
Context-Based Redirections in Azure Virtual Desktop
Microsoft recently announced the public preview of context-based redirections for Azure Virtual Desktop. If you manage AVD environments, especially in organizations that support BYOD or contractor access alongside managed corporate devices, this feature directly addresses a long-standing pain point in AVD security.
Here’s what changed and how it works…
The Problem
Until now, AVD redirection policies, including clipboard, drive, printer, and USB, were configured at the host pool level and applied uniformly to every connection. If you blocked clipboard copy-paste to prevent data exfiltration from unmanaged personal devices, you also blocked it for every compliant, Intune-enrolled corporate laptop connecting to that same host pool.
You could work around this limitation by deploying separate host pools – one for managed devices with relaxed redirection policies and another for BYOD with everything locked down – but this approach essentially doubles your administrative and operational overhead. For organizations that already manage multiple host pools for different use cases, adding additional pools with different redirection settings can get unwieldy pretty quickly.
Fortunately, context-based redirections eliminate the need for this workaround by making redirection behavior dynamic based on the trust level of each connection.
How It Works
The architecture is straightforward and builds on components most organizations already have in place:
- Create a Conditional Access Authentication Context – For example, “Require device to be marked as compliant.” Assign it to a user group and define the conditions under which it’s satisfied.
- Bind the Authentication Context to Host Pool RDP Properties – In the AVD host pool’s Device Redirection tab, instead of a binary enabled/disabled toggle, select “Dynamically configure using authentication context” for each redirection type (clipboard, drive, printer, USB) and map it to the authentication context you created.
- Runtime Evaluation – When a user connects, AVD evaluates whether the device meets the Conditional Access policy. If it does (e.g. the device is Intune-enrolled, compliant, and healthy), the redirection is allowed. If it doesn’t, the redirection is blocked.
The result: One host pool, two behaviors, no client-side configuration required, and no additional session-host management.
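Before consolidating, it helps to know what static redirection profile each existing host pool carries today. The PowerShell below is an added example, not code from the original post or from Microsoft: it reads every host pool’s custom RDP properties, reports the clipboard, drive, printer, and USB settings, and groups pools that share one profile, so that duplicate “BYOD locked-down” pools built under the old workaround stand out as consolidation candidates. It assumes the Az.DesktopVirtualization module is installed and Connect-AzAccount has already been run; the property names redirectclipboard, drivestoredirect, redirectprinters, and usbdevicestoredirect are the standard RDP property names for those four redirection types. It is read-only and does not perform the authentication-context binding, which the post describes as done in the host pool’s Device Redirection tab.

```powershell
# Added example (not from the original post or from Microsoft): inventory the
# static redirection settings of every AVD host pool visible to the signed-in
# account. Assumes Az.DesktopVirtualization is installed and Connect-AzAccount
# has been run. Nothing is modified.

# The four redirection types the post discusses, keyed by RDP property name.
$redirectionKeys = [ordered]@{
    'redirectclipboard'    = 'Clipboard'
    'drivestoredirect'     = 'Drive'
    'redirectprinters'     = 'Printer'
    'usbdevicestoredirect' = 'USB'
}

# Parse "key:type:value;key:type:value;..." into a hashtable of key -> @{Type; Value}.
function ConvertFrom-RdpPropertyString {
    param([string] $PropertyString)
    $parsed = @{}
    foreach ($entry in ($PropertyString -split ';')) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        $parts = $entry -split ':', 3          # a value may itself contain ':', so split at most twice
        if ($parts.Count -lt 3) { continue }   # malformed entry: skip rather than guess
        $parsed[$parts[0].Trim().ToLowerInvariant()] = @{ Type = $parts[1]; Value = $parts[2] }
    }
    return $parsed
}

# Translate one parsed property into Allowed / Blocked / (not set).
# i-type keys use 1/0; s-type keys (drive, USB) use an empty string to block
# and "*" or an explicit list to allow. "(not set)" means the pool default applies.
function Get-RedirectionState {
    param($Property)
    if ($null -eq $Property) { return '(not set)' }
    switch ($Property.Type) {
        'i'     { if ($Property.Value -eq '1') { 'Allowed' } else { 'Blocked' } }
        's'     { if ([string]::IsNullOrEmpty($Property.Value)) { 'Blocked' } else { "Allowed ($($Property.Value))" } }
        default { "Unknown ($($Property.Type):$($Property.Value))" }
    }
}

# One row per host pool with the state of each redirection type.
$profiles = foreach ($pool in Get-AzWvdHostPool) {
    $props = ConvertFrom-RdpPropertyString -PropertyString $pool.CustomRdpProperty
    $row = [ordered]@{ HostPool = $pool.Name }
    foreach ($key in $redirectionKeys.Keys) {
        $row[$redirectionKeys[$key]] = Get-RedirectionState -Property $props[$key]
    }
    [pscustomobject]$row
}

$profiles | Format-Table -AutoSize

# Each distinct profile is one that a single pool could instead express as a
# separate authentication context; pools listed together already match.
$profiles |
    Group-Object Clipboard, Drive, Printer, USB |
    ForEach-Object {
        "Profile [$($_.Name)] used by: $($_.Group.HostPool -join ', ')"
    }
```

Run it once per subscription before you start migrating; the number of distinct profiles in the final listing is roughly the number of authentication contexts you will need to define, and the pools grouped under each profile are the ones that can collapse into a single host pool once redirection is driven by context rather than by pool.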
Why This Matters
A few scenarios that come up regularly in our client engagements:
- Firm staff on corporate-managed devices from the office or home may have full clipboard, drive, printer, and USB redirection enabled
- The same staff on BYOD devices from a hotel or other location may have some restrictions, for example printer and clipboard redirection may be enabled but drive and USB redirection may be blocked
- Contract attorneys or outside counsel on unmanaged devices may have printer redirection only
- Vendors on unmanaged devices may have all redirection blocked
All of this from a single host pool with a single desktop image and a single set of auto-scale rules. That’s a meaningful reduction in operational complexity.
Next Steps and Where to Learn More
For more information, or configuration assistance, please contact your Kraft Kennedy Account Executive, or Jeff Silverman.
And please visit https://learn.microsoft.com/en-us/azure/virtual-desktop/context-based-redirections-avd for further information.