How to prevent access to the drives only when users is logging on to the VDI

Question

We need to achieve the following.
User account ABC logs on to the Standard laptop, he should be able to access the C drive
Same User account ABC logs on to the VDI, he should not be able to access the C drive
GPO has the option to prevent access of the drives but I am thinking if I add the User in the restricting C drive access GPOs when he is logging on to the standard laptop, he will not be able to access the drives there as well.
Please suggest.

Answer 1

Hi @myquestforLearning ,

it's possible to place the VDI computer objects in a dedicated OU in AD. Link the GPO just to this OU containing the VDI computers
A second option, if the first option doesn't work for you is to use Security Group filtering for the GPO.
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo

The linked article describes the way for users. But for computers it's the same way: Create a AD Group containing the computer objects instead of the user accounts.

----------

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

Answer 2

The VDI environment should have a GPO applied with Loopback Processing applied to the OU hosting the VDI machines. This will enable the VDI machines to apply user settings that have been applied to the Computer object.

Loopback processing can either "Replace" or "Merge".

Setting to Replace will overwrite any User Policies that the user may have scoped and then set the User Policies assigned to the computer object. Merge will merge the two together, keeping the user scoped policies whilst applying the user policies applied to the VDI machine.

This will allow you to have separate users setting for VDI users that will not affect normal laptop/desktop use. These user policies will only apply if the user is logging into a machine in an OU which is affected by a Loopback Policy GPO. This is the standard process for setting standardised permissions on a VDI environment.

Then set the standard Hide these specific drives in My Computer and Prevent access to drives from My Computer as needed.

For reference are you actually using VDI as in a Virtual Desktop Environment (VMware Horizon etc) or are you talking about standard VMware VMS?

James

Answer 3

Hi @myquestforLearning ,

Thank you so much for posting here.

1. To prevent access to the drive, we could configure the setting Prevent access to drives from My Computer under User Configuration > Administrative Templates > Windows Components > File Explorer. As we could see, it is user configuration, so the GPO should be linked to the OU which contains the user accounts.
2. But as for our requirement, we would like to apply the setting to different computers. That is to say, the dedicated settings should be applied to different computers. Normally the user account could be able to access the drive. So the only thing we will do is to prevent access to C drive when the user is logging on to the VDI.

We could check whether this solution could be helpful.

1. Create the OU and put the user accounts into this OU. Then create the GPO and link it to the OU. Configure the policy Prevent access to drives from My Computer as needed.
2. Configure the security filtering. Remove the authenticated users, and add the group (which we want to apply the policy) with Read and Apply permission.
   
3. Besides, please add the security group which contains the VDI computers and grant the Read permission. Then the policy should be only applied to these VDI computers. For example:

As mentioned, we are thinking of using WMI filtering. According to my experience, yes, it is an approach. We need to create the WMI filters so that the policy could only be applied to VDI machines.

Best regards,
Hannah Xiong