Since it became possible to log in to AVD Session Hosts with Single Sign-On (SSO), there has been an issue where the session disconnects as soon as it is locked. The problem arises because the remote lock screen does not offer modern (passwordless) options for unlocking the session. For security reasons, the session is therefore disconnected instead of locked, on the assumption that re-authentication would be quick and seamless.
In my experience, many customers have short screen lock times — usually 15 minutes or less — similar to the settings on physical devices. This means that the connection often needs to be re-established several times a day. The only solution until now was to disable Single Sign-On.
As of mid-September 2024, there is finally a way to control this behavior. Initially, this article included instructions on how to manage it via Intune, GPO, and the Registry. To simplify the process, I have created a Scripted Action for Nerdio, which can be used to configure the Session Hosts. The script can also be applied through other deployment methods. Currently, Microsoft's article only describes the Intune and GPO methods.
Scripted Action
The following Scripted Action can be imported into Nerdio. After importing, you can configure the parameters when adding it to a deployment step:
```powershell
#name: Configure session lock behavior
#description: Configure the session lock behavior
#execution mode: Combined
#tags: beckmann.ch

<#
Notes:
When single sign-on is enabled and the remote session is locked, either by the user or by policy,
the session is instead disconnected and a dialog is shown to let users know they were disconnected.
Users can choose the Reconnect option from the dialog when they are ready to connect again.
This is done for security reasons and to ensure full support of passwordless authentication.

If you prefer to show the remote lock screen instead of disconnecting the session, you can change
the behavior by setting the following registry key:

Key:        HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services
Type:       REG_DWORD
Value name: fdisconnectonlockmicrosoftidentity
            0 Show the remote lock screen.
            1 Disconnect the session.

More information, like supported OS versions, can be found here:
https://learn.microsoft.com/azure/virtual-desktop/configure-session-lock-behavior

More additional background information can be found here:
https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-single-sign-on?tabs=registry#session-lock-behavior
#>

param (
    [Parameter(
        Mandatory = $true,
        HelpMessage = "Set the session lock behavior. 0 = Show the remote lock screen. 1 = Disconnect the session."
    )]
    [ValidateSet(0, 1)]
    [int]$lockScreen = 1
)

$ErrorActionPreference = 'Stop'

Write-Output "Configure session lock behavior"
Write-Output "Setting session lock behavior to $lockScreen"

$regPath  = "HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services"
$regName  = "fdisconnectonlockmicrosoftidentity"
$regValue = $lockScreen

try {
    # Create the policy key if it does not exist yet (Out-Null keeps the
    # returned key object out of the Scripted Action output).
    If (!(Test-Path $regPath)) {
        New-Item -Path $regPath -Force | Out-Null
    }

    Write-Output "Setting registry key: $regPath\$regName to $regValue"
    If (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue) {
        Write-Output "Registry key $regPath\$regName already exists. Updating value to $regValue"
        Set-ItemProperty -Path $regPath -Name $regName -Value $regValue -Type DWORD
    } Else {
        Write-Output "Registry key $regPath\$regName does not exist. Creating key with value $regValue"
        New-ItemProperty -Path $regPath -Name $regName -Value $regValue -PropertyType DWORD | Out-Null
    }
} catch {
    Write-Output "Encountered error. $_"
    Throw $_
}

Write-Output "Session lock behavior configured"
```
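To confirm that a Session Host ended up with the intended setting after the Scripted Action has run, the following verification helper reads the same policy value back and reports the effective behavior. It is an added example and not part of the original post or the Nerdio Scripted Action; the function name and its `-Expected` parameter are my own choices, while the registry path and value name are the ones documented by Microsoft and used in the script above.

```powershell
# Added verification helper (example code, not the Scripted Action itself).
# Reads the policy value the Scripted Action writes and reports the effective
# session lock behavior of this Session Host as an object you can collect.
function Get-SessionLockBehavior {
    [CmdletBinding()]
    param (
        # Path and value name as documented by Microsoft and used above.
        [string]$RegPath = 'HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services',
        [string]$RegName = 'fdisconnectonlockmicrosoftidentity',
        # The value you deployed: 0 = show the remote lock screen, 1 = disconnect.
        [ValidateSet(0, 1)]
        [int]$Expected = 0
    )

    $item = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
    $raw  = if ($null -ne $item) { $item.$RegName } else { $null }

    # No value present: Windows uses its default, which for SSO sessions is to
    # disconnect on lock (the behavior described at the top of the post).
    if ($null -eq $raw) {
        $behavior = 'Disconnect (default, value not set)'
    } elseif ($raw -eq 0) {
        $behavior = 'ShowLockScreen'
    } elseif ($raw -eq 1) {
        $behavior = 'Disconnect'
    } else {
        # Anything else is outside the documented range; treat it as misconfigured.
        $behavior = "Unknown (raw value $raw)"
    }

    # Compliant only when the value is explicitly set to what you deployed.
    # Relying on the default is reported as non-compliant so drift stays visible.
    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        ValuePresent = ($null -ne $raw)
        RawValue     = $raw
        Behavior     = $behavior
        Compliant    = ($raw -eq $Expected)
    }
}

# Run locally on a Session Host after the Scripted Action has completed:
Get-SessionLockBehavior -Expected 0
```

Because the value lives under the Policies hive, a GPO or Intune policy that configures the same setting will overwrite what the script wrote at the next policy refresh, so it is worth running this check again after the first refresh on a newly deployed host.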
Usage
To use the Scripted Action, you can add it to a Scripted Action Group and define the necessary parameters:
You can also configure this setting for VM deployment:
Conclusion
While this behavior can still be managed through Intune and GPO, I prefer to apply these settings directly to the host at the time of creation. Since I am increasingly working with Microsoft Entra ID Only implementations, Scripted Actions offer a convenient way to configure these settings from the start.