Windows Cloud Keyboard Input Protection (Preview): A Major Leap in Endpoint Security for AVD and Cloud PCs – Part 2

In my last post we discussed Windows Cloud Keyboard Input Protection (Preview) in detail; today's post is a step-by-step implementation guide.
Before enabling Windows Cloud Keyboard Input Protection, ensure the following prerequisites are met:
1. Supported Workloads
- Windows 365 Enterprise Cloud PCs
- Azure Virtual Desktop (AVD)
This feature is designed specifically for cloud-hosted Windows desktops and does not apply to local-only Windows PCs.
2. Supported Endpoint Devices
- Windows 10 or Windows 11 physical endpoint devices
- Devices must be managed or at least policy-capable (Intune-managed recommended)
BYOD devices can benefit, but enforcement and visibility are strongest on Intune-managed endpoints.
Steps to install Windows Cloud Input Protect MSI
Prerequisites:
- The endpoint must be a physical device (virtual machines aren’t supported) with Windows 11. The endpoint device must use TPM 2.0.
- To install the Windows Cloud IO Protect MSI, the user needs to have Local Admin rights.
- When the user tries to connect from a physical device (without Windows Cloud Input Protect MSI) to a Windows 365 Cloud PC or Azure Virtual Desktop session host, the following error message appears.

- Users can choose between two types of MSI installer to install the Windows Cloud Input Protect MSI.
Follow the MSI installation wizard steps as shown below.




Windows App Prerequisites
This feature is available only in the latest Windows App version (2.0.704.0 or newer). You can update to the latest version available on Microsoft Market.
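The endpoint-side prerequisites above (Windows 11, physical hardware, TPM 2.0, local admin rights, Windows App 2.0.704.0 or newer) can be checked in one pass before installing the MSI. This is an added example, not code from the original post or from Microsoft. The function name is hypothetical, the Windows App package name is an assumption exposed as a parameter, and the virtual machine test is a heuristic based on manufacturer and model strings.

```powershell
# Added example: readiness check for the endpoint prerequisites listed on this page.
# Run elevated on the endpoint; the Win32_Tpm class is not readable without admin rights.
function Test-WcipEndpointReadiness {          # hypothetical helper name
    param(
        # Assumption: Store package name of Windows App; override if yours differs.
        [string]$WindowsAppPackage = 'MicrosoftCorporationII.Windows365',
        [version]$MinWindowsApp = '2.0.704.0'  # minimum version stated on this page
    )

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
               -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $app = Get-AppxPackage -Name $WindowsAppPackage -ErrorAction SilentlyContinue |
               Sort-Object { [version]$_.Version } -Descending |
               Select-Object -First 1

    $id      = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
                   [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Heuristic only: common hypervisors name themselves in manufacturer/model.
    $looksVirtual = "$($cs.Manufacturer) $($cs.Model)" -match 'Virtual|VMware|KVM|QEMU|Xen'

    # SpecVersion reads like "2.0, 0, 1.59"; the first field is the TPM spec family.
    $tpm20 = [bool]($tpm -and $tpm.SpecVersion -and
                 ($tpm.SpecVersion.Split(',')[0].Trim() -eq '2.0'))

    [pscustomobject]@{
        # ProductType 1 = client SKU; Windows 11 builds start at 22000.
        Windows11      = ($os.ProductType -eq 1) -and ([int]$os.BuildNumber -ge 22000)
        PhysicalDevice = -not $looksVirtual
        Tpm20          = if ($isAdmin) { $tpm20 } else { 'unknown (not elevated)' }
        LocalAdmin     = $isAdmin
        WindowsAppOk   = [bool]($app -and ([version]$app.Version -ge $MinWindowsApp))
        WindowsApp     = if ($app) { $app.Version } else { 'not installed' }
    }
}

Test-WcipEndpointReadiness | Format-List
```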

Configure Windows Cloud Input Protection on Cloud PC/Azure Virtual Desktop session hosts
Note: Currently the feature can only be enabled using Group Policy.
Steps to configure Windows Cloud Input Protection
To enable the Windows Cloud Keyboard Input Protection on your session hosts (Azure Virtual Desktop and Windows 365) using Group Policy in an Active Directory domain:
- Make the administrative template for Azure Virtual Desktop available in your domain by following the steps in Use the administrative template for Azure Virtual Desktop.
- Open the Group Policy Management console on a device you use to manage the Active Directory domain.
- Create or edit a policy that targets the computers providing a remote session you want to configure.
- Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop.

- Double-click the policy setting Enable Keyboard Input Protection to open it.
- Select Enabled. Once you finish, select OK.

- Once the policy applies to the computers providing a remote session, restart them for the settings to take effect.
This feature is supported for the following:
- Windows Cloud PC/Azure Virtual Desktop session hosts running the latest Microsoft-supported Windows client OS versions.
- Supported clients: Windows 11 physical devices running supported native clients that have the Windows Cloud IO Protect MSI installed.
- Unsupported clients: virtual endpoint devices (VMs), macOS, iOS, Android, Web, and Windows devices without Windows Cloud IO Protect enabled, including Windows 365 Link devices.
What is the registry change, and how can it be implemented manually?
The Group Policy Object steps apply only to hybrid environments. Support for Entra join customers will be available soon. Today, the feature can be enabled for Entra join customers by adding the registry value manually as given below.
- Open the Registry Editor app
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
- Create a new DWORD with name fWCIOKeyboardInputProtection and value 1.
Steps to Enable Windows Cloud Keyboard Input Protection (Registry) with PowerShell
```powershell
# Registry path
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"

# Registry value details
$valueName = "fWCIOKeyboardInputProtection"
$valueData = 1
$valueType = "DWord"

# Create registry path if it doesn't exist
if (-not (Test-Path $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
}

# Create or update the DWORD value
New-ItemProperty `
    -Path $regPath `
    -Name $valueName `
    -Value $valueData `
    -PropertyType $valueType `
    -Force | Out-Null

Write-Output "Windows Cloud Keyboard Input Protection registry setting enabled successfully."
```
How to Run It
Option 1: Run Locally (Admin Required)
Run PowerShell as Administrator
Disable / Rollback Script (Optional)
```powershell
Set-ItemProperty `
    -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
    -Name "fWCIOKeyboardInputProtection" `
    -Value 0
```
Or remove completely:
```powershell
Remove-ItemProperty `
    -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
    -Name "fWCIOKeyboardInputProtection"
```
After setting the registry:
- Sign out / Sign in
- Or reboot (recommended for kernel-level features)
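To confirm what a Cloud PC or session host actually has configured after the enable or rollback steps above, the following added example (not code from the original post or from Microsoft) reads the value back and distinguishes enabled, disabled, not configured, and a value created with the wrong registry type. The function name is hypothetical; the path and value name are the ones given on this page.

```powershell
# Added example: report the state of the registry value this page sets.
function Get-WcipPolicyState {                 # hypothetical helper name
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
        [string]$Name = 'fWCIOKeyboardInputProtection'
    )

    $result = [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        State    = 'NotConfigured'
        Kind     = $null
        Data     = $null
        # Shown so you can tell whether the machine restarted after the change.
        LastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    }

    # Missing key or missing value both mean the setting was never written.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key -or $key.GetValueNames() -notcontains $Name) {
        return $result
    }

    $result.Kind = $key.GetValueKind($Name)
    $result.Data = $key.GetValue($Name)

    # The page specifies a DWORD; flag anything else (for example a string "1").
    if ($result.Kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $result.State = 'WrongType'
    } elseif ($result.Data -eq 1) {
        $result.State = 'Enabled'
    } else {
        $result.State = 'Disabled'
    }
    $result
}

Get-WcipPolicyState | Format-List
```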
Steps to Enable Windows Cloud Keyboard Input Protection (Registry) with Ansible
Ansible Inventory File
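```ini
[windows_endpoints]
w365-endpoint-01
w365-endpoint-02

[windows_endpoints:vars]
ansible_connection=winrm
# Placeholder credentials: keep real secrets out of the inventory file (for example in Ansible Vault).
ansible_user=Administrator
ansible_password=YourPassword
ansible_winrm_transport=ntlm
# Port 5985 is WinRM over HTTP; the HTTPS listener is 5986.
ansible_port=5985
# Certificate validation only has an effect on HTTPS connections.
ansible_winrm_server_cert_validation=ignore
```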
Ansible Playbook
```yaml
---
- name: Enable Windows Cloud Keyboard Input Protection (Registry)
  hosts: windows_endpoints
  gather_facts: no
  tasks:
    - name: Ensure Terminal Services policy registry path exists
      ansible.windows.win_regedit:
        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
        state: present

    - name: Enable Windows Cloud Keyboard Input Protection
      ansible.windows.win_regedit:
        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
        name: fWCIOKeyboardInputProtection
        data: 1
        type: dword
        state: present

    - name: Confirm registry setting
      ansible.windows.win_reg_stat:
        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
        name: fWCIOKeyboardInputProtection
      register: keyboard_protection_status

    - name: Display validation output
      debug:
        msg: >
          Windows Cloud Keyboard Input Protection enabled:
          {{ keyboard_protection_status.value == 1 }}
```
That’s all about it; you can add the Ansible playbook to your DevOps image pipeline. Let me know the test result once you implement it.