Use Intune to Block Access to the C Drive
Blocking the C drive has always been one of the common restrictions that Group Policy admins enforced for standard user accounts. There are multiple reasons for restricting access to the C Drive for non admin users.
- The first is system stability because it prevents basic users from accessing, altering, or deleting critical system files on their computers, thus minimizing potential issues that disrupt desktop operations and initiate a help desk ticket.
- It reduces the chances of malware being introduced into the system and prevents users from installing unauthorized applications, opening suspicious files or clicking on malicious executables.
- Blocking the C drive in some cases may be required by compliance regulations to restrict user access to certain system resources.
- Keeping users out of the C drive can potentially simplify troubleshooting as it eliminates user file tampering.
- For shared desktop computers it can help protect the data of other users who have logged onto the device
Because Intune uses many of the same Windows Administrative Templates, it is easy to block C Drive access with Intune as well. Using the Microsoft Intune admin center, go to Devices > Configuration Profiles and click “Create profile.” Select “Windows 10 and later” as the Platform and Administrative Templates as the profile. Name the configuration profile and go to User Configuration > Windows Components > File Explorer as shown in the screenshot below.
Scroll down through the settings and select “Prevent access to drives from My Computer” and choose Enabled. You can then select the drives you wish to block access to as shown below.
Click OK and click next. Then assign the configuration profile to the designated groups and you are done.