Let’s learn how to Fix AVD Remote desktop logon issue with a security policy called “Deny Remote Desktop Services Logon.” We are able to fix this issue with the help of my colleague Mark Thomas.
We are managing AVD VMs with Microsoft Intune. All the security policies are applied using Intune. I have a post that explains one of the examples “UserRights Policy Deployment Using Intune | Group Policy Replacement.”
Related Article – AVD Windows 10 Multi-Session Intune Hybrid Azure AD Support
An issue with AVD HostPool Login
The user was getting the following error when the user tries to logon to a Remote Desktop using the assigned AVD host pool.
To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Remote Desktop Users group have this right. If the group you're in doesn't have this right, or if the right has been removed from the Remote Desktop Desktop Users group, you need to be granted this right manually.
Security Policies for AVD
Most organizations must have standard security policies by CIS. One of the security policy guidelines was to set a policy to Deny Remote Desktop Services Logon for Local Users and Guests.
More details about DenyRemoteDesktopServicesLogon policy is explained in the following Microsoft document – https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services
We use SIDs instead of Names in security policies to avoid complexities with different language pack installations of Windows. More details about well-known SID are here.
FIX – AVD Remote Desktop Logon Issue
After a lot of trial and error, we removed the SID (S-1-2-0) for local from the policy called DenyRemoteDesktopServicesLogon and that fixed the issue.
- AVD Life Cycle Management Remove Published Remote Apps with PowerShell
- AVD End User Experience Availability Updates from Ignite
- AVD Windows 10 Multi-Session Intune Hybrid Azure AD Support