You can’t save work files here and other assorted errors


When you use App Protection Policies in Intune for Windows 10 devices you will want to ring fence your applications and to manage and protect your organization’s data within an application.

When creating the App Protection rule you’ll add in the apps you want to protect. I have a simple example as part of my Keep it Simple with Intune series here.

As you can see below, I have attempted to save my Word file to OneDrive storage. Since I have added OneDrive to my App Protection Policy as a Protected App, along with my Microsoft 365 apps, then the document can only be saved as a Work document.

Note also, that the File Ownership is set on all files and folders in OneDrive as company protected.

When atttempting to save the file I received the following error.

You can't save the work here. Please choose another location, or change the file to Personal.

If I try and save via the Save icon in Word I received a slightly different error.

The file can only be saved to a work location. Please save it in a location that your organization has approved for work files.

And, if I try to open a document I will get the error.

This file can only be openeded from a work location. Please move it to a location that your organization has approved for work files.

If you take a look in Task Manager, under the Details tab, you can turn on the column for Enterprise context. Here you can see that both Word and OneDrive are using the Enterprise context.

So what’s going on here. Well as part of the App Protection Policy configuration you need to set up your network boundary and define the cloud resources based on the applications being used. Microsoft has a list of the URLs which need to be defined here.

For OneDrive we need to tap into the Sharepoint Online URLs which are listed as follows:

  • contoso.sharepoint.com
  • contoso-my.sharepoint.com
  • contoso-files.sharepoint.com

Obviously we need to swap out contoso with our own domain details. These will be the domain you use in your onmicrosoft.com address.

As you can see from my App Protection Policy, I don’t have a network bounday configured. Network boundary – 0 configued, hence my problem.

So edit your Advanced settings and click the +Add link under Any network boundaries you add will show up here.

Chosse Cloud resources from the Boundary type and give the rule a Name.

Add in the URLs you need in the Value section, separated by a Pipe | and also add /*AppCompat*/ to the end of your rules.

So for example:

domain.sharepoint.com|domain-my.sharepoint.com|domain-files.sharepoint.com|/*AppCompat*/

The rule will be validated so any syntax problems will be result in a warning message.

With the rule defined and devices synched to pick up the policies, you’ll be able to save your work documents in the OneDrive storage as you originally intended.

One comment

  1. Okay, so i followed the step and I am still seeing this issue, Is there any tips on getting devices to sync. I think i may be having the problem because I am using an unenrolled device. I really don’t want to use Intune (it is causing nothing but issues for our small org. But I seem to be thrown into it anyway.

    Anyway, i made the changes above tp the app policy for unenrolled devices. i have rebooted a few times. i am still getting the error. I have double-checked the urls.

    i cant seem to find any other information about the error except this article. Would you have any other ideas?

Leave a Reply to Jeff Williams Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s