Fix AVD Remote Desktop Logon Issue – Deny Remote Desktop Services Logon

Let’s learn how to fix an AVD Remote Desktop logon issue related to a security policy called “Deny Remote Desktop Services Logon.” We were able to fix this issue with the help of my colleague Mark Thomas.

We are managing AVD VMs with Microsoft Intune. All the security policies are applied using Intune. I have a post that explains one example: “UserRights Policy Deployment Using Intune | Group Policy Replacement.”

Related Article: AVD Windows 10 Multi-Session Intune Hybrid Azure AD Support

An issue with AVD HostPool Login

The user got the following error when trying to log on to a Remote Desktop using the assigned AVD host pool.

To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Remote Desktop Users group have this right. If the group you're in doesn't have this right, or if the right has been removed from the Remote Desktop Users group, you need to be granted this right manually.
AVD Remote Desktop Logon Issue – Deny Remote Desktop Services Logon

Security Policies for AVD

Most organizations must follow standard security policies defined by CIS. One of the security policy guidelines was to set a policy to Deny Remote Desktop Services Logon for Local Users and Guests.

More details about the DenyRemoteDesktopServicesLogon policy are explained in the following Microsoft document – https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services

AVD Remote Desktop Logon Issue – Deny Remote Desktop Services Logon

We use SIDs instead of names in security policies to avoid complexities with different language pack installations of Windows. More details about well-known SIDs are here.

SID             Name
S-1-5-32-546    Guests
S-1-2-0         Local

Well Known SID Name Matching Table

FIX – AVD Remote Desktop Logon Issue

After a lot of trial and error, we removed the SID (S-1-2-0) for local from the policy called DenyRemoteDesktopServicesLogon and that fixed the issue.

AVD Remote Desktop Logon Issue – Deny Remote Desktop Services Logon
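
To confirm which entries the deny policy actually holds on a session host, the user-rights assignment can be exported with secedit and the SeDenyRemoteInteractiveLogonRight line inspected. The PowerShell below is an added example, not from the original post; the function name Get-DenyRdpLogonEntries, the IsLocalSid property and the sample lines are constructed for illustration.

```powershell
# Added example: list who holds "Deny log on through Remote Desktop Services"
# (SeDenyRemoteInteractiveLogonRight) from a secedit user-rights export.
function Get-DenyRdpLogonEntries {
    param([string[]]$InfLines)

    # The export has one "Right = entry,entry,..." line per assigned user right.
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeDenyRemoteInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }   # right is not assigned to anyone

    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }

        if ($entry.StartsWith('*')) {
            # SIDs are exported with a leading '*'
            $sid = $entry.TrimStart('*')
            try {
                $name = [System.Security.Principal.SecurityIdentifier]::new($sid).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $name = '<unresolved>'   # SID cannot be mapped on this machine
            }
        } else {
            # Some accounts are exported by name instead of SID
            $sid  = '<exported by name>'
            $name = $entry
        }

        [pscustomobject]@{
            Sid        = $sid
            Name       = $name
            # S-1-2-0 (Local) is the entry the post removed to restore logon
            IsLocalSid = ($sid -eq 'S-1-2-0')
        }
    }
}

# Constructed sample of an export that still contains both SIDs from the table
$sample = @(
    '[Privilege Rights]',
    'SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546,*S-1-2-0'
)
Get-DenyRdpLogonEntries -InfLines $sample | Format-Table -AutoSize

# On a real session host (elevated prompt):
# secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
# Get-DenyRdpLogonEntries -InfLines (Get-Content "$env:TEMP\rights.inf")
```

Running it before and after the Intune policy change syncs shows whether S-1-2-0 has actually been dropped from the right on the host.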
