- Windows 11 taskbar: remove chat icon, customize search field with Group Policy - Tue, Oct 3 2023
- Allow non-admins to access Remote Desktop - Thu, Sep 28 2023
- Which WSUS products to select for Windows 11? - Tue, Sep 26 2023
A multilevel clipboard that can hold many objects is a big step forward compared to the simple version, in which each new entry overwrites the old one. With the key combination Win + V, you can display the list of all stored data and paste it with a mouse click into the application that currently has the focus.
Inserting content from the clipboard history into an application
However, this convenience can also be used for unwanted purposes. Since entries can be permanently pinned to the clipboard, users might store passwords there so they can directly paste them into applications. Such a "password manager" is obviously a security risk.
The clipboard becomes even more of a problem when users synchronize copied content with other devices via the cloud. In this way, sensitive data can easily leak out of the company.
Interactive configuration
The cloud clipboard and its functions can be configured in the settings app under System > Clipboard. By activating Clipboard history, you can allow multiple items to be stored on the clipboard. However, it is not possible to disable pinning entries.
Configuration of the multilevel clipboard in the Settings app
In addition, synchronization with other devices can be activated here, and you can delete the current content from there.
Management via Group Policy
These two settings from the app can also be controlled centrally via group policies and thus cannot be changed by users. They can be found under Computer Configuration > Policies > Administrative Templates > System > Operating System Policies.
With Allow Clipboard History, you can determine whether users are able to save multiple entries or the clipboard should behave the traditional way.
Group policies for clipboard control
Allow clipboard synchronization across devices: By disabling this setting, you can block the cloud feature.
With Windows 11 2022, another setting was added that affects the behavior of the clipboard for Remote Desktop. If you enable the redirection of the clipboard from the remote session to the client in the RDP client, then copied elements will not be transferred to the local cloud clipboard by default.
You can change this using Disable Cloud Clipboard integration for server-to-client data transfer, located under Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client. By disabling the policy, you allow clipboard data exchange between the session host and the client device.
Manage copying of data from a remote session to the local cloud clipboard
Management via PowerShell
In version 5.0, PowerShell received two cmdlets for accessing the clipboard: Get-Clipboard and Set-Clipboard. They also work with the cloud clipboard but are not able to change the two settings described.
In addition, Get-Clipboard can only read the last entry from history. Set-Clipboard at least manages to append new items without deleting the entire history.
If you still want to customize the two settings for the cloud clipboard via PowerShell, you can do so by writing the corresponding keys in the registry. These are of type DWORD and are called AllowClipboardHistory and AllowCrossDeviceClipboard, respectively:
New-ItemProperty -Name AllowClipboardHistory -Value 0 -PropertyType DWORD ` -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
The configuration of AllowCrossDeviceClipboard follows the same pattern. A value of 0 disables the respective feature.
Summary
The convenience of an extended clipboard is offset by risks from unwanted usage. Synchronization to other devices via the cloud can lead to data leaks.
The group policies therefore offer two settings that can be used to disable both features and reduce the clipboard to classic behavior. An option that controls data exchange for Remote Desktop was recently added.
Subscribe to 4sysops newsletter!
PowerShell currently does not offer cmdlets tailored to the new clipboard. The two settings mentioned can only be configured by directly modifying the registry.
Considering the increasing security threats, it is a very useful setting. I would love to have a setting to automatically clear the clipboard after certain duration to prevent information leakage through clipboard hijacking.