Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune

Key Takeaways

  • Prevents access through the Run dialog and Map Network Drive window.
  • Supports restricting individual drives or multiple drive combinations.
  • Does not block applications from accessing drives.
  • Does not prevent Disk Management from viewing or modifying drive properties.
  • Can be combined with the Hide These Specified Drives in My Computer policy for improved protection.

Let’s discussRestrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune. Controlling access to local drives is an important part of securing Windows devices in an organization. The Prevent Access to Drives from My Computer policy in Microsoft Intune helps administrators restrict users from opening selected drives through File Explorer (My Computer). This can reduce the risk of unauthorized access to sensitive files stored on specific drives while maintaining a consistent user experience.

Table of Contents

Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune

When this policy is enabled, users can still see the restricted drive icons in File Explorer, but they cannot open them or browse their contents. If a user attempts to access a restricted drive, Windows displays a message indicating that access has been blocked by a system policy. The restriction also applies when users try to access the drive through the Run dialog or the Map Network Drive window.

Intune Policy to Prevent Users to Save Files on Local Drives

Let’s see how to configure Intune Policy to Prevent Users to Save Files on Local Drives. Let’s start creating the Intune policy straightaway. You can perform registry changes to achieve the same results, but I won’t recommend doing the registry hack when a better option is available for you. This policy configuration walkthrough is done from Intune admin center.

Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune -Fig.1
Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune -Fig.1

The Intune policy creation process is called profile creation. You can change policies from Create Profile blade. Don’t worry about the preview tag there near to settings catalog. Microsoft fully supports this type of policy.

Patch My PC
  • Select Platform: Select Windows 10 and later.
  • Profile: Select Settings catalog.
  • Click on the Create button
Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune -Fig.2
Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune -Fig.2

Basic Tab

Once you click on Create button from the above page, you will need to enter the Name and Description of the setting catalog policy. Enter the name of the policy Name such as Restrict Users to Store Data in Local Drive Hide Desktop Files. And click on the next button to continue. I recommend using detailed descriptions so that colleagues can easily understand the details.

Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune -Fig.3
Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune -Fig.3

Configuration Settings

You can click on the +Add Settings link to bring up the new blade of the policy configuration wizard. This link will help with a new blade called the Settings Picker with a search box. With the settings catalog, you can choose which settings you want to configure. Click on Add settings to browse or search the catalog for the settings you want to configure.

  • Here I searched the Policy name and get from the Administrative Templates\Windows Components\File Explorer category
  • Then select the Policy Name Prevent access to drives from My Computer (User)

NOTE! – Settings picker – Use commas “,” among search terms to lookup settings by their keywords – In this scenario, I used Prevent access to Drives from my Computer as a keyword.

Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune -Fig.4
Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune -Fig.4

Disabled State of the Policy

By default, the Prevent Access to Drives from My Computer policy is Disabled. In this state, users can freely open and browse all available drives through File Explorer, provided they have the necessary permissions. If you want to continue, click Next.

Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune -Fig.5
Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune -Fig.5

Enable the Policy

You can close the Settings Picker blade to get the following screen on the Intune MEM Admin center portal. Make sure that you have enabled the policy settings called – prevent access to drives from my computer. You also need to pick one of the following combinations to make this policy work.

Settings Info
Restrict A and B Drives only
Restrict C drive only
Restrict D drive only
Restrict A, B, and C drives Only
Restrict A, B, C, and D drives Only
Restrict all Drives
Do not Restrict Drives
Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune – Table.1
Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune -Fig.6
Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune -Fig.6

Scope Tags

Use Scope Tags to control which administrative groups can view and manage the Prevent Access to Drives from My Computer policy. Scope tags are especially useful in organizations with multiple IT teams or delegated administration. If scope tags are not required in your environment, you can leave this section unchanged and continue with the policy creation.

Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune -Fig.7
Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune -Fig.7

Assignment Settings

Assign the Prevent Access to Drives from My Computer policy to the appropriate Microsoft Entra user or device groups. Carefully review the targeted groups to ensure the drive restrictions are applied only to the intended users or devices.

In the Assignments section, click Add groups under Included groups and select the required user or device groups. Assigning the policy ensures it is applied only to the intended users or devices, such as test groups or production environments. Then click on the Next.

Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune -Fig.8
Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune -Fig.8

Review + Create Policy

On the Review + Create page, verify all configured settings for the Prevent Access to Drives from My Computer policy. Confirm that the selected drives, assignments, and other configuration options are correct before creating the profile.

  • Select Create to deploy the policy to the assigned groups.
Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune -Fig.9
Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune -Fig.9

Monitoring Status

After deployment, monitor the Prevent Access to Drives from My Computer policy from the Intune admin center. The monitoring page displays deployment results, including successful, pending, and failed device check-ins. Reviewing the policy status helps administrators quickly identify devices that require troubleshooting or additional investigation.

  • Navigate to Devices > Configuration > Policies and open the policy.
  • Review the Overview, Device status, User status, to confirm successful deployment.
  • If any devices show a failed or pending state, review the error details and ensure the device is online and has synchronized with Intune.
Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune -Fig.10
Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune-Fig.10

Client Side Verification

To verify policy application, open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin. Select Filter Current Log from the Actions pane and search for Event ID 814, which indicates that the Intune policy has been processed successfully.

Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune -Fig.11
Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune -Fig.11

Delete Policy Permanently

When the policy is no longer needed, you can permanently delete the Prevent Access to Drives from My Computer policy from Microsoft Intune. Before deleting it, ensure that it is no longer assigned to any users or devices to prevent configuration changes. After deletion, Intune stops managing this configuration.

  • Navigate to Devices > Configuration > Policies, select the policy, click the three-dot menu, and choose Delete. Confirm the deletion when prompted.

For detailed information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.

Restrict Windows Drive Access to Protect Sensitive Data using Microsoft IntuneConfigure Windows Drive Access Restrictions using Intune Policy -Fig.12
Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune -Fig.12

Remove Policy from Assigned Groups

If the drive restriction is no longer required, edit the Prevent Access to Drives from My Computer policy and remove the assigned Microsoft groups. Save the updated configuration so the policy is no longer targeted to those users or devices. After the next device synchronization, the drive access restrictions will be removed from the affected devices.

For detailed information, you can refer to our previous post How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.

Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune -Fig.13
ConRestrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune -Fig.13

Need Further Assistance or Have Technical Questions?

Join the LinkedIn Page and Telegram group to get the latest step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, join the WhatsApp Community  and the Whatsapp channel to get the latest news on Microsoft Technologies. We are there on Reddit as well.

Author

Anoop C Nair has been Microsoft MVP from 2015 onwards for 10 consecutive years! He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is also a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM,   Windows, Cloud PC, Windows, Entra, Microsoft Security, Career, etc

8 thoughts on “Restrict Windows Drive Access to Protect Sensitive Data using Microsoft Intune”

  1. What if we wish to allow users to utilize OneDrive KFR so that their files will sync, but otherwise disallow c:\ access? Basically the SharedPC profile is too broad. It can obviously be done as you can access c:\users\$user\downloads even with the restriction on, sadly there’s no documentation I’ve been able to find on doing this.

    Reply
  2. Hi beesee,
    Yep exactly what I’m trying to achieve, basically Shared PC Mode with Local Storage Disabled BUT still allow OneDrive Sync.
    Plus the Shared PC Mode allows the Desktop to be disabled without hiding it, so we can still put things in Public Desktop and all icons can be seen, but stops you adding more icons.
    Cannot seem to get best of both worlds 🙁

    Reply
  3. This is a great article but even if I block C drive access.
    Along with it my One drive access is also blocked and I do not want that.

    Could you please suggest something ? I intend to block C drive but allow users to save their data on their one drive.

    Reply

Leave a Comment