Watermarking for Windows 365 Cloud PCs and Azure Virtual Desktop is an excellent security feature that can be enabled alongside screen capture protection. When you activate watermarking, QR code watermarks appear within Cloud PC and AVD sessions. The QR code carries session information that can be traced back to identify the user.
The implementation of watermarking in Cloud PCs and AVDs serves as a protective measure, preventing information from being stolen, used, or altered without the owner’s permission.
Some of the useful Articles/Step-by-Step guides on Windows 365:
- How to Setup Windows 365: Step-by-Step Guide.
- Windows 365: Enable Screen Capture Protection using Intune.
- Set Idle Session Limits Using Intune for Windows 365/AVD.
To enable watermarking on Windows 365 Cloud PC and AVD session hosts, please take note of the following prerequisites:
- You will require Remote Desktop client version 1.2.3317 or later on Windows 10 and later client endpoints.
- You can use the Remote Desktop Client or Windows App for best results.
- Ensure Azure Virtual Desktop Insights are configured (when enabling Watermarking for AVDs). For Windows 365 Cloud PCs, this is not required.
Steps to Enable Watermarking on Windows 365/AVD using Intune
To configure watermarking on Windows 365 Cloud PCs and Azure Virtual Desktop session hosts, please follow the steps below:
- Sign in to the Intune admin center.
- Go to Devices > Configuration > Click on Create.
- Select Platform as Windows 10 and later
- Profile type as Settings Catalog
- Click on the Create button.
Enter the Name and Description of the profile. For Example:
- Name: W365 Watermark Policy.
- Description: This policy enables watermarking on the Cloud PCs.
Click on Next to proceed.
- Click on “+ Add settings.”
- In the Settings picker, search for “watermarking”.
- Click on the Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Azure Virtual Desktop category.
- Check the box for “Enable watermarking” and exit the settings picker.
- Toggle the switch to enable watermarking. After enabling watermarking, the following configuration options will be available.
| Setting | Values | Description |
|---|---|---|
| Height of grid box in percent relative to QR code bitmap height (Device) | 100 to 1000 | The distance between the QR codes is specified in percent. When combined with the width, a value of 100 would make the QR codes appear side-by-side and fill the entire screen. |
| QR code bitmap opacity (Device) | | The opacity of the watermark is determined by a percentage. A value of 100 is fully transparent, and higher values increase opacity. |
| QR code bitmap scale factor (Device) | 1 to 10 (default = 4) | The size of each QR code dot is measured in pixels. This value determines the number of squares per dot in the QR code. |
| QR code embedded content (Device) | Connection ID and Device ID | When configuring watermarks for Windows 365 Cloud PCs, set this option to ‘Device ID.’ The Device ID option is valid only for target devices that are Microsoft Entra joined or Microsoft Entra hybrid joined. |
| Width of grid box in percent relative to QR code bitmap width (Device) | 100 to 1000 (default = 320) | The distance between the QR codes is specified in percent. When combined with the height, a value of 100 would make the QR codes appear side-by-side and fill the entire screen. |
Click on Next.
Click Add groups and select an Entra security group containing Cloud PCs.
Review + create
Review the policy summary on the Review + Create tab and click Create.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.
Monitoring Intune Watermarking Policy Deployment Progress
To monitor the deployment progress of a Device configuration profile, follow the steps below:
- Sign in to the Microsoft Intune admin center.
- Click on “Devices” and then click on “Configuration”.
- Choose the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
- Click on “View report” to access more detailed information.
After the Cloud PCs have synchronized the watermarking policy deployed via Intune, QR watermarks will appear on the screen according to the device configuration profile settings. The Windows App is the preferred method to connect to a Cloud PC. However, you can also connect to Windows 365 Cloud PCs using a browser. QR watermarking will appear regardless of the client used to connect.
When configuring watermarks for Windows 365 Cloud PCs, we set the QR code embedded content (Device) to ‘Device ID,’ the recommended option. Therefore, the QR codes will trace back to the Device ID of the Cloud PCs, which can then be linked back to the user.
QR Code Watermarks not getting applied
After configuring the device configuration profile and deploying it to the target Cloud PCs, it may take some time to take effect. You can expedite the deployment by manually forcing an Intune sync on your Cloud PC.
Restarting the Cloud PC can also help speed up the policy deployment process. For reference, you can use this step-by-step guide, which demonstrates four different ways to restart your Cloud PCs.
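The manual sync and a check that the policy has reached the device, as an added PowerShell example that is not part of the original article. It assumes the `PushLaunch` scheduled task that MDM enrollment creates, and that the watermarking values are written under the Remote Desktop Services policy key shown in the script; the function names are hypothetical.

```powershell
# Added example. Run in an elevated PowerShell session on the Cloud PC or session host.
# Assumption: the Remote Desktop Services template writes its values under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Start-IntuneSync {
    # MDM enrollment creates a 'PushLaunch' task under
    # \Microsoft\Windows\EnterpriseMgmt\<enrollment GUID>\; starting it requests a check-in.
    $task = Get-ScheduledTask -TaskName 'PushLaunch' -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' } |
        Select-Object -First 1
    if (-not $task) {
        Write-Warning 'No PushLaunch task found: this device does not look MDM-enrolled.'
        return $false
    }
    $task | Start-ScheduledTask
    return $true
}

function Get-WatermarkPolicyValue {
    # Emit every value under the policy key whose name mentions "Watermark".
    if (-not (Test-Path -Path $PolicyKey)) { return }
    (Get-ItemProperty -Path $PolicyKey).PSObject.Properties |
        Where-Object { $_.Name -like '*Watermark*' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Value = $_.Value } }
}

function Wait-WatermarkPolicy {
    # Poll until at least one watermarking value exists or the timeout expires.
    param([int]$TimeoutSeconds = 300, [int]$PollSeconds = 15)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $values = @(Get-WatermarkPolicyValue)
        if ($values.Count -gt 0) { return $values }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return @()
}

if (Start-IntuneSync) {
    $applied = @(Wait-WatermarkPolicy)
    if ($applied.Count -gt 0) {
        $applied | Format-Table -AutoSize
    } else {
        Write-Warning 'No watermarking values after sync: check the group assignment and the profile report.'
    }
}
```

If the values are listed but no QR codes appear, compare them with the profile settings in the Intune report before changing the policy.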