358 comments

[ 3.2 ms ] story [ 248 ms ] thread
Any security feature that can be totally defeated with a spicy HDMI splitter and a 2nd computer should not exist.

This stuff looks much more to me like "fuck the user" than anything else. I am 100% convinced there is a cult of evil bastards at Microsoft, et. al. that is hellbent on making everyone's UI/UX as janky as possible.

Yea, this sounds like "Microsoft teams no longer supporting video on Linux and old versions of mac/windows" more than anything
Sounds like an good reason to turn down invites with an Teams link
Yep, joining Teams meetings from a browser on Linux is a flaky experience at best (despite Meet and Zoom working fine.) I'll happily send back a Google Meet invite to anyone that invites me to a Teams meeting.
Or, you know, just use the phone in your pocket
(comment deleted)
No. It is there to protect an organization from itself. It tells the participants that the content should not be shared by them.

It is essentially like a watermark in a PDF. It can be trivially defeated, but that isn't the point.

[flagged]
I think that it might more have legal implications than practical ones. It wont protect the organization from information exfiltration, but it might legally protect it, in the sense that a court might state that the necessary technical measures were there, so the organization is not responsible for the data leak that happened... or something in that direction.
If they wanted something like a watermark, they could have just added a watermark...
My complete guess would be a legal team asked for this. You can easily imagine several scenarios that would prompt them to seek out a feature like this.

I think this because our company recently enforced a 2 year mail deletion policy on all mailboxes for "legal reasons." Which were "we don't want stuff to show up in discovery if we get sued."

They could just integrate Web DRM APIs like Google Widevine, Microsoft PlayReady, and Apple FairPlay, as both of them are integrated into the operating system and only work with a supported monitor. An HDMI splitter would likely not pass the test.

Streaming services like Netflix and Disney Plus use these APIs to protect their content as well.

That's why OP mentioned a spicy HDMI splitter. HDMI splitters are allowed to break HDCP, which means that protection doesn't really matter.

I use a setup like this frequently for work to demo our Android TV based apps with full content even though it all has DRM applied. Always leads to a "how did you get this footage" line of questioning for anyone who knows that we use DRM.

How about a Camera directed at the screen, from an angle not visible by your webcam?
(comment deleted)
Same with door locks. If you don't have Protec2 and an armed guard at the door why bother
The workaround that Microsoft is officially supports but isnt mentioning it.....is using microsoft recall.
Yeah maybe this is a way of preventing anyone else from creating a copilot competitor
Yes. Don’t take a screenshot of your teams meeting, you aren’t trustworthy. We will block that while we take a screenshot of everyone’s computer every couple minutes and run an LLM on it.
Does psr.exe no longer take screenshots?
Why would Recall be allowed to screenshot DRMed content?
Because Recall would lose its entire purpose if it cannot recall any of your working day.
It wouldn't, but nobody criticising Recall uses Windows or had read the announcement
What makes you think that userspace software can bypass userspace restrictions?

Any and every screen capture app will show a blank or a replacement screen for the restricted area.

When Microsoft announced Recall they explicitly mention that it won't record drm video. Won't record private Browser windows. Will have configuration for what apps/windows to exclude.
At some point, you need to trust your staff. If you do not trust them to keep confidential information private, then why are you giving them the information in the first place?
You can’t really sniff out disgruntled employees until they act on it.
maybe if your employees are disgruntled and feel like they can't talk to you about it you are shit at your job
I had aggressively disgruntled colleagues that couldn‘t deal with being fired, having 3 month notice period and 2 extra salaries and called the CEO names via anonymous all hands meeting.

Many people are babies.

People make mistakes. Why not put a simple control in that doesn't get in the way of any legitimate use?
The mistake being, what, accidentally sneezing onto the printscreen button so hard it depresses?

This isn't the same as leaving a tool in someone; making and misplacing a screencap take active doing. If your meeting participants actively want to put data where it doesn't belong, the solution isn't accident prevention

The mistake being to intentionally take a copy of something confidential, because you forgot it was supposed to be confidential. People do things like this all the time.

It's essentially a guardrail. It can be easily circumvented if someone was being actively malicious.

I have some friends who work in a medical facility. They get an extreme amount of training on patient privacy laws and constant reminders not to get sensitive patient information on to their personal devices.

Despite the intense training and constant warnings, it happens constantly. And that’s just the cases they know about and address.

You have to be able to trust your staff, but you also have to be realistic that any organization at scale will have people who either don’t care or don’t think and it happens frequently.

In the US, medical privacy laws serve exactly two purposes:

1) Prevent the patients from suing after a data breach or intentional sale of their medical records, regardless of negligence.

2) Transfer as much money as possible from health care to privately owned businesses in the compliance industry.

Very few computer security lessons from that industry generalize to other parts of the economy.

Extreme amount of training? More like once a year online HIPAA test that everyone blows through with the occasional CISO phishing campaigns that at least one person fails.
This is a very weak argument.
Does this include screenshots? Lots of us screenshot coworkers screen share to log bugs and issues they are showing on a screen.
(comment deleted)
So, record your screen with your phone. =D
Interesting how this will stop me from taking a picture with my mobile phone. The amount of effort people will go to, to make people's work more cumbersome. I am not screenshotting for espionage, I am screenshotting to accomplish my job.
That was my first thought also.

I suppose if the presenter wants no screenshots they’d also want cameras on and you’d have to be pretty sly about using your phone.

Either way, dumb. The analog hole can’t be closed.

Sounds like they’ll want to disable the camera controls next.
Duplicate screen to another monitor outside of view of the camera is the low tech solution. The better one would be to get a HDMI splitter that can plug the feed into something to make a digital copy.
And the phone’s what I’d be using to exfiltrate anyway. I’d only screenshot on the work device for work purposes.
100% this. If I have something juicy I want to show my wife about how they’re messing up our 401k’s, etc. I take a phone picture so that there’s no record of it happening on the official device.

Microsoft doing this is a huge waste of time other than catching the bottom 5% of people doing something like that.

I just want to add that my company has our stuff so locked down, that it’s easier for me to take a phone pic, transcribe the code with ChatGPT, fix the issue on my personal machine, then type it back into the work laptop for some issues. It’s absurd how businesses want to control everything to such a degree that 1) there are now these crazy, leaky workarounds, and 2) it’s to the detriment of people actually getting stuff done for the business.

Not relevant at all.

This is like a watermark on a PDF. Not some impossible to circumvent security protocol.

It’s not literally every Teams meeting.

It’s an option the presenter can turn on when needed.

If you need the data from the presenter to do your job, presumably you’d contact them and ask.

I don’t know about you but sometimes it’s some small piece of information that isn’t worth contacting the presenter about. I need to call or craft an email, be polite and come up with some nonsense greeting maybe for a bullet point or two or a string I don’t want to rapidly shift focus to duplicate by hand. Then I have to sit around and wait for a response where they have to do the same, and I’m definitely not their priority.

Businesses want to control everything, so this will become a common default for people to use. It’ll be embedded in all sorts of company policies and I wouldn’t be surprised if Teams clients in some corporate domain can set it as a default option to help promote the policy (by default block screenshots on all our presentations to reduce liability risks).

If it’s like a paper, some data advertised, or some significant work that’s when you generally want and need to contact the author.

> I don’t know about you but sometimes it’s some small piece of information that isn’t worth contacting the presenter about. I need to call or craft an email, be polite and come up with some nonsense greeting maybe for a bullet point or two or a string I don’t want to rapidly shift focus to duplicate by hand. Then I have to sit around and wait for a response where they have to do the same, and I’m definitely not their priority.

So it’s something critically important for you to get your job done, but also something that’s not worth writing a couple sentence e-mail about, but also going to block your work while you sit around and wait all day for it?

Communication is the foundation of any office job. If you’re in a meeting with these people, just ask in the meeting? If you can’t, send an email during the meeting and you haven’t lost any time. It’s really not as hard as you’re trying to make it sound.

I generally discourage people from using ChatGPT for office communication, but to be honest if writing a simple e-mail request to get something you need for your job triggers this level of overthinking, you might benefit from letting it at least draft the email to get you started and past the analysis paralysis.

No he didn't say it's critically important. I don't know why you're being obtuse about this. He's 100% right.
> I need to call or craft an email, be polite and come up with some nonsense greeting maybe for a bullet point or two or a string I don’t want to rapidly shift focus to duplicate by hand. Then I have to sit around and wait for a response where they have to do the same, and I’m definitely not their priority.

This is not a problem with this feature, this is a problem with your office's expectations surrounding communication.

At my workplace this exchange looks like a slack message along these lines:

> Hey, can I get a copy of the info from side 10? I'll use it for $X.

> presumably you’d contact them and ask

Hey sorry to interrupt you but you blocked screenshots so please send me this frame. Also don't mind me I'll stop you again in 65 seconds.

> I am not screenshotting for espionage, I am screenshotting to accomplish my job.

This is literally the threat model that this feature is protecting against: it gives presenters a way to say "no really, when I say don't record I mean don't record". If people end up overusing it at your company, that's a problem to address with them, but I can totally imagine use cases where you would want to turn this on just as an added precaution against accidental but well-intentioned misuse of the visual aids in a private presentation.

This isn't to protect against corporate espionage, it's to give presenters the option to be a little bit more clear about their expectations of confidentiality.

No, no, what they’re doing is making it harder for me to work around their (inevitably misplaced) expectations of confidentiality. This is one of those things that will be misused to hell and back so we’re better off not having the feature at all. It’s existence is a net negative to corporate employees everywhere.
The other commenter is right. Same reason I use DRM email. It’s not that I’m stopping espionage, but reminding folks that this message shouldn’t be distributed to others.
Some people also use formats like PDF or images instead of editable text or slides for exactly the same reason.

It's not that they can't be modified, but it's an indication that you're not supposed to.

Could you trivially circumvent this by running Teams in the browser?
>to Android, desktop, iOS, and *web users* worldwide in July 2025.
... how?
Basically by enabling drm (widevine). For the browsers/configurations that people knowledgable about browsers use for anything but streaming they'll force audio only mode and pretend that it's an acceptable solution.
This is just to serve as a reminder of who actually "owns" your computer.

Overwhelmingly, people who speak in favor of windows, grew up using it. It's like the indoctrination of any religous cult, it works best when you start young.

One has to wonder when the world will recover from windoze brain damage...

Is that really any different than those that grew up with a Mac?
It's not a Windows vs Mac thing. It's using closed-source software vs open-source, i.e. Windows & Mac vs Linux et al.
This is highlighted by how many different types of user interface environments are implemented in free s/w platforms, vs the monoculture user interfaces of proprietary OSes.

The resultant windoze brain damage is a co-mingling of "you don't know what you don't know", lack of awareness of just how varied computer interfaces could be, with the "child indoctrination" aspect that nothing else seems quite right when it's not what you were raised on.

After my first programming experiences, on a TRS-80 in the mall radio shack in the late '70s, I was exposed to a variety of user interfaces, but eventually became locked into windows myself, mostly from employer enforcement.

The thing that drove me away in the end was the way various settings were moved around with each new release, and the way my workflow had to constantly adapt to arbitrary changes in the user interface with each revision.

After exploring a wide variety of desktop environments, I've been on fluxbox window manager for many years now and I'm still quite satisfied. All of my configuration options are in my home directory, and my user interface experience is recreated without incident when updating, and even when moving to new h/w.

But the monoculture is wide spread, and continues to inhibit computer innovation outside of what will benefit the mothership...

Really only as a matter of scale.

The main vendor locking practice of M$, has been to cut deals w/ h/w makers to preinstall windoze on their new computers.

This caused many many more people to face childhood indoctrination into windoze than into macOS.

Tangentially, over many years apple was a less malicious company than M$, but that advantage has waned in recent years.

> It's like the indoctrination of any religous cult

Heh; sister in grade school for her computer class was given a pamphlet where she and her classmates could learn how to become web surfers with IE, how to write a blog with WL Writer and how cool is SkyDrive for saving your files.

I was in favour of Windows until it reached a peak and then rapid decline.

MS was nowhere near as hostile towards its users in the past than it is now.

Awesome, this was really needed.

No, this isn't a "security" feature and it obviously can be easily circumvented. The reason this is useful is to make it extremely clear to participants that the contents should not be shared by them.

I think this would be true if this feature was optional. Then if a particular meeting had it on then you would think twice about capturing the content, but if it's always on even on some team games night then its devalued.
I screenshot a lot on meetings to take notes, usually when someone is presenting a slide and I want to note down the bits that are relevant to my work. But no, espionage!
What's to stop me embedding a pinhole camera in the lamp behind me, zooming it in on the screen, and recording every meeting?

These kinds of measures only stop the good guys from doing their jobs. The bad guys put way too much effort into espionage for this to work.

Totally irrelevant. This is there to protect an organization from itself. Think of it as a watermark on a PDF.

It exist to make the easiest way impossible and to tell participants that the content should not be shared by them.

I'm pretty sure you can use some HDMI capture device to do that easier.
That's the equivalent of sitting in a movie theater with a camcorder. Not important enough to bother crafting a solution for.
I would say it's completely different. A camcorder movie has bad quality, most people would rather pay for a good quality movie than a free camcorder one.

For sensitive data on the other hand quality doesn't matter as long as it's readable.

Plenty of people would pay to watch a camcorder copy of a new release film rather than pay the cost of taking the whole family to the theatre. That’s why it was commonly done. Now you just go online.
(comment deleted)
But if it makes Microsoft’s claim untenable then it’s worth noting that security is only limited…a sweeping generalization that “screen capture is blocked” isn’t really valid anymore.

Making something more difficult is okay to claim in my view, but trying to over-state capabilities or security concerns is problematic.

the Analogue hole Will never Die
It's not technically currently dead, but running a film movie camera pointing at your laptop during a Teams call is a bit out of reach of most. Even movies costing millions of credits are not shot on analogue any more.

Can you manufacture film yourself? Know anyone who does?

It could start with quietly making the essential chemicals in film production and development "controlled". Then you might need a licence to do analogue photography. Eventually even the last few analogue photographers either die or switch to digital due to the increasing impracticality of analogue. Then the film companies stop making it, then you make it illegal for them to start making it again. You've now killed the analogue hole.

Maybe you're hoping it would be futile like the war on drugs, except there's actually demand for drugs. I can't imagine dealers suddenly stocking up on illegal film for all the people wanting to capture stuff from their Teams calls.

I love all the comments imagining complex technical workarounds while skipping right over the obvious workaround of using a smartphone camera to take a picture of the screen (which was mentioned near the top of the article that everyone read, of course). Modern camera phones are wide angle enough that it’s not hard to grab a shot of the monitor out of frame.

> These kinds of measures only stop the good guys from doing their jobs. The bad guys put way too much effort into espionage for this to work.

This is for preventing casual screenshots and reminding average office workers that meeting content is sensitive. It’s not an iron-clad tool for defeating dedicated espionage involving hidden pinhole cameras.

There have been similar arguments for ages about how if something isn’t iron-clad perfect protection then it’s pointless, but in the real world making something more difficult actually makes people think twice and stops most of the people who would casually do it.

See for example Snapchat’s screenshot notifications. It’s well known that there’s an elaborate way to circumvent it. However the fact that it takes a lot of work and there’s a risk of getting caught trying really hard to deceive the other party is enough to make most people not want to risk it.

Exactly right. The great firewall of China is another example - of it blocks 60% of people from outside content it is probably "good enough for government work".
> Modern camera phones are wide angle enough that it’s not hard to grab a shot of the monitor out of frame.

Pedantic correction:

'grab a shot of the monitor out of frame of the webcam of the person wanting to take screenshots of the meeting'.

First time I read it I was somehow imagining breaking of laws of physics lmao.

I suppose the biggest irony of this is, most of the shops that might want to enable this are already so sloppy that they half expect folks to screenshot teams presentations for notes later.

(comment deleted)
I bet it streams the video like a protected HDMI movie... so the video stream isn't part of the WDDM's Team's Window - but placed on top of it.

Interestingly that can be overcome by moving the video just a little between two screens, which reverts it back to a WDDM surface. =D

Or TWO monitors, with "Duplicate" selected, and a camera recording the second monitor under the desk.

Thank you for this. I'm honestly baffled about the quality of other hackers' comments on this topic. Many of them take the feature as a personal attack where it simply is an additional layer of protection against accidentally leaking confidential information. Then making statements that this prevents people from working, where they did not understand that taking screenshots from meetings where this is enabled is not working, but violating work guidelines. When the presenter enables this, they want people to not take screenshots.

This whole comment sections is honestly ridiculous.

The vendors of the camera have the same interests of the vendor of the software. It is just a matter of time until the software watermarks the video and your camera automatically stops recording.

Users have to resort to (exclusively, if possible) open source tools.

The real solution is democratization of manufacturing. We need the ability to make our own hardware, our own computers. Then we won't need to suffer the silly policies of corporations.
Do you use netflix? Maybe similar when taking a screenshot there you end up with black where the video is playing

I can totally imagine that they will do something similar,so I guess it's pretty simple to implement if done like that

WhatsApp disabled creating screenshots of profile pictures (this annoyed my grandmother), but it cannot really do this when using through the web interface.
These folks never heard of something called photographic camera.
Wait till they implement no-screenshot zones just like they do with drones.
A former colleague was harassed for a months on end a boss and used screen recordings to prove it to HR.

Not surprised at all that MS is doing this.

Nothing is stopping anyone from recording the screen and capturing audio. However that is not the point. These features are required by regulated industries and companies like Microsoft can offer them. Plain and simple.
And what will prevent people from patching their Teams clients to still allow screenshots? What will prevent someone from building an unofficial Teams client from scratch that has none of this bullshit in the first place?
Which APIs would one use to implement this feature on Mac and Windows? For example is there a OS level flag that one can include on windows to not allow capturing of the app’s window - or is a notification sent out when someone tries to capture the screen (and then one can just blank the window)?
(comment deleted)
Yeah. Concentrating on getting Windows and all MS products to be more secure and robust, instead of building up smoke and mirros would have been too hard I guess.

What a waste of developers resources.

That's quite unfortunate because due to a screen capture through Snipping Tool I got evidence of my org planning to fire me before even making announcements through a shared PowerPoint deck with a slide containing a org chart which shouldn't really be there at the time in the Teams meeting.

So from a employee POV it has its uses.

But people who will get in the same situation like me could simply use the camera on their phone pointed at the screen and be done with it, I guess.

use your smartphone's camera next time. that puts the evidence on your device rather than your company's device.
I would always screenshot people's desktop/email when they started presenting, lot of people dig up decks in their email or they share their full desktop. Emails are useful especially when dealing with a vendor to see what other customers they are dealing with.
So how does this affect Teams in the browser?
Very likely. WideVine and PlayReady can enforce.
If they don't it's bye bye Teams for me (a blessing in disguise) because they discontinued the Linux client a while ago.
This is exactly my problem, hope they don't do the insane thing and just butcher it further
Watermarks, both hidden and visible, would be a more sensible solution.
This and DRM and other restrictive anti-features like self destroying messages, un-recordable strings, unprintable files are all fully artificial restrictions. They make no sense when the source code is available since removing it is as simple as removing an if.

I payed for my device, it is mine, it is up to me to decide whatever I'll do with it. It is my right under the private ownership definition. The current situation on modern devices, especially smartphones, is ridiculous and a complete distortion of rights that are fundamental even for the roots of capitalism.

Users should organize and, at the least, avoid using such services even if it means to lose some convenience. Losing my freedom is not a fair price to pay for such conveniences.

I have a hearing disability. I often recorded meetings so that I could replay and listen to key points again.

This is going to block a valid use of screen recording and I wonder if it would violate A.D.A. requirements

Your employer has an obligation to provide reasonable accommodations for your disability. There could be a number of solutions including:

* paying for professional human captioning of the meetings you're in (automated captions are not accurate enough to be relied on) * the host using Teams' own recording system and providing only you with the recording, maybe only the audio

is this something you have to enable(or disable) for your tenant? or for a particular meeting? i don't understand from the article

i don't see why would you want to enable this, unless you have BYOD allowed

Most folks know this is easily defeated typically by viewing the content on another device (eg via casting it, remote desktop, phone mirroring, etc) or viewing it from within a VM, and then using the native screen capture functionality on the viewing device to record/screenshot whatever you need.

That being said - guessing they are doing this for their enterprise customers mainly, where alot of those other options are locked down. But plenty of people already know to just record their screen from their phone anyway - impossible to block that and much safer way to exfiltrate whatever info/data you need.

> This feature will be available on Teams desktop applications (both Windows and Mac) and Teams mobile applications (both iOS and Android)."

Seems like it’s even easier, just join the meeting via browser.

I’m not familiar with a way to enforce this type of restriction in the browser.

Browser DRM like WideVine and PlayReady do the enforcing
Really? I didn't know it was possible to use DRM like WideVine for peer-to-peer video.
Teams is going through a central server and bouncing it out to participants, right? Not p2p.
I thought Teams was a reskin of Skype so whatever they used to do…
I've disabled DRM on my Firefox browser.

Sheesh, we've come to a state where browsers can no longer be referred to as "user agents".

From the Article, if only to be pedantic enough that I agree with 'yes a browser might work'

> The company plans to start rolling out this new Teams feature to Android, desktop, iOS, and web users worldwide in July 2025.

OTOH we will see if there's any type of weasel-wording on whether browser is in fact non-supported (i.e. will go to audio-only mode.)

The other possibility, is that every 'supported' platform has some form of DRM that results in the functionality working even on browser (just thinking out loud about DRM functionality possibilities) means Windows/MacOS/Android/iOS all work but everyone else is out of luck.

Same way Netflix does I’m sure.
The things you mention are a dream for most corporate employees, where everything is locked on their computers.

They will just make photos using their phones.

Ran into this “feature” this week. So instead of grabbing a screen cap from my VDI I have to grab it from my primary OS and then email myself the image to cross that corp “boundary”. They recently disabled copy and paste between my computer and the VDI session as well.
Wouldn’t HDCP prevent viewing content on another device? I assume that is what technology they would use to implement this.
"Easily" is temporary. There's already zero way to capture protected pixels on iOS. Cabled mirroring, screen casting, airplay, they're all blocked. Messaging apps are capitalizing on this with "screenshot protection for temporary media". Netflix has been doing it for ages. Jailbreak? Detected and blocked as "insecure device"

Maybe you can do it on not-iOS, until your insecure setup will be blocked by the server. Cat and mouse until there's 3 mice in the whole world.

This is security theater. It makes you feel secure but it doesn’t actually protect you. If things can not get out do not share them via Trams in the first place.
And adds an inconvenience. Easy enough to get around, but, now I have to add some extra effort to get around it.