Updated for flow and clarity

dknappettmsft · dknappettmsft · commit 79bdde2f38ef · 2025-01-15T11:12:13.000Z
diff --git a/articles/virtual-desktop/client-device-redirection-intune.md b/articles/virtual-desktop/client-device-redirection-intune.md
@@ -4,7 +4,7 @@ description: Learn how to configure redirection settings for iOS/iPadOS Windows
 ms.topic: how-to
 author: dknappettmsft
 ms.author: daknappe
-ms.date: 11/09/2024
+ms.date: 01/15/2025
 ---
 
 # Configure client device redirection settings for Windows App and the Remote Desktop app using Microsoft Intune
@@ -147,15 +147,15 @@ Before you can configure redirection settings on a client device using Microsoft
 
 - A client device running one of the following versions of Windows App or the Remote Desktop app:
    - For Windows App:
-      - iOS/iPadOS: 11.0.7 or later.
+      - iOS/iPadOS: 11.0.8 or later.
       - Android: 1.0.145 or later.
 
    - Remote Desktop app:
       - Android: 10.0.19.1279 or later.
 
 - The latest version of:
    - iOS/iPadOS: Microsoft Authenticator app
-   - Android: Company Portal app, installed in the same profile as Windows App for personal devices.  Both app either in personal profile OR both apps in work profile.
+   - Android: Company Portal app, installed in the same profile as Windows App for personal devices. Both apps need to either be in a personal profile or in a work profile, not one in each profile.
 
 - There are more Intune prerequisites for configuring app configuration policies, app protection policies, and Conditional Access policies. For more information, see:
    - [App configuration policies for Microsoft Intune](/mem/intune/apps/app-configuration-policies-overview).
@@ -224,15 +224,15 @@ To create and apply an app protection policy, follow the steps in [How to create
 
    - For iOS and iPadOS, you can configure the following settings:
 
-      - Send org data to other apps. Set to **None** to enable screen capture protection. 
-      - Restrict cut, copy, and paste between other apps
-      - Third-party keyboards
+      - **Send org data to other apps**. Set to **None** to enable [screen capture protection](screen-capture-protection.md). 
+      - **Restrict cut, copy, and paste between other apps**
+      - **Third-party keyboards**
 
    - For Android, you can configure the following settings:
 
-      - Restrict cut, copy, and paste between other apps
-      - Screen capture and Google Assistant
-      - Approved keyboards
+      - **Restrict cut, copy, and paste between other apps**
+      - **Screen capture and Google Assistant**
+      - **Approved keyboards**
 
    > [!TIP]
    > If you disable clipboard redirection in an app configuration policy, you should set **Restrict cut, copy, and paste between other apps** to **Blocked**.
diff --git a/articles/virtual-desktop/compare-remote-desktop-clients.md b/articles/virtual-desktop/compare-remote-desktop-clients.md
@@ -5,7 +5,7 @@ ms.topic: concept-article
 zone_pivot_groups: remote-desktop-clients
 author: dknappettmsft
 ms.author: daknappe
-ms.date: 11/19/2024
+ms.date: 01/15/2025
 ---
 
 # Compare Remote Desktop app features across platforms and devices
@@ -641,26 +641,21 @@ The following table shows which security features are available on each platform
 
 | Feature | Windows<br />(MSI) | Windows<br />(AVD Store) | Windows<br />(RD Store) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |
 |--|:-:|:-:|:-:|:-:|:-:|:-:|:-:|
-| Screen capture protection | ✅ | ✅ |  ❌ | ✅ | ❌ | ❌ | ❌ |
+| Screen capture protection | ✅ | ✅ |  ❌ | ✅ | <sup>&#8197;&#8197;</sup>✅&sup1; | <sup>&#8197;&#8197;</sup>✅&sup1; | ❌ |
 | Watermarking | ✅ | ✅ |  ❌ | ✅ | ✅ | ✅ | ✅ |
 
+1. Requires [Microsoft Intune to configure client device redirection settings](/azure/virtual-desktop/client-device-redirection-intune).
+
 ::: zone-end
 
-::: zone pivot="windows-365"
+::: zone pivot="windows-365,dev-box"
 
 | Feature | Windows<br />(MSI) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |
 |--|:-:|:-:|:-:|:-:|:-:|
-| Screen capture protection | ✅ | ✅ | ❌ | ❌ | ❌ |
+| Screen capture protection | ✅ | ✅ | <sup>&#8197;&#8197;</sup>✅&sup1; | <sup>&#8197;&#8197;</sup>✅&sup1; | ❌ |
 | Watermarking | ✅ | ✅ | ✅ | ✅ | ✅ |
 
-::: zone-end
-
-::: zone pivot="dev-box"
-
-| Feature | Windows<br />(MSI) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |
-|--|:-:|:-:|:-:|:-:|:-:|
-| Screen capture protection | ✅ | ✅ | ❌ | ❌ | ❌ |
-| Watermarking | ✅ | ✅ | ✅ | ❌ | ✅ |
+1. Requires [Microsoft Intune to configure client device redirection settings](/azure/virtual-desktop/client-device-redirection-intune).
 
 ::: zone-end
 
diff --git a/articles/virtual-desktop/screen-capture-protection.md b/articles/virtual-desktop/screen-capture-protection.md
@@ -4,44 +4,69 @@ description: Learn how to enable screen capture protection in Azure Virtual Desk
 ms.topic: how-to
 author: dknappettmsft
 ms.author: daknappe
-ms.date: 06/28/2024
+ms.date: 01/15/2025
 ---
 
 # Enable screen capture protection in Azure Virtual Desktop
 
-Screen capture protection, alongside [watermarking](watermarking.md), helps prevent sensitive information from being captured on client endpoints through a specific set of operating system (OS) features and Application Programming Interfaces (APIs). When you enable screen capture protection, remote content is automatically blocked in screenshots and screen sharing. You can configure screen capture protection using Microsoft Intune or Group Policy on your session hosts.
+Screen capture protection, alongside [watermarking](watermarking.md), helps prevent sensitive information from being captured on client endpoints through a specific set of operating system (OS) features and APIs. When you enable screen capture protection, remote content is automatically blocked in screenshots and screen sharing.
 
-There are two supported scenarios for screen capture protection, depending on the version of Windows you're using:
+There are two supported scenarios for screen capture protection:
 
-- **Block screen capture on client**: the session host instructs a supported Remote Desktop or Windows App client to enable screen capture protection for a remote session. This option prevents screen capture from the client of applications running in the remote session.
+- **Block screen capture on client**: prevents screen capture from the local device of applications running in the remote session.
 
-- **Block screen capture on client and server**: the session host instructs a supported Remote Desktop client to enable screen capture protection for a remote session. This option prevents screen capture from the client of applications running in the remote session, but also prevents tools and services within the session host from capturing the screen.
+- **Block screen capture on client and server**: prevents screen capture from the local device of applications running in the remote session, but also prevents tools and services within the session host capturing the screen.
 
-When screen capture protection is enabled, users can't share their Remote Desktop window using local collaboration software, such as Microsoft Teams. With Teams, neither the local Teams app or using [Teams with media optimization](teams-on-avd.md) can share protected content.
+When screen capture protection is enabled, users can't share their remote window using local collaboration software, such as Microsoft Teams. With Teams, neither the local Teams app or using [Teams with media optimization](teams-on-avd.md) can share protected content.
 
 > [!TIP]
 > - To increase the security of your sensitive information, you should also disable clipboard, drive, and printer redirection. Disabling redirection helps prevent users from copying content from the remote session. To learn about supported redirection values, see [Device redirection](rdp-properties.md#device-redirection).
 >
 > - To discourage other methods of screen capture, such as taking a photo of a screen with a physical camera, you can enable [watermarking](watermarking.md), where admins can use a QR code to trace the session.
 
+## Determine your configuration
+
+The steps to configure screen capture protection depend on which platforms your users are connecting from: 
+
+- For Windows and macOS devices running Windows App or Remote Desktop client, you configure screen capture protection on session hosts using Intune or Group Policy. Windows App and the Remote Desktop client enforces screen capture protection settings from a session host without additional configuration.
+
+- For iOS/iPadOS and Android devices running Windows App, you block screen capture on the local device by [configuring an Intune app protection policy](client-device-redirection-intune.md), part of [mobile application management](/mem/intune/fundamentals/deployment-plan-protect-apps) (MAM). If you also want to block screen capture from within the session host, you also need to configure screen capture protection on session hosts using Intune or Group Policy.
+
+Here's a summary of the configuration steps needed for each platform:
+
+| Platform | Block screen capture on client | Block screen capture on client and server |
+|--|--|--|
+| Windows | Configure session hosts with Intune or Group Policy | Configure session hosts with Intune or Group Policy |
+| macOS | Configure session hosts with Intune or Group Policy | Configure session hosts with Intune or Group Policy |
+| iOS/iPadOS | Configure the local device with Intune MAM | Configure the local device with Intune MAM and session hosts with Intune or Group Policy |
+| Android | Configure the local device with Intune MAM | Configure the local device with Intune MAM and session hosts with Intune or Group Policy |
+
 ## Prerequisites
 
-- Your session hosts must be running one of the following versions of Windows to use screen capture protection:
+- For scenarios where you need to configure session hosts, those session hosts must be running a Windows 11, version 22H2 or later, or Windows 10, version 22H2 or later.
 
-   - **Block screen capture on client** is available with a [supported version of Windows 10 or Windows 11](prerequisites.md#operating-systems-and-licenses) or a [supported version of Windows App on iOS/iPadOS or Android using Intune MAM](/azure/virtual-desktop/client-device-redirection-intune)
-   - **Block screen capture on client and server** is available starting with Windows 11, version 22H2.
+- Users must connect to Azure Virtual Desktop with Windows App or the Remote Desktop app to use screen capture protection. The following table shows supported scenarios:
 
-- Users must connect to Azure Virtual Desktop with Windows App or the Remote Desktop app to use screen capture protection. The following table shows supported scenarios. If a user tries to connect with a different app or version, the connection is denied and shows an error message with the code `0x1151`.
+   - Windows App:
+   
+      | Platform | Minimum version | Desktop session | RemoteApp session | 
+      |--|--|--|--|
+      | Windows App on Windows | Any | Yes | Yes. Local device OS must be Windows 11, version 22H2 or later. |
+      | Windows App on macOS | Any | Yes | Yes |
+      | Windows App on iOS/iPadOS | 11.0.8 | Yes | Yes |
+      | Windows App on Android (preview)&sup1; | 1.0.145 | Yes | Yes |
 
-   | App | Version | Desktop session | RemoteApp session | 
-   |--|--|--|--|
-   | Windows App on Windows | Any | Yes | Yes. Client device OS must be Windows 11, version 22H2 or later. |
-   | Remote Desktop client on Windows | 1.2.1672 or later | Yes | Yes. Client device OS must be Windows 11, version 22H2 or later. |
-   | Azure Virtual Desktop Store app | Any | Yes | Yes. Client device OS must be Windows 11, version 22H2 or later. |
-   | Windows App on macOS | Any | Yes | Yes |
-   | Windows App on iOS/iPadOS | 11.0.7 or later | Yes | Yes |
-   | Windows App (Preview) on Android | 1.0.145 | Yes | Yes |
-   | Remote Desktop client on macOS | 10.7.0 or later | Yes | Yes |
+      1. Doesn't include support for Chrome OS.
+
+   - Remote Desktop client:
+
+      | Platform | Minimum version | Desktop session | RemoteApp session | 
+      |--|--|--|--|
+      | Windows (desktop client) | 1.2.1672 | Yes | Yes. Local device OS must be Windows 11, version 22H2 or later. |
+      | Windows (Azure Virtual Desktop Store app) | Any | Yes | Yes. Local device OS must be Windows 11, version 22H2 or later. |
+      | macOS | 10.7.0 or later | Yes | Yes |
+
+   If a user tries to connect with a different app or version, such as Windows App in a web browser, the connection is denied and shows an error message with the code `0x1151`.
 
 - To configure Microsoft Intune, you need:
 
@@ -55,13 +80,13 @@ When screen capture protection is enabled, users can't share their Remote Deskto
 
    - A security group or organizational unit (OU) containing the devices you want to configure.
 
-## Enable screen capture protection
+## Enable screen capture protection on session hosts
 
-Screen capture protection is configured on session hosts and enforced by the client. Select the relevant tab for your scenario.
+Select the relevant tab for your scenario.
 
-# [Microsoft Intune (Windows)](#tab/intune)
+# [Microsoft Intune](#tab/intune)
 
-To configure screen capture protection using Microsoft Intune:
+To configure screen capture protection on session hosts using Microsoft Intune:
 
 1. Sign in to the [Microsoft Intune admin center](https://endpoint.microsoft.com/).
 
@@ -89,9 +114,9 @@ To configure screen capture protection using Microsoft Intune:
 
 1. Once the policy applies to the computers providing a remote session, restart them for the settings to take effect.
 
-# [Group Policy (Windows)](#tab/group-policy)
+# [Group Policy](#tab/group-policy)
 
-To configure screen capture protection using Group Policy:
+To configure screen capture protection on session hosts using Group Policy:
 
 1. Follow the steps to make the [Administrative template for Azure Virtual Desktop](administrative-template.md) available in Group Policy.
 
@@ -111,35 +136,36 @@ To configure screen capture protection using Group Policy:
 
 1. Ensure the policy is applied to the computers providing a remote session, then restart them for the settings to take effect.
 
-# [iOS/iPadOS](#tab/iOS)
+---
 
-To configure screen capture protection using Intune App Protection Policies:
+## Enable screen capture protection on local devices
 
-1. Follow the steps to create an [App protection policy](/azure/virtual-desktop/client-device-redirection-intune) for your device.
+To use screen capture protection on iOS/iPadOS and Android devices running Windows App, you need to configure an Intune app protection policy.
 
-1. On the **Data protection** tab, set **Send org data to other apps** with a value of **None**.
+> [!TIP]
+> On Windows and macOS, Windows App and the Remote Desktop client enforces screen capture protection settings from a session host without additional configuration.
 
-1. Configure other settings as needed and target the App Protection Policy to users and devices as listed in [App protection policy](/azure/virtual-desktop/client-device-redirection-intune). 
+To configure an Intune app protection policy to enable screen capture protection on iOS/iPadOS and Android devices:
 
-# [Android](#tab/Android)
+1. Follow the steps to [Configure client device redirection settings for Windows App and the Remote Desktop app using Microsoft Intune](client-device-redirection-intune.md). Configuration of screen capture protection is part of an [app protection policy](client-device-redirection-intune.md#create-an-app-protection-policy).
 
-To configure screen capture protection using Intune App Protection Policies:
+1. When configuring an app protection policy, on the **Data protection** tab, configure the following setting, depending on the platform:
 
-1. Follow the steps to create an [App protection policy](/azure/virtual-desktop/client-device-redirection-intune) for your device.
+   1. For iOS/iPadOS, set **Send org data to other apps** to **None**.
 
-1. On the **Data protection** tab, set **Screen capture and Google Assistant** to **Block**.
+   1. For Android, set **Screen capture and Google Assistant** to **Block**.
 
-1. Configure other settings as needed and target the App Protection Policy to users and devices as listed in [App protection policy](/azure/virtual-desktop/client-device-redirection-intune). 
----
+1. Configure other settings based on your requirements and target the app protection policy to users and devices. 
 
 ## Verify screen capture protection
 
 To verify screen capture protection is working:
 
-1. Connect to a remote session with a supported client.
+1. Connect to a new remote session with a supported client. Don't reconnect to an existing session. You need to sign out of any existing sessions and sign back in again for the change to take effect. 
 
-1. Take a screenshot or share your screen in a Teams call or meeting. The content should be blocked or hidden. Any existing sessions need to sign out and back in again for the change to take effect.
+1. From a local device, take a screenshot or share your screen in a Teams call or meeting. The content should be blocked or hidden.
 
+1. If you enabled **Block screen capture on client and server** on your session hosts, try to capture the screen using a tool or service within the session host. The content should be blocked or hidden.
 
 ## Related content
 
