Announcing general availability of Screen Capture Protection for Azure Virtual Desktop

Microsoft

Work From Home (WFH) was never so popular (or inevitable) as it is today. At the peak of the COVID-19 lockdowns, more than 85% of connections to Azure Virtual Desktop came from users working from home. More than half of those users sit in front of devices not managed by corporate IT. Most of those unmanaged client devices are desktops, often shared across family members. The lockdowns will eventually be lifted; still, as many industry analysts agree, at least 50% of users will continue to work from home.


While bring-your-own-device (BYOD) initiatives are trendy, customers struggle with securing access to corporate data. In a shared home computer scenario, the client device may contain spyware or other types of malware that periodically take screenshots and send them to the attacker. Home users may also use legitimate applications to track what their kids are doing online. In most cases, such apps also constantly record the screen and store the output either locally or in a third-party cloud service. Even with no malware, there is always room for human error and accidental sharing of confidential information through screen sharing, either in a virtual meeting or as a result of a social engineering attack. Because the risk of a data breach remains high, extra security controls are the most requested features for Azure Virtual Desktop.

Today we are excited to announce the general availability of Screen Capture Protection. This new Azure Virtual Desktop feature prevents sensitive information from being captured by software running on the client endpoint. When you enable this feature, remote content is automatically blocked or hidden in screenshots and screen shares. The protection covers built-in functionality such as pressing the PrtScn key or using Snipping Tool, as well as third-party applications installed on the client.

Protection is enforced by verifying the Azure Virtual Desktop client's capabilities; if the user tries to connect with an unsupported client, Azure Virtual Desktop denies the connection.
You can enable the feature to secure a single session host, or use Active Directory Group Policy to manage protection for different host pools centrally.

We recommend using this feature in combination with disabling device and clipboard redirection, so that session content cannot simply be copied out to the unmanaged client by other means.
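As an added example (not code from the original post or from Microsoft), the following PowerShell script applies the companion recommendation above: it disables clipboard and device redirection on an Azure Virtual Desktop host pool through its custom RDP properties, preserving whatever other properties are already set. It assumes the Az.DesktopVirtualization module, an authenticated Azure session, and placeholder resource group and host pool names; the Screen Capture Protection policy itself is still enabled on the session hosts via Group Policy as the documentation describes.

```powershell
# Added example: harden an AVD host pool by turning off clipboard and device redirection.
# Assumes Az.DesktopVirtualization is installed and Connect-AzAccount has already been run.
# Screen Capture Protection itself is configured on the session hosts via Group Policy.

# Redirection properties to force off. For the "s:" properties an empty value means "redirect nothing".
$disabledRedirection = @{
    'redirectclipboard'    = 'i:0'   # no clipboard between client and session
    'drivestoredirect'     = 's:'    # no local drives
    'devicestoredirect'    = 's:'    # no plug-and-play devices
    'usbdevicestoredirect' = 's:'    # no USB passthrough
    'camerastoredirect'    = 's:'    # no cameras
    'redirectprinters'     = 'i:0'
    'redirectcomports'     = 'i:0'
    'redirectsmartcards'   = 'i:0'   # keep i:1 if smart-card sign-in is required
}

function Merge-RdpProperties {
    param(
        [string]$Existing,     # current CustomRdpProperty value, e.g. "audiomode:i:0;redirectclipboard:i:1;"
        [hashtable]$Overrides
    )
    # Parse "name:type:value" entries into an ordered table so unrelated settings survive the merge.
    $props = [ordered]@{}
    foreach ($entry in ($Existing -split ';' | Where-Object { $_ -match '^\s*[^:]+:.+$' })) {
        $name, $rest = $entry.Trim() -split ':', 2
        $props[$name.ToLowerInvariant()] = $rest
    }
    foreach ($key in $Overrides.Keys) { $props[$key] = $Overrides[$key] }
    # Rebuild in the form the host pool expects: "name:type:value;" per property.
    return (($props.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value)" }) -join ';') + ';'
}

# Placeholder names; replace with your own resource group and host pool.
$rg   = 'RG-AVD-PLACEHOLDER'
$pool = 'HP-AVD-PLACEHOLDER'

$current  = (Get-AzWvdHostPool -ResourceGroupName $rg -Name $pool).CustomRdpProperty
$hardened = Merge-RdpProperties -Existing $current -Overrides $disabledRedirection
Update-AzWvdHostPool -ResourceGroupName $rg -Name $pool -CustomRdpProperty $hardened | Out-Null

# Verify: the applied string must not re-enable clipboard or drive redirection.
$applied = (Get-AzWvdHostPool -ResourceGroupName $rg -Name $pool).CustomRdpProperty
if ($applied -match 'redirectclipboard:i:1|drivestoredirect:s:[^;]') {
    throw "Redirection is still enabled on $pool : $applied"
}
Write-Host "Host pool $pool now uses: $applied"
```

Run it once per host pool; users get the new RDP properties on their next connection, so existing sessions should be signed out to enforce the change immediately.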

The feature is available for all Azure Virtual Desktop customers at no extra cost.


To get started, see the Screen Capture Protection documentation, which outlines the steps needed to enable this feature.

9/16 Update - The SCP feature is temporarily unavailable in the Azure Government cloud. We are working on deploying the required stack updates. This post will be updated when deployment is complete.

10/12 Update - SCP is now available for macOS and supports Sovereign clouds. Learn more: Screen Capture Protection for macOS client and support for Sovereign Clouds

9 Replies
Will this function in an Azure Government environment?

@Shawn Hays Yes, the feature is available in all environments.

@fdwl What happens if the WVD client is being used in a VM? I assume the host OS will be able to screenshot/record anything in this case, as the underlying VM is not even aware of these tools on the host side. A better detection here would be to check if the client is running in a VM and act accordingly, wouldn't that be the case? What about potential third-party clients on Linux too?

@c_rod The primary purpose of the feature is to protect content from unintended leaks, whether by accidental sharing or through spyware.

It is not possible to completely prevent intentional stealing of content on an unmanaged client device or via external capture such as a camera or HDMI capture box; if content requires such protection, DRM protection should be applied instead.

While roadmap discussion is off-topic, we are considering additional protections, including support for nested sessions and extended client support. Please use AVD ideas to help prioritize the work.

Hi,

Is it compatible with the new Windows 365 Cloud PC solution on browsers?

When will the Screen Capture Protection be a part of the security baseline as a default setting and configurable in Intune as opposed to having folks download, install, and configure administrative templates?

No, there are no plans to have this feature enabled by default.

When will this feature be supported in the RD Remote Android client? We receive an error "0x1151" if this policy is enabled for our Android clients using AVD or Win365.