In Windows 10 1809, Microsoft introduced a clipboard with multiple entries and added the ability to sync its contents among several devices. This cloud clipboard poses certain security risks, such as data leakage. However, it can be restricted by using Group Policy.

A multilevel clipboard that can hold many objects is a big step forward compared to the simple version, in which each new entry overwrites the old one. With the key combination Win + V, you can display the list of all stored data and paste it with a mouse click into the application that currently has the focus.

Inserting content from the clipboard history into an application

Inserting content from the clipboard history into an application

However, this convenience can also be used for unwanted purposes. Since entries can be permanently pinned to the clipboard, users might store passwords there so they can directly paste them into applications. Such a "password manager" is obviously a security risk.

The clipboard becomes even more of a problem when users synchronize copied content with other devices via the cloud. In this way, sensitive data can easily leak out of the company.

Interactive configuration

The cloud clipboard and its functions can be configured in the settings app under System > Clipboard. By activating Clipboard history, you can allow multiple items to be stored on the clipboard. However, it is not possible to disable pinning entries.

Configuration of the multilevel clipboard in the Settings app

Configuration of the multilevel clipboard in the Settings app

In addition, synchronization with other devices can be activated here, and you can delete the current content from there.

Management via Group Policy

These two settings from the app can also be controlled centrally via group policies and thus cannot be changed by users. They can be found under Computer Configuration > Policies > Administrative Templates > System > Operating System Policies.

With Allow Clipboard History, you can determine whether users are able to save multiple entries or the clipboard should behave the traditional way.

Group policies for clipboard control

Group policies for clipboard control

Allow clipboard synchronization across devices: By disabling this setting, you can block the cloud feature.

With Windows 11 2022, another setting was added that affects the behavior of the clipboard for Remote Desktop. If you enable the redirection of the clipboard from the remote session to the client in the RDP client, then copied elements will not be transferred to the local cloud clipboard by default.

You can change this using Disable Cloud Clipboard integration for server-to-client data transfer, located under Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client. By disabling the policy, you allow clipboard data exchange between the session host and the client device.

Manage copying of data from a remote session to the local cloud clipboard

Manage copying of data from a remote session to the local cloud clipboard

Management via PowerShell

In version 5.0, PowerShell received two cmdlets for accessing the clipboard: Get-Clipboard and Set-Clipboard. They also work with the cloud clipboard but are not able to change the two settings described.

In addition, Get-Clipboard can only read the last entry from history. Set-Clipboard at least manages to append new items without deleting the entire history.

If you still want to customize the two settings for the cloud clipboard via PowerShell, you can do so by writing the corresponding keys in the registry. These are of type DWORD and are called AllowClipboardHistory and AllowCrossDeviceClipboard, respectively:

New-ItemProperty -Name AllowClipboardHistory -Value 0 -PropertyType DWORD `
-Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\System

The configuration of AllowCrossDeviceClipboard follows the same pattern. A value of 0 disables the respective feature.

Summary

The convenience of an extended clipboard is offset by risks from unwanted usage. Synchronization to other devices via the cloud can lead to data leaks.

The group policies therefore offer two settings that can be used to disable both features and reduce the clipboard to classic behavior. An option that controls data exchange for Remote Desktop was recently added.

Subscribe to 4sysops newsletter!

PowerShell currently does not offer cmdlets tailored to the new clipboard. The two settings mentioned can only be configured by directly modifying the registry.

avataravatar
1 Comment
  1. Considering the increasing security threats, it is a very useful setting. I would love to have a setting to automatically clear the clipboard after certain duration to prevent information leakage through clipboard hijacking.

Leave a reply

Please enclose code in pre tags

Your email address will not be published.

*

© 4sysops 2006 - 2023

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account