Last week, Microsoft announced the general availability of Watermarking for Azure Virtual Desktop (AVD). Let's explore what it is, what it does and how you can enable it.

Protect your data with watermarking in Azure Virtual Desktop

Azure Virtual Desktop (AVD) is a cloud-based service that allows you to access Windows desktops and applications from anywhere and any device. AVD provides a secure and scalable solution for remote work, virtual learning, and business continuity. However, as more and more data is accessed and shared through AVD, how can you ensure that your data is protected from unauthorized leakage or misuse?

One of the features that can help you prevent data theft is watermarking. Watermarking is a feature that adds a traceable watermark to remote desktops in AVD. This feature is a security measure that can help you identify the source of leaked data and deter potential attackers from capturing or sharing sensitive information.

What is watermarking and how does it work?

Watermarking is a feature that displays QR code watermarks as part of remote desktops in AVD. The QR code contains the connection ID of a remote session that admins can use to trace the session. Watermarking is configured on session hosts and enforced by the Remote Desktop client.

Here’s a screenshot showing what watermarking looks like when it’s enabled:

Watermarking

The watermark feature enables you to identify the source of leaked data by providing a unique identifier for each remote session. The identifier is the connection ID, which is encoded in the QR code watermark. The connection ID is a GUID that is generated when a user connects to a remote desktop in AVD. The connection ID is associated with the user’s identity, device, and session information.

By scanning the QR code watermark, you can find the connection ID and use it to query AVD Insights or Azure Monitor Log Analytics. These tools can help you retrieve the session information, such as the user name, host name, IP address, start time, end time, and activity details. You can also use the connection ID to search for any audit logs or security events related to the session.
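The lookup described above can be scripted. This is an added example, not code from the original post or from Microsoft: it treats the text decoded from a QR watermark as untrusted input, accepts it only if it is a well-formed GUID, and builds a Log Analytics (KQL) query for the session. The table name WVDConnections, its column names, and the 30-day look-back are assumptions based on the AVD diagnostics schema; none of them appear on this page.

```python
import uuid

# Assumption: WVDConnections and these column names are the AVD diagnostics
# schema in Log Analytics; the page itself does not list them.
KQL_TEMPLATE = """WVDConnections
| where TimeGenerated > ago({days}d)
| where CorrelationId in~ ({ids})
| summarize Started = min(TimeGenerated), LastSeen = max(TimeGenerated),
            States = make_set(State)
          by CorrelationId, UserName, SessionHostName, ClientOS, ClientSideIPAddress
| order by Started asc"""


def normalize_connection_id(scanned: str) -> str:
    """Return the canonical lowercase GUID from a scanned QR payload.

    Text decoded from a leaked image is untrusted, so only the strict
    8-4-4-4-12 form (optionally wrapped in braces) is accepted.
    """
    text = scanned.strip()
    if text.startswith("{") and text.endswith("}"):
        text = text[1:-1]
    parsed = uuid.UUID(text)         # ValueError on malformed input
    if str(parsed) != text.lower():  # rejects 32-hex, urn:uuid:, underscores
        raise ValueError(f"not a canonical GUID: {scanned!r}")
    return str(parsed)


def build_trace_query(scans, days=30):
    """Build one KQL query covering every distinct connection ID scanned."""
    if not isinstance(days, int) or days <= 0:
        raise ValueError("days must be a positive integer")
    ids = sorted({normalize_connection_id(s) for s in scans})
    if not ids:
        raise ValueError("no connection IDs supplied")
    quoted = ", ".join(f'"{i}"' for i in ids)
    return KQL_TEMPLATE.format(days=days, ids=quoted)


# Constructed sample: one session's watermark scanned twice from the same image.
SAMPLE_SCANS = [
    "3F2504E0-4F89-41D3-9A0C-0305E82C3301",
    " {3f2504e0-4f89-41d3-9a0c-0305e82c3301}\n",
]

if __name__ == "__main__":
    print(build_trace_query(SAMPLE_SCANS))
```

Paste the printed query into the Log Analytics workspace that receives your AVD diagnostics, and widen the look-back if the leak may be older than 30 days.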

By using the watermark feature, you can trace the source of leaked data and take appropriate actions, such as revoking access, resetting passwords, or reporting incidents. You can also use the watermark feature to deter potential attackers from capturing or sharing sensitive information, as they will know that their identity and session information are visible and traceable.

How do I enable it? 

The watermarking feature is now in GA. Users can scan the QR codes to find the connection ID and session information through AVD Insights or Azure Monitor Log Analytics. 

To use watermarking, you’ll need the following things:

  • A Remote Desktop client that supports watermarking. The following clients currently support watermarking:
    • Windows Desktop client, version 1.2.3317 or later, on Windows 10 and later
    • Web client
  • AVD Insights configured for your environment

You can then follow the official Microsoft guidance: https://learn.microsoft.com/en-us/azure/virtual-desktop/watermarking

What are the benefits of watermarking?

Watermarking has several benefits for enhancing the security and compliance of your data in AVD:

  • It helps you trace the source of leaked data by providing a unique identifier for each remote session.
  • It deters potential attackers from capturing or sharing sensitive information by making it visible and traceable.
  • It complements other security features such as screen capture protection, which prevents users from taking screenshots or recording videos of remote desktops.
  • It supports various compliance requirements such as GDPR, HIPAA, PCI DSS, etc., by providing an audit trail for data access and usage.

What are some use case scenarios for watermarking?

Watermarking can be useful for various scenarios where data protection and accountability are important, such as:

  • Remote work: Watermarking can help you ensure that your employees are accessing and handling your data securely and responsibly when they work from home or other locations. In the event of a breach, you can identify and report on the original source.
  • Virtual learning: Watermarking can help you prevent students from cheating or sharing exam answers by showing their identity and session information on their remote desktops.
  • Business continuity: Watermarking can help you maintain your business operations and data integrity in case of disasters or emergencies by providing a backup solution for accessing your desktops and applications remotely.

Conclusion

Watermarking is a new feature that adds a traceable watermark to remote desktops in AVD. It is a security measure that can help you prevent data theft by identifying the source of leaked data and deterring potential attackers from capturing or sharing sensitive information. Watermarking is now generally available and is supported by the Windows Desktop client and the Web client. You can enable and configure watermarking by using the Administrative template for Azure Virtual Desktop.

If you want to learn more about watermarking or other security features in AVD, you can visit the official documentation or contact us for any questions or feedback. 

Mike Starnes

Mike has worked in the IT Industry for over 20 years. If he's not talking technology, he'll be reading, playing football or trying to embarrass his daughters.