn on each device, for example through Invoke-Command over PowerShell Remoting, and aggregate the results into a compliance report; read KFMSilentOptIn at the same time so a contradicting value is caught too.