Configure the Clipboard Transfer direction in Azure Virtual Desktop (Preview) with Ansible

In March 2024, another security feature of Azure Virtual Desktop was released for preview. This is the Clipboard Transfer Direction. Today I will discuss this in detail and show you how you can deploy it in AVD images or session hosts with the help of Ansible.

What is Clipboard Transfer Direction?

Clipboard redirection in Azure Virtual Desktop enables users to conveniently copy and paste content between their local device and the remote session. However, in certain situations, it may be necessary to restrict the clipboard’s direction to mitigate risks such as data exfiltration or the transfer of malicious files to a session host. You can configure users to only utilize the clipboard for copying data either from the session host to the client or vice versa, and also specify the types of data they are permitted to copy.

Can you please explain this more technically?

Clipboard redirection in Azure Virtual Desktop enables users to easily copy and paste various content, including text, images, and files, between their local device and the remote session bidirectionally. However, to enhance security measures and mitigate risks such as data exfiltration or the transfer of malicious files, it may be necessary to restrict clipboard functionality for users.

You have the flexibility to manage clipboard access by configuring the direction of clipboard transfers and specifying the types of data allowed. The available options include:

  • Disabling clipboard transfers from the session host to the client, the client to the session host, or both.
  • Allowing plain text only.
  • Allowing plain text and images only.
  • Allowing plain text, images, and Rich Text Format (RTF) only.
  • Allowing plain text, images, Rich Text Format (RTF), and HTML.

These settings are applied to session hosts universally and are not dependent on any specific Remote Desktop client or its version.

To configure clipboard settings and data types, you can use Microsoft Intune or Ansible for centralized management, or local Group Policy or registry settings on session hosts. This article covers configuring clipboard direction and permitted data types with Ansible.

Prerequisites

To set up the clipboard transfer direction, you’ll need:

Session hosts operating on Windows 11 Insider Preview Build 25898 or the latest version from the Windows Insider Build (Dev Channel). Joining the Windows Insider Program is necessary to activate the Dev Channel Preview Build.

The RDP properties of the host pool must permit clipboard redirection; otherwise, it will be completely blocked.

Depending on the method chosen to configure the clipboard transfer direction:

a. For Intune, you require permissions to configure and apply settings. For further details, refer to the Administrative Template for Azure Virtual Desktop.

b. To configure the local Group Policy or registry of session hosts, you need an account that belongs to the local Administrators group.

c. For Ansible, you need to open firewall port 5985 (WinRM over HTTP) on the session host or the AVD image.

Concept:

To configure the clipboard from session host to client, set one of the following registry keys and its value. Using the value for the machine applies to all users, and using the value for the user applies to the current user only.

  • Key:
    • Machine: HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services
    • Users: HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services
  • Type: REG_DWORD
  • Value name: SCClipLevel

You can change the direction behavior by setting the value data (the "# Value data" field in the code below) according to this table.

Value Data   Description
0            Disable clipboard transfers from session host to client.
1            Allow plain text.
2            Allow plain text and images.
3            Allow plain text, images, and Rich Text Format.
4            Allow plain text, images, Rich Text Format, and HTML.

The above table is for configuring transfers from session host to client.

To configure the clipboard from client to session host, set one of the following registry keys and its value. Using the value for the machine applies to all users, and using the value for the user applies to the current user only.

  • Key:
    • Machine: HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services
    • Users: HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services
  • Type: REG_DWORD
  • Value name: CSClipLevel

Value Data   Description
0            Disable clipboard transfers from client to session host.
1            Allow plain text.
2            Allow plain text and images.
3            Allow plain text, images, and Rich Text Format.
4            Allow plain text, images, Rich Text Format, and HTML.

The above table is for configuring transfers from client to session host.

How do I create an Ansible Playbook to achieve this task?

Let’s see the Ansible Code, which you need to use in the playbook.


- name: Add Clipboard Redirection in AVD Image
  hosts: windows
  gather_facts: no
  tasks:
    # Prints the two policy paths for reference; it does not read the registry.
    - name: Debug - Print registry paths before modification
      debug:
        msg: "Registry path for machine: {{ item }}"
      loop:
        - "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services"
        - "HKCU\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services"

    # HKLM applies the setting to all users of the session host.
    - name: Set SCClipLevel registry key for machine
      win_regedit:
        path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
        name: SCClipLevel
        data: 0 # Value data
        type: dword

    # HKCU resolves to the hive of the account Ansible connects as,
    # not to every user who signs in to the session host.
    - name: Set SCClipLevel registry key for users
      win_regedit:
        path: HKCU:\Software\Policies\Microsoft\Windows NT\Terminal Services
        name: SCClipLevel
        data: 0 # Value data
        type: dword

    - name: Debug - Print registry paths after modification
      debug:
        msg: "Registry path for machine: {{ item }}"
      loop:
        - "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services"
        - "HKCU\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services"

Once you configure the playbook, save it as add_clipboard_redirection.yaml (you can of course use any other name). Run the playbook with the command below.

ansible-playbook add_clipboard_redirection.yaml -i /etc/ansible/hosts -l windows

Once you run the pipeline, the changes are applied to the AVD image or the session host, as you can see in the output below.

In the Microsoft documentation, you can find how to do the same with Intune and GPO, but by following this article you can easily configure this security feature with Ansible and apply it in your DevOps pipeline.

Please note that once the changes are made, you need to restart your session host; otherwise, the settings will not take effect.
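A fuller variant of the playbook above, added here as an example and not taken from the original article: it sets both SCClipLevel and CSClipLevel under HKLM, reads the values back from the registry, and restarts the host only when a value actually changed. The variable names (ts_policy_key, clip_levels) and the chosen levels are assumptions for illustration.

```yaml
# Added example, not the article's own playbook. Variable names and the
# levels chosen below are illustrative assumptions.
- name: Restrict AVD clipboard direction machine-wide and verify
  hosts: windows
  gather_facts: false
  vars:
    ts_policy_key: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
    clip_levels:
      SCClipLevel: 0   # session host -> client: disabled
      CSClipLevel: 1   # client -> session host: plain text only
  tasks:
    - name: Reject values outside the documented 0-4 range
      ansible.builtin.assert:
        that:
          - item.value in [0, 1, 2, 3, 4]
        fail_msg: "{{ item.key }} must be 0-4, got {{ item.value }}"
      loop: "{{ clip_levels | dict2items }}"

    - name: Set clipboard policy values (HKLM applies to all users)
      ansible.windows.win_regedit:
        path: "{{ ts_policy_key }}"
        name: "{{ item.key }}"
        data: "{{ item.value }}"
        type: dword
      loop: "{{ clip_levels | dict2items }}"
      register: clip_policy

    - name: Read the values back from the registry
      ansible.windows.win_reg_stat:
        path: "{{ ts_policy_key }}"
        name: "{{ item.key }}"
      loop: "{{ clip_levels | dict2items }}"
      register: clip_readback

    - name: Fail if a value is missing or differs from the requested level
      ansible.builtin.assert:
        that:
          - item['exists']
          - item['value'] | int == item['item']['value']
        fail_msg: "{{ item['item']['key'] }} was not applied as requested"
      loop: "{{ clip_readback.results }}"
      loop_control:
        label: "{{ item['item']['key'] }}"

    - name: Restart the session host so the new policy takes effect
      ansible.windows.win_reboot:
      when: clip_policy is changed
```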

How to test?

You can connect to a remote session with a supported client and test that the clipboard settings you configured are working by trying to copy and paste content.

That’s all for today, I hope you will like this article. You have a good day ahead.
