Let’s discuss how to prevent supported Plug and Play device redirection in Remote Desktop Services sessions using Intune. Plug and Play Device Redirection is a critical security and performance control for Remote Desktop Services (RDS).
Essentially, it determines whether a user can “plug” a device into their local computer (like a digital camera, a specialized media player, or a POS terminal) and have that device appear and function inside the remote session.
This policy can be enabled for several reasons. If a user can redirect a Plug and Play (PnP) storage device or a smartphone, they could easily copy sensitive corporate data from the remote server onto their personal hardware.
If a user plugs in a niche PnP device, the remote server needs a compatible driver to handle it. If the server doesn’t have it, the device fails. Admins use this policy to block redirection so they don’t have to spend hours hunting down and installing consumer-grade drivers on enterprise-grade servers.
Prevent Supported Plug and Play Device Redirection in Remote Desktop Services Sessions using Intune
Malware protection is another reason: blocking PnP redirection prevents potentially infected local devices from interacting with the corporate environment via the RDP channel. This policy also prevents an employee from dragging and dropping sensitive financial spreadsheets onto their phone’s internal storage.
Sign in to the Intune Portal
As an admin, you can easily configure this policy on your tenant. To do so, sign in to the Microsoft Intune Portal with your credentials and navigate to Devices > Configuration > + Create > New Policy.

Profile Choosing Step
After that, choose the appropriate platform and profile type. This is a necessary step for policy creation, and you cannot change the profile type and platform after creating the profile. Here, I configure the policy for the Windows 10 and later platform with the Settings catalog profile type. Then click the Create button.

Basic Tab
The Basic tab is the first step of policy creation. On this tab, you have to give a name for the policy that you want to create. The name field is mandatory; without a name, you can’t create a policy on the Basic tab. You can also add a description of the policy, which is not compulsory. Click the Next button.

Configuration Settings
The Configuration settings tab allows you to select specific policy settings to manage your organisation’s devices. On this page, click the + Add Settings hyperlink. A settings picker opens and shows the categories from which you can select specific settings. Here, I choose Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection > Do not allow supported Plug and Play device redirection.

Policy Disabled: Plug and Play Device Redirection Allowed
If you disable this policy setting, users can redirect their supported Plug and Play devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the supported Plug and Play devices to redirect to the remote computer.

Policy Enabled: Plug and Play Device Redirection Blocked
If you enable this policy setting, users cannot redirect their supported Plug and Play devices to the remote computer. If you do not configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer only if it is running Windows Server 2012 R2 and earlier versions.

Scope Tags
The next section is Scope tags, which is not a compulsory step. It helps to assign this policy to a defined group of users or devices. Here, I skip the section and click the Next button.

Assignments
The next step is Assignments. In this section, you specify which group the policy should be applied to. Because our aim is to deploy this policy to a specific group, this step is essential. Look for the Add Groups option under the Include Groups section and click on it.
- A list of available groups will appear; select the group you want to target.
- After selecting the group, click Next to proceed to the next step.

Review + Create in Policy Creation
After the Assignments step, you’ll reach the final tab, called Review + Create. In this section, you can see a summary of everything you entered in the previous steps, such as the basic details, configuration settings, and assignment details. If you don’t need to change anything, just click on Review + Create.

Device and User Check in Status
After creating a policy, we have to check whether it was deployed successfully. You can either wait up to 8 hours for the policy to apply automatically, or reduce the waiting time by manually syncing the policy through the Company Portal.
- After syncing, you can check the policy’s status through the Intune Portal.
- To do this, go to Devices > Configuration Profiles.
- In the Configuration policy section, search for the name of the policy you created.
- Open the policy to see its device and user check-in details.
- It will show whether the policy was successfully deployed or not.
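
To confirm on the session host itself that the setting landed, the added example below (not part of the original post) reads the registry value that backs this Group Policy setting, `fDisablePNPRedir` under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services`, and maps it to the three states described above. The function name `Get-PnpRedirectionPolicyState` is hypothetical.

```powershell
# Added example: local check of the "Do not allow supported Plug and Play
# device redirection" policy state. The function name is hypothetical.
function Get-PnpRedirectionPolicyState {
    [CmdletBinding()]
    param(
        # Registry location used by the Remote Desktop Services policy settings.
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
        [string]$ValueName = 'fDisablePNPRedir'
    )

    # A missing key or missing value both mean the policy is not configured.
    $raw = $null
    if (Test-Path -LiteralPath $PolicyKey) {
        $item = Get-ItemProperty -LiteralPath $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $raw = $item.$ValueName }
    }

    if ($null -eq $raw) {
        $state  = 'NotConfigured'
        $effect = 'Redirection allowed only on Windows Server 2012 R2 and earlier'
    }
    elseif ($raw -eq 1) {
        $state  = 'Enabled'
        $effect = 'Users cannot redirect supported PnP devices'
    }
    elseif ($raw -eq 0) {
        $state  = 'Disabled'
        $effect = 'Users can redirect supported PnP devices'
    }
    else {
        $state  = 'Unexpected'
        $effect = "Unrecognised value '$raw'; review the policy source"
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        RawValue           = $raw
        PolicyState        = $state
        RedirectionBlocked = ($state -eq 'Enabled')
        Effect             = $effect
    }
}

# Run in an elevated PowerShell session on the targeted device.
Get-PnpRedirectionPolicyState
```

A result of `PolicyState = Enabled` after a sync indicates the Intune profile has been applied to that device; `NotConfigured` on a targeted device points to an assignment or sync problem.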

Removing the Assigned Group from Plug and Play Device Redirection Policy Settings
If you want to remove the assigned group from the policy, you can do so from the Intune Portal. Open the policy in the Intune Portal, edit the Assignments tab, and remove the group from the policy.
To get more detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.

How to Delete Plug and Play Device Redirection Policy
You can easily delete the Policy from the Intune Portal. From the Configuration section, you can delete the policy. It will completely remove it from the client devices.

For detailed information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.
Author
Anoop C Nair has been a Microsoft MVP from 2015 onwards for 10 consecutive years! He is a Workplace Solution Architect with 22+ years of experience in Workplace technologies. He is also a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.
