Where it will affect if File Explorer shell protocol must run in protected mode

    Question

  • File Explorer shell protocol must run in protected mode - we want to know where it will have an effect and how to check when this setting is enabled and disabled.

    Actually, where will it limit the folders and files when protected mode is on? And if protected mode is off, which folders and files are additional, and where can I see the additional files and folders when protected mode is OFF?

    Thank You,

    Raja.

    • Edited by RajaReddyy Monday, October 17, 2016 7:46 AM
    Monday, October 17, 2016 7:40 AM

All replies

  • Hi Raja,
    I’m sorry, I assume that you have configured the policy “file Explorer shell protocol must run in protected mode”, but can I ask where you configured it? I have not searched this setting on my DC, and there is no more information about it in Microsoft official documents. Please share more details with us if possible.
    The following explanation is found on the internet: The shell protocol will limit the set of folders applications can open when run in protected mode. Restricting files an application can open to a limited set of folders increases the security of Windows.
    Please see: https://www.stigviewer.com/stig/windows_server_2012_2012_r2_member_server/2015-06-26/finding/V-15683
    Please note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    A related policy is “Turn off shell protocol protected mode”. About this policy, the explanation is:
    This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows.
    If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files.
    If you disable this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders.
    If you do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, October 18, 2016 2:32 AM
    Moderator
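
Added example, not part of the original thread or any poster's words: a PowerShell check that reports which of the three policy states described in the reply above (enabled, disabled, not configured) is in effect. It assumes the policy is stored as the DWORD `PreXPSP2ShellProtocolBehavior` under `Software\Microsoft\Windows\CurrentVersion\Policies\Explorer` (confirm against `WindowsExplorer.admx` on your system); the function name `Get-ShellProtocolMode` is hypothetical.

```powershell
# Added example. Assumption: the "Turn off shell protocol protected mode"
# policy is backed by this registry value (confirm in WindowsExplorer.admx).
$PolicyKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'PreXPSP2ShellProtocolBehavior'

function Get-ShellProtocolMode {
    # Hypothetical helper: checks the machine and per-user policy locations.
    param([string[]]$Hive = @('HKLM:', 'HKCU:'))

    foreach ($h in $Hive) {
        $path = '{0}\{1}' -f $h, $PolicyKey
        $raw  = $null

        # A missing key or missing value both mean "Not configured".
        $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $raw = $item.$ValueName }

        if ($null -eq $raw) {
            $setting = 'Not configured'
            $mode    = 'Protected mode (default): limited set of folders only'
        }
        elseif ($raw -eq 0) {
            $setting = 'Disabled'
            $mode    = 'Protected mode: limited set of folders only'
        }
        elseif ($raw -eq 1) {
            $setting = 'Enabled'
            $mode    = 'Full functionality: folders and files can be opened'
        }
        else {
            $setting = 'Unexpected value'
            $mode    = 'Unknown: review the policy source'
        }

        [pscustomobject]@{
            Location      = $path
            RawValue      = $raw
            PolicySetting = $setting
            EffectiveMode = $mode
        }
    }
}

Get-ShellProtocolMode | Format-List
```

Run it after `gpupdate /force` so the registry reflects the current Group Policy state; "Disabled" and "Not configured" both leave the shell protocol in protected mode, so those two states are not expected to behave differently.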
  • Thank you for your reply.

    I set this policy:

    Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> File Explorer -> "Turn off shell protocol protected mode" to "Disabled"

    But the result is the same. I cannot find any difference between disabled and enabled mode.

    Wednesday, October 19, 2016 6:31 AM
  • Hi,

    As the explanation in the last reply said, if you disable this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders.

    Based on my understanding of this policy, protected mode is designed for the security of system files and settings. In my experience with the Protected Mode of Internet Explorer, Protected Mode builds on the new integrity mechanism to restrict write access to securable objects like processes, files, and registry keys with higher integrity levels. When run in Protected Mode, Internet Explorer is a low integrity process; it cannot gain write access to files and registry keys in a user's profile or system locations.

    As there is no more information about the policy “file Explorer shell protocol must run in protected mode”, we could refer to the similar information in the article on understanding Protected Mode Internet Explorer, as below:

    Understanding and Working in Protected Mode Internet Explorer

    https://msdn.microsoft.com/en-us/library/bb250462(v=vs.85).aspx

    Best regards,

    Wendy



    Friday, October 21, 2016 1:45 AM
    Moderator
  • Hi Raja,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    I appreciate your feedback.

    Best regards,

    Wendy



    Tuesday, October 25, 2016 8:42 AM
    Moderator
  • We are still testing the same with your explanation, thank you. Once we are clear we will update the same.

    Thank you,

    Raja.

     
    Friday, October 28, 2016 8:39 AM
  • Hi Raja,
    As this thread has been quiet for a while, we will treat the ‘Answered’ reply as the helpful information. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
    Best regards,
    Wendy


    Thursday, November 03, 2016 8:27 AM
    Moderator
  • Hi,

    We still did not find any difference when disabling and enabling this policy. We understand the policy, but where can I see the difference between Disabled and Enabled mode?

    Checking on Windows Server 2012 R2.

    Thank You,
    Raja.


    • Edited by RajaReddyy Thursday, November 03, 2016 11:46 AM
    Thursday, November 03, 2016 11:45 AM
  • Hi,
    If there is no clear difference which is visible for users, I would suggest checking the event logs or using a network/process monitor tool to capture the details for viewing the function of this rule after disabling/enabling this group policy.
    You could download the tools from:
    Process Monitor v3.31 https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx
    Microsoft Network Monitor 3.4 https://www.microsoft.com/en-sg/download/details.aspx?id=4865
    Best regards,
    Wendy


    Monday, November 07, 2016 1:32 AM
    Moderator