Azure Virtual Desktop – You can now enable watermarking (preview)

With the increasing use of Azure Virtual Desktop, it is more and more important to ensure sensitive information is protected.

A first level of protection has been added with the screen capture protection (see https://learn.microsoft.com/en-us/azure/virtual-desktop/screen-capture-protection/).

Today a new screen capture protection capability is being made available in preview: watermarking.

When enabled, QR code watermarks appear as part of the remote desktop; they do not appear for remote applications. The QR code contains the connection ID of the session, helping administrators track down the session if a screen capture is leaked.

Before you start setting things up, you need to ensure you are using the Windows Desktop Client version 1.2.3317 or later.

Then you need to download (https://learn.microsoft.com/en-us/azure/virtual-desktop/administrative-template?tabs=group-policy-domain/) the administrative template for Azure Virtual Desktop (this is not (yet) available in Intune).

Import the template either in Active Directory (if your AVD sessions are AD joined) or locally on your golden image (if your AVD sessions are AAD joined).

Then enable the "Enable watermarking" setting located under the Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Azure Virtual Desktop branch.

  • QR code bitmap scale factor:
    • set the size in pixels of each QR code dot. This value determines the number of squares per dot in the QR code
    • value between 1 and 10; default is set to 4
  • QR code bitmap opacity
    • set how transparent the watermark is, where 100 is fully transparent
    • value between 100 and 9999; default is set to 700
  • Width of grid box in percent relevant to QR code bitmap width
    • Determines the distance between the QR codes in percent. When combined with the height, a value of 100 would make the QR codes appear side-by-side and fill the entire screen
    • value between 100 and 1000; default value is set to 320
  • Height of grid box in percent relevant to QR code bitmap width
    • Determines the distance between the QR codes in percent. When combined with the width, a value of 100 would make the QR codes appear side-by-side and fill the entire screen
    • value between 100 and 1000; default value is set to 180

After applying the policy, the next session will get the QR code displayed.

Administrators can then find the session information by capturing/reading the QR code.

Then connect to https://aka.ms/avdi to open the AVD Insights workbook and, on the Connection Diagnostics tab, search for the session ID read from the QR code in the Success rate of (re)establishing a connection (% of connections) list.

This can be exported to Excel for easier searching.

You can also query the Log Analytics workspace using this log query:

WVDConnections
| where CorrelationId contains "<connection ID>"
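
To go from the connection ID to who was connected, from where and when, the query can be extended as below. This is an added example, not part of the original query; the 30-day look-back is an assumption to adjust to your workspace retention, and "<connection ID>" remains a placeholder for the GUID read from the QR code.

```kusto
// Resolve a connection ID decoded from a watermark to the user, session host and client details.
let connectionId = "<connection ID>";      // placeholder: paste the GUID read from the QR code
WVDConnections
| where TimeGenerated > ago(30d)           // assumed look-back window
| where CorrelationId =~ connectionId      // case-insensitive exact match on the GUID
| summarize
    SessionStart   = minif(TimeGenerated, State == "Connected"),
    SessionEnd     = maxif(TimeGenerated, State == "Completed"),
    States         = make_set(State),
    ClientIPs      = make_set(ClientSideIPAddress),
    ClientOS       = make_set(ClientOS),
    ClientVersions = make_set(ClientVersion),
    ClientTypes    = make_set(ClientType)
    by CorrelationId, UserName, SessionHostName
```

An empty SessionEnd means no "Completed" record was logged for that connection in the selected time range.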
