Context-based Redirections (Preview)

Context-based redirection enables organizations to control redirection behavior based on user and session conditions. By using authentication context, admins can define when specific client capabilities should be allowed or restricted based on factors such as user role, device compliance, or network location. This helps ensure that sensitive data is only accessible when the session meets the required level of trust.

Setting up context-based redirection involves the following high-level steps:

  1. Create a Conditional Access (CA) policy with an authentication context and assign it to a user group.

  2. Configure any required device compliance or configuration policies, typically assigned to a device group.

  3. Create a Windows 365 Remote Connection Experience policy in Intune to map the authentication context to specific redirections and assign it to a device group (Cloud PCs).

  4. Validate the behavior from the end-user perspective by connecting to a targeted Cloud PC or virtual machine.

You can apply authentication context to control the following redirections:

  • Clipboard

  • Drive

  • Printer

  • USB

Note

Context-based redirections (Preview) will be supported in the Windows App on Windows, Web browsers, Android, iOS/iPadOS, and macOS for full desktop sessions. It's currently only supported on Windows 365 Enterprise and Flex (dedicated).

Set targeted redirections to be "enabled" or "not configured"

Note

If you use a recent gallery image to test your Cloud PC or have existing policies in your environment that affect redirections, please change these prior to testing, since the most restrictive policy wins. Therefore, you'll need to set the redirections you want to test to be "not configured" or "enabled" for context-based redirection to work properly.

  1. Log into Intune.

  2. Navigate to Devices > Manage devices > Configuration.

  3. Press Create > New Policy.

  4. In Platform, select Windows 10 and later.

  5. Under Profile type, select Settings catalog and then press Create.

  6. In Basics, input the name and description.

  7. In Configuration settings, select +Add settings.

    1. To manage printer redirection settings, search for Printer Redirection, select the resulting category, and select the settings you want to manage.

    2. To manage other redirection settings, search for Device and Resource Redirection, select the resulting category, and select the settings you want to manage.

  8. Ensure that the configurations are toggled to Disabled.

  9. On the Scope tags page, select any desired scope tags to apply, then select Next.

  10. In Assignments, select the users or groups that you want to receive the redirection policy, then select Next.

  11. In Review + create, select Create.

For more information, see Manage device RDP redirections for Cloud PCs on Microsoft Learn.

Admin workflow to author Conditional Access policies

  1. In Intune, navigate to Devices > Manage devices > Conditional Access > Authentication contexts.

  2. Press New authentication context.

  3. Enter the name and description of the new authentication context.

  4. Select the Publish to apps checkmark and then select a variable from the ID dropdown.

  5. Press Save.

  6. While in Conditional Access, navigate to Policies on the sidebar.

  7. Press New Policy and select the following configurations to create a new Conditional Access policy for managed, compliant devices:

    1. Input the name of this new Conditional Access policy.

    2. In User or agents, select All users under Include.

    3. In Target resources, click on the dropdown under Select what this policy applies to and select Authentication context.

    4. Under Select the authentication contexts this policy will apply to, click on the authentication context you want to use.

    5. In Grant, select Grant access, select the Require device to be marked as compliant checkbox, and then press Select.

    6. Toggle the Enable policy to On.

    7. Select Create.
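To confirm the result of the workflow above from an export instead of the portal, the following added example (not Microsoft's code) checks authentication contexts and Conditional Access policies in the JSON shape Microsoft Graph returns for them. The sample data, the IDs `c1` and `c2`, and the function names are constructed for illustration, and only built-in grant controls are considered.

```python
import json

# Constructed sample in the shape Microsoft Graph returns; not a real tenant export.
CONTEXTS = json.loads("""[
  {"id": "c1", "displayName": "Cloud PC redirection", "isAvailable": true},
  {"id": "c2", "displayName": "Unpublished draft", "isAvailable": false}]""")
POLICIES = json.loads("""[
  {"displayName": "Redirection - compliant device", "state": "enabled",
   "conditions": {"applications": {"includeAuthenticationContextClassReferences": ["c1"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
  {"displayName": "Report-only copy", "state": "enabledForReportingButNotEnforced",
   "conditions": {"applications": {"includeAuthenticationContextClassReferences": ["c2"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}}]""")


def targets(policy, context_id):
    """True when the policy's target resource is this authentication context."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    return context_id in (apps.get("includeAuthenticationContextClassReferences") or [])


def requires_compliance(policy):
    """True only when a compliant device is mandatory, not one option among several."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "compliantDevice" not in controls:
        return False
    return len(controls) == 1 or grant.get("operator") == "AND"


def check_context(context_id, contexts=CONTEXTS, policies=POLICIES):
    """Return findings for one authentication context ID; an empty list means OK."""
    ctx = next((c for c in contexts if c.get("id") == context_id), None)
    if ctx is None:
        return [f"{context_id}: authentication context does not exist"]
    findings = []
    if not ctx.get("isAvailable"):  # the "Publish to apps" checkmark
        findings.append(f"{context_id}: not published to apps")
    enforcing = [p for p in policies
                 if targets(p, context_id) and p.get("state") == "enabled"]
    if not enforcing:  # report-only or disabled policies do not enforce anything
        findings.append(f"{context_id}: no enabled policy targets it")
    for p in enforcing:
        if not requires_compliance(p):
            findings.append(f"{context_id}: '{p.get('displayName')}' does not force compliance")
    return findings


if __name__ == "__main__":
    for cid in ("c1", "c2", "c3"):
        print(cid, check_context(cid) or "OK")
```
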

Admin workflow to set authentication context for Windows 365 Settings

After creating your Conditional Access policy with an authentication context, you must configure a Windows 365 Remote Connection Experience policy in Intune to apply that authentication context to specific redirections. This connects your Conditional Access configuration to the actual redirection behavior experienced in the Cloud PC session.

Note

Make sure to assign this Windows 365 Remote Connection Experience policy to device groups (Cloud PCs), not user groups. Context-based redirection is enforced at the device level, so assigning the policy to users won’t apply the expected redirection behavior.

  1. In Intune, navigate to Devices > Manage Windows 365 Cloud PCs > Cloud PC Settings.

  2. Press Create > Remote Connection Experience (preview).

  3. In Basics, enter the name and description of the setting.

  4. In Configuration settings > Device redirections, navigate to the targeted redirection and select Authentication context: Context-based redirection.

  5. In the newly appeared Entra Authentication context configuration, select the authentication context you want to use.

  6. On the Scope tags page, select any desired scope tags to apply, then select Next.

  7. In Assignments, press Add groups and select the device group(s) you want to receive the redirection policy, then select Next.

  8. In Review + create, select Create.

Validate context-based redirection behavior

To validate that context-based redirection is working as expected, test connections from devices with different trust levels and confirm the correct redirection behavior is applied.

  1. Connect to the targeted Windows 365 Cloud PC from a managed, compliant device that satisfies the Conditional Access policy requirements.

    • Verify that the configured redirections are available within the remote session.

  2. Connect to the same Windows 365 Cloud PC from a bring-your-own-device (BYOD) or noncompliant device that doesn’t satisfy the Conditional Access policy requirements.

    • Verify that the configured redirections are restricted or unavailable within the remote session.

If the expected behavior doesn’t occur, review:

  • The Conditional Access policy assignment and authentication context configuration.

  • Device compliance status in Microsoft Entra ID/Intune.

  • The Windows 365 Remote Connection Experience policy assignment.

  • Any existing redirection policies that may override the configured behavior.

You can validate individual redirections by following the testing guidance in each redirection’s respective Microsoft Learn documentation:

  1. Clipboard redirection: Verify whether copy and paste work between the local device and remote session.

  2. Drive redirection: Review Configure fixed, removable, and network drive redirection over the Remote Desktop Protocol.

  3. Printer redirection: Review Configure printer redirection over the Remote Desktop Protocol.

  4. USB redirection: Review Configure USB redirection on Windows over the Remote Desktop Protocol.