RDS 2012 R2 – Remoteapp Locked out every 10 minutes…

Hello World,

Today, we will be speaking about Remote Desktop Services (RDS) technology. If you follow us, you know by now that we are quite busy with a project where RDS technology is used to centralize and consolidate a bunch of applications (and possibly desktops).

The project we are working on is basically trying to move from the classical application delivery model (install apps on each computer) to an Application as a Service model (moving applications to the RDS infrastructure).

So far, it’s really working great…

Description of the Issue

As more and more users consume applications via the RDS infrastructure, every day we discover new features/annoyances that can impact the user experience while using the RemoteApp infrastructure. We just discovered a new GPO setting that you might need to check on your RDS infrastructure.

The RDS infrastructure in use is based on Windows 2012 R2. Users can access the applications via the RDWeb Access server. The users can launch their applications with no problem. However, after some time, we had users complaining that every 10 minutes their RemoteApp session was locked (or disconnected).

To be more specific, if a user was inactive for 10 minutes (i.e. not using any of the RemoteApps he was connected to), a lockout event would fire.


In the past, this issue was not there. So we had to investigate a little bit in order to find out what could be causing it.

New GPO in Windows 2012 R2

Origin of the issue

After some investigation, we found out that this behaviour was coming from a new GPO that was applied to all the servers on the customer premises. Apparently, there is a new GPO setting available in Windows 2012 R2 that can be configured to automatically lock computers when users are inactive for a specific amount of time. This setting is indeed a good security practice: if a user forgets to lock the workstation before leaving, the lock is applied automatically.

If you open the Group Policy Management Console (gpmc.msc) or the local GPO editor (gpedit.msc) and browse to:

  • Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

you will see the following option:

  • Interactive logon: Machine inactivity limit


Fixing the issue

By default, this setting is not enforced. However, in our project, security is an important aspect and this GPO had been applied to the RDS servers. As the user experience was also important in this project, it was decided to change this inactivity lockout for the RDS servers. As agreed with the customer, we have removed the problematic GPO from the RDS server infrastructure, and the users are no longer presented with a lockout screen every 10 minutes.
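To check which RDS servers currently have the inactivity limit applied, the following PowerShell sketch reads the registry value that backs this security option. It is an added example, not part of the original post; the server names are placeholders and it assumes PowerShell remoting is enabled on the targets.

```powershell
# Added example, not from the original post. Server names are placeholders.
function Get-InactivityLimit {
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    # "Interactive logon: Machine inactivity limit" is stored as the
    # REG_DWORD InactivityTimeoutSecs (a 10 minute limit is 600 seconds).
    $query = {
        $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        $prop = Get-ItemProperty -Path $key -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue
        if ($prop) { [int]$prop.InactivityTimeoutSecs } else { -1 }   # -1 = value absent
    }

    foreach ($computer in $ComputerName) {
        try {
            $secs = Invoke-Command -ComputerName $computer -ScriptBlock $query -ErrorAction Stop
            if     ($secs -lt 0) { $state = 'Not configured' }
            elseif ($secs -eq 0) { $state = 'Disabled (0)' }
            else                 { $state = 'Enforced' }
        }
        catch {
            # Keep unreachable servers in the report instead of aborting the run.
            $secs  = $null
            $state = "Unreachable: $($_.Exception.Message)"
        }

        $minutes = $null
        if ($secs -gt 0) { $minutes = [math]::Round($secs / 60, 1) }

        [pscustomobject]@{
            Computer = $computer
            Seconds  = $secs
            Minutes  = $minutes
            State    = $state
        }
    }
}

# Placeholder host names; replace with your own RDS servers.
Get-InactivityLimit -ComputerName 'RDSH01', 'RDSH02' | Format-Table -AutoSize
```

Running `gpresult /scope computer /h report.html` on a server reported as Enforced shows which GPO delivers the setting.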

Final Notes

The more we work with RDS, the more we learn. Each new version of Windows might bring new features that we need to be aware of so we can offer the best experience to the users. The Application as a Service concept we have developed is so far working really well, and the customer (and user community) are really pleased with this new way of working.

Hope you enjoyed this tip about RDS and session lockout.

Till next time

See ya

 
