Forum Discussion
WIndows 365 SSO preview disconnects on lock instead of showing lock screen
Hi Christiaan_Brinkhoff and team!
We are loving the Windows 365 SSO Preview. It is a fantastic improvement but we have a major showstopper for deployment: when the session locks instead of the lock screen the session disconnects.
Over all the years of on-prem RDP/AVD/etc., Windows has never behaved like this, unfortunately it is a poor user experience and I can't deploy it to my users like this. I understand why this is happening, today the SSO is happening outside the session and you will need to implement SSO unlock inside the session for this to work.
I very much hope the team is hard at work on how to unlock an SSO session, otherwise I can't use one of the very best features, security or otherwise, of Windows 365!
- DavidBelangerMicrosoft
Hi Carlos_Capellan, thank you for the feedback. We changed the experience in part for the reason you mentioned. The lock screen doesn't support the new Azure AD authentication. It also doesn't allow users to unlock the session with passwordless credentials like FIDO keys and some configurations of WHfB. Passwordless authentication is a key benefit of the new protocol. The disconnection also ensures the CA/MFA policies are re-evaluated when the user reconnects, providing a more secure solution that doesn't allow simply entering a username and password.
With that said, the current experience on Windows is definitely sub-par as the user has to dismiss the dialog, open the client and relaunch their session. Before general availability, we're adding an easy reconnect button on the disconnect dialog. This will allow users to easily get back into the session, potentially without having to enter their credentials, unless you configure re-authentication policies.
We'll of course continue to watch the feedback post-GA to see what further adjustments may be needed.
- Carlos_CapellanBrass Contributor
Hi DavidBelanger,
Thank you SO MUCH for the detailed reply, I certainly appreciate the technical roadblocks you and the team are dealing with.
Unfortunately, I feel this limitation substantially weakens the BYOD use case. In a mobile/WFH use case I would need to have an aggressive lock screen inactivity timeout, say 10 minutes, and I am concerned about getting very negative user feedback if we do this. A reconnect button helps, but does not solve this.
I think to fully work around this limitation I would need to allow access to Cloud PCs only from corp-owned endpoints with inactivity timeouts enforced on the endpoints, but no timeout for the Cloud PCs themselves. But now we're losing part of the ease of use of the experience.
I understand just surfacing the traditional RDP username/password prompt on the Cloud PC lock screen defeats all the SSO/passwordless auth methods you are trying to deliver. But I expect you will get this same feedback from many more customers that we still need a standard inactivity timeout experience with no reconnect needed.
If there are any other approaches around this current limitation that I haven't considered here, a guidance or best practices page or blog post would be greatly appreciated! And still hoping this is a top priority on the roadmap!