
  • Hide the C:\ Drive

    There are two methods for hiding the C: drive (or any other drive): a GPO setting and a registry tweak (Regedt32). There are obvious benefits to preventing a user from browsing the system drive, such as stopping them from exploring to a file and running it. However, hiding C: has to be considered only part of the solution for preventing access: it is still possible to open PowerShell or cmd and 'cd' without restriction, to create desktop shortcuts to a named file, and many others. Even after locking down all of those routes, the audio control icon (assuming the user requires sound control) provides a route into browsing the system. There are,

```powershell
<#
.Synopsis
Remove access to C:

.Description
Removes access to C:\ by setting NoDrives to a value of 4 in the registry, or set the
User GPO setting 'Prevent access to drives from My Computer'.

.Version
#>

# Hides C: for all users, including Administrator (machine-wide policy key; needs elevation).
# The Policies\Explorer key may not exist yet, so create it first; -Force on
# New-ItemProperty overwrites an existing NoDrives value instead of erroring.
New-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name NoDrives -PropertyType DWORD -Value 4 -Force

# Hides C: only for the user the setting is applied against (per-user policy key).
# Explorer re-reads the value at logon or when explorer.exe is restarted.
New-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Force | Out-Null
New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name NoDrives -PropertyType DWORD -Value 4 -Force
```

    User GPO Settings
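The post's value of 4 is one instance of Explorer's drive bitmask (bit 0 = A:, bit 1 = B:, bit 2 = C:, and so on up to bit 25 = Z:). The following is an added example, my own code rather than the post's script, that generalises this to any set of drive letters, writes the mask to the same Policies\Explorer key in either hive, and reads it back so the restriction can be verified. It also sets NoViewOnDrive, the value behind the GPO 'Prevent access to drives from My Computer', when asked; NoDrives on its own only hides the drive from Explorer's view. The function names are mine.

```powershell
# Added example (not part of the original post). Function names are my own.

function Get-DriveMask {
    # Converts drive letters to the Explorer bitmask: bit 0 = A:, bit 1 = B:, bit 2 = C: ... bit 25 = Z:
    param([Parameter(Mandatory)][string[]]$DriveLetters)
    $mask = 0
    foreach ($letter in $DriveLetters) {
        $l = $letter.Trim(':', '\').ToUpperInvariant()
        if ($l -notmatch '^[A-Z]$') { throw "Not a drive letter: '$letter'" }
        $mask = $mask -bor (1 -shl ([int][char]$l - [int][char]'A'))
    }
    return $mask
}

function ConvertFrom-DriveMask {
    # Reverse of Get-DriveMask: returns the drive letters a mask covers
    param([Parameter(Mandatory)][int]$Mask)
    $letters = @()
    for ($i = 0; $i -lt 26; $i++) {
        if ($Mask -band (1 -shl $i)) { $letters += ([string][char](65 + $i) + ':') }
    }
    return $letters
}

function Set-ExplorerDriveRestriction {
    param(
        [Parameter(Mandatory)][string[]]$DriveLetters,
        # LocalMachine writes HKLM (all users) and needs an elevated session
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Scope = 'CurrentUser',
        # NoViewOnDrive is the value behind 'Prevent access to drives from My Computer';
        # NoDrives alone only hides the drive from Explorer's view
        [switch]$BlockAccess
    )
    $hive = if ($Scope -eq 'LocalMachine') { 'HKLM:' } else { 'HKCU:' }
    $key  = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    $mask = Get-DriveMask $DriveLetters
    # -Force overwrites an existing value instead of failing
    New-ItemProperty -Path $key -Name NoDrives -PropertyType DWORD -Value $mask -Force | Out-Null
    if ($BlockAccess) {
        New-ItemProperty -Path $key -Name NoViewOnDrive -PropertyType DWORD -Value $mask -Force | Out-Null
    }
    return $mask
}

function Get-ExplorerDriveRestriction {
    # Reports what is currently hidden / blocked in each hive so the setting can be audited
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key   = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $hidden  = if ($props.NoDrives)      { ConvertFrom-DriveMask $props.NoDrives }      else { @() }
        $blocked = if ($props.NoViewOnDrive) { ConvertFrom-DriveMask $props.NoViewOnDrive } else { @() }
        [pscustomobject]@{ Hive = $hive; Hidden = ($hidden -join ' '); Blocked = ($blocked -join ' ') }
    }
}

# Usage: hide C: and D: from the current user and block access to them as well (mask = 4 + 8 = 12).
# Explorer picks the change up at logon or after explorer.exe is restarted.
Set-ExplorerDriveRestriction -DriveLetters 'C', 'D:' -BlockAccess | Out-Null
Get-ExplorerDriveRestriction | Format-Table -AutoSize
```

Get-ExplorerDriveRestriction is the check worth keeping after the script has run: the post's point that hiding C: is only part of the solution still stands, but at least this confirms the values actually landed in the hive you intended.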

  • Windows Defender Application Control (WDAC) aka Device Guard

    Device Guard has the following requirements:

    Hardware requirements
      - UEFI (native mode)
      - Windows 10/2016 x64
      - SLAT and virtualization extensions (Intel VT or AMD-V)
      - TPM

    Windows features
      - Windows Defender Application Guard (Isolation mode prior to 1703)
      - Hyper-V Platform (not required after 1603)
      - Hyper-V Hypervisor

    GPO settings (Computer Configuration > Administrative Templates > System > Device Guard)
      - Turn on Virtualization Based Security: Enabled
          - Secure Boot and DMA Protection
          - Enable Virtualization Based Protection of Code Integrity
      - Deploy Code Integrity Policy: Enabled, with the path C:\DeviceGuard\SIPolicy.p7b
        (C:\DeviceGuard\SIPolicy.p7b is automatically copied and converted into C:\Windows\System32\CodeIntegrity\)

    From PowerShell execute:

```powershell
Invoke-CimMethod -Namespace root/Microsoft/Windows/CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName update -Arguments @{FilePath = "C:\Windows\System32\CodeIntegrity\SIPolicy.p7b"}
```

    The system will create SIPolicy.p7b and a reboot will enforce Device Guard.

    To create a Device Guard policy, run the following.

```powershell
<#
.Synopsis
Create and enforce a Device Guard code integrity policy.

.Description
Scans C:\ to build an initial code integrity policy, switches it from audit mode to
enforcement, converts it to the binary SIPolicy.p7b and loads it.

.Version
#>

# Sets the working folder for Device Guard (created if it does not already exist)
$CIPolicyPath = "C:\DeviceGuard"
New-Item -ItemType Directory -Path $CIPolicyPath -Force | Out-Null

# C:\DeviceGuard\InitialScan.xml
$InitialCIPolicy = $CIPolicyPath + "\InitialScan.xml"

# C:\DeviceGuard\SIPolicy.p7b
$CIPolicyBin = $CIPolicyPath + "\SIPolicy.p7b"

# C:\DeviceGuard\CIPolicy.txt - warning output (stream 3) from the initial policy scan
$CIPolicyTxt = $CIPolicyPath + "\CIPolicy.txt"

# Creates InitialScan.xml by scanning C:\ - rules at FilePublisher level, falling back to a
# file hash for anything unsigned; -UserPEs includes user-mode executables in the scan
New-CIPolicy -Level FilePublisher -Fallback Hash -FilePath $InitialCIPolicy -UserPEs -ScanPath C:\ 3> $CIPolicyTxt

# Enforces UMCI (option 0 = Enabled:UMCI)
Set-RuleOption -FilePath $InitialCIPolicy -Option 0
# Enforcement mode enabled: deleting option 3 (Enabled:Audit Mode) means anything the
# policy does not cover is blocked rather than just logged
Set-RuleOption -FilePath $InitialCIPolicy -Option 3 -Delete

# Converts the XML policy to the binary p7b in C:\DeviceGuard\
# GPO is set to move SIPolicy.p7b to C:\Windows\System32\CodeIntegrity
ConvertFrom-CIPolicy -XmlFilePath $InitialCIPolicy -BinaryFilePath $CIPolicyBin

# Enable Device Guard to enforce the policy
Invoke-CimMethod -Namespace root/Microsoft/Windows/CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName update -Arguments @{FilePath = "C:\Windows\System32\CodeIntegrity\SIPolicy.p7b"}
```
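Before the policy above is converted and enforced, it is worth confirming that the hardware and feature prerequisites listed for Device Guard are actually met on the target machine, and that the current policy state is what you expect (audit before enforced). The following is an added example, my own code rather than the post's script, that checks those prerequisites, decodes the virtualization-based security and code integrity state from the Win32_DeviceGuard WMI class, and summarises the Code Integrity operational log. It assumes the documented Win32_DeviceGuard status codes and the CodeIntegrity log event IDs 3076 (would have been blocked, audit mode) and 3077 (blocked, enforced); the function names are mine.

```powershell
# Added example (not part of the original post). Function names are my own.

function Test-DeviceGuardPrerequisites {
    # Maps the post's hardware requirements to something you can check on the box
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    [pscustomobject]@{
        # $env:firmware_type is 'UEFI' or 'Legacy' on Windows 8 and later
        UefiNativeMode = ($env:firmware_type -eq 'UEFI')
        X64            = ($os.OSArchitecture -like '64*')
        # SLAT and Intel VT / AMD-V as reported by the processor class. Note that
        # VirtualizationFirmwareEnabled reads false once the Hyper-V hypervisor is already running.
        Slat           = [bool]$cpu.SecondLevelAddressTranslationExtensions
        VirtExtensions = [bool]$cpu.VirtualizationFirmwareEnabled
        TpmPresent     = ($null -ne $tpm -and [bool]$tpm.IsEnabled_InitialValue)
    }
}

function Get-DeviceGuardStatus {
    # Decodes the numeric status codes documented for Win32_DeviceGuard
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $vbs      = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $ci       = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $services = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }

    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbs[[int]$dg.VirtualizationBasedSecurityStatus]
        KernelModeCodeIntegrity     = $ci[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCodeIntegrity       = $ci[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        ServicesRunning             = (@($dg.SecurityServicesRunning) | ForEach-Object { $services[[int]$_] }) -join ', '
    }
}

function Get-CodeIntegrityEventSummary {
    # 3076 = file would have been blocked (audit mode); 3077 = file was blocked (enforced).
    # A non-empty 3076 list is what you review before deleting rule option 3.
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object -Property Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

# Usage: run all three before enforcing, then again after the reboot to confirm 'Enforced'.
Test-DeviceGuardPrerequisites | Format-List
Get-DeviceGuardStatus         | Format-List
Get-CodeIntegrityEventSummary -Days 14 | Format-Table -AutoSize
```

The practical sequence is: leave option 3 in the XML for a first deployment, let the machine run for a while, check that Get-CodeIntegrityEventSummary shows no 3076 events for software you expect to run, and only then delete option 3 and reconvert the policy as the post's script does.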
