Configure the session lock behavior for Azure Virtual Desktop

You can choose whether the session is disconnected or the remote lock screen is shown when a remote session is locked, either by the user or by policy. When the session lock behavior is set to disconnect, a dialog is shown to let users know they were disconnected. Users can choose the Reconnect option from the dialog when they're ready to connect again.

When used with single sign-on using Microsoft Entra ID, disconnecting the session provides the following benefits:

  • A consistent sign-in experience through Microsoft Entra ID when needed.

  • A single sign-on experience and reconnection without authentication prompt, when allowed by conditional access policies.

  • Support for passwordless authentication such as passkeys and FIDO2 devices, which the remote lock screen doesn't support. Disconnecting the session is necessary to ensure full support of passwordless authentication.

  • Conditional access policies, including multifactor authentication and sign-in frequency, are reevaluated when the user reconnects to their session.

  • You can require multifactor authentication to return to the session and prevent users from unlocking with a simple username and password.

For scenarios that rely on legacy authentication, including NTLM, CredSSP, RDSTLS, TLS, and RDP basic authentication protocols, users are prompted to re-enter their credentials when they reconnect or start a new connection.

The default session lock behavior is different depending on whether you're using single sign-on with Microsoft Entra ID or legacy authentication. The following table shows the default configuration for each scenario:

  Scenario                                  Default configuration
  Single sign-on using Microsoft Entra ID   Disconnect the session
  Legacy authentication protocols           Show the remote lock screen

This article shows you how to change the session lock behavior from its default configuration using Group Policy.

Prerequisites

Before you can configure the session lock behavior, you need to meet the following prerequisites:

Configure the session lock behavior

To configure the session lock experience using Group Policy, follow these steps.

  1. The Group Policy settings are only available on the operating systems listed in Prerequisites. To make them available on other versions of Windows Server, you need to copy the administrative template files C:\Windows\PolicyDefinitions\terminalserver.admx and C:\Windows\PolicyDefinitions\en-US\terminalserver.adml from a session host to the same location on your domain controllers or the Group Policy Central Store, depending on your environment. In the file path for terminalserver.adml, replace en-US with the appropriate language code if you're using a different language.

  2. Open the Group Policy Management console on the device you use to manage the Active Directory domain.

  3. Create or edit a policy that targets the computers providing a remote session you want to configure.

  4. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.

    A screenshot showing the Remote Desktop Session Host security options in the Group Policy editor.

  5. Double-click one of the following policy settings, depending on your requirements:

    • For single sign-on using Microsoft Entra ID:

      1. Double-click Disconnect remote session on lock for Microsoft identity platform authentication to open it.

        • To disconnect the remote session when the session locks, select Enabled or Not configured.

        • To show the remote lock screen when the session locks, select Disabled.

      2. Select OK.

    • For legacy authentication protocols:

      1. Double-click Disconnect remote session on lock for legacy authentication to open it.

        • To disconnect the remote session when the session locks, select Enabled.

        • To show the remote lock screen when the session locks, select Disabled or Not configured.

      2. Select OK.

  6. Ensure the policy is applied to the session hosts, then restart them for the settings to take effect.

  7. To test the configuration, connect to a remote session, then lock the remote session. Verify that the session either disconnects or the remote lock screen is shown, depending on your configuration.
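As an added example that is not part of the original article, the following PowerShell script carries out step 1 (staging the terminalserver template files in the Group Policy Central Store) and gives step 7 a concrete check by reading the policy values a session host received after the GPO was applied and the host restarted. The registry value names fDisconnectOnLockMicrosoftIdentity and fDisconnectOnLockLegacy are an assumption on my part, not something the article states; confirm them against terminalserver.admx before relying on the output.

```powershell
# Added example, not part of the original article: stages the terminalserver
# template files in the Group Policy Central Store (step 1) and reports which
# session lock behaviour a session host actually received (step 7).
# Run as a domain administrator on a domain-joined session host after the GPO
# has been applied and the host restarted.
# Assumption (not stated on the page): the two policy settings write the values
# fDisconnectOnLockMicrosoftIdentity and fDisconnectOnLockLegacy under the
# Terminal Services policy key; check terminalserver.admx if they differ.
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [string]$LanguageCode = 'en-US'   # replace for a different ADML language
)

$source       = 'C:\Windows\PolicyDefinitions'
$centralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$policyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Step 1: copy the ADMX and its language-specific ADML to the Central Store.
function Copy-TerminalServerTemplates {
    New-Item -ItemType Directory -Path (Join-Path $centralStore $LanguageCode) -Force | Out-Null
    Copy-Item -Path (Join-Path $source 'terminalserver.admx') -Destination $centralStore -Force
    Copy-Item -Path (Join-Path $source "$LanguageCode\terminalserver.adml") `
              -Destination (Join-Path $centralStore $LanguageCode) -Force
}

# Step 7 helper: read one policy value and map it to the behaviour the article
# describes. A missing value means "Not configured", which falls back to the
# default shown in the article's table.
function Get-SessionLockBehavior {
    param([string]$ValueName, [bool]$DefaultDisconnect)
    $item = Get-ItemProperty -Path $policyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $disconnect = $DefaultDisconnect
        $state = 'Not configured'
    } else {
        $disconnect = [bool]$item.$ValueName
        $state = if ($disconnect) { 'Enabled' } else { 'Disabled' }
    }
    $behavior = if ($disconnect) { 'Disconnect the session' } else { 'Show the remote lock screen' }
    [pscustomobject]@{ Setting = $ValueName; PolicyState = $state; Behavior = $behavior }
}

Copy-TerminalServerTemplates
# Defaults follow the article's table: Entra ID SSO disconnects, legacy shows the lock screen.
Get-SessionLockBehavior -ValueName 'fDisconnectOnLockMicrosoftIdentity' -DefaultDisconnect $true
Get-SessionLockBehavior -ValueName 'fDisconnectOnLockLegacy'            -DefaultDisconnect $false
```

The two objects it prints should agree with what you observe in step 7; a host still reporting "Not configured" for a setting you enabled usually means the policy hasn't applied or the host hasn't been restarted yet.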