In this tutorial, I will demonstrate how to disable local drive redirection using group policy. Enabling the GPO ‘Do not allow drive redirection’ prevents the mapping of client drives in a Remote Desktop Services session (drive redirection).
The local drive redirection in Azure Virtual Desktop (AVD) allows users to access their local drives while working in a remote session. This feature is also known as drive mapping or drive redirection.
Most organizations hide mapped drives from RDP sessions to prevent users from accidentally accessing data or damaging system files. As a best practice, WVD/Cloud PC users must be prevented from accessing mapped drives in an RDP session.
By default, in an AVD session, an RD Session Host server maps client drives automatically upon connection. All the mapped drives appear in the session folder tree in File Explorer or Computer. To stop local drives from being mapped in RDP, you can configure a GPO.
Although you can disable client drive redirection using the registry, group policy lets you apply this change in bulk to Windows devices joined to an Active Directory domain. If you’ve configured client drive redirection for WVD through the registry or some other local method, the group policy will override the local registry setting and disable the client drive redirection feature.
Prerequisites
- Creating a new GPO requires you to log in as an administrator on your Active Directory server.
- Ensure the MMC and the Group Policy Object Editor snap-in are available on your Active Directory server.
- Before implementing the GPO on an entire domain or organizational unit level, I suggest testing it on a small subset of users or devices. Applying the GPO to the domain will disable client drive redirection for all users.
- After successful testing, you can consider linking this GPO to the OU with the AVD session host computer accounts for turning off the local drive redirection feature.
Create a GPO to disable Local Drive Redirection
Let’s start by creating a new GPO to disable the local drive redirection for Windows devices. On your Active Directory server, open the Group Policy Management console.
In the Group Policy Management console, expand the domain, right-click Group Policy Objects and select New. Enter the policy name as ‘Disable Local Drive Redirection’ and click OK. Next, right-click this newly created GPO and select Edit.
In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection. Right-click the policy setting ‘Do not allow drive redirection’ and select Edit.
The group policy setting ‘Do not allow drive redirection’ specifies whether to prevent the mapping of client drives in an RDP session. If you enable this policy, client drive redirection is not allowed in Remote Desktop Services sessions. Clipboard file copy redirection is also restricted for users.
To disable the local drive redirection, set the ‘Do not allow drive redirection’ policy to Enabled. Click Apply and OK.
Linking the Group Policy to an OU
After creating the GPO to turn off local drive redirection, the next step is to link this GPO to an OU if you haven’t already. You can also link it to the domain, but doing so will apply the policy settings to every computer in the domain, so it is not advised.
Based on my experience, the best approach is to choose a test OU consisting of AVD users or cloud PC users, link the GPO, and test the policy settings. The group policy can also be applied to an OU with the AVD session host computer accounts or cloud PC devices.
Refresh the Group Policies
You can update the group policy on the client computers to speed up your testing. There are multiple ways to perform the group policy update on remote computers. On a test client machine, you can manually perform the group policy update by running the gpupdate /force command.
End-user Experience
After the devices successfully update the group policies, the final step is to verify if the local drive redirection is disabled. Sign in to a Windows device and connect to a cloud PC or log in to an Azure Virtual Desktop session. Now open File Explorer and select This PC from the left pane. All the mapped drives that previously appeared in the session should be gone now.
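The same steps (create the GPO, enable the setting, link it to a test OU, refresh and verify) can also be scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original tutorial: the OU path and session host name are placeholders, and it assumes the RSAT Group Policy tools on the admin workstation and PowerShell remoting to the session host.

```powershell
#Requires -Modules GroupPolicy
# Added example: scripted version of the GPO steps in this tutorial.
# $TestOu and $SessionHost are placeholders; replace them with your own values.

$GpoName     = 'Disable Local Drive Redirection'   # GPO name used in the tutorial
$TestOu      = 'OU=AVD-Test,DC=example,DC=com'     # placeholder: test OU with session hosts
$SessionHost = 'avd-host-01'                       # placeholder: one session host in that OU

# Registry value written by the 'Do not allow drive redirection' computer policy.
$PolicyKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$PolicyValue = 'fDisableCdm'                       # 1 = client drive redirection blocked

# 1. Create the GPO only if it does not exist yet, so the script can be re-run.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Blocks client drive redirection in RDS/AVD sessions' | Out-Null
}

# 2. Equivalent of setting the policy to Enabled in the Group Policy Management Editor.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $PolicyValue `
    -Type DWord -Value 1 | Out-Null

# 3. Link to the test OU (not the domain root) unless a link is already present.
$existing = (Get-GPInheritance -Target $TestOu).GpoLinks |
    Where-Object DisplayName -eq $GpoName
if (-not $existing) {
    New-GPLink -Name $GpoName -Target $TestOu -LinkEnabled Yes | Out-Null
}

# 4. Refresh computer policy on the session host, then read back the effective value.
$effective = Invoke-Command -ComputerName $SessionHost -ScriptBlock {
    gpupdate /target:computer /force | Out-Null
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    (Get-ItemProperty -Path $key -Name fDisableCdm -ErrorAction SilentlyContinue).fDisableCdm
}

# 5. Report the result; a missing or 0 value means the GPO has not reached this host.
if ($effective -eq 1) {
    Write-Output "$SessionHost : drive redirection is blocked by policy (fDisableCdm = 1)"
} else {
    Write-Warning "$SessionHost : policy not applied; check the OU link and run gpresult /r /scope:computer"
}
```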