Fix WVD Remote Desktop Logon Issue: Deny Remote Desktop Services Logon


Let’s learn how to fix a WVD Remote Desktop logon issue involving a security policy called “Deny Remote Desktop Services Logon.” We were able to fix this issue with the help of my colleague Mark Thomas.

Introduction

We manage WVD VMs with Microsoft Intune, and all the security policies are applied using Intune. One example is explained in my post “UserRights Policy Deployment Using Intune | Group Policy Replacement.”

Related article: WVD Windows 10 Multi-Session Intune Hybrid Azure AD Support

An issue with WVD HostPool Login

The user got the following error when trying to log on to a Remote Desktop using the assigned WVD host pool.

To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Remote Desktop Users group have this right. If the group you're in doesn't have this right, or if the right has been removed from the Remote Desktop Desktop Users group, you need to be granted this right manually.

Security Policies

Most organizations must have standard security policies from CIS. One of the security policy guidelines was to set a policy to Deny Remote Desktop Services Logon for Local Users and Guests.

More details about the DenyRemoteDesktopServicesLogon policy are explained in the following Microsoft document: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services


We use SIDs instead of names in security policies to avoid complexities with different language pack installations of Windows. More details about well-known SIDs here.

SID             Name
S-1-5-32-546    Guests
S-1-2-0         Local

Well Known SID Name Matching Table

FIX – WVD Remote Desktop Logon Issue

After a lot of trial and error, we removed the SID (S-1-2-0) for Local from the policy called DenyRemoteDesktopServicesLogon, and that fixed the issue.
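
To confirm what actually landed on a session host after the Intune policy applies, the following added example (not from the original post) exports the effective user rights with secedit and lists every entry assigned to SeDenyRemoteInteractiveLogonRight, the privilege behind this policy. The function names and the temp-file name are illustrative; run it from an elevated PowerShell prompt on the WVD VM.

```powershell
# Added example: list who is denied RDP logon on this session host.
$ErrorActionPreference = 'Stop'

function Get-DenyRdpLogonEntries {
    param([string[]]$InfLines)
    # secedit writes one line per right, for example:
    #   SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546,*S-1-2-0
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeDenyRemoteInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }            # right is not assigned to anyone
    ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}

function Resolve-EntryName {
    param([string]$Entry)
    # Entries that are not SIDs are already account names.
    if ($Entry -notmatch '^S-1-') { return $Entry }
    try {
        $sid = [System.Security.Principal.SecurityIdentifier]$Entry
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        '<unresolved>'
    }
}

# Export only the user-rights area of the effective local security policy.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit.exe /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$entries = Get-DenyRdpLogonEntries -InfLines (Get-Content -Path $cfg)
Remove-Item -Path $cfg -Force

$report = foreach ($e in $entries) {
    [pscustomobject]@{
        Entry = $e
        Name  = Resolve-EntryName $e
        # S-1-2-0 (Local) is the SID whose removal fixed the logon issue above.
        Note  = if ($e -eq 'S-1-2-0') { 'Local: check against the fix above' } else { '' }
    }
}

if ($report) { $report | Format-Table -AutoSize }
else { 'No accounts are assigned SeDenyRemoteInteractiveLogonRight.' }
```

Running it before and after the policy change shows whether S-1-2-0 has actually been removed on the host, independent of what the Intune console reports.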
