I'm trying to secure shared devices in our environment by preventing users from writing files to the root of the C: drive. We have these devices set up with the Shared multi-user Device policy in Intune, and any files in user profiles get deleted after sign out. I thought it would be straightforward to limit writing access, but I've hit a wall. I can adjust permissions, but I'm worried that could lead to problems. I even attempted to hide the C: drive through policy, but that didn't work as expected. Does anyone have advice on how to effectively restrict writing to the C: drive?
1 Answer
It sounds like you're on the right track. By default, users shouldn't be able to write to the C: drive unless they're admins. One way to enhance security is to remove 'Authenticated Users' from the permissions on the root of C: so they can't create folders there. You can use a PowerShell script to adjust the ACLs and remove the AppendData right for that group. Just make sure you're careful not to mess with admin rights or system permissions.

That makes sense, I’ll implement this. Thanks for the guidance!
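One way to script the change described in the answer above, as an added example that is not part of the original thread. It assumes an elevated Windows PowerShell 5.1 session; the parameter names, the helper function and the backup file path are hypothetical.

```powershell
using namespace System.Security.AccessControl
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Path = 'C:\',
    # Hypothetical location for the rollback copy of the original DACL.
    [string]$BackupFile = "$env:ProgramData\c-root-dacl.sddl"
)

# Well-known SID of NT AUTHORITY\Authenticated Users; avoids localized group names.
$authUsers = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-11')

function Get-AuthUsersAce {
    # ACEs on $Path that name Authenticated Users, with identities kept as SIDs.
    (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $authUsers.Value }
}

Write-Host "Authenticated Users ACEs on $Path before the change:"
Get-AuthUsersAce | Format-Table FileSystemRights, InheritanceFlags, PropagationFlags | Out-Host

$acl  = Get-Acl -LiteralPath $Path
$sddl = $acl.GetSecurityDescriptorSddlForm([AccessControlSections]::Access)

# Allow rule scoped to "this folder only" that carries just AppendData, the right
# that lets members create folders in the root. Inheritable ACEs and the
# Administrators and SYSTEM entries are different rules and are not matched.
$rule = [FileSystemAccessRule]::new(
    $authUsers, [FileSystemRights]::AppendData,
    [InheritanceFlags]::None, [PropagationFlags]::None, [AccessControlType]::Allow)

if ($PSCmdlet.ShouldProcess($Path, 'Remove AppendData (this folder only) for Authenticated Users')) {
    # Roll back with: $acl.SetSecurityDescriptorSddlForm((Get-Content $BackupFile), 'Access')
    # followed by Set-Acl on the same path.
    Set-Content -LiteralPath $BackupFile -Value $sddl
    [void]$acl.RemoveAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Verify: no remaining non-inheriting Allow ACE may still grant AppendData.
    $left = Get-AuthUsersAce | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.InheritanceFlags -eq 'None' -and
        ($_.FileSystemRights -band [FileSystemRights]::AppendData)
    }
    if ($left) { Write-Warning "AppendData is still granted on $Path" }
    else       { Write-Host "AppendData removed; original DACL saved to $BackupFile" }
}
```

Running it with `-WhatIf` first prints the current ACEs without changing anything, which shows whether the device still has the default entry before the rule is removed.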