In this blog post, we will demonstrate how to enable screen capture protection for Windows 365 Cloud PCs. Screen capture protection safeguards sensitive information from being captured on client endpoints.
Various methods exist for capturing information displayed on the screen, such as using a Snipping Tool, a Print screen key on the keyboard (PrtSc), and other third-party tools. These tools and other APIs commonly used for this purpose will be ineffective when you enable Screen capture protection.
Attempting to capture a screenshot will result in displaying a black image, not only during regular usage but also during screen-sharing sessions. Enabling Screen capture protection enhances the security of your Windows 365 Cloud PCs by preventing unauthorized access to sensitive information, ensuring a more secure computing environment.
Screen Capture Protection Options
There are two options for enabling screen capture protection. Let’s take a look:
- Block screen capture on client – This option will enable screen capture protection on the client endpoint.
- Block screen capture on client and Windows 365 Cloud PC – This option will activate screen capture protection on the client endpoint and restrict screen capture tools within the Cloud PCs.
Prerequisites
- Windows 10/11 Enterprise or Enterprise multi-session.
- Windows Server 2016/2019/2022 (In case of AVD or IaaS Remote desktop server Instance).
Enable Screen Capture Protection
- Sign in to the Intune admin center > Devices > Configuration > Create > New Policy.
- Select Platform as Windows 10 and later
- Profile type as Settings Catalog
- Click on the Create button.
- Basics Tab – Enter the Name and Description of the profile.
- Configuration Settings
- Click on + Add settings.
- In the Settings picker, search for screen capture protection.
- Click on Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Azure Virtual Desktop category.
- Check the box for Enable screen capture protection and exit the settings picker.
Please note that the same policy will work on Windows 365 and Azure Virtual Desktop Session Host. If you are working with Azure Virtual Desktop and want to enable screen capture protection, you can use the same policy and apply it to Azure Virtual Desktops (AVDs).
Note
- Use the toggle switches to enable screen capture protection:
- Enable screen capture protection – Use the toggle switch to enable screen capture protection for Cloud PCs.
- Block screen capture on client and server: If the Cloud PCs are running Windows 11 22H2 or a later version and you intend to block screen capture on the client endpoint and also block screen capturing tools (e.g., Snipping Tool) inside the Cloud PCs, enable Block screen capture on client and server as well.
About Screen capture protection policy: This policy setting allows you to specify whether protection against screen capture is enabled for a remote session across client and server. If you enable this policy setting to block screen capture on the client, the RD Session Host Server will instruct the client to enable screen capture protection for a remote session.
If a compatible client is used, it will prevent screen capture of the applications running in the remote session. If you enable this policy setting to block screen capture on the client and server, it will block the client as described above and instruct the session host to prevent tools and services within the session host from capturing the screen. This option requires the session host to be OS version Windows 11, version 22H2 or later.
The connection will be denied if the client is not compatible with screen capture protection. If you disable or do not configure this policy setting, the screen capture protection will be disabled.
- Scope tags – Click on Next.
- Assignments tab – Click Add groups and select an Entra security group containing Cloud PCs.
- Review + create – Review the policy summary and click Create.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually trigger an Intune sync from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.
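As an added example (not a script from the original post), the following PowerShell forces the Intune check-in from the device itself. It assumes the device is MDM-enrolled, which is what creates the PushLaunch scheduled task under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\ that the MDM client uses to start a sync; run it from an elevated PowerShell session on the Cloud PC.

```powershell
# Added example: force an Intune (MDM) sync on an enrolled Windows 10/11 device.
# Assumption: the device is MDM-enrolled, so a PushLaunch task exists under
# \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\ (the EnrollmentId is a GUID).
function Start-IntuneSync {
    [CmdletBinding()]
    param()

    # Locate the PushLaunch task regardless of the enrollment GUID in its path.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -eq 'PushLaunch' } |
        Select-Object -First 1

    if (-not $task) {
        throw 'PushLaunch task not found. Is this device MDM-enrolled?'
    }

    # Start the task, give the MDM client a moment, then report the run result.
    Start-ScheduledTask -InputObject $task
    Start-Sleep -Seconds 5
    $info = Get-ScheduledTaskInfo -InputObject $task

    [pscustomobject]@{
        TaskPath       = $task.TaskPath
        LastRunTime    = $info.LastRunTime
        LastTaskResult = $info.LastTaskResult   # 0 means the task started successfully
    }
}

Start-IntuneSync
```

After the sync completes, confirm the profile's status for the device under Devices > Configuration in the Intune admin center rather than relying on the task result alone; the task result only tells you the check-in was started, not that the policy applied.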
Monitoring Deployment Progress
- Sign in to the Intune admin center > Devices > Configuration.
- Choose the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
- Click on View report to access more detailed information.
End User Experience
Screen capture protection will be enabled once the policy settings are successfully applied to the target devices. If a user attempts to take a screenshot of the Cloud PC, it will display a black screen.