Information
This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session.
The recommended state for this setting is: Enabled.
Rationale:
In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer.
Impact:
Users in a Remote Desktop Services session will not be able to redirect server data to local (client) LPT ports.
Solution
To establish the recommended configuration, set the following Device Configuration Policy to Enabled:
To access the Device Configuration Policy from the Intune Home page:
Click Devices
Click Configuration profiles
Click Create profile
Select the platform (Windows 10 and later)
Select the profile (Administrative Templates)
Click Create
Enter a Name
Click Next
Configure the following Setting
Path: Computer Configuration\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection
Setting Name: Do not allow LPT port redirection
Configuration: Enabled
Select OK
Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)
Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.
Default Value:
Disabled. (Remote Desktop Services allows LPT port redirection.)