🚨AVD Update: Redirection Defaults are Changing!

A notable security-focused change is coming to Azure Virtual Desktop (AVD) that administrators should be aware of. Microsoft has announced that device redirections—such as clipboard, drive, USB, and printer redirection—will soon be disabled by default on all new AVD host pools. This is a significant shift from the current behavior where these redirections are automatically enabled unless explicitly configured otherwise.

What’s Changing?

Currently, when administrators create a new AVD host pool, redirection features like copy-paste, drive mapping, and local printer access are enabled by default. These settings often go unnoticed during deployment, and users enjoy full redirection functionality out of the box.

However, Microsoft is changing the defaults:

  • Clipboard redirection will default to disabled.
  • Drive redirection (including USB drives) will default to disabled.
  • USB redirection will default to disabled.
  • Printer redirection will default to disabled.

📌 Important: Existing host pools will not be impacted. These changes only apply to new host pools created after the update is implemented.

Why the Change?

This update is part of Microsoft’s Secure Future Initiative, a broader effort to make Microsoft services secure by default. By disabling redirection features up front, Microsoft aims to help reduce the attack surface for remote desktop environments and prevent unintentional data leakage between client devices and virtual desktops.

These redirection features, while useful, can introduce risk—especially in regulated industries or sensitive environments. For instance, redirected drives might allow users to move corporate data to unmanaged personal USB drives, or redirected printers could lead to documents being printed in unauthorized locations.

As someone who regularly speaks at events and delivers AVD training, I often remind administrators that default values aren’t always secure. Many deployments leave default redirections enabled, only to discover later that client-side drives are accessible within the session—sometimes unintentionally.

Where to Find and Configure These Settings

To manage redirection settings:

  1. Navigate to your AVD host pool in the Azure portal.
  2. Go to Settings > RDP Properties.
  3. Under Device redirection, you’ll find options for:
    • Clipboard
    • Drive
    • USB
    • Printer

Each of these has an info bubble that links to detailed Microsoft documentation. For example, the redirectclipboard:i:1 setting (currently enabled by default) will change to redirectclipboard:i:0 (disabled by default).

Additionally, there are granular controls available to limit clipboard transfers by direction and data type. This option is configured at the OS level and is not part of the RDP redirection properties.

What Should You Do?

If you rely on these redirection features in your AVD deployments, you’ll need to explicitly enable them in new host pools once this update goes live. This requires updating RDP Properties accordingly.

Now is a good time to:

  • Review your current redirection settings.
  • Document any organizational redirection requirements.
  • Prepare scripts or templates to apply your preferred settings to future host pools.
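
One way to prepare such a script, as an added example that is not from Microsoft or the original post: it audits a host pool's custom RDP property string for the four redirections and merges an explicit baseline into it. The function names, the sample string and the "printers required" baseline are assumptions; the property names other than redirectclipboard come from Microsoft's RDP property reference.

```powershell
# Added example. "Disabled" value for each redirection covered by the new defaults.
$Disabled = [ordered]@{
    redirectclipboard    = 'i:0'
    drivestoredirect     = 's:'
    usbdevicestoredirect = 's:'
    redirectprinters     = 'i:0'
}

# Parse "name:type:value;..." into an ordered map of name -> "type:value".
function ConvertFrom-RdpProperty ([string]$Text) {
    $map = [ordered]@{}
    foreach ($entry in ($Text -split ';')) {
        $parts = $entry.Trim() -split ':', 3   # the value may itself contain ':'
        if ($parts.Count -eq 3) { $map[$parts[0].ToLower()] = "$($parts[1]):$($parts[2])" }
    }
    return $map
}

# Report each redirection as Enabled, Disabled or NotSet (NotSet = platform default applies).
function Get-RedirectionAudit ([string]$Text) {
    $props = ConvertFrom-RdpProperty $Text
    foreach ($name in $Disabled.Keys) {
        $state = 'Enabled'
        if (-not $props.Contains($name)) { $state = 'NotSet' }
        elseif ($props[$name] -eq $Disabled[$name]) { $state = 'Disabled' }
        [pscustomobject]@{ Property = $name; Value = $props[$name]; State = $state }
    }
}

# Overlay the desired values on the existing string, keeping unrelated properties.
function Merge-RdpProperty ([string]$Text, [System.Collections.IDictionary]$Desired) {
    $props = ConvertFrom-RdpProperty $Text
    foreach ($name in $Desired.Keys) { $props[$name.ToLower()] = $Desired[$name] }
    (($props.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value)" }) -join ';') + ';'
}

# Constructed sample of a host pool's custom RDP property string.
$sample = 'audiomode:i:0;redirectclipboard:i:1;drivestoredirect:s:*;videoplaybackmode:i:1;'
Get-RedirectionAudit $sample | Format-Table

# Hypothetical baseline: everything disabled except printers (a documented requirement).
$baseline = [ordered]@{}
foreach ($k in $Disabled.Keys) { $baseline[$k] = $Disabled[$k] }
$baseline['redirectprinters'] = 'i:1'
Merge-RdpProperty $sample $baseline

# Against a real host pool (Az.DesktopVirtualization; '<rg>' and '<pool>' are placeholders):
# $hp = Get-AzWvdHostPool -ResourceGroupName '<rg>' -Name '<pool>'
# Update-AzWvdHostPool -ResourceGroupName '<rg>' -Name '<pool>' `
#     -CustomRdpProperty (Merge-RdpProperty $hp.CustomRdpProperty $baseline)
```

Setting all four properties explicitly, rather than leaving any as NotSet, keeps a host pool's behavior the same regardless of which platform default was in effect when it was created.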

Final Thoughts

This is a welcome change for environments prioritizing security and compliance. While it may add an extra configuration step for admins, it reinforces the principle of least privilege and helps prevent risky default behaviors from being overlooked. Stay tuned for the official release date of this change. In the meantime, make sure your teams are aware and ready to adjust configurations in new host pools.    
