Printer Redirection – Productivity Booster and Security Gap

I’m sure that a software developer simply built the term “Printer redirection” into a prototype. And because nobody has come up with a better idea, it’s remained to this day.

What’s behind it though? It’s simply a feature to allow printing from a remote desktop to a local printer. Combined with a universal driver on the remote desktop and decent print data compression, this creates the advantage that every user can easily and immediately print to their own printer, even though they might be working on a remote desktop hundreds or thousands of miles away. It would otherwise only be possible to print in home offices or smaller branch offices at considerable expense.

In theory, IT’s dream of having nothing to do with users’ local printers and keeping the remote desktop farm nice and tidy is unfortunately also security’s nightmare. Anyone who has a printer can simply print every document they can access on their own printer at home, for example. No firewall, no VPN, no email scanner, no blacklisting can protect against this.

It’s the well-known struggle of finding a balance between productivity and security. Not every employee has to print when working remotely. The trick is to know ways to switch “Printer redirection” on and off that are easy and as granular as possible. So, let’s have a look at the possibilities.

Deactivate Printer Redirection with the Remote Desktop Gateway Manager

1. On Windows Server 2012 or higher, go to Administrative Tools and open the Remote Desktop Services folder

2. Select the Remote Desktop Gateway Manager

3. Select Connection Authorization Policies

4. Click on the policy RDG_CAP_ALLUsers and open the Device Redirection tab

5. Turn on “Disable device redirection for the following client device types” and check the box “Printers”.

Users’ local printers are no longer created on the remote desktop, and users can no longer print to their own printers. If you want to disable printer redirection for all, this is an easy way. If you want to have it more granular though, it gets complicated.

Deactivating Printer Redirection via Group Policy

1. Open the Group Policy Editor and go to “Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection”.

2. Open the policy setting “Do not allow client printer redirection” and select the option “Enabled”

3. Click OK to save the change and close the window

Group Policies are a standard way to manage users and machines. Configurations are attached to organizational units (OUs) in Active Directory, and the corresponding computers (or users) in the OUs apply the configuration during the next group policy update. If the users who are to print and the users who are not to print have their remote desktops on separate computers, and these separate computers are also separated in AD, this can be used to selectively prevent printer redirection. In reality, however, this is not practical.
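
To verify that the policy has actually reached a session host, the following added example (not part of the original article) reads the registry value that the “Do not allow client printer redirection” setting writes, `fDisableCpm`, and falls back to the RDP-Tcp listener setting when no policy is applied. The function name and output fields are illustrative assumptions, and a Remote Desktop Gateway policy is not reflected in these values.

```powershell
# Added example: report whether client printer redirection is blocked on session hosts.
# Get-PrinterRedirectionState is a hypothetical helper, not a Microsoft cmdlet.
function Get-PrinterRedirectionState {
    [CmdletBinding()]
    param(
        # Remote hosts require PowerShell remoting to be enabled.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $check = {
        # Written by the "Do not allow client printer redirection" policy.
        $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
        # Per-listener setting, used when the policy is "Not Configured".
        $listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

        $policy   = (Get-ItemProperty -Path $policyKey   -Name fDisableCpm -ErrorAction SilentlyContinue).fDisableCpm
        $listener = (Get-ItemProperty -Path $listenerKey -Name fDisableCpm -ErrorAction SilentlyContinue).fDisableCpm

        # A configured policy takes precedence over the listener setting.
        $effective = if ($null -ne $policy) { $policy } else { $listener }
        $source    = if ($null -ne $policy) { 'GroupPolicy' }
                     elseif ($null -ne $listener) { 'Listener' }
                     else { 'Default' }

        [pscustomobject]@{
            Computer           = $env:COMPUTERNAME
            PolicyValue        = $policy      # 1 = Enabled, 0 = Disabled, empty = Not Configured
            ListenerValue      = $listener
            Source             = $source
            RedirectionBlocked = ($effective -eq 1)
        }
    }

    foreach ($computer in $ComputerName) {
        if ($computer -eq $env:COMPUTERNAME) {
            & $check
        } else {
            Invoke-Command -ComputerName $computer -ScriptBlock $check
        }
    }
}

# List hosts on which users can still print to their local printers.
Get-PrinterRedirectionState | Where-Object { -not $_.RedirectionBlocked }
```

Run it after a `gpupdate /force` on the session host; a host that still reports `RedirectionBlocked` as False has not applied the GPO, for example because it sits in the wrong OU.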

Azure Virtual Desktop

1. In the Azure Portal, search for Azure Virtual Desktop

2. Click on “Hostpool” and select the host pool

3. Click on “Properties”, select the “RDP settings” tab and set the printers switch to “Off”.

As with the group policies, you can easily turn printer redirection on and off. Also as with the group policies, this setting refers to the computers hosting the remote desktops and not to the users. So, unless you want to include the need for local printing in your host pool considerations, granularity is a problem.

With ezeep Blue, we’ve given a lot of thought to the trade-off between productivity and security in printing. We realized early on that printing to local printers would be based on user groups rather than machine groups. Here is how easy it is for ezeep Blue users to granularly allow or deny local printing:

1. In the ezeep Blue Admin Portal, click on “Policies”

2. Click on the toggle button in the local printer support section to deactivate or activate local printing for all users.

3. If you want to deactivate local printing for specific users, add these groups to the list.

And there you go, finding the right balance between productivity and security can be that easy. Do you have any questions about using ezeep Blue in your VDI/AVD environment? Then simply drop us a line at [email protected] or learn more on our website about Remote Desktop Printing!