Windows Virtual Desktop - How to deny logon through Remote Desktop Services on WVD hosts


Let’s say you have a pool of WVD (Windows Virtual Desktop) servers on Azure and, for troubleshooting purposes, you need to prevent a user (or users) from logging on to a specific host. There are two ways to do this:

Option #1

Enable “Drain mode” on one (or more) of your session hosts. To do this, go to the Azure portal and:

  • Search for “Windows Virtual Desktop” if you haven’t pinned it
  • Go to “Host Pools” and select your host pool from the list
  • Go to “Session Hosts” under “Manage”
  • Click on the session host on which you want to enable drain mode
  • Finally, click the “Drain mode” switch to enable it, then click “OK” on the “Turn drain mode on - This session host will not allow any new connections” prompt


This will enable “Drain mode” for that session host, so it won’t accept any new connections. Please note that currently connected, idle or disconnected user sessions will remain, and you will have to sign them off manually if you want them gone.

Option #2

Another way to deny a user (or users) logon to a specific host is via Group Policy. This allows a more granular approach, as the session host will still accept connections, just not from the users named in the group policy:

  • Go to “Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment”, open “Deny log on through Remote Desktop Services” and add the user or users you want to deny. Apply this policy to all the session hosts you want to stop the user from logging on to.

Group policy description for “Deny log on through Remote Desktop Services”: This security setting determines which users and groups are prohibited from logging on as a Remote Desktop Services client. Default: None.


Thank you for reading! Be sure to share this post if you found it helpful and don’t hesitate to chat with me about it!

This post was first published on Stathis’ log book by Stathis Athanasiadis aka StatAth