Let’s learn how to Fix WVD Remote desktop logon issue with a security policy called “Deny Remote Desktop Services Logon.” We are able to fix this issue with the help of my colleague Mark Thomas.
We are managing WVD VMs with Microsoft Intune. All the security policies are applied using Intune. I have a post that explains one of the examples “UserRights Policy Deployment Using Intune | Group Policy Replacement.”
Related Article – WVD Windows 10 Multi-Session Intune Hybrid Azure AD Support
An issue with WVD HostPool Login
The user was getting the following error when the user tries to logon to a Remote Desktop using assigned WVD host pool.
To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Remote Desktop Users group have this right. If the group you're in doesn't have this right, or if the right has been removed from the Remote Desktop Desktop Users group, you need to be granted this right manually.
Most of the organizations must have standard security policies by CIS. One of the security policy guidelines was to set a policy to Deny Remote Desktop Services Logon for Local Users and Guests.
More details about DenyRemoteDesktopServicesLogon policy is explained in the following Microsoft document – https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services
We use SIDs instead of Names in security policies to avoid complexities with different language pack installations of Windows. More details about well known SID here.
FIX – WVD Remote Desktop Logon Issue
After lot of trial and error, we removed the SID (S-1-2-0) for local from the policy called DenyRemoteDesktopServicesLogon and that fixed the issue.
- Well-known security identifiers in Windows operating systems
- WVD Life Cycle Management Remove Published Remote Apps with PowerShell
- WVD End User Experience Availability Updates from Ignite
- WVD Windows 10 Multi-Session Intune Hybrid Azure AD Support