I’m sure that a software developer simply built the term “Printer redirection” into a prototype. And because nobody has come up with a better idea, it’s remained to this day. What’s behind it though? It’s simply a feature to allow printing from a remote desktop to a local printer. Combined with a universal driver on the remote desktop and decent print data compression, this creates the advantage that every user can easily and immediately print to their own printer, even though they might be working on a remote desktop hundreds or thousands of miles away. It would otherwise only be possible to print in home offices or smaller branch offices at considerable expense.
Now, IT’s dream in theory of having nothing to do with users’ local printers and keeping their remote desktop farm nice and tidy is unfortunately also security’s nightmare. Anyone who has a printer can simply print all the documents they can access to their own printer at home for example. No firewall, no VPN, no email scanner, no blacklisting can protect against this.
It’s the well-known struggle of finding a balance between productivity and security. Not every employee has to print when working remotely. The trick is to know easy and as-granular-as-possible ways to switch “Printer redirection” on and off. So, let’s have a look at the possibilities.
1. On a Windows Server 2012 or higher, go to Administrative Tools and open the Remote Desktop Services folder
2. Select the Remote Desktop Gateway Manager
3. Select Connection Authorization Policies
4. Click on the policy RDG_CAP_ALLUsers and open the Device Redirection tab
5. Turn on “Disable device redirection for the following client device types” and check the box “Printers”.
Users’ local printers are no longer created on the remote desktop, and users can no longer print to their own printers. If you want to disable printer redirection for all, this is an easy way. If you want to have it more granular though, it gets complicated.
1. Open the Group Policy Editor and go to “Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection”.
2. Open the policy setting “Do not allow client printer redirection” and select the option “Enabled”
3. Click OK to save the change and close the window
Group Policies are a standard way to manage users and machines. Configurations are attached to organizational units (OUs) in Active Directory, and the corresponding computers (or users) in the OUs apply the configuration during the next group policy update. If the users who are to print and the users who are not to print have their remote desktops on separate computers, and these separate computers are also separated in AD, this can be used to selectively prevent printer redirection. In reality, however, this is not practical.
1. In the Azure Portal, search for Windows Virtual Desktop
2. Click on “Hostpool” and select the host pool
3. Click on “Properties”, select the “RDP settings” tab and set the printers switch to “Off”.
Similar to the group policies you can easily turn printer redirection on and off since the 2020 spring update. Similar to the group policies this setting refers to the computers hosting the remote desktops and not to the users. So, unless you want to include the need for local printing in your host pool considerations, granularity is a problem.
With ezeep for Azure, we’ve given a lot of thought to the trade-off between productivity and security in printing. We realized early on that printing to local printers would be based on user groups rather than machine groups. Here is our way to granularly allow or deny local printing:
1. In the ezeep admin portal, click on “Local Printer Support”
2. Then you click on the + and mark the group(s) whose members are allowed to print to their local printers.
3. Click on “Add Groups”.
And there you go, finding the right balance between productivity and security can be that easy. Do you have any questions? Then simply drop us a line at [email protected]!