Configure clipboard redirection for AVD and W365

I am often involved in setting up remote desktops for developers who need a secure, dedicated environment. Up until now, if the company required that all data stayed strictly on the remote desktop, I was limited to disabling clipboard redirection as a whole (together with other security settings, of course). This forced the developers to work entirely within the AVD host or Windows 365 Cloud PC.

As you can imagine, when you’re coding, you often want to grab a snippet from your local PC, from an existing project, and paste it into the new one you are working on from the Remote Desktop. But with these security measures in place, that simple action was not allowed, making it pretty frustrating for anyone trying to get work done efficiently.

Solution!

Microsoft has now introduced new options for configuring clipboard redirection, offering a more granular approach to managing data transfer between client and server environments. You can now restrict clipboard transfers in either direction at both the device and user levels, with the ability to specify the types of data that can be copied.

This is also a very powerful tool when you allow external contractors to access Azure Virtual Desktop or Windows 365 from unmanaged devices. You can prevent them from copying data to a device over which you have no control.

Update

Microsoft now disables Drive, File and Printer redirection by default on all newly provisioned Host Pools and Cloud PCs. If you want to allow this, make sure to configure the settings explained in this article. Besides Clipboard, make sure to review drive redirection as well to restore the ability to copy/paste files.

Redirection disabled by default

How flexible is it?

Reading the detailed definition of the policy, it states the following:

This policy setting allows you to restrict clipboard data transfers from server to client. If you enable this policy setting, you must choose from the following behaviors:

  • Disable clipboard transfers from server to client.
  • Allow plain text copying from server to client.
  • Allow plain text and images copying from server to client.
  • Allow plain text, images and Rich Text Format copying from server to client.
  • Allow plain text, images, Rich Text Format and HTML copying from server to client.

If you disable or do not configure this policy setting, users can copy arbitrary contents from server to client if clipboard redirection is enabled.

That’s pretty flexible: you now have control over the direction in which clipboard redirection works, and also over the type of content that can travel over the clipboard. If, for example, you have a highly confidential file, you can use this setting to prevent the user from making an external copy of the file while still allowing the clipboard to copy text. This way you can also prevent users from copying malicious files to their Cloud Endpoint.

Specify different redirection options in different directions

Data Security

Although you now have the option to configure advanced clipboard redirection, it’s important to keep in mind that clipboard redirection alone is not sufficient when you are considering your data security strategy.

Limiting file transfers is easy, but a malicious person could still copy/paste the content or take photos of the document with their phone.

Consider clipboard redirection an additional tool you can use but don’t forget to consider things like:

Requirements

It’s a small and cool new feature, but keep the following requirements in mind:

Configuration

As with everything in Windows 365 and Intune, this is super easy to use and set up. You can use Intune and the Settings Catalog to create a Configuration profile.

My goal is to enable clipboard redirection from the client to the host, allowing code copy/paste. However, clipboard redirection from the host to the client will be disabled, preventing users from copying output data back to their physical machine.

Navigate to Intune and create a new Configuration Profile.

The settings we are looking for are located in the Settings Catalog, so make sure to select this as the profile type.

Choose a name and add a description.

Now, choose the desired setting. Clipboard redirection is controlled by separate policies for each copy direction and user/system scope.

To configure this, go to the following path in the settings picker:

Settings Catalog – Administrative Templates – Windows Components – Remote Desktop Session Hosts – Device and Resource Redirection

The Settings Catalog shows the policies to determine the clipboard redirection direction.

In our use case, translating client-to-server terms would look like this:

  • “Restrict from server to client” means preventing data from being copied from the Cloud PC or AVD session host to the external PC.
  • “Restrict from client to server” means preventing data from being copied from the client PC to the Cloud PC or AVD session host.

After selecting one of the options above you have the option to control the Clipboard contents. You can disable clipboard redirection in this direction completely or only allow a specific type of clipboard content.

In my use case I disabled clipboard redirection from server to client, as this was the request from the customer. The other way around was allowed.

Review your settings and define the assignment. Keep in mind to select a user group if you chose to apply the user settings, and a device group if you opted for the device policy.

That’s it!

Allowing the Copying and Pasting of Files

Configuring clipboard redirection in Windows 365 is straightforward, but there’s an important detail many admins overlook: controlling whether users can copy and paste files directly between their local device and their Cloud PC.

Let’s see what Microsoft says about this:

This means, if you want to allow a user to copy and paste files from their client device to their cloud PC, you should create a second configuration profile as well.

As usual, start by creating a new settings catalog profile.

Settings catalog profile

Search for Drive Redirection and select the setting.

Drive redirection

To re-enable file copy and paste between your local device and Cloud PC, ensure that “Do not allow drive redirection” is set to Disabled. This restores the ability to transfer files seamlessly between the two environments.

Make sure the setting is disabled

Configuring this will also restore the ability to navigate to your local drives right from within the Explorer of your Cloud PC.

Navigate drive right from within explorer on your Cloud PC

File transfer over Clipboard Redirection Still not Working?

After enabling Drive and Clipboard redirection, I noticed that transferring files through the clipboard was still not possible. After some investigation, I found out that the issue was caused by two remaining registry keys:

CSClipLevel: Configures clipboard redirection from the client to the Cloud PC or Session Host.
SCClipLevel: Configures clipboard redirection from the Cloud PC or Session Host back to the client.

The leftover registry keys preventing file transfer over clipboard redirection

Removing them AND restarting the Remote Desktop Services service resolves the issue.

To make this easier, I created a remediation script to fix this. Please note that if you use it, you should scope the script only to the Cloud PCs or Session Hosts on which you want to allow this ability.

The script can be found here.

Deploying this script is easy and can be done through Intune.

Create remediation

Give it a name and a description, and upload the script files. Again, don’t forget to allow drive and clipboard redirection in addition to deploying this script.

Give a good name and description

Now select the detection script and the remediation script and make sure to scope it on the device group in the assignment phase. Please note that the script needs to restart the Remote Desktop Services service, which means that once the script hits the Cloud PC it will disconnect the active session.

Deploy the remediation script

This script also assumes that you enabled clipboard redirection and drive redirection through policy. To make things worse, Microsoft pushes back these two registry keys, and once the Cloud Endpoint restarts, file transfer over clipboard redirection will stop working again.
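
The check behind the remediation described above, written as an Intune detection script that also decodes what each direction currently allows. This is an added example, not the author's linked script; the registry key path, the meaning of value data 0 to 4, and the `fDisableClip`/`fDisableCdm` value names are assumptions taken from Microsoft's policy documentation rather than from this page.

```powershell
# Added example: detection script in the Intune remediation format.
# Assumptions: the device-scope policy key and the value names fDisableClip and
# fDisableCdm come from Microsoft's policy documentation, not from this page.
# User-scope policies live in the user's hive and are not checked here.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Value data for CSClipLevel / SCClipLevel, matching the five policy options.
$levels = @{
    0 = 'clipboard transfers disabled'
    1 = 'plain text'
    2 = 'plain text and images'
    3 = 'plain text, images and Rich Text Format'
    4 = 'plain text, images, Rich Text Format and HTML'
}
$directions = [ordered]@{
    CSClipLevel = 'client to Cloud PC / session host'
    SCClipLevel = 'Cloud PC / session host to client'
}

function Get-PolicyValue([string]$Name) {
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Prerequisites: both redirections must be allowed for file copy/paste to work.
foreach ($name in 'fDisableClip', 'fDisableCdm') {
    if ((Get-PolicyValue $name) -eq 1) {
        Write-Output "$name = 1: this redirection is blocked by policy"
    }
}

$restricted = $false
foreach ($name in $directions.Keys) {
    $value = Get-PolicyValue $name
    if ($null -eq $value) {
        Write-Output "$name ($($directions[$name])): not set, no content restriction"
        continue
    }
    $restricted = $true
    $allowed = $levels[[int]$value]
    if (-not $allowed) { $allowed = 'unrecognised level' }
    Write-Output "$name ($($directions[$name])) = $value, allows: $allowed (no files)"
}

# Intune convention: exit 1 reports an issue and triggers the remediation script.
if ($restricted) { exit 1 } else { exit 0 }
```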

Good to know

  • This works for AVD and Windows 365, but also for traditional RDP.
  • Settings are made available in the Intune Settings Catalog but also as ADMX templates for use within GPOs.
  • From a User Experience perspective you will need to manage two different clipboards, which can be confusing.
  • Don’t forget to evaluate Drive Redirection as well if you want to copy and paste files.

One response to “Configure Advanced Clipboard AND Drive Redirection for AVD and Windows 365”

  1. […] an excellent reference for this update is the article by Dieter Kempeneers, Configure Advanced Clipboard AND Drive Redirection for AVD and Windows 365, in which he details not only the default disabling of redirections […]
