READONLY USB and Client Drive Redirection in Horizon 7

One of the features of Horizon 7 is the ability to redirect USB and Client Drives as Read-only.

This is extremely useful for customers who are security conscious and do not want users to modify files on drives or usb devices connected to the endpoint devices from their virtual desktops.

A good example is a customer who is using VDI for Internet Separation. Lets a Govt Agency do not allow internet access on their production network. They may choose to publish Internet Explorer for users for web browsing via VDI or RDS. In such a case, IE browser runs in a totally isolated environment from the production network. Users are not allowed to download files or make modifications to the endpoint devices on the production network. However, they may still want users to upload files to external websites or use data on the endpoint. This can be done redirecting Client Drive and USB devices on the client endpoint to the virtual desktops.

This functionality is achieved by pushing down a group policy as below. Documentation reference.

Preventing Write Access to Shared Folders

To prevent write access to all folders that are shared with the remote desktop, create a new string value named permissions and set its value to any string that begins with r, except for rw.

HKLM\Software\VMware, Inc.\VMware TSDR\permissions=r

USB and Client Drive Redirection without the Policy

The client drives and USB drives are seen as below.

drives shown

Users are able to write/modify files on the Client Drives and USB


USB and Client Drive Redirection with the Policy

Registry setting is modified


Users get an error while trying to write to the drives.

cannot read

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s