Enable Screen Capture Protection for Azure Virtual Desktop Automated
Working remotely has a lot of advantages, like less travel time and more focus on work (when the house is not full of kids :)), which contributes to working efficiently. But there are also concerns about security, and rightly so, I think. Especially when you are used to ‘seeing’ what happens on the screen in real life, which helps you feel (or at least think you are) in control of your data. In this article I will show how to enable AVD screen capture protection in an automated way.
Introduction
In the world of remote work a lot has changed. Everyone was used to going to the office and seeing, speaking and working together with colleagues. Now most of the time the only thing you see is your own screen, without knowing what is going on on the other screens.
That’s the point where people get nervous about one big thing: SECURITY. Where is the data, who is sharing it, and how do we avoid data leaks?
In this article I show how to stop one of the easiest and most common ways of leaking data: screen capture. I will explain how to enable AVD screen capture protection in an automated way.
There are different ways to enable Screen Capture Protection, and there are also different environment scenarios. In this article I explain two environment scenarios and two deployment scenarios.
Enable AVD Screen protection
The screen capture protection feature prevents sensitive information from being captured on the client endpoints. When you enable this feature, remote content is automatically blocked or hidden in screenshots and screen shares. The Remote Desktop client also hides the content from malicious software that may be capturing the screen. To enable this feature in an automated way, follow the steps below.
Prerequisites
Currently, only the Windows Desktop client supports screen capture protection, and only full desktops are supported. Install the Az.Avd PowerShell module:
Install-Module Az.Avd
Import-Module Az.Avd
Finding AVD session hosts
First we need to get all the Azure Virtual Desktop session hosts and their virtual machine names. To achieve that I use the Az.Avd PowerShell module.
# Get all session hosts in the host pool; the VM names are derived from the session host names later
$sessionHosts = Get-AvdSessionHost -HostpoolName avd-hostpool -ResourceGroupName rg-demo-avd-01
Run remote PowerShell command on the session host
One of the options is executing a local PowerShell script on the Windows Virtual Desktop session host with the Invoke-AzVMRunCommand command. This command lets you execute a local PowerShell script on the remote machine.
Now that we know every existing session host, we can execute the PowerShell script that enables Screen Capture Protection:
foreach ($sessionHost in $sessionHosts.value){
    # Session host names look like "hostpool/vmname.domain.local"; keep only the VM name
    $VirtualMachineName = ($sessionHost.Name.Split("/")[-1]).Split(".")[0]
    Get-AzVM -Name $VirtualMachineName | Invoke-AzVMRunCommand -CommandId 'RunPowerShellScript' -ScriptPath "[PathToLocalScript]"
}
After executing the command you will see something like this.
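The post leaves the content of the local script and the handling of the run-command result to the reader. The block below is an added example, not the author's script or the Az.Avd module's code. It embeds the remote part (which sets the fEnableScreenCaptureProtect policy value under the Terminal Services key that Microsoft documents for this feature), writes it to a temporary .ps1 so it can be passed to -ScriptPath as in the post, and checks the StdOut/StdErr returned by Invoke-AzVMRunCommand for every session host instead of assuming success. It assumes Get-AvdSessionHost returns objects whose Name has the form "hostpool/vmname.domain", with the older .value wrapper handled as well; the function name and the hostpool/resource group names are placeholders.

```powershell
# Added example (not the author's script). Requires the Az.Compute and Az.Avd modules and an
# active Connect-AzAccount session. Assumption: session host names are "<hostpool>/<vm>.<domain>".

$RemoteScript = @'
# Runs ON the session host. Creates the policy key if it is missing and enables screen capture protection.
$path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$name  = 'fEnableScreenCaptureProtect'
$value = 1   # 1 = block screen capture on the client (value documented by Microsoft)

if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
Set-ItemProperty -Path $path -Name $name -Value $value -Type DWord

# Read the value back so the caller can verify the change rather than assume it.
$current = (Get-ItemProperty -Path $path -Name $name).$name
if ($current -eq $value) { "OK $env:COMPUTERNAME $name=$current" }
else { throw "FAILED $env:COMPUTERNAME $name=$current" }
'@

function Enable-AvdScreenCaptureProtection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $HostpoolName,
        [Parameter(Mandatory)] [string] $ResourceGroupName
    )

    # Write the remote script to a temp file; Invoke-AzVMRunCommand -ScriptPath uploads and runs it.
    $scriptPath = Join-Path ([System.IO.Path]::GetTempPath()) 'Enable-ScreenCaptureProtection.ps1'
    Set-Content -Path $scriptPath -Value $RemoteScript -Encoding UTF8

    $sessionHosts = Get-AvdSessionHost -HostpoolName $HostpoolName -ResourceGroupName $ResourceGroupName
    # Older Az.Avd versions returned the raw REST response with a .value array; handle both shapes.
    if ($sessionHosts.PSObject.Properties['value']) { $sessionHosts = $sessionHosts.value }

    foreach ($sessionHost in $sessionHosts) {
        # "hostpool/vm01.contoso.local" -> "vm01"
        $vmName = ($sessionHost.Name.Split('/')[-1]).Split('.')[0]
        $vm = Get-AzVM -Name $vmName
        if (-not $vm) {
            Write-Warning "No virtual machine found for session host $($sessionHost.Name)"
            continue
        }

        $result = $vm | Invoke-AzVMRunCommand -CommandId 'RunPowerShellScript' -ScriptPath $scriptPath
        # Value[0] carries the remote script's StdOut, Value[1] its StdErr.
        $stdout = $result.Value[0].Message
        $stderr = $result.Value[1].Message

        [pscustomobject]@{
            SessionHost = $sessionHost.Name
            VMName      = $vmName
            Succeeded   = ($stdout -match '^OK ') -and [string]::IsNullOrWhiteSpace($stderr)
            Output      = if ($stderr) { $stderr.Trim() } else { $stdout.Trim() }
        }
    }
}

# Usage (placeholder names):
# Enable-AvdScreenCaptureProtection -HostpoolName avd-hostpool -ResourceGroupName rg-demo-avd-01 | Format-Table
```

Returning one object per session host with a Succeeded flag makes the run auditable: a host that reports FAILED, errors in StdErr, or has no matching VM shows up in the table instead of silently staying unprotected. The policy value applies to new sessions, so existing sessions need to reconnect before the protection is in effect.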
Enable AVD Screen Protection via ARM template
For the ARM template lovers I created a simple extension. It is possible to deploy the extension to the virtual machine with the New-AzResourceGroupDeployment command. The ARM templates are stored in my GitHub repository.
New-AzResourceGroupDeployment -ResourceGroupName ResourceGroupName -TemplateUri https://raw.githubusercontent.com/srozemuller/Windows-Virtual-Desktop/master/Security/Extensions/deploy-WvdScpExtension.json -vmName cust-wvd-1
After the configuration has been set there is no way to screen capture an Azure Virtual Desktop session.
Now you can see how easy it is to enable AVD screen capture protection.
In addition to this post, more information is available at the following URL: https://docs.microsoft.com/en-us/azure/virtual-desktop/screen-capture-protection.
Thank you for reading my blog about enabling screen capture protection for Azure Virtual Desktop automated.
I hope you got a bit inspired. Enjoy your day and happy automating 👋