articles/virtual-desktop/configure-single-sign-on.md
Lines changed: 10 additions & 4 deletions
@@ -34,12 +34,18 @@ Before you enable single sign-on, review the following information for using it
34
34
When single sign-on is enabled and the remote session is locked, either by the user or by policy, the session is instead disconnected and a dialog is shown. Users can select the Reconnect option from the dialog when they are ready to connect again. This is done for security reason and to ensure full support of passwordless authentication. Disconnecting provides the following benefits:
35
35
36
36
- Consistent sign-in experience through Microsoft Entra ID when needed.
37
+
- Single sign-on experience and reconnection without authentication prompt when allowed by conditional access policies.
37
38
- Supports passwordless authentication like passkeys and FIDO2 devices, contrary to the remote lock screen.
39
+
- Conditional access policies, including multifactor authentication and sign-in frequency, are re-evaluated when the user reconnects to their session.
38
40
- Can require multi-factor authentication to return to the session and prevent users from unlocking with a simple username and password.
39
-
- Reevaluates any applicable Microsoft Entra conditional access policies including sign-in frequency.
40
-
- When meeting all conditional access requirements, users benefit from Entra single sign-on when reconnecting and are not prompted to re-authenticate.
41
41
42
-
If you prefer to show the remote lock screen instead of disconnecting the session, you can configure your session hosts using Intune, Group Policy or the registry.
42
+
If you prefer to show the remote lock screen instead of disconnecting the session, your session hosts must use the following operating systems:
43
+
44
+
- Windows 11 single or multi-session with the [2024-05 Cumulative Updates for Windows 11 (KB5037770)](https://support.microsoft.com/kb/KB5037770) or later installed.
45
+
- Windows 10 single or multi-session, versions 20H2 or later with the [2024-06 Cumulative Updates for Windows 10 (KB5039211)](https://support.microsoft.com/kb/KB5039211) or later installed.
46
+
- Windows Server 2022 with the [2024-05 Cumulative Update for Microsoft server operating system (KB5037782)](https://support.microsoft.com/kb/KB5037782) or later installed.
47
+
48
+
You can configure the session lock behavior of your session hosts by using Intune, Group Policy or the registry.
43
49
44
50
# [Intune](#tab/intune)
45
51
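Review bot: the new requirement at +43 ("your session hosts must use the following operating systems") does not say what happens when the setting is applied to a host that lacks the listed cumulative update, for example whether the configuration is ignored and the session still disconnects; add one sentence stating the behaviour on hosts that do not meet the requirement, since an admin who sees no effect will otherwise not know whether to look at the policy or at patch level. Also, the new bullet at +39 spells it "multifactor authentication" while the unchanged bullet right below it has "multi-factor authentication"; pick one spelling, and consider whether the two bullets now say the same thing about MFA being required on reconnect.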
@@ -103,7 +109,7 @@ To configure the session lock experience using Group Policy, follow these steps.
103
109
1. Once the policy is configured, it will take effect after the user initiate a new session.
104
110
105
111
> [!TIP]
106
-
> During the preview, you can also configure Group Policy centrally in an Active Directory domain by copying the `terminalserver.admx` and `terminalserver.adml` administrative template files from a session host to the [Group Policy Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store)in a test environment.
112
+
> To configure the Group Policy centrally on Active Directory Domain Controllers using Windows Server 2019 or Windows Server 2016, copy the `terminalserver.admx` and `terminalserver.adml` administrative template files from a session host to the [Group Policy Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store)on the domain controller.
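Review bot: at +112 there is no space between the link and the following text: `central-store)on the domain controller` should be `central-store) on the domain controller`; the old line had the same defect, so this is the moment to fix it rather than carry it forward. Since the tip is now scoped to domain controllers running Windows Server 2019 or Windows Server 2016, it would help to state why (for example, if later server versions already include these administrative template files), otherwise readers on a newer server version will not know whether the copy step applies to them.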