The most direct and efficient method to control session behavior, such as device redirection for an entire Azure Virtual Desktop (AVD) host pool, is by modifying its Remote Desktop Protocol (RDP) properties. By setting the redirectclipboard:i:0 and drivestoredirect:s: properties at the host pool level, you can disable clipboard and drive redirection for all user sessions connecting to that pool. This centralized approach is the simplest way to enforce the policy and directly meets the requirement to prevent file copying with minimal administrative effort.

B. Create a Conditional Access policy in Azure Active Directory (Azure AD).

Conditional Access policies control access to the AVD service based on user, device, or location conditions; they do not manage in-session RDP settings like device redirection.

C. Create a compliance policy in Intune.

Intune compliance policies are used to evaluate if a device meets certain health and security standards (e.g., encryption, OS version), not to configure RDP session settings.

D. Create a configuration profile in Intune.

While technically possible to configure these settings on session hosts via an Intune profile, modifying the host pool's RDP properties is a more direct, native AVD function that requires fewer steps, thus better satisfying the "minimize administrative effort" constraint.

1. Microsoft Learn | Azure Virtual Desktop documentation. "Supported RDP properties for Azure Virtual Desktop." This document explicitly lists redirectclipboard and drivestoredirect as configurable RDP properties for a host pool to control clipboard and drive redirection

respectively. This directly supports option A.

Section: Customize RDP properties for a host pool.

Details: The article states

"To disable clipboard redirection

use redirectclipboard:i:0." and "To disable drive redirection

leave the drivestoredirect property blank."

2. Microsoft Learn | Azure Virtual Desktop documentation. "Customize Remote Desktop Protocol (RDP) properties for a host pool." This guide provides the step-by-step procedure for modifying these properties in the Azure portal

demonstrating it is a simple

centralized administrative action.

Section: "Customize RDP properties with the Azure portal."

Details: The steps show how to navigate to the host pool's RDP Properties tab and enter the custom RDP settings

confirming the low administrative effort.

3. Microsoft Learn | Intune documentation. "Use the settings catalog to configure settings on Windows

iOS/iPadOS and macOS devices." This document explains how to use Intune configuration profiles. While it shows that RDP settings can be configured

the process involves creating a profile

selecting settings from the catalog

and assigning it to a device group

which is a more involved process than modifying a single property field in the AVD host pool settings.

Section: "Create the profile."

Details: The procedure outlines multiple steps

which contrasts with the simpler method in option A.

4. Microsoft Learn | Azure Active Directory documentation. "What is Conditional Access?" This document clarifies that Conditional Access is a tool for making access decisions to resources and does not extend to configuring the behavior within an application session like AVD.

Section: "Common signals."

Details: The documentation focuses on signals like user

location

and device for granting or blocking access

not for in-session configuration.