Windows-itpro-docs: FileExplorerNamespaceRestrictions

@Niglb The first part of the topic explains how to configure it in Intune: https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps#configure-a-kiosk-in-microsoft-intune

Sure - just looking for the FileExplorerNamespaceRestrictions "Downloads" option - I could configure with a custom xml via intune. I assume FileExplorerNamespaceRestrictions will come to the portal interface.

@Niglb Oh, now I understand your question, sorry! I'll check on that -- I'm not sure if that new feature is available in the Intune portal yet.

@Niglb It isn't in Intune yet. I'll check on when we expect to see it in Intune, but the person I need to ask won't be back until 10/23. I'll let you know when I get an answer.

I've just tested it using CSP custom config : ./Device/Vendor/MSFT/AssignedAccess/Configuration and it does work, I can now access it from my Kiosk apps, however I cannot browse to it from File Explorer as it is hidden/disable in the Kiosk configuration. Is there a way to turn file explorer back on/provision start menu link for it?

@fdebout The FileExplorerNamespaceRestrictions setting only allows access to the Downloads folder from a file dialog box. Did you try adding File Explorer as one of the kiosk apps? Although I'm not clear why you'd want to -- a user can do a lot from File Explorer, it might defeat the purpose of locking the device down as a kiosk.

My client has an ask to allow USB drives in a kiosk - I'm testing various policies but cannot do this yet. Downloads may do the trick. Is this only available via XML or could we use the WMI bridge to hit the CSP?

Does the Downloads folder clear itself after a while or is this a manual action to perform?

@jdeckerms Yes I have a File Explorer app link in my start menu but it doesn't work, nothing happens when you select it. In our scenario Kiosk users often need to lookup brochures and specs for the products they sell on the suppliers websites and email or share it with their customers.
So far in my testing I can download the files to the downloads folder, and then as you mentioned, browse to it with a file dialog box in OWA for example. It's fine with Office documents as you can save them to OneDrive but for pdf docs there's no easy other way to re-open the downloaded file.

@Niglb I don't have a date when to expect the setting to be in Intune, but they do plan to add it.

Ok thank you - even as a standalone CSP we can hit outside the main assigned access XML.

My client would love to see USB drives too.

Hiya, any word on this one? Have a use case.

Cheers,

So far in my testing I can download the files to the downloads folder, and then as you mentioned, browse to it with a file dialog box in OWA for example. It's fine with Office documents as you can save them to OneDrive but for pdf docs there's no easy other way to re-open the downloaded file.

@fdebout Hi, can you elaborate more the use case in details steps? That would help understand the pain points.

@seanyen Hi, We are using a multi app kiosk profile on new PoS devices.
In this use case the staff using the PoS device occasionally has to download product brochures/tech specs from supplier's website (mostly pdf documents).
They can email this from Outlook web access as an attachment, opening a dialog box and browsing to the download location.
They cannot however access the document directly from explorer once it has been downloaded.
Typically what we would like is a shortcut on the start menu or task bar opening the download folder to make access to downloaded documents easier.
Florian

@fdebout Would it be useful to pin a shortcut (.lnk file) to Downloads folder in StartLayout in multi-app kiosk profile?

@jdeckerms

Hi,

Have your team given any update on this? Or is it possible to add it via OMA URI reference in the interim?

Many thanks

@seanyen I did try to add a shortcut to the download folder in the start menu but nothing happens when you click on the link.
I believe Explorer is blocked by default in the Kiosk AssignedAccess config. I also tried adding explorer to the authorised applications list which did not help either.

This is a huge pain point for me aswell.

Have many use cases where File Explorer is required on a kiosk be it for media playback or as a printing station.

FileExplorerNamespaceRestrictions seems to be the way to go but this is limited due to the fact it cannot be accessed directly by File Explorer

@Spefx @fdebout , I've been able to make this work. I've added a Shortcut of the downloads folder that links to the Kiosk account, after that I've added the shortcut to start menu. Note that I managed to get this working on a Kiosk machine that automatically logs in.

Has anybody ever done with a shared computer, version 1809? I have the built in kiosk profile with a standard exported start layout .xml applied. I then created another profile with custom uri ./Device/Vendor/MSFT/AssignedAccess/Configuration applied. I also had a default filenamespace restriction .xml. When I apply both at the same time I get a device conflict.

Can anybody possibly share their custom .xml for filenamespace ? I have the kiosk working as I want minus the saving to the downloads folder that I desperately need.

Any help would be appreciated. Thanks

I forgot to mention I used this url successfully for just a normal kiosk.
https://www.robinhobo.com/how-to-configure-windows-10-in-multi-app-kiosk-mode-with-microsoft-intune/

@officedocsbot assign @jvsam

Hi @jdeckerms, based on the ongoing discussion, will there be any updates to the documentation that will address issues raised here? Thank you.

This Issue has been for a few different things over its life-cycle.

Originally it was raised to determine if the "FileExplorerNamespaceRestrictions" could be controlled inside a intune device configuration profile - The answer at the time was no, however the "Allow access to Downloads folder" can now be configured directly inside of a intune profile.

The question then morphed into the use of File Explorer when a machine was in kiosk mode - specificly accessing the now enabled Downloads folder/USB Drives. i can confirm that the downloads folder can be accessed through File Explorer by adding "Explorer.exe" to a list of allowed apps and pinning a file explorer shortcut to the kiosk start menu. The question about USB/DVD Drives is still outstanding, i currently have an open Premier support call investigating USB/DVD Drives and will update this issue with any findings.

That's great to hear @Spefx and we definitely need to update the documentation. Thank you for clarifying this for us.

@Niglb, I will get this issue over to the Windows writing team for review. We want users to have the best Windows experience by ensuring the contents of the Microsoft Docs are accurate and up-to-date. Thanks.

@jvsam Perfect! I found love to be able to leverage FileExplorerNamespaceRestrictions for locations beyond Downloads - currently my client is asking for USB drive access while in Kiosk mode.

@Spefx Touching base and seeing if you had any new information on that support call you mentioned? I will be updating the information to add what's been discussed so far in here and would love to be able to add the USB/DVD information if possible. Thanks!

@NigelbrownIBM @TokyoScarab

Almost have enough to write a blog post about the tweaks i have needed to make to draw out the more complex kiosk requirements, Shame i dont have a blog. For the "External Media Access" issue Premier support was able to get it working, the "Workaround" revolved around changing some of the registry keys set when applying AssignedAccess.

Assigned Access sets the following registry keys, these need to be reversed or removed:
1) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer “NoRun”=dword:00000001”
2) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AllowedNavigation "AllowedStorageLocations" =dword:00000000
3) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AllowedEnumeration "AllowedStorageLocations" =dword:00000000

The following are caveats of this solution:

• Changing the above three registry keys will also open up the entire C: Drive, in my instance this was not desirable and as such i applied the following key to hide C: Drive access:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  "NoDrives"="dword:00000004"
  _I could not completely restrict access using "NoViewOnDrive" without breaking Downloads folder_
• Need to acknowledge that allowing External Media increases the attack surface of the kiosks and should only be enabled on systems where there is a specific requirement.
• The "NoRun" key will come back - i enforced the registry keys through a Group Policy targeting the specific systems that needed External Media access
• Hopefully in the future this workaround gets tied up in a nice little bow with a provisioning package/intune flag to allow External Media.

Thanks
Spefx

@spefx this is fantastic - I had a call open as well but they didn't get me a work around. Any good methods to enforce these in an Intune only environment ? I can deploy a PowerShell script to set, but enforce my be a trick.

@Spefx That's really cool. I might not add those steps and wait for Microsoft to include a more streamlined way of adding USB / DVD support.

Haven't been able to get this work around to function - my devices are cloud only intune managed self deploying kiosk devices.

@TokyoScarab Agree, not really ready for Microsoft Docs as it is quite nuanced solution. Please note that my Premier Support call did not indicate if a more streamline solution was in scope of development.

Haven't been able to get this work around to function - my devices are cloud only intune managed self deploying kiosk devices.

@Niglb Intune should not really have a huge impact, happy to troubleshoot further but this is not likely to be the best format.

Thank you - more being able to apply these reg keys without group policy.

Hi @Spefx and @Niglb, just an update in case you haven't seen it, @TokyoScarab's suggested content update in the FileExplorerNamespaceRestrictions (_Microsoft Intune_) section is already deployed on the site. Although a lot of issues were discussed on this thread, do you have other suggestions for improvement related to this documentation before I close it?

Hi @Spefx and @Niglb, I believe we can consider this issue resolved, at least based on what we can support (related to how we can improve this documentation). For now we will close this issue, however, feel free to re-open if you have suggestions or ideas to improve the quality of this documentation. Thanks for being part of the Microsoft Docs community!

@officedocsbot close

@Spefx my email is [email protected] - I would love to get this working.

Haven't been able to get this work around to function - my devices are cloud only intune managed self deploying kiosk devices.

@Niglb Intune should not really have a huge impact, happy to troubleshoot further but this is not likely to be the best format.

I've attempted setting logon scripts, scheduled tasks, nothing has stuck...

Looks like Preview Builds now have this capability via XML! https://docs.microsoft.com/en-us/windows/configuration/kiosk-xml#preview-folder-access-sample-xml