Recently, a lot of my colleagues have had this query: how can I block the C drive for users while they can still access Desktop, Downloads, Network and other folders? 🤔 This requirement comes mainly from users of AVD, Windows 365 or Parallels Desktop, basically virtual machine users.
This becomes an important requirement for organisations that depend largely on virtual machines or use shared desktops. The C drive also needs protecting from malicious files, viruses and other attacks, and some schools need to protect the OS drive from students who try to test and experiment on it.
Basically the requirement is - "Protect C drive from users and block the access"😯
I have seen a lot of blogs and a lot of scripts used to block C drive access. Some import ADMX GPO settings and convert them to a configuration profile. These are all good posts, and all the approaches are correct depending on your requirement. In this post I will show you another easy way to prevent access to the C drive while access to the desktop and other folders stays fine and there are no issues with OneDrive. I don't push any settings for OneDrive, nor do I touch it. It was already on the device, and after applying these settings it was still working.
I have tested these settings on an AVD running Windows 10 22H2 and on Parallels Desktop running Windows 11 22H1. Both worked like a charm.☺️
Let's start with creating the settings.
Open Intune portal and navigate to Devices --> Windows --> Configuration profiles --> Create Profile --> Windows 10 and later --> Settings catalog --> Provide proper Name & Description of the setting --> Click on Add Settings
This opens Settings Picker --> type File Explorer and select Administrative Templates\Windows Components\File Explorer
From the above select the 2 settings marked by checking them and then click on X button to close settings picker
Next, enable "Hide these specified drives in My computer (User)". This opens a drop-down; select the drive which you want to hide. I selected the C drive.
After this I selected another setting to hide the Manage item and enabled it; you can leave it out if you want.
Once again open the Settings picker and select another setting to block recent items. I felt this was necessary because if recent files are available, people can still access the C drive through them, and I want to block that.
Open Settings Picker and go to Administrative templates\ Windows Components\File Explorer\Common Open File Dialog
From above select Hide the dropdown list of recent files (User)
Save these settings and assign them to a user group. It is very important to assign the profile to a user group, otherwise the settings will fail, as these are all user-based settings.
So my first set of settings is done: I now have settings to hide the C drive, but that does not meet my requirement to block access. A user who is a bit technical can still reach the C drive from File Explorer by typing it, or from Run in the Start menu.
Now I will create another set of settings to block access to the C drive and remove Run from the Start menu. Blocking Run from the Start menu actually helps a lot, as most technical people might use Run to launch a lot of programs and drives.
Navigate to Devices --> Windows --> Configuration profile --> Create Profile --> Windows 10 and later --> Settings catalog --> Provide Name & description --> Add Settings
This opens the Settings picker again. Go to File Explorer and select Set Allowed Folder Locations (User).
When you enable this you get a drop-down to select the folders which you want to allow the user to access. Choose according to your requirement; I selected Desktop, Documents, Pictures, Downloads and Network as the allowed folder locations for the user.
Once this is done, we want to create another setting for allowed storage locations, as follows.
Open the Settings picker again, go to File Explorer and select Set Allowed Storage Locations (User).
Again, you will have a drop-down of options to select from; select based on your requirements. I selected Local Drives, which I feel is the best option as it allows you to store your files on the local drives.
I also need to block Run in the Start menu, so I open the Settings picker and navigate to Administrative Templates\Start Menu and Taskbar. Select Remove Run menu from Start menu (User).
Enable the settings as below
Create this bundle of settings and assign it again to the similar user group.
Once we have applied these settings, it took me one reboot, one sync and 15 minutes for them to apply to the user. When I log into Windows with my test user, I have the experience below in File Explorer.
As you can see, I am unable to see the C drive or This PC, and the allowed folders are Desktop, Downloads, Documents, Pictures and Network.
If I had OneDrive enabled on this account, that would work too; unfortunately I can't provide that screenshot for security reasons.
If you try to type the C drive path in Explorer and access it, you will see the error below.
If I try to access Run from the Start menu, I see the error below.
Even if I try to save something to the C drive, I am unable to do it.
But saving to Desktop or the other folders is allowed, yes.
You can also see that the policies created are applied to the user successfully, which is why I can find the user logged in and saw these blocked.
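A client-side check of the user-scoped settings above, as an added example that is not part of the original post; run it in the test user's session. It assumes the ADMX-backed settings land in the standard Group Policy registry values under HKCU (NoDrives, NoManageMyComputerVerb, NoRun, NoFileMru); Set Allowed Folder Locations and Set Allowed Storage Locations are not checked here.

```powershell
# Added example: confirm the user-scoped Explorer policies reached this user.
# Assumption: the settings are written to the classic Group Policy registry
# values under HKCU, as they are when delivered by on-premises Group Policy.

function ConvertFrom-NoDrivesMask {
    # NoDrives is a bitmask: bit 0 = A:, bit 1 = B:, bit 2 = C: ... bit 25 = Z:
    param([Parameter(Mandatory)][int]$Mask)
    @(foreach ($i in 0..25) {
        if ($Mask -band (1 -shl $i)) { [string][char](65 + $i) }
    })
}

function Get-PolicyValue {
    # Returns the registry value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$comdlg   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32'

# Drive hiding: decode the mask and require that C is among the hidden letters.
$noDrives = Get-PolicyValue -Path $explorer -Name 'NoDrives'
$hidden   = if ($null -ne $noDrives) { ConvertFrom-NoDrivesMask -Mask $noDrives } else { @() }

$results = @([pscustomobject]@{
    Setting = 'Hide these specified drives in My Computer'
    Value   = "NoDrives=$noDrives (hidden: $($hidden -join ','))"
    Applied = ($hidden -contains 'C')
})

# Simple on/off policies: the value must exist and equal 1.
$flags = @(
    @{ Setting = 'Hide the Manage item';                      Path = $explorer; Name = 'NoManageMyComputerVerb' },
    @{ Setting = 'Remove Run menu from Start menu';           Path = $explorer; Name = 'NoRun' },
    @{ Setting = 'Hide the dropdown list of recent files';    Path = $comdlg;   Name = 'NoFileMru' }
)
foreach ($f in $flags) {
    $v = Get-PolicyValue -Path $f.Path -Name $f.Name
    $results += [pscustomobject]@{
        Setting = $f.Setting; Value = "$($f.Name)=$v"; Applied = ($v -eq 1)
    }
}

$results | Format-Table -AutoSize
```

A row with Applied = False right after assignment usually means the profile has not synced yet or was assigned to a device group instead of a user group.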
Great, so we achieved what we wanted without any major issues. I hope this helps you a lot if you have a requirement similar to mine.😎
That's it from my side this time, see you soon with new content. Cheers🍻