PAM is configured so the connection timeout is set to 0, but the Windows servers have timeouts set in GPOs. When the timeout occurs, Windows locks the screen but the RDP session does not close.

Privileged Access Manager, all versions

With the connection timeout set to 0 in PAM, PAM will not initiate the session disconnect before 48 hours of inactivity. When Windows locks a server, it does not disconnect the associated RDP session. This behavior can be reproduced outside of PAM.

It is suggested that the connection timeout be set in PAM to be shorter than the timeout configured in the GPO.