Restrict USB storage and Printer passthrough

Is there a way to only allow specific USB devices to passthrough?

We have a requirement to allow specified USB storage devices to passthrough and specified printers to passthrough.

I fear I've become snowblind to a solution. 

The best I can seem to do is restrict specific drive letters (manually map the drive letter for a disk on the local machine - then pass that drive letter through to session host).

The current RDP properties in use are:

[screenshot of the RDP properties]

Full RDP properties:

drivestoredirect:s:w\:x\:y\:z\:q\:;enablecredsspsupport:i:1;autoreconnection enabled:i:0;bandwidthautodetect:i:0;networkautodetect:i:0;videoplaybackmode:i:1;audiocapturemode:i:0;encode redirected video capture:i:0;redirected video capture encoding quality:i:1;audiomode:i:0;camerastoredirect:s:;devicestoredirect:s:;redirectclipboard:i:0;redirectcomports:i:0;redirectlocation:i:0;redirectprinters:i:1;redirectsmartcards:i:0;redirectwebauthn:i:0;usbdevicestoredirect:s:143dbec4-2a05-5ac3-860f-1bb97b597f32\;f887e71c-80a1-570b-9e5a-b002867df24e\;;use multimon:i:0;screen mode id:i:2;smart sizing:i:1;dynamic resolution:i:1

I hoped the above settings would restrict all USB devices except the ones specified in “USB device redirection”. However, this isn’t the case. All installed printers and USB storage devices with any of the drive letters w, x, y, z or q are passed through to the host session.

I’ve attempted to restrict devices using:

  • AVD RDP properties > USB device redirection
  • GPOs on the DC
  • Endpoint manager > Devices > Configuration profiles
  • Endpoint manager > Endpoint Security > Attack surface reduction profiles

None of the above seem to make any difference to AVD passthrough. I suspect because they’re focusing on endpoint management, and we don’t manage the endpoints with the installed USB devices?

I’ve looked at the RDP file on the client machine and that is showing the desired properties from AVD. But it still doesn’t seem to make any difference.

I’ve raised a call with Microsoft. They’ve gone over the RDP properties and seem to think that it’s correctly configured, and that “USB device redirection” should be working.

I wonder if anyone here has experienced the same or similar issues and if they were overcome?

Thanks

Paul
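
As an added illustration of what the property string quoted above actually opens (my own code, not from this post or from Microsoft): a parser for the host-pool property format and a check of which redirection channels the string leaves open. It assumes the escaping convention visible in that string, where separators inside a value are written as \; and \:, and it reports the same outcome the post observes: storage arrives through drivestoredirect and printers through redirectprinters, so the usbdevicestoredirect GUID list filters neither.

```python
import re
# Redirection-relevant subset of the host-pool RDP property string quoted above.
PAGE_PROPERTIES = (
    r"drivestoredirect:s:w\:x\:y\:z\:q\:;redirectclipboard:i:0;redirectcomports:i:0;"
    r"redirectprinters:i:1;redirectsmartcards:i:0;camerastoredirect:s:;"
    r"devicestoredirect:s:;audiocapturemode:i:0;"
    r"usbdevicestoredirect:s:143dbec4-2a05-5ac3-860f-1bb97b597f32\;"
    r"f887e71c-80a1-570b-9e5a-b002867df24e\;;use multimon:i:0"
)

# One channel per class of client device.  USB storage arrives via drivestoredirect and
# printers via redirectprinters; the usbdevicestoredirect GUID list only governs RemoteFX
# USB devices, which is why an allow-list there filters neither storage nor printers.
CHANNELS = {
    "drivestoredirect": "drive letters (USB storage as a redirected network drive)",
    "redirectprinters": "all locally installed printers",
    "usbdevicestoredirect": "RemoteFX USB devices matched by GUID",
    "redirectclipboard": "clipboard",
    "redirectcomports": "serial ports",
    "redirectsmartcards": "smart cards",
    "camerastoredirect": "cameras",
    "devicestoredirect": "plug-and-play devices",
    "audiocapturemode": "microphone",
}

def parse_rdp_properties(props: str) -> dict:
    """Parse 'key:type:value;...' into {key: (type, value)}.  Separators inside a value
    are escaped as '\\;' / '\\:' (as in the string on this page), so split only on
    unescaped ';' and unescape afterwards."""
    parsed = {}
    for entry in re.split(r"(?<!\\);", props):
        if entry.strip():
            key, typ, value = entry.split(":", 2)  # the value itself may contain ':'
            parsed[key.strip()] = (typ, value.replace("\\;", ";").replace("\\:", ":"))
    return parsed

def open_channels(parsed: dict) -> dict:
    """{key: description} for each channel the string explicitly opens, i.e. any value
    other than '0' (i-type) or '' (s-type).  Absent keys keep the client default."""
    return {key: what for key, what in CHANNELS.items()
            if key in parsed and parsed[key][1] not in ("0", "")}

def redirected_drives(parsed: dict) -> list:
    """Drive letters named in drivestoredirect ('*' means every client drive)."""
    value = parsed.get("drivestoredirect", ("s", ""))[1]
    return ["*"] if value == "*" else [d.upper() for d in value.split(":") if d]

if __name__ == "__main__":
    props = parse_rdp_properties(PAGE_PROPERTIES)
    print(redirected_drives(props), sorted(open_channels(props)))  # W X Y Z Q; drive, printer and RemoteFX USB channels open
```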

@PRusco1 For the USB storage redirection you will also need to enable storage redirection properties. I noticed that is disabled based on the values above.

[screenshot of the storage redirection properties]

Thanks @askaresh, that's the drive letter passthrough we're implementing above. It's the only way I can currently restrict passthrough for USB storage. However, it doesn't block unwanted USB storage devices.

I've actually had a response from MS escalation this morning and they've directed me to a 3rd party. I'll update if this provides a working solution.

Looking forward to what you hear back on the workaround or fix.

I would like to know if you managed to fix this.

Hi @NishithGupta

Apologies for not updating this a long time ago!

In short, there is no current ability of AVD which allows for the restriction of specific USB storage devices to pass through to AVD session hosts.

Instead, there is the ability to allow all USB storage devices to pass through as a "redirected network drive".

We were given the details of a 3rd party (DeviceTrust) that could help, but they couldn't avoid the fundamental design of AVD passing through storage as a redirected network drive.

This functionality would have a significant positive impact on the industry I work in - in the sense that we could really sell this as a solution to customers. But this is a function that needs to be addressed by MS. I have raised support calls and a change request with MS (March 2023). I have had no feedback from MS regarding these. In my opinion, MS will not be paying attention to this change request until a large corporation requires it.

Please, nobody hold their breath for a solution.

Kind regards,

Paul