🔐Stronger Security by Default in Azure Virtual Desktop – Easily Configure Redirections via RDP, Intune, or Group Policy

-

 



Introduction

Microsoft has recently updated the default security settings for Azure Virtual Desktop (AVD). As of now, when you create a new host pool, several device redirection features—such as clipboard sharing, drive access, USB devices, and printer redirection—are disabled by default.

This change is designed to reduce the risk of data exfiltration and malware injection, making AVD more secure out of the box. However, if your organization requires these features for productivity or workflow reasons, you can easily enable them manually.

In this guide, I’ll walk you through how to re-enable device redirection using the Azure portal.

🛠️ Step-by-Step: Enable Device Redirection in Azure Portal

  1. Log in to Azure Portal Go to and sign in with your administrator account.

  2. Navigate to Your Host Pool In the left-hand menu, search for "Azure Virtual Desktop" and select "Host pools". Click on the host pool you want to configure.

  3. Open RDP Properties Under the host pool settings, find and click on "RDP Properties".

  4. Go to the "Device redirection" Tab This tab contains all the redirection settings, including:

    • Clipboard

    • Drive storage

    • USB devices

    • Printers

    • Microphone

    • Camera

    • Smart cards

  5. Enable the Features You Need For each setting, choose "Enabled" from the dropdown menu. You can leave unnecessary features as "Disabled" to maintain security.

  6. Save Your Changes Click "Save" to apply the new configuration.



📋 Option 2: Configure via Microsoft Intune

If you're using Intune to manage devices, you can enable redirection settings using Administrative Templates:

Path in Intune: Devices > Configuration Profiles > Create Profile

  • Platform: Windows 10 and later

  • Profile type: Administrative Templates

  • Navigate to: Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection

From here, you can enable or disable specific redirection features such as clipboard, printers, and drives.


đŸ–„️ Option 3: Configure via Group Policy (GPO)

For environments using Active Directory, you can configure redirection settings via Group Policy:

GPO Path: Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection

This method allows centralized control over redirection policies across multiple machines or user groups.


⚠️ Important Reminder

These redirection features are disabled by default in all newly created host pools. This is part of Microsoft’s effort to improve security posture in AVD environments. If your users rely on features like clipboard sharing or USB access, make sure to manually enable them using one of the methods above.

Kommentarer

Skicka en kommentar

PopulÀra inlÀgg i den hÀr bloggen

🚀 IntuneWin – Deploying Win32 Apps via Intune 🎯

-
Bild
đŸ”č Benefits of IntuneWin: ✅ Seamless app packaging 📩 ✅ Automated deployment ⚙️ ✅ Centralized cloud management ☁️ ✅ Support for installation & uninstallation 🔄 The IntuneWin format is a method for preprocessing Windows Classic (Win32) applications. The tool transforms application installation files into the .intunewin format. Once you apply this tool to the app packaging folder, you can create an app enrollment configuration that enables advanced deployment features, such as OS version dependencies and uninstallation methods for remote application removal. Win32 apps in Intune size limit of 30 GB per app. To start the configuration 1- First you need to download the Microsoft Win32 Content Prep Tool :  Microsoft Win32 Content Prep Tool 2-  Unzip the tool to a folder, E, C , F etc drive (you can choose any folder you like). 3- Save your application  in the same folder as the Content Prep tools.  4- Now we will create the .intunewin package using PowerS...
Read more »

Boost Your Graphics Power med GPU-acceleration i Azure Virtual Desktop!

-
Bild
  🎯 Purpose Optimize performance for Remote Desktop sessions by enabling GPU acceleration and video optimization via Microsoft Intune or Group Policy (GPO). 🧠 Prerequisites & Requirements Required skills: Basic knowledge of Windows device management Experience with Microsoft Intune or Group Policy Understanding of Remote Desktop (RDP/AVD) concepts Technical requirements: Windows 10/11 on session hosts GPU-enabled VMs (e.g., NVv3, NVadsA10 v5, NCasT4_v3) Microsoft HEVC codec installed on client devices Proper GPU drivers installed (NVIDIA GRID or AMD) 1. Sign in Go to: https://intune.microsoft.com 2. Create or edit a configuration profile Go to Devices > Configuration profiles Click Create profile Select: Platform: Windows 10 and later Profile type: Settings catalog 3. Add settings Click Add settings and browse to: Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host ...
Read more »

Block Personal devices to acces to Desktop apps like teams, Onedrive etc and how to troubleshooting the issue.

-
Bild
  You can use Conditional Access to block users based on location, IP address, and more, but now we will talk about blocking access for users who are using personal devices 1. Navigate to Entra ID -> Protection -> Conditional Access and create a new policy. 2- Create new policy 3-   Name your policy Assign your policy to a user/group or to all users. If you assign the policy to all users, be sure to exclude the break-glass account. It's essential to always have a break-glass account in place. In case of an error, you could accidentally lock out all users, so make sure these accounts remain unaffected. 4- In the Target resources select All resources (formerly 'All cloud apps') 5- In the conditions: Device platforms: select which devices you want the policy to apply to. In my case i will select windows and MacOS  Client apps: check all boxes except Browser, which will block everything except the browser. Here’s the magic: In the Filter for devices, you can ...
Read more »