
Allow Windows RDP users to access removable media


I am trying to configure Windows 10 with PowerShell. To enable access to optical drives when logged on via RDP (Remote Desktop Protocol) I use the following code:

    Function EnableMediaBurningDevices {
        Write-Output "Enabling media burning devices..."

        Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "AllocateCDRoms" -Type String -Value "0"
        Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "AllocateDASD" -Type String -Value "1"
    }

This does not work as expected.

Windows 10 1809
Logged on via RDP with my local administrator account

Symptoms:
- Opti Drive Control 1.70 message "No drives found" when starting
- Nero DiscSpeed 12.5.6.0 message "You do not have permissions to burn to physical recorders" when starting
- VirtualBox 6.0.4 error VERR_ACCESS_DENIED when selecting Devices->Optical drives->Host Drive
All this works fine when locally logged on with the same account.

Following this guide:
https://learn.microsoft.com/en-us/windows/desktop/imapi/providing-user-permissions-for-media-burning-devices
I tried to set these two policies:
- Devices: Restrict CD-ROM access to locally logged-on user only = Disabled
- Devices: Allowed to format and eject removable media = Administrators and Power Users
(gpedit.msc, Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options)

These are the registry keys behind it:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, AllocateCDRoms = 0
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, AllocateDASD = 1

None of the symptoms changed. I also tried this with RDP to a Windows 7 machine to no avail. Locally logged on I have access to my CD/DVD/BD burners, remotely I do not.

It would be great if someone could help me to get this to work,
Zweikeks


Solution

  • The solution is to set this group policy (instead of the two in my question):

    # Enable remotely logged-on users to access media burning devices
    Function EnableMediaBurningDevices {
        Write-Output "Enabling media burning devices..."
    
        # -Force required to create nested keys
        # Check if the key already exists, otherwise with -Force all its existing values will be deleted!
        If (!(Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices")) {
            New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices" -Force -ErrorAction SilentlyContinue | Out-Null
        }
        Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices" -Name "AllowRemoteDASD" -Type DWord -Value 1
    }
    

    - All Removable Storage: Allow direct access in remote sessions = Enabled
    (gpedit.msc, Computer Configuration, Administrative Templates, System, Removable Storage Access)

    The associated registry key:
    - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices, AllowRemoteDASD = 1

    /Zweikeks
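
To audit which of these settings are actually in effect on a machine, the following added example (not part of the original post) reads the three registry values named in the question and the solution and compares them with the values given on this page. The function name `Get-RemoteMediaAccessSetting` is hypothetical, and the "Expected" column reflects only the values quoted above.

```powershell
# Added example: report the three registry values discussed on this page.
# Get-RemoteMediaAccessSetting is a hypothetical helper name, not a built-in cmdlet.
Function Get-RemoteMediaAccessSetting {
    $winlogon = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $policy   = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"

    # Policy names and expected values are the ones quoted in the question and the solution.
    $settings = @(
        @{ Path = $winlogon; Name = "AllocateCDRoms";  Expected = "0"
           Policy = "Devices: Restrict CD-ROM access to locally logged-on user only" },
        @{ Path = $winlogon; Name = "AllocateDASD";    Expected = "1"
           Policy = "Devices: Allowed to format and eject removable media" },
        @{ Path = $policy;   Name = "AllowRemoteDASD"; Expected = "1"
           Policy = "All Removable Storage: Allow direct access in remote sessions" }
    )

    ForEach ($s in $settings) {
        $value = $null
        $kind  = $null

        # The policy key may not exist at all on a machine where the policy was never set.
        If (Test-Path $s.Path) {
            $key   = Get-Item -Path $s.Path
            $value = $key.GetValue($s.Name)          # $null when the value is absent
            If ($null -ne $value) {
                $kind = $key.GetValueKind($s.Name)   # String vs. DWord, as set by the scripts above
            }
        }

        $shown = "(not set)"
        If ($null -ne $value) { $shown = "$value" }

        [PSCustomObject]@{
            Policy   = $s.Policy
            Name     = $s.Name
            Value    = $shown
            Type     = $kind
            Expected = $s.Expected
            Matches  = ($shown -eq $s.Expected)
        }
    }
}

# Run in an elevated or normal session; reading these keys does not modify them.
Get-RemoteMediaAccessSetting | Format-Table -AutoSize -Wrap
```

A row with `AllowRemoteDASD` showing `1` means remotely logged-on users have direct access to removable storage on that machine, which is worth recording wherever the policy is enabled.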