Edit

Configure the clipboard transfer direction and types of data that can be copied in Azure Virtual Desktop

  • Article

Important

Configuring the clipboard transfer direction in Azure Virtual Desktop is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Clipboard redirection in Azure Virtual Desktop allows users to copy and paste content, such as text, images, and files between the user's device and the remote session in either direction. You might want to limit the direction of the clipboard for users, to help prevent data exfiltration or malicious files being copied to a session host. You can configure whether users can use the clipboard from session host to client, or client to session host, and the types of data that can be copied, from the following options:

  • Disable clipboard transfers from session host to client, client to session host, or both.
  • Allow plain text only.
  • Allow plain text and images only.
  • Allow plain text, images, and Rich Text Format only.
  • Allow plain text, images, Rich Text Format, and HTML only.

You apply settings to your session hosts. It doesn't depend on a specific Remote Desktop client or its version. This article shows you how to configure the direction the clipboard and the types of data that can be copied using Microsoft Intune, or you can configure the local Group Policy or registry of session hosts.

Prerequisites

To configure the clipboard transfer direction, you need:

  • Session hosts running Windows 11 Insider Preview Build 25898 or the most recent version of Windows Insider Build (Dev Channel). You must join the Windows Insider Program to activate the Dev Channel Preview Build.

  • Host pool RDP properties must allow clipboard redirection, otherwise it will be completely blocked.

  • Depending on the method you use to configure the clipboard transfer direction:

    • For Intune, you need permission to configure and apply settings. For more information, see Administrative template for Azure Virtual Desktop.

    • For configuring the local Group Policy or registry of session hosts, you need an account that is a member of the local Administrators group.

Configure clipboard transfer direction

Here's how to configure the clipboard transfer direction and the types of data that can be copied. Select the relevant tab for your scenario.

To configure the clipboard using Intune, follow these steps. This process deploys an OMA-URI to target a CSP.

  1. Sign in to the Microsoft Intune admin center.

  2. Create a profile with custom settings for Windows 10 and later devices, with the Templates profile type and the Custom profile template name.

  3. For the Basics tab, enter a name and optional description for the profile, and then select Next.

  4. For the Configuration settings tab, select Add to show the Add row pane.

  5. In the Add row pane, enter one of the following sets of settings, depending on whether you want to configure the clipboard from session host to client, or client to session host.

    • To configure the clipboard from session host to client:

      • Name: (example) Session host to client

      • Description: Optional

      • OMA-URI: ./Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitServerToClientClipboardRedirection

      • Data type: String

      • Value: Enter a value from the following table:

        Value Description
        <![CDATA[<enabled/><data id="TS_SC_CLIPBOARD_RESTRICTION_Text" value="0"/>]]> Disable clipboard transfers from session host to client.
        <![CDATA[<enabled/><data id="TS_SC_CLIPBOARD_RESTRICTION_Text" value="1"/>]]> Allow plain text.
        <![CDATA[<enabled/><data id="TS_SC_CLIPBOARD_RESTRICTION_Text" value="2"/>]]> Allow plain text and images.
        <![CDATA[<enabled/><data id="TS_SC_CLIPBOARD_RESTRICTION_Text" value="3"/>]]> Allow plain text, images, and Rich Text Format.
        <![CDATA[<enabled/><data id="TS_SC_CLIPBOARD_RESTRICTION_Text" value="4"/>]]> Allow plain text, images, Rich Text Format, and HTML.

    • To configure the clipboard from client to session host:

      • Name: (example) Client to session host

      • Description: Optional

      • OMA-URI: ./Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitClientToServerClipboardRedirection

      • Data type: String

      • Value: Enter a value from the following table:

        Value Description
        <![CDATA[<enabled/><data id="TS_CS_CLIPBOARD_RESTRICTION" value="0"/>]]> Disable clipboard transfers from session host to client.
        <![CDATA[<enabled/><data id="TS_CS_CLIPBOARD_RESTRICTION" value="1"/>]]> Allow plain text.
        <![CDATA[<enabled/><data id="TS_CS_CLIPBOARD_RESTRICTION" value="2"/>]]> Allow plain text and images.
        <![CDATA[<enabled/><data id="TS_CS_CLIPBOARD_RESTRICTION" value="3"/>]]> Allow plain text, images, and Rich Text Format.
        <![CDATA[<enabled/><data id="TS_CS_CLIPBOARD_RESTRICTION" value="4"/>]]> Allow plain text, images, Rich Text Format, and HTML.

  6. Select Save to add the row. Repeat the previous two steps to configure the clipboard in the other direction, if necessary, then once you configure the settings you want, select Next.

  7. For the Assignments tab, select the users, devices, or groups to receive the profile, then select Next. For more information on assigning profiles, see Assign user and device profiles.

  8. For the Applicability Rules tab, select Next.

  9. On the Review + create tab, review the configuration information, then select Create.

  10. Once the policy configuration is created, resync your session hosts and reboot them for the settings to take effect.

  11. Connect to a remote session with a supported client and test the clipboard settings you configured are working by trying to copy and paste content.

Related content