This guide covers the steps to turn off client drive redirection with Intune. Organizations looking to prevent the mapping of client drives in a Remote Desktop Services session for their users can make use of an Intune policy to accomplish this task.
A feature commonly used in remote desktop protocols is local drive redirection, which allows users to access their local files while in a remote desktop session. With drive redirection configured by your administrator, the redirected drives appear as a network drive in File Explorer in your remote session.
For Azure Virtual Desktop, Microsoft recommends you configure drive redirection on your session hosts using Microsoft Intune or Group Policy, then control redirection using the host pool RDP properties.
Reasons for disabling local drive redirection
While convenient, enabling the local drive redirection capability can introduce various complexities and security concerns that organizations must consider.
- When local drive redirection is enabled, users may accidentally upload confidential documents to the remote session or download sensitive information to their local machines without realizing the implications.
- If the remote desktop session is compromised, attackers could gain access to local files, leading to potential data breaches.
Considering the above points, as a best practice, most organizations prefer to disable the local drive redirection feature for users. If you require users to access their data from a local computer during an RDP session, you should avoid deactivating the drive redirection feature.
You can also deactivate client drive redirection for your remote desktops with a Group Policy in Active Directory. Alternatively, Intune offers a better solution to stop local drives from being mapped in RDP sessions for cloud PCs, AVDs, and enrolled Windows devices.
Prerequisites
- You’ll need a Microsoft Entra ID account that is assigned the Policy and Profile Manager built-in RBAC role.
- A group of devices for applying the Intune policy.
- A supported app and platform to connect to a remote session.
Turn off Client Drive Redirection with Intune
To begin, let’s create a new policy in Intune to turn off the client drive redirection. Sign in to the Microsoft Intune admin center. Go to Devices > Windows and under Manage Devices, select Configuration. Click on Create > New Policy.
On the Create a profile pane, choose the Platform as Windows 10 and later and Profile Type as Settings Catalog. Click Next.
On the Basics tab, specify the policy name and a brief description of the policy. This will make it easier for other Intune administrators to understand the purpose of this profile.
For instance, I have specified the following details for the profile:
- Policy Name: Turn off client drive redirection using Intune
- Description: This policy prevents local drives from being mapped for users during RDP
Click Next to continue.
In the Configuration Settings section, under Settings Catalog, click Add Settings. On the Settings picker window, type “drive redirection” in the search box and click Search.
You will find a single category to select, which is Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection.
Select the setting “Do not allow drive redirection” and close the settings picker window.
To disable drive redirection, toggle the switch “Do not allow drive redirection” to Enabled. That is it; now click Next to proceed to the next step.
In the Assignments tab, specify the Entra ID groups to assign the policy. You can target this policy to groups containing cloud PC devices or Azure Virtual Desktop hosts. We recommend deploying the profile to a few test groups first and then expanding it to more groups if the testing is successful. Select Next.
On the Review+Create tab, review all the settings you’ve configured for deactivating the client drive redirection feature. Click Create to create this policy in Intune.
After you create the above configuration policy in Intune, you’ll see a notification: “Policy created successfully.” This confirms that the policy has been created and is being applied to the groups we chose. The newly created configuration profile appears in Intune’s list of configuration profiles.
To speed up the policy assignments on endpoints, you can use several methods to force sync Intune policies on your Windows computers. This is required when testing a policy or app deployment, and you want clients to receive their assignments as soon as possible.
Monitor Disable Local Drive Redirection policy in Intune
After applying the policy to deactivate client drive redirection to your endpoints, you can track which devices successfully received the policy settings and which failed.
In the Intune admin center, select the policy and review the device and user check-in status. Under “Device and user check-in status,” you get to see the total number of devices that successfully received the policy settings.
In some cases, the policy may fail to apply to targeted groups. To resolve the issues, I recommend reviewing Intune logs on Windows computers.
End user experience: Verify drive redirection
The final step is to verify if the local drive redirection is disabled on client computers with the policy that we applied via Intune. I recommend restarting the computers for the settings to take effect.
Connect to a remote session using the Windows app or the Remote Desktop app on a platform that supports drive redirection. Once logged in, open File Explorer and select This PC from the left pane. All the mapped drives that previously appeared in the session should be gone now.
The first image below shows the cloud PC showing the mapped drive before the policy was applied. The second image shows that after disabling local drive redirection with an Intune policy, the previously mapped drives are no longer available for users.
In case the user attempts to manually map a drive, the Intune policy will prevent them from doing it. This demonstrates that the Intune policy can not only disable client drive redirection, but also prevent users from manually mapping drives.
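The same verification can be scripted from inside the remote session. The following is an added example, not part of the original guide: it reads the registry value that the “Do not allow drive redirection” administrative template is assumed to set (fDisableCdm under the Terminal Services policy key) and probes for redirected client drives at \\tsclient\<letter>. The function names and output property names are illustrative.

```powershell
# Added example: run on the session host or Cloud PC, inside the RDP session.
# Assumption: the "Do not allow drive redirection" administrative template
# writes the fDisableCdm value under the Terminal Services policy key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$valueName = 'fDisableCdm'

function Get-DriveRedirectionPolicy {
    # Returns 'Enabled' (redirection blocked), 'Disabled', or 'NotConfigured'.
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$valueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-RedirectedClientDrive {
    # Redirected client drives are exposed in the session as \\tsclient\<letter>.
    foreach ($letter in [char[]](65..90)) {
        $unc = "\\tsclient\$letter"
        if (Test-Path -LiteralPath $unc -ErrorAction SilentlyContinue) { $unc }
    }
}

$policy = Get-DriveRedirectionPolicy
$drives = @(Get-RedirectedClientDrive)

# One summary object per host, suitable for Export-Csv when testing a pilot group.
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    SessionName      = $env:SESSIONNAME   # identifies the session the check ran in
    PolicyState      = $policy
    RedirectedDrives = $drives -join ', '
    Compliant        = ($policy -eq 'Enabled' -and $drives.Count -eq 0)
}
```

A PolicyState of NotConfigured on a targeted device means the profile has not been applied yet; sync the device and check the assignment status before retesting. Probing all 26 letters can take a few seconds when no client drives are present.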