Windows 365: Enable Screen Capture Protection using Intune

In this blog post, we will learn how to enable Screen Capture Protection for Windows 365 Cloud PCs. The primary purpose of Screen Capture Protection is to safeguard sensitive information from being captured on client endpoints.

Various methods exist for capturing information displayed on the screen, such as using a Snipping Tool, Print screen key on the keyboard (PrtSc), and various other third-party tools. However, by enabling Screen Capture Protection, these applications, and other APIs commonly used for this purpose will be rendered ineffective. Attempting to capture a screenshot will result in displaying a black image, not only during regular usage but also during screen-sharing sessions.

Enabling Screen Capture Protection enhances the security of your Windows 365 Cloud PCs by preventing unauthorized access to sensitive information, ensuring a more secure computing environment.

Screen Capture Protection Options

Screen Capture Protection in Windows 365 Cloud PCs supports two options, each catering to specific needs. The choice between these options depends on whether you aim to enable screen protection mainly for remote sessions or also intend to prevent tools and services from capturing screenshots within the Cloud PCs themselves.

  • Block screen capture on client – This option will enable screen capture protection on the client endpoint.
  • Block screen capture on client and Windows 365 Cloud PC – This option will activate screen capture protection on the client endpoint and restrict screen capture tools within the Cloud PCs.

Prerequisites

  • Windows 10/11 Enterprise or Enterprise multi-session.
  • Windows Server 2016/2019/2022 (In case of AVD or IaaS Remote desktop server Instance).

Enable Screen Capture Protection using Intune

To Enable Screen Capture Protection on Windows 365 Cloud PCs using the Intune admin center, follow the below steps:

Create a Device configuration profile for Screen capture protection
Create a Device configuration profile for Screen capture protection
  • Select Platform as Windows 10 and later
  • Profile type as Settings Catalog
  • Click on the Create button.
Select Settings catalog profile type
Select Settings catalog profile type

Basics Tab

Enter the Name and Description of the profile. For Example:

  • Name: W365 Screen Capture Protection Policy
  • Description: This policy enables screen capture protection on Windows 365 Cloud PCs.
Screen capture protection policy on Intune: Basics tab
Screen capture protection policy on Intune: Basics tab
  • Click on Next to proceed.

Configuration Settings

  • Click on “+ Add settings.”
  • In the Settings picker, search for “screen capture protection“.
  • Click on Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Azure Virtual Desktop category.
  • Check the box for “Enable screen capture protection” and exit the settings picker.

Please note that the same policy will work on Windows 365 and Azure Virtual Desktop Session Host. If you are operating in an Azure Virtual Desktop infrastructure environment and wish to enable screen capture protection, you can use the same policy and apply it to Azure Virtual Desktops (AVDs).

Note
Screen capture protection policy on Intune: Settings picker
Screen capture protection policy on Intune: Settings picker
  • Use the toggle switches to Enable screen capture protection:
    • Enable screen capture protection – Use the toggle switch to enable screen capture protection for Cloud PCs.
    • Block screen capture on client and server: If the Cloud PCs are running Windows 11 22H2 client or a later version and you intend to block screen capture protection on the Client Endpoint and prevent screen capturing tools, e.g., snipping tool from within the Cloud PCs, choose Enable “Block screen capture on client and server” as well.
Screen capture protection policy on Intune: Configuration settings tab
Screen capture protection policy on Intune: Configuration settings tab

Scope tags

Click on Next.

Assignments tab

Click Add groups and select an Entra security group containing Cloud PCs.

Screen capture protection policy on Intune: Assignment tab
Screen capture protection policy on Intune: Assignment tab

Review + create

On the Review + Create tab, review the policy summary and click on Create.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.

Monitoring Deployment Progress

To monitor the deployment progress of a Device configuration profile, follow the below steps:

  • Sign in to the Microsoft Intune admin center.
  • Click on “Devices” and then click on “Configuration“.
  • Choose the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
  • Click on “View report” to access more detailed information.
Monitoring the screen capture protection policy progress via Intune admin center
Monitoring the screen capture protection policy progress via Intune admin center

End-user Experience

Once the policy settings are successfully applied to the target devices, screen capture protection will be enabled. If an end user attempts to take a screenshot of the Cloud PC, it will display a black screen.

You can attempt to use any screen-capturing tools, such as the Snipping Tool or the Print Screen key (PrtSc) on the keyboard. When utilizing these tools, the session window will automatically switch to a black screen, activated by the screen protection feature.

Screen capture protection feature End-user Experience

Leave a Comment