Windows IT Pro Blog
Keyboard Input Protection for Windows 365 and Azure Virtual Desktop now in preview

Lavanya_Kasarabada
Nov 18, 2025

The evolving threat landscape for virtualization

The rapid adoption of cloud-based virtualization has transformed how organizations deliver secure, scalable workspaces. This shift has also expanded the attack surface for cybercriminals. Recent market intelligence highlights that endpoint malware like infostealers, keyloggers, screen scrapers, and ransomware continues to target user devices. This includes personal devices like those used for Bring Your Own Device (BYOD) strategies, as those unmanaged devices may be less secure and thus an easier target.

Harvesting sensitive data at the endpoint device has become a top method for attackers. Infostealer malware in particular has become a leading threat, used to steal sensitive data from both managed and unmanaged devices. [1] Attackers are increasingly targeting personal devices that access corporate resources, exploiting gaps in endpoint security.

Shifting the trust boundary to the endpoint

For organizations embracing a remote workforce, endpoint protection is no longer optional — it’s essential. While virtualization solutions secure the cloud and network layers, they cannot fully shield against threats originating on user devices. 

  • Malware risk: Keyloggers and screen scrapers on unmanaged endpoints can capture sensitive data before it reaches the cloud.
  • BYOD exposure: Personal devices often lack enterprise-grade security, creating compliance and data loss risks.
  • Detection delays: Endpoint breaches can go unnoticed for months, giving attackers time to harvest credentials and compromise sessions.

Customers need assurance that every device connected to a cloud service meets security posture requirements. Enforcing keyboard input protection on the endpoint, together with verification checks from the cloud side within the virtualized environment, offers end-to-end protection, closes these gaps, and ensures safety guardrails are always applied, regardless of device type. This is critical for safeguarding sensitive data and maintaining compliance in a distributed workforce.

Introducing Windows Cloud Keyboard Input Protection

We are excited to announce Windows Cloud I/O Protection capabilities, which help protect Windows 365 Cloud PC and Azure Virtual Desktop VM endpoints from malware and other risks stemming from inputs or displays. The first of these new capabilities is Windows Cloud Keyboard Input Protection, now in public preview and purpose-built to address endpoint security concerns for Windows 365 and Azure Virtual Desktop. It establishes a secure communication channel that begins at the endpoint device’s kernel and extends to Windows 365 Cloud PCs or Azure Virtual Desktop session hosts or virtual machines (VMs). The Windows Cloud Keyboard Input Protection solution ensures the confidentiality and integrity of sensitive input data by encrypting user keystrokes at the kernel level and decrypting them exclusively within the remote virtual environment. As a result, unauthorized interception or manipulation of input is effectively prevented throughout the entire path, from the moment the user types until the data reaches the Cloud PC.

Solution components include:

  • Kernel-level encryption: A software kernel driver and system-level encryption service work together to route all keyboard inputs directly from the physical device to the Cloud PC or Azure Virtual Desktop VM in encrypted format. This prevents interception by OS-level malware, including keyloggers and screen scrapers.
  • VM-side decryption: Only the remote Cloud PC or VM can decrypt the keystrokes, ensuring that sensitive data never appears in clear text on the endpoint device.
  • Seamless user experience: The protection is transparent to users and IT admins, maintaining productivity while enforcing robust security without performance impact.

Activating Windows Cloud Keyboard Input Protection

Security IT admins can enable Windows Cloud Keyboard Input Protection using Group Policy in an Active Directory domain by opening the Group Policy Management console, navigating to Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop > Enable Keyboard Input Protection, and enabling it as shown below.

Figure: IT admins can easily enable keyboard input protection for Windows 365 or Azure Virtual Desktop.

After the feature is enabled, the end user with admin privileges will need to install the Windows Cloud IO Protect endpoint enablement package (WCIO Protect.msi) on their physical device.

This feature is supported in:

  • Windows Azure Virtual Desktop VMs with the latest Microsoft-supported Windows Client OS versions.
  • Supported endpoint device OS:
    1. Windows 11 physical devices running a supported Windows App (version 2.0.704.0 or newer) with the Windows Cloud IO Protect MSI installed.

To learn more about setting up Windows Cloud Keyboard Input Protection, visit our Learn page.

How Windows Cloud Keyboard Input Protection helps

With the proliferation of endpoint threats and the rise of remote work, organizations need more than just cloud security — they need endpoint-to-cloud protection. Windows Cloud IO Keyboard Input Protection delivers:

  • Compliance assurance: By preventing unauthorized data capture at the endpoint, organizations can better meet regulatory requirements for data protection and privacy.
  • Reduced breach risk: Utilizing secure communication channels from the endpoint kernel to the remote VM dramatically lowers the risk of credential theft and data exfiltration from resident threats.
  • Future-ready security: As attackers evolve, Microsoft’s approach — combining kernel-level protection, device compliance, and cloud integration — sets a new standard for secure desktop delivery.

Next steps

Windows Cloud Keyboard Input Protection will be rolling out to organizations using Windows 365 and Azure Virtual Desktop in the coming weeks.

To learn more about this feature, and other security capabilities within Windows Cloud, please visit our resources:

  • Windows 365 Learn doc on Windows Cloud I/O Protection
  • For an overview of Windows 365 Security concepts, visit https://aka.ms/w365security
  • To see more about our Ignite announcements around Windows 365 and Azure Virtual Desktop, see our Windows blog
  • To see our security announcements bringing B2B and external identity support for Windows 365 and Azure Virtual Desktop, visit this blog
  • To learn more about the security risks and mitigations for BYOD, and how Windows 365 can help, visit https://aka.ms/w365byodebook


[1] The 2025 Verizon Data Breach Investigations Report found that 30% of compromised systems were enterprise-licensed, while 46% were non-managed endpoints, often due to BYOD policies.


Updated Nov 18, 2025