Policy
Disconnect remote session on lock for legacy authentication
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows11
This policy setting allows you to configure the user experience when the Remote Desktop session is locked by the user or by a policy. You can specify whether the remote session will show the remote lock screen or disconnect when the remote session is locked. Disconnecting the remote session ensures that a remote session cannot be left on the lock screen and cannot reconnect automatically due to loss of network connectivity.
This policy applies only when using legacy authentication to authenticate to the remote PC. Legacy authentication is limited to username and password, or certificates like smartcards. Legacy authentication doesn't leverage the Microsoft identity platform, such as Microsoft Entra ID. Legacy authentication includes the NTLM, CredSSP, RDSTLS, TLS, and RDP basic authentication protocols.
If you enable this policy setting, Remote Desktop connections using legacy authentication will disconnect the remote session when the remote session is locked. Users can reconnect when they're ready and re-enter their credentials when prompted.
If you disable or do not configure this policy setting, Remote Desktop connections using legacy authentication will show the remote lock screen when the remote session is locked. Users can unlock the remote session using their username and password, or certificates.
Registry values
How enabled and disabled states update the registry.
| Registry location | Type | Enabled value | Disabled value |
|---|---|---|---|
| HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisconnectOnLockLegacy | REG_DWORD | 1 | 0 |
Policy elements
Inputs and configuration options exposed by this policy.
This policy has no additional user input fields.
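To confirm on a host which state is in effect, the following added example (not part of the original policy reference) reads the registry value from the table above and maps it to the behaviour the description gives. The function name and the `Compliant` field are assumptions for illustration; `Compliant` assumes your baseline requires the policy to be enabled.

```powershell
# Added example: audit the policy value documented in the registry table.
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ValueName = 'fDisconnectOnLockLegacy'

function Get-DisconnectOnLockLegacyState {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [string]$Path = $KeyPath,
        [string]$Name = $ValueName
    )

    # Default: value absent means "not configured", which behaves like Disabled.
    $result = [ordered]@{
        Computer  = $env:COMPUTERNAME
        State     = 'NotConfigured'
        RawValue  = $null
        Behaviour = 'Remote lock screen is shown on lock (legacy authentication)'
        Compliant = $false   # assumption: baseline requires Enabled
    }

    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains $Name)) {
        $kind  = $key.GetValueKind($Name)
        $value = $key.GetValue($Name)
        $result.RawValue = $value

        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            # The policy writes REG_DWORD; anything else was set by hand or by a tool.
            $result.State     = "Invalid (type $kind, expected REG_DWORD)"
            $result.Behaviour = 'Not defined by the policy reference'
        }
        elseif ($value -eq 1) {
            $result.State     = 'Enabled'
            $result.Behaviour = 'Remote session disconnects on lock (legacy authentication)'
            $result.Compliant = $true
        }
        elseif ($value -eq 0) {
            $result.State = 'Disabled'
        }
        else {
            $result.State     = "Invalid (unexpected value $value)"
            $result.Behaviour = 'Not defined by the policy reference'
        }
    }
    [pscustomobject]$result
}

Get-DisconnectOnLockLegacyState | Format-List
```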
Other policies in this category
Explore related policies at the same level.
- Computer: Always prompt for password upon connection (At least Windows Server 2003 operating systems or Windows XP Professional)
- Computer: Disconnect remote session on lock for Microsoft identity platform authentication (Windows 11 22H2 SERVER)
- Computer: Do not allow local administrators to customize permissions (At least Windows Server 2003)
- Computer: Enable Microsoft Entra ID Authentication Enforcement (At least Windows 11 Version 24H2)
- Computer: Require secure RPC communication (At least Windows Server 2003)
- Computer: Require use of specific security layer for remote (RDP) connections (At least Windows Vista)
- Computer: Require user authentication for remote connections by using Network Level Authentication (At least Windows Vista)
- Computer: Server authentication certificate template (At least Windows Vista)
- Computer: Set client connection encryption level (At least Windows Server 2003 operating systems or Windows XP Professional)