

Windows Cloud IO Protection

Important

Windows Cloud IO Protection is in public preview. See the Supplemental terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Overview: Securing Input for Windows 365 Cloud PCs

Windows 365 Cloud PCs already encrypt sessions and enforce identity-based authentication methods like MFA to prevent hijacking and man-in-the-middle attacks. However, threats resident on the endpoint device that target Windows cloud sessions, such as keyloggers, can still compromise sensitive data, leading to compliance risks and financial loss.

Windows Cloud IO Protection addresses this gap with a kernel-level driver and system-level encryption that securely routes keystrokes directly to the Cloud PC, bypassing OS layers vulnerable to malware. When this feature is enabled on a Cloud PC or Azure Virtual Desktop session host, it enforces a strict trust model:

  • Only protected endpoint physical devices can connect.

  • Endpoints must have the Windows Cloud IO Protect MSI installed to be protected.

If the MSI is missing, the connection is blocked and an error message appears. This ensures a secure channel between the Windows app and the Cloud PC/Azure Virtual Desktop session host, delivering uncompromised input protection.

Steps to install Windows Cloud Input Protect MSI

Prerequisites:

  • The endpoint must be a physical device (virtual machines aren't supported) with Windows 11. The endpoint device must use TPM 2.0.

  • To install the Windows Cloud IO Protect MSI, the user needs to have Local Admin rights.

  1. When the user tries to connect from a physical device (without the Windows Cloud Input Protect MSI) to a Windows 365 Cloud PC or Azure Virtual Desktop session host, the following error message appears.

    Screenshot of error message because keyboard protection client is not installed.

  2. The user can choose between two types of MSI installer to install the Windows Cloud Input Protect MSI:

    • Windows x64

    • Windows ARM 64

    Follow the MSI installation wizard steps as shown below.

    Screenshot of MSI welcome for Windows Cloud IO Protection driver.

    Screenshot of how to enable ETW logging for Windows Cloud IO Protection driver.

    Screenshot of screen to confirm and begin installation of Windows Cloud IO Protection driver.

    Screenshot after a successful installation of the Windows Cloud IO Protection driver.

    Windows App Prerequisites

    This feature is available only on the latest Windows App version (version 2.0.704.0 or newer). You can update to the latest version available on Microsoft Market.

    Screenshot that shows the Windows App version.

Configure Windows Cloud Input Protection on Cloud PC/Azure Virtual Desktop session hosts

Currently the feature can only be enabled using Group Policy.

Note

Group Policy Object steps are only applicable to hybrid environments. Support for Entra join customers will be available soon. Today, you can enable the feature for Entra join customers by adding the registry keys manually as given below.

  1. Open the Registry Editor app
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
  3. Create a new DWORD with name fWCIOKeyboardInputProtection and value 1.
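
The three registry steps above can be scripted so the setting is applied idempotently and read back afterwards. This is an added example, not a script from Microsoft; the function names `Get-WcioKeyboardProtectionState` and `Enable-WcioKeyboardProtection` are hypothetical, and only the key path, value name and value come from this page.

```powershell
#Requires -RunAsAdministrator
# Added example: run elevated on the Cloud PC / Azure Virtual Desktop session host.
# Key path, value name and value 1 are taken from the steps above.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ValueName = 'fWCIOKeyboardInputProtection'

function Get-WcioKeyboardProtectionState {
    # Returns 'Enabled', 'NotEnabled' (value present but not DWORD 1) or 'NotConfigured'.
    $key = Get-Item -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($null -eq $key -or $key.GetValueNames() -notcontains $ValueName) {
        return 'NotConfigured'
    }
    # A string "1" would compare equal to 1, so check the value kind as well.
    $isDword = $key.GetValueKind($ValueName) -eq [Microsoft.Win32.RegistryValueKind]::DWord
    if ($isDword -and $key.GetValue($ValueName) -eq 1) {
        return 'Enabled'
    }
    return 'NotEnabled'
}

function Enable-WcioKeyboardProtection {
    # Returns $true when the value was written, $false when nothing changed.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ((Get-WcioKeyboardProtectionState) -eq 'Enabled') {
        Write-Verbose "$ValueName is already set to DWORD 1."
        return $false
    }
    if (-not $PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", 'Set DWORD value to 1')) {
        return $false
    }
    if (-not (Test-Path -Path $PolicyKey)) {
        # The policy key may not exist on a host with no Terminal Services policies.
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # -Force overwrites an existing value, including one created with the wrong type.
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null

    # Read the value back instead of assuming the write succeeded.
    if ((Get-WcioKeyboardProtectionState) -ne 'Enabled') {
        throw "Failed to set $ValueName under $PolicyKey."
    }
    return $true
}

Enable-WcioKeyboardProtection -Verbose
Get-WcioKeyboardProtectionState
```

Run it with `-WhatIf` first to preview the change. The example assumes the manual registry route needs the same session host restart that the Group Policy steps on this page call for.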

Steps to configure Windows Cloud Input Protection

To enable the Windows Cloud Keyboard Input Protection on your session hosts (Azure Virtual Desktop and Windows 365) using Group Policy in an Active Directory domain:

  1. Make the administrative template for Azure Virtual Desktop available in your domain by following the steps in Use the administrative template for Azure Virtual Desktop.

  2. Open the Group Policy Management console on a device you use to manage the Active Directory domain.

  3. Create or edit a policy that targets the computers providing a remote session you want to configure.

  4. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop.

    Screenshot of group policy editor in the Azure Virtual Desktop node.

  5. Double-click the policy setting Enable Keyboard Input Protection to open it.

  6. Select Enabled. Once you finish, select OK.

    Screenshot of group policy editor enabling keyboard input protection.

  7. Once the policy applies to the computers providing a remote session, restart them for the settings to take effect.

Note

This feature is supported for the following:

  • Windows Cloud PC/Azure Virtual Desktop session hosts with the latest Microsoft-supported Windows client OS versions.
  • Supported clients: Windows 11 physical devices running supported native clients that have the Windows Cloud IO Protect MSI installed on them.
  • Not supported clients: virtual endpoint devices (VMs), macOS, iOS, Android, web, and Windows devices that aren't Windows Cloud IO Protect enabled, including Windows 365 Link devices.