|
| 1 | +--- |
| 2 | +title: Troubleshoot Unexpected RDS Session Locks or Disconnections |
| 3 | +description: Introduces how to configure RDS session time-outs to troubleshoot unexpected session locks or disconnections. |
| 4 | +ms.date: 03/11/2025 |
| 5 | +manager: dcscontentpm |
| 6 | +audience: itpro |
| 7 | +ms.topic: troubleshooting |
| 8 | +ms.reviewer: kaushika |
| 9 | +ms.custom: |
| 10 | +- sap:remote desktop services and terminal services\session connectivity |
| 11 | +- pcy:WinComm User Experience |
| 12 | +--- |
| 13 | +# Troubleshoot unexpected RDS session locks or disconnections |
| 14 | + |
| 15 | +A Remote Desktop Services (RDS) session can enter a **locked** and **disconnected** status at regular intervals. In this situation, the session requires users to sign in or reconnect to the session. This article introduces how to troubleshoot unexpected lock and disconnection time intervals. |
| 16 | + |
| 17 | +## Introduction |
| 18 | + |
| 19 | +RDS can have the following statuses: |
| 20 | + |
| 21 | +- **Active**: The user is currently connected and interacting with the system. |
| 22 | +- **Idle**: The user is connected but hasn't interacted with the server for a specific period. |
| 23 | +- **Locked**: Users are redirected to the login screen, but their sessions remain active without any error message. |
| 24 | +- **Disconnected**: The user's connection to the server has been severed, and then the RDP window typically closes with an error message. The session remains to run on the server. |
| 25 | + |
| 26 | +Disconnections occurring without a consistent timing pattern are more likely caused by network issues rather than configuration settings. |
| 27 | + |
| 28 | +## Verify if the session time-out is a disconnection |
| 29 | + |
| 30 | +On a Windows computer, when **MaxIdleTime** or **MaxConnectionTime** is configured, RDS sessions disconnect when conditions are met with distinct messages. Other RDS session time limit policies determine the behavior after a session is disconnected. |
| 31 | + |
| 32 | +| Configuration | Set a time limit for active but idle RDS sessions | Set a time limit for active RDS sessions | |
| 33 | +| :------------------------ | :-------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------- | |
| 34 | +| Registry (Type: `REG_DWORD`) | `MaxIdleTime` | `MaxConnectionTime` | |
| 35 | +| Message when disconnected | Your Remote Desktop Services session ended because the remote computer didn't receive any input from you. | The remote session ended because the total logon time limit was reached. This limit is set by the server administrator or by network policies. | |
| 36 | + |
| 37 | +You can use the following two methods to configure these registry values. |
| 38 | + |
| 39 | +### RDS deployment |
| 40 | + |
| 41 | +The default configuration for these session limits should be set in **Collection** > **Properties tasks** > **Session** on the server that manages the RDS deployment. Usually, the server is the Remote Desktop Connection Broker. These settings are then applied to the registries of the Remote Desktop Session Hosts in that collection. |
| 42 | + |
| 43 | +The registry values are located at `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp`. |
| 44 | + |
| 45 | +> [!NOTE] |
| 46 | +> |
| 47 | +> - If you connect to the RDS deployment through a Remote Desktop Gateway (RDGW), a similar configuration can be done in **RDGW manager > Policies > Connection Authorization Policies > Timeouts tab**. Users who bypass the RDGW won't be affected. |
| 48 | +> - The session time-out disconnection message is distinct from the message caused by the **MaxConnectionTime** setting: **The connection has been disconnected because the session timeout limit was reached.** |
| 49 | +
|
| 50 | +### Computer and user policies |
| 51 | + |
| 52 | +Computer and user policies should be configured with **gpedit.msc** (locally) or **gpmc.msc** (domain level) at the following path: |
| 53 | +**Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits** |
| 54 | + |
| 55 | +Policy configurations are applied to the corresponding registry paths: |
| 56 | + |
| 57 | +- Computer policy registry path: **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services** |
| 58 | +- User policy registry path: **HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Terminal Services** |
| 59 | + |
| 60 | +> [!IMPORTANT] |
| 61 | +> |
| 62 | +> - Policies have precedence over default configurations. |
| 63 | +> - Computer policies have precedence over user policies. |
| 64 | +> - Registry values are expressed in milliseconds. |
| 65 | +> - To apply these configurations, users must reconnect or log off/on. |
| 66 | +
|
| 67 | +## Verify if the session time-out is a lock |
| 68 | + |
| 69 | +On a Windows machine, there are two distinct forms of a session lock configuration: |
| 70 | + |
| 71 | +1. The **Machine inactivity limit** policy. |
| 72 | +2. **Screen saver**. |
| 73 | + |
| 74 | +If any of the preceding settings are configured, sessions are locked when conditions are met. |
| 75 | + |
| 76 | +> [!IMPORTANT] |
| 77 | +> |
| 78 | +> - Policies have precedence over default configurations. |
| 79 | +> - These configurations apply immediately, but if not, ask users to reconnect or log off/on. |
| 80 | +
|
| 81 | +### Machine inactivity limit policy |
| 82 | + |
| 83 | +This policy can only be configured at the computer level, with the value specified in seconds. The configuration policy path and the corresponding registry path are: |
| 84 | + |
| 85 | +- Policy path: **Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options** - **Interactive logon: Machine inactivity limit** |
| 86 | +- Registry path: `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - InactivityTimeoutSecs` |
| 87 | + |
| 88 | + Type: `REG_DWORD` |
| 89 | + |
| 90 | +### Screen saver |
| 91 | + |
| 92 | +To enable a screen saver that locks the session, three registry values of type `REG_SZ` must be configured: |
| 93 | + |
| 94 | +- **ScreenSaveActive** - Enable (**1**) or disable (**0**) the screen saver. |
| 95 | +- **ScreenSaverIsSecure** - Password protected (**1**) or unprotected (**0**). |
| 96 | +- **ScreenSaveTimeOut** - How much user idle time (in seconds) must elapse before the screen saver is launched. |
| 97 | + |
| 98 | +Screen saver is a user configuration. The configuration can be set by using the **Screen Saver Settings** console or using policies. |
| 99 | + |
| 100 | +#### Screen Saver Settings |
| 101 | + |
| 102 | +To configure on **Screen Saver Settings**: |
| 103 | + |
| 104 | +1. Open Command Prompt and run the following command to open the console: |
| 105 | + |
| 106 | + ```cmd |
| 107 | + control desk.cpl,,1 |
| 108 | + ``` |
| 109 | +
|
| 110 | +2. Select from the **Screen saver** dropdown box. |
| 111 | +3. Define a time-out. |
| 112 | +4. Select the **On resume, display logon screen** checkbox. |
| 113 | +
|
| 114 | +The values are written in the registry path: `Computer\HKEY_CURRENT_USER\Control Panel\Desktop` |
| 115 | +
|
| 116 | +#### Policies |
| 117 | +
|
| 118 | +Three policies must be configured to enable the screen saver: **Enable screen saver**, **Password protect the screen saver**, and **Screen saver timeout**. |
| 119 | +
|
| 120 | +The configuration policy path and the corresponding registry path are: |
| 121 | +
|
| 122 | +- Policy path: **User Configuration > Administrative Templates > Control Panel > Personalization**. |
| 123 | +- Registry path: `Computer\HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop`. |
| 124 | +
|
| 125 | +## Contact Microsoft Support |
| 126 | +
|
| 127 | +If the preceding steps can't resolve the issue, collect data on the affected machine while replicating the issue. Download [the TroubleShootingScript (TSS) script](https://aka.ms/getTSS) and run the following command on an elevated PowerShell prompt: |
| 128 | +
|
| 129 | +```powershell |
| 130 | +.\TSS.ps1 -Scenario UEX_RDSsrv -start -UEX_Logon |
| 131 | +``` |
| 132 | + |
| 133 | +For more information, see [Gather information by using TSS for user experience-related issues](../../windows-client/windows-tss/gather-information-using-tss-user-experience.md). |
0 commit comments