Prevent sensitive information from being captured on Windows 365 CPCs
30-05-2023 8:02 PM
PreviousHow to secure Windows 365 using a FIDO2 security keyNextManage local administrator rights on Windows 365 Cloud PCs.
Last updated
Was this helpful?
30-05-2023 8:02 PM
Last updated
Was this helpful?
Disclaimer: All information and content in this blog post is provided without any warranty whatsoever. The entire risk of using this information or executing the provided content remains with you. Under no circumstances should the mentioned persons or vendors, the author, or anyone else involved in creating these blog posts be held liable for any damage or data loss.
In this blog post I will show you how to enable a feature called βScreen Capture Protectionβ which will prevent sensitive information from being captured on your Windows 365 Cloud PC(s), intentionally or by malicious software. This can be done in several ways, but in this post I will walk you through the Group Policy Object (GPO) and the PowerShell approach.
Important note. It is recommended to use this feature together with disabling clipboard, drive and printer redirection. Disabling redirection will help to prevent the user(s) from copying the captured screen content from the Cloud PC. However, thereβs no guarantee that this feature will protect content in all scenarios, for example, where someone takes photography of the screen.
Only clients that support this feature can connect to a Windows 365 Cloud PC. Following clients currently support screen capture protection:
Windows Desktop Client version 1.2.1672 and above
macOS client version 10.7.0 and above
Get the Microsoft Remote Desktop client.
Okay, letβs get started! β The very first thing we need to do, is install the GPO administrative templates on our Domain Controller, which adds the Azure Virtual Desktop (AVD) settings to Group Policy Management.
Copy the βen-usβ folder and βterminalserver-avd.admxβ file to the root of either the local or central store.
Group Policy Local Store: β%windir%PolicyDefinitionsβ Group Policy Central Store: β%windir%SYSVOLsysvoldomain.localPoliciesPolicyDefinitionsβ
Open βGroup Policy Managementβ and create or modify an existing GPO.
From βGroup Policy Management Editorβ navigate to Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Azure Virtual Desktop
Enable the βEnable screen capture protectionβ setting. β Donβt forget to link the GPO to the correct OU.
Now you just wait for the GPO to be applied on the Windows 365 Cloud PC or if you have local administrator privileges you can open Command Prompt in administrator elevated mode, and run the following command: βgpupdate /forceβ.
Open βRegistry Editorβ and navigate to βHKLM:SOFTWAREPoliciesMicrosoftWindows NTTerminal Servicesβ and check that βfEnableScreenCaptureProtectβ with value β1β exists.
Restart your Windows 365 Cloud PC.
The next time you try to capture the screen, the result should be a black window. Awesome, it works!
Click on Reports | Endpoint analytics | Proactive remediations | Create script package.
Fill in the required field and click Next.
Add the detection and remediation script, leave the rest as is and click Next. Set scope tags if needed and click Next.
Assign it to a security group containing all or some of your Windows 365 Cloud(s). Click on the three dots to modify the schedule. Click Apply when you are done, and then click Next.
Review your configuration and click Create.
After a while, the screen capture protection will be enabled on the Windows 365 Cloud PC, now set by the PowerShell script.
And once again, we can confirm that the end result is a black window, if we try to capture the screen.
This feature protects the Remote Desktop window from being captured through a specific set of public operating system features and APIs. However, thereβs no guarantee that this feature will strictly protect content, for example, where someone takes photography of the screen.
Customers should use the feature together with disabling clipboard, drive, and printer redirection. Disabling redirection will help to prevent the user from copying the captured screen content from the remote session.
Users canβt share the Remote Desktop window using local collaboration software, such as Microsoft Teams, when the feature is enabled. If Microsoft Teams is used, both the local Teams app and Teams running with media optimizations canβt share the protected content.
If screen capture protection is enabled, and you are trying to connect to a Windows 365 Cloud PC from the web portal, you will receive a message similar to the one below.
In this blog post you have learned how to enabled screen capture protection on your Windows 365 Cloud PC(s) with either GPO or proactive remediation script from Microsoft Endpoint Manager admin center. Personally I would very much appreciate if it was possible to set this setting through a configuration profile within Microsoft Endpoint Manager Intune (I havenβt found it yet, but please correct me if it already exists). And then it would be nice to see support for screen capture protections on other platforms in the near future or at least come up with a more user-friendly message than just βDisconnectedβ if you from the web portal are trying to connect to a Windows 365 Cloud PC where screen capture protection has been enabled. That was the final words. β Happy testing! As always, if you have any questions regarding this topic, feel free to reach out to me.
Source:
macOS Client Download the Microsoft Remote Desktop client from the
Windows Desktop Client (Supported on Windows 10, Windows 10 IoT Enterprise, and Windows 7) Download the Microsoft Remote Desktop client for Download the Microsoft Remote Desktop client for Download the Microsoft Remote Desktop client for
Download the Extract the contents of the downloaded cab file and zip archive.
Now, letβs do it the PowerShell way. Go to The proactive remediation script can be found in my
Source: Important note. Please keep in mind that screen capture protection is only supported on Windows Desktop and macOS clients. This means that if you enable this feature, you will not be able to connect to your Windows 365 Cloud PC(s) from the web portal or other platforms (at least for now).