GPO tool

Group Policy made searchable

A free ADMX browser or comparison tool for IT administrators. Search policies, find registry keys, and see exactly what each setting writes to the Windows Registry. Or compare two GPO backups to see exactly what has changed between them.

Disconnect remote session on lock for Microsoft identity platform authentication

This policy setting allows you to configure the user experience when the Remote Desktop session is locked by the user or by a policy. You can specify whether the remote session will show the remote lock screen or disconnect when the remote session is locked. Disconnecting the remote session ensures that a remote session cannot be left on the lock screen and cannot reconnect automatically due to loss of network connectivity.

This policy applies only when using an identity provider that uses the Microsoft identity platform, such as Microsoft Entra ID, to authenticate to the remote PC. This policy doesn't apply when using legacy authentication, which includes the NTLM, CredSSP, RDSTLS, TLS, and RDP basic authentication protocols.

If you enable or do not configure this policy setting, Remote Desktop connections using the Microsoft identity platform will disconnect the remote session when the remote session is locked. Users can reconnect when they're ready and can use passwordless authentication if configured.

If you disable this policy setting, Remote Desktop connections using the Microsoft identity platform will show the remote lock screen when the remote session is locked. Users can unlock the remote session using their username and password, or certificates.

Registry Information

Vendor: Microsoft
Product: Terminal Server
Category: Remote Desktop Services › Remote Desktop Session Host › Security
Applies to: Computer Configuration
Supported on: Windows Vista
Registry Key: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Value Name: fDisconnectOnLockMicrosoftIdentity
Type: REG_DWORD
Enabled value: 1
Disabled value: 0

Registry File (.reg)

Windows Registry Editor Version 5.00

; Enable the policy
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fDisconnectOnLockMicrosoftIdentity"=dword:00000001

; Disable the policy
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fDisconnectOnLockMicrosoftIdentity"=dword:00000000

PowerShell

# Enable the policy
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "fDisconnectOnLockMicrosoftIdentity" -Value 1 -Type DWord

# Disable the policy
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "fDisconnectOnLockMicrosoftIdentity" -Value 0 -Type DWord
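
Because an absent value and a value of 1 both result in disconnect-on-lock, an audit has to tell "not configured" apart from "explicitly disabled". The following read-only check is an added example, not part of the original page or of any Microsoft tooling; the function name Get-DisconnectOnLockState and the "Unexpected" classification for data other than a DWORD 0 or 1 are assumptions made here.

```powershell
# Added example (not from the original page): read-only audit of the policy value.
# Get-DisconnectOnLockState is a hypothetical helper name.
function Get-DisconnectOnLockState {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
        [string]$Name = 'fDisconnectOnLockMicrosoftIdentity'
    )

    $raw  = $null
    $kind = $null

    # The policy key may not exist at all on a machine with no RDS policies applied.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains $Name)) {
        $raw  = $key.GetValue($Name)
        $kind = $key.GetValueKind($Name)
    }

    if ($null -eq $raw) {
        # Per the policy text, "not configured" behaves like "enabled".
        $state = 'NotConfigured'; $onLock = 'Disconnect'
    }
    elseif ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        # The page defines only REG_DWORD; anything else is flagged (assumption).
        $state = 'Unexpected'; $onLock = 'Undetermined'
    }
    elseif ($raw -eq 1) { $state = 'Enabled';  $onLock = 'Disconnect' }
    elseif ($raw -eq 0) { $state = 'Disabled'; $onLock = 'ShowRemoteLockScreen' }
    else {
        # The page defines only 0 and 1; other data is flagged (assumption).
        $state = 'Unexpected'; $onLock = 'Undetermined'
    }

    # OnLock describes sessions authenticated through the Microsoft identity
    # platform only; legacy-authenticated sessions are outside this policy.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        PolicyState  = $state
        OnLock       = $onLock
        RawValue     = $raw
        ValueKind    = $kind
    }
}

Get-DisconnectOnLockState | Format-List
```

A PolicyState of Disabled is the result to review, since it leaves locked sessions on the remote lock screen instead of disconnecting them.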