Windows Desktop restrictions
Applicable to: Windows 10 Desktops
Administrators can control OS information on managed Windows 10 Desktop devices by restricting user access to the following areas on a device:
- Control Panel
- Task Manager
- File Explorer
- Registry Editor
These functions enable a user to make many changes to their device. Using this feature, administrators can restrict access to these system-level controls and thereby secure access to them.
This feature requires Bridge. See Ivanti Bridge for details.
Configure Windows Desktop restrictions
Procedure
- Go to Configuration > +Add.
- Select Windows Desktop Restrictions configuration.
- Enter a name for the configuration.
- Enter a description.
- In the Configuration Setup section, specify the remaining settings as described in the following table.
| Setting | What To Do |
| --- | --- |
| Task Manager, Control Panel, Registry Editor | Select the Deny access checkbox for the setting for which the access should be denied. |
| File Explorer | Select the Restrict Capabilities checkbox to restrict capabilities of File Explorer. Example: Removal of map network drive. Click on the link provided to view the list of capabilities that are restricted. |
| Removable storage | Access mode for Removable Storage. Restrict Read Access: This prevents any access and is the most restrictive configuration. Restrict Write Access: This allows limited access, but prevents unauthorized removal of data or the ability to add viruses, etc. to the device. |
- Click Next.
- Select one of the following distribution options:
  - All Devices
  - No Devices (default)
  - Custom
- Click Done.
For the configuration to take complete effect, the device should be rebooted after applying the configuration.
Creating an allowlist for removable storage devices
If you want to create an allowlist of permitted storage devices, complete the following steps first:
- Attach the USB storage devices you want to allow to a PC.
- Open Device Manager and click on the USB controller.
- Look at the settings for each controller for device information.
- Store the device information to use when creating your Allowlist.
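The hardware IDs gathered in the steps above can also be collected with PowerShell instead of being read device by device in Device Manager. This is an added example, not part of the original documentation; the device-class filter and the output file name usb-hardware-ids.csv are assumptions.

```powershell
# Added example: list the hardware IDs of USB storage devices that are
# currently attached. Run in PowerShell on the PC the devices are plugged into.

# USB storage shows up under several device classes (filter is an assumption):
#   USB       - the "USB Mass Storage Device" node (driver service USBSTOR)
#   DiskDrive - the disk exposed by that node (instance ID starts with USBSTOR\)
#   WPD       - portable devices such as phones and media players
$candidates = Get-PnpDevice -PresentOnly | Where-Object {
    ($_.Class -eq 'USB' -and $_.Service -eq 'USBSTOR') -or
    ($_.Class -eq 'DiskDrive' -and $_.InstanceId -like 'USBSTOR\*') -or
    ($_.Class -eq 'WPD')
}

# One output row per hardware ID; a single device usually reports several,
# ordered from most specific (vendor, product, revision) to most generic.
$report = foreach ($dev in $candidates) {
    $ids = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
            -KeyName 'DEVPKEY_Device_HardwareIds' `
            -ErrorAction SilentlyContinue).Data
    foreach ($id in $ids) {
        [pscustomobject]@{
            FriendlyName = $dev.FriendlyName
            Class        = $dev.Class
            HardwareId   = $id
        }
    }
}

$report | Sort-Object Class, FriendlyName | Format-Table -AutoSize

# Keep a copy to paste from when filling in the Add hardware IDs window.
# The file name is an assumption; store it wherever suits your process.
$report | Export-Csv -Path .\usb-hardware-ids.csv -NoTypeInformation
```

The more specific IDs at the top of each device's list match only that device model and revision, while the generic ones at the bottom match a whole class of devices, so choose the entries to allow accordingly.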
To create the allowlist for removable storage devices:
Procedure
- In the Windows Desktop Restrictions configuration page, ensure that the options (Restrict Read Access and Restrict Write Access) under the Removable Storage section are NOT selected.
- Under the Whitelisted Removable Storage section, click +Add.
- In the Add hardware IDs window, enter the hardware IDs for the USB device that needs to be allowed access.
- Click Add. After adding the required hardware IDs, click Close.
  The list of whitelisted hardware IDs is displayed under the Whitelisted Removable Storage section.
- Click Save.
Recommended hardware IDs that must be added to the list: STORAGE\Volume and wpdbusenum\fs.
To edit or delete a hardware ID from the list, select the Edit or Delete option under the Actions column.
For the configuration to take complete effect, the device should be rebooted after applying the configuration.