Windows Cloud IO Protection

Important

Windows Cloud IO Protection will be in PREVIEW starting December 10th, 2025. See the Supplemental terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Overview: Securing Input for Windows 365 Cloud PCs

Windows 365 Cloud PCs already encrypt sessions and enforce identity-based authentication methods like MFA to prevent hijacking and man-in-the-middle attacks. However, threats that reside on the endpoint device and target Windows cloud sessions, such as keyloggers, can still compromise sensitive data, leading to compliance risks and financial loss.

Windows Cloud IO Protection addresses this gap with a kernel-level driver and system-level encryption that securely routes keystrokes directly to the Cloud PC, bypassing OS layers vulnerable to malware. When this feature is enabled on a Cloud PC or Azure Virtual Desktop session host, it enforces a strict trust model:

  • Only protected endpoint physical devices can connect.

  • Endpoints must have the Windows Cloud IO Protect MSI installed to be protected.

If the MSI is missing, the connection is blocked and an error message appears. This ensures a secure channel between the Windows app and the Cloud PC/Azure Virtual Desktop session host, delivering uncompromised input protection.

Steps to install Windows Cloud Input Protect MSI

Prerequisites:

  • The endpoint must be a physical device (virtual machines aren't supported) running Windows 11. The endpoint device must use TPM 2.0.

  • To install the Windows Cloud IO Protect MSI, the user needs to have Local Admin rights.

  1.  When the user tries to connect from a physical device (without Windows Cloud Input Protect MSI) to a Windows 365 Cloud PC or Azure Virtual Desktop session host, the following error message will appear.

    Screenshot that shows the error box and message if a user tries to connect without the Windows Cloud keyboard protection driver installed.

  2. The user can choose between two types of MSI installer to install the Windows Cloud Input Protect MSI.

  3. Follow the MSI installation wizard steps as shown below.

    Screenshot that shows the welcome screen for the driver installer.

    Screenshot that shows the custom setup screen for the driver installer.

    Screenshot that shows the installing progress screen for the driver installer.

    Screenshot that shows driver completed install.

    Windows App Prerequisites

    This feature is available only on the latest Windows App version (version 2.0.704.0 or newer). You can update to the latest version available on Microsoft Market.

    Screenshot that shows Windows App version screen.

Configure Windows Cloud Input Protection on Cloud PC/Azure Virtual Desktop session hosts

Currently the feature can only be enabled using Group Policy.

Note

Group Policy Object steps are only applicable to hybrid environments. Support for Entra join customers will be available soon. Today, you can enable the feature for Entra join customers by adding the registry value manually as described below.

  1. Open the Registry Editor app
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
  3. Create a new DWORD with name fWCIOKeyboardInputProtection and value 1.
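
The registry steps above can be audited and applied with a script. The following is an added example, not code from Microsoft or from the original page; the registry path and value name are taken from this page, while the function name `Test-WcioKeyboardProtection` and its `-Enforce` switch are hypothetical.

```powershell
# Added example: audit (default) or enforce the registry value described above.
# Path and value name come from this page; the function name and -Enforce
# switch are hypothetical. Enforcing requires an elevated session.
function Test-WcioKeyboardProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Enforce
    )

    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $name = 'fWCIOKeyboardInputProtection'

    # Classify the current state: missing, wrong value type, disabled, or enabled.
    $state = 'Missing'
    $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains $name)) {
        $kind  = $key.GetValueKind($name)
        $value = $key.GetValue($name)
        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            $state = "WrongType($kind)"      # e.g. created as a string instead of a DWORD
        } elseif ($value -eq 1) {
            $state = 'Enabled'
        } else {
            $state = "Disabled($value)"
        }
    }

    $changed = $false
    if ($Enforce -and $state -ne 'Enabled' -and
        $PSCmdlet.ShouldProcess("$path\$name", 'Set DWORD to 1')) {
        # Create the policy key only when it does not exist yet.
        if (-not $key) { New-Item -Path $path -Force | Out-Null }
        # -Force replaces an existing value, including one of the wrong type.
        New-ItemProperty -LiteralPath $path -Name $name `
            -PropertyType DWord -Value 1 -Force | Out-Null
        $changed = $true
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        StateBefore  = $state
        Changed      = $changed
    }
}

Test-WcioKeyboardProtection                      # audit only, changes nothing
# Test-WcioKeyboardProtection -Enforce -WhatIf   # preview the change
# Test-WcioKeyboardProtection -Enforce           # apply the change
```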

Steps to configure Windows Cloud Input Protection

To enable the Windows Cloud Keyboard Input Protection on your session hosts (Azure Virtual Desktop and Windows 365) using Group Policy in an Active Directory domain:

  1. Make the administrative template for Azure Virtual Desktop available in your domain by following the steps in Use the administrative template for Azure Virtual Desktop.

  2. Open the Group Policy Management console on a device you use to manage the Active Directory domain.

  3. Create or edit a policy that targets the computers providing a remote session you want to configure.

  4. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop.

    Screenshot that shows Azure Virtual Desktop section screen in Group Policy Management console.

  5. Double-click the policy setting Enable Keyboard Input Protection to open it.

  6. Select Enabled. Once you finish, select OK.

    Screenshot that shows enabling keyboard input protection screen in the Group Policy Management console.

  7. Once the policy applies to the computers providing a remote session, restart them for the settings to take effect.

Note

This feature is supported for the following:

  • Windows Cloud PC/Azure Virtual Desktop session hosts with the latest Microsoft-supported Windows client OS versions.
  • Supported clients: Windows 11 physical devices running supported native clients that have the Windows Cloud IO Protect MSI installed on them.
  • Unsupported clients: virtual endpoint devices (VMs), macOS, iOS, Android, Web, and Windows devices that are not Windows Cloud IO Protect enabled, including Windows 365 Link devices.