Set Idle Session Limits Using Intune for Windows 365/AVD

Let’s explore how to configure idle session limits for a Windows 365 Cloud PC. Utilizing the Intune admin center, you can create a device configuration policy applicable to Windows 365 Enterprise or Windows 365 Frontline editions. Please note that the same configuration policy will also work on Azure Virtual Desktop devices as well.

Windows 365 Frontline is a cost-saving option within the Windows 365 service, offering a single license to provision three Cloud PCs. However, only one session can be connected to any of these three Cloud PCs.

It might be more logical to apply idle session limits to Windows 365 Frontline Edition Cloud PCs because you want the session to be released for the next person to utilize. Since users may be working in different shifts, it’s ideal to end the session when it’s not actively used.

When users are using Windows 365 Enterprise Edition, they typically have personal/dedicated Cloud PCs. Therefore, it’s generally not advisable or required to set an idle session time limit for users assigned with a Windows 365 Enterprise license.

By default, no idle session limit is applied. The session will remain active until the user logs off from their Cloud PC. Consequently, A user working in the next shift with a Windows 365 Frontline license may encounter difficulty connecting to their Cloud PC.

A recommendation for users is to save their work and sign out from their Cloud PCs once they no longer use them. However, in cases where a user forgets to sign out, configuring an idle session limit will automatically disconnect and sign out the user, freeing up the license.

Some of the useful Articles/Step-by-Step guides on Windows 365:

Steps to Configure Idle Session Limit using Intune

Now that we understand the importance of idle session limits, especially for Windows 365 Cloud PCs, particularly the Frontline edition, let’s go through the steps to configure a policy in Intune:

Steps to Configure Idle Session Limit using Intune
Steps to Configure Idle Session Limit using Intune
  • Select Platform as Windows 10 and later
  • Profile type as Settings Catalog
  • Click on the Create button.
Steps to Configure Idle Session Limit using Intune
Steps to Configure Idle Session Limit using Intune
  • Click on Next to proceed.

Basics Tab

Enter the Name and Description of the profile. For Example:

  • Name: W365 Frontline Idle session limit policy.
  • Description: This policy enables Idle session limits on Windows 365 Frontline Cloud PCs.
Steps to Configure Idle Session Limit using Intune: Basics tab
Steps to Configure Idle Session Limit using Intune: Basics tab

Configuration Settings

  • Click on “+ Add settings.”
  • In the Settings picker, search for “idle session“.
  • Click on Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits category.
  • Check the box for “Idle session limits: (Device)” and exit the settings picker.
Steps to Configure Idle Session Limit using Intune: Configuration settings tab
Steps to Configure Idle Session Limit using Intune: Configuration settings tab
  • Set time limit for active but idle Remote Desktop Services sessions: Use the toggle switch to enable this policy setting.
  • Idle session limit: (Device): You can select the timeout value for idle sessions anywhere from 1 minute to 5 days. For demonstration and testing purposes, I have set it to 1 minute. However, you can choose the value that meets your organization’s session limit requirements. Click on ‘Next‘ to proceed.
Steps to Configure Idle Session Limit using Intune: Configuration settings tab

Scope tags

Click on Next.

Assignments tab

Click Add groups and select an Entra security group containing Cloud PCs.

Steps to Configure Idle Session Limit using Intune: Assignments tab
Steps to Configure Idle Session Limit using Intune: Assignments tab

Review + create

Review the policy summary on the Review + Create tab and click Create.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.

Related: How to force Intune Sync manually from macOS

Monitoring Cloud PC Idle Session Time Limits Policy Deployment

To monitor the deployment progress of a Device configuration profile, follow the below steps:

  • Sign in to the Microsoft Intune admin center.
  • Click on “Devices” and then click on “Configuration“.
  • Choose the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
  • Click on “View report” to access more detailed information.
Monitoring Cloud PC Idle Session Time Limits Policy Deployment
Monitoring Cloud PC Idle Session Time Limits Policy Deployment

End-user Experience

After this policy is successfully applied, if a Cloud PC has been idle for the specified duration configured in the policy, the session will be automatically disconnected. Users will receive a pop-up notice stating, Your session timed out due to inactivity. Try connecting again.

Your session timed out due to inactivity. Try connecting again.
Your session timed out due to inactivity. Try connecting again.

After clicking on the ‘Reconnect‘ button, the session reconnected successfully. Additionally, I observed the following pop-up message after reconnecting to the Cloud PC. The message reads: “Session has been idle over its time limit. It will be disconnected in 2 minutes. Press any key now to continue session“. Click on OK to continue using your Cloud PC.

Session has been idle over its time limit. It will be disconnected in 2 minutes. Press any key now to continue session
Session has been idle over its time limit. It will be disconnected in 2 minutes. Press any key now to continue session

Registry Key for Idle Session Time limit on a Cloud PC

The registry location is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services. On the right side, you will find a registry entry called MaxIdleTime, a DWORD value. The value of this registry entry will be in milliseconds.

For example, if we have configured an idle session timeout value of 1 minute in our policy, the registry entry MaxIdleTime would reflect the same. It would show 60000 milliseconds, equal to a 60-second timeout value. This confirms that Intune has configured this Cloud PC’s idle session timeout value correctly.

Registry Key for Idle Session Time limit on a Cloud PC
Registry Key for Idle Session Time limit on a Cloud PC

Confirm the Idle Session Limit Intune Policy Deployment Using Windows Event Logs

In the previous section, we learned how to confirm the idle session limit applied via Intune on a target Cloud PC from the Windows registry editor. This can also be confirmed using the Windows Event Viewer. Let’s check the steps:

  • Press the Windows key + R to open the Run dialog box.
  • Type eventvwr and press Enter to open the Event viewer.
  • Navigate to Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider/Admin.
  • Right-click on the Admin folder and click on Filter Current Log
  • Enter 814 in the Event ID box and click on OK.
Confirm the Idle Session Limit Intune Policy Deployment Using Windows Event Logs
Confirm the Idle Session Limit Intune Policy Deployment Using Windows Event Logs
  • You can now locate all logs related to Event ID 814. Examine them one by one until you identify the deployed configuration policy. As the screenshot below shows, the log displays the TS_Sessions_IdlLimitText value as 60000, which we configured via Intune.

MDM PolicyManager: Set policy string, Policy: (TS_SESSIONS_Idle_Limit_2), Area: (ADMX_TerminalServer), EnrollmentID requesting merge: (CCE3B-8IYH-0BBB-0009-903BEHBE90B), Current User: (Device), String: (), Enrollment Type: (0x6), Scope: (0x0).

Event Log 814 corresponding to Idle session limit policy deployment
Confirm the Idle Session Limit Intune Policy Deployment Using Windows Event Logs

Leave a Comment