In this article, you’ll learn how to configure idle session time limits for Cloud PC (Windows 365 Frontline) in Intune. By defining Cloud PC idle session time limits, you enforce how long the users are inactive in your organization before they are signed out of Cloud PC.
When a user reaches the idle timeout session you’ve set, they’ll get a notification on Cloud PC that they’re about to be signed out of Cloud PC. They have to click OK to stay signed in, or they’ll be automatically signed out of the Cloud PC session.
It’s a best practice to enforce the idle session time limits on all your Windows 365 Frontline Cloud PCs. This helps protect sensitive company data and adds another layer of security for end users who work on non-company or shared devices.
Should you Enforce Idle Session Time Limits for Cloud PCs?
Yes, Microsoft strongly suggests configuring an idle session time limit policy to enforce when inactive Cloud PC sessions are terminated, as some employees may forget to do so. With idle session limits applied, the Cloud PC session will automatically disconnect active but idle sessions after the specified amount of time. Your organization must instruct employees to save their work at the end of their shift and explicitly disconnect or sign out using any Windows end-session control in order to make the Frontline licence available for use by another employee.
Windows 365 Frontline is a new concept of Windows 365 that helps organizations save costs by allowing a single license to provision three Cloud PC virtual machines. Windows 365 Frontline is for organizations of all sizes with shift and part-time workers who require access to Cloud PCs only for limited amounts of time, such as during their scheduled hours. Take a look at a useful guide on creating a Windows 365 Frontline Cloud PC provisioning policy.
Configure Idle Session Time Limits for Cloud PC (Windows 365 Frontline)
You can enforce the idle session time limits on all your Windows 365 Frontline Cloud PCs by creating a configuration profile. This profile can be applied across all your Cloud PCs, ensuring the same policy is enforced consistently.
- Sign in to the Microsoft Intune admin center (https://intune.microsoft.com)
- Select Devices > Configuration profiles > Create profile.
Select Platform as Windows 10 and later and Profile Type as Settings catalog. Click Create.
On the General tab of the new policy, specify the name and description for the Cloud PC session time limit policy. You can specify the following details:
Name: Configure Idle Session Time Limits for Windows 365 Frontline Cloud PCs
Description: Idle Session Time Limit Policy ensures the inactive Cloud PC sessions will be disconnected after idle session time limit.
The Intune settings catalog allows you to enable and configure the idle session limit policy for Cloud PCs. In the Configuration Settings window, select Add Settings.
On the Settings Picker window, type “session time limits” in the search box and click Search. Select the search result for “Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits.” Select the box for “Set time limit for active but idle Remote Desktop Services sessions” and close the pane.
Set time limit for active but idle Remote Desktop Services sessions
This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected.
If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active.
If you have a console session, idle session time limits do not apply. If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time.
Expand Administrative Templates and toggle “Set your idle but active session limit for Remote Desktop Services sessions” to Enabled. Click the drop-down for the Idle Session Limit and select a value. In the screenshot below, the idle session limit for Cloud PCs is set to 1 hour. Click Next.
Selecting scope tags are optional. However, you may include or add scope tags. Click Next.
On the Assignments tab, choose “Add groups” and select the groups to whom you would like to assign the session time limit policy (for Frontline Cloud PCs). You could select all users who are using Windows 365 Frontline, depending on whether you’d like to customize the timeout policy based on the types of users. Click Next.
On the Review+Create window, review the settings that you have defined for idle session time limit policy for Frontline Cloud PCs and select Create.
Monitor Cloud PC Idle Session Time Limits Policy Deployment
After you create the policy, a notification will appear automatically in the top right-hand corner with a message. Policy created – “Configure Idle Session Time Limits for Cloud PC – Windows 365 Frontline” created successfully. The policy is also shown in the list of Configuration profiles.
You must wait for the policy to apply to the targeted groups and once the devices check-in with the Intune service they will receive your profile settings. You can also force sync Intune policies on your computers.
Likewise, you can monitor the device configuration profiles in Microsoft Intune with a few simple steps. Furthermore, you can check the status of a profile, see which devices are assigned, and update the properties of a profile. To accomplish that, go to Devices > Configuration Profiles > select Frontline Cloud PC Session Time Limit policy profile. Under the section “Device and user check-in status”, select View Report.
What happens when Idle Session Time Limit applies to Cloud PC
Suppose a user logs in to the Cloud PC and the session remains idle for some time. Once the idle session time limit policy is enforced, we see the following message on the cloud PC.
“Idle timer expired: Session has been idle over its time limit. It will be disconnected in 2 minutes. Press any key now to continue session“.
Clicking OK will continue the existing session.
In some cases, users may also encounter Cloud PC error code 0x3 where the session is completely disconnected. To reconnect to the Cloud PC, the user must select the Retry option and the Cloud PC is again accessible.
Troubleshooting Cloud PC Idle Session Time Limits using Registry
After enforcing the idle session time limits for Cloud PCs, if the policy isn’t working on Cloud PCs, you can troubleshoot this issue with the help of registry.
The following registry path is useful for troubleshooting the Cloud PC idle session time limits:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services or Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
When you navigate to the above registry path on Cloud PC, take a look at the value of MaxIdleTime. The idle session time limits that we applied to our Cloud PCs should match with the value of MaxIdleTime (milliseconds). In our case, the idle session limit was set for 1 hour for Cloud PCs and the registry value of MaxIdleTime is 3600000 which is correct.