Some highly secure environments require you to prevent all USB devices that users might have connected to their client devices from being redirected to their remote desktops and applications. You can disable USB redirection for all desktop pools, for specific desktop pools, or for specific users in a desktop pool.
Use any of the following strategies, as appropriate for your situation:
- When you install Horizon Agent on a desktop image or RDS host, deselect the USB redirection setup option. (The option is deselected by default.) This approach prevents access to USB devices on all remote desktops and applications that are deployed from the desktop image or RDS host.
- In the console, edit the USB access policy for a specific pool to either deny or allow access. With this approach, you do not have to change the desktop image and can control access to USB devices in specific desktop and application pools.
Only the global USB access policy is available for published desktop and application pools. You cannot set this policy for individual published desktop or application pools.
- In the console, after you set the policy at the desktop or application pool level, you can override the policy for a specific user in the pool by selecting the User Overrides setting and selecting a user.
- Set the Exclude All Devices policy to true, on the Horizon Agent side or on the client side, as appropriate.
- Use Smart Policies to create a policy that disables the USB redirection Horizon Policy setting. With this approach, you can disable USB redirection on a specific remote desktop if certain conditions are met. For example, you can configure a policy that disables USB redirection when users connect to a remote desktop from outside your corporate network.
If you set the Exclude All Devices policy to true, Horizon Client prevents all USB devices from being redirected. You can use other policy settings to allow specific devices or families of devices to be redirected. If you set the policy to false, Horizon Client allows all USB devices to be redirected except those that are blocked by other policy settings. You can set the policy on both Horizon Agent and Horizon Client. The following table shows how the Exclude All Devices policy that you can set for Horizon Agent and Horizon Client combine to produce an effective policy for the client computer. By default, all USB devices are allowed to be redirected unless otherwise blocked.
|Exclude All Devices Policy on Horizon Agent||Exclude All Devices Policy on Horizon Client||Combined Effective Exclude All Devices Policy|
|false or not defined (include all USB devices)||false or not defined (include all USB devices)||Include all USB devices|
|false (include all USB devices)||true (exclude all USB devices)||Exclude all USB devices|
|true (exclude all USB devices)||Any or not defined||Exclude all USB devices|
If you have set Disable Remote Configuration Download policy to true, the value of Exclude All Devices on Horizon Agent is not passed to Horizon Client, but Horizon Agent and Horizon Client enforce the local value of Exclude All Devices.
These policies are included in the Horizon Agent Configuration ADMX template file (vdm_agent.admx). For more information, see "USB Settings in the Horizon Agent Configuration ADMX Template" in Horizon Remote Desktop Features and GPOs.