Windows 365 Clipboard Copy Pasta

Back in June 2025, Microsoft announced that it would enhance Windows 365 security by disabling clipboard and other redirects by default. Depending on your environment, you might need to undo this change. I'm gonna go over my trial and error of controlling these settings via Intune after spending months with a useless non-Premier Microsoft Support case with a bunch of AI slop troubleshooting by the support team. I turned to my own AI slop, which gave me a hint to actually search for something else to get my own fleet with a working copy and paste again.

If you only need text/image/file copy and paste back (the default also blocked printer redirect and plug-and-play devices, which we won't cover). These are all you need. Settings catalog, search for Device and Resource Redirection, add Do not allow Clipboard redirection and Do not allow drive redirection as Disabled. The drive redirection is for copy and pasting files, clipboard for text/images/rich text/HTML.

Settings catalog for Do not allow Clipboard redirectioni and Do not allow drive redirection set to Disabled

However, if you're like me and messed around with the other 4 settings about limiting the content of what can be copied and pasted, you might be stuck with it disabled altogether. When you enable one of these 4 settings (Restrict clipboard transfer to and from server/client), you get a choice of gradual control on what type of content can be copied and pasted; it ranges from nothing can be copied and pasted to just plain text to images and rich text. In these settings, server refers to the Windows 365 device, and client is the device you're connecting from (or host machine).

Restrict clipboard transfer from server to client/client to server, for both device and user

In my initial testing, I had played around with these settings and had learned since that if any of these were previously set, the registry remains and won't be unset, which we know is how GPO has always worked. What I didn't know was that if any of these 4 settings were set to deny copy/paste, deny takes precedence regardless of Device vs User setting. That is to say, denying always wins, great for security, but doesn't follow other types of Device vs User settings - confusing!

The other issue with having had these enabled is that putting it back to disable does not bring back the ability to copy and paste, regardless of your setting in "Do not allow clipboard redirection". It leaves the setting written in the registry, so you have to clear them out via other means (or leave them enabled with the highest allowed setting, disable just tells Intune not to set them anymore).

These are the 4 registry keys related to these 4 settings should you choose to just get rid of these settings completely from your Intune policies. Thanks to the hint from AI making me look under HKCU Terminal Services and it giving me the wrong answer about what SCClipLevel is. Thanks to this blog for showing me what the settings actually are and what they mean after searching for SCClipLevel.

Path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
Values: SCClipLevel (Server to Client) and CSClipLevel (Client to Server)

Path: HKCU:\Software\Policies\Microsoft\Windows NT\Terminal Services
Values: SCClipLevel (Server to Client) and CSClipLevel (Client to Server)

These keys are not documented on any Microsoft website, so big thanks to the community for translating these settings.

Delete those keys with the deployment tool of your choice.

A quick reference of how to delete it with PowerShell: Remove-ItemProperty -Path $registryPath -Name $valueName