diff --git a/src/assets/images/changelog/access/rdp-clipboard-controls.png b/src/assets/images/changelog/access/rdp-clipboard-controls.png
new file mode 100644
index 00000000000000..80ac84fb6a5d49
Binary files /dev/null and b/src/assets/images/changelog/access/rdp-clipboard-controls.png differ
diff --git a/src/content/changelog/access/2026-03-01-rdp-clipboard-controls.mdx b/src/content/changelog/access/2026-03-01-rdp-clipboard-controls.mdx
new file mode 100644
index 00000000000000..24fc3bed9f8614
--- /dev/null
+++ b/src/content/changelog/access/2026-03-01-rdp-clipboard-controls.mdx
@@ -0,0 +1,26 @@
+---
+title: Clipboard controls for browser-based RDP
+description: Administrators can now restrict copy and paste actions between a user's local machine and their browser-based RDP session.
+date: 2026-03-01
+products:
+ - access
+---
+
+You can now configure clipboard controls for browser-based RDP with Cloudflare Access. Clipboard controls allow administrators to restrict whether users can copy or paste text between their local machine and the remote Windows server.
+
+
+
+This feature is useful for organizations that support bring-your-own-device (BYOD) policies or third-party contractors using unmanaged devices. By restricting clipboard access, you can prevent sensitive data from being transferred out of the remote session to a user's personal device.
+
+## Configuration options
+
+Clipboard controls are configured per policy within your Access application. For each policy, you can independently allow or deny:
+
+- **Copy from local client to remote RDP session** — Users can copy/paste text from their local machine into the browser-based RDP session.
+- **Copy from remote RDP session to local client** — Users can copy/paste text from the browser-based RDP session to their local machine.
+
+By default, both directions are denied for new policies. For existing Access applications created before this feature was available, clipboard access remains enabled to preserve backwards compatibility.
+
+When a user attempts a restricted clipboard action, the clipboard content is replaced with an error message informing them that the action is not allowed.
+
+For more information, refer to [Clipboard controls for browser-based RDP](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/#clipboard-controls).
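Review bot: The default-behaviour paragraph near the end of this entry mixes two scopes, "denied for new policies" and "existing Access applications created before this feature was available", and does not say what a new policy added to one of those existing applications gets. Since the entry is aimed at BYOD and contractor use cases, state the rule in one scope (per policy) and add a sentence telling administrators that existing policies keep clipboard access enabled until they edit them.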
diff --git a/src/content/docs/cloudflare-one/access-controls/policies/index.mdx b/src/content/docs/cloudflare-one/access-controls/policies/index.mdx
index 0e5335a30c3ab2..421abd20792b8b 100644
--- a/src/content/docs/cloudflare-one/access-controls/policies/index.mdx
+++ b/src/content/docs/cloudflare-one/access-controls/policies/index.mdx
@@ -17,6 +17,7 @@ An Access policy consists of an **Action** as well as rules which determine the
- [Actions](#actions)
- [Rule types](#rule-types)
- [Selectors](#selectors)
+- [Connection context](#connection-context)
## Actions
@@ -166,6 +167,19 @@ of initial sign on and when reissuing the SaaS session. Once the user has
authenticated to the SaaS app, session management falls solely within the
purview of the SaaS app.
+## Connection context
+
+Connection context settings allow you to control how users interact with an application after they have been granted access. While [selectors](#selectors) determine who can access an application, connection context settings determine what actions users can take during their session.
+
+Connection context is configured per policy, allowing you to grant different permissions to different groups of users. For example, you could allow full-time employees to copy data from a remote RDP session while restricting contractors to read-only access.
+
+The available connection context settings depend on the application type:
+
+| Application type | Available settings |
+| --- | --- |
+| [Infrastructure (SSH)](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/) | Allowed UNIX usernames |
+| [Browser-based RDP](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/#clipboard-controls) | Clipboard controls (copy/paste restrictions) |
+
## Order of execution
Policies are evaluated based on their action type and ordering. Bypass and Service Auth policies are evaluated first, from top to bottom as shown in the UI. Then, Block and Allow policies are evaluated based on their order.
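Review bot: In the second paragraph of the new `## Connection context` section, "restricting contractors to read-only access" overstates what the setting does. The only RDP setting listed in the table below it is clipboard controls (copy/paste restrictions), which does not make a session read-only. Suggest wording the example in terms of the clipboard, for example "while blocking contractors from copying data out of the session".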
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser.mdx
index 37713219a4b541..bd2b4c5854a61d 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser.mdx
@@ -6,7 +6,7 @@ sidebar:
label: Browser-based RDP
---
-import { Render, GlossaryTooltip, Details } from "~/components";
+import { Render, GlossaryTooltip, Details, Tabs, TabItem, APIRequest } from "~/components";
Users can connect to an RDP server without installing an RDP client or the [WARP client](/cloudflare-one/team-and-resources/devices/warp/) on their device. Browser-based RDP leverages [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/), which creates a secure, outbound-only connection from your RDP server to Cloudflare's global network. Setup involves running the `cloudflared` daemon on the RDP server (or any other host machine within the private network) and routing RDP traffic over a public hostname.
@@ -109,29 +109,30 @@ The DNS record does not need to point to an active destination IP address or hos
12.
-
-13.
+13. (Optional) In your Access policy, configure [clipboard controls](#clipboard-controls) to restrict copy and paste actions between the user's local machine and the browser-based RDP session.
+
+14.
-14. Select **Next**.
+15. Select **Next**.
-15. (Recommended) Turn on **Show application in App Launcher** and configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. The App Launcher allows users to view the Windows servers that they can access using browser-based RDP. Without the App Launcher, users will need to know each target's direct URL.
+16. (Recommended) Turn on **Show application in App Launcher** and configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. The App Launcher allows users to view the Windows servers that they can access using browser-based RDP. Without the App Launcher, users will need to know each target's direct URL.
:::note
Ensure that users match an Allow rule in your [App Launcher policies](/cloudflare-one/access-controls/access-settings/app-launcher/#enable-the-app-launcher).
:::
-16.
+17.
-17. Select **Next**.
+18. Select **Next**.
-18.
-19. Select **Save**.
+20. Select **Save**.
## 5. (Recommended) Modify order of precedence in Gateway
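Review bot: The renumbered list skips step 19 at the end of this hunk: `-18.` and `-19. Select **Save**.` are replaced only by `+20. Select **Save**.`, so the visible new numbering runs 17, 18, 20. Either restore the step 19 line or, to avoid hand-renumbering every time a step is inserted, number every item `1.` and let the Markdown renderer count.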
@@ -168,11 +169,104 @@ To connect to a Windows machine over RDP:
:::
4. Select the port that you want to connect to. The port selection screen only appears if the Access application allows RDP traffic on multiple ports (for example, port `3389` and port `65321`).
-5. (Optional) In your browser settings, allow the Access application to access the clipboard. Clipboard permissions grant the ability to copy or paste text between the local machine and the remote Windows machine.
+5. (Optional) In your browser settings, allow the Access application to access the clipboard. Clipboard access is subject to [policy restrictions](#configure-clipboard-controls) configured by your administrator.
6. Enter your Windows username and password. For more information on how to format your username, refer to [User identifier formats](#user-identifier-formats).
You now have access to the remote Windows desktop.
+## Clipboard controls
+
+Clipboard controls allow you to restrict whether users can copy or paste text between their local machine and the browser-based RDP session. They are are configured per policy within your Access application. You can configure different clipboard permissions for different groups of users by creating multiple policies.
+
+### Default behavior
+
+- **New policies**: Clipboard access is denied by default. You must explicitly allow clipboard actions.
+- **Existing applications**: Access applications for browser-based RDP created before this feature was available retain full clipboard access to preserve backward compatibility.
+
+### Available settings
+
+For each Access policy, you can choose one of the following clipboard control options:
+
+| Setting | Description |
+| --- | --- |
+| _Client to remote RDP session allowed_ | Users can copy and paste text from their local client into the browser-based RDP session. |
+| _Remote RDP session to client allowed_ | Users can copy and paste text from the browser-based RDP session to their local client. |
+| _Both directions allowed_ | Users can copy and paste text between the browser-based RDP session and their local client. |
+| _Off_ | Users are not allowed to copy and paste text between the browser-based RDP session and their local client. |
+
+When a user attempts a restricted clipboard action, the clipboard content is replaced with a message informing them that the action is not allowed.
+
+### Configure clipboard controls
+
+
+
+
+1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Access controls** > **Applications**.
+2. Locate your browser-based RDP application and select **Configure**.
+3. Select the **Policies** tab.
+4. Create a new policy or select an existing policy to edit.
+5. Expand **Connection context**.
+6. Under **RDP data flow control**, choose a **Text clipboard control** setting. Refer to [Available settings](#available-settings) for setting descriptions.
+7. Select **Save policy**.
+
+
+
+
+When [creating or updating an Access policy](/api/resources/zero_trust/subresources/access/subresources/policies/) for an RDP application, configure the allowed copy/paste formats in each direction. For example, the following policy allows users to copy text from their local client into the browser-based RDP session, but blocks copying content out of the RDP session.
+
+
+
+
+
+
+Using the `connection_rules` attribute within a [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_policy) resource, configure the allowed copy/paste formats in each direction. For example, the following policy allows users to copy text from their local client into the browser-based RDP session, but blocks copying content out of the RDP session.
+
+```tf
+resource "cloudflare_zero_trust_access_policy" "rdp-policy" {
+ account_id = var.cloudflare_account_id
+ name = "Allow engineers with restricted clipboard"
+ decision = "allow"
+
+ include = [
+ {
+ email_domain = {
+ domain = "example.com"
+ }
+ }
+ ]
+
+ connection_rules = {
+ rdp = {
+ allowed_clipboard_local_to_remote_formats = ["text"]
+ allowed_clipboard_remote_to_local_formats = []
+ }
+ }
+}
+```
+
+
+
+
## Compatibility
### RDP server operating systems
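Review bot: The `### Default behavior` bullets say existing applications "retain full clipboard access" but give no remediation step, and they do not say which default applies to a new policy created inside an existing application. Add a sentence directing administrators to edit existing policies under **Connection context**, and state what omitting `connection_rules` in the Terraform resource means compared with the explicit empty list shown in `allowed_clipboard_remote_to_local_formats = []`. Two smaller points: the first paragraph under `## Clipboard controls` has a doubled word ("They are are configured"), and the user-facing step 5 links to `#configure-clipboard-controls`, an administrator procedure, where `#clipboard-controls` (as used in step 13 of the setup list) would fit the end-user audience better.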
@@ -263,7 +357,7 @@ The login flow differs slightly when using an Microsoft Entra ID-bound username:
- **WARP authentication**: Since browser-based RDP traffic does not go through the WARP client, users cannot use their [WARP session identity](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions/#configure-warp-sessions-in-access) to authenticate.
- **Audio over RDP**: Users cannot use their microphone and speaker to interact with the remote machine.
- **Clipboard size limit**: Data copied between the local machine and the browser-based RDP session may not exceed 500 KB.
-- **Clipboard controls**: Admins do not have the ability to restrict copy/paste actions between the remote machine and the user's local clipboard.
-- **File transfers**: Users cannot copy/paste files from their local machine to the remote machine and vice versa.
+- **Clipboard data types**: Clipboard controls only support text data. Image and file clipboard transfers are not supported.
+- **File transfers**: Users cannot transfer files from their local machine to the remote machine and vice versa.
- **Print to local printer**: Users cannot print information from their browser-based RDP session to a printer in their local network.
- **Network Level Authentication for Entra-joined accounts**: Browser-based RDP does not support PKU2U authentication which is required for [Network Level Authentication (NLA)](https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/remotepc/remote-desktop-allow-access#why-allow-connections-only-with-network-level-authentication) with Entra-joined accounts. Connecting to Entra-joined accounts requires disabling enforcement of NLA on the remote Windows machine. You can disable NLA from **Settings** > **System** > **Remote Desktop**, or use the Local Group Policy Editor to disable **Require user authentication for remote connections by using Network Level Authentication**.
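Review bot: The new "Clipboard data types" bullet is ambiguous where it matters for data-loss prevention: "Clipboard controls only support text data. Image and file clipboard transfers are not supported" can be read either as "images and files cannot cross the clipboard at all" or as "images and files are not covered by the controls". Say explicitly which one holds, for example that non-text clipboard content is never transferred regardless of policy, if that is the behaviour.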