|
| 1 | +--- |
| 2 | +title: Troubleshoot unexpected RDS session locks or disconnections |
| 3 | +description: Introduces how to configure RDS session timeouts to troubleshoot unexpected session locks or disconnections. |
| 4 | +ms.date: 01/15/2025 |
| 5 | +manager: dcscontentpm |
| 6 | +audience: itpro |
| 7 | +ms.topic: troubleshooting |
| 8 | +ms.reviewer: kaushika |
| 9 | +ms.custom: |
| 10 | +- sap:remote desktop services and terminal services\session connectivity |
| 11 | +- pcy:WinComm User Experience |
| 12 | +--- |
| 13 | +# Troubleshoot unexpected RDS session locks or disconnections |
| 14 | + |
| 15 | +A Remote Desktop Services (RDS) session can enter **locks** and **disconnects** status at regular intervals. This requires users to log in or reconnect to the session. This article introduces how to troubleshoot unexpected **locks** and **disconnects** time intervals. |
| 16 | + |
| 17 | +## Introductions |
| 18 | + |
| 19 | +RDS can have the following status: |
| 20 | + |
| 21 | +- **active**: the user is currently connected and interacting with the system. |
| 22 | +- **idle**: the user is connected but has not interacted with the server for a specific period. |
| 23 | +- **locked**: users are redirected to the login screen, but their sessions remain active without any error message. |
| 24 | +- **disconnected**: The user's connection to the server has been severed, and then the RDP window typically closes with an error message. The session remains running on the server. |
| 25 | + |
| 26 | +Disconnects occurring without a consistent timing pattern are more likely caused by **network issues** rather than configuration settings. |
| 27 | + |
| 28 | +## Verify if the session timeout is a disconnect |
| 29 | + |
| 30 | +On a Windows computer, when **MaxIdleTime** or **MaxConnectionTime** are configured, RDS sessions disconnect when conditions are met with distinct messages. Additional RDS session time limit policies determine the behavior after a session is disconnected. |
| 31 | + |
| 32 | +| Configuration | Set time limit for active but idle RDS sessions | Set time limit for active RDS sessions | |
| 33 | +| :------------------------ | :-------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------- | |
| 34 | +| Registry (Type:REG_DWORD) | MaxIdleTime | MaxConnectionTime | |
| 35 | +| Message when disconnected | Your Remote Desktop Services session ended because the remote computer didn't receive any input from you. | The remote session ended because the total logon time limit was reached. This limit is set by the server administrator or by network policies. | |
| 36 | + |
| 37 | +You can use the following two methods to configure the above registry values. |
| 38 | + |
| 39 | +### RDS Deployment |
| 40 | + |
| 41 | +The default configuration for these session limits should be set at the **Collection** > **Properties tasks** > **Session** on the server that manages the RDS deployment. Usually, the server is the Remote Desktop Connection Broker. These settings are then applied to the registry of the Remote Desktop Session Hosts in that collection. |
| 42 | + |
| 43 | +Registry path: `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp`. |
| 44 | + |
| 45 | +> [!NOTE] |
| 46 | +> |
| 47 | +> - If users connect to the RDS Deployment through a Remote Desktop Gateway (RDGW), similar configuration can be done in **RDGW manager > Policies > Connection Authorization Policies > Timeouts tab**. Users that bypass the RDGW won't be affected. |
| 48 | +> - Session timeout will have a distinct disconnect message compared to the message caused by the **MaxConnectionTime** setting: **The connection has been disconnected because the session timeout limit was reached.** |
| 49 | +
|
| 50 | +### Computer and User policies |
| 51 | + |
| 52 | +Computer and User policies should be configured with **gpedit.msc** (locally) or **gpmc.msc** (domain level) on the following path: |
| 53 | +**Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits** |
| 54 | + |
| 55 | +Policy configurations are applied to the corresponding registry path: |
| 56 | + |
| 57 | +- Computer policy registry path: **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services** |
| 58 | +- User policy registry path: **HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Terminal Services** |
| 59 | + |
| 60 | +## Verify if the session timeout is a Lock |
| 61 | + |
| 62 | +On a Windows machine, there are two distinct forms of configuring a session lock: |
| 63 | + |
| 64 | +1. **Machine inactivity limit** policy. |
| 65 | +2. Configuring a **Screen saver**. |
| 66 | + |
| 67 | +If any of the above is configured, sessions will be locked when conditions are met. |
| 68 | + |
| 69 | +> [!IMPORTANT] |
| 70 | +> |
| 71 | +> - Policies have precedence to default configurations. |
| 72 | +> - These configurations apply immediately, but if not, ask users to reconnect or logoff/logon. |
| 73 | +
|
| 74 | +### Machine inactivity limit policy |
| 75 | + |
| 76 | +The policy can only be configured at the Computer level, with the value specified in seconds. The configuration policy path and the corresponding registry path where it will be applied are outlined below: |
| 77 | + |
| 78 | +- Policy path: **Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options** - **Interactive logon: Machine inactivity limit** |
| 79 | +- Registry path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - InactivityTimeoutSecs |
| 80 | + Type:REG_DWORD |
| 81 | + |
| 82 | +### Screen saver |
| 83 | + |
| 84 | +To enable a screen saver that locks the session, three registry values of type:REG_SZ must be configured: |
| 85 | + |
| 86 | +- **ScreenSaveActive** - Enable (**1**) or Disable (**0**) a Screen Saver |
| 87 | +- **ScreenSaverIsSecure** - Password protected (**1**) or unprotected (**0**) |
| 88 | +- **ScreenSaveTimeOut** - How much user idle time (seconds) must elapse before the screen saver is launched |
| 89 | + |
| 90 | +Screen saver is a user configuration. The configuration can be set by using **Screen Saver Settings** console or by using policies. |
| 91 | + |
| 92 | +#### Screen Saver Settings |
| 93 | + |
| 94 | +To configure on Screen Saver Settings: |
| 95 | + |
| 96 | +- open CMD and run following command to open the console: *control desk.cpl,,1* |
| 97 | +- Select from **Screen saver** dropdown box. |
| 98 | +- Define a timeout. |
| 99 | +- Select **On resume, display logon screen** checkbox. |
| 100 | + |
| 101 | +Values are written on registry path: `Computer\HKEY_CURRENT_USER\Control Panel\Desktop` |
| 102 | + |
| 103 | +#### Policies |
| 104 | + |
| 105 | +Three below policies must be configured to enable Screen Saver: **Enable screen saver**, **Password protect the screen saver**, and **Screen saver timeout**. |
| 106 | + |
| 107 | +The configuration policies path and the corresponding registry path where it will be applied are outlined below: |
| 108 | + |
| 109 | +- Policy path: **User Configuration > Administrative Templates > Control Panel > Personalization**. |
| 110 | +- Registry path: `Computer\HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop`. |
| 111 | + |
| 112 | +## Contact Microsoft Support |
| 113 | + |
| 114 | +If the preceding steps cannot resolve the issue, collect data on the affected machine while replicating the issue. Download [TSS script](https://aka.ms/getTSS), and run the following command on an elevated Powershell: |
| 115 | + |
| 116 | +```powershell |
| 117 | +.\TSS.ps1 -Scenario UEX_RDSsrv -start -UEX_Logon |
| 118 | +``` |
| 119 | + |
| 120 | +For more information see [Gather information by using TSS for user experience-related issues](../../windows-client/windows-tss/gather-information-using-tss-user-experience.md). |
0 commit comments