Forum Discussion
Restrict USB storage and Printer passthrough
Is there a way to only allow specific USB devices to passthrough?
We have a requirement to allow specified USB storage devices to passthrough and specified printers to passthrough.
I fear I've become snowblind to a solution.
The best I can seem to do is restrict specific drive letters (manually map the drive letter for a disk on the local machine - then pass that drive letter through to session host).
The current RDP properties in use are:
Full RDP properties:
drivestoredirect:s:w\:x\:y\:z\:q\:;enablecredsspsupport:i:1;autoreconnection enabled:i:0;bandwidthautodetect:i:0;networkautodetect:i:0;videoplaybackmode:i:1;audiocapturemode:i:0;encode redirected video capture:i:0;redirected video capture encoding quality:i:1;audiomode:i:0;camerastoredirect:s:;devicestoredirect:s:;redirectclipboard:i:0;redirectcomports:i:0;redirectlocation:i:0;redirectprinters:i:1;redirectsmartcards:i:0;redirectwebauthn:i:0;usbdevicestoredirect:s:143dbec4-2a05-5ac3-860f-1bb97b597f32\;f887e71c-80a1-570b-9e5a-b002867df24e\;;use multimon:i:0;screen mode id:i:2;smart sizing:i:1;dynamic resolution:i:1
I hoped the above settings would restrict all USB devices except the ones specified in “USB device redirection”. However this isn’t the case. All installed printers and USB storage devices with any of the drive letters: w,x,y,z or q, are passed through to the host session.
I’ve attempted to restrict devices using:
- AVD RDP properties > USB device redirection
- GPOs on the DC
- Endpoint manager > Devices > Configuration profiles
- Endpoint manager > Endpoint Security > Attack surface reduction profiles
None of the above seem to make any difference to AVD passthrough. I suspect because they’re focusing on endpoint management, and we don’t manage the endpoints with the installed USB devices?
I’ve looked at the RDP file on the client machine and that is showing the desired properties from AVD. But still doesn’t seem to make any difference.
I’ve raised a call with Microsoft. They’ve gone over the RDP properties and seem to think that it’s correctly configured, and that “USB device redirection” should be working.
I wonder if anyone here has experienced the same or similar issues and if they were overcome?
Thanks
Paul
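Added example, not code from the thread or from Microsoft: the PowerShell below reads a host pool's custom RDP properties with the Az.DesktopVirtualization module, reports which device-redirection channels the property string leaves open, and writes back a tightened set, then reads it again to confirm it persisted. The point it makes concrete is that "drivestoredirect", "redirectprinters" and "usbdevicestoredirect" are three independent switches: the first two are the high-level drive and printer redirection channels, the third is the opaque low-level USB channel, and the string posted above keeps the first open for W, X, Y, Z and Q and the second open for every installed printer, regardless of what the USB list contains. Assumptions: you are signed in with Connect-AzAccount, the resource group and host pool names are placeholders, the two device IDs reused in the block are the ones quoted in the post, and the parser only needs to handle the "key:type:value;" syntax with "\;" escaping that the post's string uses.

```powershell
# Added example (not from the thread). Audit and tighten the device-redirection
# properties of an AVD host pool using Az.DesktopVirtualization.
# Assumes Connect-AzAccount has been run; names below are placeholders.
$ResourceGroup = 'rg-avd-example'   # placeholder
$HostPool      = 'hp-avd-example'   # placeholder

# Parse "key:type:value;key:type:value;..." into an ordered dictionary.
# Values may contain semicolons escaped as "\;" (as in usbdevicestoredirect),
# so split only on semicolons that are not preceded by a backslash.
function ConvertFrom-RdpProperty {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$PropertyString)
    $props = [ordered]@{}
    foreach ($item in ($PropertyString -split '(?<!\\);')) {
        if ([string]::IsNullOrWhiteSpace($item)) { continue }
        $parts = $item -split ':', 3        # key, type, value (value may hold ':')
        if ($parts.Count -ne 3) { throw "Malformed RDP property: '$item'" }
        $props[$parts[0]] = [pscustomobject]@{ Type = $parts[1]; Value = $parts[2] }
    }
    return $props
}

# Serialise the dictionary back into the string form the host pool expects.
function ConvertTo-RdpProperty {
    param([Parameter(Mandatory)]$Properties)
    $items = foreach ($k in $Properties.Keys) {
        '{0}:{1}:{2}' -f $k, $Properties[$k].Type, $Properties[$k].Value
    }
    return ($items -join ';') + ';'
}

# Report the state of each redirection channel. An empty "s" value or an "i"
# value of 0 closes the channel; a missing key means the pool default applies.
function Get-OpenRedirection {
    param([Parameter(Mandatory)]$Properties)
    $checks = @(
        @{ Key = 'drivestoredirect';     Channel = 'Drives (high-level)';   Open = { param($p) $p.Value -ne '' } }
        @{ Key = 'redirectprinters';     Channel = 'Printers (high-level)'; Open = { param($p) $p.Value -eq '1' } }
        @{ Key = 'usbdevicestoredirect'; Channel = 'Opaque low-level USB';  Open = { param($p) $p.Value -ne '' } }
        @{ Key = 'redirectclipboard';    Channel = 'Clipboard';             Open = { param($p) $p.Value -eq '1' } }
        @{ Key = 'redirectcomports';     Channel = 'COM ports';             Open = { param($p) $p.Value -eq '1' } }
        @{ Key = 'camerastoredirect';    Channel = 'Cameras';               Open = { param($p) $p.Value -ne '' } }
        @{ Key = 'redirectsmartcards';   Channel = 'Smart cards';           Open = { param($p) $p.Value -eq '1' } }
    )
    foreach ($c in $checks) {
        $p = $Properties[$c.Key]
        $state = if ($null -eq $p)       { 'not set (pool default)' }
                 elseif (& $c.Open $p)   { 'OPEN: ' + $p.Value }
                 else                    { 'closed' }
        [pscustomobject]@{ Channel = $c.Channel; Property = $c.Key; State = $state }
    }
}

# 1. Read the current string and show what it leaves open.
$pool    = Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPool
$current = ConvertFrom-RdpProperty $pool.CustomRdpProperty
Get-OpenRedirection $current | Format-Table -AutoSize

# 2. Close the high-level drive and printer channels and keep only the
#    opaque low-level USB list. The two IDs are the ones quoted in the post;
#    replace them with your own device entries.
$current['drivestoredirect']     = [pscustomobject]@{ Type = 's'; Value = '' }
$current['redirectprinters']     = [pscustomobject]@{ Type = 'i'; Value = '0' }
$current['usbdevicestoredirect'] = [pscustomobject]@{ Type = 's';
    Value = '143dbec4-2a05-5ac3-860f-1bb97b597f32\;f887e71c-80a1-570b-9e5a-b002867df24e\;' }

$new = ConvertTo-RdpProperty $current
Update-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPool -CustomRdpProperty $new | Out-Null

# 3. Read back and confirm the pool now carries exactly what was written.
$stored = (Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPool).CustomRdpProperty
if ($stored -ne $new) { throw 'Host pool CustomRdpProperty did not persist as written' }
Get-OpenRedirection (ConvertFrom-RdpProperty $stored) | Format-Table -AutoSize
```

Two caveats for anyone applying this. Update-AzWvdHostPool -CustomRdpProperty replaces the whole string, which is why the block round-trips the existing properties instead of writing a fresh list, and a client picks up the change only after its feed refreshes. More importantly, host pool RDP properties are a request carried in the client's RDP file; the enforcement point that denies a channel no matter what the client asks for is the session host's own policy (Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection, for example "Do not allow drive redirection" and "Do not allow client printer redirection"), so a pool-level allow list should be paired with session-host policy, not relied on alone. Whether a given storage device can then be admitted selectively through the low-level USB list is the question the thread leaves open.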
PRusco1 (Copper Contributor): Thanks askaresh, that's the drive letter passthrough we're implementing above. It's the only way I can currently restrict passthrough for USB storage. However it doesn't block unwanted USB storage devices.
I've actually had a response from MS escalation this morning and they've directed me to a 3rd party. I'll update if this provides a working solution.
askaresh (Iron Contributor): Looking forward to what you hear back on the workaround or fix.