Watermarking in Azure Virtual Desktop

Watermarking, alongside screen capture protection, helps prevent sensitive information from being captured on client endpoints. When you enable watermarking, QR code watermarks appear as part of remote desktops. The QR code contains the Connection ID or Device ID of a remote session that admins can use to trace the session. Watermarking is configured on session hosts using Group Policy, and enforced by Windows App or the Remote Desktop client.

Here's a screenshot showing what watermarking looks like when it's enabled:

A screenshot showing watermarking enabled on a remote desktop.

Important

  • Once watermarking is enabled on a session host, only clients that support watermarking can connect to that session host. If you try to connect from an unsupported client, the connection will fail and you'll get an error message that is not specific.

  • Watermarking is for remote desktops only. With RemoteApp, watermarking is not applied and the connection is allowed.

  • If you connect to a session host directly (not through Azure Virtual Desktop) using the Remote Desktop Connection app (mstsc.exe), watermarking is not applied and the connection is allowed.

Prerequisites

You'll need the following things before you can use watermarking:

  • An existing host pool with session hosts.

  • A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool Contributor built-in role-based access control (RBAC) roles on the host pool as a minimum.

  • A client that supports watermarking. The following clients support watermarking:

    • Remote Desktop client for:

    • Windows App for:

      • Windows
  • Azure Virtual Desktop Insights configured for your environment.

  • If you manage your session hosts with Group Policy in an Active Directory domain, you need:

    • A domain account that is a member of the Domain Admins security group.

    • A security group or organizational unit (OU) containing the session hosts you want to configure.

Enable watermarking

To enable watermarking using Group Policy:

  1. Follow the steps to make the Administrative template for Azure Virtual Desktop available.

  2. Open the Group Policy Management console on device you use to manage the Active Directory domain, then create or edit a policy that targets the computers providing a remote session you want to configure.

  3. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop.

  4. Open the policy setting Enable watermarking and set it to Enabled.

    A screenshot of the available settings for watermarking in Group Policy.

  5. You can configure the following options:

    Option Values Description
    QR code bitmap scale factor 1 to 10
    (default = 4)
    The size in pixels of each QR code dot. This value determines how many the number of squares per dot in the QR code.
    QR code bitmap opacity 100 to 9999 (default = 2000) How transparent the watermark is, where 100 is fully transparent and 9999 is fully opaque.
    Width of grid box in percent relevant to QR code bitmap width 100 to 1000
    (default = 320)
    Determines the distance between the QR codes in percent. When combined with the height, a value of 100 would make the QR codes appear side-by-side and fill the entire screen.
    Height of grid box in percent relevant to QR code bitmap width 100 to 1000
    (default = 180)
    Determines the distance between the QR codes in percent. When combined with the width, a value of 100 would make the QR codes appear side-by-side and fill the entire screen.
    QR code embedded content Connection ID (default)
    Device ID
    Specify whether the Connection ID or Device ID should be used in the QR code. Only select Device ID with session hosts that are in a personal host pool and joined to Microsoft Entra ID or Microsoft Entra hybrid joined.

    Tip

    We recommend trying out different opacity values to find a balance between the readability of the remote session and being able to scan the QR code, but keeping the default values for the other parameters.

  6. Ensure the policy is applied to your session hosts, then refresh Group Policy on the session hosts or restart them for the settings to take effect.

  7. Connect to a remote session with a supported client, where you should see QR codes appear. Any existing sessions will need to sign out and back in again for the change to take effect.

Find session information

Once you've enabled watermarking, you can find the session information from the QR code by using Azure Virtual Desktop Insights or querying Azure Monitor Log Analytics.

Azure Virtual Desktop Insights

To find out the session information from the QR code by using Azure Virtual Desktop Insights:

  1. Open a web browser and go to this link to open Azure Virtual Desktop Insights. Sign-in using your Azure credentials when prompted.

  2. Select the relevant subscription, resource group, host pool and time range, then select the Connection Diagnostics tab.

  3. In the section Success rate of (re)establishing a connection (% of connections), there's a list of all connections showing First attempt, Connection Id, User, and Attempts. You can look for the connection ID from the QR code in this list, or export to Excel.

Azure Monitor Log Analytics

To find out the session information from the QR code by querying Azure Monitor Log Analytics:

  1. Sign in to the Azure portal.

  2. In the search bar, type Log Analytics workspaces and select the matching service entry.

  3. Select to open the Log Analytics workspace that is connected to your Azure Virtual Desktop environment.

  4. Under General, select Logs.

  5. Start a new query, then run the following query to get session information for a specific connection ID (represented as CorrelationId in Log Analytics), replacing <connection ID> with the full or partial value from the QR code:

    WVDConnections
    | where CorrelationId contains "<connection ID>"