OneDrive Outlook Security Policies Troubleshooting with Event Logs Registry | Intune

OneDrive Office 365 Security Policies Troubleshooting

In this post, I will try to explain OneDrive Outlook Security Policies Troubleshooting with Event Logs Registry. The easiest and best way to configure Outlook security policies using Intune administrative template policies.

The following are the three policies that I configured to prevent the users from configuring personal account sync with OneDrive.

  • Prevent adding non-default Exchange account – Enabled
  • Prevent users from syncing personal OneDrive accounts – Enabled
  • Prevent users from adding e-mail account types – Enabled

NOTE! – Before the introduction of Administrative templates, we used to go through a very painful process to find the OMA-URI, CSP, string values, etc… as explained in the post – https://www.anoopcnair.com/restrict-personal-email-sync-intune/

Prevent users from syncing personal OneDrive accounts

This policy setting lets you block users from signing in with a Microsoft account to sync their personal OneDrive files. More details about enabling or disable options of this policy.

  • If you enable this setting, users will be prevented from setting up a sync relationship for their personal OneDrive account.
  • Users who are already syncing their personal OneDrive when you enable this setting won’t be able to continue syncing (and will be shown a message that syncing has stopped), but any files synced to the computer will remain on the computer.
  • If you disable or do not configure this setting, users can sync their personal OneDrive accounts.
OneDrive Outlook Security Policies Troubleshooting - OneDrive Outlook Security Policies Troubleshooting with Event Logs Registry
OneDrive Outlook Security Policies Troubleshooting – OneDrive Outlook Security Policies Troubleshooting with Event Logs Registry

Prevent adding non-default Exchange account

This policy allows you to prevent users from adding non-default Exchange accounts to existing Outlook profiles.

  • If you enable this policy setting, you will prevent users from adding non-default Exchange accounts via the Add New E-mail Account wizard.
  • If you disable or do not configure this policy setting, users can add non-default Exchange accounts to existing Outlook profiles.
OneDrive Office 365 Security Policies Troubleshooting - OneDrive Office 365 Security Policies Troubleshooting with Event Logs Registry
OneDrive Outlook Security Policies Troubleshooting – OneDrive Office 365 Security Policies Troubleshooting with Event Logs Registry

Prevent users from adding e-mail Account Types

Disables/Enables the option for adding an e-mail account of the associated type in the Server Types page of the E-mail Accounts dialog box. The following are the policy settings which I used to prevent users from adding personal email account types.

  • Prevent users from adding Exchange e-mail accounts
  • Prevent users from adding Exchange ActiveSync e-mail accounts
  • Prevent users from adding POP3 e-mail accounts
  • Prevent users from adding IMAP e-mail accounts
  • Prevent users from adding other types of e-mail accounts
Prevent users from adding e-mail Account Types
Prevent users from adding e-mail Account Types

Event Logs

Event IDs – 873, 866, 831, & 814 for Disable OneDrive personal sync.

Event ID 873 - MDM PolicyManager: ADMX ingestion starting new Admx ingestion. EnrollmentId (AAB267BF-EBF2-4649-822C-74511A4CC253), app name (OneDriveNGSCv2), setting type (Policy), unique Id (OneDriveNGSCv2).
Event ID 866 - MDM PolicyManager: ADMX Ingestion: EnrollmentId (AAB267BF-EBF2-4649-822C-74511A4CC253), app name (OneDriveNGSCv2), setting type (Policy), unique Id (OneDriveNGSCv2), area (NULL).
Event ID 814 - MDM PolicyManager: Set policy string, Policy: (DisablePersonalSync), Area: (OneDriveNGSCv2~Policy~OneDriveNGSC), EnrollmentID requesting merge: (AAB267BF-EBF2-4649-822C-74511A4CC253), Current User: (S-1-12-1-1245278575-1092210432-2695042466-3045220724), String: (), Enrollment Type: (0x6), Scope: (0x1).
Event ID 831 - MDM PolicyManager: Dedicated non-cached delayed notification (WNF): (0xA3BC10F5, 0xD891E2A) published for Policy: (DisablePersonalSync) in Area (OneDriveNGSCv2~Policy~OneDriveNGSC).

Event IDs 831, 814 for outlook configuration – L_Preventusersfromaddingemailaccounttypes

L_Preventusersfromaddingemailaccounttypes
L_Preventusersfromaddingemailaccounttypes
Event ID -  MDM PolicyManager: Set policy string, Policy: (L_Preventusersfromaddingemailaccounttypes), Area: (outlk16v2~Policy~L_MicrosoftOfficeOutlook~L_Miscellaneous), EnrollmentID requesting merge: (AAB267BF-EBF2-4649-822C-74511A4CC253), Current User: (S-1-12-1-1245278575-1092210432-2695042466-3045220724), String: (<enabled/><data id="L_PreventusersfromaddingExchangeemailaccounts" value="true" /><data id="L_PreventusersfromaddingEASemailaccounts" value="true" /><data id="L_PreventusersfromaddingPOP3emailaccounts" value="true" /><data id="L_PreventusersfromaddingIMAPemailaccounts" value="true" /><data id="L_Preventusersfromaddingothertypesofemailaccounts" value="true" />), Enrollment Type: (0x6), Scope: (0x1).
Event ID 831 - MDM PolicyManager: Dedicated non-cached delayed notification (WNF): (0xA3BC10F5, 0xD891E2A) published for Policy: (L_Preventusersfromaddingemailaccounttypes) in Area (outlk16v2~Policy~L_MicrosoftOfficeOutlook~L_Miscellaneous).

Registry Entry – OneDrive Outlook Security Policies

The following is the registry entry for OneDrive policy configuration. This helps you to validate to troubleshoot the issues related.

  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\AAB267BF-EBF2-4649-822C-74511A4CC253\default\S-1-12-1-1245278575-1092210432-2695042466-3045220724\OneDriveNGSCv2~Policy~OneDriveNGSC
OneDrive policy configuration - OneDrive Office 365 Security Policies Troubleshooting with Event Logs Registry
OneDrive policy configuration – OneDrive Outlook Security Policies Troubleshooting with Event Logs Registry

The following is the registry entry for Microsoft Office Outlook to Prevent users from adding email account types. This helps you to validate to troubleshoot the issues related.

  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\AAB267BF-EBF2-4649-822C-74511A4CC253\default\S-1-12-1-1245278575-1092210432-2695042466-3045220724\outlk16v2~Policy~L_MicrosoftOfficeOutlook~L_Miscellaneous
L_Preventusersfromaddingemailaccounttypes ==> <enabled/><data id="L_PreventusersfromaddingExchangeemailaccounts" value="true" /><data id="L_PreventusersfromaddingEASemailaccounts" value="true" /><data id="L_PreventusersfromaddingPOP3emailaccounts" value="true" /><data id="L_PreventusersfromaddingIMAPemailaccounts" value="true" /><data id="L_Preventusersfromaddingothertypesofemailaccounts" value="true" />
Microsoft Office Outlook Prevent users from adding email account types
Microsoft Office Outlook Prevent users from adding email account types

The following is the registry entry for Microsoft Office Outlook Prevent Nondefault Exchange Accounts. This helps you to validate to troubleshoot the issues related.

  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\AAB267BF-EBF2-4649-822C-74511A4CC253\default\S-1-12-1-1245278575-1092210432-2695042466-3045220724\outlk16v2~Policy~L_MicrosoftOfficeOutlook~L_ToolsAccounts~L_Exchangesettings
Microsoft Office Outlook Prevent Nondefault Exchange Accounts
Microsoft Office Outlook Prevent Nondefault Exchange Accounts

Results – Intune Reports

I can see the policies got successfully deployed to 2 of the devices (Azure AD joined and Azure AD registered). It got failed on Azure AD Joined device probably because I logged in with local user account to that device.

OneDrive Office 365 Security Policies Troubleshooting with Event
OneDrive Outlook Security Policies Troubleshooting with Event

Resources

Leave a Comment

Your email address will not be published. Required fields are marked *