USB passthrough
1 Topic
Restrict USB storage and Printer passthrough
Is there a way to only allow specific USB devices to passthrough? We have a requirement to allow specified USB storage devices to passthrough and specified printers to passthrough. I fear I've become snowblind to a solution. The best I can seem to do is restrict specific drive letters (manually map the drive letter for a disk on the local machine - then pass that drive letter through to session host).

The current RDP properties in use are:

Full RDP properties:
drivestoredirect:s:w\:x\:y\:z\:q\:;enablecredsspsupport:i:1;autoreconnection enabled:i:0;bandwidthautodetect:i:0;networkautodetect:i:0;videoplaybackmode:i:1;audiocapturemode:i:0;encode redirected video capture:i:0;redirected video capture encoding quality:i:1;audiomode:i:0;camerastoredirect:s:;devicestoredirect:s:;redirectclipboard:i:0;redirectcomports:i:0;redirectlocation:i:0;redirectprinters:i:1;redirectsmartcards:i:0;redirectwebauthn:i:0;usbdevicestoredirect:s:143dbec4-2a05-5ac3-860f-1bb97b597f32\;f887e71c-80a1-570b-9e5a-b002867df24e\;;use multimon:i:0;screen mode id:i:2;smart sizing:i:1;dynamic resolution:i:1

I hoped the above settings would restrict all USB devices except the ones specified in “USB device redirection”. However this isn’t the case. All installed printers and USB storage devices with any of the drive letters: w,x,y,z or q, are passed through to the host session.

I’ve attempted to restrict devices using:
- AVD RDP properties > USB device redirection
- GPOs on the DC
- Endpoint manager > Devices > Configuration profiles
- Endpoint manager > Endpoint Security > Attack surface reduction profiles

None of the above seem to make any difference to AVD passthrough. I suspect because they’re focusing on endpoint management, and we don’t manage the endpoints with the installed USB devices?

I’ve looked at the RDP file on the client machine and that is showing the desired properties from AVD. But still doesn’t seem to make any difference.

I’ve raised a call with Microsoft. They’ve gone over the RDP properties and seem to think that it’s correctly configured, and that “USB device redirection” should be working.

I wonder if anyone here has experienced the same or similar issues and if they were overcome?

Thanks
Paul
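An added example, not part of the original post or of any Microsoft tooling: a small Python parser for the custom RDP property string quoted above, which handles the \; and \: escapes and lists every redirection property that is switched on. It assumes each property is evaluated independently, so a populated usbdevicestoredirect list does not switch off drivestoredirect or redirectprinters; the function names are hypothetical.

```python
import re

# Redirection-related properties copied from the post above (other keys omitted).
POSTED = (
    r"drivestoredirect:s:w\:x\:y\:z\:q\:;camerastoredirect:s:;devicestoredirect:s:;"
    r"redirectclipboard:i:0;redirectcomports:i:0;redirectlocation:i:0;"
    r"redirectprinters:i:1;redirectsmartcards:i:0;redirectwebauthn:i:0;"
    r"usbdevicestoredirect:s:143dbec4-2a05-5ac3-860f-1bb97b597f32\;"
    r"f887e71c-80a1-570b-9e5a-b002867df24e\;;audiocapturemode:i:0"
)

# The redirection properties that appear in the posted string.
REDIRECTS = (
    "drivestoredirect", "camerastoredirect", "devicestoredirect",
    "usbdevicestoredirect", "redirectclipboard", "redirectcomports",
    "redirectlocation", "redirectprinters", "redirectsmartcards", "redirectwebauthn",
)

def parse_rdp_properties(text):
    """Split 'name:type:value' entries on unescaped ';' and unescape the values."""
    props = {}
    for entry in re.split(r"(?<!\\);", text):
        parts = entry.split(":", 2)
        if len(parts) != 3:
            continue  # skip empty or malformed entries
        name, kind, value = parts
        value = value.replace("\\:", ":").replace("\\;", ";")
        props[name.strip().lower()] = int(value) if kind == "i" else value
    return props

def open_channels(props):
    """Return {property: what it lets through} for each redirection left on.

    Assumption of this sketch: every property is its own switch, so the
    USB list is reported alongside drives and printers, not instead of them.
    """
    found = {}
    for name in REDIRECTS:
        value = props.get(name)
        if isinstance(value, int) and value:
            found[name] = "enabled"
        elif isinstance(value, str):
            items = [v for v in re.split(r"[;:]", value) if v]
            if items:
                found[name] = items
    return found

if __name__ == "__main__":
    for name, allowed in open_channels(parse_rdp_properties(POSTED)).items():
        print(f"{name}: {allowed}")
```

Run against the exported .rdp contents or the host pool's custom property string, this gives a quick review list of what a session can pull in from an unmanaged client.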