Blocking access to the C drive

Block C:\ drive by setting Shared PC in Configuration Profiles - Link
- Note that this blocks local caching of OneDrive for Business files

Prevent Run command via PowerShell - Link - Users - run in 64 bit
Hide the C: drive - Link

======================================================================

Working on Vanilla machine

Script Name - Block_C_Drive_Explorer.ps1

Set-executionpolicy bypass
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoRun /t REG_DWORD /d 1
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoDrives /t REG_DWORD /d 4
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoFileUrl /t REG_DWORD /d 1
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search /V SearchboxTaskbarMode /t REG_DWORD /d 0
shutdown -r -t 00


To gain access if needed -
PowerShell -
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search /V SearchboxTaskbarMode /t REG_DWORD /d 2

Restart the device

This enables the Search Bar.
You can then access C:\ and Regedit from the Search Bar


Testing
Assigned to user04 - member of the group - AAD_Sec_User_Script_Block_C_Drive_Run_Explorer
Device 3211 - member of AAD_Sec_Device_Script_Block_C_Drive_Run_Explorer

Script set to NOT run as logged on user
Device should reboot automatically as part of the script.

Shows as Failed.
Diagnostics created


Saturday - 5:30


=======================================================================

Updated script deployment properties -


Updated User group to include user03

Logged on as user03

Failed

======================================================================

Updated script - removed the set-executionpolicy

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoRun /t REG_DWORD /d 1
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoDrives /t REG_DWORD /d 4
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoFileUrl /t REG_DWORD /d 1
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search /V SearchboxTaskbarMode /t REG_DWORD /d 0
shutdown -r -t 00

Updated deployment -
Run as logged in user - NO

Added user pilot02
Restarted device - logged in as pilot02



====================================================================

Created intunewin

Added user - user01

Script -
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoRun /t REG_DWORD /d 1







=============================================================

Two line version - Needs Reboot to apply

New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Force

New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name NoRun -Value 1 -PropertyType DWORD -Force




========================================================================

Block C drive in Explorer - Link

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoRun /t REG_DWORD /d 1
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoDrives /t REG_DWORD /d 4
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoFileUrl /t REG_DWORD /d 1
shutdown -r -t 00

Remove the Search Bar - Link
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search /V SearchboxTaskbarMode /t REG_DWORD /d 0

Block C drive - Working
Device - ADMIN-942333211

Script name - Block_C_Drive.ps1
Assigned to device group

Script -
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name NoDrives -Value 4 -PropertyType DWORD -Force




=======================================================================
 
New PowerShell test -
Disable Run command - two line script - Link

=======================================================================

PowerShell script - Disable Run Command - No groups assigned.







======================================================================

Prevent Run -



Combos -

Run as user - Yes - Assign to Devices - 64 bit No - Needs reboot
Run as user - Yes - Assign to Users - 64 bit No - Next
Run as user - Yes - Assign to Both - 64 bit No - Reboot - Fails

Run as user - Yes - Assign to Devices - 64 bit Yes
Run as user - Yes - Assign to Users - 64 bit Yes - Fails
Run as user - Yes - Assign to Both - 64 bit Yes



Run as user - No - Assign to Devices - 64 bit No
Run as user - No - Assign to Users - 64 bit No
Run as user - No - Assign to Both - 64 bit No

Run as user - No - Assign to Devices - 64 bit Yes
Run as user - No - Assign to Users - 64 bit Yes
Run as user - No - Assign to Both - 64 bit Yes


Script - Disable_Run_Command.ps1
New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Force
New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name NoRun -Value 1 -PropertyType DWORD -Force

=======================================================================

Working PowerShell -
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoRun /t REG_DWORD /d 1


New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Force

New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name NoRun -Value 1 -PropertyType DWORD -Force



New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name NoDrives -Value 4 -PropertyType DWORD -Force



Disable Run - HKCU - Apply to group of computers and group of users
Run in 64 bit

Devices - Scripts -


Add - Windows 10


Name -
Windows 10 Corporate - Block C drive and Run command

Description -
PowerShell script to block the C drive and Run command

Next



Script location - Browse for and select the script we created
Run this script using the logged on credentials - Yes
Enforce script signature check - No
Run script in 64 bit PowerShell host - No


Assignments -
Add groups -


Search for and select the groups to be assigned the PowerShell script.
In this example, I am selecting the groups
AAD_Sec_Device_Category_Windows10_Corporate
AAD_Sec_User_Windows10_Corporate
Select


The Assignments will update
Next


Review and add -
Add




Result -

Hide C drive via Registry key - Link

What I've done for our shared devices is create a registry key with PowerShell, all in HKEY_LOCAL_MACHINE.
Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Create a new DWORD: NoDrives
Value data (for C drive): 4
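
Added example (not part of the original notes or the quoted post): a PowerShell audit for the values these scripts write. It decodes the NoDrives bitmask (bit 0 = A, so C = 4), reports NoRun, NoDrives and NoFileUrl from both HKCU and HKLM, and prints the account and bitness it ran under, since HKCU: is the hive of whichever account runs the script. The function names are hypothetical; the registry paths and value names are the ones on this page.

```powershell
# Added example: audit of the Explorer restrictions discussed on this page.
# Function names are hypothetical; paths and value names come from the page.

function ConvertTo-NoDrivesMask {
    param([Parameter(Mandatory)][char[]]$Letter)
    # NoDrives is a bitmask: A = bit 0, B = bit 1, C = bit 2, ... Z = bit 25
    $mask = 0
    foreach ($l in $Letter) {
        $i = [int][char]::ToUpperInvariant($l) - [int][char]'A'
        if ($i -lt 0 -or $i -gt 25) { throw "Not a drive letter: $l" }
        $mask = $mask -bor (1 -shl $i)
    }
    $mask
}

function ConvertFrom-NoDrivesMask {
    param([Parameter(Mandatory)][int]$Mask)
    # Return the drive letters whose bit is set in the mask
    0..25 | Where-Object { $Mask -band (1 -shl $_) } | ForEach-Object { [char](65 + $_) }
}

function Get-ExplorerRestriction {
    $names = 'NoRun', 'NoDrives', 'NoFileUrl'
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key   = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($n in $names) {
            # $null means the value (or the whole key) is absent in this hive
            $v = if ($props -and $props.PSObject.Properties[$n]) { $props.$n } else { $null }
            [pscustomobject]@{
                Hive   = $hive
                Name   = $n
                Value  = $v
                Hidden = if ($n -eq 'NoDrives' -and $null -ne $v) {
                             (ConvertFrom-NoDrivesMask $v) -join ','
                         } else { '' }
            }
        }
    }
}

# Execution context: shows which account's hive HKCU: refers to in this run
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
"Running as {0} ({1}), 64-bit process: {2}" -f $id.Name, $id.User.Value, [Environment]::Is64BitProcess
# Mask for hiding C only, to compare with the value the page's scripts write
"NoDrives mask for C only: {0}" -f (ConvertTo-NoDrivesMask 'C')
Get-ExplorerRestriction | Format-Table -AutoSize
```

NoDrives only hides the drive letter in File Explorer, so this confirms that the Explorer restriction is present, not that the files are unreachable.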






https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/38025277-onedrive-kfm-hide-c-drive-as-default-windows-10 

Profile applies to users - so apply to a user group -

User Config > Policies > Admin Templates > Windows Components > File Explorer > Hide these specified drives in My Computer - Set to restrict C drive only

User Config > Policies > Admin Templates > Start Menu and Taskbar > Remove Run menu from Start Menu - Set to enabled

=====================================================================

Shared PC blocks C drive, but also blocks OneDrive for Business