Title

The use of personal accounts for OneDrive synchronization must be disabled. (Cat II impact)

Discussion

OneDrive provides access to external services for data storage, which must be restricted to authorized instances. Enabling this setting will prevent the use of personal OneDrive accounts for synchronization.

Check Content

If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_CURRENT_USER Registry Path: \Software\Policies\Microsoft\OneDrive\ Value Name: DisablePersonalSync Value Type: REG_DWORD Value: 0x00000001 (1)

Fix Text

Configure the policy value for User Configuration >> Administrative Templates >> OneDrive >> "Prevent users from syncing personal OneDrive accounts" to "Enabled". Group policy files for OneDrive are located on a system with OneDrive in "%localappdata%\Microsoft\OneDrive\BuildNumber\adm\". Copy the OneDrive.admx and .adml files to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.

Additional Identifiers

Rule ID: SV-230564r918123_rule

Vulnerability ID: V-230564

Group Title: SRG-APP-000141

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.