This article demonstrates how to enable screen capture protection in Windows 365. The Screen Capture Protection feature helps prevent sensitive information from being captured on Windows 365 cloud PCs.
In our previous article, we showed you how to enable watermarking in Windows 365. Along with screen capture prevention, watermarking Cloud PCs helps prevent sensitive information from being captured on client endpoints.
Screen capture protection in Windows 365 can be used to stop users from taking screenshots or screen recordings of the cloud PC session from the endpoint client. When you enable the screen capture protection policy in Intune, the remote content is automatically blocked from screenshots and screen sharing.
Users cannot share their Remote Desktop window using a local collaboration program like Microsoft Teams when screen capture protection is enabled in Windows 365. Neither the local Teams app nor Teams with media optimization can share protected content.
The majority of businesses worry about employee data leaks because they can result in fraud and identity theft. With Windows 365 Cloud PCs, one way to secure the data is to turn on screen capture protection. Applying this capture protection policy prevents screen capture applications installed on the client, third-party ones as well as well-known tools like PrtScn and Snipping Tool, from taking screenshots of the session.
Ways to configure screen capture protection for Windows 365
There are two ways to configure screen capture protection in Windows 365 for your cloud PCs:
- Download the AVD GPO templates, and then set up the AVD admx GPO using the group policy management console or an Intune policy.
- Use the Intune policy to activate the screen capture protection on cloud PCs.
The quickest and easiest way to enable screen capture protection on your Windows 365 cloud PCs, including Azure Virtual Desktop, is through an Intune policy. Organizations can now use Intune to deploy screen capture protection policies in order to secure their Windows 365 cloud PCs. In this article, we will talk about this technique.
The requirements for turning on screen capture protection in Windows 365 and AVD are as follows:
- Your session hosts must be running one of the following versions of Windows to use screen capture protection:
  - If you are going to block screen capture on the client, ensure you run a supported version of Windows 10 or Windows 11.
  - If you wish to block screen capture on the client and server, use Windows 11, version 22H2 or a higher version.
- The cloud PCs should be online in order for the screen capture protection policy to apply.
Enable Screen Capture Protection in Windows 365
In this section, we will create a configuration profile in Intune, turn on screen capture protection in Windows 365, and apply this profile to our cloud PCs.
Perform the following steps to enable screen capture protection in Windows 365:
- Sign in to the Microsoft Intune admin center.
- Select Devices > Windows > Configuration Profiles.
- To create a new configuration profile, select +Create Profile.
On the Create a Profile pane, configure the following and select Create.
- Platform: Windows 10 and later
- Profile Type: Settings Catalog
In the Basics tab, enter the following properties:
- Name: Enter a descriptive name for the profile, which you can easily identify later. For example, a good profile name is ‘Enable Screen Capture Protection in Windows 365’.
- Description: Enter a brief description of the profile. This setting is optional but recommended.
In the Configuration Settings section, under Settings Catalog, click Add Settings. The Intune Settings catalog allows you to enable and assign screen capture protection policies to cloud PCs.
Configure Screen Capture Protection Policy in Intune
On the Settings picker window, type “screen capture protection” in the search box and click Search. From the search results, select Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Azure Virtual Desktop.
Enable screen capture protection: The screen capture protection policy allows you to specify whether protection against screen capture is enabled for a remote session across client and server. By enabling this policy via Intune, clients will be able to receive instructions from the RD session host server to enable screen capture protection for a remote session. If the client is incompatible with screen capture protection, the connection will be denied.
Select the setting: Enable screen capture protection. This will also activate another setting, screen capture protection options (device). Close the settings picker window.
Supported Scenarios for Screen Capture Protection
According to Microsoft, there are two supported scenarios for screen capture protection depending on the version of Windows you’re using:
- Block screen capture on client: If you enable this policy setting, the session host instructs a supported Remote Desktop client to enable screen capture protection for a remote session. This prevents screen capture from the client of applications running in the remote session.
- Block screen capture on client and server: By enabling this policy setting, the session host instructs a supported Remote Desktop client to enable screen capture protection for a remote session. This stops tools and services on the session host from capturing the screen, as well as screen capture from the client of programs running in the remote session.
In our situation, we have both options enabled (this is done for testing). If you are applying this policy to your organization’s Cloud PCs, we advise reading through both scenarios first. Click Next.
On the Assignments tab, pick a group to which you want to assign the screen capture protection policy. We recommend first deploying the policy to a few test groups comprised of cloud PCs and then expanding it to larger groups if the testing is successful. Select Next.
On the Review + Create page, review all the settings that you have defined to configure screen capture protection in Windows 365 and select Create.
After you create the above policy, a notification appears: “Policy Enable Screen Capture Protection in Windows 365 created successfully”. This confirms that the policy has been created and is being applied to the groups we chose. The new profile that we created displays in the list of configuration profiles in Intune.
Monitor Screen Capture Protection Policy in Intune
Once the devices in the designated groups are online and have checked in with the Microsoft Intune service, the policy is applied to them. You can also force a manual sync of Intune policies on your computers to get the latest policies and settings from Intune.
To monitor the screen capture policy in Intune that you applied to your groups, select the policy and review the “Device and user check-in status”. Under the Device and user check-in status, we see the total number of cloud PCs that succeeded in receiving the Intune screen capture protection policy.
We’ll check to see if it’s possible to take screenshots and capture information after the cloud PCs have received the screen capture protection policy from Intune.
From our testing, when we attempted to use the PRTSC key to grab the screenshot during the Cloud PC session, we saw a blank screen. No data or information was copied from the session.
Even when you use Snipping Tool or any third-party screen capture tool to take a screenshot of the Cloud PC desktop or any application during the session, it doesn’t capture any details. This demonstrates that Microsoft’s screen capture protection feature on our Windows 365 cloud PCs actually works as promised.
Screen Capture Protection Windows 365 Not Working
In some cases, the screen capture protection policy may fail to apply to certain cloud PCs. Any policy assignment errors will be shown in the Intune admin center, which also shows which Cloud PCs the policy could not be applied to. To resolve these errors, troubleshoot by reviewing the Intune logs on the affected Windows computers.
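One way to check on a Cloud PC whether the policy actually arrived and whether the OS meets the requirement for the chosen scenario, as an added example that is not part of the original article or of Microsoft's tooling. It assumes the AVD administrative template stores the setting as the DWORD fEnableScreenCaptureProtect under the Terminal Services policy key (1 = client, 2 = client and server), which the article does not state; the function name is hypothetical.

```powershell
# Added example: run in PowerShell on the Cloud PC (session host).
# Assumption: the policy lands as this DWORD under the Terminal Services
# policy key; confirm the value name against the ADMX template you deployed.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$PolicyName = 'fEnableScreenCaptureProtect'

# Hypothetical helper: maps the raw policy value and OS build to a readable state.
function Get-ScreenCaptureProtectionState {
    param(
        $PolicyValue,      # $null when the value is absent from the registry
        [int]$OsBuild      # e.g. 19045 (Windows 10 22H2), 22621 (Windows 11 22H2)
    )

    if     ($null -eq $PolicyValue) { $mode = 'NotConfigured' }
    elseif ($PolicyValue -eq 0)     { $mode = 'Disabled' }
    elseif ($PolicyValue -eq 1)     { $mode = 'BlockOnClient' }
    elseif ($PolicyValue -eq 2)     { $mode = 'BlockOnClientAndServer' }
    else                            { $mode = "Unknown ($PolicyValue)" }

    # Blocking on client and server needs Windows 11, version 22H2 (build 22621)
    # or later on the session host, per the requirements listed in the article.
    $osSupportsMode = ($mode -ne 'BlockOnClientAndServer') -or ($OsBuild -ge 22621)

    [pscustomobject]@{
        Mode           = $mode
        OsBuild        = $OsBuild
        OsSupportsMode = $osSupportsMode
        PolicyPresent  = ($mode -in 'BlockOnClient', 'BlockOnClientAndServer')
    }
}

# Read the live values; a missing policy value yields $null instead of an error.
$value = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName `
            -ErrorAction SilentlyContinue).$PolicyName
$build = [int](Get-ItemProperty `
            'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber

Get-ScreenCaptureProtectionState -PolicyValue $value -OsBuild $build
```

A result of NotConfigured on a Cloud PC that Intune reports as succeeded suggests forcing a sync and checking again before digging into the Intune logs.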