Implementing Watermarking and Screen Capture Protection in Azure Virtual Desktop

Introduction

As organisations increasingly rely on Azure Virtual Desktop (AVD) to support hybrid workforces, protecting sensitive data accessed via virtual desktops has become a top priority. To address this, Microsoft introduced watermarking and screen capture protection, which deter data leakage by:

  • Overlaying session-specific user information on the screen
  • Blocking attempts to capture screen content using built-in tools

In this blog, we’ll explore what these features do, how to enable them, and how to apply best practices for secure deployment.

What Are Watermarking and Screen Capture Protection?

Watermarking

Watermarking in AVD overlays user-identifying information (such as the username and IP address) as a semi-transparent layer across the session screen. This discourages users from taking screenshots or recording sensitive sessions.

Key details included in the watermark:

  • Entra ID (Azure AD) username
  • Session ID
  • Client IP address
  • Timestamp

Watermarks are dynamic and cannot be easily removed, making them an effective deterrent.

Example of a session with watermarking enabled: The overlay displays user-specific details in a semi-transparent format across the virtual desktop interface.

Screen Capture Protection

This feature blocks screen capture tools (like Snipping Tool, Snagit, or even Print Screen) from capturing the AVD session window when it’s active. Instead of the actual desktop content, a blank or black screen is captured.

This works on supported Windows endpoints using the Remote Desktop client (MSRDC).

If you enable screen capture protection on session hosts, users need to connect from a supported device. If they try to connect from an unsupported device, they will see an error message saying that screen capture protection is enabled.

[Screenshots: the error message as shown in a web browser and on iOS/iPadOS]

Prerequisites

Before enabling these features, ensure the following:

Requirement | Details
--- | ---
AVD Client Version | Must use the Remote Desktop Client v1.2.3313 or later
OS Support | Windows 10/11 Enterprise or multi-session (Windows Server 2022 also supported)
Session Host Agent | AVD Agent and Side-by-side Stack must be up to date
Entra ID Join or Hybrid Join | Required for user identification in watermarks
Host Pools | Must be part of a validation environment for early feature previews (optional)

How to Enable Watermarking and Screen Capture Protection

Depending on your deployment model, these features are configured using RDP properties or Group Policy.

Option 1: Configure via RDP Properties (Recommended)

  1. In the Azure Portal, go to your AVD Host Pool.
  2. Under RDP Properties, click Advanced.
  3. Add the following settings:

enablerdwatermark:i:1

watermarktext:s:YourOrg – %username% – %ip%

enablerdscreencaptureprotection:i:1

  • enablerdwatermark:i:1 turns watermarking on.
  • watermarktext:s: allows customization.
  • enablerdscreencaptureprotection:i:1 blocks screen capture tools.

%username% and %ip% are replaced with the session user’s actual values.
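A drift check for the settings listed above, as an added example that is not code from the original post or from Microsoft: it parses a host pool's custom RDP property string (semicolon-separated name:type:value entries) and reports which of this page's three properties are missing, malformed, or set to another value. The property names are taken from this page as written; the function names and sample strings are constructed for illustration.

```python
# Added example: audit a custom RDP property string against the three settings
# this page lists. Function names and sample strings are constructed.
EXPECTED = {  # name -> (type, required value); None = any non-empty value
    "enablerdwatermark": ("i", "1"),
    "watermarktext": ("s", None),
    "enablerdscreencaptureprotection": ("i", "1"),
}

def parse_rdp_properties(raw):
    """Parse 'name:type:value;...' into ({name: (type, value)}, malformed).

    Only the first two colons separate fields, so a value may contain ':'.
    Names are lower-cased; a repeated name keeps its last occurrence.
    """
    props, malformed = {}, []
    for entry in raw.replace("\n", ";").split(";"):
        entry = entry.strip()
        if not entry:
            continue
        parts = entry.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            malformed.append(entry)  # report, never silently drop
            continue
        props[parts[0].strip().lower()] = (parts[1], parts[2].strip())
    return props, malformed

def audit(raw):
    """Return sorted findings; an empty list means all three settings match."""
    props, malformed = parse_rdp_properties(raw)
    findings = [f"malformed entry: {e!r}" for e in malformed]
    for name, (want_type, want_value) in EXPECTED.items():
        if name not in props:
            findings.append(f"{name}: missing")
            continue
        typ, value = props[name]
        if typ != want_type:
            findings.append(f"{name}: type {typ!r}, expected {want_type!r}")
        elif want_value is None and not value:
            findings.append(f"{name}: empty value")
        elif want_value is not None and value != want_value:
            findings.append(f"{name}: value {value!r}, expected {want_value!r}")
    return sorted(findings)

GOOD = ("enablerdwatermark:i:1;watermarktext:s:YourOrg – %username% – %ip%;"
        "enablerdscreencaptureprotection:i:1")
DRIFTED = ("EnableRdWatermark:i:0;watermarktext:s:;audiomode:i:0;"
           "enablerdscreencaptureprotection=1")
print(audit(DRIFTED))
```

Run it against the property string exported from each host pool; a setting entered with "=" instead of the name:type:value form shows up as both a malformed entry and a missing property.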

Option 2: Configure via Group Policy (if using on-prem or GPO-managed session hosts)

  1. Download the latest AVD administrative templates.
  2. Navigate to: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment
  3. Set the following policies:
  • Enable watermarking → Enabled
  • Enable screen capture protection → Enabled
  • Customise watermark content using the appropriate setting.

Testing the Configuration

After applying the configuration:

  • Connect to a session using the Remote Desktop app.
  • You should see a semi-transparent watermark across the screen.
  • Try using Print Screen or Snipping Tool — the screen capture should be black or empty.

These features do not currently apply to web client sessions (browser-based access) or macOS endpoints.

Best Practices

  • Use with Conditional Access: Combine with location and device policies for stronger access control.
  • Test on non-production environments before enabling org-wide.
  • Notify users about watermarking to avoid confusion or support calls.
  • Monitor session behaviour using Azure Monitor and Log Analytics to verify policy enforcement.
  • Avoid custom watermark text that might overlap with app UI – adjust size and transparency if needed.

Limitations

  • Only supported on Windows desktop clients (not browsers or mobile clients).
  • No granular per-user or per-app control — applies at session level.
  • Visual watermarking does not prevent all screen captures (e.g., camera photos).

Use Cases

  • Finance and legal firms handling sensitive client data
  • Healthcare accessing patient records remotely
  • Education or exam proctoring in virtual labs
  • Call centres with compliance requirements

Conclusion

Watermarking and screen capture protection are critical security features in Azure Virtual Desktop (AVD), designed to safeguard sensitive data and support compliance frameworks. While these mechanisms are not infallible, they provide a crucial layer of both visual deterrence and technical enforcement to mitigate the risk of data exfiltration.

To enhance the security posture of your AVD environment, begin by implementing these features in a test host pool, assessing the user experience, and performing thorough validation before deploying them across the organisation.

WRITTEN BY Navitha Wilson
