Solved: How can I prevent W11Pro users from signing into a personal Microsoft account, OneDrive, etc.?

Posted by twdal (New member, OS: Windows 11 Pro)
Scenario: Each Windows 11 Pro PC in a small 4-seat office has two local users:
  • PCADMIN has admin privs
  • (Username like "Office" or "Bookkeeping") has Regular privs
The latter User has a Microsoft 365 Business Standard account for company email, the Office Suite, and access to a single Sharepoint folder shared by the boss for document collaboration (which I believe requires that OneDrive be signed into the MS365 biz account).

The challenge is Microsoft pushing users toward signing in with a Microsoft account, displaying a tempting "Backup Files" button in File Explorer, encouraging use of a personal OneDrive, and the dastardly "Allow my organization to manage my device" option. It is like an octopus constantly trying to grab the user.

The old GPO "Accounts: Block Microsoft accounts" seems to just remove any Microsoft accounts from the Sign-in Screen; it definitely does not prevent the user from signing into OneDrive.

Any solutions?
There's a GPO to disable OneDrive access (separate from banning MS Accounts):
Depends on how much you want to block. In addition to @garlin's response, you can also block Microsoft accounts via secpol.

The GPO templates for OneDrive that come with Windows are outdated. If you grab the new templates (OneDrive.admx and the corresponding .adml) from the folder where OneDrive is installed and add them to your policy store, you get a lot more options, including:

1728504256843.png
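As an added illustration of the template step described above (this is not code from the thread or from Microsoft), the following PowerShell copies the OneDrive.admx/.adml pair from the installed OneDrive client into the local policy store so the newer OneDrive settings appear under Administrative Templates in GPEDIT. It assumes a per-machine install under "C:\Program Files\Microsoft OneDrive\<version>\adm" or a per-user install under "%LOCALAPPDATA%\Microsoft\OneDrive\<version>\adm", that the .adml shipped beside the .admx is the en-US one, and that it is run from an elevated prompt (the policy store is under %SystemRoot%).

```powershell
# Added example, not part of the original thread.
# Locate the OneDrive client's "adm" folder and copy its ADMX/ADML into the local policy store.
# Assumptions: install roots below; versioned subfolder names like "24.xxx.xxxx.xxxx"; en-US .adml.

$candidates = @(
    "$env:ProgramFiles\Microsoft OneDrive",      # per-machine install (assumed path)
    "$env:LOCALAPPDATA\Microsoft\OneDrive"       # per-user install (assumed path)
)

$admDir = $null
foreach ($root in $candidates) {
    if (-not (Test-Path $root)) { continue }
    # Pick the highest version folder that actually carries adm\OneDrive.admx.
    $ver = Get-ChildItem -Path $root -Directory |
        Where-Object {
            $_.Name -match '^\d+(\.\d+)+$' -and
            (Test-Path (Join-Path $_.FullName 'adm\OneDrive.admx'))
        } |
        Sort-Object { [version]$_.Name } -Descending |
        Select-Object -First 1
    if ($ver) { $admDir = Join-Path $ver.FullName 'adm'; break }
}
if (-not $admDir) { throw 'OneDrive adm folder not found under the assumed install roots.' }

$store = Join-Path $env:SystemRoot 'PolicyDefinitions'
$langStore = Join-Path $store 'en-US'   # .adml files are language-specific (assumption: en-US)
if (-not (Test-Path $langStore)) { New-Item -Path $langStore -ItemType Directory | Out-Null }

Copy-Item -Path (Join-Path $admDir 'OneDrive.admx') -Destination $store -Force
Copy-Item -Path (Join-Path $admDir 'OneDrive.adml') -Destination $langStore -Force

Write-Host "Copied OneDrive templates from $admDir to $store (reopen gpedit.msc to see them)."
```

Because the client updates itself and the version folder name changes, re-running this after an update keeps the policy store in step with the settings the installed client understands.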
Thanks to all three of you for responding!

The tutorial @garlin referred to says to go to this section in GPEDIT:

Code:
Computer Configuration > Administrative Templates > Windows Components > OneDrive

whereas

@pseymour points to this section in his screenshot:

Code:
Computer Configuration > Administrative Templates > OneDrive

Am I correct in guessing that adding the OneDrive admx/adml files per @pseymour's suggestion gave OneDrive its own section, and that I can use GPOs in either section?

@dacrone, my concern about using "Accounts: Block Microsoft Accounts" is an article that Google found, where enabling the GPO for that in

Code:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

will disable "Windows 10 Synchronization". I don't know if that applies to Windows 11 or to OneDrive, but if the latter I definitely need the MS365 OneDrive to sync the Sharepoint folder.

Otherwise, the list of what this SECPOL prevents is compelling.

block microsoft accounts.png

I'm always looking out for unintended consequences.

Thank you again.
@pseymour's ADMX template adds on extra domain-level settings. The lowest level "Windows Components > OneDrive" still applies as an absolute on/off switch, if needed.

If your client wants to use O365 services, allowing MSA sign-on is mandatory. But the OneDrive service can be disabled on its own, regardless of whether they're logged on with an MSA. For the domain-level controls, you need to know what type of domain they are signed up for (tenant vs. personal) to see whether the policy is applicable or not.
@garlin, thank you for the clarification. The only O365 service my client needs is OneDrive/Sharepoint. They will not be using Entra ID.

An earlier test today revealed that even after enabling "Accounts: Block Microsoft Accounts" using GPEDIT I was able to perform the initial OneDrive setup. So am I correct in understanding that tasks like signing into OneDrive or signing into Word will NOT be prevented if I enable that GPO? When you wrote, "If your client wants to use O365 services, allowing MSA sign-on is mandatory", please cite an example of what services will be impacted.
I'm presuming for Sharepoint, they're using their MS Account to get access since they're not Entra ID. So you can't disable MS Account for them.
@pseymour's ADMX template adds on extra domain-level settings. The lowest level "Windows Components > OneDrive" still applies as an absolute on/off switch, if needed.

If your client wants to use O365 services, allowing MSA sign-on is mandatory. But OneDrive service can be disabled on its own, regardless of whether they're logged on with MSA. For the domain level controls, you need to know what type of domain are they signed up for (tenant vs. Personal) to see if the policy is applicable or not.
They're not domain-level settings, whatever that means. They control the OneDrive client whether you're connected to a domain or not.
Solution possibly found

I enabled this GPO.

Local Group Policy > Computer Configuration > Administrative Templates > Windows Components > Microsoft Account > Block all consumer Microsoft account user authentication.

I also have configured this GPO:
Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Accounts: Block Microsoft Accounts = Users can't add or log on with Microsoft accounts.
I did this because it prevents someone from creating a new Microsoft User Profile. If this GPO is not enabled, you can create one but then that user cannot sign in because of the "Block all consumer..." GPO.

As a result, if a user tries to sign into OneDrive using an MS account they're blocked. They CAN sign in to OneDrive if they use an MS365 for Biz account, which is what I want. User compliance with other prompts/promotions to sign in or switch to using a Microsoft account are also blocked.

I welcome other people testing to verify that this works and to find any unintended consequences.
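For anyone taking up the request to test this, the following PowerShell is an added example (not code from the thread) that reads the registry values behind the policies discussed in this thread and reports whether each PC matches the settings chosen above. The registry paths and value names are the documented backing values for these Group Policy settings; the expected values encode the thread's choices: consumer MSA authentication blocked, "Accounts: Block Microsoft accounts" at its strongest setting, personal OneDrive sync blocked by the newer OneDrive template, and the blunt "Prevent the usage of OneDrive for file storage" policy left off so the MS365 business OneDrive can still sync the SharePoint folder. Run it from an elevated prompt on each machine after a `gpupdate /force`.

```powershell
# Added example, not part of the original thread: audit the local policy registry values
# behind the GPOs discussed above. Paths/value names are the policies' documented backing
# values; "Expected" is what this thread settled on, not a Microsoft default.

$checks = @(
    @{
        Name     = 'Block all consumer Microsoft account user authentication'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount'
        Value    = 'DisableUserAuth'
        Expected = 1          # 1 = enabled
    },
    @{
        Name     = 'Accounts: Block Microsoft accounts'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Value    = 'NoConnectedUser'
        Expected = 3          # 1 = cannot add MSAs; 3 = cannot add or log on with MSAs
    },
    @{
        Name     = 'OneDrive: Prevent users from syncing personal OneDrive accounts'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
        Value    = 'DisablePersonalSync'
        Expected = 1          # newer OneDrive.admx setting
    },
    @{
        Name     = 'OneDrive: Prevent the usage of OneDrive for file storage'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
        Value    = 'DisableFileSyncNGSC'
        Expected = 0          # must stay off (or absent) so the business OneDrive still syncs
    }
)

function Get-PolicyState {
    param([hashtable]$Check)

    $actual = $null
    if (Test-Path $Check.Path) {
        $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($Check.Value) }
    }

    # An absent value counts as compliant only when the expectation is "off" (0).
    $compliant = ($actual -eq $Check.Expected) -or
                 ($null -eq $actual -and $Check.Expected -eq 0)

    [pscustomobject]@{
        Policy    = $Check.Name
        Actual    = if ($null -eq $actual) { 'Not configured' } else { $actual }
        Expected  = $Check.Expected
        Compliant = $compliant
    }
}

$results = $checks | ForEach-Object { Get-PolicyState -Check $_ }
$results | Format-Table -AutoSize

if ($results.Compliant -contains $false) {
    Write-Warning 'One or more policies differ from the expected state.'
}
```

The fourth check is the one to watch for unintended consequences: if a tutorial led you to enable "Prevent the usage of OneDrive for file storage", the OneDrive client is switched off entirely, which also stops the MS365 business sync this thread needs.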