
Manage Windows App redirection settings with Microsoft Intune

You can manage whether local resources such as cameras, microphones, storage, and the clipboard are redirected to a remote session from Azure Virtual Desktop, Windows 365, and Microsoft Dev Box. Requiring local device security compliance is a prerequisite for managing local device redirection settings. For more information, see Require local client device security compliance with Microsoft Intune and Microsoft Entra Conditional Access.

At a high level, you manage redirection settings for Windows App on a client device using Intune app configuration policies. These policies work alongside the Intune app protection policies and Conditional Access policies that were already configured when requiring local client device security compliance. You can use filters to target users and devices based on specific criteria.

Example scenario

Here's an example scenario where users in a group are allowed drive redirection when connecting from their Windows corporate device, but drive redirection is disallowed on their iOS/iPadOS or Android corporate device.

The values you specify in filters and policies depend on your requirements, so you need to determine what's best for your organization.

To achieve this scenario:

  1. Make sure your session hosts and host pools settings, Cloud PCs, or dev boxes are configured to allow drive redirection.

  2. Create two filters:

    1. One for managed apps for managed iOS/iPadOS devices.
    2. One for managed apps for managed Android devices.
  3. Create two app protection policies, one for iOS/iPadOS and one for Android.

  4. Create three app configuration policies:

    1. iOS/iPadOS:
      1. One managed devices policy to identify the enrolled user account and device ID.
      2. One managed apps policy with drive redirection disabled. Assign the filter for iOS/iPadOS created in step 2.
    2. Android: one for managed apps for Android devices with drive redirection disabled. Assign the filter for Android created in step 2.

Prerequisites

Before you can configure redirection settings on a local client device using Intune and Conditional Access, you need:

Create an app configuration policy for iOS/iPadOS managed devices

For iOS/iPadOS devices that are managed only, you need to create an app configuration policy for managed devices for Windows App. This step isn't necessary for Android.

Important

For iOS/iPadOS, extra app configuration settings are required for the Device Management type to be enforced on Intune managed devices. For more information, see Device Management types.

Starting with Intune's September (2409) service release, the IntuneMAMUPN, IntuneMAMOID, and IntuneMAMDeviceID app configuration values are automatically sent to managed applications on Intune enrolled iOS/iPadOS devices for certain apps, including Windows App.

To create and apply an app configuration policy for managed devices, follow the steps in Add app configuration policies for managed iOS/iPadOS devices and use the following settings:

  • On the Basics tab, for targeted app, select Windows App Mobile from the list. You need to have added the app to Intune from the App Store for it to show in this list.

  • On the Settings tab, for the Configuration settings format drop-down list, select Use configuration designer, then enter the following settings exactly as shown:

    | Configuration key | Value type | Configuration value   |
    |-------------------|------------|-----------------------|
    | IntuneMAMUPN      | String     | {{userprincipalname}} |
    | IntuneMAMOID      | String     | {{userid}}            |
    | IntuneMAMDeviceID | String     | {{deviceID}}          |

  • On the Assignments tab, assign the policy to the security group containing the users to apply the policy to. You must apply the policy to a group of users to have the policy take effect. For each group, you can optionally select a filter to be more specific in the app configuration policy targeting.

Create an app configuration policy for managed apps

We recommend you create a separate app configuration policy for managed apps for iOS/iPadOS and Android as app configuration policy capabilities might change over time between the platforms.

Create extra app configuration policies as needed if your device redirection requirements differ between groups of users. For example, block drive redirection for Finance users and block drive and clipboard redirection for Marketing users.

To create and apply an app configuration policy for managed apps, follow the steps in App configuration policies for Intune App SDK managed apps and use the following settings:

  • On the Basics tab, select Select public apps, search for and select Windows App, then select Select. For Android only, if Windows App doesn't yet appear for you, enter Remote Desktop instead. This is due to Intune deployment timing. Both apps use the same package ID com.microsoft.rdc.androidx, so app configuration policies apply to both apps regardless of the app name you see in the Intune console.

  • On the Settings tab, expand General configuration settings, then enter the following name and value pairs for each redirection setting you want to configure exactly as shown. These values correspond to the RDP properties listed on Supported RDP properties, but the syntax is different:

    | Name | Description | Value |
    |------|-------------|-------|
    | audiocapturemode | Indicates whether audio input redirection is enabled. | 0: Audio capture from the local device is disabled. 1: Audio capture from the local device and redirection to an audio application in the remote session is enabled. |
    | camerastoredirect | Determines whether camera redirection is enabled. | 0: Camera redirection is disabled. 1: Camera redirection is enabled. |
    | drivestoredirect | Determines whether disk drive redirection is enabled. | 0: Disk drive redirection is disabled. 1: Disk drive redirection is enabled. |
    | redirectclipboard | Determines whether clipboard redirection is enabled. | 0: Clipboard redirection on local device is disabled in remote session. 1: Clipboard redirection on local device is enabled in remote session. |

    Here's an example of how the settings should look:

    A screenshot showing redirection name and values pairs in Intune.

  • On the Assignments tab, assign the policy to the security group containing the users to apply the policy to. You must apply the policy to a group of users to have the policy take effect. For each group, you can optionally select a filter to be more specific in the app configuration policy targeting.
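
A pre-deployment check for the name and value pairs above, added here as an example and not part of the original page or of Intune. Because the pairs must be entered exactly as shown, it flags misspelled names, values other than 0 or 1, and settings a policy is required to carry. The function name `lint_redirection`, the list-of-pairs input shape, and the sample policies are assumptions made for illustration.

```python
import difflib

# Names and values from the table on this page; both must be entered exactly.
ALLOWED = {
    "audiocapturemode": {"0", "1"},
    "camerastoredirect": {"0", "1"},
    "drivestoredirect": {"0", "1"},
    "redirectclipboard": {"0", "1"},
}

def lint_redirection(settings, required=None):
    """Return findings for a list of {"name": ..., "value": ...} pairs.

    required maps a setting name to the value the policy must carry,
    e.g. {"drivestoredirect": "0"} for the scenario on this page.
    """
    findings, seen = [], {}
    for pair in settings:
        name, value = pair.get("name", ""), str(pair.get("value", ""))
        if name not in ALLOWED:
            # Suggest the intended name for case errors and small typos.
            near = difflib.get_close_matches(
                name.strip().lower(), list(ALLOWED), n=1, cutoff=0.8)
            hint = f"; did you mean {near[0]!r}?" if near else ""
            findings.append(f"unknown name {name!r}{hint}")
            continue
        if name in seen:
            findings.append(f"{name}: set more than once")
        seen[name] = value
        if value not in ALLOWED[name]:
            findings.append(f"{name}: value {value!r} is not 0 or 1")
    # A required setting that is absent or wrong leaves redirection unmanaged.
    for name, want in (required or {}).items():
        if seen.get(name) != want:
            findings.append(
                f"{name}: must be {want}, found {seen.get(name, 'nothing')}")
    return findings

# Constructed sample policies (not exported from a real tenant).
SAMPLE_OK = [{"name": "drivestoredirect", "value": "0"},
             {"name": "redirectclipboard", "value": "1"}]
SAMPLE_BAD = [{"name": "DrivesToRedirect", "value": "0"},       # wrong case
              {"name": "redirectclipboard", "value": "false"}]  # not 0 or 1

if __name__ == "__main__":
    for finding in lint_redirection(SAMPLE_BAD, {"drivestoredirect": "0"}):
        print(finding)
```
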

Verify the configuration

Now that you've configured Intune and Conditional Access to manage device redirection for Windows App, verify that your redirection configuration works as expected by connecting to a remote session. Check from a managed device, an unmanaged device, or both for each platform, depending on the policies you configured.