Remote desktop lock after 60 seconds

Tomasz Głodek 0 Reputation points
2026-01-05T09:17:37.1966667+00:00

Hello, we have a strange problem after upgrading to Win 11 24H2. When we connect to the remote desktop using a password, everything is OK, but when we use a YubiKey the first time it works fine, and when we close the remote desktop connection using the "X" close button and reconnect again, the remote desktop locks every 60 seconds. We are observing this behavior only in the office (LAN); when we connect via VPN everything is OK. Can you advise where the problem is? When we use mstsc.exe with the remoteguard switch, everything is OK even in the office (LAN).

  1. Tomasz Głodek 0 Reputation points
    2026-01-05T13:40:09.37+00:00

    Unfortunately, that didn't help. I did that a long time ago. The problem occurs when joining a disconnected session.


  2. VPHAN 25,000 Reputation points Independent Advisor
    2026-01-05T12:34:14.54+00:00

    Hi tom nancy,

    On a low-latency LAN, Windows 11 (especially the newer 24H2 stack) aggressively utilizes RDP over UDP (User Datagram Protocol) for performance. Smart card redirection traffic is extremely sensitive to packet ordering and momentary drops. It appears the RDP-UDP implementation in 24H2 has a regression or instability that causes the virtual smart card handle to drop momentarily during session re-establishment or heartbeat checks. The OS interprets this micro-disconnect as a physical removal, triggering your "Lock Workstation" policy. VPNs often force RDP to fall back to TCP (due to encapsulation overhead or firewall traversal), which is why the session remains stable in that scenario.

    To resolve this, you need to force the Remote Desktop client to utilize the TCP protocol exclusively, which provides guaranteed packet delivery and ordering, stabilizing the smart card redirection channel. On the Windows 11 24H2 client machine (the one initiating the connection), open the Local Group Policy Editor (gpedit.msc) and navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client. Locate and Enable the policy setting "Turn off UDP On Client". If you prefer a registry-based fix or need to deploy this via script, you can create a DWORD value named fClientDisableUDP and set it to 1 at the path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client. A reboot of the client machine (or simply restarting the Remote Desktop app) is required for this to take effect. This will align the LAN behavior with the stable VPN behavior by bypassing the problematic UDP transport layer.

    VP


  3. Tomasz Głodek 0 Reputation points
    2026-01-05T10:30:26.97+00:00

    Hello, I can't turn off the smart card removal behavior (scremoveoption set to 0) because this is our security standard. We have 2 servers with the problem (connection from Win 11 24H2). Can you advise another way to resolve this problem? It is strange that over VPN it works OK, but via LAN it locks every 60 seconds.


  4. VPHAN 25,000 Reputation points Independent Advisor
    2026-01-05T09:49:42.4266667+00:00

    Hello tomasz glodek,

    To resolve this, you need to modify the Group Policy on the target remote machine. Navigate to Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options and locate the policy "Interactive logon: Smart card removal behavior." If this is currently set to "Lock Workstation," change it to "No Action" and run gpupdate /force. Alternatively, you can modify the registry directly at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon by setting the DWORD value ScRemoveOption to 0. This will stop the OS from locking the session even if it erroneously detects the redirected YubiKey has dropped.

    The reason mstsc.exe /remoteguard functions correctly is that Remote Guard fundamentally changes the credential architecture; it performs cryptographic operations on the client side and does not expose the raw smart card credentials or rely on the traditional smart card redirection driver (rdpdr.sys) in the same way. Since the remote host doesn't "hold" the smart card context, it cannot detect a "removal" event. Given that 24H2 has tightened security boundaries, using Remote Guard is actually the preferred "best practice" implementation for YubiKey over RDP as it mitigates Pass-the-Hash attacks, so sticking with that switch is a technically sound permanent fix if you cannot relax the smart card removal policy.

    I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!

    VP

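The client-side registry change from the "Turn off UDP On Client" answer, together with a read-only check that the target still enforces its smart card removal policy, as an added PowerShell example that is not part of any post in this thread. The function names are hypothetical, and the meanings of ScRemoveOption values other than 0 ("No Action") come from the policy's documented options rather than from this page.

```powershell
# Added example, not from the thread. Function names are hypothetical.

# Client side (the Windows 11 24H2 machine that starts the connection).
# Idempotently sets the policy value behind "Turn off UDP On Client".
# Writing under HKLM requires an elevated session.
function Set-RdpClientTcpOnly {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client'
    $name = 'fClientDisableUDP'
    # $null when the key or the value does not exist yet
    $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -eq 1) {
        return [pscustomobject]@{ Name = $name; Previous = $current; Changed = $false }
    }
    if ($PSCmdlet.ShouldProcess("$path\$name", 'Set DWORD to 1')) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        return [pscustomobject]@{ Name = $name; Previous = $current; Changed = $true }
    }
}

# Target side (the server being connected to). Read-only: reports the
# smart card removal behavior so you can confirm the lock policy is still
# in force after changing only the client transport.
function Get-SmartCardRemovalBehavior {
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $path -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption
    # Compare as text so the check works whichever registry type the value has
    $behavior = switch ("$raw") {
        '0'     { 'No Action' }
        '1'     { 'Lock Workstation' }
        '2'     { 'Force Logoff' }
        '3'     { 'Disconnect if a Remote Desktop Services session' }
        default { 'Not set or unrecognized' }
    }
    [pscustomobject]@{ ScRemoveOption = $raw; Behavior = $behavior }
}

# On the client:  Set-RdpClientTcpOnly -WhatIf    (drop -WhatIf to apply)
# On the target:  Get-SmartCardRemovalBehavior
```

Restart the Remote Desktop client after the value changes, as the answer above notes.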

  5. Q&A Assist
    2026-01-05T09:17:47.3133333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    It seems that the issue you are experiencing with Remote Desktop locking every 60 seconds after using a YubiKey for authentication could be related to the configuration of the Remote Desktop session or the authentication method being used. Here are a few points to consider:

    1. Session Lock Configuration: The behavior you described may be influenced by the session lock policies configured on your Windows 11 devices. There are policies that can control how sessions behave when they are locked, including whether they disconnect or show the lock screen. You might want to check the settings related to the session inactivity limit or screen saver configurations that could be causing the session to lock after a period of inactivity.
    2. Legacy vs. Microsoft Identity Authentication: If you are using legacy authentication methods (like username and password), the session might disconnect when locked. However, if you are using Microsoft Entra authentication, it may behave differently. You can configure policies to manage how sessions behave when locked based on the authentication method used.
    3. Network Differences: Since you mentioned that the issue occurs only in the office LAN and not over VPN, it might be worth investigating if there are any network policies or configurations in your office environment that could be affecting the Remote Desktop sessions.
    4. Using MSTSC with RemoteGuard: The fact that using mstsc.exe with the RemoteGuard switch resolves the issue suggests that there might be specific configurations or enhancements in that mode that prevent the session from locking unexpectedly.

    To troubleshoot further, you may want to review the Remote Desktop session policies and ensure that they are set according to your organization's needs, especially regarding session locking and disconnection settings.

