Fix AVD Remote Desktop Logon Issue Deny Remote Desktop Services Logon

Let’s learn how to fix the AVD Remote Desktop logon issue caused by a security policy called “Deny Remote Desktop Services Logon.” My colleague Mark Thomas can help us fix this issue.

We are managing AVD VMs with Microsoft Intune. All the security policies are applied using Intune. I have a post explaining one example, “UserRights Policy Deployment Using Intune | Group Policy Replacement.”

The Microsoft Remote Desktop client offers a seamless connection to Azure Virtual Desktop, enabling easy access to your desktops and applications. This article provides constructive guidance on connecting to Azure Virtual Desktop using the Remote Desktop client for Windows.

The Windows App lets you securely connect to Windows devices and applications from Azure Virtual Desktop, Windows 365, Microsoft Dev Box, Remote Desktop Services, and remote PCs. Additionally, you can subscribe to a feed provided by your organization’s administrators, ensuring a streamlined user experience.


Index
An issue with the AVD HostPool Login
Security Policies for AVD
FIX – AVD Remote Desktop Logon Issue
Resources
Fix AVD Remote Desktop Logon Issue Deny Remote Desktop Services Logon – Table 1

An issue with the AVD HostPool Login

The user got the following error when logging into a Remote Desktop using the assigned AVD host pool.

To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Remote Desktop Users group have this right. If the group you're in doesn't have this right, or if the right has been removed from the Remote Desktop Users group, you need to be granted this right manually.
Fix AVD Remote Desktop Logon Issue Deny Remote Desktop Services Logon – Fig.1

Security Policies for AVD

Most organizations must follow standard security policies, such as those from CIS. One of the security policy guidelines was to set a policy to Deny Remote Desktop Services Logon for Local Users and Guests.

More details about the DenyRemoteDesktopServicesLogon policy are explained in the following Microsoft document – https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services

Fix AVD Remote Desktop Logon Issue Deny Remote Desktop Services Logon – Fig.2

We use SIDs instead of names in security policies to avoid complexities with different language pack installations of Windows. More details about well-known SIDs are here.

SID            Name
S-1-5-32-546   Guests
S-1-2-0        Local
Fix AVD Remote Desktop Logon Issue Deny Remote Desktop Services Logon – Table 2

FIX – AVD Remote Desktop Logon Issue

After much trial and error, we removed the SID for Local (S-1-2-0) from the policy called DenyRemoteDesktopServicesLogon, which fixed the issue.

Fix AVD Remote Desktop Logon Issue Deny Remote Desktop Services Logon – Fig.3
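
To confirm on a session host which entries the Deny Remote Desktop Services Logon right actually holds, the following PowerShell is an added example and not part of the original post. It assumes an elevated session; the function name `Get-DenyRdpLogonEntries` and the temp file name are hypothetical, and the sample input is constructed from the two SIDs in Table 2.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
# SeDenyRemoteInteractiveLogonRight is the constant name of the
# "Deny log on through Remote Desktop Services" user right.
$RightName = 'SeDenyRemoteInteractiveLogonRight'
$SidRemovedInArticle = 'S-1-2-0'   # "Local", the entry the article removed
# Note: S-1-2-0 (Local) is a different well-known SID from S-1-5-113 (Local account).

function Get-DenyRdpLogonEntries {           # hypothetical helper name
    param([string[]]$InfLines)               # lines of a secedit /export file
    $line = $InfLines | Where-Object { $_ -match "^\s*$RightName\s*=" } | Select-Object -First 1
    if (-not $line) { return }               # right is not assigned to anyone
    $values = ($line -split '=', 2)[1] -split ','
    foreach ($raw in $values) {
        $value = $raw.Trim()
        if (-not $value) { continue }
        # secedit writes SIDs with a leading '*'; resolvable accounts appear by name
        $sid  = if ($value.StartsWith('*')) { $value.Substring(1) } else { $null }
        $name = $value
        if ($sid) {
            try {
                $name = [System.Security.Principal.SecurityIdentifier]::new($sid).Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = '(unresolved)' }
        }
        [pscustomobject]@{
            Sid  = $sid
            Name = $name
            Note = if ($sid -eq $SidRemovedInArticle) { 'Entry the article removed to restore logon' } else { '' }
        }
    }
}

# Constructed sample that mirrors the two SIDs in Table 2
$sample = '[Privilege Rights]', "$RightName = *S-1-5-32-546,*S-1-2-0"
Get-DenyRdpLogonEntries -InfLines $sample | Format-Table -AutoSize

# Live check on the session host: export only the user-rights area and parse it
$cfg = Join-Path $env:TEMP 'avd-user-rights.inf'   # hypothetical file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-DenyRdpLogonEntries -InfLines (Get-Content $cfg) | Format-Table -AutoSize
Remove-Item $cfg -ErrorAction SilentlyContinue
```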


Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His primary focus is Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
