Merge pull request #215414 from dknappettmsft/avd-watermarking-preview

American-Dipper · web-flow · commit 97bc9379d18f · 2023-01-30T14:58:53.000-08:00
AVD watermarking preview
diff --git a/articles/virtual-desktop/TOC.yml b/articles/virtual-desktop/TOC.yml
@@ -247,12 +247,12 @@
         href: configure-host-pool-load-balancing.md
       - name: Personal desktop assignment type
         href: configure-host-pool-personal-desktop-assignment-type.md
+  - name: Administrative template
+    href: administrative-template.md
   - name: Move resources between regions
     href: move-resources.md
   - name: Use Azure Virtual Desktop license
     href: apply-windows-license.md
-  - name: Screen capture protection
-    href: screen-capture-protection.md
   - name: Customize session host image
     items:
       - name: Set up golden image in Azure
@@ -315,6 +315,12 @@
         href: configure-adfs-sso.md
       - name: Set up the KDC proxy
         href: key-distribution-center-proxy.md
+  - name: Security
+    items:
+    - name: Screen capture protection
+      href: screen-capture-protection.md
+    - name: Watermarking
+      href: watermarking.md
   - name: Deploy updates with Configuration Manager
     href: configure-automatic-updates.md
   - name: Set up multimedia redirection (preview)
diff --git a/articles/virtual-desktop/administrative-template.md b/articles/virtual-desktop/administrative-template.md
@@ -0,0 +1,69 @@
+---
+title: Administrative template for Azure Virtual Desktop
+description: Learn how to use the administrative template for Azure Virtual Desktop with Group Policy to configure settings.
+author: dknappettmsft
+ms.topic: how-to
+ms.date: 10/27/2022
+ms.author: daknappe
+---
+# Administrative template for Azure Virtual Desktop
+
+We've created an administrative template for Azure Virtual Desktop to configure some features of Azure Virtual Desktop. You can use the template with Group Policy, which enables you to centrally configure session hosts that are joined to an Active Directory (AD) domain. You can also use the template with Group Policy locally on each session host, but this isn't recommended to manage session hosts at scale.
+
+You can configure the following features with the administrative template:
+
+- [Screen capture protection](screen-capture-protection.md)
+- [RDP Shortpath for managed networks](rdp-shortpath.md?tabs=managed-networks)
+- [Watermarking](watermarking.md)
+
+> [!NOTE]
+> Importing the administrative template to Microsoft Intune is currently not supported. You should eventually be able to configure these features using the Intune settings catalog.
+
+## Prerequisites
+
+You'll need the following permission:
+
+- For Group Policy in an Active Directory domain, you'll need to be a member of the **Domain Admins** security group.
+
+- For local Group Policy on a session host, you'll need to be a member of the local **Administrators** security group.
+
+## Add the administrative template
+
+To add the administrative template, select a tab for your scenario and follow these steps.
+
+# [Group Policy (AD)](#tab/group-policy-domain)
+
+> [!NOTE]
+> These steps assume you're using the [Central Store for Group Policy](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).
+
+1. Download the latest [Azure Virtual Desktop administrative template files](https://aka.ms/avdgpo) and extract the contents of the .cab file and .zip archive.
+
+1. Copy and paste the **terminalserver-avd.admx** file to the Group Policy Central Store for your domain, for example `\\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions`, where *contoso.com* is your domain name. Then copy the **terminalserver-avd.adml** file to the `en-us` subfolder.
+
+1. Open the **Group Policy Management Console** (GPMC) and create or edit a policy that targets your session hosts.
+
+1. To verify that the Azure Virtual Desktop administrative template is available, browse to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Remote Desktop Services** > **Remote Desktop Session Host** > **Azure Virtual Desktop**. You should see policy settings for Azure Virtual Desktop, as shown in the following screenshot:
+
+   :::image type="content" source="media/administrative-template-group-policy.png" alt-text="Screenshot of the Group Policy Management Editor showing Azure Virtual Desktop policy settings." lightbox="media/administrative-template-group-policy.png":::
+
+# [Local Group Policy](#tab/local-group-policy)
+
+1. Download the latest [Azure Virtual Desktop administrative template files](https://aka.ms/avdgpo) and extract the contents of the .cab file and .zip archive.
+
+1. Copy and paste the **terminalserver-avd.admx** file to the PolicyDefinitions folder at `%windir%\PolicyDefinitions`. Then copy the **terminalserver-avd.adml** file to the `en-us` subfolder.
+
+1. Open the **Local Group Policy Editor** console.
+
+1. To verify that the Azure Virtual Desktop administrative template is available, browse to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Remote Desktop Services** > **Remote Desktop Session Host** > **Azure Virtual Desktop**. You should see policy settings for Azure Virtual Desktop, as shown in the following screenshot:
+
+   :::image type="content" source="media/administrative-template-group-policy.png" alt-text="Screenshot of the Local Group Policy Editor showing Azure Virtual Desktop policy settings." lightbox="media/administrative-template-group-policy.png":::
+
+---
+
+## Next steps
+
+Learn how to use the administrative template with the following features:
+
+- [Screen capture protection](screen-capture-protection.md)
+- [RDP Shortpath for managed networks](rdp-shortpath.md?tabs=managed-networks)
+- [Watermarking](watermarking.md)
diff --git a/articles/virtual-desktop/media/administrative-template-group-policy.png b/articles/virtual-desktop/media/administrative-template-group-policy.png
diff --git a/articles/virtual-desktop/media/watermarking-result.png b/articles/virtual-desktop/media/watermarking-result.png
diff --git a/articles/virtual-desktop/screen-capture-protection.md b/articles/virtual-desktop/screen-capture-protection.md
@@ -1,17 +1,16 @@
 ---
-title: Azure Virtual Desktop screen capture protection
+title: Screen capture protection in Azure Virtual Desktop
 titleSuffix: Azure
-description: How to set up screen capture protection for Azure Virtual Desktop.
+description: Learn how to enable screen capture protection in Azure Virtual Desktop (preview) to help prevent sensitive information from being captured on client endpoints.
 author: femila
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 01/27/2023
 ms.author: femila
-ms.service: virtual-desktop
 ---
 
-# Screen capture protection
+# Screen capture protection in Azure Virtual Desktop
 
-Screen capture protection prevents sensitive information from being captured on the client endpoints. When you enable this feature, remote content will be automatically blocked or hidden in screenshots and screen shares. Also, the Remote Desktop client will hide content from malicious software that may be capturing the screen.
+Screen capture protection, alongside [watermarking](watermarking.md), helps prevent sensitive information from being captured on client endpoints. When you enable screen capture protection, remote content will be automatically blocked or hidden in screenshots and screen shares. Also, the Remote Desktop client will hide content from malicious software that may be capturing the screen.
 
 In Windows 11, version 22H2 or later, you can enable screen capture protection on session host VMs as well as remote clients. Protection on session host VMs works just like protection for remote clients.
 
diff --git a/articles/virtual-desktop/watermarking.md b/articles/virtual-desktop/watermarking.md
@@ -0,0 +1,98 @@
+---
+title: Watermarking in Azure Virtual Desktop (preview)
+description: Learn how to enable watermarking in Azure Virtual Desktop (preview) to help prevent sensitive information from being captured on client endpoints.
+author: dknappettmsft
+ms.topic: how-to
+ms.date: 10/27/2022
+ms.author: daknappe
+---
+# Watermarking in Azure Virtual Desktop (preview)
+
+> [!IMPORTANT]
+> Watermarking is currently in PREVIEW.
+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
+Watermarking (preview), alongside [screen capture protection](screen-capture-protection.md), helps prevent sensitive information from being captured on client endpoints. When you enable watermarking, QR code watermarks appear as part of remote desktops. The QR code contains the *connection ID* of a remote session that admins can use to trace the session. Watermarking is configured on session hosts and enforced by the Remote Desktop client.
+
+Here's a screenshot showing what watermarking looks like when it's enabled:
+
+:::image type="content" source="media/watermarking-result.png" alt-text="A screenshot showing watermarking enabled on a remote desktop." lightbox="media/watermarking-result.png":::
+
+> [!IMPORTANT]
+> - Once watermarking is enabled on a session host, only clients that support watermarking can connect to that session host. If you try to connect from an unsupported client, the connection will fail and you'll get an error message that is not specific.
+>
+> - Watermarking is for remote desktops only. With remote apps, watermarking is not applied and the connection is allowed.
+>
+> - If you connect to a session host directly (not through Azure Virtual Desktop) using the Remote Desktop Connection app (`mstsc.exe`), watermarking is not applied and the connection is allowed.
+
+## Prerequisites
+
+You'll need the following things before you can use watermarking:
+
+- A Remote Desktop client that supports watermarking. The following clients currently support watermarking:
+
+  - [Windows Desktop client](users/connect-windows.md?toc=%2Fazure%2Fvirtual-desktop%2Ftoc.json), version 1.2.3317 or later, on Windows 10 and later.
+
+- [Azure Virtual Desktop Insights](azure-monitor.md) configured for your environment.
+
+## Enable watermarking
+
+To enable watermarking, follow the steps below:
+
+1. Follow the steps to download and add the [Administrative template for Azure Virtual Desktop](administrative-template.md).
+
+1. Once you've verified that the Azure Virtual Desktop administrative template is available, open the policy setting **Enable watermarking** and set it to **Enabled**.
+
+1. You can configure the following options:
+
+   | Option | Values | Description |
+   |--|:--:|--|
+   | QR code bitmap scale factor | 1 to 10<br />(*default = 4*) | The size in pixels of each QR code dot. This value determines how many the number of squares per dot in the QR code. |
+   | QR code bitmap opacity | 100 to 9999 (*default = 700*) | How transparent the watermark is, where 100 is fully transparent. |
+   | Width of grid box in percent relevant to QR code bitmap width | 100 to 1000<br />(*default = 320*) | Determines the distance between the QR codes in percent. When combined with the height, a value of 100 would make the QR codes appear side-by-side and fill the entire screen. |
+   | Height of grid box in percent relevant to QR code bitmap width | 100 to 1000<br />(*default = 180*) | Determines the distance between the QR codes in percent. When combined with the width, a value of 100 would make the QR codes appear side-by-side and fill the entire screen. |
+
+   > [!TIP]
+   > We recommend trying out different opacity values to find a balance between the readability of the remote session and being able to scan the QR code, but keeping the default values for the other parameters.
+
+1. Apply the policy settings to your session hosts by running a Group Policy update or Intune device sync.
+
+1. Connect to a remote session, where you should see QR codes appear. For any changes you make to the policy and apply to the session host, you'll need to disconnect and reconnect to your remote session to see the difference.
+
+## Find session information
+
+Once you've enabled watermarking, you can find the session information from the QR code by using Azure Virtual Desktop Insights or querying Azure Monitor Log Analytics.
+
+### Azure Virtual Desktop Insights
+
+To find out the session information from the QR code by using Azure Virtual Desktop Insights:
+
+1. Open a web browser and go to https://aka.ms/avdi to open Azure Virtual Desktop Insights. Sign-in using your Azure credentials when prompted.
+
+1. Select the relevant subscription, resource group, host pool and time range, then select the **Connection Diagnostics** tab.
+
+1. In the section **Success rate of (re)establishing a connection (% of connections)**, there's a list of all connections showing **First attempt**, **Connection Id**, **User**, and **Attempts**. You can look for the connection ID from the QR code in this list, or export to Excel.
+
+### Azure Monitor Log Analytics
+
+To find out the session information from the QR code by querying Azure Monitor Log Analytics:
+
+1. Sign in to [the Azure portal](https://portal.azure.com).
+
+1. In the search bar, type *Log Analytics workspaces* and select the matching service entry.
+
+1. Select to open the Log Analytics workspace that is connected to your Azure Virtual Desktop environment.
+
+1. Under **General**, select **Logs**.
+
+1. Start a new query, then run the following query to get session information for a specific connection ID (represented as *CorrelationId* in Log Analytics), replacing `<connection ID>` with the full or partial value from the QR code:
+
+   ```kusto
+   WVDConnections
+   | where CorrelationId contains "<connection ID>"
+   ```
+
+## Next steps
+
+- Learn more about [Azure Virtual Desktop Insights](azure-monitor.md).
+- For more information about Azure Monitor Log Analytics, see [Overview of Log Analytics in Azure Monitor](../azure-monitor/logs/log-analytics-overview.md).
