add remotedesktopservices csp

windows/client-management/mdm/policy-csp-remotedesktopservices.md

@@ -1,423 +1,490 @@
 ---
-title: Policy CSP - RemoteDesktopServices
+title: RemoteDesktopServices Policy CSP
-description: Learn how the Policy CSP - RemoteDesktopServices setting allows you to configure remote access to computers by using Remote Desktop Services.
+description: Learn more about the RemoteDesktopServices Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 12/20/2022
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
+ms.topic: reference
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer: 
-manager: aaroncz
 ---
 
+<!-- Auto-Generated CSP Document -->
+
+<!-- RemoteDesktopServices-Begin -->
 # Policy CSP - RemoteDesktopServices
 
-<hr/>
-
-<!--Policies-->
-## RemoteDesktopServices policies
-
-<dl>
-  <dd>
-    <a href="#remotedesktopservices-allowuserstoconnectremotely">RemoteDesktopServices/AllowUsersToConnectRemotely</a>
-  </dd>
-  <dd>
-    <a href="#remotedesktopservices-clientconnectionencryptionlevel">RemoteDesktopServices/ClientConnectionEncryptionLevel</a>
-  </dd>
-  <dd>
-    <a href="#remotedesktopservices-donotallowdriveredirection">RemoteDesktopServices/DoNotAllowDriveRedirection</a>
-  </dd>
-  <dd>
-    <a href="#remotedesktopservices-donotallowpasswordsaving">RemoteDesktopServices/DoNotAllowPasswordSaving</a>
-  </dd>
-  <dd>
-  <dd>
-    <a href="#remotedesktopservices-donotallowwebauthnredirection">RemoteDesktopServices/DoNotAllowWebAuthnRedirection</a>
-  </dd>
-    <a href="#remotedesktopservices-promptforpassworduponconnection">RemoteDesktopServices/PromptForPasswordUponConnection</a>
-  </dd>
-  <dd>
-    <a href="#remotedesktopservices-requiresecurerpccommunication">RemoteDesktopServices/RequireSecureRPCCommunication</a>
-  </dd>
-</dl>
-
 > [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
-> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 >
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 
-<hr/>
+<!-- RemoteDesktopServices-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- RemoteDesktopServices-Editable-End -->
 
-<!--Policy-->
+<!-- AllowUsersToConnectRemotely-Begin -->
-<a href="" id="remotedesktopservices-allowuserstoconnectremotely"></a>**RemoteDesktopServices/AllowUsersToConnectRemotely**
+## AllowUsersToConnectRemotely
 
-<!--SupportedSKUs-->
+<!-- AllowUsersToConnectRemotely-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+<!-- AllowUsersToConnectRemotely-Applicability-End -->
 
-|Edition|Windows 10|Windows 11|
+<!-- AllowUsersToConnectRemotely-OmaUri-Begin -->
-|--- |--- |--- |
+```Device
-|Home|No|No|
+./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/AllowUsersToConnectRemotely
-|Pro|Yes|Yes|
+```
-|Windows SE|No|Yes|
+<!-- AllowUsersToConnectRemotely-OmaUri-End -->
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
 
-<!--/SupportedSKUs-->
+<!-- AllowUsersToConnectRemotely-Description-Begin -->
-<hr/>
+<!-- Description-Source-ADMX -->
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
 This policy setting allows you to configure remote access to computers by using Remote Desktop Services.
 
 If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services.
 
-If you disable this policy setting, users can't connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but won't accept any new incoming connections.
+If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections.
 
-If you don't configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections aren't allowed.
+If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed.
 
-> [!NOTE]
+Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication.
-> You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication.
 
 You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider.
+<!-- AllowUsersToConnectRemotely-Description-End -->
 
-<!--/Description-->
+<!-- AllowUsersToConnectRemotely-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AllowUsersToConnectRemotely-Editable-End -->
 
-<!--ADMXBacked-->
+<!-- AllowUsersToConnectRemotely-DFProperties-Begin -->
-ADMX Info:
+**Description framework properties**:
--   GP Friendly name: *Allow users to connect remotely by using Remote Desktop Services*
--   GP name: *TS_DISABLE_CONNECTIONS*
--   GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections*
--   GP ADMX file name: *terminalserver.admx*
 
-<!--/ADMXBacked-->
+| Property name | Property value |
-<!--/Policy-->
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- AllowUsersToConnectRemotely-DFProperties-End -->
 
-<hr/>
+<!-- AllowUsersToConnectRemotely-AdmxBacked-Begin -->
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 
-<!--Policy-->
+**ADMX mapping**:
-<a href="" id="remotedesktopservices-clientconnectionencryptionlevel"></a>**RemoteDesktopServices/ClientConnectionEncryptionLevel**
 
-<!--SupportedSKUs-->
+| Name | Value |
+|:--|:--|
+| Name | TS_DISABLE_CONNECTIONS |
+| Friendly Name | Allow users to connect remotely by using Remote Desktop Services |
+| Location | Computer Configuration |
+| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
+| ADMX File Name | TerminalServer.admx |
+<!-- AllowUsersToConnectRemotely-AdmxBacked-End -->
 
-|Edition|Windows 10|Windows 11|
+<!-- AllowUsersToConnectRemotely-Examples-Begin -->
-|--- |--- |--- |
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-|Home|No|No|
+<!-- AllowUsersToConnectRemotely-Examples-End -->
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
 
-<!--/SupportedSKUs-->
+<!-- AllowUsersToConnectRemotely-End -->
-<hr/>
 
-<!--Scope-->
+<!-- ClientConnectionEncryptionLevel-Begin -->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+## ClientConnectionEncryptionLevel
 
-> [!div class = "checklist"]
+<!-- ClientConnectionEncryptionLevel-Applicability-Begin -->
-> * Device
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+<!-- ClientConnectionEncryptionLevel-Applicability-End -->
 
-<hr/>
+<!-- ClientConnectionEncryptionLevel-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/ClientConnectionEncryptionLevel
+```
+<!-- ClientConnectionEncryptionLevel-OmaUri-End -->
 
-<!--/Scope-->
+<!-- ClientConnectionEncryptionLevel-Description-Begin -->
-<!--Description-->
+<!-- Description-Source-ADMX -->
-Specifies whether it requires the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you're using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption.
+Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption.
 
 If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:
 
-* High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that don't support this encryption level can't connect to RD Session Host servers.
+* High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers.
 
-* Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that don't support 128-bit encryption.
+* Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption.
 
 * Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption.
 
-If you disable or don't configure this setting, the encryption level to be used for remote connections to RD Session Host servers isn't enforced through Group Policy.
+If you disable or do not configure this setting, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Group Policy.
 
-> [!IMPORTANT]
+Important
-> FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level, when communications between clients and RD Session Host servers requires the highest level of encryption.
 
-<!--/Description-->
+FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption.
+<!-- ClientConnectionEncryptionLevel-Description-End -->
 
-<!--ADMXBacked-->
+<!-- ClientConnectionEncryptionLevel-Editable-Begin -->
-ADMX Info:
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
--   GP Friendly name: *Set client connection encryption level*
+<!-- ClientConnectionEncryptionLevel-Editable-End -->
--   GP name: *TS_ENCRYPTION_POLICY*
--   GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
--   GP ADMX file name: *terminalserver.admx*
 
-<!--/ADMXBacked-->
+<!-- ClientConnectionEncryptionLevel-DFProperties-Begin -->
-<!--/Policy-->
+**Description framework properties**:
 
-<hr/>
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- ClientConnectionEncryptionLevel-DFProperties-End -->
 
-<!--Policy-->
+<!-- ClientConnectionEncryptionLevel-AdmxBacked-Begin -->
-<a href="" id="remotedesktopservices-donotallowdriveredirection"></a>**RemoteDesktopServices/DoNotAllowDriveRedirection**
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 
-<!--SupportedSKUs-->
+**ADMX mapping**:
 
-|Edition|Windows 10|Windows 11|
+| Name | Value |
-|--- |--- |--- |
+|:--|:--|
-|Home|No|No|
+| Name | TS_ENCRYPTION_POLICY |
-|Pro|Yes|Yes|
+| Friendly Name | Set client connection encryption level |
-|Windows SE|No|Yes|
+| Location | Computer Configuration |
-|Business|Yes|Yes|
+| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security |
-|Enterprise|Yes|Yes|
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
-|Education|Yes|Yes|
+| ADMX File Name | TerminalServer.admx |
+<!-- ClientConnectionEncryptionLevel-AdmxBacked-End -->
 
-<!--/SupportedSKUs-->
+<!-- ClientConnectionEncryptionLevel-Examples-Begin -->
-<hr/>
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- ClientConnectionEncryptionLevel-Examples-End -->
 
-<!--Scope-->
+<!-- ClientConnectionEncryptionLevel-End -->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
 
-> [!div class = "checklist"]
+<!-- DoNotAllowDriveRedirection-Begin -->
-> * Device
+## DoNotAllowDriveRedirection
 
-<hr/>
+<!-- DoNotAllowDriveRedirection-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+<!-- DoNotAllowDriveRedirection-Applicability-End -->
 
-<!--/Scope-->
+<!-- DoNotAllowDriveRedirection-OmaUri-Begin -->
-<!--Description-->
+```Device
+./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DoNotAllowDriveRedirection
+```
+<!-- DoNotAllowDriveRedirection-OmaUri-End -->
+
+<!-- DoNotAllowDriveRedirection-Description-Begin -->
+<!-- Description-Source-ADMX -->
 This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).
 
 By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format `<driveletter>` on `<computername>`. You can use this policy setting to override this behavior.
 
-If you enable this policy setting, client drive redirection isn't allowed in Remote Desktop Services sessions, and Clipboard file copy redirection isn't allowed on computers running Windows Server 2019 and Windows 10.
+If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows XP, Windows Server 2003, Windows Server 2012 (and later) or Windows 8 (and later).
 
 If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed.
 
-If you don't configure this policy setting, client drive redirection and Clipboard file copy redirection aren't specified at the Group Policy level.
+If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level.
+<!-- DoNotAllowDriveRedirection-Description-End -->
 
-<!--/Description-->
+<!-- DoNotAllowDriveRedirection-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- DoNotAllowDriveRedirection-Editable-End -->
 
-<!--ADMXBacked-->
+<!-- DoNotAllowDriveRedirection-DFProperties-Begin -->
-ADMX Info:
+**Description framework properties**:
--   GP Friendly name: *Do not allow drive redirection*
--   GP name: *TS_CLIENT_DRIVE_M*
--   GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection*
--   GP ADMX file name: *terminalserver.admx*
 
-<!--/ADMXBacked-->
+| Property name | Property value |
-<!--/Policy-->
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- DoNotAllowDriveRedirection-DFProperties-End -->
 
-<hr/>
+<!-- DoNotAllowDriveRedirection-AdmxBacked-Begin -->
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 
-<!--Policy-->
+**ADMX mapping**:
-<a href="" id="remotedesktopservices-donotallowpasswordsaving"></a>**RemoteDesktopServices/DoNotAllowPasswordSaving**
 
-<!--SupportedSKUs-->
+| Name | Value |
+|:--|:--|
+| Name | TS_CLIENT_DRIVE_M |
+| Friendly Name | Do not allow drive redirection |
+| Location | Computer Configuration |
+| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
+| Registry Value Name | fDisableCdm |
+| ADMX File Name | TerminalServer.admx |
+<!-- DoNotAllowDriveRedirection-AdmxBacked-End -->
 
-|Edition|Windows 10|Windows 11|
+<!-- DoNotAllowDriveRedirection-Examples-Begin -->
-|--- |--- |--- |
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-|Home|No|No|
+<!-- DoNotAllowDriveRedirection-Examples-End -->
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
 
-<!--/SupportedSKUs-->
+<!-- DoNotAllowDriveRedirection-End -->
-<hr/>
 
-<!--Scope-->
+<!-- DoNotAllowPasswordSaving-Begin -->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+## DoNotAllowPasswordSaving
 
-> [!div class = "checklist"]
+<!-- DoNotAllowPasswordSaving-Applicability-Begin -->
-> * Device
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+<!-- DoNotAllowPasswordSaving-Applicability-End -->
 
-<hr/>
+<!-- DoNotAllowPasswordSaving-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DoNotAllowPasswordSaving
+```
+<!-- DoNotAllowPasswordSaving-OmaUri-End -->
 
-<!--/Scope-->
+<!-- DoNotAllowPasswordSaving-Description-Begin -->
-<!--Description-->
+<!-- Description-Source-ADMX -->
 Controls whether passwords can be saved on this computer from Remote Desktop Connection.
 
-If you enable this setting, the password-saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves their settings, any password that previously existed in the RDP file will be deleted.
+If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted.
 
 If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.
+<!-- DoNotAllowPasswordSaving-Description-End -->
 
-<!--/Description-->
+<!-- DoNotAllowPasswordSaving-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- DoNotAllowPasswordSaving-Editable-End -->
 
-<!--ADMXBacked-->
+<!-- DoNotAllowPasswordSaving-DFProperties-Begin -->
-ADMX Info:
+**Description framework properties**:
--   GP Friendly name: *Do not allow passwords to be saved*
--   GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2*
--   GP path: *Windows Components/Remote Desktop Services/Remote Desktop Connection Client*
--   GP ADMX file name: *terminalserver.admx*
 
-<!--/ADMXBacked-->
+| Property name | Property value |
-<!--/Policy-->
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- DoNotAllowPasswordSaving-DFProperties-End -->
 
-<hr/>
+<!-- DoNotAllowPasswordSaving-AdmxBacked-Begin -->
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 
-<!--Policy-->
+**ADMX mapping**:
-<a href="" id="remotedesktopservices-donotallowwebauthnredirection"></a>**RemoteDesktopServices/DoNotAllowWebAuthnRedirection**
 
-<!--SupportedSKUs-->
+| Name | Value |
+|:--|:--|
+| Name | TS_CLIENT_DISABLE_PASSWORD_SAVING |
+| Friendly Name | Do not allow passwords to be saved |
+| Location | Computer Configuration |
+| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
+| Registry Value Name | DisablePasswordSaving |
+| ADMX File Name | TerminalServer.admx |
+<!-- DoNotAllowPasswordSaving-AdmxBacked-End -->
 
-|Edition|Windows 10|Windows 11|
+<!-- DoNotAllowPasswordSaving-Examples-Begin -->
-|--- |--- |--- |
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-|Home|No|No|
+<!-- DoNotAllowPasswordSaving-Examples-End -->
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
 
-<!--/SupportedSKUs-->
+<!-- DoNotAllowPasswordSaving-End -->
-<hr/>
 
-<!--Scope-->
+<!-- DoNotAllowWebAuthnRedirection-Begin -->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+## DoNotAllowWebAuthnRedirection
 
-> [!div class = "checklist"]
+<!-- DoNotAllowWebAuthnRedirection-Applicability-Begin -->
-> * Device
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+<!-- DoNotAllowWebAuthnRedirection-Applicability-End -->
 
-<hr/>
+<!-- DoNotAllowWebAuthnRedirection-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DoNotAllowWebAuthnRedirection
+```
+<!-- DoNotAllowWebAuthnRedirection-OmaUri-End -->
 
-<!--/Scope-->
+<!-- DoNotAllowWebAuthnRedirection-Description-Begin -->
-<!--Description-->
+<!-- Description-Source-ADMX -->
-This policy setting lets you control the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. This redirection enables users to authenticate to resources inside the Remote Desktop session using their local authenticator (e.g., Windows Hello for Business, security key, or other).
+This policy setting lets you control the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. This redirection enables users to authenticate to resources inside the Remote Desktop session using their local authenticator (e.g., Windows Hello for Business, security key, or other).
 
 By default, Remote Desktop allows redirection of WebAuthn requests.
 
-If you enable this policy setting, users can’t use their local authenticator inside the Remote Desktop session.
+If you enable this policy setting, users can't use their local authenticator inside the Remote Desktop session.
 
 If you disable or do not configure this policy setting, users can use local authenticators inside the Remote Desktop session.
+<!-- DoNotAllowWebAuthnRedirection-Description-End -->
 
-If you don't configure this policy setting, users can use local authenticators inside the Remote Desktop session.
+<!-- DoNotAllowWebAuthnRedirection-Editable-Begin -->
-<!--/Description-->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- DoNotAllowWebAuthnRedirection-Editable-End -->
 
-<!--ADMXBacked-->
+<!-- DoNotAllowWebAuthnRedirection-DFProperties-Begin -->
-ADMX Info:
+**Description framework properties**:
--   GP Friendly name: *Do not allow WebAuthn redirection*
--   GP name: *TS_WEBAUTHN*
--   GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection*
--   GP ADMX file name: *terminalserver.admx*
 
-<!--/ADMXBacked-->
+| Property name | Property value |
-<!--/Policy-->
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- DoNotAllowWebAuthnRedirection-DFProperties-End -->
 
-<hr/>
+<!-- DoNotAllowWebAuthnRedirection-AdmxBacked-Begin -->
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 
-<!--Policy-->
+**ADMX mapping**:
-<a href="" id="remotedesktopservices-promptforpassworduponconnection"></a>**RemoteDesktopServices/PromptForPasswordUponConnection**
 
-<!--SupportedSKUs-->
+| Name | Value |
+|:--|:--|
+| Name | TS_WEBAUTHN |
+| Friendly Name | Do not allow WebAuthn redirection |
+| Location | Computer Configuration |
+| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
+| Registry Value Name | fDisableWebAuthn |
+| ADMX File Name | TerminalServer.admx |
+<!-- DoNotAllowWebAuthnRedirection-AdmxBacked-End -->
 
-|Edition|Windows 10|Windows 11|
+<!-- DoNotAllowWebAuthnRedirection-Examples-Begin -->
-|--- |--- |--- |
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-|Home|No|No|
+<!-- DoNotAllowWebAuthnRedirection-Examples-End -->
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
 
-<!--/SupportedSKUs-->
+<!-- DoNotAllowWebAuthnRedirection-End -->
-<hr/>
 
-<!--Scope-->
+<!-- PromptForPasswordUponConnection-Begin -->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+## PromptForPasswordUponConnection
 
-> [!div class = "checklist"]
+<!-- PromptForPasswordUponConnection-Applicability-Begin -->
-> * Device
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+<!-- PromptForPasswordUponConnection-Applicability-End -->
 
-<hr/>
+<!-- PromptForPasswordUponConnection-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/PromptForPasswordUponConnection
+```
+<!-- PromptForPasswordUponConnection-OmaUri-End -->
 
-<!--/Scope-->
+<!-- PromptForPasswordUponConnection-Description-Begin -->
-<!--Description-->
+<!-- Description-Source-ADMX -->
 This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.
 
 You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.
 
-By default, Remote Desktop Services allows users to automatically sign in by entering a password in the Remote Desktop Connection client.
+By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.
 
-If you enable this policy setting, users can't automatically sign in to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They're prompted for a password to sign in.
+If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.
 
-If you disable this policy setting, users can always sign in to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client.
+If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client.
 
-If you don't configure this policy setting, automatic logon isn't specified at the Group Policy level.
+If you do not configure this policy setting, automatic logon is not specified at the Group Policy level.
+<!-- PromptForPasswordUponConnection-Description-End -->
 
-<!--/Description-->
+<!-- PromptForPasswordUponConnection-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- PromptForPasswordUponConnection-Editable-End -->
 
-<!--ADMXBacked-->
+<!-- PromptForPasswordUponConnection-DFProperties-Begin -->
-ADMX Info:
+**Description framework properties**:
--   GP Friendly name: *Always prompt for password upon connection*
--   GP name: *TS_PASSWORD*
--   GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
--   GP ADMX file name: *terminalserver.admx*
 
-<!--/ADMXBacked-->
+| Property name | Property value |
-<!--/Policy-->
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- PromptForPasswordUponConnection-DFProperties-End -->
 
-<hr/>
+<!-- PromptForPasswordUponConnection-AdmxBacked-Begin -->
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 
-<!--Policy-->
+**ADMX mapping**:
-<a href="" id="remotedesktopservices-requiresecurerpccommunication"></a>**RemoteDesktopServices/RequireSecureRPCCommunication**
 
-<!--SupportedSKUs-->
+| Name | Value |
+|:--|:--|
+| Name | TS_PASSWORD |
+| Friendly Name | Always prompt for password upon connection |
+| Location | Computer Configuration |
+| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
+| Registry Value Name | fPromptForPassword |
+| ADMX File Name | TerminalServer.admx |
+<!-- PromptForPasswordUponConnection-AdmxBacked-End -->
 
-|Edition|Windows 10|Windows 11|
+<!-- PromptForPasswordUponConnection-Examples-Begin -->
-|--- |--- |--- |
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-|Home|No|No|
+<!-- PromptForPasswordUponConnection-Examples-End -->
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
 
-<!--/SupportedSKUs-->
+<!-- PromptForPasswordUponConnection-End -->
-<hr/>
 
-<!--Scope-->
+<!-- RequireSecureRPCCommunication-Begin -->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+## RequireSecureRPCCommunication
 
-> [!div class = "checklist"]
+<!-- RequireSecureRPCCommunication-Applicability-Begin -->
-> * Device
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+<!-- RequireSecureRPCCommunication-Applicability-End -->
 
-<hr/>
+<!-- RequireSecureRPCCommunication-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/RequireSecureRPCCommunication
+```
+<!-- RequireSecureRPCCommunication-OmaUri-End -->
 
-<!--/Scope-->
+<!-- RequireSecureRPCCommunication-Description-Begin -->
-<!--Description-->
+<!-- Description-Source-ADMX -->
 Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.
 
 You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.
 
-If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and doesn't allow unsecured communication with untrusted clients.
+If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients.
 
-If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that don't respond to the request.
+If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request.
 
 If the status is set to Not Configured, unsecured communication is allowed.
 
-> [!NOTE]
+Note: The RPC interface is used for administering and configuring Remote Desktop Services.
-> The RPC interface is used for administering and configuring Remote Desktop Services.
+<!-- RequireSecureRPCCommunication-Description-End -->
 
-<!--/Description-->
+<!-- RequireSecureRPCCommunication-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- RequireSecureRPCCommunication-Editable-End -->
 
-<!--ADMXBacked-->
+<!-- RequireSecureRPCCommunication-DFProperties-Begin -->
-ADMX Info:
+**Description framework properties**:
--   GP Friendly name: *Require secure RPC communication*
--   GP name: *TS_RPC_ENCRYPTION*
--   GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
--   GP ADMX file name: *terminalserver.admx*
 
-<!--/ADMXBacked-->
+| Property name | Property value |
-<!--/Policy-->
+|:--|:--|
-<hr/>
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- RequireSecureRPCCommunication-DFProperties-End -->
 
-<!--/Policies-->
+<!-- RequireSecureRPCCommunication-AdmxBacked-Begin -->
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 
-## Related topics
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | TS_RPC_ENCRYPTION |
+| Friendly Name | Require secure RPC communication |
+| Location | Computer Configuration |
+| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
+| Registry Value Name | fEncryptRPCTraffic |
+| ADMX File Name | TerminalServer.admx |
+<!-- RequireSecureRPCCommunication-AdmxBacked-End -->
+
+<!-- RequireSecureRPCCommunication-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- RequireSecureRPCCommunication-Examples-End -->
+
+<!-- RequireSecureRPCCommunication-End -->
+
+<!-- RemoteDesktopServices-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- RemoteDesktopServices-CspMoreInfo-End -->
+
+<!-- RemoteDesktopServices-End -->
+
+## Related articles
 
 [Policy configuration service provider](policy-configuration-service-provider.md)