You can disable the ability to lock the workstation, which we did, and which made this issue go away, but the problem is that doing so introduces another issue noted in a KB article in which the only resolution is to enable workstation locking. This issue has been frustrating us for a while now. The closest I can get is running a script to force logoffs, and then noting which users it fails for and manually sending a VM reset (looking at the Sessions, sorting by Status so Disconnected are at the top). Save the code below as something like "Logoff.ps1" and kick it off from PowerCLI on one of the Connection Brokers:
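# Collect every session currently in the Disconnected state
$DisconnectedSessions = Get-RemoteSession -State "Disconnected" | Sort-Object
# Send a logoff request to each disconnected session in turn
foreach ($DisconnectedSession in $DisconnectedSessions) {
    Send-SessionLogoff -Session_id $DisconnectedSession.session_id
    # Printed once the logoff request for this user has been issued
    Write-Host "$($DisconnectedSession.username) has been logged off."
}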
That at least makes it easy to see which sessions are going to hang up.