Forum Discussion
Dynamic RDP Properties Based on User's Location and Device Type
Hello!
I am working with a client that currently uses Citrix SmartPolicies to update the RDP properties of the remote machines based on whether a user is connecting from a personal machine (not a client-provided machine) and whether the user is connecting from outside of the network (personal or client-provided machine). So if, for example, they connect from a personal machine, the user cannot map printers or local drives, or use copy/paste.
I write this to ask if there's a possible way to do this in Azure Virtual Desktop. We've looked at Liquidware's ProfileUnity solution, which can update these RDP properties based on AVD session host properties like WMI classes, registry values, and environment variables. However, the only real discernible value we could find at the moment is $env:CLIENTNAME. We are looking for a secondary value to base a filter on, as the CLIENTNAME could be hacked pretty easily.
Looking to see if anyone has had success in this type of scenario for a highly regulated company, and what was your solution? If you used a third-party service, what was that service?
Thanks!
2 Replies
It seems not to be natively supported, but you may try the below:
1. Liquidware ProfileUnity (you are already here)
- WMI queries
- Registry keys
- Environment variables
2. FSLogix with Conditional Access
While FSLogix doesn’t control RDP properties, pairing it with Microsoft Entra Conditional Access can help:
- Restrict access based on device compliance, location, or risk level
- Enforce MFA or block access from unmanaged devices
This doesn’t modify RDP redirection but can prevent access entirely under certain conditions.
3. Custom Scripts or Agents
- Set registry flags or environment variables
- Are read by session hosts to trigger conditional logic (e.g., via login scripts or scheduled tasks)
kdjones03 (Brass Contributor)
I appreciate the response but I'm looking for any real-world implementations that have been put into place already and not necessarily 'potential' solutions. This customer requires dynamic allowance of certain activities and we need to factor in device type (managed vs unmanaged) and location. The devices are NOT yet managed in Intune.
Today, I fiddled with Defender for Cloud Apps (MCAS) and was successful with session control policies to stop copy/paste/print from a Windows App session in the browser! I'm now looking at Microsoft Edge MAM policies in Intune to target users, with a mix of Conditional Access, to try and achieve the outcomes we're looking for.
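The first reply's third option (a script or agent on the session host that reads a registry flag and applies conditional logic via a scheduled task) is sketched below as an added example. It is not code from the thread, from Liquidware, or from Microsoft. It is written for the original poster's concern that $env:CLIENTNAME can be faked by the client: the script treats the client name only as a lookup key and fails closed, so clipboard, drive and printer redirection stay disabled unless a host-side marker written by some management tool says the client is managed. Assumptions: it runs as SYSTEM from a logon-triggered scheduled task on the session host; the marker key HKLM:\SOFTWARE\ExampleCorp\AVD\ManagedClients\<client name> with a Managed DWORD is hypothetical and would be populated by your own tooling; the policy value names fDisableClip, fDisableCdm and fDisableCpm are the ones Group Policy writes for the user-scope "Do not allow Clipboard/drive/client printer redirection" settings.

```powershell
# Added example (not from the thread): fail-closed redirection policy per session.
# Runs as SYSTEM (e.g. scheduled task triggered at logon); $env:CLIENTNAME is not
# trusted on its own because the client supplies it.

# Minimal P/Invoke for WTSQuerySessionInformation so the host, not the user's
# environment block, tells us the client name of each session.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class Wts {
    [DllImport("wtsapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool WTSQuerySessionInformation(IntPtr hServer, int sessionId,
        int infoClass, out IntPtr buffer, out int bytes);
    [DllImport("wtsapi32.dll")]
    public static extern void WTSFreeMemory(IntPtr buffer);
}
'@

function Get-SessionClientName {
    param([int]$SessionId)
    $buf = [IntPtr]::Zero; $len = 0
    # WTS_INFO_CLASS.WTSClientName = 10; IntPtr.Zero = the local server
    if ([Wts]::WTSQuerySessionInformation([IntPtr]::Zero, $SessionId, 10, [ref]$buf, [ref]$len)) {
        try { return [Runtime.InteropServices.Marshal]::PtrToStringUni($buf) }
        finally { [Wts]::WTSFreeMemory($buf) }
    }
    return $null
}

function Test-ManagedClient {
    # HYPOTHETICAL marker written by your own management tooling, not by Windows.
    param([string]$ClientName,
          [string]$MarkerRoot = 'HKLM:\SOFTWARE\ExampleCorp\AVD\ManagedClients')
    if ([string]::IsNullOrWhiteSpace($ClientName)) { return $false }
    $marker = Join-Path $MarkerRoot $ClientName
    if (-not (Test-Path $marker)) { return $false }
    $value = (Get-ItemProperty -Path $marker -Name 'Managed' -ErrorAction SilentlyContinue).Managed
    return ($value -eq 1)
}

function Get-RedirectionDecision {
    # Pure decision logic: allow only on a positive host-side signal, otherwise deny.
    param([string]$ClientName, [bool]$ClientIsManaged)
    if ($ClientIsManaged -and -not [string]::IsNullOrWhiteSpace($ClientName)) { return 'Allow' }
    return 'Deny'
}

function Set-SessionRedirectionPolicy {
    # Writes the user-scope Terminal Services policy values into the user's loaded hive.
    param([string]$UserSid, [string]$Decision)
    $key = "HKU:\$UserSid\Software\Policies\Microsoft\Windows NT\Terminal Services"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $disable = if ($Decision -eq 'Allow') { 0 } else { 1 }
    foreach ($name in 'fDisableClip', 'fDisableCdm', 'fDisableCpm') {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $disable -Force | Out-Null
    }
}

if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# One explorer.exe per interactive session gives us session id + user name (needs elevation).
$sessions = Get-Process -Name explorer -IncludeUserName -ErrorAction SilentlyContinue |
    Select-Object -Property SessionId, UserName -Unique

foreach ($s in $sessions) {
    $clientName = Get-SessionClientName -SessionId $s.SessionId
    $managed    = Test-ManagedClient -ClientName $clientName
    $decision   = Get-RedirectionDecision -ClientName $clientName -ClientIsManaged $managed
    $sid = (New-Object System.Security.Principal.NTAccount($s.UserName)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    Set-SessionRedirectionPolicy -UserSid $sid -Decision $decision
    # Emit the decision so it can be shipped to the SIEM alongside the AVD connection logs.
    Write-Output ("session {0} user {1} client '{2}' managed={3} -> {4}" -f `
        $s.SessionId, $s.UserName, $clientName, $managed, $decision)
}
```

Two things to verify on a test host before relying on this: first, the redirection settings are evaluated by the RDP stack when the session's virtual channels are set up, so a value written after logon may only take effect on the next reconnect; second, the marker key is only as trustworthy as the process that writes it, so it should be populated from a source the client cannot influence (a device inventory or compliance signal), which is the same reason the original poster wanted something stronger than CLIENTNAME alone.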