How should I block file copying from a Windows 365 device to a local machine?

Richa Kumari 286 Reputation points
2023-10-17T04:33:23.7633333+00:00

Hello,

How should I block file copying from a Windows 365 device to a local machine? These Windows 365 devices are also managed by SCCM and are hybrid domain-joined devices.

Thanks
Richa


2 answers

  1. Ali AlEnezi 1,051 Reputation points
    2023-10-17T04:42:46.3833333+00:00

    Hello Richa,

    Blocking file copying from a Windows 365 device (Cloud PC) to a local machine involves leveraging both Microsoft Endpoint Manager (Intune) for endpoint security and Azure AD Conditional Access. Since you mentioned that your device is also managed by SCCM (System Center Configuration Manager) and is a hybrid device, we can integrate these solutions to achieve the desired outcome.

    Here's a step-by-step process:

    Hybrid Azure AD Join: Ensure that your Windows 365 device is Hybrid Azure AD joined. This provides a way to ensure that the device is recognized in both on-premises Active Directory and Azure AD.

    Integrate SCCM with Intune: If you haven’t done this, integrate SCCM with Intune to get a single pane of management (often called "co-management").

    Configure Endpoint Security in Intune:

    • Open the Microsoft Endpoint Manager admin center.
    • Go to Endpoint security > Policy.
    • Create a new policy and select Windows 10 and later for the platform.
    • For the profile, choose Endpoint protection.
    • Configure settings such as 'BitLocker' or 'Microsoft Defender Exploit Guard' as per your requirements.
    • Assign this policy to the relevant group that has your Windows 365 devices.

    Configure Conditional Access: Conditional Access policies can be utilized to restrict actions based on the conditions you set.

    • In the Azure portal, navigate to Azure Active Directory > Security > Conditional Access.
    • Create a new policy.
    • Under ‘Users and groups’, select users to whom this policy applies.
    • Under 'Cloud apps', select 'Windows 365'.
    • Under 'Conditions', you can set various parameters like device platform, location, etc.
    • Under 'Access controls', in 'Session', select 'Use app enforced restrictions'.
    • Then set the controls to restrict file downloads or clipboard actions between the cloud PC and local devices.
    • Save the policy.

    Windows Information Protection (WIP): WIP is another tool you can use to prevent inadvertent data leaks. It can be configured to protect company data by controlling what users can do with it. For instance, you can allow users to view a work file in a personal app but not modify, copy, or save it in a personal capacity.

    • Go to Microsoft Endpoint Manager admin center.
    • Navigate to Apps > App protection policies.
    • Create a policy for Windows 10 and configure it as per your needs.
    • Assign this policy to relevant user groups.

    Regular Auditing and Review: Periodically review and audit the device configuration, Conditional Access policies, and user behaviors to ensure compliance and make necessary adjustments based on emerging threats and changes in business requirements.

    After setting up the above, make sure to test the policies on a subset of users or devices before rolling them out organization-wide. This helps in ensuring that business operations aren't accidentally disrupted and that the policy works as intended.


  2. Crystal-MSFT 43,996 Reputation points Microsoft Vendor
    2023-10-17T05:42:45.13+00:00

    @Richa Kumari, Thanks for posting in Q&A. To block file copying from a Windows 365 device to a local machine, you can disable clipboard and drive redirection. This will prevent users from copying and pasting information from their Cloud PCs to other unmanaged locations and saving files to their personal devices from Cloud PCs.

    https://learn.microsoft.com/en-us/windows-365/enterprise/manage-rdp-device-redirections#rdp-device-redirection-settings

    Since the Windows 365 device is managed by SCCM and is a domain-joined hybrid device, you can control which service will manage which areas of Windows by toggling workloads. For more information, see Co-management workloads.

    Hope the above information can help.


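After the redirection policy described in the two answers above (Intune settings catalog or co-managed configuration) has been deployed, the next thing a defender wants is proof that it actually landed on the Cloud PC. The PowerShell audit below is an added example, not code from this thread or from Microsoft; it assumes the standard Remote Desktop Session Host "Device and Resource Redirection" policy values under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` and is meant to be run on the Cloud PC itself.

```powershell
# Added example (not from the original thread): audit the Remote Desktop
# device-redirection policies on a Windows 365 Cloud PC and flag any that
# still allow data to leave the session. Registry path and value names are
# the standard "Remote Desktop Session Host > Device and Resource Redirection"
# policy values (assumed here); a value of 1 means "Do not allow ..." is on.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Registry value name -> the redirection it controls.
$redirections = [ordered]@{
    fDisableClip     = 'Clipboard redirection'
    fDisableCdm      = 'Drive redirection'
    fDisableCpm      = 'Printer redirection'
    fDisableCcm      = 'COM port redirection'
    fDisableLPT      = 'LPT port redirection'
    fDisablePNPRedir = 'Plug and Play device redirection'
}

function Get-RedirectionState {
    param([string]$Key = $policyKey)
    # Missing key or value means the policy was never applied (default: allowed).
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $redirections.Keys) {
        $raw = if ($null -ne $props) { $props.$name } else { $null }
        [pscustomobject]@{
            Redirection = $redirections[$name]
            PolicyValue = $name
            Configured  = ($null -ne $raw)
            Blocked     = ($raw -eq 1)
        }
    }
}

$state = Get-RedirectionState
$state | Format-Table -AutoSize

# The thread is about clipboard and drive redirection: fail loudly if either
# is still allowed so the check can be used as a compliance/detection script.
$mustBlock = $state | Where-Object {
    $_.PolicyValue -in 'fDisableClip', 'fDisableCdm' -and -not $_.Blocked
}
if ($mustBlock) {
    Write-Warning ('Not blocked on this Cloud PC: ' + ($mustBlock.Redirection -join ', '))
    exit 1
}
Write-Output 'Clipboard and drive redirection are blocked by policy.'
```

Run it under an elevated session after a policy sync; the non-zero exit code makes it usable as an Intune custom compliance or proactive remediation detection script.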