A OneDrive feature that automatically redirects common user folders such as Desktop and Documents into cloud storage. In security terms, it can convert files that appear to be local into centrally accessible content, which changes the exposure model for secrets and other sensitive data.
Expanded Definition
Known Folder Move is a Microsoft OneDrive feature that redirects the user's Desktop, Documents, and Pictures folders into the OneDrive sync root. Explorer and the known-folder APIs keep resolving "Documents" and "Desktop" for the user, so nothing looks different on the endpoint, even though the underlying path now sits under OneDrive and the contents are uploaded to the tenant. In security terms, data that once lived only on a local machine becomes centrally synchronised, searchable, recoverable across devices, and subject to the tenant's sharing and retention settings.
For NHI and secrets governance, the important distinction is not the backup function itself, but the exposure model it creates. A file containing an API key, certificate, or token can become accessible through synced storage, shared device profiles, retention tools, or downstream collaboration features. Definitions vary across vendors on where the boundary sits between endpoint storage, cloud storage, and managed content, so practitioners should treat Known Folder Move as a data-movement control with identity implications, not just a convenience feature. The NIST Cybersecurity Framework 2.0 is useful here because it frames the need to identify where sensitive data resides, protect it consistently, and govern access over time. The most common misapplication is assuming a local folder remains local after redirection, which occurs when administrators enable folder sync without reviewing what files users already stored there.
Examples and Use Cases
Implementing Known Folder Move rigorously often introduces user experience and data-governance tradeoffs, requiring organisations to weigh seamless recovery and mobility against broader content exposure and policy complexity.
- A developer saves a CI token in Documents, then Known Folder Move syncs it into OneDrive, making it recoverable from multiple endpoints and retention layers.
- A remote worker uses Desktop for working files, and a misconfigured sharing policy exposes screenshots containing credentials or temporary access links.
- An incident responder reviews endpoint artefacts, only to find the relevant evidence has already migrated into a cloud workspace with separate audit and legal-hold requirements.
- An identity team aligns folder redirection with the governance guidance in the Ultimate Guide to NHIs to reduce the chance that secrets live in unmanaged user locations.
- A security architect maps the storage path to NIST Cybersecurity Framework 2.0 outcomes so endpoint sync settings, DLP, and access reviews stay aligned.
In practice, the term is also used in documentation about backup, migration, and device onboarding, but those adjacent uses are not identical. Folder redirection, cloud backup, and managed sync may overlap operationally while carrying different control expectations for retention, access, and incident response.
Why It Matters in NHI Security
Known Folder Move matters because secrets are often stored wherever users feel comfortable, not where controls are strongest. When those folders are redirected into cloud storage, the risk shifts from a single endpoint compromise to a broader access problem involving sync services, shared devices, account recovery, and inherited permissions. That is why it belongs in NHI governance conversations even though it is usually described as a productivity feature.
The NHI risk is amplified by the fact that the Ultimate Guide to NHIs reports that 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools. If those same secrets are also sitting in redirected user folders, the organisation gains convenience while expanding the number of places a compromised credential can surface. Security teams should therefore pair folder redirection with DLP, endpoint classification, and explicit bans on storing credentials in user directories. The operational lesson is straightforward: if a folder is a landing zone for secrets, it needs the same governance as a vault-adjacent system. Organisations typically discover this only after a leak, at which point the redirected folders, their sync history, and their version and recycle-bin retention become part of the investigation and containment scope.
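The two checks this section and the definition above call for, finding out which known folders are no longer local and finding out what credentials already sit in them, can be combined into one audit. The Python below is an added example, not code from this page or from Microsoft. It reads the `User Shell Folders` registry values that Known Folder Move rewrites (the value names `Desktop`, `Personal`, and `My Pictures` are the real ones; the values are supplied as a constructed export rather than read live with `winreg`), decides which known folders now resolve under a OneDrive sync root, and scans constructed sample files for credential patterns, tagging each hit with whether the secret is now reachable through the sync service. The tenant name Contoso, the user alice, the file contents, the pattern set, and the rule that a sync root directory name begins with `OneDrive` are all assumptions.

```python
import re
from pathlib import PureWindowsPath

# Value names under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
# for the three folders Known Folder Move can redirect, mapped to their friendly names.
KNOWN_FOLDERS = {"Desktop": "Desktop", "Personal": "Documents", "My Pictures": "Pictures"}

# Constructed sample of those registry values after KFM has moved Desktop and Documents
# into a business OneDrive sync root while Pictures stayed local. Tenant name is assumed.
SAMPLE_USER_SHELL_FOLDERS = {
    "Desktop": r"%USERPROFILE%\OneDrive - Contoso\Desktop",
    "Personal": r"%USERPROFILE%\OneDrive - Contoso\Documents",
    "My Pictures": r"%USERPROFILE%\Pictures",
}

# Constructed sample files (path -> content). No real credentials: the AWS value is the
# documented placeholder key and the GitHub token is a made-up string of the right shape.
SAMPLE_FILES = {
    r"C:\Users\alice\OneDrive - Contoso\Documents\deploy-notes.txt":
        "Release job needs this\nCI_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n",
    r"C:\Users\alice\OneDrive - Contoso\Desktop\aws.env":
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    r"C:\Users\alice\OneDrive - Contoso\Documents\agenda.txt":
        "Retention review, sync cadence, DLP rollout\n",
    r"C:\Users\alice\Pictures\scratch.txt":
        "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
}

# Illustrative detection rules, not a complete DLP rule set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?[A-Za-z0-9_\-/+=]{16,}"),
}


def resolve_known_folders(shell_folders, profile=r"C:\Users\alice"):
    """Expand each known-folder registry value and decide whether it now lives under a
    OneDrive sync root. Returns {friendly_name: (path, cloud_backed)}.
    Assumption: the sync root directory name begins with 'OneDrive', the default naming
    for both personal ('OneDrive') and business ('OneDrive - <Tenant>') accounts."""
    resolved = {}
    for value_name, friendly in KNOWN_FOLDERS.items():
        raw = shell_folders.get(value_name)
        if raw is None:
            continue
        path = raw.replace("%USERPROFILE%", profile)
        cloud_backed = any(part.lower().startswith("onedrive")
                           for part in PureWindowsPath(path).parts)
        resolved[friendly] = (path, cloud_backed)
    return resolved


def scan_text(content):
    """Return [(line_number, kind)] for every secret pattern that matches a line."""
    findings = []
    for number, line in enumerate(content.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((number, kind))
    return findings


def folder_for(path, resolved):
    """Name the known folder a file sits under, or None if it is somewhere else."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    for friendly, (folder, _) in resolved.items():
        folder_parts = [p.lower() for p in PureWindowsPath(folder).parts]
        if parts[:len(folder_parts)] == folder_parts:
            return friendly
    return None


def audit(shell_folders, files, profile=r"C:\Users\alice"):
    """Join the two views: which known folders are cloud-backed, and which files inside
    them hold credentials. Each finding records whether the secret is now reachable
    through the sync service rather than only on the endpoint."""
    resolved = resolve_known_folders(shell_folders, profile)
    findings = []
    for path, content in files.items():
        folder = folder_for(path, resolved)
        if folder is None:
            continue
        cloud_backed = resolved[folder][1]
        for line, kind in scan_text(content):
            findings.append({"path": path, "folder": folder, "line": line,
                             "kind": kind, "cloud_backed": cloud_backed})
    return findings


def cloud_exposed(findings):
    """The subset a secrets-governance team must treat as already off the endpoint."""
    return [f for f in findings if f["cloud_backed"]]


if __name__ == "__main__":
    for f in audit(SAMPLE_USER_SHELL_FOLDERS, SAMPLE_FILES):
        where = "synced to OneDrive" if f["cloud_backed"] else "local only"
        print(f"{f['kind']:22} {f['folder']:9} line {f['line']}  {where}  {f['path']}")
```

On a real endpoint the dictionary would come from reading the `User Shell Folders` key for each profile and walking the resolved paths on disk; the point of separating `resolve_known_folders` from `scan_text` is that the same scan result means something different once the folder is cloud-backed, which is exactly the distinction the misapplication above loses.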
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 (Secret Leakage) | Secrets left in user folders are a leakage path, and folder redirection widens where they can be read from. |
| NIST CSF 2.0 | PR.DS | Data security outcomes apply to synced folders that may contain sensitive material. |
| NIST Zero Trust (SP 800-207) | Section 3 | Storage location is not evidence of legitimate access; every request to synced content is evaluated against policy at access time. |
Do not trust folder location alone; enforce authentication, authorisation, and data controls at access time.
Reviewed and updated by the NHIMG editorial team on May 16, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org