Client drive redirection for group of users

%3CLINGO-SUB%20id%3D%22lingo-sub-1511666%22%20slang%3D%22en-US%22%3EClient%20drive%20redirection%20for%20group%20of%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1511666%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20we%20publish%20a%20WVD%20desktop%20to%20all%20users%20%26amp%3B%20need%20to%20have%20the%20client%20drive%2C%20clip%20board%20mapping%20disabled%20for%20all.%20But%20there%20will%20be%20a%20group%20of%20users%20who%20need%20access%20to%20client%20drive%20%26amp%3B%20clip%20board.%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20Remote%20desktop%20session%20host%20policy%20to%20enable%2Fdisable%20redirection%20in%20Computer%20configuration%20(Machine%20policy)%2C%20same%20is%20not%20available%20in%20User%20configuration.%26nbsp%3B%3C%2FP%3E%3CP%3ESame%20with%20registry%20%22%3CSPAN%3EHKEY_LOCAL_MACHINE%5C%3C%2FSPAN%3E%3CSPAN%3ESOFTWARE%5CPolicies%5CMicrosoft%5CWindows%20NT%5CTerminal%20Services%22.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EWhat%20are%20the%20option%20available%20in%20WVD%20without%20having%20separate%26nbsp%3Bdesktop%20with%20another%20set%20of%20VM%20only%20for%20client%20drive%20mapping%20to%20users%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1515087%22%20slang%3D%22en-US%22%3ERe%3A%20Client%20drive%20redirection%20for%20group%20of%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1515087%22%20slang%3D%22en-US%22%3EOne%20option%20you%20may%20try%20is%20to%20use%20the%20winstation%20permission%20setting%20for%20specific%20users.%20You%20can%20set%20it%20with%20RDS%20wmi%20provider%20Win32_TSAccount%20on%20TerminalName%3D%22rdp-sxs%22.%20You'll%20need%20to%20do%20this%20for%20each%20VM.%3CBR%20%2F%3EAs%20local%20resource%20redirection%20uses%20virtual%20channel%2C%20you%20can%20allow%2Fdeny%20WINSTATION_VIRTUAL%20to%20control%20resource%20redirection.%3CBR%20%2F%3EDeny%20will%20take%20precedence%20over%20allow.%20it%20will%20work%20if%20you%20allow%20everyone%20for%20redirection%20during%20publishing%2C%20then%20use%20wmi%20to%20add%20user%2Fuser%20groups%20whom%20you%20want%20to%20deny%20redirection.%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fwin32%2Ftermserv%2Fwin32-tspermissionssetting%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fwin32%2Ftermserv%2Fwin32-tspermissionssetting%3C%2FA%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fwin32%2Ftermserv%2Fwin32-tsaccount%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fwin32%2Ftermserv%2Fwin32-tsaccount%3C%2FA%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1519189%22%20slang%3D%22en-US%22%3ERe%3A%20Client%20drive%20redirection%20for%20group%20of%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1519189%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F181812%22%20target%3D%22_blank%22%3E%40Soo%20Kuan%20Teo%3C%2FA%3E%26nbsp%3BThank%20you%2C%20I%20will%20configure%20and%20test%20this%20option%20and%20let%20you%20know%20how%20it%20goes.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1704846%22%20slang%3D%22en-US%22%3ERe%3A%20Client%20drive%20redirection%20for%20group%20of%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1704846%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F181812%22%20target%3D%22_blank%22%3E%40Soo%20Kuan%20Teo%3C%2FA%3E%26nbsp%3B%2C%20explored%20this%20option%2C%20its%20not%20feasible%20to%20apply%20this%20on%20each%20VM%20in%20large%20enterprise.%26nbsp%3B%3C%2FP%3E%3CP%3EBetter%20option%20I'm%20expecting%20it%20as%20a%20feature%20for%20user%20policy%20which%20can%20be%20filtered%20for%20active%20directory%20groups.%20or%20may%20be%20in%20future%20via%20user%20Azure%20AD%20policy.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

When we publish a WVD desktop to all users & need to have the client drive, clip board mapping disabled for all. But there will be a group of users who need access to client drive & clip board. 

We have Remote desktop session host policy to enable/disable redirection in Computer configuration (Machine policy), same is not available in User configuration. 

Same with registry "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services". 

What are the option available in WVD without having separate desktop with another set of VM only for client drive mapping to users?

3 Replies
One option you may try is to use the winstation permission setting for specific users. You can set it with RDS wmi provider Win32_TSAccount on TerminalName="rdp-sxs". You'll need to do this for each VM.
As local resource redirection uses virtual channel, you can allow/deny WINSTATION_VIRTUAL to control resource redirection.
Deny will take precedence over allow. it will work if you allow everyone for redirection during publishing, then use wmi to add user/user groups whom you want to deny redirection.
https://docs.microsoft.com/en-us/windows/win32/termserv/win32-tspermissionssetting
https://docs.microsoft.com/en-us/windows/win32/termserv/win32-tsaccount

@Soo Kuan Teo Thank you, I will configure and test this option and let you know how it goes. 

@Soo Kuan Teo , explored this option, its not feasible to apply this on each VM in large enterprise. 

Better option I'm expecting it as a feature for user policy which can be filtered for active directory groups. or may be in future via user Azure AD policy.