This article will cover how to setup an application level policy for Windows 10.


  • A Microsoft 365 Business User
  • Global administrator credentials for Microsoft 365
  • Encrypting File System (EFS) Data Recovery Agent (DRA) Certificate. Please see this¬†Microsoft Document on how to set this up

The Process

  • Locate the Device policies card
  • Click Add policy

  • Enter a policy name
  • In Policy type, choose Application Management for Windows 10
  • In Device type, choose either Personal or Company Owned
  • 'Encrypt work files' and 'Prevent users from copying company data to personal files and force them to save work files to OneDrive for Business' are on by default, change this if you would like
  • Click on the down arrow next to 'Recover data on Windows devices'. You will need to create a Encrypting File System (EFS) Data Recovery Agent (DRA) Certificate, see the document linked in Requirements above

  • Click on the down arrow next to 'Protect additional network and cloud locations' if you want to add additional domains or SharePoint Online locations to make sure that files in all the listed apps will be protected. If you need to enter more than one item for either field, use a semicolon (;) between the items

  • Click Change next to 'Who will get these settings?' if you want to set something other than All users
  • Click Add