Dear Team,
Your issue is due to a limitation in AVD USB redirection behavior — the usbdevicestoredirect and devicestoredirect policies do not fully block device redirection in all cases, especially for certain USB classes like HID, smartcard, or serial emulated devices, depending on how the USB redirection is implemented.
Here's what you're missing:
- AVD (Azure Virtual Desktop) only supports USB redirection via RemoteFX USB redirection on certain clients. This doesn't allow blocking specific devices reliably, especially HID or smartcard-type devices like RFID readers.
Your policy line:
usbdevicestoredirect:s:-usb\vid_16c0&pid_27db
— is likely being ignored because:
It's incorrectly formatted or not applied at the client level properly (not just session host).
The device class isn't handled correctly by the AVD agent (e.g., if it's not a true USB HID device).
**Device is redirected before filtering takes place**, due to the AVD client's default behavior.
Fix / Workaround:
Use Group Policy (GPO) on the client machine to completely block redirection of USB devices or specific device classes:
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > RemoteFX USB Device Redirection
Enable: "Allow RDP redirection of other supported RemoteFX USB devices from this computer". Then disable it.
Alternatively, use FSLogix or Conditional Access policies to enforce redirection policies based on session host or user.
If you're using msrdc.exe, try launching it with --disable-usb-redirection or an equivalent flag if supported.
Bottom Line:
AVD doesn't give full granular control over USB redirection yet. Use GPO to block USB redirection globally, or redesign the workflow to authenticate locally and launch the AVD session after RFID authentication completes. Trying to “partially” block the device mid-session often fails.
Let me know your exact OS/client setup if you want a specific GPO or PowerShell fix.
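Added example, not part of the message above and not Microsoft's code: a PowerShell script that runs on the Windows client (not the session host) and does the three checks a practitioner would want before blaming the policy. It reads the registry value behind the GPO named above ("Allow RDP redirection of other supported RemoteFX USB devices from this computer"), lists whether the reader is attached and what device class it enumerates as, and rewrites the usbdevicestoredirect property so it carries an explicit selection plus the exclusion, because an exclusion with nothing selected chooses no devices over the RemoteFX USB channel at all. Assumptions (hypothetical, for illustration): the .rdp file path, the VID/PID copied from the policy line in the thread, and ';' as the entry separator (check that against the current RDP-file property reference before relying on it). If the reader still appears in the session after this, it is arriving over a channel this property does not govern: a keyboard-wedge reader types through the input channel and a smart-card reader rides smart-card redirection, which is the HID/smartcard caveat made above.

```powershell
# Added example (not from the original message): audit the client-side RemoteFX
# USB policy, confirm the device is present on the client, and rewrite the
# usbdevicestoredirect line in an .rdp file. Run elevated on the CLIENT.
# Assumed values: the .rdp path and the VID/PID taken from the thread.
param(
    [string]$RdpFile = "$env:USERPROFILE\Downloads\avd.rdp",   # assumed path
    [string]$BlockedInstancePrefix = 'USB\VID_16C0&PID_27DB'   # from the thread
)

# Registry value set by the GPO "Allow RDP redirection of other supported RemoteFX
# USB devices from this computer": 1 = administrators only, 2 = all users.
# Absent means the policy is not configured; 0 means explicitly disabled.
$clientPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client'
$mode = (Get-ItemProperty -Path $clientPolicy -Name fUsbRedirectionEnableMode -ErrorAction SilentlyContinue).fUsbRedirectionEnableMode
if ($null -eq $mode)  { Write-Host 'RemoteFX USB policy: not configured (other USB devices are not redirected)' }
elseif ($mode -eq 0)  { Write-Host 'RemoteFX USB policy: disabled' }
elseif ($mode -eq 1)  { Write-Host 'RemoteFX USB policy: enabled for administrators only' }
else                  { Write-Host "RemoteFX USB policy: enabled for all users (value $mode)" }

# Is the reader attached, and as what class? A reader that enumerates as a
# keyboard/HID device reaches the session through the input channel, and a
# smart-card reader through smart-card redirection; usbdevicestoredirect governs
# neither, so an exclusion there cannot keep such a device local.
$devices = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceId -like "$BlockedInstancePrefix*" }
if (-not $devices) { Write-Host "No present device matches $BlockedInstancePrefix on this client" }
foreach ($d in $devices) {
    Write-Host ("Found '{0}' [{1}] class={2} status={3}" -f $d.FriendlyName, $d.InstanceId, $d.Class, $d.Status)
}

function Set-UsbRedirectExclusion {
    # Rewrites usbdevicestoredirect:s: to "select everything this channel supports,
    # except the named instance". The line in the thread has only the exclusion and
    # no selection, so it selects nothing, which looks the same as being ignored.
    param([string]$Path, [string]$Exclude)
    $lines = Get-Content -LiteralPath $Path
    $found = $false
    $new = @(foreach ($line in $lines) {
        if ($line -match '^usbdevicestoredirect:s:(.*)$') {
            $found = $true
            # Keep existing selections, drop any earlier copy of this exclusion
            # (any case, with or without the leading '-'), then append one clean
            # exclusion. Entry separator ';' is an assumption; verify against docs.
            $parts = @($Matches[1] -split '[;,]' |
                Where-Object { $_ -and ($_ -notmatch [regex]::Escape($Exclude)) })
            if ($parts.Count -eq 0) { $parts = @('*') }
            'usbdevicestoredirect:s:' + (($parts + "-$Exclude") -join ';')
        } else { $line }
    })
    if (-not $found) { $new += "usbdevicestoredirect:s:*;-$Exclude" }
    # mstsc writes .rdp files as UTF-16LE; keep that encoding when saving.
    Set-Content -LiteralPath $Path -Value $new -Encoding Unicode
    return ($new | Where-Object { $_ -like 'usbdevicestoredirect:*' })
}

if (Test-Path -LiteralPath $RdpFile) {
    Write-Host ('Rewrote: ' + (Set-UsbRedirectExclusion -Path $RdpFile -Exclude $BlockedInstancePrefix))
} else {
    Write-Warning "RDP file not found: $RdpFile (assumed path; pass -RdpFile)"
}
```

Run it once before changing any GPO: if the policy value is absent and the reader shows up as a keyboard-class device, no edit to usbdevicestoredirect will change what the session sees, and the workflow change suggested in the message (authenticate locally, then launch the session) is the realistic fix.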