Action Required – Configure Browser Policy to Preserve OneDrive and SharePoint Web Performance and Offline Capability

Message Center ID: MC1150662
SharePoint Online Microsoft OneDrive
preventOrFixIssue
User impact Admin impact
September 2025 October 2025

Summary

Chromium browsers will restrict local network access, causing OneDrive and SharePoint web apps to prompt users for permission, impacting performance and offline use. Admins must configure the LocalNetworkAccessAllowedForUrls policy to pre-authorize trusted domains, preventing prompts and preserving functionality before Chromium 142 rollout in October 2025.

Details

Updated October 20, 2025: We have updated the content to correctly reference Chromium 142. Thank you for your patience. 

[Introduction]

Upcoming privacy-related changes in Chromium-based browsers (Google Chrome and Microsoft Edge) will increase restrictions on local network access. When enforcement begins, users accessing OneDrive for Web (and some integrated Microsoft 365 experiences such as Microsoft Lists and SharePoint Document Libraries) will encounter a browser permission prompt for local network access unless the required policy is in place. If the permission is not allowed, performance optimizations and offline capabilities powered by OneDrive and SharePoint will not be available. This communication provides required administrator actions to prevent loss of functionality.

[When this will happen:]

Chrome and Edge will roll out this privacy-related change as part of Chromium 142 at the end of October 2025 (previously end of September).

[How this will affect your organization:]

  1. Who is affected:
    • All users accessing OneDrive for Web, Microsoft Lists, and SharePoint Document Libraries via Chrome or Edge browsers.
    • Admins managing browser policies for Windows, macOS, and VDI environments.
  2. What will happen:

    If no action is taken:

    • Users will see a new browser prompt requesting permission for local network access when opening OneDrive for Web and Lists.
    • If users do not click Allow, the following results occur on that device:
      • Performance acceleration will not be available (loss of faster data access behavior).
      • Offline functionality in OneDrive Web will not be available.
    • The experience will be slower and less resilient, and helpdesk contacts will increase due to unexpected prompts and missing offline capability.

    When the recommended browser policy is deployed in advance, the prompt is suppressed for the specified trusted Microsoft 365 endpoints, and existing performance and offline behavior are preserved. The policy prevents loss of existing capability and avoids user confusion.

[What you need to do to prepare:]

  1. Identify Required Domains
    1. Include your organization’s SharePoint Online and OneDrive endpoints, for example: https://YOURTENANT-my.sharepoint.com or https://YOURTENANT.sharepoint.com
    2. Add additional sanctioned SharePoint Online host variations if applicable (e.g., specialized cloud environments). Avoid overly broad wildcards—conform to internal security governance.
  2. Configure Browser Policy
    1. Set the Chromium policy LocalNetworkAccessAllowedForUrls (Chrome Enterprise / Edge policy) to pre-authorize the listed domains.
    2. Apply via: ADMX / JSON for Windows; plist or configuration profile for macOS (Chrome and Edge).
    3. Roll out to all managed device groups (Windows, macOS, VDI as applicable).
    4. Even if the following policies are currently enabled by policy, deploy the allow-list to prevent future prompts and avoid user confusion.
      1. DisableNucleusSync
      2. DisableOfflineMode
  3. Remediation for Users Who Already Clicked Block
    1. Deploying the managed LocalNetworkAccessAllowedForUrls policy will override any prior per-user deny state and enforce the allow setting once the policy is applied to the device/profile; no end-user action is required after policy propagation.
    2. If you need immediate remediation before policy reaches the device, have the user open the affected OneDrive site, use the site (lock) icon, reset or change the local/network device access permission to Allow, then refresh.
  4. Ensure your Sync Client is updated to v.25.164
    1. Per machine SKU: The Sync client will automatically apply the required permissions and policies for existing users in Chrome and Edge—no user action is needed.
    2. Per user SKU: The Sync client will prompt users via a Windows Toast notification to enable these permissions. Users should follow the notification instructions to complete setup.
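
An added example, not part of the Microsoft notice: a Python script that vets a candidate allow-list against the guidance in steps 1 and 2 (explicit HTTPS tenant origins, no wildcards, placeholder replaced) and renders the LocalNetworkAccessAllowedForUrls value as JSON, as a Windows .reg file for Chrome or Edge, and as a macOS plist. The tenant name contoso, the function names and the rule of accepting only hosts under .sharepoint.com are assumptions made for illustration.

```python
"""Vet a LocalNetworkAccessAllowedForUrls allow-list and render it per platform."""
import json
import plistlib
import re
from urllib.parse import urlsplit

POLICY = "LocalNetworkAccessAllowedForUrls"  # policy name from the notice
# Machine-wide policy registry roots for the two browsers the notice covers.
REG_ROOTS = {
    "chrome": r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome",
    "edge": r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge",
}
# Assumption: only commercial-cloud SharePoint Online hosts are sanctioned.
# Extend deliberately if your governance approves other host variations.
SANCTIONED_SUFFIX = ".sharepoint.com"
TENANT_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?")


def validate_entry(url):
    """Return the normalized https origin, or raise ValueError with the reason."""
    url = url.strip()
    if "*" in url:
        raise ValueError("wildcard pattern; list each tenant host explicitly")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("scheme must be https")
    if parts.username or parts.password or parts.port:
        raise ValueError("credentials or explicit port not expected")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("entry must be a bare origin, not a page URL")
    host = parts.hostname or ""  # urlsplit lowercases the host
    if not host.endswith(SANCTIONED_SUFFIX):
        raise ValueError("host is outside the sanctioned suffix")
    label = host[: -len(SANCTIONED_SUFFIX)]
    if not TENANT_LABEL.fullmatch(label):
        raise ValueError("expected exactly one tenant label before the suffix")
    if label.startswith("yourtenant"):
        raise ValueError("placeholder from the notice was not replaced")
    return f"https://{host}"


def review(candidates):
    """Split candidates into (accepted origins, [(entry, reason), ...])."""
    accepted, rejected = [], []
    for entry in candidates:
        try:
            origin = validate_entry(entry)
        except ValueError as exc:
            rejected.append((entry, str(exc)))
            continue
        if origin not in accepted:  # drop duplicates, keep first-seen order
            accepted.append(origin)
    return accepted, rejected


def as_json(origins):
    """JSON form of the policy value."""
    return json.dumps({POLICY: origins}, indent=2)


def as_reg(origins, browser):
    """Windows .reg text; a list policy is a subkey holding values named 1, 2, ..."""
    lines = ["Windows Registry Editor Version 5.00", "",
             f"[{REG_ROOTS[browser]}\\{POLICY}]"]
    lines += [f'"{i}"="{origin}"' for i, origin in enumerate(origins, 1)]
    return "\r\n".join(lines) + "\r\n"


def as_plist(origins):
    """macOS plist payload (domain com.google.Chrome or com.microsoft.Edge)."""
    return plistlib.dumps({POLICY: origins}).decode("utf-8")


# Constructed sample input: "contoso" is a made-up tenant name.
SAMPLE = [
    "https://contoso.sharepoint.com",
    "https://contoso-my.sharepoint.com/",
    "https://CONTOSO.sharepoint.com",              # duplicate after normalization
    "https://*.sharepoint.com",                    # overly broad wildcard
    "http://contoso.sharepoint.com",               # not https
    "https://YOURTENANT-my.sharepoint.com",        # placeholder copied from the notice
    "https://contoso.sharepoint.com.example.net",  # look-alike host
]

if __name__ == "__main__":
    ok, bad = review(SAMPLE)
    for entry, reason in bad:
        print(f"REJECTED {entry}: {reason}")
    print(as_json(ok))
    print(as_reg(ok, "edge"))
    print(as_plist(ok))
```

Run the review step in change control before the list reaches Group Policy or a configuration profile, so that a rejected entry blocks the rollout instead of widening the allow-list.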

[Compliance considerations:]

Compliance Area | Explanation
Alters how existing customer data is accessed | Local network access impacts how OneDrive and SharePoint optimize performance and offline access to cached data.
Includes admin control | Admins can configure the LocalNetworkAccessAllowedForUrls policy and deploy it via group policy or configuration profiles.
Can be controlled through Entra ID group membership | Policy deployment can be scoped to device groups managed via Entra ID.
Allows user to enable/disable feature | Users can manually allow or block local network access via browser prompts if policy is not enforced.

    Change History

    October 20, 2025 at 8:36 PM Updated
    Summary
    Previous
    Chromium browsers will restrict local network access, causing OneDrive and SharePoint web apps to prompt users for permission, impacting performance and offline use. Admins must configure the LocalNetworkAccessAllowedForUrls policy to pre-authorize trusted domains, preventing prompts and preserving functionality before Chromium 141 rollout in October 2025.
    New
    Chromium browsers will restrict local network access, causing OneDrive and SharePoint web apps to prompt users for permission, impacting performance and offline use. Admins must configure the LocalNetworkAccessAllowedForUrls policy to pre-authorize trusted domains, preventing prompts and preserving functionality before Chromium 142 rollout in October 2025.
    Last Updated Date
    Previous
    2025-10-03T15:17:59.430Z
    New
    2025-10-20T19:07:20.943Z
    Body Content
    Previous

    Updated October 3, 2025: We have updated the timeline. Thank you for your patience. 

    [Introduction]

    Upcoming privacy-related changes in Chromium-based browsers (Google Chrome and Microsoft Edge) will increase restrictions on local network access. When enforcement begins, users accessing OneDrive for Web (and some integrated Microsoft 365 experiences such as Microsoft Lists and SharePoint Document Libraries) will encounter a browser permission prompt for local network access unless the required policy is in place. If the permission is not allowed, performance optimizations and offline capabilities powered by OneDrive and SharePoint will not be available. This communication provides required administrator actions to prevent loss of functionality.

    [When this will happen:]

    Chrome and Edge will roll out this privacy-related change as part of Chromium 141 at the end of October 2025 (previously end of September).

    [How this will affect your organization:]

    1. Who is affected:
      • All users accessing OneDrive for Web, Microsoft Lists, and SharePoint Document Libraries via Chrome or Edge browsers.
      • Admins managing browser policies for Windows, macOS, and VDI environments.
    2. What will happen:

      If no action is taken:

      • Users will see a new browser prompt requesting permission for local network access when opening OneDrive for Web and Lists.
      • If users do not click Allow, the following results occur on that device:
        • Performance acceleration will not be available (loss of faster data access behavior).
        • Offline functionality in OneDrive Web will not be available.
      • The experience will be slower and less resilient, and helpdesk contacts will increase due to unexpected prompts and missing offline capability.

      When the recommended browser policy is deployed in advance, the prompt is suppressed for the specified trusted Microsoft 365 endpoints, and existing performance and offline behavior are preserved. The policy prevents loss of existing capability and avoids user confusion.

      [What you need to do to prepare:]

      1. Identify Required Domains
        1. Include your organization’s SharePoint Online and OneDrive endpoints, for example: https://YOURTENANT-my.sharepoint.com or https://YOURTENANT.sharepoint.com
        2. Add additional sanctioned SharePoint Online host variations if applicable (e.g., specialized cloud environments). Avoid overly broad wildcards—conform to internal security governance.
      2. Configure Browser Policy
        1. Set the Chromium policy LocalNetworkAccessAllowedForUrls (Chrome Enterprise / Edge policy) to pre-authorize the listed domains.
        2. Apply via: ADMX / JSON for Windows; plist or configuration profile for macOS (Chrome and Edge).
        3. Roll out to all managed device groups (Windows, macOS, VDI as applicable).
        4. Even if the following policies are currently enabled by policy, deploy the allow-list to prevent future prompts and avoid user confusion.
          1. DisableNucleusSync
          2. DisableOfflineMode
      3. Remediation for Users Who Already Clicked Block
        1. Deploying the managed LocalNetworkAccessAllowedForUrls policy will override any prior per-user deny state and enforce the allow setting once the policy is applied to the device/profile; no end-user action is required after policy propagation.
        2. If you need immediate remediation before policy reaches the device, have the user open the affected OneDrive site, use the site (lock) icon, reset or change the local/network device access permission to Allow, then refresh.
      4. Ensure your Sync Client is updated to v.25.164
        1. Per machine SKU: The Sync client will automatically apply the required permissions and policies for existing users in Chrome and Edge—no user action is needed.
        2. Per user SKU: The Sync client will prompt users via a Windows Toast notification to enable these permissions. Users should follow the notification instructions to complete setup.

      [Compliance considerations:]

      Compliance Area | Explanation
      Alters how existing customer data is accessed | Local network access impacts how OneDrive and SharePoint optimize performance and offline access to cached data.
      Includes admin control | Admins can configure the LocalNetworkAccessAllowedForUrls policy and deploy it via group policy or configuration profiles.
      Can be controlled through Entra ID group membership | Policy deployment can be scoped to device groups managed via Entra ID.
      Allows user to enable/disable feature | Users can manually allow or block local network access via browser prompts if policy is not enforced.
        October 3, 2025 at 4:30 PM Updated
        Summary
        Previous
        Chromium browsers will restrict local network access, causing OneDrive, SharePoint, and Microsoft Lists web apps to prompt users for permission. Without admin-configured browser policies allowing trusted Microsoft 365 domains, users will lose performance and offline capabilities. Admins must deploy the LocalNetworkAccessAllowedForUrls policy before Chromium 141 rollout in late September.
        New
        Chromium browsers will restrict local network access, causing OneDrive and SharePoint web apps to prompt users for permission, impacting performance and offline use. Admins must configure the LocalNetworkAccessAllowedForUrls policy to pre-authorize trusted domains, preventing prompts and preserving functionality before Chromium 141 rollout in October 2025.
        Last Updated Date
        Previous
        2025-09-15T13:12:52.783Z
        New
        2025-10-03T15:17:59.430Z
        Body Content
        Previous

        Updated September 15, 2025: We have updated the content. Thank you for your patience.

        [Introduction]

        Upcoming privacy-related changes in Chromium-based browsers (Google Chrome and Microsoft Edge) will increase restrictions on local network access. When enforcement begins, users accessing OneDrive for Web (and some integrated Microsoft 365 experiences such as Microsoft Lists and SharePoint Document Libraries) will encounter a browser permission prompt for local network access unless the required policy is in place. If the permission is not allowed, performance optimizations and offline capabilities powered by OneDrive and SharePoint will not be available. This communication provides required administrator actions to prevent loss of functionality.

        [When this will happen:]

        Chrome and Edge will roll out this privacy-related change as part of Chromium 141 at the end of September.

        [How this will affect your organization:]

        1. Who is affected:
          • All users accessing OneDrive for Web, Microsoft Lists, and SharePoint Document Libraries via Chrome or Edge browsers.
          • Admins managing browser policies for Windows, macOS, and VDI environments.
        2. What will happen:

          If no action is taken:

          • Users will see a new browser prompt requesting permission for local network access when opening OneDrive for Web and Lists.
          • If users do not click Allow, the following results occur on that device:
            • Performance acceleration will not be available (loss of faster data access behavior).
            • Offline functionality in OneDrive Web will not be available.
          • The experience will be slower and less resilient, and helpdesk contacts will increase due to unexpected prompts and missing offline capability.

          When the recommended browser policy is deployed in advance, the prompt is suppressed for the specified trusted Microsoft 365 endpoints, and existing performance and offline behavior are preserved. The policy prevents loss of existing capability and avoids user confusion.

          [What you need to do to prepare:]

          1. Identify Required Domains
            1. Include your organization’s SharePoint Online and OneDrive endpoints, for example: https://YOURTENANT-my.sharepoint.com or https://YOURTENANT.sharepoint.com
            2. Add additional sanctioned SharePoint Online host variations if applicable (e.g., specialized cloud environments). Avoid overly broad wildcards—conform to internal security governance.
          2. Configure Browser Policy
            1. Set the Chromium policy LocalNetworkAccessAllowedForUrls (Chrome Enterprise / Edge policy) to pre-authorize the listed domains.
            2. Apply via: ADMX / JSON for Windows; plist or configuration profile for macOS (Chrome and Edge).
            3. Roll out to all managed device groups (Windows, macOS, VDI as applicable).
            4. Even if the following policies are currently enabled by policy, deploy the allow-list to prevent future prompts and avoid user confusion.
              1. DisableNucleusSync
              2. DisableOfflineMode
          3. Remediation for Users Who Already Clicked Block
            1. Deploying the managed LocalNetworkAccessAllowedForUrls policy will override any prior per-user deny state and enforce the allow setting once the policy is applied to the device/profile; no end-user action is required after policy propagation.
            2. If you need immediate remediation before policy reaches the device, have the user open the affected OneDrive site, use the site (lock) icon, reset or change the local/network device access permission to Allow, then refresh.
          4. Ensure your Sync Client is updated to v.25.164
            1. Per machine SKU: The Sync client will automatically apply the required permissions and policies for existing users in Chrome and Edge—no user action is needed.
            2. Per user SKU: The Sync client will prompt users via a Windows Toast notification to enable these permissions. Users should follow the notification instructions to complete setup.

          [Compliance considerations:]

          Compliance Area | Explanation
          Alters how existing customer data is accessed | Local network access impacts how OneDrive and SharePoint optimize performance and offline access to cached data.
          Includes admin control | Admins can configure the LocalNetworkAccessAllowedForUrls policy and deploy it via group policy or configuration profiles.
          Can be controlled through Entra ID group membership | Policy deployment can be scoped to device groups managed via Entra ID.
          Allows user to enable/disable feature | Users can manually allow or block local network access via browser prompts if policy is not enforced.
            September 15, 2025 at 2:30 PM Updated
            Summary
            Previous
            Chromium browsers will restrict local network access, prompting users for permission when accessing OneDrive, SharePoint, and Microsoft Lists. Without configuring the LocalNetworkAccessAllowedForUrls policy to pre-authorize trusted domains, users will face slower performance and loss of offline capabilities. Admins must deploy this policy before the change rolls out in Chromium 141 at September's end.
            New
            Chromium browsers will restrict local network access, causing OneDrive, SharePoint, and Microsoft Lists web apps to prompt users for permission. Without admin-configured browser policies allowing trusted Microsoft 365 domains, users will lose performance and offline capabilities. Admins must deploy the LocalNetworkAccessAllowedForUrls policy before Chromium 141 rollout in late September.
            Last Updated Date
            Previous
            2025-09-09T23:08:35.023Z
            New
            2025-09-15T13:12:52.783Z
            Tags
            Previous
            User impact,Admin impact
            New
            Updated message,User impact,Admin impact
            Body Content
            Previous

            [Introduction]

            Upcoming privacy-related changes in Chromium-based browsers (Google Chrome and Microsoft Edge) will increase restrictions on local network access. When enforcement begins, users accessing OneDrive for Web (and some integrated Microsoft 365 experiences such as Microsoft Lists and SharePoint Document Libraries) will encounter a browser permission prompt for local network access unless the required policy is in place. If the permission is not allowed, performance optimizations and offline capabilities powered by OneDrive and SharePoint will not be available. This communication provides required administrator actions to prevent loss of functionality.

            [When this will happen:]

            Chrome and Edge will roll out this privacy-related change as part of Chromium 141 at the end of September.

            [How this will affect your organization:]

            • Who is affected:
              • All users accessing OneDrive for Web, Microsoft Lists, and SharePoint Document Libraries via Chrome or Edge browsers.
              • Admins managing browser policies for Windows, macOS, and VDI environments.
            • What will happen:

              If no action is taken:

              • Users will see a new browser prompt requesting permission for local network access when opening OneDrive for Web and Lists.
              • If users do not click Allow, the following results occur on that device:
                • Performance acceleration will not be available (loss of faster data access behavior).
                • Offline functionality in OneDrive Web will not be available.
              • The experience will be slower and less resilient, and helpdesk contacts will increase due to unexpected prompts and missing offline capability.

              When the recommended browser policy is deployed in advance, the prompt is suppressed for the specified trusted Microsoft 365 endpoints, and existing performance and offline behavior are preserved. The policy prevents loss of existing capability and avoids user confusion.

              [What you need to do to prepare:]

              1. Identify Required Domains
                1. Include your organization’s SharePoint Online and OneDrive endpoints, for example: https://YOURTENANT-my.sharepoint.com or https://YOURTENANT.sharepoint.com
                2. Add additional sanctioned SharePoint Online host variations if applicable (e.g., specialized cloud environments). Avoid overly broad wildcards—conform to internal security governance.
              2. Configure Browser Policy
                1. Set the Chromium policy LocalNetworkAccessAllowedForUrls (Chrome Enterprise / Edge policy) to pre-authorize the listed domains.
                2. Apply via: ADMX / JSON for Windows; plist or configuration profile for macOS (Chrome and Edge).
                3. Roll out to all managed device groups (Windows, macOS, VDI as applicable).
                4. Even if the following policies are currently enabled by policy, deploy the allow-list to prevent future prompts and avoid user confusion.
                  1. DisableNucleusSync
                  2. DisableOfflineMode
              3. Remediation for Users Who Already Clicked Block
                1. Deploying the managed LocalNetworkAccessAllowedForUrls policy will override any prior per-user deny state and enforce the allow setting once the policy is applied to the device/profile; no end-user action is required after policy propagation.
                2. If you need immediate remediation before policy reaches the device, have the user open the affected OneDrive site, use the site (lock) icon, reset or change the local/network device access permission to Allow, then refresh.

            [Compliance considerations:]

            Compliance Area | Explanation
            Alters how existing customer data is accessed | Local network access impacts how OneDrive and SharePoint optimize performance and offline access to cached data.
            Includes admin control | Admins can configure the LocalNetworkAccessAllowedForUrls policy and deploy it via group policy or configuration profiles.
            Can be controlled through Entra ID group membership | Policy deployment can be scoped to device groups managed via Entra ID.
            Allows user to enable/disable feature | Users can manually allow or block local network access via browser prompts if policy is not enforced.
            New

            Updated September 15, 2025: We have updated the content. Thank you for your patience.

            [Introduction]

            Upcoming privacy-related changes in Chromium-based browsers (Google Chrome and Microsoft Edge) will increase restrictions on local network access. When enforcement begins, users accessing OneDrive for Web (and some integrated Microsoft 365 experiences such as Microsoft Lists and SharePoint Document Libraries) will encounter a browser permission prompt for local network access unless the required policy is in place. If the permission is not allowed, performance optimizations and offline capabilities powered by OneDrive and SharePoint will not be available. This communication provides required administrator actions to prevent loss of functionality.

            [When this will happen:]

            Chrome and Edge will roll out this privacy-related change as part of Chromium 141 at the end of September.

            [How this will affect your organization:]

            If no action is taken:


            1. Who is affected:
              • All users accessing OneDrive for Web, Microsoft Lists, and SharePoint Document Libraries via Chrome or Edge browsers.
              • Admins managing browser policies for Windows, macOS, and VDI environments.
            2. What will happen:

              If no action is taken:

              • Users will see a new browser prompt requesting permission for local network access when opening OneDrive for Web and Lists.
              • If users do not click Allow, the following results occur on that device:
                • Performance acceleration will not be available (loss of faster data access behavior).
                • Offline functionality in OneDrive Web will not be available.
              • The experience will be slower and less resilient, and helpdesk contacts will increase due to unexpected prompts and missing offline capability.

              When the recommended browser policy is deployed in advance, the prompt is suppressed for the specified trusted Microsoft 365 endpoints, and existing performance and offline behavior are preserved. The policy prevents loss of existing capability and avoids user confusion.

              [What you need to do to prepare:]

              1. Identify Required Domains
                1. Include your organization’s SharePoint Online and OneDrive endpoints, for example: https://YOURTENANT-my.sharepoint.com or https://YOURTENANT.sharepoint.com
                2. Add additional sanctioned SharePoint Online host variations if applicable (e.g., specialized cloud environments). Avoid overly broad wildcards—conform to internal security governance.
              2. Configure Browser Policy
                1. Set the Chromium policy LocalNetworkAccessAllowedForUrls (Chrome Enterprise / Edge policy) to pre-authorize the listed domains.
                2. Apply via: ADMX / JSON for Windows; plist or configuration profile for macOS (Chrome and Edge).
                3. Roll out to all managed device groups (Windows, macOS, VDI as applicable).
                4. Even if the following policies are currently enabled, deploy the allow-list to prevent future prompts and avoid user confusion.
                  1. DisableNucleusSync
                  2. DisableOfflineMode
              3. Remediation for Users Who Already Clicked Block
                1. Deploying the managed LocalNetworkAccessAllowedForUrls policy will override any prior per-user deny state and enforce the allow setting once the policy is applied to the device/profile; no end-user action is required after policy propagation.
                2. If you need immediate remediation before policy reaches the device, have the user open the affected OneDrive site, use the site (lock) icon, reset or change the local/network device access permission to Allow, then refresh.
              4. Ensure your Sync Client is updated to v.25.164
                1. Per machine SKU: The Sync client will automatically apply the required permissions and policies for existing users in Chrome and Edge—no user action is needed.
                2. Per user SKU: The Sync client will prompt users via a Windows Toast notification to enable these permissions. Users should follow the notification instructions to complete setup.
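
The "Identify Required Domains" and "Configure Browser Policy" steps above can be gated by a pre-deployment check. The following is an added example, not Microsoft's tooling: it vets candidate allow-list entries (rejecting wildcards, unreplaced placeholders and look-alike hosts) and emits the policy as a name-to-list JSON object. The function names, the `contoso` tenant and the commercial-cloud `sharepoint.com` suffix are assumptions.

```python
import json
import re
from urllib.parse import urlsplit

# Assumption: commercial-cloud hosts only (<tenant>.sharepoint.com and
# <tenant>-my.sharepoint.com); extend for other sanctioned cloud suffixes.
TENANT_HOST = re.compile(r"[a-z0-9][a-z0-9-]*\.sharepoint\.com")

def check_entry(entry):
    """Return None when the entry is acceptable, else the rejection reason."""
    if "*" in entry:
        return "wildcard: list each tenant host explicitly"
    try:
        parts = urlsplit(entry)
    except ValueError:
        return "not a parseable URL"
    host = parts.hostname or ""
    if parts.scheme != "https":
        return "scheme must be https"
    if entry.rstrip("/").lower() != "https://" + host:
        return "origin only: drop userinfo, port, path and query"
    if "yourtenant" in host:
        return "placeholder tenant name was not replaced"
    if not TENANT_HOST.fullmatch(host):
        return "host is not a single-label tenant under sharepoint.com"
    return None

def build_policy(candidates):
    """Split candidates into a policy dict and an {entry: reason} reject map."""
    accepted, rejected = [], {}
    for raw in candidates:
        entry = raw.strip()
        reason = check_entry(entry)
        if reason:
            rejected[raw] = reason
            continue
        origin = "https://" + urlsplit(entry).hostname
        if origin not in accepted:
            accepted.append(origin)
    return {"LocalNetworkAccessAllowedForUrls": accepted}, rejected

# Constructed sample input; "contoso" stands in for a real tenant name.
CANDIDATES = [
    "https://contoso.sharepoint.com", "https://contoso-my.sharepoint.com/",
    "https://*.sharepoint.com", "https://YOURTENANT-my.sharepoint.com",
    "http://contoso.sharepoint.com", "*",
    "https://contoso.sharepoint.com.example.net",
]

if __name__ == "__main__":
    print(json.dumps(build_policy(CANDIDATES), indent=2))
```

Only the two explicit tenant origins reach the policy list; the rejected map records why each other entry was dropped, which can be attached to the change request before the ADMX, plist or configuration profile is built.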

              [Compliance considerations:]

              | Compliance Area | Explanation |
              | --- | --- |
              | Alters how existing customer data is accessed | Local network access impacts how OneDrive and SharePoint optimize performance and offline access to cached data. |
              | Includes admin control | Admins can configure the LocalNetworkAccessAllowedForUrls policy and deploy it via group policy or configuration profiles. |
              | Can be controlled through Entra ID group membership | Policy deployment can be scoped to device groups managed via Entra ID. |
              | Allows user to enable/disable feature | Users can manually allow or block local network access via browser prompts if policy is not enforced. |
