How to Configure Remote Desktop Disk Redirection on Windows Server 2019

How to Configure Remote Desktop Disk Redirection on Windows Server 2019

Remote Desktop disk redirection allows local drives, removable storage devices, and clipboard file transfers to appear within a Remote Desktop session on Windows Server 2019. When a user connects to an RD Session Host, their local drives (C:, D:, USB drives, etc.) can appear as mapped network drives in the remote session, enabling file access and transfer without the need for shared network folders or email attachments. Disk redirection is controlled through Group Policy, RDP file settings, and RD Session Host configuration.

Understanding Disk Redirection Types

There are several categories of disk-related redirection in Windows Server 2019 RDS. Drive redirection maps local hard drives, optical drives, and removable drives into the remote session. Clipboard redirection allows text, images, and files to be copied and pasted between the local and remote desktop. Plug and Play device redirection enables USB storage devices and other PnP devices to be used in the remote session. Smart card redirection passes through smart card readers for authentication within the session.

Enabling Drive Redirection via Group Policy

Drive redirection policies are configured under Computer Configuration in Group Policy Objects applied to RD Session Host servers, or under User Configuration for per-user settings. The most authoritative settings are under the computer configuration.

# GPO Path: Computer Configuration > Administrative Templates >
# Windows Components > Remote Desktop Services > RD Session Host > 
# Device and Resource Redirection

# Registry equivalents for the key drive redirection policies:
$TSPolicies = "HKLM:SOFTWAREPoliciesMicrosoftWindows NTTerminal Services"

# Allow drive redirection (set to 0 to allow, 1 to disable)
Set-ItemProperty -Path $TSPolicies -Name "fDisableCdm" -Value 0

# The client must also be configured to send drives
# In the RDP client (mstsc.exe), go to Local Resources tab > Local devices and resources > More
# Enable: Drives

Controlling Which Drives Are Redirected

You can control whether all drives, only fixed drives, only removable drives, or no drives are redirected. This is configured per-user in the RDP connection settings or enforced via Group Policy on the RDSH server.

# Disable redirection of specific drive types via Group Policy registry keys
# Disable all drive redirection
Set-ItemProperty -Path $TSPolicies -Name "fDisableCdm" -Value 1

# Disable only removable drive redirection (allow fixed drives)
# This is controlled in the client RDP file:
# drivestoredirect:s:DynamicDrives  -- redirects removable drives only
# drivestoredirect:s:*              -- redirects all drives
# drivestoredirect:s:C:;D:          -- redirects only C: and D:

# Example RDP file snippet for selective drive redirection
$RDPSettings = @"
drivestoredirect:s:C:;D:
redirectclipboard:i:1
redirectcomports:i:0
redirectsmartcards:i:1
"@
$RDPSettings | Out-File "C:RDPFilesselective_drives.rdp" -Append -Encoding ASCII

Disabling Drive Redirection for Security

In high-security environments, drive redirection should be disabled to prevent users from copying sensitive data from the RDS environment to their local machines. Disable it via Group Policy on the RDSH servers.

# Disable all drive redirection via registry (enforced server-side)
$TSPolicies = "HKLM:SOFTWAREPoliciesMicrosoftWindows NTTerminal Services"
Set-ItemProperty -Path $TSPolicies -Name "fDisableCdm" -Value 1

# Disable clipboard file copy (prevent Ctrl+C/Ctrl+V of files between sessions)
Set-ItemProperty -Path $TSPolicies -Name "fDisableClip" -Value 1

# Apply via GPO on the RDSH servers:
# Computer Configuration > Administrative Templates > Windows Components >
# Remote Desktop Services > RD Session Host > Device and Resource Redirection
# "Do not allow drive redirection" = Enabled
# "Do not allow clipboard redirection" = Enabled

Clipboard Redirection Configuration

Clipboard redirection allows users to copy and paste text, images, and files between their local desktop and the remote session. File clipboard redirection — copying files via the clipboard — is a separate setting from text/image clipboard redirection and can be controlled independently.

# Allow clipboard text but disable file transfer via clipboard
# This is done via Group Policy:
# "Restrict clipboard transfer from server to client" 
# "Restrict clipboard transfer from client to server"

# Registry keys for clipboard redirection
# Allow clipboard redirection
Set-ItemProperty -Path $TSPolicies -Name "fDisableClip" -Value 0

# Restrict clipboard to text and images only (no file transfer)
# This requires Group Policy Administrative Templates > 
# Windows Components > Remote Desktop Services > RD Session Host >
# Device and Resource Redirection >
# "Restrict clipboard transfer from server to client" = 1 (text only)

# Via RDP file settings
# redirectclipboard:i:1   = clipboard enabled
# redirectclipboard:i:0   = clipboard disabled

Configuring USB and Plug and Play Device Redirection

USB device redirection in standard RDS uses Plug and Play redirection, which supports specific device classes. Full USB redirection is available with RemoteFX USB redirection for USB devices not covered by PnP class drivers.

# Enable PnP device redirection
Set-ItemProperty -Path $TSPolicies -Name "fDisablePNPRedir" -Value 0

# Enable RemoteFX USB redirection (requires RemoteFX)
Set-ItemProperty -Path $TSPolicies -Name "fUsbRedirectionEnableMode" -Value 2
# Values: 0=disabled, 1=client only, 2=both client and server

# GPO path for RemoteFX USB redirection:
# Computer Configuration > Administrative Templates > Windows Components >
# Remote Desktop Services > RD Session Host > Remote Session Environment >
# RemoteFX USB Device Redirection

# View currently redirected devices in a session
# From inside the RDS session:
# Net use  -- shows redirected drives
# devmgmt.msc -- shows redirected PnP devices

Monitoring Redirected Drives in Sessions

Inside a remote desktop session, redirected local drives appear as mapped drives with labels like “C on CLIENTPC (\tsclientC)” in File Explorer. From the RDSH server’s perspective, these are network-accessible paths under the \tsclient namespace.

# Inside an RDS session - access client drives
# These paths work within the session:
# \tsclientC  -- client's C: drive
# \tsclientD  -- client's D: drive

# Copy a file from the server to the client's desktop (inside the session)
Copy-Item -Path "C:SharedDocsreport.pdf" -Destination "\tsclientCUsersPublicDesktop"

# From the server side, query active drive redirections
# Get session IDs on the local RDSH server
qwinsta /server:localhost

# Then use net use within a session to verify
# This needs to be run inside the session context

Auditing Drive Redirection Activity

For compliance and security auditing, enable Object Access auditing in Local Security Policy or Group Policy to track file access through redirected drives. Events are logged in the Security event log.

# Enable auditing of object access (includes redirected drive access)
# Via auditpol command
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Detailed File Share" /success:enable

# View recent security events related to file access
Get-EventLog -LogName Security -InstanceId 4663 -Newest 50 |
    Where-Object { $_.Message -like "*tsclient*" } |
    Select-Object TimeGenerated, Message | Format-List

Restricting Drive Redirection by User Group

Use per-user Group Policy or Group Policy Preferences with security group targeting to allow drive redirection for some users (e.g., administrators) while restricting it for general users.

# Using Group Policy Preferences with Item Level Targeting:
# User Configuration > Preferences > Windows Settings > Registry
# Create a registry item setting fDisableCdm = 0 or 1
# Set Item Level Targeting to match a specific security group

# Alternatively, use two GPOs:
# GPO1 (applied to all RDSH computers): Disable drive redirection (fDisableCdm=1)
# GPO2 (applied to specific user OU): Enable drive redirection (fDisableCdm=0, higher precedence)

# Check current drive redirection setting on an RDSH server
Get-ItemProperty -Path "HKLM:SOFTWAREPoliciesMicrosoftWindows NTTerminal Services" |
    Select-Object fDisableCdm, fDisableClip, fDisablePNPRedir

Conclusion

Remote Desktop disk redirection on Windows Server 2019 provides flexible options for enabling or restricting user access to local drives within remote sessions. The combination of Group Policy server-side enforcement, RDP file client-side configuration, and per-user targeting allows granular control appropriate for diverse security requirements. In high-security deployments, disabling drive and clipboard redirection prevents data exfiltration while still delivering applications and desktops to users. In standard deployments, selective drive redirection improves user productivity by enabling seamless file access across the local and remote environments.