Let’s discuss How to Restrict Clipboard Transfer from Client to Server on Remote Desktop Services using Intune. This policy setting controls whether the clipboard can be used to transfer data from the
Remote Desktop session to the client.
In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for the clipboard to transfer data from a Remote Desktop session to a client is rare, so it makes sense to reduce the number of unexpected avenues for malicious activity to occur.
Organizations decide to enable or disable this policy based on a fundamental trade-off between security and user productivity. Data Loss Prevention is the primary reason for to enable this policy. By enabling, restriction prevents users from copying sensitive corporate data (like proprietary source code, internal documents, financial records, or customer PII) from the secure remote environment and pasting it onto an unmanaged or less-secure local device.
This is especially critical when allowing access to the remote desktop environment from unmanaged Bring Your Own Device (BYOD) personal computers. This policy is benefical for end users, administators and organizations.
Table of Contents
How to Restrict Clipboard Transfer from Client to Server on Remote Desktop Services using Intune
For example, A financial services firm uses AVD to provide access to highly confidential trading platforms and customer databases. Users connect from both corporate laptops and, in some cases, personal devices (BYOD) using a remote access solution.
- How to Allow Clipboard History using Intune Settings Catalog
- Intune New Clipboard Transfer Direction Settings Now Available in Windows Settings Catalog
- Clipboard Settings on Windows | Clear Clipboard Data | Group Policy Settings
Configure Policy from Intune Portal
This is an ADMX-backed policy and requires SyncML format for configuration. Sign in to the Microsoft Intune Portal with Credentials. Navigate to Devices > Configuration > + Create > New Policy.
Profile Choosing Step
After that you can choose appropriate platform and profile type. This is necessary step for policy creation and you cannot change profile and platform after creating profile. Here I would like to configure the policy to Windows 10 and later platform and settings catalog profile. Then click on the Create button.
Begin Policy with Basic Tab
Basic Tab is the first tab that helps users to give identity for policy. For this you can add Name and description for the settings you want to select for policy creation. Here is Name is mandatory and description is optional. After adding this click on the Next button.
Configure Restrict Clipboard Transfer from Server to Client Policy
After that you will get Configuration settings tab which helps you to access specific settings. To get the settings click on the +Add settings hyperlink and select specific settings from Settings Picker. Here, I would like to select the settings by browsing by Category. I choose Administrative Templates\Windows Components\Remote Desktop Session Host\Device and Resource Redirection\Restrict clipboard transfer from server to client.
Disable Restrict Clipboard Transfer from Server to Client
If you disable or don’t configure this policy setting, users can copy arbitrary contents from client to server if clipboard redirection is enabled. Click on the Next button.
Enable Restrict Clipboard Transfer from Server to Client
If you enable this policy setting, you must choose from the following behaviors. You can choose any of this option according to your preferences.
| Options |
|---|
| Allow plain text copying from client to server. |
| Allow plain text and images copying from client to server. |
| Allow plain text, images and Rich Text Format copying from client to server. |
| Allow plain text, images, Rich Text Format and HTML copying from client to server. |
Adding Scope Tags
Scope Tag is not a mandatory step for policy creation. But you can add Scope tags for visibility restrictions. Here, I don’t add scope tags for Enterprise IP Range Policy. Click on the Next button.
Selecting Group from the Assignment Tab
To assign the policy to specific groups, you can use the Assignment Tab. Here I click, +Add groups option under Included groups. I choose a group from the list of groups and click on the Select button. Again, I click on the Select button to continue.
Review Policy
This is the Finalize step for policy creation. You can review all the details on this tab and avoid misconfiguration. After verifying all the details, click on the Create Button. After creating the policy, you will get a success message.
Monitoring Status
Device Monitoring Page shows if the Policy is succeeded or Not. Before checking this, you can sync the device on Company Portal for Faster policy deployment. Then Go to Devices > Configuration > Search for the Policy. Here, the policy shows as successful.
Event Viewer Details
It helps you check the client side and verify the policy status. Open the Client device and open the Event Viewer. Go to Start > Event Viewer. Navigate to Logs: In the left pane, go to Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
MDM PolicyManager: Set policy string, Policy: (LimitServerToClientClipboardRedirection), Area:
(RemoteDesktopServices), EnrollmentID requesting merge: (EB427D85-802F-46D9-A3E2-
D5B414587F63), Current User: (Device), String: (), Enrollment Type: (0x6), Scope: (0x0).
Removing the Assigned Group from Restrict Clipboard Transfer from Client to Server Policy Settings
If you want to remove the Assigned group from the policy, it is possible from the Intune Portal. To do this, open the Policy on Intune Portal and edit the Assignments tab and the Remove Policy.
To get more detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.
How to Delete Restrict Clipboard Transfer from Client to Server
You can easily delete the Policy from the Intune Portal. From the Configuration section, you can delete the policy. It will completely remove it from the client devices.
For detailed information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.
Need Further Assistance or Have Technical Questions?
Join the LinkedIn Page and Telegram group to get the step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, Join the WhatsApp Community to get the latest news on Microsoft Technologies. We are there on Reddit as well.
Author
Anoop C Nair has been Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career, etc