Configure the clipboard transfer direction and data types that can be copied in Azure Virtual Desktop
Clipboard redirection in Azure Virtual Desktop allows users to copy and paste content, such as text, images, and files, between the user's device and the remote session in either direction. You might want to limit the direction of the clipboard for users, to help prevent data exfiltration or malicious files being copied to a session host. You can configure whether users can use the clipboard from session host to client, or client to session host, and the types of data that can be copied, from the following options:
- Disable clipboard transfers from session host to client, client to session host, or both.
- Allow plain text only.
- Allow plain text and images only.
- Allow plain text, images, and Rich Text Format only.
- Allow plain text, images, Rich Text Format, and HTML only.
You apply these settings to your session hosts. They don't depend on a specific Remote Desktop client or its version. This article shows you how to configure the direction of the clipboard and the types of data that can be copied using Microsoft Intune or Group Policy.
Prerequisites
To configure the clipboard transfer direction, you need:
- Host pool RDP properties must allow clipboard redirection, otherwise it will be completely blocked.
- Your session hosts must be running one of the following operating systems:
  - Windows 11 Enterprise or Enterprise multi-session, version 22H2 or 23H2 with the 2024-06 cumulative update (KB5039212) or later installed.
  - Windows 11 Enterprise or Enterprise multi-session, version 21H2 with the 2024-06 cumulative update (KB5039213) or later installed.
  - Windows Server 2022 with the 2024-07 cumulative update (KB5040437) or later installed.
- Depending on the method you use to configure the clipboard transfer direction:
  - For Intune, you need permission to configure and apply settings. For more information, see Administrative template for Azure Virtual Desktop.
  - For configuring the local Group Policy or registry of session hosts, you need an account that is a member of the local Administrators group.
Configure clipboard transfer direction
Here's how to configure the clipboard transfer direction and the types of data that can be copied.
To configure the clipboard using Intune, follow these steps. This process creates an Intune settings catalog policy.
1. Sign in to the Microsoft Intune admin center.
2. Create or edit a configuration profile for Windows 10 and later devices, with the Settings catalog profile type.
3. In the settings picker, browse to Administrative templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection.
4. Check the box for the following settings, making sure you select the settings with the correct scope for your requirements, then close the settings picker. To determine which scope is correct for your scenario, see Settings catalog - Device scope vs. user scope settings:
   - Device scope settings:
     - Restrict clipboard transfer from server to client
     - Restrict clipboard transfer from client to server
   - User scope settings:
     - Restrict clipboard transfer from server to client (User)
     - Restrict clipboard transfer from client to server (User)
5. Expand the Administrative templates category, then toggle the switch for each setting you added to Enabled.
6. Once each setting is enabled, a drop-down list appears from which you can select the types of data that can be copied. Choose from the following options:
   - Disable clipboard transfers from server to client or Disable clipboard transfers from client to server
   - Allow plain text
   - Allow plain text and images
   - Allow plain text, images, and Rich Text Format
   - Allow plain text, images, Rich Text Format, and HTML
7. Select Next.
8. Optional: On the Scope tags tab, select a scope tag to filter the profile. For more information about scope tags, see Use role-based access control (RBAC) and scope tags for distributed IT.
9. On the Assignments tab, select the group containing the computers providing a remote session you want to configure, then select Next.
10. On the Review + create tab, review the settings, then select Create.
11. Once the policy applies to the computers providing a remote session, restart them for the settings to take effect.
12. Connect to a remote session with a supported client and test that the clipboard settings you configured are working by trying to copy and paste different types of content.
Related content
- Configure Watermarking.
- Configure Screen Capture Protection.
- Learn about how to secure your Azure Virtual Desktop deployment at Security best practices.