Configuring the Session Lock Behavior

Since it became possible to log in to AVD Session Hosts with Single Sign-On (SSO), there has been an issue where the session disconnects when it is locked. This happens because the lock screen does not offer modern options for unlocking the session. For security reasons, the session was disconnected instead, on the assumption that re-authentication would be quick and seamless.

In my experience, many customers have short screen lock times — usually 15 minutes or less — similar to the settings on physical devices. This means that the connection often needs to be re-established several times a day. The only solution until now was to disable Single Sign-On.

As of mid-September 2024, there is finally a way to control this behavior. Initially, this article included instructions on how to manage it via Intune, GPO, and the Registry. To simplify the process, I have created a Scripted Action for Nerdio, which can be used to configure the Session Hosts. The script can also be run through other methods. Currently, Microsoft's article describes only the Intune and GPO methods.

Scripted Action

The following Scripted Action can be imported into Nerdio. After importing, you can configure the parameters when adding it to a deployment step:

Usage

To use the Scripted Action, you can add it to a Scripted Action Group and define the necessary parameters:

You can also configure this setting for VM deployment:

Conclusion

While this behavior can still be managed through Intune and GPO, I prefer to apply these settings directly to the host at the time of creation. Since I am increasingly working with Microsoft Entra ID Only implementations, Scripted Actions offer a convenient way to configure these settings from the start.
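
For readers who want to see what applying the setting directly on a host involves, here is an added PowerShell example; it is not the author's Scripted Action and not Nerdio code. The parameter names are hypothetical, and the registry key path, value names and data (0 = show the remote lock screen, 1 = disconnect the session) are assumed from Microsoft's documentation of this policy and should be checked against it.

```powershell
#Requires -RunAsAdministrator
# Added example, not the author's Scripted Action.
# Assumption: key path and value names as documented by Microsoft for this policy
# (0 = show the remote lock screen, 1 = disconnect the session).
[CmdletBinding(SupportsShouldProcess)]
param(
    # Lock behavior for sessions signed in with SSO (Microsoft identity platform)
    [ValidateSet('ShowLockScreen', 'Disconnect')]
    [string]$SsoLockBehavior = 'ShowLockScreen',

    # Lock behavior for sessions signed in with legacy authentication
    [ValidateSet('ShowLockScreen', 'Disconnect')]
    [string]$LegacyLockBehavior = 'ShowLockScreen'
)

$ErrorActionPreference = 'Stop'
$keyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$toDword  = @{ ShowLockScreen = 0; Disconnect = 1 }
$settings = [ordered]@{
    fdisconnectonlockmicrosoftidentity = $toDword[$SsoLockBehavior]
    fdisconnectonlocklegacy            = $toDword[$LegacyLockBehavior]
}

# Create the policy key if the host does not have it yet
if (-not (Test-Path -Path $keyPath) -and
    $PSCmdlet.ShouldProcess($keyPath, 'Create policy key')) {
    New-Item -Path $keyPath -Force | Out-Null
}

foreach ($name in $settings.Keys) {
    $desired = $settings[$name]
    $current = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name

    # Idempotent: leave values that already match untouched
    if ($null -ne $current -and $current -eq $desired) {
        Write-Output "$name is already $desired"
        continue
    }
    if ($PSCmdlet.ShouldProcess("$keyPath\$name", "Set DWORD to $desired")) {
        New-ItemProperty -Path $keyPath -Name $name -PropertyType DWord -Value $desired -Force | Out-Null
        # Read the value back so a silent failure does not leave the host misconfigured
        $actual = (Get-ItemProperty -Path $keyPath -Name $name).$name
        if ($actual -ne $desired) { throw "$name is $actual, expected $desired" }
        Write-Output "$name set to $desired (was: $(if ($null -eq $current) { 'not set' } else { $current }))"
    }
}
```

Run it with `-WhatIf` first to see which values would change. With `ShowLockScreen`, unlocking happens at the remote lock screen, which, as noted at the top of this article, does not offer modern unlock options.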