Sunday, June 30, 2024

w365: Enabling Screen Capture Protection for Windows 365 in Intune

As the hybrid work environment becomes the new normal, securing virtual desktops is more critical than ever. Windows 365, Microsoft's cloud PC solution, includes a valuable feature: Screen Capture Protection. This feature prevents unauthorized screen captures of sensitive information displayed on a Windows 365 Cloud PC. Managing it through Microsoft Intune gives you a centralized approach. This post is a straightforward guide to enabling Screen Capture Protection in Intune so that screen capture tools such as Print Screen and Snipping Tool can no longer capture the Cloud PC session.

Simple Steps to Enable Screen Capture Protection in Intune

1. Log into Microsoft Intune:
   
2. Navigate to Configuration Profiles:
   Go to Devices > Configuration profiles

3. Create a New Profile:
   Click Create profile and choose Windows 10 and later as the platform. Select Templates for the profile type, then choose Administrative Templates.

4. Configure Screen Capture Settings:
   - In the settings picker, browse to Administrative templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop.
   - Find and select Enable screen capture protection.
   - Set this policy to Enabled.
   - Turn off the other setting, as it also stops tools and services on the session host from capturing the screen, in addition to blocking screen capture from the client of programs running in the remote session.




5. Assign the Profile:
   - Assign this profile to the group of users or devices that will use Windows 365 Cloud PCs.
   
6. Review and Create:
   - Review the settings and click Create. 
   - The profile will be pushed to the assigned devices and users, enabling screen capture protection.

7. Restart the Cloud PC for the setting to take effect.

Important Considerations When Using Screen Capture Protection

Web Browser Access and Screen Sharing

When screen capture protection is enabled, any connection through the web browser or the remote desktop app on Android or iOS will fail, presenting an error message like the one below. Additionally, if you join Teams meetings through your Cloud PC, you will no longer be able to share your screen.



Though the second screen shows "you need to enable screen capture protection", it should actually say to disable screen capture protection in order to access the Cloud PC in the browser session.

Update (28/08/2024): Microsoft has fixed the error message shown when a Cloud PC with screen capture protection enabled is accessed through a browser.




When accessing through the Remote Desktop client on iOS, the error below is shown.

Saturday, June 29, 2024

w365: Exploring the Windows 365 Switch: Adding Cloud PC to Task View

As technology advances, the line between local computing and cloud computing continues to blur. Microsoft’s Windows 365, a revolutionary cloud PC service, has introduced an exciting new feature called Windows 365 Switch. This feature seamlessly integrates your cloud PC into the Windows 11 Task View, making the transition between your local desktop and cloud PC effortless. In this blog, we’ll delve into what the Windows 365 Switch is, its benefits, and how to make the most of this powerful feature.

What is Windows 365 Switch?

Windows 365 Switch is a feature within Windows 365 that allows users to add their cloud PC to the Task View of their local Windows 11 machine. Task View, a familiar tool for Windows users, lets you quickly switch between open applications and virtual desktops. With the addition of Windows 365 Switch, you can now easily toggle between your local desktop environment and your cloud PC, providing a seamless hybrid computing experience.


Key Benefits of Windows 365 Switch

1. Seamless Transition

The primary benefit of Windows 365 Switch is the seamless transition it provides between your local desktop and your cloud PC. Whether you're working on a document locally or need to access specialized software on your cloud PC, switching between the two environments is as simple as clicking a button in Task View.

2. Enhanced Productivity

By integrating your cloud PC into Task View, Windows 365 Switch enhances your productivity. You no longer need to log in and out of different systems or manage multiple sets of files manually. Everything you need is just a click away, allowing you to maintain your workflow without interruptions.

3. Consistent User Experience

Windows 365 Switch ensures a consistent user experience across both your local and cloud environments. Your settings, applications, and files are always synchronized, providing a unified workspace that adapts to your needs, whether you're working locally or in the cloud.

4. Flexibility and Mobility

In today’s hybrid work environment, flexibility is crucial. Windows 365 Switch allows you to access your cloud PC from any Windows 11 device, providing the mobility to work from anywhere. This flexibility is especially beneficial for remote workers, freelancers, and teams spread across different locations.

5. Simplified Management

For IT administrators, managing a hybrid workforce becomes simpler with Windows 365 Switch. Centralized management tools ensure that both local desktops and cloud PCs are secure, updated, and compliant with organizational policies. This unified management approach reduces complexity and enhances overall security.

How to Use Windows 365 Switch

Using Windows 365 Switch is straightforward. Here’s a step-by-step guide to get you started:

Step 1: Set Up Windows 365

Ensure you have a Windows 365 subscription and your cloud PC is set up. Follow the setup instructions provided by Microsoft to get your cloud PC running.

Step 2: Access Task View

On your local Windows 11 machine, access Task View by clicking the Task View icon on the taskbar or by pressing `Windows + Tab` on your keyboard.

Step 3: Add Cloud PC to Task View

Open the Windows app, choose one Cloud PC, select the ellipses, and then select Add to Task view.


You can add one or more Cloud PCs to your Task View; however, only the first Cloud PC will be visible in Task View. The others are arranged in a stack, and if the first one is removed, the next one becomes visible.

https://learn.microsoft.com/en-us/windows-365/enterprise/windows-365-switch-known-issues#support-for-only-one-cloud-pc

Step 4: Switch Between Environments

Click on your cloud PC in Task View to switch to it. You can now work on your cloud PC as if it were a local desktop. To return to your local environment, simply use Task View again and select your local desktop.

Keyboard Navigation:

To switch between the local PC and the Cloud PC in Task View from the keyboard, use the key combination below.

WIN + Ctrl + left or right arrows

Step 5: Disconnect from the Cloud PC

To disconnect from a Cloud PC, select the Task view in the taskbar, right-click on the Cloud PC, and then select Disconnect.

Caveats:

You can add more than one Cloud PC to Task View using the Windows app, but only the first one added is ever shown, not the second or third ones.

The Cloud PCs are added in a stack fashion, so if you remove the first CPC you added, the second one will take its place.

What if you have deprovisioned the Cloud PC and are not able to remove it from Task View?

Try checking this registry key:

Remove the registry keys under the branch below, then restart explorer.exe or reboot, and the entry should be gone.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RemoteSystemProviders\

If that doesn’t work, check the Windows 365 Switch known issues article and follow its guidance.


Tuesday, June 11, 2024

Intune - Linux Intune app shows Something went wrong [1001] while registering

Logging in to the Intune app on Ubuntu 22.04 and clicking Register shows an error after a while: "Something went wrong. [1001]"

Run the command below in a terminal and reproduce the issue on the device again.

journalctl --user -f -u microsoft-identity-broker.service

Found the error below in the logs:

Jul 02 12:39:37 microsoft-identity-broker[2719976]: Caused by: com.microsoft.identity.broker4j.workplacejoin.exception.DrsErrorResponseException: {"code":"invalid_request","subcode":"error_directory_quota_exceeded","message":"User 'aef5db22-07a6-40ee-9f7e-20' is not eligible to enroll a device of type 'Linux'. Reason 'DeviceCapReached'.","operation":"DeviceJoin","requestid":"08e0c4a1-e0d4-4a1f-bad9-101f3549aba6"}

From the logs, we can see that this user is not eligible to enrol the device because the maximum number of registered devices has already been reached.

Remove any stale devices for the end user in the Intune portal and retry the registration.
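
A small triage helper for the broker journal, added here as an example (it is not part of the original post and not Microsoft tooling): it pulls the JSON body out of DrsErrorResponseException lines like the one above and reports the subcode and reason. The sample lines, host name and IDs are constructed placeholders, and the hint table holds only the case this post covers.

```python
import json
import re
import sys

MARKER = "DrsErrorResponseException: "
REASON_RE = re.compile(r"Reason '([^']+)'")
# Remediation hints: only the case covered in this post is recorded.
HINTS = {"DeviceCapReached": "remove the user's stale devices in Intune, then retry"}

# Constructed sample lines modelled on the error above (host and IDs are placeholders).
BODY = json.dumps({
    "code": "invalid_request", "subcode": "error_directory_quota_exceeded",
    "message": "User '00000000-0000-0000-0000-000000000000' is not eligible to "
               "enroll a device of type 'Linux'. Reason 'DeviceCapReached'.",
    "operation": "DeviceJoin", "requestid": "11111111-1111-1111-1111-111111111111",
}, separators=(",", ":"))
PREFIX = ("Jul 02 12:39:37 host1 microsoft-identity-broker[4242]: Caused by: "
          "com.microsoft.identity.broker4j.workplacejoin.exception." + MARKER)
SAMPLE_LINES = [
    "Jul 02 12:39:30 host1 microsoft-identity-broker[4242]: registration started",
    PREFIX + BODY,
    PREFIX + BODY[:40],  # truncated JSON body: skipped, must not crash the run
]

def parse_drs_errors(lines):
    """Return one finding per DRS error response found in broker journal lines."""
    decoder, findings = json.JSONDecoder(), []
    for line in lines:
        start = line.find("{", line.find(MARKER)) if MARKER in line else -1
        if start == -1:
            continue
        try:
            body, _ = decoder.raw_decode(line, start)  # ignores trailing text
        except json.JSONDecodeError:
            continue
        match = REASON_RE.search(str(body.get("message", "")))
        reason = match.group(1) if match else None
        findings.append({
            "operation": body.get("operation"), "subcode": body.get("subcode"),
            "reason": reason, "requestid": body.get("requestid"),
            "hint": HINTS.get(reason, "no hint recorded; read the full message"),
        })
    return findings

if __name__ == "__main__":
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    for finding in parse_drs_errors(source):
        print(json.dumps(finding))
```

Run without input it processes the constructed samples; to triage a real device, pipe the output of journalctl --user -u microsoft-identity-broker.service into it.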