Initial RemoteApp deployment does not work if NTLM is forbidden

MTG 1,261 Reputation points
2024-06-11T15:28:29.1766667+00:00

Hi Microsoft.

Let me share the following finding, which smells like a Windows bug:

1. Take a cleanly installed server OS (2019/2022), set up the Remote Desktop server role (session based) and publish a RemoteApp ready for deployment.

2. Configure the GPO that sets the URL for RemoteApp deployment: User Configuration > Administrative Templates > Windows Components > Remote Desktop Services > RemoteApp and Desktop Connections -> Specify default connection URL

3. Log on to a clean Win11 23H2 (1st logon!) with a user to whom the GPO (2) applies

-> Expected result: the RemoteApp(s) get deployed to the Start menu

-> Observed result: the RemoteApp(s) only get deployed if outgoing NTLM traffic is allowed to the RD session host. Otherwise, no RemoteApps are deployed at all.

Side note: as said, when I allow NTLM traffic to that server, it works. Now when I disallow traffic after initially deploying RemoteApps and then publish a brand new RemoteApp, it gets deployed no matter whether I allow NTLM or not! So clearly, this should work without allowing NTLM and very probably, this is a bug.

Please try to confirm and fix.


1 answer

  1. Anonymous
    2024-06-13T07:21:15.7133333+00:00

    Hello,

    Firstly, it seems you are aiming to protect your PCs from an NTLM attack. To disable NTLM traffic, you should switch your remote desktop security layer to RDP (the default is 'negotiate', which usually means SSL/TLS).

    Steps:

    Navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security.

    Enable 'Require use of specific security layer for remote (RDP) connections' and select 'RDP' as the Security Layer.


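To see which outgoing NTLM attempts the client makes toward the RD host during the first logon described in the question, the client's NTLM restriction settings and the NTLM operational log can be read together. This is an added diagnostic example, not part of the original thread; the host name `rdhost.example.test` is a placeholder, and the field labels matched in the event message assume an English-language system.

```powershell
# Added example: run elevated on the Windows 11 client after reproducing the first logon.
# $RdHost is a placeholder; use the server named in the GPO's default connection URL.
param([string]$RdHost = 'rdhost.example.test')

# Registry values behind "Network security: Restrict NTLM: Outgoing NTLM traffic
# to remote servers" and "Add remote server exceptions for NTLM authentication".
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$policy = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue
$modes  = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
$value  = $policy.RestrictSendingNTLMTraffic
$mode   = if ($null -eq $value) { 'Not configured' } else { $modes[[int]$value] }

"Outgoing NTLM restriction : $mode"
"Server exceptions         : $(@($policy.ClientAllowedNTLMServers) -join ', ')"

# 4001 = outgoing NTLM blocked; 8001 = outgoing NTLM audited (would have been blocked).
# 8001 is only written while the policy is in audit mode.
$filter = @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 4001, 8001 }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$RdHost*" }

if (-not $events) {
    "No blocked or audited outgoing NTLM events mention $RdHost."
    return
}

# Show when each attempt happened, whether it was blocked, and which target
# service and client process were involved (lines pulled from the message text).
$wanted = 'Target server|Supplied user|Name of client process'
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ n = 'Result'; e = { if ($_.Id -eq 4001) { 'Blocked' } else { 'Audited' } } },
        @{ n = 'Detail'; e = {
            ($_.Message -split "`r?`n" |
                Where-Object { $_ -match $wanted } |
                ForEach-Object { $_.Trim() }) -join '; ' } } |
    Format-List
```

Comparing the output from a first logon with the output after publishing an additional RemoteApp shows whether the two cases differ in the client process or target service that falls back to NTLM.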

