How to Disable Local Drive Mapping in RDP Sessions Using Microsoft Intune

Intune Settings Catalog Template: Block Client Drive Redirection (Session Host)

1) Profile basics (recommended naming standard)

Intune admin center → Devices → Windows → Configuration profiles → Create profile
Platform: Windows 10 and later
Profile type: Settings catalog
Name: Block Client Drive Redirection - RDS Sessions
Description (example):
Enables "Do not allow drive redirection" to prevent local drives (C:, USB) from mapping into RDP/Cloud PC/AVD sessions. Target: Session Hosts / Cloud PCs.

This policy corresponds to the “Do not allow drive redirection” setting under Remote Desktop Services device/resource redirection. (Microsoft Learn)

2) Configuration settings (the one setting you need)

Configuration settings → Add settings
Search: drive redirection
Select:
Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Device and Resource Redirection → Do not allow drive redirection
Set to: Enabled (Microsoft Learn)

What it does (important behavior):

When enabled, client drive redirection is blocked in Remote Desktop Services sessions. (Microsoft Learn)
It can also affect clipboard file copy redirection behavior (file copy via clipboard scenarios). (Microsoft Learn)

3) Scope tags (optional, but use correctly)

Scope tags are for admin delegation and visibility, not for targeting devices/users.

Scope (tags): Add something like Security-Hardening or RDS-AVD
Pair it with RBAC role assignments so only the right admin team can manage/see these profiles. (Microsoft Learn)

Assignments: what to target and how to roll out

Recommended targeting

For RDS/AVD, treat this as a session-host control:

Best practice: assign to a device group (session hosts / Cloud PCs), not a user group.

Examples:

All AVD Session Hosts - Prod
All Windows 365 Cloud PCs - Prod
All RDSH Servers - Prod

Rollout rings (instead of “Monitor/Enforce”)

Configuration profiles do not have a Monitor/Enforce toggle. Use deployment rings:

Pilot
- Include: Pilot-Test-Devices (small session host subset)
Broad
- Include: “Pre-Prod” or “IT” host pool
Production
- Include: all session hosts / all Cloud PCs

Use Exclusions for break-glass / testing where needed (example: RDS-Exceptions).

Validation and proof (fast + audit-friendly)

A) User experience check

Force policy delivery:
- Intune → device → Sync
Start a new RDP/AVD/Cloud PC session
File Explorer inside the session: verify no redirected client drives (no “C on ”, no USB drives).

B) On-device verification (best evidence)

This policy maps to an ADMX-backed setting that writes:

Registry path:
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Value: fDisableCdm (DWORD)
- 1 = drive redirection blocked (Microsoft Learn)

C) Reporting in Intune

Devices → Configuration → select the profile → review Device assignment status (Succeeded / Error / Pending).

Operational notes for RDP, Cloud PC, and AVD

Host-side vs client-side controls (do not mix them up)

The Settings Catalog policy above is host-side (session host / Cloud PC OS).
Microsoft also supports client-side redirection controls for Windows App / Remote Desktop app using Intune app configuration policies, and the most restrictive setting wins if there’s a conflict. (Microsoft Learn)

Practical takeaway:
For high assurance, keep the host-side block as the authoritative control, and only add client-side restrictions where you need extra granularity.

Troubleshooting checklist (when drives still show up)

Confirm you targeted the right device(s)
- For AVD: target the session host VM(s), not the user.
Confirm policy applied
- Registry fDisableCdm=1 check. (Microsoft Learn)
Confirm you tested a new session
- Log off/on (or reboot session host if you are validating during maintenance).
Check competing controls
- AVD host pool RDP properties or other GPOs can also influence redirection; conflicts resolve to the most restrictive when using client-side policy + host-side config. (Microsoft Learn)

Rollback plan (clean and safe)

Change the setting to Not configured/Disabled (depending on your intended end-state), or
Remove the assignment / retire the profile for that ring
Re-sync device, then start a new session to validate

Microsoft’s AVD guidance uses the same setting path and supports toggling Enabled/Disabled depending on requirements. (Microsoft Learn)

X Facebook LinkedIn Copy Email Pinterest Reddit Telegram ChatGPT SMS

How to Monitor Device Enrollment in Microsoft Intune (+ PowerShell Automation)

How to Manage Offline Files in Windows Using Intune | Step-by-Step Guide

Step-by-Step Guide to Adding a Custom Domain and Configuring DNS for Microsoft 365

Google Dorks Cheat Sheet 2026: Find PDFs, Docs & Educational Resources Fast

Enable Component Updates in Microsoft Edge with Intune for Stronger Browser Security

Implementing and Managing Windows LAPS for Microsoft Entra ID with Intune

Leave a Reply Cancel reply