Let's learn how to turn on Screen Capture Protection in AVD using Intune. Screen Capture Protection prevents users from capturing sensitive information on client endpoints through specific operating system (OS) features.
Turning on Screen Capture Protection in Azure Virtual Desktop (AVD) also helps prevent sensitive information from being captured on client endpoints through Application Programming Interfaces (APIs). With this feature, Microsoft protects sensitive information for Intune users.
Organizations face new cyber threats every day, and Microsoft develops many security applications for users. Screen Capture Protection in AVD, deployed through Intune, is one you can now use to protect your organization.
After enabling screen capture protection, remote content is automatically blocked in screenshots and screen sharing. Follow the steps below to configure screen capture protection using Microsoft Intune or Group Policy on your session hosts.
Turn On Screen Capture Protection in AVD using Intune
Screen Capture Protection in AVD can be easily enabled in Microsoft Intune. Intune policy allows admins to enable Screen Capture Protection from the settings catalog. There are two supported scenarios for screen capture protection, depending on the Windows version.
- Block screen capture on client: If you enable this policy setting, the session host instructs a supported Remote Desktop client to enable screen capture protection for a remote session. This prevents screen capture from the client of applications running in the remote session.
- Block screen capture on client and server: By enabling this policy setting, the session host instructs a supported Remote Desktop client to enable screen capture protection for a remote session. This stops tools and services on the session host from capturing the screen, as well as screen capture from the client of programs running in the remote session.
Certain prerequisites must be met before you enable Screen Capture Protection in AVD. Your session hosts must be running one of the following versions of Windows to use screen capture protection. The table below shows the prerequisites.
Prerequisite |
---|
Block screen capture on client is available with a supported version of Windows 10 or Windows 11 |
Block screen capture on client and server is available starting with Windows 11, version 22H2 |
Steps to Turn On Screen Capture Protection in AVD
Admins can easily turn on Screen Capture Protection in AVD using Microsoft Intune. The Screen Capture Protection setting is available in the Microsoft Intune admin center.
- Sign in to the Microsoft Intune admin center.
- Devices > Configuration > +Create > +New Policy
In this window, you can select platform and Profile Type. Here the selected Platform is Windows 10 and later, and Profile type is Settings Catalog. Click on the Create button to continue.
After that, you can create a Profile for screen capture Protection. You can provide the policy’s name and description in the basic section. Here, I give Enabling Screen Capture Protection for AVD as the Name. After that, you can click on the Next button.
The next section after the basic section is the Configuration Settings. Here, you can click on +Add Settings to choose settings to configure.
After clicking on +Add Settings, you will see the Settings Picker window. Here, you can search for settings and browse by category. Here, I search using Administrative Template as the keyword.
- Choose Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop
- Select the Enable Screen Capture Protection setting from the list.
After selecting the setting in the Settings Picker window, click the Next button.
The next window is for selecting Scope Tags. This section is not mandatory. You can easily skip or add this setting if you prefer. Click on the Next button.
The next window will show the Assignment section. Here, you can select included groups or Excluded groups. The Assignment section determines which group needs Screen Capture Protection. Click on the Add groups option on the Included groups and select your preferred group. Then click on the Next button.
The last section is the Review + Create section. Here, you can verify each of the sections and make changes to any section. After that, you can click on the Create button.
After the policy creation is complete, you will receive a Notification on the Intune portal stating that the Policy has been created successfully.
End Users Experience – Screen Protection Policy Enabled
To verify that screen capture protection is working, connect to a remote session with a supported client. To use screen capture protection, users must connect to Azure Virtual Desktop with the Windows App or the Remote Desktop app. The following table shows supported scenarios.
App | Version | Desktop session | RemoteApp session |
---|---|---|---|
Windows App on Windows | Any | Yes | Yes. Client device OS must be Windows 11, version 22H2 or later. |
Remote Desktop client on Windows | 1.2.1672 or later | Yes | Yes. Client device OS must be Windows 11, version 22H2 or later. |
Azure Virtual Desktop Store app | Any | Yes | Yes. Client device OS must be Windows 11, version 22H2 or later. |
Windows App on macOS | Any | Yes | Yes |
Remote Desktop client on macOS | 10.7.0 or later | Yes | Yes |
Take a screenshot or share your screen in a Teams call or meeting. The content should be blocked or hidden, and the remote session appears as a black screen. Any existing sessions must be signed out and checked again for the change to take effect. If a user tries to connect with a different app or version, the connection is denied and an error message is shown.
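The client-side test above can be paired with a check on the session host itself. The following is an added example, not part of the original post: it reads the policy value on a session host and compares the configured mode against the Windows version prerequisite from the table earlier. It assumes the setting is stored as the `fEnableScreenCaptureProtect` DWORD under the Terminal Services policy key, and `Test-ScreenCaptureProtection` is a hypothetical helper name.

```powershell
# Added example: run in PowerShell on an AVD session host after the policy syncs.
# Assumption: the policy lands as the DWORD fEnableScreenCaptureProtect under
# the Terminal Services policy key (1 = client, 2 = client and server).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ValueName = 'fEnableScreenCaptureProtect'

function Test-ScreenCaptureProtection {
    param(
        $PolicyValue,                          # $null when the registry value is absent
        [int]$OsBuild,
        [int]$MinBuildForServerMode = 22621    # Windows 11, version 22H2
    )
    if ($null -eq $PolicyValue) {
        return 'NotConfigured: policy value is missing on this host'
    }
    switch ([int]$PolicyValue) {
        1 { return 'OK: block screen capture on client' }
        2 {
            # Build comparison is a simplification of the "Windows 11 22H2" prerequisite.
            if ($OsBuild -ge $MinBuildForServerMode) {
                return 'OK: block screen capture on client and server'
            }
            return "Unsupported: client and server mode needs build $MinBuildForServerMode or later (host is $OsBuild)"
        }
        default { return "NotEnforced: unexpected value $PolicyValue" }
    }
}

# Read the live state; a missing key or value yields $null rather than an error.
$item  = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
$value = if ($item) { $item.$ValueName } else { $null }
$build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    PolicyValue  = $value
    OsBuild      = $build
    Result       = Test-ScreenCaptureProtection -PolicyValue $value -OsBuild $build
}
```

A `NotConfigured` result on a host in the assigned group usually means the Intune policy has not synced yet or the device falls under an excluded group.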
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.