Enable screen capture protection in Azure Virtual Desktop
Screen capture protection, alongside watermarking, helps prevent sensitive information from being captured on client endpoints through a specific set of operating system (OS) features and Application Programming Interfaces (APIs). When you enable screen capture protection, remote content is automatically blocked in screenshots and screen sharing. You can configure screen capture protection using Group Policy on your session hosts.
There are two supported scenarios for screen capture protection, depending on the version of Windows you're using:
Block screen capture on client: the session host instructs a supported Remote Desktop client to enable screen capture protection for a remote session. This option prevents screen capture from the client of applications running in the remote session.
Block screen capture on client and server: the session host instructs a supported Remote Desktop client to enable screen capture protection for a remote session. This option prevents screen capture from the client of applications running in the remote session, but also prevents tools and services within the session host from capturing the screen.
When screen capture protection is enabled, users can't share their Remote Desktop window using local collaboration software, such as Microsoft Teams. With Teams, neither the local Teams app or using Teams with media optimization can share protected content.
Tip
To increase the security of your sensitive information, you should also disable clipboard, drive, and printer redirection. Disabling redirection helps prevent users from copying content from the remote session. To learn about supported redirection values, see Device redirection.
To discourage other methods of screen capture, such as taking a photo of a screen with a physical camera, you can enable watermarking, where admins can use a QR code to trace the session.
Prerequisites
Your session hosts must be running one of the following versions of Windows to use screen capture protection:
- Block screen capture on client is available with a supported version of Windows 10 or Windows 11.
- Block screen capture on client and server is available starting with Windows 11, version 22H2.
Users must connect to Azure Virtual Desktop with Windows App or the Remote Desktop app to use screen capture protection. The following table shows supported scenarios. If a user tries to connect with a different app or version, the connection is denied and shows an error message with the code
0x1151.App Version Desktop session RemoteApp session Windows App on Windows Any Yes Yes. Client device OS must be Windows 11, version 22H2 or later. Remote Desktop client on Windows 1.2.1672 or later Yes Yes. Client device OS must be Windows 11, version 22H2 or later. Azure Virtual Desktop Store app Any Yes Yes. Client device OS must be Windows 11, version 22H2 or later.
To configure Group Policy, you need:
A domain account that is a member of the Domain Admins security group.
A security group or organizational unit (OU) containing the devices you want to configure.
Enable screen capture protection
Screen capture protection is configured on session hosts and enforced by the client. You configure the settings by using Group Policy.
To configure screen capture protection using Group Policy:
Follow the steps to make the Administrative template for Azure Virtual Desktop available to Group Policy.
Open the Group Policy Management console on device you use to manage the Active Directory domain.
Create or edit a policy that targets the computers providing a remote session you want to configure.
Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop.
Double-click the policy setting Enable screen capture protection to open it, then select Enabled.
From the drop-down menu, select the screen capture protection scenario you want to use from Block screen capture on client or Block screen capture on client and server based on your requirements, then select OK.
Ensure the policy is applied to the computers providing a remote session, then restart them for the settings to take effect.
Verify screen capture protection
To verify screen capture protection is working:
Connect to a remote session with a supported client.
Take a screenshot or share your screen in a Teams call or meeting. The content should be blocked or hidden. Any existing sessions need to sign out and back in again for the change to take effect.
Related content
Enable watermarking, where admins can use a QR code to trace the session.
Learn about how to secure your Azure Virtual Desktop deployment at Security best practices.