How to Configure RDP Session Timeouts and Keep-Alive in Windows Server 2025

Configure Windows Server 2025 to automatically disconnect idle RDP sessions for resource optimization or keep sessions alive to prevent unwanted disconnections using Group Policy and registry settings.

Evan Mael
March 27, 2026 12 min

Why Configure RDP Session Timeouts in Windows Server 2025?

Remote Desktop Protocol (RDP) session management is critical for maintaining server performance and security in Windows Server 2025 environments. Unmanaged RDP sessions can consume significant system resources, create security vulnerabilities, and impact server stability. With the latest Windows Server 2025 release from October 2024, Microsoft continues to provide robust session timeout controls through Group Policy and registry configurations.

What Are the Benefits of Proper RDP Session Management?

Configuring appropriate session timeouts serves multiple purposes. For resource optimization, automatically disconnecting idle sessions frees up memory, CPU, and network resources that would otherwise remain allocated to inactive users. From a security perspective, limiting session duration reduces the risk of unauthorized access through abandoned sessions. Conversely, keeping sessions alive prevents productivity loss from unexpected disconnections during long-running processes or critical administrative tasks.

How Do Windows Server 2025 Session Policies Work?

Windows Server 2025 uses the same proven session management framework as previous versions, with policies controlling three distinct timeout scenarios: idle sessions (user inactive but connected), disconnected sessions (network interruption but session preserved), and maximum session duration (total connection time regardless of activity). The system differentiates between disconnecting sessions (preserving running applications) and terminating them (ending all processes), giving administrators precise control over resource management and user experience.

Implementation Guide

Full Procedure

01. Enable Remote Desktop and Verify Prerequisites

Before configuring session timeouts, ensure Remote Desktop is properly enabled on your Windows Server 2025. This step verifies your server is ready for RDP session management.

Open Server Manager and navigate to Local Server. Check that Remote Desktop shows Enabled. If not, click on it and select Enable Remote Desktop.

Alternatively, use PowerShell to enable RDP:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

Verify RDP is listening on port 3389:

netstat -an | findstr :3389

You should see TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING

Pro tip: For production servers, consider changing the default RDP port for security. Modify the PortNumber value under the registry key HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp to use a custom port.

02. Access Group Policy Editor for Session Configuration

Open the Group Policy Editor to configure RDP session timeout policies. This is the primary method for managing session limits in Windows Server 2025.

Press Win + R, type gpedit.msc, and press Enter. If you're managing a domain environment, use Group Policy Management Console instead:

gpmc.msc

Navigate to the Remote Desktop Services policies location:

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits

You'll see four key policies that control session behavior:

  • Set time limit for active but idle Remote Desktop Services sessions
  • Set time limit for disconnected sessions
  • Set time limit for active Remote Desktop Services sessions
  • End session when time limits are reached

Verify you're in the correct location by checking the policy descriptions match session timeout management.

Warning: Changes to these policies affect all RDP sessions on the server. Test in a non-production environment first, especially if users have long-running processes.

03. Configure Automatic Idle Session Disconnection

Set up automatic disconnection of idle RDP sessions to optimize server resources. This configuration is recommended for servers with limited resources or high user concurrency.

Double-click Set time limit for active but idle Remote Desktop Services sessions. Select Enabled and choose your timeout value:

  • 15 minutes - Recommended for high-security environments
  • 30 minutes - Balanced approach for most scenarios
  • 1 hour - For development or low-security environments

Configure Set time limit for disconnected sessions. Enable this policy and set it to 1 hour (3600 seconds). This ensures disconnected sessions don't consume resources indefinitely.

Enable Set time limit for active Remote Desktop Services sessions and set it to 12 hours to prevent extremely long sessions that might indicate security issues.

Enable End session when time limits are reached. This terminates sessions instead of just disconnecting them, freeing up all resources.

Apply the changes:

gpupdate /force

Verify the policy application:

gpresult /r | findstr /C:"Remote Desktop"

Pro tip: Use different timeout values for different user groups by creating separate OUs and applying different Group Policy Objects. Administrative users might need longer timeouts than regular users.

04. Configure Registry Settings for Precise Control

Use registry modifications for precise timeout control when Group Policy doesn't provide the exact timing you need. Registry values are specified in milliseconds, offering more granular control.

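Open an elevated Command Prompt and add the following registry entries. They set a 15-minute idle timeout (900000 ms), a 1-hour limit for disconnected sessions (3600000 ms), a 12-hour maximum session duration (43200000 ms), and end sessions when a limit is reached (fResetBroken = 1):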

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxIdleTime /t REG_DWORD /d 900000 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 3600000 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxConnectionTime /t REG_DWORD /d 43200000 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fResetBroken /t REG_DWORD /d 1 /f

Alternatively, use PowerShell for the same configuration:

$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
Set-ItemProperty -Path $regPath -Name "MaxIdleTime" -Value 900000 -Type DWord
Set-ItemProperty -Path $regPath -Name "MaxDisconnectionTime" -Value 3600000 -Type DWord
Set-ItemProperty -Path $regPath -Name "MaxConnectionTime" -Value 43200000 -Type DWord
Set-ItemProperty -Path $regPath -Name "fResetBroken" -Value 1 -Type DWord

Verify the registry entries:

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"

Restart the Terminal Services service to apply changes immediately:

net stop TermService
net start TermService

Warning: Restarting TermService will disconnect all current RDP sessions. Schedule this during maintenance windows or notify users beforehand.

05. Configure Keep-Alive Settings to Prevent Disconnections

Configure RDP sessions to stay alive indefinitely by disabling timeout policies. This approach is useful for servers running long-duration processes or for administrative workstations.

In Group Policy Editor, navigate back to the Session Time Limits policies. For each timeout policy, select Disabled or Not Configured:

  • Set time limit for active but idle Remote Desktop Services sessions: Disabled
  • Set time limit for disconnected sessions: Disabled
  • Set time limit for active Remote Desktop Services sessions: Disabled
  • End session when time limits are reached: Disabled

Use PowerShell to set registry values to 0 (unlimited) for keep-alive configuration:

$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
Set-ItemProperty -Path $regPath -Name "MaxIdleTime" -Value 0 -Type DWord
Set-ItemProperty -Path $regPath -Name "MaxDisconnectionTime" -Value 0 -Type DWord
Set-ItemProperty -Path $regPath -Name "MaxConnectionTime" -Value 0 -Type DWord

Configure TCP keep-alive to prevent network-related disconnections:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v KeepAliveInterval /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v KeepAliveTimeout /t REG_DWORD /d 1 /f

Apply changes:

gpupdate /force

Pro tip: Even with keep-alive enabled, implement application-level session management for critical processes. Network interruptions can still cause disconnections that policies can't prevent.

06. Configure Screen Lock and Inactivity Settings

Prevent automatic screen locking that can interfere with RDP session management. Screen lock policies are separate from RDP timeout policies and need independent configuration.

Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options in Group Policy Editor.

Find and configure Interactive logon: Machine inactivity limit. Set this to 0 seconds to disable automatic locking, or set an appropriate value that's longer than your RDP timeout.

Use the registry to disable the machine inactivity timeout:

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v InactivityTimeoutSecs /t REG_DWORD /d 0 /f

Disable screensaver lock for the current user (run this for each user account):

reg add "HKCU\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f
reg add "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 0 /f

For system-wide screensaver settings, modify the default user profile:

reg load HKU\DefaultUser C:\Users\Default\NTUSER.DAT
reg add "HKU\DefaultUser\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f
reg add "HKU\DefaultUser\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 0 /f
reg unload HKU\DefaultUser

Verify screen lock is disabled by checking the registry:

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v InactivityTimeoutSecs

07. Test and Verify Session Timeout Configuration

Thoroughly test your RDP session timeout configuration to ensure it works as expected. This step validates that your policies are correctly applied and functioning.

Create a test RDP session from another machine:

mstsc /v:your-server-ip

Check current session information using PowerShell:

Get-RDUserSession -ConnectionBroker localhost | Select-Object UserName, SessionState, IdleTime, SessionId

For servers without RDS role, use the query command:

query session

Monitor session timeout behavior by leaving the session idle for your configured timeout period. For a 15-minute timeout, wait 16 minutes and verify the session is disconnected or terminated.

Check the event log for session logoff (ID 23), disconnect (ID 24) and reconnect (ID 25) events that show the timeouts taking effect:

Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | Where-Object {$_.Id -eq 23 -or $_.Id -eq 24 -or $_.Id -eq 25} | Select-Object TimeCreated, Id, LevelDisplayName, Message

Verify registry settings are active:

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

Test network keep-alive functionality by monitoring network connections:

netstat -an | findstr :3389

Pro tip: Create a PowerShell script to automatically test session timeouts by connecting, going idle, and monitoring the session state. This helps validate configuration changes without manual testing.
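
The reg query checks in steps 4, 5 and 7 return raw millisecond DWORDs, which are easy to misread. The following is an added example, not part of the original guide: it reads the four values the guide sets and reports each as a duration with a status. The function names and status labels are illustrative assumptions; the baselines are the values from steps 3 and 4.

```powershell
# Added example (not from the original guide). Baselines are this guide's step 3/4 values.
$Baseline = [ordered]@{
    MaxIdleTime          = 900000      # 15 minutes, in milliseconds
    MaxDisconnectionTime = 3600000     # 1 hour
    MaxConnectionTime    = 43200000    # 12 hours
}

function Get-RdpSessionPolicy {
    # Reads the live policy values; names that are absent are simply left out.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $found = @{}
    foreach ($name in @($Baseline.Keys) + 'fResetBroken') {
        if ($null -ne $props -and $null -ne $props.$name) { $found[$name] = [int64]$props.$name }
    }
    $found
}

function Test-RdpSessionLimit {
    param([hashtable] $Settings = @{})   # value name -> DWORD read from the policy key
    foreach ($name in $Baseline.Keys) {
        $raw    = $Settings[$name]
        $status = 'OK'
        if ($raw -gt $Baseline[$name]) { $status = 'AboveBaseline' }
        if ($raw -eq 0)                { $status = 'Unlimited' }      # 0 disables the limit
        if ($null -eq $raw)            { $status = 'NotConfigured' }
        $shown = if ($null -eq $raw) { 'not set' } else { [TimeSpan]::FromMilliseconds($raw).ToString() }
        [pscustomobject]@{ Setting = $name; Value = $shown; Status = $status }
    }
    # fResetBroken = 1 ends the session when a limit is hit; otherwise it is only disconnected.
    $reset = $Settings['fResetBroken']
    [pscustomobject]@{
        Setting = 'fResetBroken'
        Value   = if ($null -eq $reset) { 'not set' } else { "$reset" }
        Status  = if ($reset -eq 1) { 'OK' } else { 'DisconnectOnly' }
    }
}

# Constructed sample: the keep-alive configuration from step 5 (all limits 0, no fResetBroken).
$sample = @{ MaxIdleTime = 0; MaxDisconnectionTime = 0; MaxConnectionTime = 0 }
Test-RdpSessionLimit -Settings $sample | Format-Table -AutoSize

# On the server itself, audit the live values instead:
# Test-RdpSessionLimit -Settings (Get-RdpSessionPolicy) | Format-Table -AutoSize
```

With the constructed sample, all three limits report Unlimited and fResetBroken reports DisconnectOnly, which is the state the security FAQ below describes for sessions kept alive indefinitely.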

08. Troubleshoot Common Session Timeout Issues

Address common problems that prevent RDP session timeout policies from working correctly. These troubleshooting steps resolve the most frequent configuration issues.

If sessions aren't timing out as expected, check for conflicting policies:

gpresult /h gpresult.html
start gpresult.html

Look for conflicting settings in both Computer and User Configuration sections. User Configuration policies can override Computer Configuration.

Verify the Terminal Services service is running and configured correctly:

sc query TermService
sc qc TermService

Check for Group Policy processing errors:

Get-WinEvent -LogName "Microsoft-Windows-GroupPolicy/Operational" | Where-Object {$_.LevelDisplayName -eq "Error"} | Select-Object TimeCreated, Id, Message

If registry changes aren't taking effect, ensure you're modifying the correct hive. Some settings require both policy and direct registry modification:

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

For domain environments, check if domain policies are overriding local settings:

gpresult /scope computer /v | findstr /i "terminal remote session"

Reset Terminal Services configuration if needed:

reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f
gpupdate /force
net stop TermService && net start TermService

Warning: Deleting the Terminal Services registry key removes all custom configurations. Document your settings before performing this reset operation.

Monitor real-time session activity for troubleshooting:

while ($true) {
    Clear-Host
    query session
    Start-Sleep -Seconds 30
}

Frequently Asked Questions

What happens to running applications when an RDP session times out in Windows Server 2025?
When an RDP session reaches its idle timeout, the behavior depends on your configuration. If you've enabled 'End session when time limits are reached', all running applications are terminated and unsaved work is lost. If this setting is disabled, the session is only disconnected, preserving running applications in memory. Users can reconnect to the same session and continue where they left off. For critical applications, consider using Windows Services or scheduled tasks that run independently of user sessions.

How do I set different RDP timeout values for different user groups in Windows Server?
Create separate Organizational Units (OUs) in Active Directory for different user groups, then apply different Group Policy Objects (GPOs) to each OU. For example, create an 'Administrators' OU with longer timeout values and a 'Standard Users' OU with shorter timeouts. Configure the session timeout policies in each GPO's Computer Configuration section. You can also use security group filtering on GPOs to apply policies based on group membership rather than OU structure.

Why do my RDP sessions still disconnect even after disabling all timeout policies?
Network-related disconnections can occur independently of Windows timeout policies. Check your network infrastructure for unstable connections, firewall timeouts, or NAT session limits. Enable TCP keep-alive by setting the KeepAliveInterval registry value to 1 minute in the RDP-Tcp configuration. Also verify that no domain-level Group Policies are overriding your local settings by running 'gpresult /r' and checking for conflicting policies. Router or firewall idle timeouts may also cause disconnections that Windows policies cannot prevent.

Can I configure RDP session timeouts through PowerShell scripting for automation?
Yes, you can fully automate RDP timeout configuration using PowerShell. Use Set-ItemProperty to modify registry values directly, or leverage Group Policy PowerShell modules for domain environments. Create scripts that set MaxIdleTime, MaxDisconnectionTime, and MaxConnectionTime registry values, then use Invoke-GPUpdate to apply changes. For large environments, consider using PowerShell Desired State Configuration (DSC) to maintain consistent timeout settings across multiple servers. Always test scripts in non-production environments first.

What are the security implications of keeping RDP sessions alive indefinitely?
Keeping RDP sessions alive indefinitely increases security risks significantly. Unattended sessions with administrative privileges can be exploited if physical access is gained to the client machine. Long-running sessions also make it harder to detect unauthorized access through session monitoring. Best practices recommend maximum session limits of 12 hours even for administrative users, with mandatory re-authentication for sensitive operations. Consider implementing additional security measures like smart card authentication, network access protection, or privileged access management solutions when extending session timeouts.

Written by Evan Mael

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
