Microsoft Intune - Restrict Write Access to Desktop on Shared PCs

  • Writer: Mr B SOE way
  • Feb 13

A customer I have been helping build their numerous personas wanted to block write access to "Desktop". You would think that the 'Shared PC' setting Restrict Local Storage would do the job, but unfortunately it restricts access to all disks except 'Downloads', which isn't what the customer wanted.


I managed to get it working with PowerShell or Proactive remediations, which I will cover below:


To target just a current user:

# Define the Desktop path for the current user
$DesktopPath = [System.IO.Path]::Combine($env:USERPROFILE, "Desktop")

# Get the current ACL (Access Control List)
$Acl = Get-Acl $DesktopPath

# Create a new access rule to Deny Write and Append Data
# Parameters: Identity, Rights, Access Control Type
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $env:USERNAME,
    "Write,AppendData",
    "Deny"
)

# Apply the rule to the ACL and save it back to the folder
$Acl.AddAccessRule($Ar)
Set-Acl $DesktopPath $Acl

Write-Host "Saving files to Desktop has been disabled for $env:USERNAME." -ForegroundColor Yellow

To target all users:


$UserProfiles = Get-ChildItem "C:\Users" | Where-Object { $_.PSIsContainer -and $_.Name -notmatch "Public|Default|All Users" }

foreach ($Profile in $UserProfiles) {
    $DesktopPath = Join-Path $Profile.FullName "Desktop"
   
    if (Test-Path $DesktopPath) {
        $Acl = Get-Acl $DesktopPath
        $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Profile.Name,
            "Write,AppendData",
            "Deny"
        )
        $Acl.AddAccessRule($Ar)
        Set-Acl $DesktopPath $Acl
        Write-Host "Locked Desktop for: $($Profile.Name)"
    }
}

To target a specific user like Staff:


# Directly target the 'Staff' profile folder
$StaffProfile = Get-Item "C:\Users\Staff" -ErrorAction SilentlyContinue

if ($StaffProfile) {
    $DesktopPath = Join-Path $StaffProfile.FullName "Desktop"
    
    if (Test-Path $DesktopPath) {
        $Acl = Get-Acl $DesktopPath
        
        # Create the Deny rule for the user 'Staff'
        $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "Staff",
            "Write,AppendData",
            "Deny"
        )
        
        $Acl.AddAccessRule($Ar)
        Set-Acl $DesktopPath $Acl
        
        Write-Host "Successfully locked Desktop for: Staff" -ForegroundColor Green
    } else {
        Write-Warning "Desktop folder not found for Staff profile."
    }
} else {
    Write-Error "Profile folder 'Staff' does not exist in C:\Users."
}

For remediation scripts (Detect and Remediate) where user is Staff:


$StaffProfile = "C:\Users\Staff\Desktop"
$User = "Staff"

if (Test-Path $StaffProfile) {
    $Acl = Get-Acl $StaffProfile
    
    # Check if there is a 'Deny' rule for 'Write' or 'AppendData' for the Staff user
    $RuleFound = $Acl.Access | Where-Object {
        $_.IdentityReference -like "*$User" -and 
        $_.AccessControlType -eq "Deny" -and 
        ($_.FileSystemRights -match "Write" -or $_.FileSystemRights -match "AppendData")
    }

    if ($RuleFound) {
        Write-Host "Desktop is already locked for Staff."
        exit 0 # Compliant
    } else {
        Write-Host "Desktop is NOT locked for Staff."
        exit 1 # Non-Compliant - Triggers Remediation
    }
} else {
    # If the profile doesn't exist, we skip (or you can exit 0 if you don't want to error out)
    Write-Host "Staff profile not found. Skipping."
    exit 0 
}

$DesktopPath = "C:\Users\Staff\Desktop"
$User = "Staff"

if (Test-Path $DesktopPath) {
    try {
        $Acl = Get-Acl $DesktopPath
        
        # Define the Deny rule
        $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $User,
            "Write, AppendData",
            "Deny"
        )
        
        $Acl.AddAccessRule($Ar)
        Set-Acl $DesktopPath $Acl
        Write-Host "Successfully applied Deny Write rule to Staff Desktop."
        exit 0
    } catch {
        Write-Error "Failed to set ACL: $($_.Exception.Message)"
        exit 1
    }
} else {
    Write-Warning "Target path $DesktopPath not found."
    exit 1
}

What happens once the device has applied the policy: when you right-click the Desktop and click "New", creating a folder prompts for UAC permission.


How to revert these changes:


$UserProfiles = Get-ChildItem "C:\Users" | Where-Object { $_.PSIsContainer -and $_.Name -notmatch "Public|Default|All Users" }

foreach ($Profile in $UserProfiles) {
    $DesktopPath = Join-Path $Profile.FullName "Desktop"
   
    if (Test-Path $DesktopPath) {
        $Acl = Get-Acl $DesktopPath
       
        # Define the exact rule that was applied previously
        $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Profile.Name,
            "Write,AppendData",
            "Deny"
        )
       
        # Remove that specific rule from the ACL (RemoveAccessRule returns a boolean; discard it)
        $null = $Acl.RemoveAccessRule($Ar)
       
        # Apply the cleaned ACL back to the folder
        Set-Acl $DesktopPath $Acl
        Write-Host "Restored Desktop access for: $($Profile.Name)"
    }
}
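The all-users, detect/remediate and revert scripts above all assume that the profile folder name resolves to an account and that "*Staff" only matches the Staff user. The following is an added example (not from the original post) that covers the same three operations but maps profile folders to account SIDs through the ProfileList registry key and compares SIDs exactly; the $Mode parameter and its default are assumptions, since Intune remediation scripts take no parameters you would set the default per script.

```powershell
# Added example: detect, apply or remove the Deny-Write rule on every user's Desktop,
# keyed by account SID rather than by profile folder name.
# Profile folder names such as "john.doe" do not always resolve to an account (common for
# Entra ID users), and "-like '*Staff'" would also match an account named "NotStaff".
param(
    [ValidateSet('Detect', 'Remediate', 'Revert')]
    [string]$Mode = 'Detect'   # assumption: set the default per Intune script
)

$DenyRights  = [System.Security.AccessControl.FileSystemRights]'Write, AppendData'
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Only real user profiles have SIDs starting S-1-5-21; system/service profiles are skipped.
$Profiles = Get-ChildItem $ProfileList | Where-Object { $_.PSChildName -like 'S-1-5-21-*' }

$NonCompliant = 0
foreach ($P in $Profiles) {
    $Sid         = [System.Security.Principal.SecurityIdentifier]$P.PSChildName
    $DesktopPath = Join-Path $P.GetValue('ProfileImagePath') 'Desktop'
    if (-not (Test-Path $DesktopPath)) { continue }

    $Acl = Get-Acl $DesktopPath
    # Exact SID comparison instead of a wildcard match on the account name.
    $Existing = $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid -and
        (($_.FileSystemRights -band $DenyRights) -eq $DenyRights)
    }
    # No inheritance flags: the rule sits on the folder object only, so it blocks creating
    # new files and subfolders on the Desktop while existing files keep their own ACLs.
    $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Sid, $DenyRights, 'Deny')

    switch ($Mode) {
        'Detect'    { if (-not $Existing) { $NonCompliant++; Write-Host "Not locked: $DesktopPath" } }
        'Remediate' { if (-not $Existing) { $Acl.AddAccessRule($Rule); Set-Acl $DesktopPath $Acl; Write-Host "Locked: $DesktopPath" } }
        'Revert'    { if ($Existing) { $null = $Acl.RemoveAccessRule($Rule); Set-Acl $DesktopPath $Acl; Write-Host "Restored: $DesktopPath" } }
    }
}

# Intune detection contract: exit 1 when any Desktop still lacks the rule, otherwise 0.
if ($Mode -eq 'Detect' -and $NonCompliant -gt 0) { exit 1 }
exit 0
```

Run it as SYSTEM (as Intune does) so that Get-Acl and Set-Acl can reach every profile's Desktop.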
