Limit Clipboard Transfers in Windows 365

Managing the security and efficiency of remote work environments is increasingly essential, especially with the growing adoption of Windows 365 Cloud PCs. Two key aspects of managing these environments are clipboard transfers and device redirection. These features enhance user productivity but also pose potential security risks if not properly controlled.

Controlling clipboard transfer and data types

Intune provides the ability to restrict clipboard transfers in several ways:

  1. Transfer Direction – You can configure whether users can copy data from their local device to the remote desktop or from the remote desktop to their local device, or allow both directions.
  2. Data Types – Administrators can restrict what kind of data can be copied and pasted, limiting it to text only, or allowing images and files to be transferred.

To configure these settings:

  1. Navigate to Devices > Configuration Profiles > Create Profile.
  2. Choose Windows 10 and later as the platform and pick the Settings Catalog.
  3. Search for Restrict clipboard transfer from server to client and add it to the policy.
  4. Search for Restrict clipboard transfer from client to server and add it to the policy.

There are a few options here:

  • Disable clipboard transfers
  • Allow plain text copying
  • Allow plain text and images
  • Allow plain text, images and Rich Text Format
  • Allow plain text, images, Rich Text Format and HTML

Each of these options is configured separately for each direction, client to server and server to client, where the server is the Windows 365 Cloud PC. Pick the ones that align with your company or security policy.

Configure the settings you need, then assign the policy to your Cloud PCs.

This setting above will deny clipboard transfers in both directions!

Managing Device Redirections in Windows 365 Cloud PCs

Remote Desktop Protocol (RDP) allows users to redirect local peripherals, such as printers, USB drives, and smart cards, to the remote desktop session. This functionality can improve user experience but might introduce security risks, particularly in scenarios where sensitive data can be copied from the Cloud PC to a less secure local device.

Key Device Redirection Policies to Manage:

  • USB Device Redirection: Prevents the redirection of USB storage devices to mitigate data leakage.
  • Printer Redirection: Controls whether users can redirect their local printers to the remote session.

Steps to Manage Device Redirections in Windows 365:

  1. Navigate to Devices > Configuration Profiles > Create Profile.
  2. Choose Windows 10 and later as the platform and pick the Settings Catalog.
  3. Choose the redirection you want to block.
  4. Assign the policy to a group with your targeted Cloud PCs.

Usually we want to block at least drive and Plug and Play redirection, so that bulk transfers can't be made from the Cloud PC and nothing malicious can be brought onto the device.
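
To confirm that the clipboard and redirection policies described above actually reached a Cloud PC, the following added example (not part of the original article) reads the effective values from the registry and reports what each one means. The registry key and the value names `SCClipLevel`, `CSClipLevel`, `fDisableCdm` and `fDisablePNPRedir` do not appear in the article; they are the standard Remote Desktop policy values, and the script assumes the Intune settings are written there.

```powershell
# Added example: report the effective RDP clipboard and redirection policy.
# Run on the Cloud PC after the Intune profile has synced.
# Assumption: values live under the standard Terminal Services policy key.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Meaning of the clipboard level values (same options as listed in the article)
$levels = @{
    0 = 'Disable clipboard transfers'
    1 = 'Allow plain text'
    2 = 'Allow plain text and images'
    3 = 'Allow plain text, images and Rich Text Format'
    4 = 'Allow plain text, images, Rich Text Format and HTML'
}

function Get-PolicyValue {
    param([string]$Name)
    # $null means the value is absent, i.e. the policy was not delivered
    (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
}

$checks = @(
    @{ Name = 'SCClipLevel';      Label = 'Clipboard, server (Cloud PC) to client'; Kind = 'level' }
    @{ Name = 'CSClipLevel';      Label = 'Clipboard, client to server (Cloud PC)'; Kind = 'level' }
    @{ Name = 'fDisableCdm';      Label = 'Drive redirection';                      Kind = 'flag' }
    @{ Name = 'fDisablePNPRedir'; Label = 'Plug and Play device redirection';       Kind = 'flag' }
)

$report = foreach ($c in $checks) {
    $v = Get-PolicyValue $c.Name
    $state = if ($null -eq $v) {
        'Not configured'
    } elseif ($c.Kind -eq 'level') {
        $levels[[int]$v]
    } elseif ([int]$v -eq 1) {
        'Blocked'
    } else {
        'Allowed'
    }
    [pscustomobject]@{ Setting = $c.Label; Value = $v; State = $state }
}

$report | Format-Table -AutoSize

# Warn about settings that are unconfigured or explicitly allowed
$report | Where-Object { $_.State -in 'Not configured', 'Allowed' } |
    ForEach-Object { Write-Warning "$($_.Setting): $($_.State)" }
```

A row showing `Not configured` after a policy sync usually means the profile is not assigned to a group containing that Cloud PC.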

Combining Control of Clipboard and Device Redirections for Enhanced Security

By carefully managing clipboard transfers and RDP device redirections, IT administrators can ensure a more secure and controlled remote desktop environment. Whether you are using Azure Virtual Desktop or Windows 365 Cloud PCs, leveraging tools like Intune provides the flexibility needed to align these settings with your organization’s security policies.

For businesses concerned about data leakage, blocking unnecessary device redirection and clipboard transfers is essential. Administrators can fine-tune these controls to strike a balance between user productivity and data protection.
