Windows 365: Enable Screen Capture Protection using Intune

This blog post will demonstrate how to enable screen capture protection for Windows 365 Cloud PCs. Screen Capture Protection safeguards sensitive information from being captured on client endpoints.

Various methods exist for capturing information displayed on the screen, such as the Snipping Tool, the Print Screen key on the keyboard (PrtSc), and various third-party tools. Enabling Screen Capture Protection renders these applications, and other APIs commonly used for this purpose, ineffective. Attempting to capture a screenshot results in a black image, not only during regular usage but also during screen-sharing sessions.

Enabling Screen Capture Protection enhances the security of your Windows 365 Cloud PCs by preventing unauthorized access to sensitive information, ensuring a more secure computing environment.

Screen Capture Protection Options

Screen Capture Protection in Windows 365 Cloud PCs supports two options, each catering to specific needs. The choice between these options depends on whether you aim to enable screen protection mainly for remote sessions or intend to prevent tools and services from capturing screenshots within the Cloud PCs.

  • Block screen capture on client – This option will enable screen capture protection on the client endpoint.
  • Block screen capture on client and Windows 365 Cloud PC – This option will activate screen capture protection on the client endpoint and restrict screen capture tools within the Cloud PCs.

Prerequisites

  • Windows 10/11 Enterprise or Enterprise multi-session.
  • Windows Server 2016/2019/2022 (In case of AVD or IaaS Remote desktop server Instance).

Enable Screen Capture Protection using Intune

To enable Screen Capture Protection on Windows 365 Cloud PCs using the Intune admin center, follow the steps below:

Create a Device configuration profile for Screen capture protection
  • Select Platform as Windows 10 and later
  • Profile type as Settings Catalog
  • Click on the Create button.
Select Settings catalog profile type

Basics Tab

Enter the Name and Description of the profile. For Example:

  • Name: W365 Screen Capture Protection Policy
  • Description: This policy enables screen capture protection on Windows 365 Cloud PCs.
Screen capture protection policy on Intune: Basics tab
  • Click on Next to proceed.

Configuration Settings

  • Click on + Add settings.
  • In the Settings picker, search for screen capture protection.
  • Click on Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Azure Virtual Desktop category.
  • Check the box for Enable screen capture protection and exit the settings picker.

Note: The same policy works on both Windows 365 Cloud PCs and Azure Virtual Desktop session hosts. If you are operating in an Azure Virtual Desktop infrastructure environment and wish to enable screen capture protection, you can use the same policy and apply it to Azure Virtual Desktops (AVDs).
Screen capture protection policy on Intune: Settings picker
  • Use the toggle switches to Enable screen capture protection:
    • Enable screen capture protection – Use the toggle switch to enable screen capture protection for Cloud PCs.
    • Block screen capture on client and server – If the Cloud PCs are running Windows 11 22H2 or a later version and you intend to block screen capture on the client endpoint and also prevent screen-capturing tools (e.g., the Snipping Tool) from working within the Cloud PCs, select the Block screen capture on client and server option as well.
Screen capture protection policy on Intune: Configuration settings tab

Scope tags

Click on Next.

Assignments tab

Click Add groups and select an Entra security group containing Cloud PCs.

Screen capture protection policy on Intune: Assignment tab

Review + create

Review the policy summary on the Review + Create tab and click Create.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.
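
One way to do this from an elevated PowerShell session on the Cloud PC, then confirm on the device that the setting has landed (an added example, not code from the original post). It assumes the MDM client's PushLaunch scheduled task and the fEnableScreenCaptureProtect policy value documented by Microsoft for Azure Virtual Desktop; the 10-minute wait is an arbitrary choice.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions (not stated on this page): the MDM client's
# "PushLaunch" scheduled task and the fEnableScreenCaptureProtect policy value.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$PolicyName = 'fEnableScreenCaptureProtect'

function Start-IntuneSync {
    # MDM enrollment registers PushLaunch under
    # \Microsoft\Windows\EnterpriseMgmt\<enrollment GUID>\
    $task = Get-ScheduledTask -TaskName 'PushLaunch' -ErrorAction SilentlyContinue |
        Where-Object TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*'
    if (-not $task) {
        throw 'PushLaunch task not found: the device does not appear to be MDM-enrolled.'
    }
    $task | Start-ScheduledTask
}

function Get-ScreenCaptureProtectionState {
    # Returns a readable description of the effective policy value.
    $item  = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    $value = if ($item) { $item.$PolicyName } else { $null }

    if ($null -eq $value) { return 'Not configured' }
    elseif ($value -eq 1) { return 'Block screen capture on client' }
    elseif ($value -eq 2) { return 'Block screen capture on client and server' }
    else                  { return "Unexpected value: $value" }
}

# Trigger a check-in, then poll until the policy value appears or we time out.
Start-IntuneSync
$deadline = (Get-Date).AddMinutes(10)
do {
    $state = Get-ScreenCaptureProtectionState
    if ($state -ne 'Not configured') { break }
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $deadline)

Write-Output "Screen capture protection: $state"
```

A result of "Not configured" after the timeout usually means the device is not in the assigned Entra group or the profile reported a conflict; the report under Monitoring Deployment Progress shows which.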

Monitoring Deployment Progress

To monitor the deployment progress of a Device configuration profile, follow the below steps:

  • Sign in to the Intune admin center.
  • Click on Devices and then click on Configuration.
  • Choose the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
  • Click on View report to access more detailed information.
Monitoring the screen capture protection policy progress via Intune admin center

End-user Experience

Screen capture protection will be enabled once the policy settings are successfully applied to the target devices. If an end user attempts to take a screenshot of the Cloud PC, it will display a black screen.

You can attempt to use any screen-capturing tools, such as the Snipping Tool or the Print Screen key (PrtSc) on the keyboard. When utilizing these tools, the session window will automatically switch to a black screen, activated by the screen protection feature.

Screen capture protection feature End-user Experience
