
Windows Cloud PC disconnects right after every attempt to establish a remote connection

CMIT Testing 0 Reputation points
2026-04-25T00:43:11.8566667+00:00

After every attempt to connect to a Windows Cloud PC, it disconnects right away. According to logs and ChatGPT, this is an Entra ID (AAD) authentication/session issue on the Cloud PC. I have 6 VMs deployed with the same symptoms that I can remote into via RMM tools, using our local admin account and the deployed Microsoft account, to access the VM. How can this be fixed without having to reprovision the VMs? Also, when troubleshooting one of the VMs, the VM disappeared from the Intune device list but it is still active and able to remote in, which sounds like it disconnected from the tenant somehow. I tried to re-apply user licenses in hopes of fixing any corrupt tokens/issues, to no avail. I can provide any necessary logs and steps to take to avoid reprovisioning VMs.


2 answers

  1. VPHAN 30,935 Reputation points Independent Advisor
    2026-04-25T01:26:53.9133333+00:00

    Hi CMIT Testing,

    What you are seeing is a failure in the Entra ID primary refresh token handoff during the Remote Desktop connection sequence. Since your remote monitoring tools and local administrator accounts bypass this specific authentication broker, they continue to function normally. When the Cloud PC drops out of Intune or loses its secure channel to the tenant, the session host rejects the incoming Entra ID credentials and immediately terminates the session. The fact that one of your virtual machines disappeared from the management console indicates the device management certificate has likely expired or the underlying Entra ID object has become corrupt.

    To diagnose this, use your remote access tools to open an elevated command prompt and execute dsregcmd /status. You need to verify that both AzureAdJoined is set to YES and that the Primary Refresh Token is successfully issued under the SSO State section. You should also check the Event Viewer by navigating to Applications and Services Logs, then Microsoft, then Windows, then AAD, and looking in the Operational log for error codes like 1098 or 1097 which confirm token issuance failures.

    While you are investigating, strictly avoid running dsregcmd /leave to manually unjoin the device. Forcing a disjoin on a managed Cloud PC will permanently orphan the virtual machine from its Intune broker service, making reprovisioning your only option. You must also check your Entra ID sign-in logs specifically filtered by the affected users, as Conditional Access policies will instantly sever connections if they are configured to require a compliant device and the virtual machine has recently lost its Intune compliance state. Additionally, verify through your remote session that a conflicting Group Policy or Intune configuration profile has not accidentally removed your Entra ID users from the local Remote Desktop Users group.

    Hope this answer brought you some useful information. If it did, please hit “accept answer”. Should you have any questions, feel free to leave a comment.

    VP

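    The checks VPHAN describes (dsregcmd /status for AzureAdJoined and the PRT, plus the AAD Operational log for event IDs 1097/1098) can be collected in one go from an elevated PowerShell session opened through the RMM tool. This is an added example, not code from the answer; the dsregcmd field names and the log name are the standard ones on Windows 10/11, and the 24-hour window is an assumption.

```powershell
# Added example: summarise the Entra join / PRT state and recent token failures on a Cloud PC.
# Run elevated on the affected Cloud PC (e.g. via RMM). Read-only: does not change any join state.

function Get-EntraJoinState {
    # dsregcmd /status prints "Key : Value" lines; keep only the fields relevant here.
    $raw   = dsregcmd /status
    $state = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined        = $state['AzureAdJoined']         # expect YES
        AzureAdPrt           = $state['AzureAdPrt']            # expect YES (PRT issued, SSO State section)
        AzureAdPrtUpdateTime = $state['AzureAdPrtUpdateTime']  # when the PRT was last refreshed
        DeviceId             = $state['DeviceId']
        TenantName           = $state['TenantName']
        MdmUrl               = $state['MdmUrl']                # empty when the Intune enrollment is gone
    }
}

function Get-AadTokenFailures {
    param([int]$Hours = 24)   # look-back window; 24 h is an assumption, adjust as needed
    # Event IDs 1097 and 1098 in the AAD Operational log record token acquisition failures.
    $filter = @{
        LogName   = 'Microsoft-Windows-AAD/Operational'
        Id        = 1097, 1098
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }   # first line of the message only
}

$join = Get-EntraJoinState
$join | Format-List

# Flag the three states the answer calls out; none of these fixes anything, they only point at the cause.
if ($join.AzureAdJoined -ne 'YES') { Write-Warning 'Device is not reported as Entra joined. Do not run dsregcmd /leave.' }
if ($join.AzureAdPrt    -ne 'YES') { Write-Warning 'No primary refresh token: RDP logons with Entra credentials will be rejected.' }
if (-not $join.MdmUrl)             { Write-Warning 'No MDM URL: the device appears to have lost its Intune enrollment.' }

Get-AadTokenFailures | Format-Table -AutoSize
```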

  2. Q&A Assist
    2026-04-25T00:43:32.4266667+00:00
    AI-generated content. This question contains an answer created with AI from Q&A Assist.

    The behavior matches known Cloud PC connection issues related to authentication, policy, and network/RDP configuration rather than requiring reprovisioning. Use the following checks and remediations across the affected Cloud PCs.

    1. Verify this is not a resource or gateway issue
    • If users see errors like:
      • “We couldn't connect because there are currently no available resources” or
      • “The remote PC ended your session. Error code: 0x3”
    • Action: From https://windows365.microsoft.com, select the cog next to each Cloud PC and choose Restart to clear resource or CPU over‑utilization issues.
    • If you see “We couldn't connect to the gateway because of an error”: review custom DNS, NVAs, NSGs, resource locks, or blocks on required endpoints and remove anything interfering with the Windows 365/AVD endpoints.

    2. Check for RDP being blocked by policy (CSP/GPO)
    If the connection attempt times out or fails immediately with generic errors:
    • Confirm there is no Intune CSP or GPO blocking RDP:
      • Intune settings catalog:
        • Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections
        • Allow users to connect remotely by using Remote Desktop Services must be Enabled.
      • GPO path:
        • Computer Configuration\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections
        • Allow users to connect remotely by using Remote Desktop Services must be Enabled.
    • If you changed these, test again. If issues persist, use Inspect Connection in the Windows App or Troubleshoot under Manage my Cloud PC (three dots) for each affected Cloud PC.

    3. Address Microsoft Entra joined Cloud PC sign‑in issues
    If the Cloud PCs are Microsoft Entra joined and users are signing in with Entra accounts:

    3.1 PKU2U protocol disabled

    • Symptom: “The logon attempt failed” or immediate disconnect after auth when connecting from the Windows desktop client with Entra‑joined/registered devices.
    • Fix on Cloud PCs and user devices via Intune:
      1. Create a filter that targets all Cloud PCs.
      2. Create a device configuration policy using the settings catalog.
      3. In Configuration settings, search for Network Security Allow PKU2U Authentication Requests and set it to Allow.
      4. In Assignments, add All devices, edit filter → Include filtered devices in assignment, and select the Cloud PC filter.
      5. Also assign to a Microsoft Entra group containing the user devices.
    • If user devices are only GPO‑managed or unmanaged, enable the Allow PKU2U authentication requests to this computer to use online identities security policy on those devices.

    3.2 Per‑user MFA enabled

    • Per‑user MFA on the Entra account is not supported for Microsoft Entra joined Cloud PCs and can cause sign‑in failures/disconnects.
    • Fix:
      • Remove per‑user MFA for all Cloud PC users.
      • Replace it with a Conditional Access policy for Windows 365, as documented in the Windows 365 Conditional Access guidance.

    4. Check other common connection causes
    • Out‑of‑date VPN clients on the user side can break or drop RDP sessions. Update any third‑party VPN clients to the latest version.
    • If Remote Credential Guard is enabled on client PCs, ensure they have VPN connectivity to on‑prem domain controllers; otherwise, disable Remote Credential Guard for Cloud PC access.
    • Ensure Azure WireServer (168.63.129.16) is reachable from the Cloud PCs through any security software or gateway devices in the ANC virtual network.

    5. Network filtering and SSL inspection
    If the Cloud PCs disconnect immediately after authentication, especially from specific networks:
    • Ensure no network filtering or SSL inspection is breaking RDP/AVD traffic:
      • Disable SSL inspection/termination for networks used by Cloud PCs and client devices.
      • For third‑party web gateways, configure forced tunnel exceptions for critical Azure Virtual Desktop/Windows 365 traffic.
    • Also verify that required Windows 365/AVD endpoints are not blocked by firewalls or proxies on the client network.

    6. Group Policy/OU issues and Intune disappearance
    For the VM that disappeared from Intune but is still reachable:
    • This often indicates device management or policy issues rather than a broken VM.
    • Move the Cloud PC computer object into a separate OU that is blocked from receiving on‑prem GPOs and test the connection again. This isolates whether a GPO is causing the disconnect.
    • For Cloud PCs generally, connection problems can be caused by GPOs; testing in a GPO‑blocked OU is the supported diagnostic step.
    • After confirming GPO is the cause, adjust or remove the problematic policies (for example, those affecting RDP, firewall, or authentication) and then move the Cloud PC back to the production OU.

    7. Intermittent or immediate disconnects with Windows 365 Switch/Windows App
    If users are using Windows 365 Switch/Task view:
    • If the Reconnect button in the disconnect dialog is used, it may fail or result in an unusable session. Let the disconnect complete and then reconnect from Task view.
    • If after sign‑in the user is not returned to the Cloud PC, select the Cloud PC again in Task view; the connection continues in the background and should complete in a few minutes.

    8. When reprovisioning is not desired
    All of the above steps (PKU2U enablement, removal of per‑user MFA, RDP policy checks, OU isolation, VPN/SSL inspection fixes, and WireServer reachability) can be applied without reprovisioning the Cloud PCs. Apply them across the six affected VMs, then retest connections from:
    • A Windows client with the latest Windows App/Remote Desktop client.
    • A network path that is known to allow Windows 365/AVD traffic.

    If, after these remediations, a specific Cloud PC still disconnects immediately and cannot be brought back into Intune or Entra device management, reprovisioning that individual Cloud PC may be the only remaining option, but it is not required as a first step.


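    Several items in the checklist above (the RDP allow/deny policy, the PKU2U setting, and WireServer reachability) are readable directly on the Cloud PC, so the state of all six VMs can be compared before changing any Intune or GPO settings. This is an added example, not part of the Q&A Assist answer; it assumes the standard registry locations that the listed policies write to (fDenyTSConnections under the Terminal Services policy key, AllowOnlineID under Lsa\pku2u) and tests WireServer on TCP port 80.

```powershell
# Added example: read back, on the Cloud PC itself, the settings the checklist asks you to verify.
# Run elevated via RMM. Read-only: nothing here changes policy; it only tells you which fix applies.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist, i.e. the setting is not configured.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-CloudPcConnectionPrereqs {
    # RDP allow/deny: a policy-delivered fDenyTSConnections=1 (CSP or GPO) overrides the local value.
    $policyDeny = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 'fDenyTSConnections'
    $localDeny  = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
    # PKU2U: "Allow PKU2U authentication requests ... online identities" maps to AllowOnlineID = 1.
    $pku2u      = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u' 'AllowOnlineID'
    # Azure WireServer must be reachable through any NVA/security appliance in the ANC network.
    $wire       = Test-NetConnection -ComputerName 168.63.129.16 -Port 80 -WarningAction SilentlyContinue

    [pscustomobject]@{
        RdpBlockedByPolicy  = ($policyDeny -eq 1)
        RdpBlockedLocally   = ($localDeny -eq 1)
        Pku2uAllowed        = ($pku2u -eq 1)
        WireServerReachable = [bool]$wire.TcpTestSucceeded
    }
}

$result = Test-CloudPcConnectionPrereqs
$result | Format-List

# Map each failed check to the remediation described in the answer.
if ($result.RdpBlockedByPolicy) {
    Write-Warning 'RDP is disabled by an Intune CSP or GPO: set "Allow users to connect remotely by using Remote Desktop Services" to Enabled.'
}
if (-not $result.Pku2uAllowed) {
    Write-Warning 'PKU2U is not allowed: deploy "Network Security Allow PKU2U Authentication Requests = Allow" to Cloud PCs and user devices.'
}
if (-not $result.WireServerReachable) {
    Write-Warning 'Azure WireServer (168.63.129.16) is unreachable: review NSGs, NVAs and security software in the ANC virtual network.'
}
```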
