Blocking RFID card reader USB redirection is not working as expected on AVD hostpool

Chandil 0 Reputation points
2025-03-28T19:55:22.27+00:00

My project uses a USB RFID card reader to authenticate and start the msrdc session to connect to AVD. I would need this RFID card reader to stay on the local client system, but in spite of blocking the redirection of this particular device, it is still being redirected to the remote desktop. These two settings in the advanced tab are not working either: devicestoredirect:s:*,-usb\vid_16c0&pid_27db and usbdevicestoredirect:s:-usb\vid_16c0&pid_27db

What am I missing?

Windows for business | Windows Client for IT Pros | Devices and deployment | System management components

1 answer

  1. Smith Pham 2,670 Reputation points Independent Advisor
    2025-07-22T08:36:08.1866667+00:00

    Dear Team,

    Your issue is due to a limitation in AVD USB redirection behavior — the usbdevicestoredirect and devicestoredirect policies do not fully block device redirection in all cases, especially for certain USB classes like HID, smartcard, or serial emulated devices, depending on how the USB redirection is implemented.

    Here's what you're missing:

    1. AVD (Azure Virtual Desktop) only supports USB redirection via RemoteFX USB redirection on certain clients. This doesn't allow blocking specific devices reliably, especially HID or smartcard-type devices like RFID readers.

    Your policy line:

        usbdevicestoredirect:s:-usb\vid_16c0&pid_27db

    — is likely being ignored because:

    • It's incorrectly formatted or not applied at the client level properly (not just the session host).
    • The device class isn't handled correctly by the AVD agent (e.g., if it's not a true USB HID device).
    • **Device is redirected before filtering takes place**, due to the AVD client's default behavior.

    Fix / Workaround:

    Use Group Policy (GPO) on the client machine to completely block redirection of USB devices or specific device classes:

        Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > RemoteFX USB Device Redirection

    Enable: "Allow RDP redirection of other supported RemoteFX USB devices from this computer". Then disable it.

    Alternatively, use FSLogix or Conditional Access policies to enforce redirection policies based on session host or user.

    If you're using msrdc.exe, try launching it with --disable-usb-redirection or equivalent flag if supported.


    Bottom Line:

    AVD doesn't give full granular control over USB redirection yet. Use GPO to block USB redirection globally, or redesign the workflow to authenticate locally and launch the AVD session after RFID authentication completes. Trying to “partially” block the device mid-session often fails.

    Let me know your exact OS/client setup if you want a specific GPO or PowerShell fix.

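Before changing host pool settings, it is worth checking what the reader actually enumerates as on the client, because usbdevicestoredirect only governs devices that RemoteFX USB redirection handles; keyboards, mice and smart-card readers go through RDP's own high-level redirection and are never offered to it. The script below is an added example written for this thread, not code from the question, the answer above, or Microsoft. It assumes the VID/PID 16C0/27DB from the question, the usbdevicestoredirect value syntax from Microsoft's RDP property reference (`*` for all devices, `-<InstanceId>` to exclude one, values separated by semicolons), that `fUsbRedirectionEnableMode` is the registry value the named GPO writes (verify against your ADMX), and a hypothetical resource group and host pool name in the commented Update-AzWvdHostPool call. Run it elevated on the client with the reader plugged in.

```powershell
# Added example for this thread, not code from the original post or from Microsoft.
# Assumptions: VID/PID 16C0/27DB from the question; usbdevicestoredirect syntax per the
# Microsoft RDP property reference ('*' = all, '-<InstanceId>' = exclude, ';' separates
# values); fUsbRedirectionEnableMode is the value written by the GPO "Allow RDP redirection
# of other supported RemoteFX USB devices from this computer" (verify against your ADMX).
param(
    [string]$VendorId  = '16C0',
    [string]$ProductId = '27DB'
)

# Classes that RDP redirects through its own channels (input, smart card). Nodes in these
# classes are never offered to RemoteFX USB redirection, so no usbdevicestoredirect value
# can affect them.
$HighLevelClasses = @('HIDClass', 'Keyboard', 'Mouse', 'SmartCardReader')

function Get-ReaderNodes {
    # One physical reader usually enumerates as a USB parent node plus one HID child per
    # interface; each node has its own class and instance ID.
    param([string]$VendorId, [string]$ProductId)
    $pattern = "^(USB|HID)\\VID_$VendorId&PID_$ProductId"
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -match $pattern } |
        ForEach-Object {
            $guid = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                        -KeyName 'DEVPKEY_Device_ClassGuid').Data
            [pscustomobject]@{
                InstanceId   = $_.InstanceId
                Class        = $_.Class
                ClassGuid    = $guid
                Name         = $_.FriendlyName
                # Can usbdevicestoredirect govern this node at all?
                Redirectable = ($_.Class -notin $HighLevelClasses)
            }
        }
}

function New-UsbRedirectProperty {
    # Builds 'usbdevicestoredirect:s:*;-USB\VID_...\<instance>' from the instance path(s)
    # Windows reports. The exclusion must be the full instance ID, not a VID/PID prefix.
    param([object[]]$Nodes)
    $excl = $Nodes | Where-Object Redirectable | ForEach-Object { "-$($_.InstanceId)" }
    if (-not $excl) { return $null }
    'usbdevicestoredirect:s:*;' + ($excl -join ';')
}

function Test-ClientUsbRedirectPolicy {
    # Absent = policy not configured (client default); 1 = admins only; 2 = admins and users.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client'
    $v = Get-ItemProperty -Path $key -Name fUsbRedirectionEnableMode -ErrorAction SilentlyContinue
    if ($null -eq $v) { 'not configured' } else { $v.fUsbRedirectionEnableMode }
}

$nodes = Get-ReaderNodes -VendorId $VendorId -ProductId $ProductId
$nodes | Format-Table InstanceId, Class, Redirectable, Name -AutoSize

$blocked = $nodes | Where-Object { -not $_.Redirectable }
if ($blocked) {
    $msg = 'The reader exposes {0} node(s). These go through RDP input/smart-card ' +
           'redirection, not RemoteFX USB, so no usbdevicestoredirect value affects them. ' +
           'A keyboard-emulating reader types the card value into whichever window has ' +
           'focus, remote session included; keep focus in the local authenticator until ' +
           'the scan has been consumed.'
    Write-Warning ($msg -f (($blocked.Class | Sort-Object -Unique) -join ', '))
}

$prop = New-UsbRedirectProperty -Nodes $nodes
if ($prop) {
    "RDP property to apply: $prop"
    "Client policy fUsbRedirectionEnableMode: $(Test-ClientUsbRedirectPolicy)"
    # For AVD the property belongs on the host pool, because the client's .rdp file is
    # generated by the service. Requires Az.DesktopVirtualization; names are placeholders.
    # Update-AzWvdHostPool -ResourceGroupName '<rg>' -Name '<hostpool>' -CustomRdpProperty $prop
}
```

Two caveats when reading the output. A composite device without a USB serial number gets a bus-assigned instance suffix (the `5&...&0&3` style), which changes when the reader is moved to another port, so an exclusion built from it is only stable for that port; a reader that reports a serial number keeps the same instance ID everywhere. And if the table shows only HIDClass or Keyboard nodes, the reader is effectively a keystroke injector: whatever it "types" after a scan lands in the focused window, which is the remote session once msrdc has focus, and that is the behaviour that looks like redirection. The durable fix in that case is the workflow change the answer's bottom line describes: consume the scan locally, then launch the session.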
