myquestforLearning asked

How to prevent access to the drives only when users is logging on to the VDI

We need to achieve the following.
User account ABC logs on to the Standard laptop, he should be able to access the C drive
Same User account ABC logs on to the VDI, he should not be able to access the C drive
GPO has the option to prevent access of the drives but I am thinking if I add the User in the restricting C drive access GPOs when he is logging on to the standard laptop, he will not be able to access the drives there as well.
Please suggest.

Tags: remote-desktop-services, windows-group-policy, azure-virtual-desktop

Hi @myquestforLearning

Hope you are doing well.

May I know whether the provided information is helpful? If the reply is helpful, we would greatly appreciate it if you would accept it as answer.

Please let us know if you would like further assistance. Thanks.

Best regards,
Hannah Xiong


Hi @myquestforLearning,

May I know how things are going from your end? Please feel free to post here if there is any question or concern.

Thanks a lot. Wish you a lovely day.

Best regards,
Hannah Xiong

AndreasBaumgarten answered

Hi @myquestforLearning,

It's possible to place the VDI computer objects in a dedicated OU in AD. Link the GPO just to this OU containing the VDI computers.
A second option, if the first option doesn't work for you, is to use Security Group filtering for the GPO.
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo

The linked article describes the way for users. But for computers it's the same way: create an AD group containing the computer objects instead of the user accounts.


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten


Thank you, Andreas.
Let's suppose we are trying to configure the following policies. As both of these are User policies, if we keep the VDI computer objects in a dedicated OU, will it work?
Prevent access to drives from My Computer: User Configuration > Administrative Templates > Windows Components > File Explorer
Remove Task Manager: User Configuration > Administrative Templates > System > Ctrl + Alt + Del Options

My worry is that I don't want to stop standard users from accessing the C drive on normal laptops.


I am thinking of using WMI filtering - to look for model = VMware* and apply the restrictive GPO
Is that a correct approach?

JamesTighe answered

The VDI environment should have a GPO with Loopback Processing applied to the OU hosting the VDI machines. This will enable the VDI machines to apply user settings that have been applied to the Computer object.

Loopback processing can either "Replace" or "Merge".

Setting to Replace will overwrite any User Policies that the user may have scoped and then set the User Policies assigned to the computer object. Merge will merge the two together, keeping the user scoped policies whilst applying the user policies applied to the VDI machine.

This will allow you to have separate user settings for VDI users that will not affect normal laptop/desktop use. These user policies will only apply if the user is logging into a machine in an OU which is affected by a Loopback Policy GPO. This is the standard process for setting standardised permissions on a VDI environment.

Then set the standard Hide these specific drives in My Computer and Prevent access to drives from My Computer as needed.

For reference, are you actually using VDI as in a Virtual Desktop Environment (VMware Horizon etc.) or are you talking about standard VMware VMs?

James
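As an added example (not code from the thread or from any of its participants), the loopback GPO James describes can be built with the GroupPolicy PowerShell module that ships with RSAT. The GPO name, the OU distinguished name and the decision to restrict only the C: drive are assumptions; the registry-backed policy values are the ones the named Administrative Template settings write.

```powershell
# Added example: loopback GPO for a VDI OU, built with the RSAT GroupPolicy module.
# Assumed values: GPO name, OU path and the drive letters to restrict.
Import-Module GroupPolicy

$GpoName = 'VDI - User Restrictions (Loopback)'        # assumed name
$VdiOu   = 'OU=VDI,OU=Computers,DC=corp,DC=example'    # assumed OU holding the VDI computer objects

# "Prevent access to drives from My Computer" (NoViewOnDrive) and "Hide these specified
# drives in My Computer" (NoDrives) are bitmasks: bit 0 = A:, bit 1 = B:, bit 2 = C:, ...
function Get-DriveMask {
    param([Parameter(Mandatory)][string[]]$Drives)
    $mask = 0
    foreach ($d in $Drives) {
        $letter = $d.TrimEnd(':').ToUpper()
        if ($letter -notmatch '^[A-Z]$') { throw "Invalid drive letter: $d" }
        $mask = $mask -bor (1 -shl ([int][char]$letter - [int][char]'A'))
    }
    return $mask
}

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'User restrictions that apply only on VDI hosts' }

# 1. Computer Configuration > Administrative Templates > System > Group Policy >
#    "Configure user Group Policy loopback processing mode": 1 = Merge, 2 = Replace.
#    Merge keeps the user's own GPOs and layers the VDI user settings on top.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 2. User Configuration > Administrative Templates > Windows Components > File Explorer:
#    prevent access to and hide C: only (mask 4).
$driveMask = Get-DriveMask -Drives 'C'
foreach ($valueName in 'NoViewOnDrive', 'NoDrives') {
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
        -ValueName $valueName -Type DWord -Value $driveMask | Out-Null
}

# 3. User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options >
#    "Remove Task Manager".
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableTaskMgr' -Type DWord -Value 1 | Out-Null

# 4. Link only to the VDI OU. Laptops in other OUs never process this GPO, so the same
#    user keeps C: access there.
$alreadyLinked = (Get-GPInheritance -Target $VdiOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $VdiOu -LinkEnabled Yes | Out-Null
}

# Check from a VDI session as the affected user: the GPO should be listed under
# "Applied Group Policy Objects" for the user scope.
#   gpupdate /force
#   gpresult /r /scope:user
```

Because the user settings live in a GPO that is linked to the computer OU and is only consulted through loopback, nothing has to be changed on the user accounts themselves. If Replace mode is chosen instead of Merge, every user GPO the account normally receives is dropped on the VDI host, so test it with a pilot group before widening the OU link.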
HannahXiong-MSFT answered

Hi @myquestforLearning,

Thank you so much for posting here.

  1. To prevent access to the drive, we could configure the setting Prevent access to drives from My Computer under User Configuration > Administrative Templates > Windows Components > File Explorer. As we could see, it is user configuration, so the GPO should be linked to the OU which contains the user accounts.

  2. But as for our requirement, we would like to apply the setting to different computers. That is to say, the dedicated settings should be applied to different computers. Normally the user account is able to access the drive. So the only thing we will do is to prevent access to the C drive when the user is logging on to the VDI.

We could check whether this solution could be helpful.

  1. Create the OU and put the user accounts into this OU. Then create the GPO and link it to the OU. Configure the policy Prevent access to drives from My Computer as needed.

  2. Configure the security filtering. Remove the authenticated users, and add the group (which we want to apply the policy) with Read and Apply permission.
     (screenshot: 113099-image.png)

  3. Besides, please add the security group which contains the VDI computers and grant the Read permission. Then the policy should be only applied to these VDI computers. For example:

     (screenshot: 113114-image.png)

As mentioned, we are thinking of using WMI filtering. According to my experience, yes, it is an approach. We need to create the WMI filters so that the policy could only be applied to VDI machines.

Best regards,
Hannah Xiong
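As an added example (not code from the thread or from Microsoft), steps 2 and 3 of the security-filtering approach above, plus a local check of the WMI query the thread proposes, expressed with the GroupPolicy module. The GPO name, group names and OU path are assumptions; the WMI filter itself is assumed to be created in GPMC under "WMI Filters" with the query shown.

```powershell
# Added example: security filtering for a user-scoped GPO so that it is only readable,
# and therefore only applied, on VDI computers. Names and paths below are assumptions.
Import-Module GroupPolicy

$GpoName      = 'VDI - Prevent access to C drive'   # assumed GPO name
$UserOu       = 'OU=Users,DC=corp,DC=example'       # assumed OU containing the user accounts
$UserGroup    = 'VDI Restricted Users'              # assumed group of users who get the restriction
$VdiComputers = 'VDI Computers'                     # assumed group of VDI computer objects

# Step 1: the GPO, its single setting (NoViewOnDrive bit 2 = C:), and its link to the user OU.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoViewOnDrive' -Type DWord -Value 4 | Out-Null
$linked = (Get-GPInheritance -Target $UserOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $UserOu -LinkEnabled Yes | Out-Null }

# Step 2: drop Authenticated Users from the ACL and grant Read + Apply to the user group only.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null
Set-GPPermission -Name $GpoName -TargetName $UserGroup -TargetType Group -PermissionLevel GpoApply | Out-Null

# Step 3: the VDI computer group gets Read only. Since MS16-072, user policy is retrieved in the
# computer's security context, so a laptop that is not in this group cannot read the GPO and
# the user section never applies there.
Set-GPPermission -Name $GpoName -TargetName $VdiComputers -TargetType Group -PermissionLevel GpoRead | Out-Null

# Review the resulting ACL: expect $UserGroup = GpoApply, $VdiComputers = GpoRead, no Authenticated Users.
function Get-GpoAclSummary {
    param([Parameter(Mandatory)][string]$Name)
    Get-GPPermission -Name $Name -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}
Get-GpoAclSummary -Name $GpoName | Format-Table -AutoSize

# WMI filtering alternative: the thread suggests matching on the computer model. In WQL the
# wildcard operator is LIKE with %, not *. Run the query on a VDI host and on a laptop before
# attaching it to the GPO in GPMC, so the filter is known to select the right machines.
$wql   = 'SELECT * FROM Win32_ComputerSystem WHERE Model LIKE "VMware%"'
$match = Get-CimInstance -Namespace 'root\CIMv2' -Query $wql
if ($match) { "WMI filter matches this host (Model = $($match.Model))" }
else        { 'WMI filter does not match this host' }
```

Either mechanism (security filtering on the computer group, or a WMI filter on the model) keeps the same user account unrestricted on a laptop, but the WMI variant silently stops matching if the VDI platform or its reported model string changes, whereas group membership is explicit and auditable in AD.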
