Enable screen capture protection in Azure Virtual Desktop & Windows 365

Screen capture protection, alongside watermarking, helps prevent sensitive data from being captured on client devices using specific operating system (OS) features and APIs. When you enable screen capture protection, remote content is automatically blocked in screenshots and screen sharing. This feature can be applied to Azure Virtual Desktop virtual machines and Windows 365 Cloud PCs.

When Screen Capture Protection (SCP) is enabled to block screen capture on the client, users can continue to share their remote desktop or individual applications using supported collaboration experiences such as Microsoft Teams. Compatibility between SCP and Teams screen sharing depends on the use of supported client configurations. When unsupported configurations are used, protected content may appear as a black screen during sharing. For current compatibility requirements and configuration guidance with Teams, see here.

Important

Screen capture protection doesn't provide Digital Rights Management (DRM)-level protection. It prevents screen capture through standard OS features and APIs and isn't a substitute for DRM solutions. For comprehensive data protection, use screen capture protection as part of a broader defense-in-depth security strategy that includes other controls, such as conditional access policies, data loss prevention, and endpoint management.

Tip

  • To increase the security of your sensitive information, you should also disable clipboard, drive, and printer redirection. Disabling redirection helps prevent users from copying content from the remote session. To learn about supported redirection values, see Device redirection.

  • To discourage other methods of screen capture, such as taking a photo of a screen with a physical camera, you can enable watermarking, where admins can use a QR code to trace the session.

Determine your configuration

The steps to configure screen capture protection depend on where you configure it, which platforms your users are connecting from and what scenario you want to achieve.

  • Windows and macOS devices: you prevent screen capture by configuring virtual machines (Azure Virtual Desktop) or Cloud PCs (Windows 365) using an Intune device configuration policy or Group Policy. Windows App or the Remote Desktop client enforces screen capture protection settings without further configuration.

    When you configure screen capture protection on virtual machines or Cloud PCs, there are two further settings you can configure to help meet your requirements:

    • Block screen capture on client: prevents screen capture from the local device of applications running in the remote session.

    • Block screen capture on client and server: prevents screen capture from the local device of applications running in the remote session, and also prevents tools and services within the virtual machine or Cloud PC from capturing the screen.

    In this scenario, here's the outcome when connecting from each platform type:

    Platform    | Connection allowed | Screen capture blocked
    Windows     | ✅                 | ✅
    macOS       | ✅                 | ✅
    iOS/iPadOS  | ✅¹                | ✅¹
    Android     | ✅¹                | ✅¹
    Web         | ❌                 | N/A

1. Hybrid enforcement (iOS/iPadOS/Android): When Screen Capture Protection is enabled on the virtual machine or Cloud PC, connections from managed iOS/iPadOS and Android devices are allowed when protected by an Intune MAM app protection policy that blocks screen capture. Hybrid enforcement isn't applicable on platforms that don't support Intune MAM.

Note

Hybrid enforcement requires the following minimum app versions:

  • iOS/iPadOS: Windows App version 11.2.4
  • Android: Windows App version 11.0.0.94 (or later supporting hybrid enforcement)

  • Android & iOS devices: you prevent screen capture by configuring local devices using Microsoft Intune mobile application management (MAM). This doesn't prevent tools and services within the virtual machine or Cloud PC from capturing the screen. For more information, see Manage local device redirection settings with Microsoft Intune.

    In this scenario, here's the outcome when connecting from each platform type:

    Platform    | Connection allowed | Screen capture blocked
    Windows     | ✅                 | ❌
    macOS       | ✅                 | ❌
    iOS/iPadOS  | ✅                 | ✅
    Android     | ✅                 | ✅
    Web         | ✅                 | ❌

Important

For Android and iOS/iPadOS devices, hybrid enforcement (MAM configuration) is the supported model when admin-configured SCP (for Windows and macOS) is enabled in Intune.

Platform considerations for screen capture protection on macOS

Screen capture protection is fully supported on Windows, but there are known limitations on macOS due to the platform's current security architecture:

  • Microsoft Teams compatibility: on macOS, enabling screen capture protection might interfere with screen sharing in Microsoft Teams, potentially causing shared windows to appear blank or not display properly. If Teams-based collaboration is required, screen capture protection might need to be temporarily disabled on the device.

  • Platform-level enforcement: due to macOS restrictions, some native applications might not fully respect screen capture protection enforcement. This is a limitation of the operating system's available APIs, not a defect in screen capture protection itself.

Here are some recommendations for these limitations:

  • For collaboration-heavy macOS workflows, consider configuring screen capture protection settings based on business need and risk level.

  • For highly sensitive content, Windows endpoints are recommended for full enforcement of screen protection features.

  • Watermarking and administrative policies can be used to further discourage misuse on platforms with limited enforcement.

Admin deployment patterns

The following patterns describe common deployment scenarios for screen capture protection:

Pattern 1: Desktop endpoints (Windows and macOS)

If your users connect only from Windows or macOS devices, configure screen capture protection on virtual machines (Azure Virtual Desktop) or Cloud PCs (Windows 365) using an Intune device configuration policy or Group Policy. No MAM configuration is required.

  • Configure virtual machines (Azure Virtual Desktop) or Cloud PCs (Windows 365) with screen capture protection enabled.
  • Windows App and the Remote Desktop client enforce protection automatically.

Pattern 2: Mixed endpoints (Windows/macOS and Android/iOS)

If your users connect from both desktop and mobile devices, use hybrid enforcement. Configure screen capture protection on both the virtual machine or Cloud PC and the Intune MAM app protection policy.

  • Configure virtual machines (Azure Virtual Desktop) or Cloud PCs (Windows 365) with screen capture protection enabled (Intune or Group Policy).
  • Configure an Intune MAM app protection policy to block screen capture on Android and iOS/iPadOS devices.
  • On Android and iOS/iPadOS, Windows App supports hybrid enforcement: if both the admin-configured SCP and the MAM policy block screen capture, the connection is allowed and screen capture is blocked. If the MAM policy doesn't block screen capture, the Android and iOS/iPadOS connection is blocked.

Prerequisites

Before you can configure screen capture protection, ensure you meet the following prerequisites:

  • For scenarios where you need to configure virtual machines or Cloud PCs, those virtual machines or Cloud PCs must be running a Windows 11, version 22H2 or later, or Windows 10, version 22H2 or later.

  • Users must connect to Azure Virtual Desktop with Windows App or the Remote Desktop app to use screen capture protection. The following tables show the supported scenarios:

    • Windows App:

      Platform                   | Minimum version | Desktop session | RemoteApp session
      Windows App on Windows     | Any             | Yes             | Yes. Local device OS must be Windows 11, version 22H2 or later.
      Windows App on macOS       | Any             | Yes             | Yes
      Windows App on iOS/iPadOS  | 11.2.4          | Yes             | Yes
      Windows App on Android¹    | 11.0.0.94       | Yes             | Yes

      1. Doesn't include support for ChromeOS because Intune MAM isn't supported on ChromeOS.

    • Remote Desktop client:

      Platform                  | Minimum version | Desktop session | RemoteApp session
      Windows (desktop client)  | 1.2.1672        | Yes             | Yes. Local device OS must be Windows 11, version 22H2 or later.
      macOS                     | 10.7.0 or later | Yes             | Yes

  • To configure Microsoft Intune, you need:

    • Microsoft Entra ID account that is assigned the Policy and Profile manager built-in RBAC role.

    • A group containing the devices you want to configure.

  • To configure Group Policy, you need:

    • A domain account that is a member of the Domain Admins security group.

    • A security group or organizational unit (OU) containing the devices you want to configure.

Enable screen capture protection on virtual machines and Cloud PCs using an Intune device configuration policy or Group Policy

To configure screen capture protection on virtual machines (Azure Virtual Desktop) or Cloud PCs (Windows 365) using Microsoft Intune:

  1. Sign in to the Microsoft Intune admin center.

  2. Create or edit a configuration profile for Windows 10 and later devices, with the Settings catalog profile type.

  3. In the settings picker, browse to Administrative templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop.

    A screenshot showing the Azure Virtual Desktop options in the Microsoft Intune portal.

  4. Check the box for Enable screen capture protection, then close the settings picker.

  5. Expand the Administrative templates category, then toggle the switch for Enable screen capture protection to Enabled.

    A screenshot showing the screen capture protection settings in Microsoft Intune.

  6. Toggle the switch for Screen Capture Protection Options (Device) to off for Block screen capture on client, or on for Block screen capture on client and server based on your requirements, then select OK.

  7. Select Next.

  8. Optional: On the Scope tags tab, select a scope tag to filter the profile. For more information about scope tags, see Use role-based access control (RBAC) and scope tags for distributed IT.

  9. On the Assignments tab, select the group containing the computers providing a remote session you want to configure, then select Next.

  10. On the Review + create tab, review the settings, then select Create.

  11. Once the policy applies to the computers providing a remote session, restart them for the settings to take effect.

Enable screen capture protection on local devices using Intune MAM

To use screen capture protection on iOS/iPadOS and Android devices running Windows App, you need to configure an Intune app protection policy.

To configure an Intune app protection policy to enable screen capture protection on iOS/iPadOS and Android devices:

  1. Follow the steps to Require local client device security compliance with Microsoft Intune and Microsoft Entra Conditional Access. Local client device security compliance provides the foundation to configure screen capture protection on iOS/iPadOS and Android devices running Windows App.

  2. When configuring an app protection policy, on the Data protection tab, configure the following setting, depending on the platform:

    1. For iOS/iPadOS, set Screen capture to Block.

      A screenshot showing the iOS screen capture protection settings in a MAM policy.

    2. For Android, set Screen capture to Block.

      A screenshot showing the Android screen capture protection settings in a MAM policy.

  3. Configure other settings based on your requirements and target the app protection policy to users and devices.

Verify screen capture protection

To verify screen capture protection is working:

  1. Connect to a new remote session with a supported client. Don't reconnect to an existing session. You need to sign out of any existing sessions and sign back in again for the change to take effect.

  2. From a local device, take a screenshot or share your screen in a Teams call or meeting. The content is blocked or hidden.

  3. On Windows and macOS devices, if you enabled Block screen capture on client and server on your virtual machines or Cloud PCs, try to capture the screen using a tool or service within the virtual machine or Cloud PC. The content is blocked or hidden.

If you enable screen capture protection on virtual machines or Cloud PCs, you must connect from a supported device. If you don't, you see an error message indicating that screen capture protection is enabled. The error message looks similar to these screenshots:

  • Web browser:

    A screenshot from Windows App in a web browser showing an error message that screen capture is enabled and you need to connect from a supported client.

  • iOS/iPadOS:

    A screenshot from Windows App for iOS/iPadOS showing an error message that screen capture is enabled and you need to connect from a supported client.

Verify and troubleshoot Android or iOS/iPadOS hybrid enforcement

When admin-configured SCP is enabled, Android or iOS/iPadOS connections are only allowed if the MAM app protection policy also blocks screen capture (hybrid enforcement).

To verify Android or iOS/iPadOS hybrid enforcement is working:

  1. Confirm the Intune MAM app protection policy is applied to the user and device. In the Microsoft Intune admin center, check the app protection policy status for the user under Apps > Monitor > App protection status.

  2. On the Android or iOS/iPadOS device, sign out of Windows App and sign back in to pick up the latest policy settings.

  3. Connect to the remote session. If both the admin-configured SCP and the MAM policy block screen capture, the connection succeeds and screen capture is blocked.

If Android or iOS/iPadOS connections are blocked unexpectedly, check the following:

  • Verify the MAM app protection policy is assigned to the user and that Screen capture is set to Block.
  • Restart Windows App on the Android or iOS/iPadOS device or sign out and sign back in.
  • Confirm that the installed version of Windows App for Android or iOS/iPadOS supports hybrid enforcement.
  • Confirm the Android device isn't running ChromeOS or Meta Quest, which don't support Intune MAM.

Tip

If a user is blocked because the MAM policy isn't applied or doesn't block screen capture, recommend the following message to help them understand the issue:

"Your organization requires screen capture protection to be enforced on your device to connect to this remote session. Ensure you're using the Windows App from a managed device with an app protection policy that blocks screen capture. Contact your IT admin for assistance."