Windows Remote Desktop Client - You were disconnected because your session was locked


Good day,

I see a behavior with the Remote Desktop client where, once the machine inactivity timeout has passed, the remote session is disconnected with the message "You were disconnected because your session was locked. Reconnect by launching your resource again." The normal behavior is to lock the user's screen and ask for the password instead of disconnecting the session.

Any idea what is causing such behavior?


Hi - Facing the same issue. Started facing the issue a couple of days ago.

@KEmam I have an AVD lab setup that I'm testing with, and this behavior started for me out of the blue late last week. I have the sessions set to lock after 15 minutes, disconnect after 2 hours, and log off after 4 hours of being disconnected, but for some reason this started. As far as the other comment around conditional access, I do require MFA after 1 hour, but that only happens with the Remote Desktop app and only when connecting again after one hour; it never prompts during a session.
In the end, something has changed in the last few days as best I can tell.

@mikhailf Thanks for the reply.

I have checked the CA session control policies and nothing is coming from there. We have not enabled the session control policy.

Experienced the same behavior. Is there a control/setting where we can configure this?

@BernardVB We have the same issue. Whenever the screen gets locked, either after a time or manually by pressing Ctrl-Alt-End -> Lock, the session gets disconnected. Does anyone know how to prevent the connection from being disconnected?

@BernardVB I have an open case with Microsoft but I still haven't got any solution. I will keep you all posted once I get an update.

Waiting to see what MS tells you... having the same issue.

@KEmam Any news from Microsoft support? Thanks!

@Kobyahsi There is still no clue from the Microsoft side about this behavior, but here is my analysis so far for troubleshooting the issue:
The issue is related to the new Single Sign-on feature that was released in September for Azure VD, which authenticates to Azure Active Directory.

If I disable that feature from the host pool RDP settings, the screen locks properly and asks for the password.
The issue looks related to how the conditional access policy is configured and whether the account has MFA enabled.

Although I am able to log in with Single Sign-on, it looks like when the screen locks the MFA part kicks in and disconnects the session instead of locking the screen, and this is where I see the below error in the logs:

(screenshot: KEmam_0-1667831192170.png)

I am currently checking with our AD team on how to prevent MFA on those machines to see if the issue is resolved with Machine Inactivity Time and Screen Lock.

You can try the same procedure from your side by disabling Azure AD authentication to confirm the issue, and check with your AD team what policies are getting applied when you enable that feature.

(screenshot: KEmam_1-1667831357486.png)

I will update the thread once I have had that discussion and can confirm whether the issue is resolved.

Hi folks, disconnecting a session when it locks is the expected behavior when enabling Azure AD authentication, either in Azure Virtual Desktop with the RDP property above or in MSTSC on the Advanced tab by checking the option "Use a web account to sign in to the remote computer".

I will add this to the documentation, but this was done for security reasons. The user is signing in to the session host using an Azure AD token, which allows the use of passwordless authentication and ensures CA/MFA policies are applied. The lock screen in Windows does not support passwordless and doesn't enforce CA/MFA policies. So users who sign in using passwordless would not be able to unlock the session, and another user could unlock the session, bypassing all CA/MFA policies. With SSO enabled, users should be able to easily launch the resource again and be connected.

Appreciate any feedback on this.
Thank you.
Thanks David for your input. Please add the documentation link, as I have not seen that mentioned anywhere related to passwordless authentication for Azure Virtual Desktop or in any demo of that feature.

This disconnect behavior affects the user experience in a noticeable way. I would prefer at that point that we just lock the screen and ask the user for the password instead of disconnecting the whole session and asking the user to launch it again.
One more concern about disconnecting the session is that it affects the Idle Timeout for the user.
If we have Machine Inactivity Time: 15 min., Idle Timeout: 2 hours, and Disconnect Timeout: 2 hours,
disconnecting the session after 15 min. automatically triggers the Disconnect Timeout, which gives the user 2 hours 15 min. before forcing log off, instead of 4 hours.

Please correct me if I am wrong about that assumption .
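To make the timer arithmetic in the assumption above concrete, here is an added example (not code from the thread or from Microsoft) that models the three timers exactly as the post describes them and checks whether a host pool's custom RDP property string turns on Azure AD authentication. The property name `enablerdsaadauth` is an assumption of this model; the sample property strings are constructed.

```python
"""Model of how the AVD session timers interact when Azure AD authentication
(the SSO feature discussed in the thread) disconnects the session on lock.

Assumptions: lock happens at Machine Inactivity Time, the idle timeout and the
lock are both measured from the last user input, and the Disconnect Timeout
starts at the moment the session becomes disconnected.
"""
import re

# Assumed name of the host-pool RDP property that enables Azure AD auth.
AAD_AUTH_PROPERTY = "enablerdsaadauth"


def aad_auth_enabled(rdp_properties: str) -> bool:
    """True if the RDP property string (';' or newline separated) sets the
    Azure AD authentication property to 1."""
    for item in re.split(r"[;\n]", rdp_properties):
        key, sep, value = item.strip().partition(":i:")
        if sep and key.lower() == AAD_AUTH_PROPERTY:
            return value.strip() == "1"
    return False


def minutes_to_logoff(inactivity_lock: int, idle_timeout: int,
                      disconnect_timeout: int, disconnect_on_lock: bool) -> int:
    """Minutes from the last user input until the session is logged off.

    Without Azure AD auth the session only locks at inactivity_lock and is
    disconnected when idle_timeout expires. With Azure AD auth the lock itself
    disconnects, so the disconnect timeout starts at the lock instead.
    """
    disconnected_at = idle_timeout
    if disconnect_on_lock:
        disconnected_at = min(inactivity_lock, idle_timeout)
    return disconnected_at + disconnect_timeout


def session_lifetime(rdp_properties: str) -> dict:
    """Apply the thread's timers (15 min lock, 2 h idle, 2 h disconnect)."""
    sso = aad_auth_enabled(rdp_properties)
    return {
        "aad_auth": sso,
        "logoff_after_minutes": minutes_to_logoff(15, 120, 120, sso),
    }


if __name__ == "__main__":
    # Constructed property strings: SSO on, and SSO off.
    print(session_lifetime("enablerdsaadauth:i:1;audiomode:i:0"))  # 135 min
    print(session_lifetime("audiomode:i:0"))                       # 240 min
```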