Clipboard redirection—the ability to copy and paste between your local PC and a remote session—is convenient, but it can be a massive security risk. We’re going to walk through exactly how to lock this down using Microsoft Intune.
Why Restricting the Clipboard Matters for Security
When you use Remote Desktop Services (RDS) or Azure Virtual Desktop (AVD), you’re letting users access highly sensitive data (like financial records, customer PII, or internal source code) from a secure server.
The clipboard creates an easy avenue for that data to leave.
- Data Loss Prevention (DLP): This is the main reason to set this policy. By restricting the clipboard, you stop users from copying sensitive corporate data from the secure remote session and pasting it onto an unsecured local device (like a personal laptop).
- Reducing Attack Surface: In high-security environments, you want to close every possible hole. Restricting clipboard use removes an easily overlooked channel through which content from the client could otherwise reach the server.
This measure is essential if your organization allows employees to access remote resources from Bring Your Own Device (BYOD) personal computers.
Real-World Scenario: Imagine a financial analyst using AVD to access a database of client information. If they connect from their personal laptop, a simple copy/paste operation could dump thousands of customer records onto an unsecured device. This Intune policy shuts that risk down.
Step-by-Step Guide: Configuring the Intune Policy
We will use the Settings Catalog in Intune, as this is an ADMX-backed policy that manages Windows settings.
1. Start the New Policy
- Log in to the Microsoft Intune Portal.
- Go to Devices > Configuration > + Create > New Policy.
- Set the options:
  - Platform: Windows 10 and later
  - Profile type: Settings catalog
- Click the Create button.
2. Name Your Policy
On the Basics tab, give your policy a clear identity.
- Name: RDS Security - Restrict Clipboard Transfer (Client to Server)
- Description (Optional): This policy limits or prevents copying data from the local client machine into the remote desktop session to enhance security.
- Click Next.
3. Choose the Specific Setting
- Navigate to the Configuration settings tab, then click +Add settings.
- In the Settings Picker, use the search bar or browse by category. You need to find the following path:
Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection
- Select the setting: Restrict clipboard transfer from client to server.
4. Configure the Transfer Behavior
When you enable this policy, you define what is still allowed to be copied from the client PC to the server.
| Option | What it Does | Security Consideration |
| --- | --- | --- |
| Disabled/Not Configured | Allows full client-to-server clipboard transfer if redirection is active. | Lowest Security (Potentially allows malware/scripts onto the server). |
| Enabled | You must choose which formats are allowed. | Highest Security (Recommended). |
If you select Enabled, you’ll see the following list of options. For maximum security, check only the absolute minimum your users require (e.g., just plain text). To block it completely, enable the policy but leave all the checkboxes unchecked.

5. Finalizing the Policy
- Scope Tags: Use these to limit who can see or manage this policy (optional). Click Next.
- Assignments: Click +Add groups to select the security groups that need this restriction applied (e.g., your “All Remote Desktop Users” group). Click Select to confirm. Click Next.
- Review + create: Check all your settings one last time. If everything looks right, click Create. You’ll get a confirmation message!
Monitoring and Maintenance
Checking Deployment Status
After the policy is created, you can track its success:
- Go to Devices > Configuration in the Intune Portal.
- Find and click on your new policy.
- The Device Monitoring Page will show you the status (Success, Error, Conflict). For faster deployment, ask your users to manually sync their device via the Company Portal.
Verifying on a Client Device (Event Viewer)
To confirm the policy is enforced locally:
- Open Event Viewer on a device targeted by the policy.
- Navigate to the following log path:
Application and Services Logs>Microsoft>Windows>DeviceManagement-Enterprise-Diagnostics-Provider>Admin
- Look for an entry from the MDM PolicyManager confirming the policy set for LimitClientToSvrClipboardRedirection (or a similar naming convention in the event details).
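The same check can be done from PowerShell. This is an added example, not part of the original article: it reads the log named above and filters on a loose `ClipboardRedirection` pattern, which is an assumption because the exact setting name in the event text may differ. The function name and the seven-day window are also illustrative.

```powershell
# Added example: search the MDM diagnostics log for clipboard-redirection policy events.
# Run in an elevated PowerShell session on a device targeted by the policy.
function Get-ClipboardPolicyEvent {
    [CmdletBinding()]
    param(
        # Assumption: loose match, because the setting name in the event text can vary.
        [string]$Pattern = 'ClipboardRedirection',
        # Assumption: look back one week; widen this if the policy was assigned earlier.
        [int]$Days = 7
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        StartTime = (Get-Date).AddDays(-$Days)
    }

    try {
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # Get-WinEvent throws when the log is missing or no event falls in the window.
        Write-Warning "Could not read MDM events: $($_.Exception.Message)"
        return
    }

    $events |
        Where-Object { $_.Message -match $Pattern } |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

$hits = @(Get-ClipboardPolicyEvent)
if ($hits.Count -eq 0) {
    Write-Output 'No matching policy events found. Sync the device and check again.'
}
else {
    $hits | Format-Table -AutoSize -Wrap
    # Error-level entries deserve a closer look in Event Viewer.
    $errors = @($hits | Where-Object LevelDisplayName -eq 'Error')
    if ($errors.Count -gt 0) {
        Write-Warning "$($errors.Count) matching event(s) logged at Error level."
    }
}
```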
How to Remove or Delete the Policy
- Remove Group Assignment: If you only need to remove the restriction from one group, open the policy, edit the Assignments tab, and remove the group from the Included groups list.
- Delete Policy Completely: Simply go to the Configuration section, select the policy, and choose Delete. This will fully remove the settings from all targeted client devices.




