
Enabling Watermarking feature for AVD

Microsoft recently released the watermarking feature in a public preview for Azure Virtual Desktop. Watermarking is a valuable feature in secure environments that protects sensitive documents by introducing a watermark onto the session. This means that if somebody attempts to take a screenshot or a photo, it is easy to find the source of that photo. An example is if somebody is trying to steal information or documents containing credit card numbers.

In this blog post I will show you how to enable the watermarking feature. Note that the feature is currently in Public Preview, so it does have some limitations.

The biggest limitation currently is that it is only supported by the Windows Remote Desktop Client v1.2.3317 or later, and on Windows 10 or later. If you attempt to connect from any other client, such as the macOS client or the web client, the connection will fail.

You also need to ensure that Azure Virtual Desktop Insights is Enabled on the host pool.

Step 1 – Download the Administrative Template for Azure Virtual Desktop

Head over to https://learn.microsoft.com/en-us/azure/virtual-desktop/administrative-template, download the Administrative Template and deploy it onto your Domain Controllers. Once you have imported and linked the GPO, you need to enable the configuration setting. The settings are as follows:

| Option | Values | Description |
|---|---|---|
| QR code bitmap scale factor | 1 to 10 (default = 4) | The size in pixels of each QR code dot. This value determines the number of squares per dot in the QR code. |
| QR code bitmap opacity | 100 to 9999 (default = 700) | How transparent the watermark is, where 100 is fully transparent. |
| Width of grid box in percent relevant to QR code bitmap width | 100 to 1000 (default = 320) | Determines the distance between the QR codes in percent. When combined with the height, a value of 100 would make the QR codes appear side-by-side and fill the entire screen. |
| Height of grid box in percent relevant to QR code bitmap width | 100 to 1000 (default = 180) | Determines the distance between the QR codes in percent. When combined with the width, a value of 100 would make the QR codes appear side-by-side and fill the entire screen. |

Step 2 – Configure the GPO Setting

Now we need to configure the relevant GPO settings. As you can see from the screenshot, I configured this on a session host which had the settings applied. Looks pretty cool, right!

Step 3 – Test

After rebooting the session host you should be able to see the QR code applied. Personally I thought it was a bit too much, so I have lowered the setting a bit and this looks more workable:

Retrieving the session details

OK, so let’s test this out! If you need to retrieve the session details, use a QR code scanner to read the watermark. Most Android or Apple phones have one built in; otherwise you can use a third-party app. When you scan the QR code you will see something similar to below:

This long number is the actual Session ID of the user session. To retrieve this we need to go into Azure Virtual Desktop Insights. Once you are in there go to the Connection Diagnostics Tab and select the Host Pool which contains the details.

Now if you scroll down to the bottom of the screen you will see the “Connection activity browser for Last 48 hours” section. In there you will see a Session ID matching the one we retrieved from the QR code.
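The same lookup can be run as a query in the Logs blade of the Log Analytics workspace that backs Azure Virtual Desktop Insights. This is an added example, not part of the original post: it assumes the host pool's diagnostics are sent to the `WVDConnections` table and that the scanned value corresponds to that table's `CorrelationId` column; the ID shown is a constructed placeholder.

```kusto
// Added example: attribute a scanned watermark value to a user session.
// The ID below is a constructed placeholder; paste the value read from the QR code.
let scannedId = "00000000-0000-0000-0000-000000000000";
WVDConnections
// Same window as the Insights connection activity browser. For an older
// screenshot or photo, widen this up to the workspace retention period.
| where TimeGenerated > ago(48h)
// Case-insensitive match, ignoring whitespace picked up when copying from the scanner app.
| where CorrelationId =~ trim(@"\s+", scannedId)
// A connection logs one row per state change; collapse them into a single record.
| summarize
    Started   = minif(TimeGenerated, State == "Started"),
    Connected = minif(TimeGenerated, State == "Connected"),
    Completed = maxif(TimeGenerated, State == "Completed"),
    take_any(UserName, SessionHostName, ClientOS, ClientVersion, ClientType, ClientSideIPAddress)
    by CorrelationId, _ResourceId
// Duration stays empty while the session is still active (no Completed row yet).
| extend Duration = Completed - Connected
```

An empty result usually means the connection is older than the time filter or the host pool logs to a different workspace.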

Summary

This is a feature which many people have been waiting for and I am sure it will be very popular, especially in secure environments where DLP is a critical requirement. However, it is in Public Preview and it does seem to be quite limited at the moment.

The only client which is supported is the Windows Remote Desktop Client. If you enable the feature on your host pool, the logon will fail unless you are using the Windows client.

I also found the QR code to be a bit visually annoying in its default setting. You can turn it down a little, but after doing so I had issues trying to retrieve the QR code unless I viewed it under a black background, i.e. a command prompt. I would advise doing some testing in your environment to find the right mix of being a usable solution,
