AVD Adding users to Remote Desktop User Group
Hi all,
From my understanding AVD uses port 443 (HTTPS) to connect users to their virtualized environment. However, I have noticed that AVD automatically adds users to the Remote Desktop Users Group, which is meant originally for port 3389 (RDP). I spoke with a Microsoft Support Specialist regarding this and it was mentioned this was used as a break-glass method in case users cannot connect through 443. My question is then, is it necessary to have users added to the Remote Desktop Users Group? And is there any way we could stop the automation in adding users to that group?
Best Regards
Xerxes
Hi! :)
You need to keep users in the Remote Desktop Users group for AVD to hand off the session, and there's no built-in switch to stop it. To prevent direct RDP logons while keeping AVD over 443 intact you can:
- deploy a VM extension or DSC script that runs after the AVD agent and removes the unwanted group membership;
- use an Azure Automation runbook to periodically strip those users from the group on all session hosts;
- apply a GPO "Deny log on locally" for those accounts so they stay in the group for AVD but can't RDP in on port 3389.
The simplest path is a VM extension (a small PowerShell script at boot removes the extra memberships automatically). Hope this will help :)
- sathishphcl (Copper Contributor)
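The script below is an added example of the "small PowerShell script at boot" idea from the reply above; it is not code from the thread or from Microsoft. It audits the local Remote Desktop Users group on a session host, removes any member not on an allowlist, and can optionally add a Windows Firewall rule blocking inbound TCP 3389, which AVD does not need because session hosts connect outbound over 443 (reverse connect). The allowlist entry 'CONTOSO\AVD-RDP-Admins' and the rule name are hypothetical. One caveat before deploying it: membership in Remote Desktop Users is how a session host grants the "Allow log on through Remote Desktop Services" user right, and an AVD session is itself a Remote Desktop Services logon, so test on a pilot host pool with -DryRun first and make sure your AVD users still get that right some other way if you strip them from the group.

```powershell
<#
  Added example for this thread (not from the original posts or from Microsoft).
  Audits the local "Remote Desktop Users" group on an AVD session host, removes
  members that are not on an allowlist, and optionally blocks inbound TCP 3389.

  Assumptions (hypothetical, adjust for your environment):
    - 'CONTOSO\AVD-RDP-Admins' is the only principal that should keep membership.
    - The script runs elevated, e.g. from the Custom Script Extension or a
      scheduled task that starts after the AVD agent (RDAgentBootLoader).
  Usage:
    .\Prune-RdpUsers.ps1 -DryRun                 # report only
    .\Prune-RdpUsers.ps1 -BlockInbound3389       # enforce and add firewall rule
#>
[CmdletBinding()]
param(
    [string[]]$AllowedMembers = @('CONTOSO\AVD-RDP-Admins'),  # hypothetical allowlist
    [switch]$BlockInbound3389,
    [switch]$DryRun
)

$GroupName = 'Remote Desktop Users'

# Compare case-insensitively; Windows principal names are not case-sensitive.
$allowed = $AllowedMembers | ForEach-Object { $_.ToLowerInvariant() }

try {
    # Get-LocalGroupMember throws if the group holds an unresolvable SID
    # (e.g. a deleted Entra ID user). Fail loudly rather than skip the audit.
    $members = Get-LocalGroupMember -Group $GroupName -ErrorAction Stop
} catch {
    Write-Error "Could not enumerate '$GroupName': $($_.Exception.Message)"
    exit 1
}

# Anything not explicitly allowed is treated as an automatically added AVD user.
$unexpected = $members | Where-Object { $allowed -notcontains $_.Name.ToLowerInvariant() }

if (-not $unexpected) {
    Write-Output "No unexpected members in '$GroupName'."
} else {
    foreach ($m in $unexpected) {
        if ($DryRun) {
            Write-Output "[DryRun] Would remove $($m.Name) ($($m.PrincipalSource)) from '$GroupName'"
        } else {
            # Pass the principal object itself so removal works by SID even if
            # the name no longer resolves.
            Remove-LocalGroupMember -Group $GroupName -Member $m -ErrorAction Stop
            Write-Output "Removed $($m.Name) ($($m.PrincipalSource)) from '$GroupName'"
        }
    }
}

if ($BlockInbound3389) {
    # AVD reverse connect needs no inbound listener, so direct RDP on 3389 can be
    # blocked at the host firewall without affecting AVD sessions over 443.
    $ruleName = 'AVD - Block inbound RDP 3389'   # hypothetical rule name
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
        Write-Output "Firewall rule '$ruleName' already exists."
    } elseif ($DryRun) {
        Write-Output "[DryRun] Would create firewall rule '$ruleName'"
    } else {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 3389 -Action Block -Profile Any | Out-Null
        Write-Output "Created firewall rule '$ruleName'"
    }
}
```

Because the AVD agent re-adds users whenever it brokers a session, a run-once-at-boot script only cleans up what was there at startup; to keep the group pruned you would schedule it (or the runbook variant from the reply) to run periodically. The firewall rule, by contrast, is a single durable control and is the piece that actually closes the 3389 path.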
Hi, one of my customers raised the same security concern. Is there any option to avoid adding the domain user to the local "Remote Desktop Users" group?
Or is it by design that Microsoft recommends this for ADDS/domain-joined VDIs (not Entra-only)?
- raindropsdev (Iron Contributor)
@XerxesH Yeah, we noticed it recently as well, and it's quite a risk from the standpoint of cybersecurity. Has anyone found out how to disable this behavior?
- XerxesH (Copper Contributor)
Hi Kidd_Ip,
Absolutely. I was thinking Just-In-Time Access and/or restriction through the firewall, but just wondering why that automatic procedure was there in the first place x) I find it weird to have to have a solution/workaround for something not in use (unless it is proven that it is). Thanks for the answers though!
Best Regards
Xerxes
@XerxesH Just tested on an Azure Virtual Desktop host pool with Entra ID join and you are right.
But my direct RDP access is also working without being part of the Remote Desktop Users group, as soon as my Entra ID user has the Virtual Machine User Login role on the AVD VMs. Why do you want to remove that automation mechanism?
Security purposes?
- XerxesH (Copper Contributor)
Hi jlou65535,
Yes, correct! Thanks for verifying! When a user receives a session by opening a remote app or virtual desktop, they are automatically added to that group, giving them RDP access. In my opinion they should not be added to the group, as normal users should not have direct RDP to the session hosts; it does pose a security risk.
Best Regards
Xerxes Hansen