Troubleshooting Question

Is there a way for users to decide which drives they will redirect into a RemoteApp?

Last Modified: 2020-11-10
Hi experts.

When using standard RDP, users may decide which drives they redirect.
When using RemoteApps hosted on server 2016 or 2019, from a website like https://myts.mydom.com/rdweb I don't see a way for them to decide the same. Do you?

They cannot even modify the .rdp files that deployment creates since those are digitally signed.

Michael B. Smith, Managing Consultant
CERTIFIED EXPERT

Commented:
Nope. A published app defines "exactly" (or pretty darn close) what environment the end-user gets.
CERTIFIED EXPERT
Distinguished Expert 2019

Author

Commented:
Michael, when you visit the landing page of the remoteapp host (https://.../rdweb), you have the choice to use remoteapps or a full session. For the full session, you may select to redirect drives, not which drives, but all or none. For the remoteapps, you don't even have a way to select that. That's very poor design, since even the admin publishing these remoteapps has no way of predefining that.

Since I cannot call this solved if just one person finds the same as me, I will have to use a Microsoft forum now in addition to this. What I want to have at least is be able to offer customers that connect to see the full session with the options they want. [No, they cannot use the mstsc.exe for connecting, since they can only use https, not RDP, to connect to us].
Philip Elder, Technical Architect - HA/Compute/Storage
CERTIFIED EXPERT

Commented:
We don't allow redirected drives from the remote connected system to the RDS Session Hosts. That's just asking for trouble.
Coralon, Senior Citrix Engineer
CERTIFIED EXPERT

Commented:
You can add a startup script to the RDP server with usrlogon.cmd https://www.experts-exchange.com/articles/9235/How-USRLOGON-CMD-processing-works.html
Combine that with a policy to hide drives, and you can control it to a limited extent.  

You would have the script delete the mappings of specific drives that you want to remove, and hide them also in case the user tries to map them again. It's not 100%, and someone knowledgeable enough can work around it, but for most users it is sufficient.

The drive mappings are based on the virtual channel connection - out of the box it connects remote drives or it does not. From a policy perspective you may be able to block by drive type (i.e. network, physical drives, etc.)  (I know you can with Citrix or with VMware).

Coralon
CERTIFIED EXPERT
Distinguished Expert 2019

Author

Commented:
Hi.

@Coralon
I want the users to be able to decide which drives to redirect. It's not about limiting the drives in any way, but about giving them the option to decide which.
Coralon, Senior Citrix Engineer
CERTIFIED EXPERT

Commented:
Ah.. then your only real option would be some sort of script that presents them a list of drives they *could* connect, and popping it up with usrlogon.cmd, and then having it connect.

Coralon
CERTIFIED EXPERT
Distinguished Expert 2019

Author

Commented:
We are not on the same page. With remote apps, all drives are getting connected, no way around. If I wanted to offer them a script, it would need to be a remoteapp for itself and it would need to be able to disconnect anything they don't want to redirect right after they start it. Not good, since they shouldn't get connected in the first place, not even for a second, but at least a start - if it was possible.

Do you know how to disconnect \\tsclient\c using a command?
Philip Elder, Technical Architect - HA/Compute/Storage
CERTIFIED EXPERT

Commented:
No, I guess we are not.

You could put a .BAT on the desktop that they could double click on that had:
Net Use R: \\TSClient\C$

CERTIFIED EXPERT
Distinguished Expert 2019

Author

Commented:
There's no desktop, it's a remoteapp.
Your command takes an already present path and assigns a letter to it. Why would I? I don't want these \\tsclient\x connecting in the first place without user consent.

Seems hard to understand... Start mstsc and you have that option. Start a remoteapp and you don't.
Philip Elder, Technical Architect - HA/Compute/Storage
CERTIFIED EXPERT

Commented:
McKnife, this is a RemoteApp session to our RD Farm:

The first thing I do is open a File/Windows Explorer session via RemoteApp when I start my workday as there's a number of different apps run via RemoteApp.

The above is my Desktop that uses Redirected Folders so that everything on that desktop is also on my workstation desktop.

A .BAT file could be placed there that would allow a user to map their local drive to their RemoteApp session as per my comment above.

The only difference between logging on to a Session Host based desktop and a RemoteApp based desktop is the fact that in the latter the desktop environment gets virtualized.
Coralon, Senior Citrix Engineer
CERTIFIED EXPERT

Commented:
I dug through the group policies again, and it looks like without Citrix or VMware, it's all or nothing as far as drive connections. With Citrix (and I believe VMware) you can configure it to allow access to the drives, but not automatically connect them.  

Coralon

CERTIFIED EXPERT
Distinguished Expert 2019

Author

Commented:
@Philip
I know about the possibility to host file explorer as a remoteapp.
"A .BAT file could be placed there that would allow a user to map their local drive to their RemoteApp session as per my comment above" - no. The clients don't offer SMB ports to the network, their shares cannot be reached.

Ok, here's the long story:

A customer of ours uses these remoteapps. The security policy of our customer is to only allow port 443 outgoing. So what we do is host the remoteapps since these can be reached using 443 only (rdp over https). Ok?
Now after all these years of doing so, our customer's admin finally realized that all the drives are being redirected no matter if they want it or not. They ask us to look for a way to selectively take drives with them, so that only one drive would be "exposed" to our system. Please note that it's no option not to connect any drives since they are exchanging data with us all the time using that redirected drive(s).

If they would allow port 3389 outgoing, they could use standard RDP and select which drives to take with them to the remote machine, but 3389 is a no-go for their policy. They are very strict about this and it will stay 443 only.
It's a dilemma.
Coralon, Senior Citrix Engineer
CERTIFIED EXPERT

Commented:
Understandable, but unfortunately the technology isn't that specific.  There isn't any way to accomplish what they want.  With Citrix, you can specify the drive types, so that any combo of network, local, removable, etc. (any of the WMI drive types) from the client can be connected, or not connected.  VMware has the same capabilities.  
The drive connection capabilities are established during the session negotiation, and RDP only connects or doesn't.. no in between.  The best they can do directly with RDP is allow it and then disconnect the non-desired ones.
You could implement the hide drives & restrict drives policy, but that only affects drives that are connected as mapped drive letters, and only through MS utilities that follow the group policy.  (there are 3rd party utilities that don't follow the GPOs, and they will show & allow access despite the policies).
If they are that concerned, then I'd recommend blocking the drives, and going some other route to get access.  Maybe some sort of dedicated FTP over SSL server with limited access. :-\

Good luck, and I'm definitely curious if some other solution comes up that I'm not aware of :-)

Coralon
Philip Elder, Technical Architect - HA/Compute/Storage
CERTIFIED EXPERT

Commented:
McKnife, we've never had to open any other port on the firewall inbound other than HTTPS/443 to the RD Gateway server.

RDP is a tunnel that all others flow through.

When I first open File Explorer as above Devices and drives shows only the second drive attached to the session host as the C: drive is masked (not blocked) by Group Policy.

I created this .BAT file:
That contains the above command though corrected to:
Net Use R: \\TSClient\C
I had the C$ in the above which is incorrect.

Double click and:
Then, double click on that and:

In conclusion, RDP acts much like a VPN tunnel. The pathway between my local machine here where I'm writing this and our RD Farm is just the RDP tunnel nothing else that runs via HTTPS/443.

I hope that clarifies things?

Everything is encapsulated by RDP. Everything.
CERTIFIED EXPERT
Distinguished Expert 2019

Author

Commented:
Ok, Philip, by writing \\tsclient\c$ (and not \\tsclient\c) before, you led me into believing that you are using a standard share connection and not rdp drive redirection.

I am aware of all that you write apart from the masking part. What policy do you use to mask/hide the redirected drives? (not that I think it will be of much use, since security by obscurity has never been our thing).
Philip Elder, Technical Architect - HA/Compute/Storage
CERTIFIED EXPERT

Commented:
There's a GPO setting to hide or restrict drives.

With redirected folders, restricting access to the C: drive is problematic so new user objects need to be staged in an OU where the restriction does not apply, logged on, and redirection verified before moving over to the production OU.

We use Software Restriction Policies to block *.exe and others in various C:\User locations.
CERTIFIED EXPERT
Distinguished Expert 2019

Author

Commented:
That policy will hide \\tsclient\c and so on? I doubt that, as it is just for drive letters. Did you use that?
Philip Elder, Technical Architect - HA/Compute/Storage
CERTIFIED EXPERT

Commented:
\\TSClient\C is the map back to the local machine connected to the RD environment. No masking there. The GPO applies to local drives that would appear in File/Windows Explorer in the user's context.
CERTIFIED EXPERT
Distinguished Expert 2019

Author

Commented:
Ok. That was a misunderstanding. I thought you were proposing a way to hide the drives \\tsclient\c, \\tsclient\d and later connect a chosen few (or one) of those with net use.

No, then it's not suitable as my goal is not met to offer the customers a choice what to expose to our RDS host.
Philip Elder, Technical Architect - HA/Compute/Storage
CERTIFIED EXPERT

Commented:
10-4.

Beyond the above I'm not aware of something that is able to do so.

Maybe Citrix, FSLogix, or other third party Remote Desktop product may but we're an all native shop here so I can't be sure.
CERTIFIED EXPERT
Distinguished Expert 2019

Author

Commented:
Look, it's as easy as this:
MS has programmed remoteapps that way. I was asking to make sure that I haven't overlooked something obvious.

There is no doubt that it is possible, since with standard rdp client (mstsc) it's possible already for the client to choose what is exposed. Oh well, too bad.
CERTIFIED EXPERT
Distinguished Expert 2019

Author

Commented:
Some progress:
At the server, in the registry below HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms\QuickSessionCollection\Applications\*MyApp*
I see the parameter that is responsible ("drivestoredirect:s:*").

However, I may not edit it there. The change is not respected since this registry key contains a digital signature which will no longer match after editing (as I had feared in the first place).
So: question simply is: how do I create a registry key with modified content and correct signature?
Philip Elder, Technical Architect - HA/Compute/Storage
CERTIFIED EXPERT

Commented:
Try a User based GPO linked and enforced to a test sub-OU to your Users OU. Drop a test user in there.

Configure the needed registry setting in the GPO Prefs/Registry section.

Once edited, have the user account log on. Does it get the drive?

If there are multiple DCs then GPUpdate /Force (we script this via PoSh to hit all DCs starting with the local). Note, we use the GP Central Store to make things seamless as well as far as editing goes.
CERTIFIED EXPERT
Distinguished Expert 2019

Author

Commented:
As said, the settings are signed. I wrote in bold what's left to answer.
CERTIFIED EXPERT
Distinguished Expert 2019

Author

Commented:
Ok, I have created a signed rdp file using RDPsign.exe and I pushed the parameters to the registry. This works, but now the customers are coming with the next requirement: they would like to be the ones who decide what to redirect. So no matter what we configure, they have to trust us at the moment that we do it right and they don't like that.
I will give this a thought. Please wait with comments.
Coralon, Senior Citrix Engineer
CERTIFIED EXPERT

Commented:
Good luck.. I'd love to see the solution you had come up with.  I have other thoughts on this last post, but I'll wait for you. 
CERTIFIED EXPERT
Distinguished Expert 2019

Author

Commented:
Ok, I had a good idea: I set up a WebDAV directory on the same server to simply share .rdp files with them. The RemoteApps are .rdp files, after all, which, when you click on a remoteapp icon, are downloaded to %temp%, executed and immediately deleted. I managed to get hold of one however, and now I can see what it takes to make use of port 443 for RemoteApps and could tune the redirectdrives line and then later could sign it again with RDPsign.exe.

So before this, we offered RemoteApp links they had to trust, now they have a webdav share which they can use to download the rdp files (and verify those, if need be) AND which they may also use as upload and download directory.
If I were at their side, I would be happy. Let me see what they say.
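The two steps the author ends up with (take a captured RemoteApp .rdp file, change its `drivestoredirect:s:` line to only the drives the customer wants exposed, then re-sign it with rdpsign.exe so the signature matches again) as one script. This is an added example, not code from the thread; the template path, output path, drive list and certificate thumbprint are assumptions to replace with your own values.

```powershell
# Added example (not from the thread): rebuild a RemoteApp .rdp file with a
# restricted drive-redirection list and re-sign it with rdpsign.exe.
param(
    [string]$Template   = 'C:\rdp\MyApp-template.rdp',  # assumed: the .rdp captured from %temp%
    [string]$OutFile    = 'C:\rdp\MyApp-customer.rdp',  # assumed: the copy published on the WebDAV share
    [string[]]$Drives   = @('D:'),                      # assumed: only this client drive is exposed to the host
    [string]$Thumbprint = '<SIGNING-CERT-THUMBPRINT>'   # placeholder: hash of the signing certificate
)

# drivestoredirect accepts "*" (all drives, the RemoteApp default), an empty value
# (no drives) or a ';'-separated list such as "D:;E:"; build the list form here.
$value = ($Drives | ForEach-Object { $_.Trim().ToUpper() }) -join ';'

# Read the template, drop the old signature and drive-redirection lines, then
# append our own drivestoredirect line. Editing a signed file in place would
# leave a signature that no longer matches, which is what broke the registry edit.
$lines = Get-Content -Path $Template |
    Where-Object { $_ -notmatch '^(signscope|signature|drivestoredirect):' }
$lines += "drivestoredirect:s:$value"

# .rdp files are normally UTF-16LE; write the result that way.
Set-Content -Path $OutFile -Value $lines -Encoding Unicode

# Sign the rebuilt file with the RD publishing certificate.
& rdpsign.exe /sha256 $Thumbprint $OutFile
if ($LASTEXITCODE -ne 0) { throw "rdpsign.exe failed with exit code $LASTEXITCODE" }

# Sanity check: a signed file carries signscope and signature lines.
$signed = Get-Content -Path $OutFile
if (-not ($signed -match '^signature:s:')) { throw "$OutFile was not signed" }
Write-Host "Signed $OutFile with drivestoredirect:s:$value"
```

The resulting file can be dropped on the WebDAV share; customers who download it can inspect the `drivestoredirect` line before using it, which is the verification the author mentions.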