How To Guy

USB Redirection In VMware Horizon 6.0 With View

How to restrict USB drives while still allowing audio and video to VDI clients.

• By James Brown
• 08/26/2015

VMware Horizon 6.0 with View is an awesome virtual desktop infrastructure (VDI) that expands the use of USB redirection. I've implemented the latest version, and really like the ability to redirect or divide USB devices between the physical client and the virtual desktop.

USB redirection allows a user to have a USB device plugged into the Horizon 6.0 client machine and display the same device on the VMware View virtual desktop (see Figure 1).

VDI users have different requirements. Some need access to their USB drive files, while others need access to USB audio and video. To meet my customers' requirements and keep security compliant, I utilize Active Directory's Group Policies Manager (GPM).

GPM allows you to customize any VDI environment on a user or group level. In addition, I like the ADM templates, and recommend downloading them when you download Horizon 6.0 with View. The templates can be seen here. The ADM templates allow for user and group USB redirection configuration at a granular level. You can also tweak the ADMs to save time needed for other tasks.

The USB devices are designated by Vendor Identification (VID) or Product Identification (PID) codes. The VIDs and PIDs identify the vendor or family of USB devices, so the correct driver can be utilized for the USB redirection process. You can explore the details of using USB devices and policies by downloading this whitepaper.

For my customers, I restrict use of the physical USB storage drives but allow audio and video to their VDI desktops. Once I created the appropriate AD Organizational Unit (OU), I imported the necessary ADM templates into AD. The imported ADM template was then assigned to the appropriate OU with the necessary permissions.

I decided to implement the Group Policy Object (GPO) so that the USB storage device wouldn't appear to all users in the selected desktop pool, while still allowing audio and video capabilities for video conferencing. Let's walk through the implementation procedure.

1. Navigate within the GPM and expand the VMware View Client Configuration and its sub-folder "View USB Configuration" (Figure 3).

2. Open and select Exclude the ExcludeDeviceFamily policy and type o:storage in the policy. Close the policy window. (This setting will block all USB storage devices from being available to the View desktop for the selected desktop pool, for all users).

3. Navigate within the client logs located at DriveLetter:ProgramData\VMware\VDM\logs\ to locate the VID and PID codes for the audio and video USB devices (Figure 4).

4. Open and select Include IncludeVidPId policy and type o:Vid-031e_Pid-5072; Vid-015f_Pid-if37 in the options policy block. Then close the policy window.

5. The final policy implementation, as shown in Figure 5, will disallow all USB storage devices, but allow the specified audio and video devices used for video conferencing.

6. Finally, plug in the appropriate USB device into your VMware Horizon 6.0 client and test the redirection process. Once successfully tested, your USB redirection solution is ready to use.

USB redirection with VMware Horizon 6.0 with View has allowed my customers to conduct their video with audio conferencing as requested. In addition, my VDI environment is more secure by not allowing rogue USB storage devices to connect to a physical client node. Of course, you still need to implement the security measures that apply to vSphere and the guest operating system nodes. You will find various GPO policies that can be combined and configured to any VMware VDI environment.

VMware has a wealth of information to assist you in your VDI planning, architecture, implementation and administration. Once you delve into implementing the more granular VMWare Horizon 6.0 with View GPO ADMs, the more robust, secure and user-friendly your VDI environment will be.