Prevent Users from Saving Files on Local Drives and Desktop using Intune MEM Policies

Let’s check how to prevent users from saving files on local drives and the desktop. Other policies help you hide and disable all items on the desktop. You will have to combine more than one policy to get a comprehensive solution.

The best option to configure all these policies is to use the Intune Settings Catalog. You also get a new option called Duplicate to create a copy of an existing Settings Catalog profile.

You can prevent users from using My Computer to gain access to the content of selected drives. If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders or access the contents.

Another policy explained in this post helps to remove icons, shortcuts, and other default and user-defined items from the desktop. This includes Briefcase, Recycle Bin, Computer, and Network Locations. Deploying all these policies together will give you a complete solution. Check out the conclusion section to get more details.

NOTE! – But I should warn all the admins here that you are not giving an optimal end-user experience when you configure all these policies. You will have to find a better balance between security and end-user experience.

Intune Policy to Prevent Users from Saving Files on Local Drives

Let’s see how to configure an Intune policy to prevent users from saving files on local drives. Let’s start creating the Intune policy straightaway.

You can perform registry changes to achieve the same results, but I wouldn’t recommend doing the registry hack when a better option is available for you. You can also perform the policy deployments using Group Policy from Active Directory.

This policy configuration walkthrough is done from the Intune MEM admin center portal.

  • Log in to the Endpoint Manager Intune portal https://endpoint.microsoft.com/#home
  • Navigate to Devices -> Windows -> Configuration profiles.
  • Click on +Create Profile.

The Intune policy creation process is called profile creation. You can change policies from the Create Profile blade. Don’t worry about the preview tag next to Settings catalog. Microsoft fully supports this type of policy.

  • Platform: Select Windows 10 and later.
  • Profile: Select Settings catalog.

Click on the Create button. For example, you have to select the platform Windows 10 and later. You can enter details such as the name of the policy and its settings on the next screens.

Once you click on the Create button on the above page, you will need to enter the Name and Description of the settings catalog policy.

Enter the name of the policy: Name – Restrict Users to Store Data in Local Drive Hide Desktop Files. Then click on the Next button to continue. I recommend using detailed descriptions so that colleagues can easily understand the details.

You can click on the +Add Settings link to bring up the new blade of the policy configuration wizard. This link opens a new blade called the Settings Picker, which has a search box.

Settings catalog – With the settings catalog, you can choose which settings you want to configure. Click on Add settings to browse or search the catalog for the settings you want to configure.

NOTE! – Settings picker – Use commas “,” among search terms to look up settings by their keywords. In this scenario, I used Prevent access to Drives from my Computer as a keyword.

The Browse by category in the Settings catalog is – Administrative Templates\Windows Components\File Explorer

1 result in the “File Explorer” subcategory – Select the settings catalog policy to prevent or disable access to local drives.
Setting name – Prevent access to drives from My Computer (User)

You can close the Settings Picker blade to get the following screen on the Intune MEM Admin center portal. Make sure that you have enabled the policy setting called Prevent access to drives from My Computer. You also need to pick one of the following combinations to make this policy work.

  • Restrict A and B Drives only
  • Restrict C drive only
  • Restrict D drive only
  • Restrict A, B, and C drives Only
  • Restrict A, B, C, and D drives Only
  • Restrict all Drives
  • Do not Restrict Drives

NOTE! – I recommend you test these policies thoroughly in a staging environment and confirm the behavior before implementing this in production. This setting only prevents access from My Computer. So what about other locations? You might need to use the policies discussed in the section below to achieve that.

Intune Policy to Prevent Users from Saving Files to the Desktop

Now let’s check how an Intune settings catalog policy helps prevent users from saving files on the Desktop. The policy explained below won’t restrict saving files to the desktop, but it hides the desktop and disables all items on it.

This Intune policy helps to remove icons, shortcuts, and other default and user-defined items from the desktop. This includes Briefcase, Recycle Bin, Computer, and Network Locations.

NOTE! – Just removing icons and shortcuts does not prevent the user from using another method to start the programs or open the items they represent. So you might need to use this policy along with other policies discussed in this post.

Again from the +Add Settings option on the Settings catalog policy page, you can launch the Settings picker. You can use commas “,” among search terms to look up settings by their keywords. I used the keyword “Hide and Disable All Items on the Desktop” for this policy.

You can see the policy category: Administrative Templates\Desktop and the “File Explorer” subcategory. The Setting name – Prevent access to drives from My Computer (User).

Make sure you close the Settings picker blade after selecting the policy mentioned above. The next step is to enable the Hide and Disable All items on the desktop (User) policy. You can see more details about the next steps in the sections below.

Intune Policy to Hide Items displayed in Places Bar – File Dialog Prevent Saving

Let’s learn how to hide items displayed in the Places Bar of the file dialog using Intune MEM policies. This policy should be combined with the other policies mentioned in the above sections of this post to have a comprehensive solution.

You also need to set “Items displayed in Places Bar” in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the Desktop icon from the Places Bar. This will help prevent users from saving data to the Desktop.

[Screenshot: Hide Items displayed in Places Bar – Save File Dialog Box]

The following are the policies available in the Intune settings catalog from the Settings picker. The keyword that I used to find this policy is Common Open File Dialog. You can check the above screenshot to understand the Places Bar when you use the Save As option.

The policy category that I selected here is Administrative Templates\Windows Components\File Explorer\Common Open File Dialog. This policy category has all the policy settings, as you see below.

  • Hide the common dialog back button (User) – Hide the Back button in the Open dialog box.
  • Hide the common dialog places bar (User) – Removes the shortcut bar from the Open dialog box. 
  • Hide the dropdown list of recent files (User) – Removes the list of most recently used files from the Open dialog box. If you disable this setting or do not configure it, the “File name” field includes a drop-down list of recently used files.

Items displayed in Places Bar (User) – Configures the list of items displayed in the Places Bar in the Windows File/Open dialog. If you enable this setting, you can specify from 1 to 5 items to be displayed in the Places Bar. The valid items you may display in the Places Bar are:

  • Shortcuts to a local folder — (ex. C:\Windows)
  • Shortcuts to remote folders — (\\server\share)
  • FTP folders
  • Web folders
  • Common Shell folders.

The list of Common Shell Folders that may be specified: Desktop, Recent Places, Documents, Pictures, Music, Recently Changed, Attachments, and Saved Searches. If you disable or do not configure this setting, the default list of items will be displayed in the Places Bar.

NOTE! – I have not tested this set of policies in my lab environment, and I can’t confirm how this works for sure. My recommendation is to test this in a lab/staging environment to confirm how this works.

Deploy Restrict Users to Store Data in Local Drive and Hide Desktop Files Intune Policy

Now, it’s time to deploy all the policies explained above. We have discussed three combinations of the policies here in this post.

  • Restrict Users to Store Data in Local Drive
  • Prevent access to drives from My Computer
  • Items displayed in Places Bar (User), etc.

This section will help you assign the policies to the AAD User Group. You can refer to the following guide to Create Intune Settings Catalog Policy and deploy it only to a set of Intune Managed Windows 11 or Windows 10 devices using Intune Filters.

I could use “all users” deployment as an example for this particular policy deployment. I want to prevent saving files to desktops or to prevent access to local drives. You can click on the Next button and add the Scope Tags on the next page.

You will need to click on the Next and Create buttons to complete the policy creation process.

Prevent Users from Saving Files on Local Drives and Desktop – Event ID 814

Let’s check the event IDs for the policies that prevent users from saving files on local drives. The Intune event ID 814 indicates that a STRING value is applied as part of this policy on Windows 11 or Windows 10 devices. You can also see the exact value of the policy being applied on those devices.

You can check the Event log path to confirm this – Applications and Services Logs – Microsoft – Windows – DeviceManagement-Enterprise-Diagnostics-Provider – Admin.

MDM PolicyManager: Set policy string, Policy: (NoViewOnDrive), Area: (ADMX_WindowsExplorer), EnrollmentID requesting merge: (D1E11663-BF69-4DD8-974A-BAD47E6EF433), Current User: (S-1-5-21-2901188661-3025291148-348095268-1124), String: (), Enrollment Type: (0x6), Scope: (0x1). data id=”NoDrivesDropdown” value=”4

Policy: NoFileMRU, NoViewOnDrive, PlacesBar, NoBackButton, NoDesktop,
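
To confirm from PowerShell which of these policies reached a device, the following added example (not part of the original post) reads event ID 814 from the log above and decodes the NoDrivesDropdown value into drive letters. The function names are illustrative, and the sample message, including the shape of its String payload, is constructed with placeholder IDs.

```powershell
# Added example (not from the original post): summarise event ID 814 entries.
$LogName  = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
# Policy names listed in the post; trim this to the settings you actually deployed.
$Expected = 'NoViewOnDrive', 'NoDesktop', 'PlacesBar', 'NoBackButton', 'NoFileMRU'

function ConvertFrom-DriveMask {
    # NoViewOnDrive bitmask: bit 0 = A:, bit 1 = B:, bit 2 = C:, ... bit 25 = Z:
    param([int]$Mask)
    0..25 | Where-Object { $Mask -band (1 -shl $_) } |
        ForEach-Object { '{0}:' -f [char](65 + $_) }
}

function ConvertFrom-Event814Message {
    # Hypothetical helper: extract policy, area and restricted drives from one message.
    param([string]$Message)
    if ($Message -match 'Policy: \((?<policy>[^)]+)\), Area: \((?<area>[^)]+)\)') {
        $row = [ordered]@{ Policy = $Matches.policy; Area = $Matches.area; Drives = '' }
        # Only NoViewOnDrive carries the NoDrivesDropdown payload.
        if ($Message -match 'id="NoDrivesDropdown" value="(?<mask>\d+)"') {
            $row.Drives = (ConvertFrom-DriveMask -Mask ([int]$Matches.mask)) -join ','
        }
        [pscustomobject]$row
    }
}

# Constructed sample in the shape of the message quoted above; IDs are placeholders.
$messages = @('MDM PolicyManager: Set policy string, Policy: (NoViewOnDrive), ' +
    'Area: (ADMX_WindowsExplorer), EnrollmentID requesting merge: (<enrollment-id>), ' +
    'Current User: (<user-sid>), String: (<enabled/><data id="NoDrivesDropdown" ' +
    'value="4"/>), Enrollment Type: (0x6), Scope: (0x1).')

# On an enrolled device, use the real events (Get-WinEvent returns newest first).
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 814 } -ErrorAction SilentlyContinue
if ($events) { $messages = @($events | ForEach-Object Message) }

# Keep the newest entry per policy, then flag expected policies with no event.
$applied = $messages | ForEach-Object { ConvertFrom-Event814Message $_ } |
    Group-Object Policy | ForEach-Object { $_.Group[0] }
$applied | Format-Table -AutoSize
$Expected | Where-Object { $_ -notin @($applied.Policy) } |
    ForEach-Object { Write-Warning "No event ID 814 found for policy $_" }
```

With the constructed sample, the Drives column shows C:, which corresponds to the “Restrict C drive only” option.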

Registry Values Related to Preventing Users from Saving Files on Local Drives and Desktops

Now, let’s check the registry values related to the policies that prevent users from saving files on local drives, hide the desktop, etc. You can compare the registry entries below from before and after the policy deployment to Windows 10 and Windows 11 PCs.

Two new registry entries/values appeared. Those are ADMX Desktop and ADMX Windows Explorer. I have noted in the above section that I didn’t deploy the policy for Items displayed in Places Bar. So you won’t be able to see any traces of that particular policy.

This was the registry entry before applying the policies to the Windows Device. I have checked two registry paths for the completion of the test.

  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\D1E11663-BF69-4DD8-974A-BAD47E6EF433\default\S-1-5-21-2901188661-3025291148-348095268-1124\
  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\S-1-5-21-2901188661-3025291148-348095268-1124

These are the registry entries after deploying the Prevent Users to Save Files on Local Drives and Hide and disable all items on the desktop policies. Again, I checked both registry paths shared above. The new registry entries added after applying the policies are:

  • ADMX_Desktop
  • ADMX_WindowsExplorer
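
The same before/after comparison can be scripted. This added example (not from the original post) checks both registry paths above for the two new policy areas; the function name Get-PolicyAreaState is illustrative, and it assumes the policy targets the user running the script.

```powershell
# Added example (not from the original post): check the PolicyManager registry keys.
# Assumption: the policy targets the signed-in user; set $UserSid to another SID if not.
$UserSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$Root    = 'HKLM:\SOFTWARE\Microsoft\PolicyManager'
$Areas   = 'ADMX_Desktop', 'ADMX_WindowsExplorer'

function Get-PolicyAreaState {
    # Report whether each policy area key exists under $BasePath and which values it holds.
    param([string]$BasePath, [string]$Source, [string[]]$Areas)
    foreach ($area in $Areas) {
        $key     = Join-Path $BasePath $area
        $present = Test-Path -LiteralPath $key
        $names   = @()
        if ($present) { $names = @((Get-Item -LiteralPath $key).Property) }
        [pscustomobject]@{
            Source  = $Source
            Area    = $area
            Present = $present
            Values  = $names -join ', '
        }
    }
}

# 1. Merged policy for the user: PolicyManager\current\<SID>
$report = @(Get-PolicyAreaState -BasePath "$Root\current\$UserSid" -Source 'current' -Areas $Areas)

# 2. Per-enrollment copy: PolicyManager\Providers\<EnrollmentID>\default\<SID>
Get-ChildItem -LiteralPath "$Root\Providers" -ErrorAction SilentlyContinue | ForEach-Object {
    $base = "$Root\Providers\$($_.PSChildName)\default\$UserSid"
    $report += Get-PolicyAreaState -BasePath $base -Source $_.PSChildName -Areas $Areas
}

$report | Format-Table -AutoSize
$missing = $report | Where-Object { $_.Source -eq 'current' -and -not $_.Present }
if ($missing) { Write-Warning "Not applied for ${UserSid}: $($missing.Area -join ', ')" }
```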

Conclusion

After deploying the policies (Prevent Users to Save Files on Local Drives, and Hide and disable all items on the desktop), I couldn’t access Desktop from Windows Explorer Quick access. I got the following error, similar to the disable Control Panel error.

Update 3rd Dec 2021 – I have tested the OneDrive scenario after setting up this policy as per my latest post Silently Move Known Folders To OneDrive Using Intune Settings Catalog. After setting up this policy I was not able to open the OneDrive for Business application. The OneDrive app also gave me the same error.

I got the same error when I tried to access the C drive from Windows Explorer and the RUN command. I tried to save files into the desktop, documents, pictures, etc., but all gave me the following error.

The operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator.

I was not able to perform any right-click actions from the desktop. But I can open the files that are already there on the desktop.

NOTE! – After the restart of Windows PC, all the files stored on the desktop got removed or went hidden. So the policies look ok from my limited testing.

Author

Anoop C Nair is a Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

6 thoughts on “Prevent Users from Saving Files on Local Drives and Desktop using Intune MEM Policies”

  1. What if we wish to allow users to utilize OneDrive KFR so that their files will sync, but otherwise disallow c:\ access? Basically the SharedPC profile is too broad. It can obviously be done as you can access c:\users\$user\downloads even with the restriction on, sadly there’s no documentation I’ve been able to find on doing this.
  2. Hi beesee,
    Yep exactly what I’m trying to achieve, basically Shared PC Mode with Local Storage Disabled BUT still allow OneDrive Sync.
    Plus the Shared PC Mode allows the Desktop to be disabled without hiding it, so we can still put things in Public Desktop and all icons can be seen, but stops you adding more icons.
    Cannot seem to get best of both worlds 🙁