Menu Close

Enable Screen Capture Protection for Windows Virtual Desktop Automated

Working remotely has a lot of advantages like less travel time, more focus to work (when the house is not full of kids :)), which contributes to working efficiently. But there are some concerns about security, and rightly so I think. Especially when you are used to ‘see’ what happens on the screen in real life which help at least you think you are in control of your data.


In the world of working remotely a lot has been changed. Everyone is used to go to the office and see, speak and work together with colleagues. Now most of the time the only thing you see is your own screen without the knowledge what is going on on the other screens.
That’s the point where people gets nervous about a big thing: SECURITY. Where is the data, who is sharing it and how to avoid data leaks.

In this article I’m showing how to stop one of most easiest and common ways of the data leaks: Screen Capture. I will explain how to enable this feature in a Windows Virtual Desktop environment.

There are different ways how to enable the Screen Capture Protection and there also are different environment scenario’s. In this article I explain two environment scenario’s and two deployment scenario’s

Table of contents


Validation environment

Make sure the hostpool is deployed in the validation environment. You can check the current validation environment in the portal under Hostpool -> Setting -> Properties. In my case I had to change the environment. It took some time when the setting has been active on the background.

An another option is to check the validation environment with PowerShell. You need the Get-AzWvdHostpool command.

Windows Desktop Client version

Make sure you have the latest Windows Desktop Client installed. At this moment the need version is not public. Download the insider from this page What’s new in the Windows Desktop client.

Finding Windows Virtual Desktop session hosts

In the first place we need to get all the Window Virtual Desktop session hosts and their virtual machine names.

# Testing if there is allready a WVD VM with an update status
$WvdHostpool = Get-AzWvdHostPool | ? { $_.Name -eq "WVD-Hostpool-Norm-DevOps" } 
# Creating VM configuration based on existing VM's in specific hostpool, selecting first one
$WvdHostpoolResourceGroup = ($WvdHostpool).id.split("/")[4]
Write-Output "Hostpool resourcegroup is $WvdHostpoolResourceGroup"

# Get one of the current production VM's for getting the share image gallery info
$sessionHosts = Get-AzWvdSessionHost -ResourceGroupName $WvdHostpoolResourceGroup -HostPoolName $

Run remote PowerShell command on the session host

One of the options is executing a local PowerShell script at the Windows Virtual Desktop sessionhost with the Invoke-AzVMRunComand command. This command allows you executing a local PowerShell script on the remote machine.

Now we know every existing session host we are able to execute the PowerShell which enables the Screen Capture Protection

foreach ($sessionHost in $sessionHosts){
    $VirtualMachineName = ($sessionHosts.Name.Split("/")[-1]).Split(".")[0]
    Get-AzVM -Name $VirtualMachineName | Invoke-AzVMRunCommand -CommandId 'RunPowerShellScript' -ScriptPath [PathToLocalScript]

After executing the command you will see something like this.

Deploy via ARM template

For the ARM template lovers I created a simple extension. It is possible to deploy the extension to the virtual machine with the New-AzResourceGroupDeployment command. The ARM templates are stored in my Github repository.

New-AzResourceGroupDeployment -ResourceGroupName ResourceGroupName -TemplateUri -vmName cust-wvd-1

After the configuration has been set there is no way to screen capture a Windows Virtual Desktop session.

Leave a Reply

Your email address will not be published. Required fields are marked *