Local drive redirection and peripheral devices such as cameras, USB drives, and printers are enabled for Windows 365 Cloud PCs. This feature allows users to seamlessly share data between their Cloud PC and local machine, enhancing flexibility and productivity.
While local drive redirection and peripheral device access enhance user convenience and productivity in Windows 365 Cloud PCs, they also pose potential security risks for enterprises. The data transfer between the Cloud PC and local devices could compromise sensitive company information.
Consequently, organizations must prioritize data protection by implementing measures to block local drive redirection. We will use the Intune admin center to disable local drive redirection to the Cloud PC. Let’s check the steps.
Create a Device Configuration Profile
Follow the steps below to create a Device configuration profile to disable local drive redirection:
- Sign in to the Intune admin center.
- Go to Devices > Configuration and, under the Policies tab, click on Create.
- Select Platform as Windows 10 and later
- Profile type as Settings Catalog
- Click on the Create button.
Enter the Name and Description of the profile. Click on Next to proceed.
- Click on “+ Add settings”.
- In the Settings picker, search for “drive redirection”.
- Click on the Category Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection.
- Check the box for “Do not allow drive redirection”.
About the “Do not allow drive redirection” setting: This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format <driveletter> on <computername>. You can use this policy setting to override this behavior. If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP. If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed. If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level.
- Use the toggle switch to Enable “Do not allow drive redirection”.
Click on Next.
Select “Add groups” and opt for an “Entra security group” containing either Windows 10/11 devices or Entra ID users. Adding devices to the group and targeting them accordingly is recommended for a controlled deployment. Once testing proves successful, you can expand the deployment by including additional devices in the group.
Review + create
Review the device configuration profile details on the Review + Create tab and click Create.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.
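The sync and the follow-up check can be scripted on the test Cloud PC. The following PowerShell is an added example, not from the original article; it assumes the MDM client's PushLaunch scheduled task triggers the check-in and that the policy is written as the fDisableCdm value under the Terminal Services policy key.

```powershell
#Requires -RunAsAdministrator
# Added example: force an Intune check-in, then wait until the
# "Do not allow drive redirection" policy is present on this device.
# Assumptions (not from the article): the 'PushLaunch' scheduled task under
# \Microsoft\Windows\EnterpriseMgmt\ starts the MDM sync, and the policy is
# stored as fDisableCdm = 1 in the key below.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ValueName  = 'fDisableCdm'
$TimeoutSec = 300   # how long to wait for the policy to arrive
$PollSec    = 15    # how often to re-check the registry

function Test-DriveRedirectionBlocked {
    # True only when the policy value exists and is set to 1 (enabled).
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 1)
}

# Locate the MDM sync task; the GUID in its path differs per enrollment.
$task = Get-ScheduledTask -TaskName 'PushLaunch' -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' } |
    Select-Object -First 1

if ($task) {
    $task | Start-ScheduledTask
    Write-Host "Started Intune sync task: $($task.TaskPath)$($task.TaskName)"
} else {
    Write-Warning 'PushLaunch task not found. Is this device MDM-enrolled?'
}

# Poll until the policy shows up or the timeout expires.
$deadline = (Get-Date).AddSeconds($TimeoutSec)
while (-not (Test-DriveRedirectionBlocked) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds $PollSec
}

if (Test-DriveRedirectionBlocked) {
    Write-Host "Policy applied: $ValueName = 1 (drive redirection blocked)."
    exit 0
} else {
    Write-Warning "Policy not found after $TimeoutSec seconds. Check the profile assignment and the report in the Intune admin center."
    exit 1
}
```

Drive redirection is decided when the Remote Desktop session connects, so sign out and reconnect to the Cloud PC before confirming in File Explorer that the local drives no longer appear.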
Monitoring the “Disable Local Drive Redirection” Policy
To monitor the deployment progress of a Device configuration profile, follow the steps below:
- Sign in to the Microsoft Intune admin center.
- Click on “Devices” and then click on “Configuration”.
- Choose the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
- Click on “View report” to access more detailed information.