deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-11 04:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/client-management/mdm/policy-csp-remotedesktopservices.md
Chris J. Lin ef1c69b439
Release mcc ent (#1) 
* smb adds

* smb adds

* formatting

* private preview and support content

* edit removed and dep

* Fix blocking issues

* Acro-fix

* 24H2 CSP Updates

* Fix link

* fix link in dep page

* edit

* edit index file

* syntax-fix-24h2

* ltsc-edits

* ltsc-edits

* lichris-docs-1

* Acrolinx improvements

* refresh for maxado-8631996

* update link for maxado-8631993

* additional edits, acrolinx

* ltsc-tw

* contentsource-8914508

* contentsource-8914508

* Updates for 1 October release

* Set stale debug to false

* update gp link for 24h2

* additional changes

* Changes to updates, acrolinx changes

* fixes broken links

* Fixed alignment issues

* updates from Rafal

* fixed acrolinx

* so many link fixes

* added release notes and troubleshoot content

* updates

* Update security-compliance-toolkit-10.md

Added Windows 11 24H2

* Update get-support-for-security-baselines.md

Updated for Windows 11 24H2

* bump date

* bump date

* fix pde comment

* fixing broken link

* Fix broken redirections

* fix to rel link

* reset head, fix link

* add cli to deploy, add script to cli

* removing "mcce"

* edits to create page

* Update default and global release policies OS version and dates to latest release values

* emoved e from mcce and other changes

* updated example script

* added important notice to update page

* more update page changes

* clarified how proxy configuration is used

* anonymizing variables in example script

* revise example script

* acrolinx fixes to update page

* changes to other pages and content in overview page

* Update broken link

Update broken link

* Update windows-sandbox-configure-using-wsb-file.md

Update `HostFolder` value description in `MappedFolder`, specifying that the path could be absolute or relative, not only absolute as, instead, is for the `SandboxFolder` value.

* Remove bad link

Removed bad link. There is already a second link referring to content so no need to replace the link.

* docfx update for security book

* Correct TOC entry changing Windows 10 to Windows

* Update whats-new-do.md

- Vpn to VPN
- Minor improvements

* Updated date for freshness reporting

* Add EOS callout

Fix some obvious Acrolinx issues

* Fixed typo added clarity

* Update mcc-ent-deploy-to-windows.md

* Update .openpublishing.redirection.windows-deployment.json

* Update .openpublishing.redirection.windows-deployment.json

* Update policy-csp-localpoliciessecurityoptions.md

* Correct indentation and spacing

* Acrolinx: "Enteprise"

* Update mcc-ent-edu-overview.md

* refresh

* Remove redirection and final bits of store-for-business

store-for-business, AKA /microsoft-store/, is retired, and the content is archived in officearchive-pr. This archival was for ADO task 9268422.

* added support content and other changes

* fixed tabs

* fixed tabs

* Updated device reg policy and group information

* Update delivery-optimization-endpoints.md

Added a line item in MCC table for Outlook *res.cdn.office.net requirement

* freshness review

* Fix broken links

* Minor change

* content for faq

* changes to landing page

* more content to faqs

* pencil edit

* add copilot exps link

* edits and ren cli file temporarily

* ren file back and edit toc to lowercase

* edit

* edit

* edit

* Update windows-autopatch-configure-network.md

Adding a new network endpoint required for the service 'device.autopatch.microsoft.com' @tiaraquan

* Clarify some points and remove data that is confusing to customers.

* fix syntax

* Sentence correction

* Update windows/deployment/do/waas-delivery-optimization-faq.yml

Co-authored-by: Meghan Stewart <33289333+mestew@users.noreply.github.com>

* Update windows/deployment/do/waas-delivery-optimization-faq.yml

Co-authored-by: Meghan Stewart <33289333+mestew@users.noreply.github.com>

* moved shortcuts under policy settings article

---------

Co-authored-by: Alma Jenks <v-alje@microsoft.com>
Co-authored-by: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Co-authored-by: Stacyrch140 <102548089+Stacyrch140@users.noreply.github.com>
Co-authored-by: Nidhi Doshi <77081571+doshnid@users.noreply.github.com>
Co-authored-by: Gary Moore <5432776+garycentric@users.noreply.github.com>
Co-authored-by: Vinay Pamnani (from Dev Box) <vinpa@microsoft.com>
Co-authored-by: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Co-authored-by: Aaron Czechowski <aczechowski@users.noreply.github.com>
Co-authored-by: Aditi Srivastava <133841950+aditisrivastava07@users.noreply.github.com>
Co-authored-by: Daniel H. Brown <32883970+DHB-MSFT@users.noreply.github.com>
Co-authored-by: David Strome <21028455+dstrome@users.noreply.github.com>
Co-authored-by: Padma Jayaraman <v-padmaj@microsoft.com>
Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Co-authored-by: Rebecca Agiewich <16087112+rjagiewich@users.noreply.github.com>
Co-authored-by: Rick Munck <33725928+jmunck@users.noreply.github.com>
Co-authored-by: Tanaka <Huios@users.noreply.github.com>
Co-authored-by: Tiara Quan <95256667+tiaraquan@users.noreply.github.com>
Co-authored-by: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Co-authored-by: Davide Piccinini <davide.piccinini.95@gmail.com>
Co-authored-by: Phil Garcia <phil@thinkedge.com>
Co-authored-by: Learn Build Service GitHub App <Learn Build Service LearnBuild@microsoft.com>
Co-authored-by: tiaraquan <tiaraquan@microsoft.com>
Co-authored-by: Caitlin Hart <caithart@microsoft.com>
Co-authored-by: Harman Thind <63820404+hathin@users.noreply.github.com>
Co-authored-by: [cmknox] <[cmknox@gmail.com]>
Co-authored-by: Carmen Forsmann <cmforsmann@live.com>
2024-10-17 11:34:07 -07:00

40 KiB
Raw Blame History

title, description, ms.date
title description ms.date
RemoteDesktopServices Policy CSP Learn more about the RemoteDesktopServices Area in Policy CSP. 09/27/2024

Policy CSP - RemoteDesktopServices

[!INCLUDE ADMX-backed CSP tip]

[!INCLUDE Windows Insider tip]

AllowUsersToConnectRemotely

Scope Editions Applicable OS
Device
User		 Pro
Enterprise
Education
Windows SE
IoT Enterprise / IoT Enterprise LTSC		 Windows 10, version 1703 [10.0.15063] and later 
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/AllowUsersToConnectRemotely

This policy setting allows you to configure remote access to computers by using Remote Desktop Services.

  • If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services.

  • If you disable this policy setting, users can't connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but won't accept any new incoming connections.

  • If you don't configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections aren't allowed.

Note

You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication.

You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

[!INCLUDE ADMX-backed policy note]

ADMX mapping:

Name Value
Name TS_DISABLE_CONNECTIONS
Friendly Name Allow users to connect remotely by using Remote Desktop Services
Location Computer Configuration
Path Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections
Registry Key Name SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
ADMX File Name TerminalServer.admx

ClientConnectionEncryptionLevel

Scope Editions Applicable OS
Device
User		 Pro
Enterprise
Education
Windows SE
IoT Enterprise / IoT Enterprise LTSC		 Windows 10, version 1703 [10.0.15063] and later 
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/ClientConnectionEncryptionLevel

Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption.

  • If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:

  • High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that don't support this encryption level can't connect to RD Session Host servers.

  • Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that don't support 128-bit encryption.

  • Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption.

  • If you disable or don't configure this setting, the encryption level to be used for remote connections to RD Session Host servers isn't enforced through Group Policy.

Important.

FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options). The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

[!INCLUDE ADMX-backed policy note]

ADMX mapping:

Name Value
Name TS_ENCRYPTION_POLICY
Friendly Name Set client connection encryption level
Location Computer Configuration
Path Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
Registry Key Name SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
ADMX File Name TerminalServer.admx

DisconnectOnLockLegacyAuthn

Scope Editions Applicable OS
Device
User		 Pro
Enterprise
Education
Windows SE
IoT Enterprise / IoT Enterprise LTSC		 Windows 11, version 24H2 [10.0.26100] and later 
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DisconnectOnLockLegacyAuthn

This policy setting allows you to configure the user experience when the Remote Desktop session is locked by the user or by a policy. You can specify whether the remote session will show the remote lock screen or disconnect when the remote session is locked. Disconnecting the remote session ensures that a remote session can't be left on the lock screen and can't reconnect automatically due to loss of network connectivity.

This policy applies only when using legacy authentication to authenticate to the remote PC. Legacy authentication is limited to username and password, or certificates like smartcards. Legacy authentication doesn't leverage the Microsoft identity platform, such as Microsoft Entra ID. Legacy authentication includes the NTLM, CredSSP, RDSTLS, TLS, and RDP basic authentication protocols.

  • If you enable this policy setting, Remote Desktop connections using legacy authentication will disconnect the remote session when the remote session is locked. Users can reconnect when they're ready and re-enter their credentials when prompted.

  • If you disable or don't configure this policy setting, Remote Desktop connections using legacy authentication will show the remote lock screen when the remote session is locked. Users can unlock the remote session using their username and password, or certificates.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

[!INCLUDE ADMX-backed policy note]

ADMX mapping:

Name Value
Name TS_DISCONNECT_ON_LOCK_POLICY
Friendly Name Disconnect remote session on lock for legacy authentication
Location Computer Configuration
Path Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
Registry Key Name SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Registry Value Name fDisconnectOnLockLegacy
ADMX File Name TerminalServer.admx

DisconnectOnLockMicrosoftIdentityAuthn

Scope Editions Applicable OS
Device
User		 Pro
Enterprise
Education
Windows SE
IoT Enterprise / IoT Enterprise LTSC		 Windows 11, version 24H2 [10.0.26100] and later 
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DisconnectOnLockMicrosoftIdentityAuthn

This policy setting allows you to configure the user experience when the Remote Desktop session is locked by the user or by a policy. You can specify whether the remote session will show the remote lock screen or disconnect when the remote session is locked. Disconnecting the remote session ensures that a remote session can't be left on the lock screen and can't reconnect automatically due to loss of network connectivity.

This policy applies only when using an identity provider that uses the Microsoft identity platform, such as Microsoft Entra ID, to authenticate to the remote PC. This policy doesn't apply when using Legacy authentication which includes the NTLM, CredSSP, RDSTLS, TLS, and RDP basic authentication protocols.

  • If you enable or don't configure this policy setting, Remote Desktop connections using the Microsoft identity platform will disconnect the remote session when the remote session is locked. Users can reconnect when they're ready and can use passwordless authentication if configured.

  • If you disable this policy setting, Remote Desktop connections using the Microsoft identity platform will show the remote lock screen when the remote session is locked. Users can unlock the remote session using their username and password, or certificates.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

[!INCLUDE ADMX-backed policy note]

ADMX mapping:

Name Value
Name TS_DISCONNECT_ON_LOCK_AAD_POLICY
Friendly Name Disconnect remote session on lock for Microsoft identity platform authentication
Location Computer Configuration
Path Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
Registry Key Name SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Registry Value Name fDisconnectOnLockMicrosoftIdentity
ADMX File Name TerminalServer.admx

DoNotAllowDriveRedirection

Scope Editions Applicable OS
Device
User		 Pro
Enterprise
Education
Windows SE
IoT Enterprise / IoT Enterprise LTSC		 Windows 10, version 1703 [10.0.15063] and later 
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DoNotAllowDriveRedirection

This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).

By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format <driveletter> on <computername>. You can use this policy setting to override this behavior.

  • If you enable this policy setting, client drive redirection isn't allowed in Remote Desktop Services sessions, and Clipboard file copy redirection isn't allowed on computers running Windows XP, Windows Server 2003, Windows Server 2012 (and later) or Windows 8 (and later).

  • If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed.

  • If you don't configure this policy setting, client drive redirection and Clipboard file copy redirection aren't specified at the Group Policy level.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

[!INCLUDE ADMX-backed policy note]

ADMX mapping:

Name Value
Name TS_CLIENT_DRIVE_M
Friendly Name Do not allow drive redirection
Location Computer Configuration
Path Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
Registry Key Name SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Registry Value Name fDisableCdm
ADMX File Name TerminalServer.admx

DoNotAllowPasswordSaving

Scope Editions Applicable OS
Device
User		 Pro
Enterprise
Education
Windows SE
IoT Enterprise / IoT Enterprise LTSC		 Windows 10, version 1703 [10.0.15063] and later 
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DoNotAllowPasswordSaving

Controls whether passwords can be saved on this computer from Remote Desktop Connection.

  • If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted.

  • If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

[!INCLUDE ADMX-backed policy note]

ADMX mapping:

Name Value
Name TS_CLIENT_DISABLE_PASSWORD_SAVING_2
Friendly Name Do not allow passwords to be saved
Location Computer Configuration
Path Windows Components > Remote Desktop Services > Remote Desktop Connection Client
Registry Key Name SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Registry Value Name DisablePasswordSaving
ADMX File Name TerminalServer.admx

DoNotAllowWebAuthnRedirection

Scope Editions Applicable OS
Device
User		 Pro
Enterprise
Education
Windows SE
IoT Enterprise / IoT Enterprise LTSC		 Windows 11, version 22H2 [10.0.22621] and later 
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DoNotAllowWebAuthnRedirection

This policy setting lets you control the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. This redirection enables users to authenticate to resources inside the Remote Desktop session using their localauthenticator (e.g., Windows Hello for Business, security key, or other).

By default, Remote Desktop allows redirection of WebAuthn requests.

  • If you enable this policy setting, users can't use their local authenticator inside the Remote Desktop session.

  • If you disable or don't configure this policy setting, users can use local authenticators inside the Remote Desktop session.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

[!INCLUDE ADMX-backed policy note]

ADMX mapping:

Name Value
Name TS_WEBAUTHN
Friendly Name Do not allow WebAuthn redirection
Location Computer Configuration
Path Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
Registry Key Name SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Registry Value Name fDisableWebAuthn
ADMX File Name TerminalServer.admx

LimitClientToServerClipboardRedirection

Scope Editions Applicable OS
Device
User		 Pro
Enterprise
Education
Windows SE
IoT Enterprise / IoT Enterprise LTSC		 [10.0.20348.2523] and later
[10.0.25398.946] and later
Windows 11, version 21H2 [10.0.22000.3014] and later
Windows 11, version 22H2 with KB5037853 [10.0.22621.3672] and later
Windows 11, version 23H2 with KB5037853 [10.0.22631.3672] and later
Windows 11, version 24H2 [10.0.26100] and later		 
./User/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitClientToServerClipboardRedirection

./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitClientToServerClipboardRedirection

This policy setting allows you to restrict clipboard data transfers from client to server.

  • If you enable this policy setting, you must choose from the following behaviors:

  • Disable clipboard transfers from client to server.

  • Allow plain text copying from client to server.

  • Allow plain text and images copying from client to server.

  • Allow plain text, images and Rich Text Format copying from client to server.

  • Allow plain text, images, Rich Text Format and HTML copying from client to server.

  • If you disable or don't configure this policy setting, users can copy arbitrary contents from client to server if clipboard redirection is enabled.

Note

This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the stricter restriction will be used.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

[!INCLUDE ADMX-backed policy note]

ADMX mapping:

Name Value
Name TS_CLIENT_CLIPBOARDRESTRICTION_CS
Friendly Name Restrict clipboard transfer from client to server
Location Computer and User Configuration
Path Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
Registry Key Name SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
ADMX File Name TerminalServer.admx

LimitServerToClientClipboardRedirection

Scope Editions Applicable OS
Device
User		 Pro
Enterprise
Education
Windows SE
IoT Enterprise / IoT Enterprise LTSC		 [10.0.20348.2523] and later
[10.0.25398.946] and later
Windows 11, version 21H2 [10.0.22000.3014] and later
Windows 11, version 22H2 with KB5037853 [10.0.22621.3672] and later
Windows 11, version 23H2 with KB5037853 [10.0.22631.3672] and later
Windows 11, version 24H2 [10.0.26100] and later		 
./User/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitServerToClientClipboardRedirection

./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitServerToClientClipboardRedirection

This policy setting allows you to restrict clipboard data transfers from server to client.

  • If you enable this policy setting, you must choose from the following behaviors:

  • Disable clipboard transfers from server to client.

  • Allow plain text copying from server to client.

  • Allow plain text and images copying from server to client.

  • Allow plain text, images and Rich Text Format copying from server to client.

  • Allow plain text, images, Rich Text Format and HTML copying from server to client.

  • If you disable or don't configure this policy setting, users can copy arbitrary contents from server to client if clipboard redirection is enabled.

Note

This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the stricter restriction will be used.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

[!INCLUDE ADMX-backed policy note]

ADMX mapping:

Name Value
Name TS_CLIENT_CLIPBOARDRESTRICTION_SC
Friendly Name Restrict clipboard transfer from server to client
Location Computer and User Configuration
Path Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
Registry Key Name SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
ADMX File Name TerminalServer.admx

PromptForPasswordUponConnection

Scope Editions Applicable OS
Device
User		 Pro
Enterprise
Education
Windows SE
IoT Enterprise / IoT Enterprise LTSC		 Windows 10, version 1703 [10.0.15063] and later 
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/PromptForPasswordUponConnection

This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.

You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.

By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.

  • If you enable this policy setting, users can't automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.

  • If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client.

  • If you don't configure this policy setting, automatic logon isn't specified at the Group Policy level.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

[!INCLUDE ADMX-backed policy note]

ADMX mapping:

Name Value
Name TS_PASSWORD
Friendly Name Always prompt for password upon connection
Location Computer Configuration
Path Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
Registry Key Name SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Registry Value Name fPromptForPassword
ADMX File Name TerminalServer.admx

RequireSecureRPCCommunication

Scope Editions Applicable OS
Device
User		 Pro
Enterprise
Education
Windows SE
IoT Enterprise / IoT Enterprise LTSC		 Windows 10, version 1703 [10.0.15063] and later 
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/RequireSecureRPCCommunication

Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.

You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.

If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and doesn't allow unsecured communication with untrusted clients.

If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that don't respond to the request.

If the status is set to Not Configured, unsecured communication is allowed.

Note

The RPC interface is used for administering and configuring Remote Desktop Services.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

[!INCLUDE ADMX-backed policy note]

ADMX mapping:

Name Value
Name TS_RPC_ENCRYPTION
Friendly Name Require secure RPC communication
Location Computer Configuration
Path Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
Registry Key Name SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Registry Value Name fEncryptRPCTraffic
ADMX File Name TerminalServer.admx

TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME

Scope Editions Applicable OS
Device
User		 Pro
Enterprise
Education
Windows SE
IoT Enterprise / IoT Enterprise LTSC		 [10.0.20348.2400] and later
[10.0.25398.827] and later
Windows 11, version 21H2 [10.0.22000.2898] and later
Windows 11, version 22H2 with KB5035942 [10.0.22621.3374] and later
Windows 11, version 23H2 with KB5035942 [10.0.22631.3374] and later
Windows Insider Preview		 
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

[!INCLUDE ADMX-backed policy note]

ADMX mapping:

Name Value
Name TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME
ADMX File Name TerminalServer.admx

Related articles

Policy configuration service provider