Policy CSP - RemoteDesktopServices

Tip

This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see Understanding ADMX-backed policies.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

Important

This CSP contains some settings that are under development and only applicable for Windows Insider Preview builds. These settings are subject to change and may have dependencies on other features or services in preview.

AllowUsersToConnectRemotely

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/AllowUsersToConnectRemotely

This policy setting allows you to configure remote access to computers by using Remote Desktop Services.

  • If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services.

  • If you disable this policy setting, users can't connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but won't accept any new incoming connections.

  • If you don't configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections aren't allowed.

Note

You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication.

You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name TS_DISABLE_CONNECTIONS
Friendly Name Allow users to connect remotely by using Remote Desktop Services
Location Computer Configuration
Path Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections
Registry Key Name SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
ADMX File Name TerminalServer.admx

ClientConnectionEncryptionLevel

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/ClientConnectionEncryptionLevel

Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption.

  • If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:

      • High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that don't support this encryption level can't connect to RD Session Host servers.

      • Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that don't support 128-bit encryption.

      • Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption.

  • If you disable or don't configure this setting, the encryption level to be used for remote connections to RD Session Host servers isn't enforced through Group Policy.

Important

FIPS compliance can be configured through the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" setting in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options). The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers require the highest level of encryption.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name TS_ENCRYPTION_POLICY
Friendly Name Set client connection encryption level
Location Computer Configuration
Path Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
Registry Key Name SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
ADMX File Name TerminalServer.admx

DisconnectOnLockLegacyAuthn

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows Insider Preview
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DisconnectOnLockLegacyAuthn

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name TS_DISCONNECT_ON_LOCK_POLICY
ADMX File Name terminalserver.admx

DisconnectOnLockMicrosoftIdentityAuthn

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows Insider Preview
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DisconnectOnLockMicrosoftIdentityAuthn

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name TS_DISCONNECT_ON_LOCK_AAD_POLICY
ADMX File Name terminalserver.admx

DoNotAllowDriveRedirection

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DoNotAllowDriveRedirection

This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).

By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format <driveletter> on <computername>. You can use this policy setting to override this behavior.

  • If you enable this policy setting, client drive redirection isn't allowed in Remote Desktop Services sessions, and Clipboard file copy redirection isn't allowed on computers running Windows XP, Windows Server 2003, Windows Server 2012 (and later) or Windows 8 (and later).

  • If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed.

  • If you don't configure this policy setting, client drive redirection and Clipboard file copy redirection aren't specified at the Group Policy level.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name TS_CLIENT_DRIVE_M
Friendly Name Do not allow drive redirection
Location Computer Configuration
Path Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
Registry Key Name SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Registry Value Name fDisableCdm
ADMX File Name TerminalServer.admx

DoNotAllowPasswordSaving

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DoNotAllowPasswordSaving

Controls whether passwords can be saved on this computer from Remote Desktop Connection.

  • If you enable this setting, the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves their settings, any password that previously existed in the RDP file will be deleted.

  • If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name TS_CLIENT_DISABLE_PASSWORD_SAVING_2
Friendly Name Do not allow passwords to be saved
Location Computer Configuration
Path Windows Components > Remote Desktop Services > Remote Desktop Connection Client
Registry Key Name SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Registry Value Name DisablePasswordSaving
ADMX File Name TerminalServer.admx

DoNotAllowWebAuthnRedirection

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 11, version 22H2 [10.0.22621] and later
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DoNotAllowWebAuthnRedirection

This policy setting lets you control the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. This redirection enables users to authenticate to resources inside the Remote Desktop session using their local authenticator (e.g., Windows Hello for Business, security key, or other).

By default, Remote Desktop allows redirection of WebAuthn requests.

  • If you enable this policy setting, users can't use their local authenticator inside the Remote Desktop session.

  • If you disable or don't configure this policy setting, users can use local authenticators inside the Remote Desktop session.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name TS_WEBAUTHN
Friendly Name Do not allow WebAuthn redirection
Location Computer Configuration
Path Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
Registry Key Name SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Registry Value Name fDisableWebAuthn
ADMX File Name TerminalServer.admx

LimitClientToServerClipboardRedirection

Scope: ✅ Device, ✅ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows Insider Preview
./User/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitClientToServerClipboardRedirection
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitClientToServerClipboardRedirection

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name TS_CLIENT_CLIPBOARDRESTRICTION_CS
ADMX File Name terminalserver.admx

LimitServerToClientClipboardRedirection

Scope: ✅ Device, ✅ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows Insider Preview
./User/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitServerToClientClipboardRedirection
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitServerToClientClipboardRedirection

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name TS_CLIENT_CLIPBOARDRESTRICTION_SC
ADMX File Name terminalserver.admx

PromptForPasswordUponConnection

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/PromptForPasswordUponConnection

This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.

You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.

By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.

  • If you enable this policy setting, users can't automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.

  • If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client.

  • If you don't configure this policy setting, automatic logon isn't specified at the Group Policy level.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name TS_PASSWORD
Friendly Name Always prompt for password upon connection
Location Computer Configuration
Path Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
Registry Key Name SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Registry Value Name fPromptForPassword
ADMX File Name TerminalServer.admx

RequireSecureRPCCommunication

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/RequireSecureRPCCommunication

Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.

You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.

If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and doesn't allow unsecured communication with untrusted clients.

If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that don't respond to the request.

If the status is set to Not Configured, unsecured communication is allowed.

Note

The RPC interface is used for administering and configuring Remote Desktop Services.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name TS_RPC_ENCRYPTION
Friendly Name Require secure RPC communication
Location Computer Configuration
Path Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
Registry Key Name SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Registry Value Name fEncryptRPCTraffic
ADMX File Name TerminalServer.admx
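
To audit whether the policies above have taken effect on a device, the following added example (not part of the original documentation and not Microsoft's code) reads the registry key and value names given in the ADMX mapping tables on this page. The function name Get-RdsPolicyState is hypothetical, and the mapping of DWORD 1 to Enabled, 0 to Disabled, and an absent value to Not configured is an assumption that this page does not state.

```powershell
# Added example: report the state of the RDS policies whose registry value
# names appear in the ADMX mapping tables on this page.
# Assumption (not stated on the page): Enabled is stored as DWORD 1,
# Disabled as DWORD 0, and Not configured as an absent value.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# CSP policy name -> registry value name, both taken from this page.
$Policies = [ordered]@{
    DoNotAllowDriveRedirection      = 'fDisableCdm'
    DoNotAllowPasswordSaving        = 'DisablePasswordSaving'
    DoNotAllowWebAuthnRedirection   = 'fDisableWebAuthn'
    PromptForPasswordUponConnection = 'fPromptForPassword'
    RequireSecureRPCCommunication   = 'fEncryptRPCTraffic'
}

function Get-RdsPolicyState {
    param(
        [string]$Key = $PolicyKey,
        [System.Collections.IDictionary]$Map = $Policies
    )

    # A missing key yields $null here; every policy is then "NotConfigured".
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    foreach ($name in $Map.Keys) {
        $valueName = $Map[$name]
        $raw = $null
        if ($props -and $props.PSObject.Properties[$valueName]) {
            $raw = $props.$valueName
        }

        # Flag anything other than 0/1 rather than guessing its meaning.
        if ($null -eq $raw)  { $state = 'NotConfigured' }
        elseif ($raw -eq 1)  { $state = 'Enabled' }
        elseif ($raw -eq 0)  { $state = 'Disabled' }
        else                 { $state = "Unexpected($raw)" }

        [pscustomobject]@{
            Policy    = $name
            ValueName = $valueName
            RawValue  = $raw
            State     = $state
        }
    }
}

Get-RdsPolicyState | Format-Table -AutoSize
```

Policies on this page whose ADMX mapping lists no registry value name (for example ClientConnectionEncryptionLevel and the Windows Insider Preview settings) are left out, because the page gives no value to read for them.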
