If you need to redirect a USB device that is not just a mass-storage device, for example a 3D mouse or similar, to your AVD or Windows 365 machines, you will need to enable RemoteFX USB redirection. While the AVD / W365 side is easy to configure in Intune, the client side is not so easy. But let’s start with the AVD / W365 side.
Windows 365 config
To keep this article readable, I will only talk about Windows 365, but for AVD it is basically the same process. The first thing we need to do is create the Intune policy itself:

Give it a name:

And add the needed settings. Note that the setting is phrased as a prohibition: you actually need to set the “Do not allow supported Plug and Play device redirection” policy to “Disabled” in order to enable redirection.

After that, just assign the policy to the CloudPCs of your choice:

And create the policy:

Client side
Now that the “server side” configuration is applied to our Windows 365 Cloud PCs, we need to enable the policy “Allow RDP redirection of other supported RemoteFX USB devices from this computer” on the client device:

There is just one catch: the policy in Intune does not work. The W365 / AVD docs actually state that you have to use a GPO to enable this policy:

So what can we do if we still want to use Intune to enable this policy, e.g. for cloud-native Entra joined devices, where we cannot really use GPOs?
Well, we have two options:
– The first (supported) option is to use a tool that I covered a while ago, LGPO.exe.
– The other (potentially unsupported) option is to set the needed registry keys manually using a PowerShell script.
LGPO.exe
Let’s start with the officially supported option, even though in my opinion it is the slightly more complicated one.
The first thing we need to do is download LGPO.zip from the “Microsoft Security Compliance Toolkit”: LGPO.exe – Local Group Policy Object Utility, v1.0 | Microsoft Community Hub
Next, we need to create an LGPO text file containing the policy we want to configure. The DWORD value 2 corresponds to the policy’s “Administrators and Users” option (1 would restrict redirection to administrators only). The file should contain the following:
; Allow RDP redirection of other supported RemoteFX USB devices from this computer
Computer
Software\Policies\Microsoft\Windows NT\Terminal Services\Client
fUsbRedirectionEnableMode
DWORD:2
Save this text file next to LGPO.exe in a fresh folder and give it a name like “RemoteFX_enable.txt” (the same name is used in the install command line below):

Optionally, if we want to be able to disable the policy again with the same package, we can add a second text file, saved as “RemoteFX_NotConfigured.txt”, which sets the policy back to “Not Configured” by deleting the value:
; Allow RDP redirection of other supported RemoteFX USB devices from this computer
Computer
Software\Policies\Microsoft\Windows NT\Terminal Services\Client
fUsbRedirectionEnableMode
DELETE

Next, we create a Win32 app in Intune containing LGPO.exe and these two text files. For that we first need the Win32 Content Prep Tool (IntuneWinAppUtil.exe) to wrap the folder into an .intunewin file: GitHub – microsoft/Microsoft-Win32-Content-Prep-Tool: A tool to wrap Win32 App and then it can be uploaded to Intune


Now that we have this ready, we can create our “app” in Intune.

Upload our intunewin file:

Give it some metadata about what the “app” will do:

In the Program tab, we need to specify the command lines that should be used. The /t switch applies the LGPO text file, and /e enables the Group Policy client-side extension (CSE) with the given GUID so that the policy is actually processed. Intune runs the command from the extracted app folder, so relative file names work:
Install:
LGPO.exe /t RemoteFX_enable.txt /e {4BCD6CDE-777B-48B6-9804-43568E23545D}
Uninstall:
LGPO.exe /t RemoteFX_NotConfigured.txt /e {4BCD6CDE-777B-48B6-9804-43568E23545D}

Nothing special in the requirements tab:

As the detection rule, I use the policy registry value: key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client, value fUsbRedirectionEnableMode, integer comparison “equals 2”:


No special configuration is needed for Supersedence, Dependencies, etc. The next step is to assign the app to a group of devices and create it:

Registry
You are probably wondering why we don’t just create the registry value for this policy manually if, for whatever reason, the Intune policy does not work. Well, creating the policy value alone does not work either. It turns out that the Terminal Server CSE, which is triggered when the policy is enabled via (L)GPO, does some magic in the background:
So I decided to have a look at what happens when we enable this policy, using Process Monitor, and found that the CSE seems to set a few more registry keys that appear to enable a USB filter driver:

We can actually see this in Device Manager as well: as soon as the policy is enabled, an additional driver file, “TsUsbFlt.sys”, is listed on our USB controller:

Next, I compared a registry snapshot from before and after enabling the policy using a handy little tool called “RegistryChangesView”, which let me determine which registry keys are set and needed to get it working:

Using this information, we can export these settings into a .reg file to apply the keys:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\Client]
"fUsbRedirectionEnableMode"=dword:00000002

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{36fc9e60-c465-11cf-8056-444553540000}]
"UpperFilters"=hex(7):54,00,73,00,55,00,73,00,62,00,46,00,6C,00,74,00,00,00,\
00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TsUsbFlt]
"BootFlags"=dword:00000004

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\usbhub\hubg]
"EnableDiagnosticMode"=dword:80000000
You may have spotted that the UpperFilters value looks a little strange, but this is just how regedit exports the “REG_MULTI_SZ” datatype: the UTF-16 string “TsUsbFlt”, a terminating null, and a second null that ends the list. One caveat: importing this file replaces the whole UpperFilters list on the USB class. If another upper filter is already registered there (some device-control or endpoint security agents install one), it would be dropped, so check the existing value before importing, or append “TsUsbFlt” to the list instead of overwriting it.

I uploaded a sample PowerShell script to GitHub, if you want to test it yourself: Scripts/RemoteFX/RemoteFX USB Registry.ps1 at main · mmeierm/Scripts
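As an added example (this is not the author’s GitHub script and not Microsoft’s code), the following PowerShell script applies the same four registry settings identified above, but merges “TsUsbFlt” into the existing UpperFilters list instead of overwriting it, and checks all four values before touching anything so that it is safe to re-run. It assumes it runs elevated (Intune runs scripts as SYSTEM) in 64-bit PowerShell, and that the filter driver is registered as a system driver with the service name TsUsbFlt, matching the filter entry; the function names are my own.

```powershell
# Added example, not the article's or Microsoft's code: idempotent configuration of the
# registry values the Terminal Server CSE writes for RemoteFX USB redirection.
# Assumptions: elevated 64-bit PowerShell; the filter's service name is 'TsUsbFlt'.

$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client'
$UsbClassKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{36fc9e60-c465-11cf-8056-444553540000}'
$FilterSvcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TsUsbFlt'
$HubKey       = 'HKLM:\SYSTEM\CurrentControlSet\Services\usbhub\hubg'
$FilterName   = 'TsUsbFlt'
# dword:80000000 does not fit a positive Int32; PowerShell reads such a REG_DWORD back as
# [int32]::MinValue, so the same constant is used for writing and for comparing.
$DiagMode     = [int32]::MinValue

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-RemoteFxUsbRedirection {
    # $true only when all four settings from the registry comparison are present.
    if ((Get-RegValue $PolicyKey 'fUsbRedirectionEnableMode') -ne 2) { return $false }
    [string[]]$filters = @(Get-RegValue $UsbClassKey 'UpperFilters')
    if ($filters -notcontains $FilterName)                             { return $false }
    if ((Get-RegValue $FilterSvcKey 'BootFlags') -ne 4)                 { return $false }
    if ((Get-RegValue $HubKey 'EnableDiagnosticMode') -ne $DiagMode)     { return $false }
    return $true
}

function Set-RemoteFxUsbRedirection {
    foreach ($key in $PolicyKey, $FilterSvcKey, $HubKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $PolicyKey -Name 'fUsbRedirectionEnableMode' -Value 2 -Type DWord

    # Merge rather than replace: a .reg import would drop any other upper filter
    # (e.g. from a device-control agent) that is already registered on the USB class.
    [string[]]$filters = @(Get-RegValue $UsbClassKey 'UpperFilters') | Where-Object { $_ }
    if ($filters -notcontains $FilterName) { $filters += $FilterName }
    Set-ItemProperty -Path $UsbClassKey -Name 'UpperFilters' -Value $filters -Type MultiString

    Set-ItemProperty -Path $FilterSvcKey -Name 'BootFlags' -Value 4 -Type DWord
    Set-ItemProperty -Path $HubKey -Name 'EnableDiagnosticMode' -Value $DiagMode -Type DWord
}

function Get-TsUsbFltState {
    # After the reboot the filter should show up as a system driver (the TsUsbFlt.sys
    # seen in Device Manager). Returns 'Running', 'Stopped' or 'NotInstalled'.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$FilterName'"
    if ($null -eq $drv) { return 'NotInstalled' }
    return $drv.State
}

if (Test-RemoteFxUsbRedirection) {
    Write-Output "Registry already configured; $FilterName driver state: $(Get-TsUsbFltState)"
    exit 0
}
Set-RemoteFxUsbRedirection
Write-Output 'Registry updated. A reboot is required before the filter driver loads.'
exit 0
```

Deployed as a Platform script this runs as-is. For Intune Remediations, split the file in two: the detection script keeps the functions and ends with `if (Test-RemoteFxUsbRedirection) { exit 0 } else { exit 1 }`, and the remediation script keeps the functions and just calls `Set-RemoteFxUsbRedirection`. The same Test function also works as a script-based detection rule for the Win32 app from the LGPO section.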

If we want, we can deploy such a script using Intune either as a Remediation or as a Platform script, depending on what you prefer (and what you have licensed :)). I will quickly show it as a Remediation script:

Just give it a name:

And upload our detection and remediation scripts, making sure they run in 64-bit PowerShell: Scripts/RemoteFX at main · mmeierm/Scripts

Assign and create it:


Result
Regardless of the option you choose, after the required reboot of the client device we should now be able to see the USB redirection icon in the connection bar, and I’m able to redirect, for example, my Arduino to flash a demo program on it:
