How to Enable Screen Capture Protection in Windows 365 for Enhanced Security
Learn how to enable and use screen capture protection in Windows 365 to secure sensitive information and prevent unauthorized captures, enhancing your organization's data security.
When used alongside watermarking, screen capture protection in Windows 365 helps prevent sensitive data that your organization handles, stores, and transmits from being captured on client endpoints. When this feature is enabled, remote content is automatically blocked in screenshots and screen sharing using a specific set of operating system (OS) features and Application Programming Interfaces (APIs). This feature also blocks users from sharing their Remote Desktop window using local collaboration programs like Microsoft Teams. If a user tries to take a screenshot or share their screen, all that will be captured is a blank screen. Accordingly, with screen capture protection enabled, you reduce the risk of endpoint users or malicious software leaking sensitive data through screenshots or screen sharing, making this feature particularly valuable for government contractors seeking CMMC certification.
This blog will take a deeper look at Windows 365 screen capture protection and walk you through the process of enabling it. While screen capture protection can be configured using Microsoft Intune or Group Policy on your session host, in this blog we will focus on how to enable screen capture protection in Microsoft Intune.
Supported Scenarios for Screen Capture Protection
According to Microsoft, there are two supported scenarios for screen capture protection depending on the version of Windows that your organization is using:
- Block Screen Capture on the Client: By enabling this setting, the session host will instruct a supported Remote Desktop client to enable screen capture protection for a remote session. Choosing this option prevents screen capture from the client of applications running in the remote session.
- Block Screen Capture on Client and Server: This option provides more comprehensive protection. In addition to preventing screen capture from the client of applications running in the remote session, it prevents tools and services within the session host from capturing the screen.
Which option you should choose will depend on the version of Windows you are running, as there are prerequisites for enabling screen capture protection in Windows 365. Below we take a look at the prerequisites for each scenario as well as for enabling screen capture protection in Microsoft Intune.
Prerequisites to Enable Screen Capture Protection
Before we look at the process of enabling screen capture protection in Windows 365, it’s important that we first look at the prerequisites for doing so, as your system must meet certain requirements in order to turn on screen capture protection in either Windows 365 or Azure Virtual Desktop.
Microsoft outlines the following prerequisites to enable screen capture protection:
- Firstly, your session host must be running one of the following versions of Windows to use screen capture protection:
  - Block Screen Capture on Client: available with a supported version of Windows 10 or 11.
  - Block Screen Capture on Client and Server: available starting with Windows 11, version 22H2.
- Additionally, to configure Microsoft Intune to enable screen capture protection, you also need:
  - A Microsoft Entra ID account that is assigned the Policy and Profile manager built-in RBAC role.
  - A group containing the devices you want to configure.
Once you’ve met these prerequisites, you’ll be able to enable screen capture protection. Consult your MSP if you’re unsure whether you meet these requirements.
Enable Screen Capture Protection in Microsoft Intune
Once you familiarize yourself with the screen capture protection scenarios and prerequisites in Windows 365, your next step will be to enable screen capture protection in Microsoft Intune. While Microsoft provides step-by-step instructions for enabling screen capture protection both in Microsoft Intune and Group Policy on their website, we’ll provide a brief overview below of the steps you must take to enable screen capture protection in Intune specifically.
1. First, you must sign in to the Microsoft Intune admin center.
2. Next, you will need to create or edit a Settings catalog configuration profile for Windows 10 or later devices. The Intune Settings catalog will allow you to enable screen capture protection policies and assign them to cloud PCs.
3. In the “Settings picker” window, search “screen capture protection” and from these search results select “Administrative templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop.”
4. On this screen, you can then check the box for “Enable screen capture protection,” and then close the settings picker window.
5. Next, expand the “Administrative templates” category and toggle the switch that says “Enable screen capture protection” to enabled.
6. Moving to the “Assignments” tab, pick a group name containing the computers that you want to assign to the screen capture protection policy. You may want to start with a few small test groups and then expand the policy if testing is successful.
7. Finally, on the “Review + create” tab, review the settings and select “Create” to enable the screen capture protection policy. You should see a notification appear that says “Policy Enable Screen Capture Protection in Windows 365 created successfully.” Once this is done, you will need to restart the computers the policy applies to.
Verify Screen Capture Protection
Once you’ve taken the above steps to enable screen capture protection, how will you know if it worked? The best way to verify that screen capture protection is working is to connect to a remote session with a supported client. Next, take a screenshot or share your screen in a Teams call or meeting. If screen capture protection is working, the content should be blocked or hidden. Even if you use a snipping tool or third-party screen capture tool to take a screenshot during the session, all you should see in the screenshot is a blank screen. However, it’s important to note that in order for screen capture protection to take effect, users in any existing sessions need to sign out and back in again.
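To complement the manual screenshot test, the following PowerShell check can be run on a session host or Cloud PC to confirm that the policy arrived and that the operating system supports the chosen scenario. This is an added example, not part of the original post or Microsoft's instructions. It assumes the policy is stored as the DWORD `fEnableScreenCaptureProtection` (1 = client, 2 = client and server) under the Terminal Services policy key, and the function name `Get-ScreenCaptureProtectionState` is hypothetical.

```powershell
# Added example: audit the screen capture protection policy on a session host.
# Assumption: the policy is stored as the DWORD fEnableScreenCaptureProtection
# (1 = client, 2 = client and server) under the Terminal Services policy key.
function Get-ScreenCaptureProtectionState {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    )

    $valueName = 'fEnableScreenCaptureProtection'

    # CurrentBuildNumber is stored as a string, so cast it before comparing.
    $osKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int](Get-ItemProperty -Path $osKey).CurrentBuildNumber

    # A missing key or value means the policy has not reached this device.
    $raw  = $null
    $item = Get-ItemProperty -Path $PolicyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($item) { $raw = $item.$valueName }

    if     ($null -eq $raw) { $scenario = 'Not configured' }
    elseif ($raw -eq 1)     { $scenario = 'Block screen capture on client' }
    elseif ($raw -eq 2)     { $scenario = 'Block screen capture on client and server' }
    else                    { $scenario = "Unexpected value: $raw" }

    # Client-and-server blocking requires Windows 11, version 22H2 (build 22621) or later.
    $osSupportsScenario = ($raw -ne 2) -or ($build -ge 22621)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OsBuild            = $build
        PolicyValue        = $raw
        Scenario           = $scenario
        OsSupportsScenario = $osSupportsScenario
        Compliant          = ($raw -in 1, 2) -and $osSupportsScenario
    }
}

Get-ScreenCaptureProtectionState
```

A compliant result only shows that the setting reached the device; the screenshot test from a supported client after signing out and back in is still what confirms the content is actually blocked.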
Limitations of Screen Capture Protection in Windows 365
While screen capture protection in Windows 365 can be extremely useful in helping secure your organization’s sensitive data, it’s important to note that this feature is not without its issues and limitations. For instance, while this feature can be critical in preventing malicious software from taking screen captures of sensitive data, and it can help prevent your team from accidentally sharing secure data over unsecured channels, it won’t prevent malicious actors within your organization from sharing sensitive data through other means, such as by taking photos of their screen with a cell phone. Additionally, enabling this feature can cause issues for your team when collaborating: it prevents users from sharing their Remote Desktop window using local collaboration software such as Microsoft Teams, as Teams cannot share protected content.
If your organization handles secure data or sensitive government data such as Controlled Unclassified Information (CUI) and you must maintain CMMC compliance, you should then consider partnering with a CMMC-certified managed service provider (MSP) to help you go over your options for securing your data. An experienced MSP can help you determine if screen capture protection in Windows 365 is right for your organization, and they can walk you through your options for securing CUI to ensure CMMC compliance.
Need to Protect Confidential Data? Learn How AgileSecure Helps Organizations Secure Sensitive Data to Achieve CMMC Compliance
If you’re looking for a CMMC-certified MSP you can trust to help you protect your sensitive data and guide you through the CMMC certification process, look no further than Agile IT. With our proactive cloud program AgileSecure, we can help empower your organization to maintain CMMC compliance and stay ahead of evolving security threats and regulatory requirements with IT management and security services tailored to meet your needs. Agile IT will be a trusted partner dedicated to enhancing your security and compliance posture to protect your organization’s sensitive data. We do this by leveraging state-of-the-art security measures designed for a digital landscape that is constantly evolving and where a proactive stance must be taken to keep your data secure.
If you’re in the process of seeking CMMC certification, or you’re simply interested in enhancing your security posture in order to protect your valuable data and maintain CMMC compliance, consider reaching out to Agile IT to learn more about our CMMC services. Our experienced team is here to help give you deep insights into your security posture and provide you with comprehensive guidance and support throughout the CMMC certification process.