drdread
12 days ago
The issue is that when users log in to a server and there is no activity for exactly 10 minutes, their sessions become locked.

We need to change this policy so that sessions are locked after 30 minutes of inactivity instead of 10 minutes.

However, we can’t locate the setting or policy responsible for this. There is no Group Policy configured to lock sessions after 10 minutes, and I’ve also checked Ivanti’s settings but haven’t found any relevant policy or configuration to control the session lock timing.

Are there any other places I should look?


sirclesadmin
12 days ago

This is a tricky situation, as the session locking behavior isn't being controlled by standard Group Policy or Ivanti Workspace settings as you've explored. Here's a breakdown of potential causes and how to investigate further:


Likely Causes (Beyond Standard GP and Ivanti):



  1. RDS Session Timeout Settings: While not a direct "lock" policy, there are session timeout settings within Remote Desktop Services that could be indirectly causing this behavior. When a session reaches its idle timeout, the server might disconnect or end the session, and Ivanti Workspace could be configured to re-establish a new session upon reconnection, effectively presenting a locked screen.



  2. Ivanti Workspace Configuration (Less Likely, but Possible): Even though you haven't found a direct locking policy, there might be a less obvious setting within Ivanti related to session management, reconnection behavior, or power management that's contributing to this.



  3. Third-Party Software or Utilities: Some third-party monitoring, security, or management tools installed on the RDS servers could have their own inactivity timeout policies that trigger a session lock.



  4. Registry Settings on the RDS Servers: Specific registry keys related to Remote Desktop Services or Windows power management could be configured to enforce this timeout.



  5. PowerShell Scripts or Scheduled Tasks: A custom script or scheduled task running on the RDS servers might be actively locking idle sessions after 10 minutes.




Troubleshooting Steps:



  1. Examine RDS Session Timeout Settings:



    • Open Server Manager on one of the RDS servers.

    • Navigate to Remote Desktop Services > Collections.

    • Select your RDS Collection.

    • Under "Properties" (usually in the "Tasks" dropdown or a right-click option), look for settings related to Session Timeout or Session Limits.

    • Specifically, check the following tabs/settings:

      • Session Tab: Look for "End a disconnected session," "Active session limit," and "Idle session limit." Ensure these are not set to a value that would cause a disconnect leading to a perceived lock after 10 minutes.

      • RD Session Host Configuration: You can also access this via gpedit.msc (though you mentioned no relevant GPO). Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits. Review the settings here, even if you believe no GPO is applying them (local policy could be in effect).





  2. Deep Dive into Ivanti Workspace Configuration:



    • Re-examine all relevant Ivanti Workspace settings and policies. Look for anything related to:

      • Session management

      • Connection behavior

      • Power management

      • Idle timeouts (even if not explicitly labeled "lock")

      • Reconnection settings



    • Check the Ivanti Workspace console, agent configuration on the RDS servers, and any relevant Ivanti documentation.



  3. Investigate Third-Party Software:



    • List all third-party software installed on the RDS servers, especially security tools, monitoring agents, or any utilities that might have session management capabilities.

    • Review the configuration of these applications for any inactivity timeout settings.



  4. Check Registry Settings:



    • Open the Registry Editor (regedit) on one of the RDS servers.

    • Navigate to the following keys and examine the values:

      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

        • Look for values like IdleTimeout (this is usually in milliseconds).



      • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemoteDesktopServices\SessionTimeLimits (This is where GPO settings would apply, but it's worth checking).

      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power (While less likely for session locking, it's worth a quick review for unusual power settings).





  5. Review Scheduled Tasks:



    • Open Task Scheduler on one of the RDS servers.

    • Carefully examine all scheduled tasks for any that might be running scripts or executables that could be locking user sessions after a specific period of inactivity.



  6. Check Event Logs:



    • Examine the Windows Event Logs on the RDS servers, particularly the System, Application, and TerminalServices-LocalSessionManager logs. Look for events that occur around the 10-minute mark of inactivity that might indicate what's triggering the lock.



  7. PowerShell Scripts:



    • If you suspect a custom script, review any PowerShell scripts that are executed during logon, session connect, or run as scheduled tasks. Look for commands related to locking sessions (Lock-Computer, rundll32.exe user32.dll,LockWorkStation).



  8. Test with a Local Account (Bypass Ivanti):



    • Temporarily enable direct RDP access to one of the RDS servers (if security policies allow).

    • Log in with a local user account (bypassing Ivanti Workspace).

    • Let the session sit idle for more than 10 minutes.

    • Observe if the session locks. If it does, the issue is likely within the RDS server configuration itself (registry, local policy, etc.). If it doesn't lock, the issue is more likely related to how Ivanti Workspace is managing or interacting with the sessions.




How to Change the Lock Timeout (Once Found):


Once you identify the source of the 10-minute lock, the method to change it will depend on the cause:



  • RDS Session Timeout Settings: Modify the "Idle session limit" in the RDS Collection properties or the corresponding settings in the RD Session Host Configuration (via gpedit.msc if a local policy is in effect). Set the desired timeout to 30 minutes (remember to specify the time in the correct unit, usually minutes).

  • Ivanti Workspace: If the setting is within Ivanti, consult the Ivanti Workspace documentation for how to configure session timeouts or inactivity behavior.

  • Third-Party Software: Adjust the timeout settings within the configuration of the specific third-party application.

  • Registry Settings: Modify the relevant registry value (e.g., IdleTimeout in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp). Be cautious when editing the registry and always create a backup before making changes. Remember that timeout values in the registry are often in milliseconds. 30 minutes would be $30 \times 60 \times 1000 = 1,800,000$ milliseconds.

  • PowerShell Scripts/Scheduled Tasks: Edit the script or the scheduled task to either remove the locking functionality or adjust the timeout value.


Important Considerations:



  • Reboot: After making changes to RDS configuration or registry settings, a reboot of the RDS server might be required for the changes to take effect.

  • Testing: Thoroughly test the new 30-minute inactivity timeout after making any changes to ensure it's working as expected and doesn't introduce any unintended side effects.

  • Documentation: Document the changes you make and the reason for them.


By systematically working through these troubleshooting steps, you should be able to pinpoint the policy or setting responsible for the unexpected 10-minute session lock on your RDS servers managed by Ivanti Workspace. Good luck!
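
The registry and scheduled-task checks from troubleshooting steps 4, 5 and 7 in the reply above can be run in one read-only pass. This is an added example, not part of the original posts and not Ivanti or Microsoft tooling. It scans the three registry keys named in the reply, plus four other standard Windows policy and desktop keys that are an assumption added here, for any value equal to 10 minutes expressed in seconds or milliseconds, and lists scheduled tasks whose action contains LockWorkStation.

```powershell
# Added example: read-only audit, changes nothing on the server.
# The first three keys are the ones named in the reply above. The last four are
# additional standard Windows locations (assumption: added for this example).
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemoteDesktopServices\SessionTimeLimits',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Power',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
    'HKCU:\Control Panel\Desktop'
)

# 10 minutes expressed in seconds and in milliseconds.
$tenMinutes = 600, 600000

$hits = foreach ($key in $keys) {
    # Keys that do not exist on this server are skipped silently.
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $value = $item.GetValue($name)
        [long]$number = 0
        # Timeouts may be stored as DWORD or as a numeric string, so parse both.
        # Binary and multi-string values fail the parse and are ignored.
        if ([long]::TryParse([string]$value, [ref]$number) -and
            $tenMinutes -contains $number) {
            [pscustomobject]@{ Key = $key; Name = $name; Value = $value }
        }
    }
}

# Scheduled tasks whose command line contains the lock call quoted in the reply.
$lockTasks = Get-ScheduledTask | Where-Object {
    ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match 'LockWorkStation'
}

'Registry values equal to 10 minutes (candidates, not proof):'
$hits | Format-Table -AutoSize -Wrap
'Scheduled tasks that call LockWorkStation:'
$lockTasks | Select-Object TaskPath, TaskName, State | Format-Table -AutoSize
```

Run it inside an affected user's session so the HKCU keys reflect that user's effective settings rather than the administrator's.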