USB Redirections Disabled For New AVD Host Pools

As part of its ongoing work on the security and usability of its cloud services, Microsoft announced a significant change in July 2025: specific redirections are now disabled by default in newly created Azure Virtual Desktop (AVD) host pools. The change covers clipboard, drive, opaque low-level USB, and printer redirection.

In this blog post, we’ll look at the impact of disabling these redirections, what it means for security, and how you can manage redirection settings in your AVD environment to balance security with functionality. We will also walk through the various types of peripheral and resource redirection available over the Remote Desktop Protocol (RDP) to give a complete picture of the subject.

Understanding Redirections in AVD

Redirections are mechanisms that allow data transfer between the AVD session and the user’s local device. They include clipboard, drive, USB, and printer redirection, as well as other peripherals. These functionalities are designed to provide a seamless remote experience, comparable to using a local device, thus improving productivity and efficiency while reducing the need to install device drivers on the session host.

Types of Redirections

  • Clipboard redirection: Enables copy-paste operations between the user’s local device and the virtual desktop.
  • Drive redirection: Allows access to local drives from within the virtual session.
  • Opaque low-level USB redirection: Transports the raw communication of a USB peripheral without interpreting or optimizing it for remote scenarios (for example, a USB-to-serial adapter or other COM-port device).
  • Printer redirection: Permits the use of local printers to print documents from the virtual desktop.
  • Peripheral reflection: Reflects peripherals connected to the local device into the remote session, including keyboards, mice, webcams, and more.
  • Data sharing: Shares and transfers data, such as the clipboard contents, between the local device and a remote session.
  • State reflection: Reflects the local device state into a remote session, such as battery status and location.
  • Application splitting: Splits the functionality of an application across the local device and a remote session, such as with Microsoft Teams.

The Security Enhancement: Disabling Select Redirections

Effective July 2025, all newly created host pools in AVD have clipboard, drive, opaque low-level USB, and printer redirection disabled by default. The goal is to minimize the risk of data exfiltration and the introduction of malware, making the AVD environment more secure out of the box.

NOTE: Existing host pools are not affected by this change, but administrators should review their redirection settings against Microsoft’s current security recommendations rather than rely on the defaults those pools were created with.

Why Is This Change Important?

  • Minimizing security risks: Disabling these redirections by default reduces the attack surface for unauthorized data transfer out of the session, whether via the clipboard, a redirected drive, a printer, or a raw USB channel.
  • Reducing malware introduction: Redirections can be abused to bring malware or harmful files into the virtual environment from a local device (for example, a USB drive) or to carry them out of it.

Managing Redirection Settings

While the default setting enhances security, some use cases genuinely require one or more redirections. You can enable them per host pool as needed to meet specific user requirements. Here’s how:

  1. Sign in to the Azure portal.
  2. In the search bar, type Azure Virtual Desktop and select the matching service entry.
  3. Select Host pools, then select the host pool you want to configure.
  4. Select RDP Properties, then select Device redirection or Advanced.
  5. Edit each setting separately (under Device redirection) or the RDP properties (under Advanced) to enable the desired redirection settings.
  6. Select Save to apply the configuration.

Controlling Opaque Low-Level USB Redirection

Opaque low-level USB redirection is controlled by the RDP property usbdevicestoredirect:s:<value>, where <value> is the device instance path in the format USB\<Vendor ID and Product ID>\<USB instance ID>.

For an AVD host pool, you can control USB redirection behaviour by setting the RDP property value as follows:

  • Use class GUIDs to redirect or not redirect an entire class of USB peripherals.
  • Use the wildcard * as the value to redirect most peripherals that don’t have a high-level redirection mechanism or driver installed.
  • Combine these values to customize redirection settings for different peripheral types.

Example syntax: usbdevicestoredirect:s:*;{<DeviceClassGUID>};<USBInstanceID>;-<USBInstanceID>

Entries are separated by semicolons; a device instance ID prefixed with - is excluded from redirection even if a wildcard or class GUID would otherwise match it. Refer to Microsoft’s documentation for more examples and further guidance.
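The portal steps above and the usbdevicestoredirect syntax can also be driven from PowerShell. The following is an added example written for this post, not code from the original article or from Microsoft. It assumes the Az.Accounts and Az.DesktopVirtualization modules are installed and Connect-AzAccount has already been run; the resource group name, host pool name and the USB device instance ID at the bottom are placeholders. Because Update-AzWvdHostPool -CustomRdpProperty replaces the whole property string, the script parses the existing string first and merges the desired baseline into it, builds the opaque USB allow-list value, and reports host pools where any of the four redirections is still open.

```powershell
# Added example (not code from the original post or from Microsoft): merge a
# redirection baseline into an AVD host pool's custom RDP properties with the
# Az.DesktopVirtualization module without clobbering unrelated properties.
# Assumptions: Connect-AzAccount has been run; resource group, host pool name
# and the USB device instance ID used below are placeholders.
#Requires -Modules Az.Accounts, Az.DesktopVirtualization

function ConvertFrom-RdpPropertyString {
    # Parse "name:type:value;name:type:value" into an ordered dictionary.
    # A token that is not "name:type:value" is a continuation of the previous
    # value, which keeps the ';'-separated list inside usbdevicestoredirect intact.
    param([string]$Value)
    $props = [ordered]@{}
    $lastKey = $null
    foreach ($token in ($Value -split ';')) {
        if ($token -eq '') { continue }
        if ($token -match '^(?<key>[A-Za-z0-9 ]+):(?<type>[isb]):(?<val>.*)$') {
            $lastKey = $Matches['key'].ToLowerInvariant()
            $props[$lastKey] = @{ Type = $Matches['type']; Value = $Matches['val'] }
        }
        elseif ($null -ne $lastKey) {
            $entry = $props[$lastKey]
            $entry.Value = $entry.Value + ';' + $token
        }
    }
    return $props
}

function ConvertTo-RdpPropertyString {
    param($Props)
    $parts = foreach ($entry in $Props.GetEnumerator()) {
        '{0}:{1}:{2}' -f $entry.Key, $entry.Value.Type, $entry.Value.Value
    }
    return ($parts -join ';')
}

function New-UsbRedirectValue {
    # Build the usbdevicestoredirect value: optional '*', device class GUIDs in
    # braces, explicit device instance IDs, and '-' prefixed IDs to exclude.
    param(
        [switch]$AllowAll,
        [string[]]$AllowClassGuid = @(),
        [string[]]$AllowInstanceId = @(),
        [string[]]$DenyInstanceId = @()
    )
    $parts = [System.Collections.Generic.List[string]]::new()
    if ($AllowAll) { $parts.Add('*') }
    foreach ($g in $AllowClassGuid) { $parts.Add('{' + ($g -replace '^\{|\}$', '') + '}') }
    foreach ($id in $AllowInstanceId) { $parts.Add($id) }
    foreach ($id in $DenyInstanceId) { $parts.Add('-' + $id) }
    return ($parts -join ';')
}

function Get-UnrestrictedRedirection {
    # Report the four redirections this change disables by default when they are
    # enabled or not set at all (not set means the client default applies, not "off").
    param([string]$CustomRdpProperty)
    $props = ConvertFrom-RdpPropertyString -Value $CustomRdpProperty
    $checks = @{
        'redirectclipboard'    = { param($v) $v -ne '0' }
        'drivestoredirect'     = { param($v) $v -ne '' }
        'redirectprinters'     = { param($v) $v -ne '0' }
        'usbdevicestoredirect' = { param($v) $v -ne '' }
    }
    foreach ($name in ($checks.Keys | Sort-Object)) {
        if (-not $props.Contains($name)) { "$name (not set, client default applies)"; continue }
        if (& $checks[$name] $props[$name].Value) { "$name = $($props[$name].Value)" }
    }
}

function Set-AvdRedirectionBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$HostPoolName,
        [Parameter(Mandatory)][string]$DesiredProperties
    )
    $pool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName
    $merged = ConvertFrom-RdpPropertyString -Value $pool.CustomRdpProperty
    $desired = ConvertFrom-RdpPropertyString -Value $DesiredProperties
    foreach ($entry in $desired.GetEnumerator()) { $merged[$entry.Key] = $entry.Value }
    $newValue = ConvertTo-RdpPropertyString -Props $merged
    if ($PSCmdlet.ShouldProcess($HostPoolName, "set custom RDP properties to '$newValue'")) {
        Update-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName `
            -CustomRdpProperty $newValue | Out-Null
    }
    return $newValue
}

# Usage (placeholders): keep the new-pool defaults for clipboard, drives and
# printers, but allow exactly one USB-to-serial adapter through opaque USB
# redirection. The VID/PID/instance ID is an assumed example, not a real device.
$usb = New-UsbRedirectValue -AllowInstanceId 'USB\VID_0403&PID_6001\A1B2C3D4'
$baseline = "redirectclipboard:i:0;drivestoredirect:s:;redirectprinters:i:0;usbdevicestoredirect:s:$usb"
Set-AvdRedirectionBaseline -ResourceGroupName 'rg-avd' -HostPoolName 'hp-finance' -DesiredProperties $baseline -WhatIf

# Audit every host pool visible to the signed-in account for redirections left open.
Get-AzWvdHostPool | ForEach-Object {
    [pscustomobject]@{ HostPool = $_.Name; Unrestricted = (Get-UnrestrictedRedirection $_.CustomRdpProperty) -join ', ' }
}
```

Run it with -WhatIf first: the ShouldProcess call prints the fully merged property string so you can confirm that existing settings such as audiomode or enablecredsspsupport survived the merge before writing it back. The audit loop treats a property that is absent from the string as open, because the client default applies in that case; that is the situation for pre-July-2025 host pools that were never explicitly hardened.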

Conclusion

Microsoft’s decision to disable specific redirections by default in newly created AVD host pools represents a crucial step in enhancing security. This proactive measure significantly reduces risks associated with data exfiltration and malware injections. By carefully managing redirection settings, you can find the right balance between maintaining security and meeting the functional needs of users.

For detailed guidance on peripheral and resource redirection in AVD, refer to Microsoft’s Peripheral and resource redirection documentation.
