Published on 2023/12/22 by Woshada Dassanayake in Tech-Tips

AVD Security | Screen capture protection | Watermarking

Azure Virtual Desktop (AVD) can be set up as a fully isolated sandbox environment. Through host pool configurations, you can control various aspects, such as blocking data copy, clipboard access, device redirection, and drive redirection. With recently introduced features like Screen Capture Protection, you can also prevent the use of snipping tools for capturing AVD desktop screens.

Furthermore, by enabling Watermarking, you can add an extra layer of security. In the event that someone attempts to capture a picture using a cellphone camera, the captured screens will display a watermark indicating your corporate authority. This additional measure enhances the protection of sensitive information and ensures a secure computing environment within Azure Virtual Desktop.

In this post, let's explore a step-by-step guide on how to enable Screen Capture Protection and Watermarking for Azure Virtual Desktop (AVD).


Enable Screen capture protection

Prerequisites

  • Connecting Client – Windows 10 or Windows 11
  • Session host server – Anything above Windows 11 22H2
  • AVD Store app – Any
  • AVD RD Client for Windows – 1.2.1672 or later
  • AVD RD client for macOS – 10.7.0 or later


Configure Administrative templates

You can configure screen capture protection from Intune, AD group policy, and local computer policies. For GPOs and local policies, you need to import the available administrative template for AVD.

  1. Download the latest AVD Administrative template - https://aka.ms/avdgpo
  2. Extract the zip to your local drive
  3. Log in to a domain controller and navigate to the GPO central store, for example \\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions
  4. Copy terminalserver-avd.admx to the PolicyDefinitions folder and terminalserver-avd.adml to its en-us subfolder




  5. To verify, open the Group Policy editor and browse to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop. The AVD policy settings should now be listed there.
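
Steps 2 to 5 can also be scripted. The following PowerShell is an added example, not part of the original post: it copies the two template files into the central store, checks that the copies on SYSVOL are byte-identical to the extracted files, and lists the policies the template defines. The `$Source` folder is a hypothetical extract location; the central store path is the contoso.com example from step 3.

```powershell
# Added example, not the post's own script. $Source is a hypothetical extract folder.
param(
    [string]$Source       = 'C:\Temp\AVDGPTemplate',  # assumption: where the zip was extracted
    [string]$CentralStore = '\\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions'
)
$ErrorActionPreference = 'Stop'

# Find both template files anywhere under the extracted folder.
$admx = Get-ChildItem -Path $Source -Recurse -Filter 'terminalserver-avd.admx' |
    Select-Object -First 1
$adml = Get-ChildItem -Path $Source -Recurse -Filter 'terminalserver-avd.adml' |
    Where-Object { $_.Directory.Name -ieq 'en-us' } | Select-Object -First 1
if (-not $admx -or -not $adml) { throw "Template files not found under $Source" }

# Only write into a central store that already exists, including its en-us folder.
$langDir = Join-Path $CentralStore 'en-us'
foreach ($dir in $CentralStore, $langDir) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { throw "Missing folder: $dir" }
}

$copies = @(
    @{ From = $admx.FullName; To = (Join-Path $CentralStore $admx.Name) },
    @{ From = $adml.FullName; To = (Join-Path $langDir $adml.Name) }
)
foreach ($c in $copies) {
    Copy-Item -LiteralPath $c.From -Destination $c.To -Force   # overwrites an older template
    # The copy on SYSVOL must be byte-identical to the extracted file.
    $src = (Get-FileHash -LiteralPath $c.From -Algorithm SHA256).Hash
    $dst = (Get-FileHash -LiteralPath $c.To -Algorithm SHA256).Hash
    if ($src -ne $dst) { throw "Hash mismatch after copy: $($c.To)" }
}

# List each policy the template defines and the registry key/value it writes.
# valueName is empty for policies whose values are declared in child <elements>.
[xml]$doc = Get-Content -LiteralPath $copies[0].To -Raw
$doc.policyDefinitions.policies.policy |
    Select-Object name, class, key, valueName |
    Format-Table -AutoSize
```

The key and valueName columns show where each setting lands in the registry, which is useful later for confirming on a session host that the GPO was actually applied.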


Enable and Test Screen capture protection

  1. Create a new Group Policy for AVD security.


  2. Edit the GPO - Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop.
  3. Configure - Enable screen capture protection. There are two options to select: Block screen capture on the client or Block screen capture on the client and server.




  4. Link the GPO to the right OU and restart the VMs.
  5. After restarting, you can test using a snipping tool. If everything is configured correctly, you will see the AVD screen go black when you capture it.


Enable Watermarking

  1. Since we already configured the AVD Administrative template and the group policy, we can edit the same GPO to enable Watermarking. Edit the previously configured GPO - Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop.


  2. Enable watermarking. You can configure the QR code size and the QR code embedded content (Connection ID or Device ID).


  3. Apply the Group policy and restart the session hosts.
  4. When you log in, you can see the watermarked QR code in the desktop background.




I hope this post is helpful.



Woshada Dassanayake

Technical Lead in Cloud Infrastructure and Operations

Expert in Cloud platform operations, Cloud hosting and Network operations.


Copyright © 2025 Terminalworks. All Rights Reserved