
Understanding Microsoft Azure Virtual Desktop Session Lock: Enhancing Security and User Experience

Azure Virtual Desktop (AVD) continues to revolutionize how organizations manage virtual desktops in the cloud, offering flexibility, scalability, and enhanced security. One essential aspect of using AVD effectively is understanding and configuring the Session Lock Behavior. This feature controls what happens when a remote session is locked—whether by user action or via policy.

What is Session Lock Behavior in Azure Virtual Desktop?

The session lock behavior in Azure Virtual Desktop dictates how the system responds when a user locks their session. There are two primary options:

  1. Disconnect the Session: This option terminates the session and presents the user with a dialog box informing them of the disconnection. The user can later reconnect by selecting the “Reconnect” option, which restores the session.
  2. Show the Remote Lock Screen: Alternatively, the remote lock screen is displayed without disconnecting the session. The user can unlock the session by providing their credentials.

By default, the system behaves differently depending on whether Single Sign-On (SSO) with Microsoft Entra ID is enabled or legacy authentication is used.

Benefits of Disconnecting Sessions with Single Sign-On (SSO)

When utilizing SSO through Microsoft Entra ID, disconnecting the session during a lock event has several advantages, particularly in environments requiring stringent security measures:

  • Consistent Sign-in Experience: Users reconnect to the session seamlessly through Microsoft Entra ID. Conditional Access Policies ensure that access remains secure while allowing the same session to resume smoothly.
  • Passwordless Authentication: One of the standout benefits is the support for passwordless authentication methods like FIDO2 devices and passkeys. These modern, secure methods are fully supported only when the session is disconnected, ensuring a streamlined yet secure authentication process.
  • Conditional Access Reevaluation: Every time a session is reconnected, the Conditional Access Policies, including Multi-Factor Authentication (MFA) and sign-in frequency requirements, are re-evaluated. This provides an added layer of security to ensure that only the authorized user can access the session.
  • Support for MFA: Organizations can enforce MFA during reconnections to further enhance security, preventing unauthorized access even if someone knows the user’s credentials.

For users relying on legacy authentication protocols (e.g., NTLM, CredSSP), the default behavior is to display the remote lock screen without disconnecting the session. However, organizations can configure the behavior to align with their security and operational needs.

How to Configure Session Lock Behavior

Configuring the session lock behavior in Azure Virtual Desktop can be done through

Using Microsoft Intune

Here are the steps to configure the session lock experience via Microsoft Intune:

Sign in to the Microsoft Intune admin center (https://intune.microsoft.com).

Create a configuration profile for Windows 10 or later devices, using the Settings catalog profile type.

Policy Name: AVD_SessionLock_SSO_Disconnect_Policy

In the settings picker, navigate to:

    • Administrative templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.

For Single Sign-On (SSO) using Microsoft Entra ID:

    • Select the setting Disconnect remote session on lock for Microsoft Entra ID-based authentication.
    • Set it to Enabled (to disconnect the session on lock) or Disabled (to show the remote lock screen instead).

For Legacy Authentication Protocols:

    • Select the setting Disconnect remote session on lock for legacy authentication.
    • Set it to Enabled or Disabled as needed.


Review and apply the policy. Once applied, restart the session hosts for the settings to take effect.
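To confirm that the profile actually reached a session host after the restart, the following PowerShell check (an added example, not code from the original post or from Microsoft) reads the two policy values on the host and reports the effective lock behavior for each authentication type. It assumes the two Settings catalog entries are written to the Terminal Services policy key as the DWORD values named below; verify those names against the Microsoft Learn documentation for session lock behavior before relying on the script.

```powershell
# Added example, not part of the original post: audit the effective session-lock
# policy on an AVD session host after the Intune profile has been applied and the
# host has been restarted.
# ASSUMPTION: the two Settings catalog entries are stored as these DWORD values
# under the Terminal Services policy key. Verify the value names against the
# Microsoft Learn page on session lock behavior before relying on this script.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Value name, authentication type, and the platform default described in the post
# (SSO with Entra ID disconnects on lock; legacy authentication shows the lock screen).
$settings = @(
    @{ Name = 'fDisconnectOnLockMicrosoftIdentity'; Auth = 'Microsoft Entra ID (SSO)'; Default = 'disconnect' }
    @{ Name = 'fDisconnectOnLockLegacy';            Auth = 'Legacy (NTLM/CredSSP)';    Default = 'lock screen' }
)

function Get-SessionLockBehavior {
    param([string]$Key, [array]$Map)
    foreach ($s in $Map) {
        $value = $null
        if (Test-Path $Key) {
            # Missing value -> $null, which means the policy is not configured on this host
            $value = (Get-ItemProperty -Path $Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        }
        if ($null -eq $value) {
            $state = "Not configured (default: $($s.Default))"
        } elseif ([int]$value -eq 1) {
            $state = 'Enabled: session disconnects on lock'
        } else {
            $state = 'Disabled: remote lock screen is shown'
        }
        [pscustomobject]@{
            Authentication = $s.Auth
            PolicyValue    = $s.Name
            Raw            = $value
            Behavior       = $state
        }
    }
}

# Run on the session host (elevated is not required for reading HKLM policy values)
Get-SessionLockBehavior -Key $policyKey -Map $settings | Format-Table -AutoSize
```

Run it before and after the restart: a row still reporting "Not configured" after the host comes back means the profile has not applied to that host, which is worth checking in Intune before assuming the security benefits of disconnect-on-lock are in force.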

Final Thoughts

The Azure Virtual Desktop Session Lock behavior offers flexibility for organizations to optimize both security and user experience. By leveraging single sign-on with Microsoft Entra ID, you can ensure a seamless, secure connection for users while supporting advanced authentication methods like passwordless sign-ins. For environments that still rely on legacy protocols, administrators can fine-tune the behavior to balance usability and security.

Implementing these settings using tools like Microsoft Intune or Group Policy ensures that administrators have full control over the session lock behavior, making Azure Virtual Desktop a versatile and secure solution for modern workforces.

Published in: Microsoft Azure, Microsoft Azure Virtual Desktop