Forum Discussion
Windows Remote Desktop Client - You were disconnected because your session was locked
Kobyahsi, there is still no clue from Microsoft's side about this behavior, but here is my analysis so far for troubleshooting the issue:
The issue is related to the new Single Sign-on feature that was released in September for Azure VD by attempting to authenticate to Azure Active Directory.
If I disable that feature from the host pool RDP settings, the screen locks properly and asks for a password.
The issue looks related to how the conditional access policy is configured and whether the account has MFA enabled.
Although I am able to log in with Single Sign-on, it looks like when the screen locks the MFA part kicks in and disconnects the session instead of locking the screen, and this is where I see the below error in the logs:
I am currently checking with our AD Team on how to prevent MFA on those machines to see if the issue is resolved with Machine Inactivity Time and Screen Lock.
You can try the same procedure from your side by disabling Azure AD authentication to confirm the issue, and check with your AD Team what policies are getting applied when you enable that feature.
I will update the thread once I have that discussion and confirm if the issue is resolved.
I will add this to the documentation, but this was done for security reasons. The user is signing in to the session host using an Azure AD token, and this allows the use of passwordless authentication and ensures CA/MFA policies are applied. The lock screen in Windows does not support passwordless and doesn't enforce CA/MFA policies. So users who sign in using passwordless would not be able to unlock the session, and another user could unlock the session, bypassing all CA/MFA policies. With SSO enabled, users should be able to easily launch the resource again and be connected.
Appreciate any feedback on this.
Thank you.
- Agmalet (May 26, 2024, Copper Contributor): Imagine how this “for security” reason is not secure at all. So my session disconnects rather than locking; then if someone other than the user goes to the client, they can SSO into the resource with the other user’s creds. Bring lock back please!
- leonavas (Apr 19, 2023, Copper Contributor): Hello David, any clue if we can add more time so it doesn't lock/disconnect automatically?
Where can I find the documentation about this?
- CM42 (Feb 14, 2023, Copper Contributor): Experiencing this same thing in Windows 365 VDI desktops and found no documentation around it. Is there at least a way to extend the timeout? I am so far unable to find one and it seems very short, maybe 5 minutes. Yes, it's easy to get back in, but it seems like you turn around to have a conversation at your desk and you are disconnected. At least the session does not appear to ever actually log you off or kill open items.
- KEmam (Nov 11, 2022, Copper Contributor): One more concern about disconnecting the session is that it affects the Idle Timeout for the user.
If we have Machine Inactivity Time: 15 min., Idle Timeout: 2 Hours, and Disconnect Timeout: 2 Hours,
disconnecting the session after 15 min. automatically triggers the Disconnect Timeout, which gives the user 2 Hours 15 min. before forcing Log off, instead of 4 Hours.
Please correct me if I am wrong about that assumption.
- KEmam (Nov 10, 2022, Copper Contributor): Thanks David for your input. Please add the documentation link, as I have not seen that mentioned anywhere related to Passwordless authentication for Azure Virtual Desktop or in any Demo for that feature.
This disconnect behavior affects the user experience in a noticeable way. I would prefer at that point that we just lock the screen and ask the user for a password instead of disconnecting the whole session and asking the user to launch it again.
- Cathy Leik (Dec 22, 2022, Copper Contributor): I agree it is disruptive to the user experience. We are seeing this with Citrix sessions as well.