Hello Richa,
Blocking file copying from a Windows 365 device (Cloud PC) to a local machine involves leveraging both Microsoft Endpoint Manager (Intune) for endpoint security and Azure AD Conditional Access. Since you mentioned that your device is also managed by SCCM (System Center Configuration Manager) and is a hybrid device, we can integrate these solutions to achieve the desired outcome.
Here's a step-by-step process:
Hybrid Azure AD Join: Ensure that your Windows 365 device is Hybrid Azure AD joined. This provides a way to ensure that the device is recognized in both on-premises Active Directory and Azure AD.
Integrate SCCM with Intune: If you haven’t done this, integrate SCCM with Intune to get a single pane of management (often called "co-management").
Configure Endpoint Security in Intune:
- Open the Microsoft Endpoint Manager admin center.
- Go to Endpoint security > Policy.
- Create a new policy and select Windows 10 and later for the platform.
- For the profile, choose Endpoint protection.
- Configure settings such as 'BitLocker' or 'Microsoft Defender Exploit Guard' as per your requirements.
- Assign this policy to the relevant group that has your Windows 365 devices.
Configure Conditional Access: Conditional Access policies can be utilized to restrict actions based on the conditions you set.
- In the Azure portal, navigate to Azure Active Directory > Security > Conditional Access.
- Create a new policy.
- Under ‘Users and groups’, select users to whom this policy applies.
- Under 'Cloud apps', select 'Windows 365'.
- Under 'Conditions', you can set various parameters like device platform, location, etc.
- Under 'Access controls', in 'Session', select 'Use app enforced restrictions'.
- Then set the controls to restrict file downloads or clipboard actions between the cloud PC and local devices.
- Save the policy.
Windows Information Protection (WIP): WIP is another tool you can use to prevent inadvertent data leaks. It can be configured to protect company data by controlling what users can do with it. For instance, you can allow users to view a work file in a personal app but not modify, copy, or save it in a personal capacity.
- Go to Microsoft Endpoint Manager admin center.
- Navigate to Apps > App protection policies.
- Create a policy for Windows 10 and configure it as per your needs.
- Assign this policy to relevant user groups.
Regular Auditing and Review: Periodically review and audit the device configuration, Conditional Access policies, and user behaviors to ensure compliance and make necessary adjustments based on emerging threats and changes in business requirements.
After setting up the above, make sure to test the policies on a subset of users or devices before rolling them out organization-wide. This helps in ensuring that business operations aren't accidentally disrupted and that the policy works as intended.
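As an added example (not code from the original answer), the script below creates the Conditional Access policy from the "Configure Conditional Access" step through the Microsoft Graph PowerShell SDK, in report-only state so it can be piloted on one group as the closing advice suggests. The pilot group and policy names are placeholders; it assumes the Microsoft.Graph module is installed, the signed-in admin can write Conditional Access policies, and the tenant's Windows 365 service principal is displayed as 'Windows 365'.

```powershell
# Added example, not part of the original answer. Builds the step-4 Conditional
# Access policy (Windows 365 app, 'Use app enforced restrictions' session control)
# for a pilot group, in report-only mode so nothing is enforced until reviewed.
# Group and policy names below are placeholders for this example.
$PilotGroupName = 'W365-CopyBlock-Pilot'
$PolicyName     = 'W365 - App enforced restrictions (pilot, report-only)'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'Group.Read.All'

# Resolve the Windows 365 cloud app and the pilot group by display name instead of
# hard-coding object IDs (assumes the service principal is named 'Windows 365').
$w365 = Get-MgServicePrincipal -Filter "displayName eq 'Windows 365'" | Select-Object -First 1
if (-not $w365) { throw "Windows 365 service principal not found in this tenant" }

$pilot = Get-MgGroup -Filter "displayName eq '$PilotGroupName'" | Select-Object -First 1
if (-not $pilot) { throw "Pilot group '$PilotGroupName' not found" }

$params = @{
    displayName = $PolicyName
    # Report-only: sign-in logs record what the policy would have done; no user is affected yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($pilot.Id) }
        applications   = @{ includeApplications = @($w365.AppId) }
        clientAppTypes = @('all')
    }
    sessionControls = @{
        # The 'Use app enforced restrictions' session control from the answer's step.
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
"Created policy $($policy.Id) in state $($policy.State)"

# Before changing the state to 'enabled', check the Report-only tab in the
# sign-in logs (filtered on this policy name) to see who would have been affected.
```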