Forum Discussion

Agdar (Microsoft)
Jul 27, 2024

Security in AVD Environments: Screen Capture Protection Feature

 

Screen capture protection in Azure Virtual Desktop (AVD) is an important feature for preserving data security within AVD environments. Released for general availability on August 30, 2021, it aims to stop sensitive information from being captured at the client endpoint. Once enabled, remoted content is hidden or blacked out in screenshots, in screen-sharing sessions, and from any malicious software that continuously captures the screen's contents.

Supported Scenarios and Prerequisites of Screen Capture Protection in AVD

The feature is configured at the session host level and enforced by the client. It is supported by the Remote Desktop client for Windows (the Windows Desktop client) for full desktops only, and by the macOS client version 10.7.0 or later for both RemoteApp and full desktops. If a user attempts to connect to a protected session host with any other client, the connection does not fall back to an unprotected session; it fails with error 0x1151. The policy has two modes, described below.


  1. Block Screen Capture on Client: This mode prevents screen capture on the client side only. When enabled, any attempt to take a screenshot or screen recording on the client device shows a blank or black area where the session window is.
    • Use Case: Environments where users access sensitive information and the concern is data leakage through client-side screen capture tools.
    • Mechanism: The AVD client marks the session window as protected, and the client operating system's display compositor (DWM on Windows) excludes it from capture. This covers the built-in screenshot tools, third-party screen capture software and screen recording features, as long as they capture through the normal graphics path.
    • Impact: Users see a blank or black region in the captured image or video, so the remoted content is not exposed. This mode does not stop capture initiated inside the session: a PrintScreen pressed while the session has focus runs on the session host, not on the client, which is why the clipboard and server-side controls described later in this post matter.

  2. Block Screen Capture on Client and Server: This mode extends the protection to both the client and the session host. It prevents screen capture from the client device and from within the remote session itself.
    • Use Case: Highly secure environments where both client-side and in-session screen capture must be restricted.
    • Mechanism: In addition to the client-side behaviour above, the session host marks the session content as protected, so capture attempts by software running inside the session (including remote desktop and screen-sharing tools launched there) get a blank or black image. Microsoft documents this mode as requiring Windows 11, version 22H2 or later on the session host.
    • Impact: Any screen capture attempt from within the session results in a blank or black screen, so sensitive information stays protected on both sides.


> Prerequisites:

  1. Operating System Requirements (session host):
      • Block screen capture on client: Windows 10, version 2004 or later, or any version of Windows 11.
      • Block screen capture on client and server: Windows 11, version 22H2 or later.
  2. Client Application Requirements:
      • Remote Desktop client for Windows (Windows Desktop client): keep it on the latest version; full desktops only.
      • Remote Desktop client for macOS: version 10.7.0 or later (RemoteApp and full desktops).
      • Any other client is unsupported and fails to connect to a protected session host with error 0x1151.
  3. Session Host Configuration:
      • Group Policy: Configure the "Enable screen capture protection" setting from the Azure Virtual Desktop administrative template on the session hosts.
      • Microsoft Intune: Alternatively, deliver the same setting with an Intune configuration profile. Both methods write the policy value fEnableScreenCaptureProtect under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services (1 = client, 2 = client and server).
  4. Azure Virtual Desktop Environment:
      • AVD Setup: The host pool and its session hosts must already be deployed and registered.
      • Administrative Permissions: Whoever configures the policy needs rights to edit a GPO linked to the session hosts' OU, or an Intune role that can create and assign device configuration profiles. End users need no permissions for the feature and cannot turn it off from inside the session.
  5. Network and Connectivity:
      • Stable Internet Connection: A reliable connection is required for seamless operation of AVD and its features.
      • Firewall and Network Settings: The standard AVD network requirements apply (outbound TCP 443 from session hosts and clients to the service); the feature adds no ports of its own.


Enabling Screen Capture Protection in AVD:

  1. Using Group Policy:
    • Open the Group Policy Management Console (GPMC) and edit a GPO linked to the OU that contains the session hosts. The Azure Virtual Desktop administrative template (ADMX) must be installed in the policy store, otherwise the setting below is not visible.
    • Navigate to the policy path: Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Azure Virtual Desktop.
    • Open the setting "Enable screen capture protection", set it to Enabled, and choose either "Block screen capture on client" or "Block screen capture on client and server".
    • Run gpupdate /force on the session hosts (or wait for the next policy refresh). The setting applies to new sessions; existing sessions have to reconnect.

  2. Using Microsoft Intune:
    • Sign in to the Microsoft Intune admin center (formerly the Microsoft Endpoint Manager admin center).
    • Create a new device configuration profile for Windows 10 and later using the Settings catalog.
    • Add "Enable screen capture protection" (Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop), enable it, select the mode, and assign the profile to the device group containing the session hosts.
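As an added example (not part of the original post, and not Microsoft's tooling), the same setting applied directly on a session host with PowerShell. This is useful in image builds, on hosts that are not yet receiving policy, and for auditing what a GPO or Intune profile actually wrote. It writes the policy value the "Enable screen capture protection" template sets (fEnableScreenCaptureProtect under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services; 1 = block on client, 2 = block on client and server) and refuses the client-and-server mode on a host older than Windows 11 22H2 (build 22621). The function names and the build check are this example's own choices.

```powershell
# Added example: configure and verify AVD screen capture protection on a session host.
# Run elevated on the session host. It mirrors what the "Enable screen capture protection"
# Group Policy / Intune setting writes; a domain or Intune policy overwrites it on the next refresh.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ValueName = 'fEnableScreenCaptureProtect'

function Set-AvdScreenCaptureProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 'Client' blocks capture on the client only; 'ClientAndServer' also blocks inside the session.
        [Parameter(Mandatory)]
        [ValidateSet('Client', 'ClientAndServer')]
        [string]$Mode
    )

    $value = if ($Mode -eq 'Client') { 1 } else { 2 }

    if ($value -eq 2) {
        # Client-and-server blocking is documented for Windows 11 22H2 (build 22621) or later session hosts;
        # refuse rather than silently configure a mode the host cannot enforce.
        $build = [int](Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name CurrentBuildNumber)
        if ($build -lt 22621) {
            throw "Session host build $build is below 22621; 'ClientAndServer' needs Windows 11 22H2 or later."
        }
    }

    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }

    if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", "Set to $value ($Mode)")) {
        New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value $value -Force | Out-Null
    }
}

function Get-AvdScreenCaptureProtection {
    # Returns the effective mode so hosts can be audited after a policy rollout.
    $current = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    switch ($current.$ValueName) {
        1       { 'Client' }
        2       { 'ClientAndServer' }
        default { 'Disabled' }
    }
}

Set-AvdScreenCaptureProtection -Mode ClientAndServer -WhatIf   # dry run first
Set-AvdScreenCaptureProtection -Mode ClientAndServer
Get-AvdScreenCaptureProtection
```

Existing sessions must reconnect before the new mode applies. To audit a whole host pool, run Get-AvdScreenCaptureProtection on each host (for example through Invoke-Command) and compare the result against the mode the GPO or Intune profile is supposed to deliver; a host reporting Disabled after the policy refresh is one that never received the template.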

                

 

 

 

 

Additional Considerations

  • Compatibility: Ensure that the client devices and session hosts meet the prerequisites above. An unsupported client does not fall back to an unprotected session but fails to connect with error 0x1151, so enable the policy per host pool and communicate the supported clients before rolling it out.

  • User Experience: Inform users about the screen capture protection feature and its implications, such as the inability to take screenshots of the session window or share it in screen-sharing tools, and, in client-and-server mode, the inability to capture anything from inside the session either.

  • Limitation: The client-side protection relies on the operating system's display (DWM) enforcement. There is no guarantee against tools that bypass it by hooking lower in the graphics stack (such as mirror drivers), and no software control stops a camera pointed at the screen; the measures below are meant to cover those gaps.


Additional Security Measures:

  • Watermarking: To discourage capture methods that the protection cannot block, such as taking a photo of the screen with a physical camera, watermarking can be enabled on the session host. It overlays QR codes encoding the connection ID on the session, so a leaked image can be traced back to the session and user through the AVD diagnostics data.

  • Clipboard Redirection: Disable clipboard redirection for the host pool (the "Do not allow Clipboard redirection" policy). A PrintScreen pressed while the session has focus is executed on the session host and places the image on the remote clipboard; with redirection enabled, that image can simply be pasted on the client, bypassing the client-side capture block.
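As an added example (not from the original post), the two complementary controls applied on a session host with PowerShell, with a compliance check that can be run across a host pool. The value names are the ones the administrative templates write under the same Terminal Services policy key: fEnableWatermarking for "Enable watermarking" (Azure Virtual Desktop template) and fDisableClip for "Do not allow Clipboard redirection" (Device and Resource Redirection). The function names and the hashtable layout are this example's own.

```powershell
# Added example: watermarking on, clipboard redirection off, on an AVD session host.
# Run elevated. GPO / Intune settings of the same names take precedence on the next policy refresh.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Desired state: value name -> DWORD value.
#   fEnableWatermarking = 1  ("Enable watermarking" in the Azure Virtual Desktop template)
#   fDisableClip        = 1  ("Do not allow Clipboard redirection" in Device and Resource Redirection)
$Desired = @{
    fEnableWatermarking = 1
    fDisableClip        = 1
}

function Set-AvdAntiExfilPolicy {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Desired.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord -Value $Desired[$name] -Force | Out-Null
    }
}

function Test-AvdAntiExfilPolicy {
    # Emits one object per setting with expected and actual values; run it against every host
    # (for example via Invoke-Command) to catch drift or hosts that never received the policy.
    foreach ($name in $Desired.Keys) {
        $actual = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Desired[$name]
            Actual    = $actual
            Compliant = ($actual -eq $Desired[$name])
        }
    }
}

Set-AvdAntiExfilPolicy
Test-AvdAntiExfilPolicy | Format-Table -AutoSize
```

Disabling clipboard redirection closes the PrintScreen-in-session path described above, but it also blocks ordinary copy and paste between client and session, so decide it per host pool rather than tenant-wide. Watermarking only deters and attributes; it does not prevent capture, which is why it is paired with screen capture protection rather than used instead of it.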

 

 

 

 

Resources