Enable or Restrict Folder Locations in File Explorer Using Intune Policy
Ricardo Barbosa
Azure Administrator | Azure Solution Architect | Cloud Infra & Security Professional | MS Office 365 Certified | MCT | System Administrator | IT Infrastructure
Managing Allowed Folder Locations in File Explorer with Intune’s Settings Catalog
Controlling folder access in File Explorer is essential for enhancing security, data protection, and user productivity in an enterprise environment. With Microsoft Intune’s Settings Catalog Policy, administrators can efficiently define allowed folder locations, ensuring users access only authorized directories.
The Intune Settings Catalog provides a comprehensive and flexible way to configure device settings across Windows, iOS/iPadOS, and macOS. By leveraging this feature, IT teams can enforce access restrictions, maintaining data integrity while streamlining device management.
What is the Purpose of this Policy?
The Folder Locations in File Explorer setting allows administrators to control which folders a program can access on a device. If no specific folder is defined, programs have default access to all folders, which can pose security risks.
By configuring this policy in Intune, IT administrators can:
- Restrict access to unauthorized folders, ensuring only approved locations can be used.
- Enhance security by limiting which files programs can interact with.
- Improve compliance with organizational data protection policies.
Why Restrict Folder Access?
- Enhanced Security – Prevent unauthorized access to sensitive files by limiting folder availability.
- Centralized Management – Configure and enforce folder access policies across all managed devices.
- Data Protection – Minimize the risk of accidental data leaks by restricting unnecessary access.
- Improved User Productivity – Keep users focused by granting access only to relevant folders.
CSP Details: Understanding Configuration for Policy Deployment
After defining general folder location restrictions, it’s important to understand the CSP (Configuration Service Provider) details for policy creation and enforcement. CSPs play a crucial role in applying policies consistently across devices, ensuring that folder access rules are properly implemented.
In the next section, we will explore the detailed CSP configurations, including specific policy settings, implementation steps, and best practices for managing folder access via Microsoft Intune.
With Microsoft Intune, organizations can efficiently control File Explorer folder access, ensuring compliance, security, and operational efficiency. In this guide, we’ll explore how to configure and deploy this policy in Intune, making folder access secure and streamlined.
Creating a Profile in Microsoft Intune
To configure Folder Locations in File Explorer, you first need to create a profile in Microsoft Intune. Follow these steps:
- Log in to the Microsoft Intune Admin Center.
- Navigate to Devices > Configurations > Create > New Policy.
- In the "Create a Profile" window:
  - Platform: Choose Windows 10 and later.
  - Profile Type: Select Settings Catalog for a flexible configuration.
- Click "Create" to finalize and proceed with the policy setup.
This profile will allow administrators to define which folder locations users can access in File Explorer, ensuring enhanced security and controlled data access.
Creating a Profile: Basics Settings
In the Basics section, provide a clear and descriptive name for the profile to ensure easy identification later. You can also include an optional description to outline the profile's purpose or additional details.
Once you've completed this step, click Next to proceed to the next configuration stage.
Refer to the screenshot below for a visual guide to these steps.
Configuring Settings – Using the Settings Picker
Once the basic profile details are set, the next step is to configure the policy settings in the Configuration tab. This section allows administrators to define specific restrictions and permissions for File Explorer.
Steps to Add Settings:
- Click on the "Add Settings" hyperlink to open the Settings Picker window.
- Scroll down and locate the File Explorer category.
- Click on File Explorer, and a list of configurable settings will appear.
- Select “Set Allowed Folder Locations” to define which folders users can access.
- After selecting the setting, close the Settings Picker to save your selection.
This ensures that only approved folder locations are accessible, enhancing security and preventing unauthorized access to sensitive data.
Defining Allowed Folder Locations
Now, return to the Configuration Settings page, where the Allowed Folder Locations will be displayed.
In the Configuration Settings window, you have six options for setting up folder locations. In this case, I have selected Desktop, Documents, Pictures, Downloads, and Network locations to configure the allowed folder locations for this category.
Click Next to proceed.
Scope tags are an optional feature in Microsoft Intune. If you have no specific scope requirements for this deployment, you may skip this section. Scope tags simply help assign apps or policies to specific groups, users, or regions within your organization.
Assignments: Applying Policies in Microsoft Intune
The Assignments section is a crucial step in any policy configuration within Microsoft Intune. This section allows you to specify which users or devices the policy will apply to, ensuring targeted and effective management.
Key Features of the Assignments Section:
- Include and Exclude Options: The Assignments tab is divided into two parts:
- Adding Groups:
- Proceed to the Next Step:
This structured approach ensures that policies are applied to the right audiences, minimizing the risk of misconfiguration and enhancing overall policy management efficiency.
Review + Create
The final step in creating the policy is the "Review + Create" phase. This page provides a summary of the policy, including its basic details and configuration settings.
If any adjustments are needed, you can return to the previous sections to make edits. Once everything is confirmed, click "Create" to finalize the policy.
After submission, you will receive a confirmation notification indicating that the policy has been successfully created for the specified folder locations.
Monitoring Policy Status
Monitoring the policy status is a crucial step to ensure that your configuration has been successfully applied. Typically, policy deployment may take up to 8 hours to process. However, you can use the Company Portal Sync option to accelerate this process.
Steps to Check Policy Status:
- After initiating Sync, allow some time for the policy to update.
- Navigate to Devices > Configuration in the Microsoft Intune Admin Center.
- Search for the policy name to review its deployment status.
Regularly monitoring the status helps verify successful deployment and troubleshoot any potential issues.
Client-Side Verification
The next step is client-side verification, which ensures that the policy has been successfully applied. This can be done using the Event Viewer, where you can track policy enforcement and troubleshoot any inconsistencies.
Navigating the Event Viewer:
- Open Event Viewer on the device.
- Go to: Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
- Use the “Filter Current Log” option in the right pane to locate the specific policy entry more efficiently.
Policy Details
The MDM Policy Manager applies the policy under the Defender category, with key parameters that may vary depending on device configuration and policy assignment.
Example Policy Log Entry: The log may include details such as:
- Policy Name: SetAllowedFolderLocations
- Policy Area: File Explorer
- Enrollment ID requesting merge: (e.g., B1E9301C-8666-412A-BA2F-3BF8A55BFA62)
- Current User: Device
- Int Value: (e.g., 0x1F) – Represents the applied policy’s status. Any deviations may indicate configuration issues.
- Enrollment Type: (e.g., 0x6) – Defines the type of enrollment used, such as MDM-managed devices.
- Scope: (e.g., 0x0) – Specifies whether the policy applies at the device or user level.
Verification and Troubleshooting
- Check the Event Viewer logs for policies related to SetAllowedFolderLocations.
- Ensure the device has synced with Intune and verify assignments in the Intune Admin Center.
- If discrepancies are observed:
  - Compare logged parameters with expected values.
  - Confirm that the policy is correctly assigned and active in Intune.
  - Refer to Microsoft documentation for additional troubleshooting based on the log output.
This structured approach ensures accurate validation and troubleshooting, helping administrators confirm that folder access policies are properly enforced across devices.
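The Event Viewer check above can also be scripted so it is repeatable across devices. The following is an added example, not part of the original article or any Microsoft tooling: the function name Test-AllowedFolderLocationEvent and the field layout matched by the regex are assumptions, and the sample record is constructed from the example values listed above.

```powershell
# Added example: script the Event Viewer check for SetAllowedFolderLocations.
$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function Test-AllowedFolderLocationEvent {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Record,  # needs TimeCreated, Message
        [int] $ExpectedValue = 0x1F                         # value from the article's log entry
    )
    process {
        # Skip every entry that is not about this policy.
        if ($Record.Message -notmatch 'SetAllowedFolderLocations') { return }
        # Assumed layout of the integer field: "Int: (0x1F)" or "Int Value: (0x1F)".
        if ($Record.Message -match '\bInt(?:\s+Value)?:\s*\(?(0x[0-9A-Fa-f]+)') {
            $value  = [Convert]::ToInt32($Matches[1], 16)
            $status = if ($value -eq $ExpectedValue) { 'OK' } else { 'MISMATCH' }
        } else {
            # Entry mentions the policy but carries no parsable value: review by hand.
            $value  = $null
            $status = 'UNPARSED'
        }
        [pscustomobject]@{
            Time     = $Record.TimeCreated
            IntValue = if ($null -ne $value) { '0x{0:X}' -f $value } else { $null }
            Status   = $status
        }
    }
}

# Constructed sample record, built from the example values listed in the article.
$sample = [pscustomobject]@{
    TimeCreated = Get-Date
    Message     = 'MDM PolicyManager: Policy: (SetAllowedFolderLocations), ' +
                  'Area: (FileExplorer), EnrollmentID requesting merge: ' +
                  '(B1E9301C-8666-412A-BA2F-3BF8A55BFA62), Current User: (Device), ' +
                  'Int: (0x1F), Enrollment Type: (0x6), Scope: (0x0)'
}
$sample | Test-AllowedFolderLocationEvent

# Live check on an enrolled device: newest matching entries first.
Get-WinEvent -LogName $LogName -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Test-AllowedFolderLocationEvent -ExpectedValue 0x1F |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

A MISMATCH or UNPARSED row is the cue to re-check the policy assignment in the Intune Admin Center and re-sync the device.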
More Information
For additional guidance on configuring the "Set Allowed Folder Locations" policy using Microsoft Intune, refer to the following resources on Microsoft Learn:
- FileExplorer Policy CSP – Provides details on configuring folder access in File Explorer through policy settings. https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-fileexplorer
- Enable Controlled Folder Access – Instructions on enhancing data protection by managing folder access with Microsoft Defender for Endpoint. https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders
- Customize Controlled Folder Access – Guidance on tailoring controlled folder access to protect valuable data from threats like ransomware. https://learn.microsoft.com/en-us/defender-endpoint/customize-controlled-folders
- Trusted Locations for Office Files – Information on managing trusted locations to ensure secure access to Office files. https://learn.microsoft.com/en-us/microsoft-365-apps/security/trusted-locations
- Configure Feature Updates Policy for Windows Devices in Intune – Details on setting up feature update policies to manage Windows device updates effectively. https://learn.microsoft.com/en-us/mem/intune/protect/windows-10-feature-updates
These resources provide comprehensive instructions on setting up, managing, and optimizing device configurations with Microsoft Intune, ensuring secure and efficient folder access control in File Explorer.
Thank you!
Ricardo Barbosa
MCT Microsoft Certified Trainer | Cloud Architect
Technology Director - https://altelix.com