Sunday, September 1, 2024

W365 - Configure the session lock behaviour for the Cloud PC when SSO is enabled in Intune

Configure the session lock behaviour for the Cloud PC when SSO is enabled in Intune:

When single sign-on is enabled in the Windows 365 provisioning policy and a remote session locks, either because of 15 minutes of inactivity or because a screen saver configured for 15 minutes kicks in, the session is disconnected rather than locked. A notification informs the user of the disconnection and offers two options: Reconnect, or OK to stay disconnected.


Users can then select Reconnect from the dialog whenever they are ready to re-establish the session. They are not asked to re-enter their credentials, and the session opens immediately.

This was a known issue and many users were complaining about it - W365 Known Issue

However, Microsoft has released a new feature that enables the remote lock screen experience even when SSO is enabled and the session locks due to inactivity or screen saver settings - What's New in W365



Prerequisites for Windows 11:

Steps to configure the session lock behaviour on session hosts using Intune:

  1. Open Microsoft Intune admin center.

  2. Select Devices > Manage devices > Configuration > Create > New policy.

  3. Select Platform as Windows 10 and later and Profile type as Settings catalog.

  4. In Basics, enter the Name and valid Description.

  5. In Configuration settings, select Add settings. Then:

    1. In the settings picker, expand Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.

    2. Select the Disconnect remote session on lock for Microsoft identity platform authentication setting.

    3. Close the settings picker.


  6. Configure the setting to "Disabled" to show the remote lock screen when the session locks.

  7. Select Next.

  8. Add the Scope tags and Assignments and select Create.

  9. Once the policy is created, the setting takes effect after the session hosts sync with Intune and users start a new session or restart the Cloud PC.

Alternatively, this can be done with the registry value below. The value data controls the behaviour:

  Value data   Description
  0            Show the remote lock screen.
  1            Disconnect the session.

Enable Screen Lock:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fdisconnectonlockmicrosoftidentity"=dword:00000000

Disconnect the session:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fdisconnectonlockmicrosoftidentity"=dword:00000001

PowerShell Scripts:

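The following PowerShell script is an added example and is not part of the original post or a Microsoft script. It reads and sets the same `fdisconnectonlockmicrosoftidentity` value as the .reg exports above; the function names and the detection-script exit-code convention (exit 1 when the device deviates from the desired state) are this example's own assumptions.

```powershell
# Added example (not from the original post): read and set the
# "Disconnect remote session on lock for Microsoft identity platform
# authentication" policy value. Function names and the exit-code
# convention are assumptions of this example.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ValueName  = 'fdisconnectonlockmicrosoftidentity'

function Get-SessionLockBehavior {
    # Returns 'Disconnect' (value 1, or value absent = default behaviour)
    # or 'RemoteLockScreen' (value 0).
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Disconnect' }
    if ([int]$item.$ValueName -eq 0) { return 'RemoteLockScreen' }
    return 'Disconnect'
}

function Set-SessionLockBehavior {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disconnect', 'RemoteLockScreen')]
        [string]$Mode
    )
    # 1 = disconnect on lock (default, re-evaluates Conditional Access on reconnect)
    # 0 = remote lock screen (Conditional Access is not re-evaluated while locked)
    $data = if ($Mode -eq 'Disconnect') { 1 } else { 0 }
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$PolicyPath\$ValueName", "Set to $data ($Mode)")) {
        # REG_DWORD, matching the .reg exports above.
        New-ItemProperty -Path $PolicyPath -Name $ValueName -Value $data `
            -PropertyType DWord -Force | Out-Null
    }
}

# Detection-style check: report the current state and exit non-zero when it
# differs from the desired state, so a remediation script can run
# Set-SessionLockBehavior -Mode $desired.
$desired = 'Disconnect'
$current = Get-SessionLockBehavior
Write-Output "Current session lock behaviour: $current (desired: $desired)"
if ($current -ne $desired) { exit 1 } else { exit 0 }
```

Run it in an elevated session (the policy key is under HKLM); change `$desired` to `RemoteLockScreen` if you deliberately want the remote lock screen behaviour from step 6 above.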

Microsoft recommendation:

Microsoft recommends keeping the default disconnect behaviour when using SSO, because of its security benefits, which are highly recommended and expected by many customers:

Consistent sign-in experience through Microsoft Entra ID when needed.
Single sign-on and reconnection without an authentication prompt when allowed by Conditional Access policies.
Supports passwordless authentication such as passkeys and FIDO2 devices, unlike the remote lock screen.
Conditional Access policies, including multifactor authentication and sign-in frequency, are re-evaluated when the user reconnects to their session.
Can require multifactor authentication to return to the session and prevent users from unlocking with a simple username and password.

In particular, the new remote lock screen does not re-evaluate Conditional Access policies.
For example, if the sign-in frequency has already expired, it is not checked again until the user disconnects from the session. With the default disconnect-on-lock behaviour this gap does not exist, because locking disconnects the session and reconnecting triggers the re-evaluation.
