Policy CSP - RemoteDesktopServices
Tip
This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see Understanding ADMX-backed policies.
The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.
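The encoding rule above, as an added example (not Microsoft's code): a Python helper that builds the SyncML locally, in both the XML-encoded and the CDATA form, so policy payloads never have to be pasted into an online encoder. The policy names and OMA-URI prefix come from this page; the `<enabled/>` payload, the bare SyncML 1.2 envelope and all function names are assumptions of this example.

```python
"""Added example: build SyncML for ADMX-backed RemoteDesktopServices policies."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "SYNCML:SYNCML1.2"
BASE = "./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/"

# Policy names copied from this page. Assumption: each is a plain on/off
# ADMX policy, so the payload is just <enabled/> or <disabled/>.
KNOWN = {
    "DoNotAllowDriveRedirection",
    "DoNotAllowPasswordSaving",
    "PromptForPasswordUponConnection",
    "RequireSecureRPCCommunication",
}


def build_replace(cmd_id, policy, payload, use_cdata=False):
    """Return one <Replace> command whose <Data> carries the ADMX payload."""
    if policy not in KNOWN:
        # Never splice an unchecked name into the LocURI.
        raise ValueError(f"unknown policy: {policy!r}")
    # The payload must itself be well-formed XML; ParseError if it is not.
    ET.fromstring(f"<p>{payload}</p>")
    if use_cdata:
        if "]]>" in payload:
            raise ValueError("payload would terminate the CDATA section")
        data = f"<![CDATA[{payload}]]>"
    else:
        data = escape(payload)  # & < >  become  &amp; &lt; &gt;
    return (
        f"<Replace><CmdID>{int(cmd_id)}</CmdID><Item>"
        "<Meta><Format>chr</Format></Meta>"
        f"<Target><LocURI>{BASE}{policy}</LocURI></Target>"
        f"<Data>{data}</Data></Item></Replace>"
    )


def build_syncml(settings, use_cdata=False):
    """settings maps policy name to payload; returns a full SyncML document."""
    cmds = "".join(
        build_replace(i, name, payload, use_cdata)
        for i, (name, payload) in enumerate(settings.items(), start=1)
    )
    return f'<SyncML xmlns="{NS}"><SyncBody>{cmds}<Final/></SyncBody></SyncML>'


def decode_payloads(syncml):
    """Parse a SyncML document back into {LocURI: decoded payload}."""
    root = ET.fromstring(syncml)
    out = {}
    for item in root.iter(f"{{{NS}}}Item"):
        uri = item.find(f"{{{NS}}}Target/{{{NS}}}LocURI").text
        out[uri] = item.find(f"{{{NS}}}Data").text
    return out


if __name__ == "__main__":
    # Constructed sample baseline: block drive redirection, force a prompt.
    baseline = {
        "DoNotAllowDriveRedirection": "<enabled/>",
        "PromptForPasswordUponConnection": "<enabled/>",
    }
    encoded = build_syncml(baseline)
    cdata = build_syncml(baseline, use_cdata=True)
    print(encoded)
    print(cdata)
    # Both forms must decode to the same payload on the device side.
    print(decode_payloads(encoded) == decode_payloads(cdata))
```

Parsing the generated document back before upload confirms that the escaped and CDATA forms carry the same payload.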
Important
This CSP contains some settings that are under development and only applicable for Windows Insider Preview builds. These settings are subject to change and may have dependencies on other features or services in preview.
AllowUsersToConnectRemotely
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1703 [10.0.15063] and later |
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/AllowUsersToConnectRemotely
This policy setting allows you to configure remote access to computers by using Remote Desktop Services.
If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services.
If you disable this policy setting, users can't connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but won't accept any new incoming connections.
If you don't configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections aren't allowed.
Note
You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication.
You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | TS_DISABLE_CONNECTIONS |
Friendly Name | Allow users to connect remotely by using Remote Desktop Services |
Location | Computer Configuration |
Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections |
Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
ADMX File Name | TerminalServer.admx |
ClientConnectionEncryptionLevel
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1703 [10.0.15063] and later |
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/ClientConnectionEncryptionLevel
Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption.
- If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:
  - High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that don't support this encryption level can't connect to RD Session Host servers.
  - Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that don't support 128-bit encryption.
  - Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption.
- If you disable or don't configure this setting, the encryption level to be used for remote connections to RD Session Host servers isn't enforced through Group Policy.
Important
FIPS compliance can be configured through the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" setting in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options). The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers require the highest level of encryption.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | TS_ENCRYPTION_POLICY |
Friendly Name | Set client connection encryption level |
Location | Computer Configuration |
Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security |
Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
ADMX File Name | TerminalServer.admx |
DisconnectOnLockLegacyAuthn
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DisconnectOnLockLegacyAuthn
This policy setting allows you to configure the user experience when the Remote Desktop session is locked by the user or by a policy. You can specify whether the remote session will show the remote lock screen or disconnect when the remote session is locked. Disconnecting the remote session ensures that a remote session can't be left on the lock screen and can't reconnect automatically due to loss of network connectivity.
This policy applies only when using legacy authentication to authenticate to the remote PC. Legacy authentication is limited to username and password, or certificates like smartcards. Legacy authentication doesn't leverage the Microsoft identity platform, such as Microsoft Entra ID. Legacy authentication includes the NTLM, CredSSP, RDSTLS, TLS, and RDP basic authentication protocols.
If you enable this policy setting, Remote Desktop connections using legacy authentication will disconnect the remote session when the remote session is locked. Users can reconnect when they're ready and re-enter their credentials when prompted.
If you disable or don't configure this policy setting, Remote Desktop connections using legacy authentication will show the remote lock screen when the remote session is locked. Users can unlock the remote session using their username and password, or certificates.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | TS_DISCONNECT_ON_LOCK_POLICY |
Friendly Name | Disconnect remote session on lock for legacy authentication |
Location | Computer Configuration |
Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security |
Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
Registry Value Name | fDisconnectOnLockLegacy |
ADMX File Name | TerminalServer.admx |
DisconnectOnLockMicrosoftIdentityAuthn
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DisconnectOnLockMicrosoftIdentityAuthn
This policy setting allows you to configure the user experience when the Remote Desktop session is locked by the user or by a policy. You can specify whether the remote session will show the remote lock screen or disconnect when the remote session is locked. Disconnecting the remote session ensures that a remote session can't be left on the lock screen and can't reconnect automatically due to loss of network connectivity.
This policy applies only when using an identity provider that uses the Microsoft identity platform, such as Microsoft Entra ID, to authenticate to the remote PC. This policy doesn't apply when using Legacy authentication which includes the NTLM, CredSSP, RDSTLS, TLS, and RDP basic authentication protocols.
If you enable or don't configure this policy setting, Remote Desktop connections using the Microsoft identity platform will disconnect the remote session when the remote session is locked. Users can reconnect when they're ready and can use passwordless authentication if configured.
If you disable this policy setting, Remote Desktop connections using the Microsoft identity platform will show the remote lock screen when the remote session is locked. Users can unlock the remote session using their username and password, or certificates.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | TS_DISCONNECT_ON_LOCK_AAD_POLICY |
Friendly Name | Disconnect remote session on lock for Microsoft identity platform authentication |
Location | Computer Configuration |
Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security |
Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
Registry Value Name | fDisconnectOnLockMicrosoftIdentity |
ADMX File Name | TerminalServer.admx |
DoNotAllowDriveRedirection
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1703 [10.0.15063] and later |
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DoNotAllowDriveRedirection
This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).
By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format <driveletter> on <computername>. You can use this policy setting to override this behavior.
If you enable this policy setting, client drive redirection isn't allowed in Remote Desktop Services sessions, and Clipboard file copy redirection isn't allowed on computers running Windows XP, Windows Server 2003, Windows Server 2012 (and later) or Windows 8 (and later).
If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed.
If you don't configure this policy setting, client drive redirection and Clipboard file copy redirection aren't specified at the Group Policy level.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | TS_CLIENT_DRIVE_M |
Friendly Name | Do not allow drive redirection |
Location | Computer Configuration |
Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection |
Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
Registry Value Name | fDisableCdm |
ADMX File Name | TerminalServer.admx |
DoNotAllowPasswordSaving
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1703 [10.0.15063] and later |
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DoNotAllowPasswordSaving
Controls whether passwords can be saved on this computer from Remote Desktop Connection.
If you enable this setting, the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves their settings, any password that previously existed in the RDP file will be deleted.
If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | TS_CLIENT_DISABLE_PASSWORD_SAVING_2 |
Friendly Name | Do not allow passwords to be saved |
Location | Computer Configuration |
Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client |
Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
Registry Value Name | DisablePasswordSaving |
ADMX File Name | TerminalServer.admx |
DoNotAllowWebAuthnRedirection
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DoNotAllowWebAuthnRedirection
This policy setting lets you control the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. This redirection enables users to authenticate to resources inside the Remote Desktop session using their local authenticator (e.g., Windows Hello for Business, security key, or other).
By default, Remote Desktop allows redirection of WebAuthn requests.
If you enable this policy setting, users can't use their local authenticator inside the Remote Desktop session.
If you disable or don't configure this policy setting, users can use local authenticators inside the Remote Desktop session.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | TS_WEBAUTHN |
Friendly Name | Do not allow WebAuthn redirection |
Location | Computer Configuration |
Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection |
Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
Registry Value Name | fDisableWebAuthn |
ADMX File Name | TerminalServer.admx |
LimitClientToServerClipboardRedirection
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2523] and later ✅ [10.0.25398.946] and later ✅ Windows 11, version 21H2 [10.0.22000.3014] and later ✅ Windows 11, version 22H2 with KB5037853 [10.0.22621.3672] and later ✅ Windows 11, version 23H2 with KB5037853 [10.0.22631.3672] and later ✅ Windows 11, version 24H2 [10.0.26100] and later |
./User/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitClientToServerClipboardRedirection
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitClientToServerClipboardRedirection
This policy setting allows you to restrict clipboard data transfers from client to server.
If you enable this policy setting, you must choose from the following behaviors:
- Disable clipboard transfers from client to server.
- Allow plain text copying from client to server.
- Allow plain text and images copying from client to server.
- Allow plain text, images and Rich Text Format copying from client to server.
- Allow plain text, images, Rich Text Format and HTML copying from client to server.
If you disable or don't configure this policy setting, users can copy arbitrary contents from client to server if clipboard redirection is enabled.
Note
This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the stricter restriction will be used.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | TS_CLIENT_CLIPBOARDRESTRICTION_CS |
Friendly Name | Restrict clipboard transfer from client to server |
Location | Computer and User Configuration |
Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection |
Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
ADMX File Name | TerminalServer.admx |
LimitServerToClientClipboardRedirection
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2523] and later ✅ [10.0.25398.946] and later ✅ Windows 11, version 21H2 [10.0.22000.3014] and later ✅ Windows 11, version 22H2 with KB5037853 [10.0.22621.3672] and later ✅ Windows 11, version 23H2 with KB5037853 [10.0.22631.3672] and later ✅ Windows 11, version 24H2 [10.0.26100] and later |
./User/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitServerToClientClipboardRedirection
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitServerToClientClipboardRedirection
This policy setting allows you to restrict clipboard data transfers from server to client.
If you enable this policy setting, you must choose from the following behaviors:
- Disable clipboard transfers from server to client.
- Allow plain text copying from server to client.
- Allow plain text and images copying from server to client.
- Allow plain text, images and Rich Text Format copying from server to client.
- Allow plain text, images, Rich Text Format and HTML copying from server to client.
If you disable or don't configure this policy setting, users can copy arbitrary contents from server to client if clipboard redirection is enabled.
Note
This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the stricter restriction will be used.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | TS_CLIENT_CLIPBOARDRESTRICTION_SC |
Friendly Name | Restrict clipboard transfer from server to client |
Location | Computer and User Configuration |
Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection |
Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
ADMX File Name | TerminalServer.admx |
PromptForPasswordUponConnection
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1703 [10.0.15063] and later |
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/PromptForPasswordUponConnection
This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.
You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.
By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.
If you enable this policy setting, users can't automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.
If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client.
If you don't configure this policy setting, automatic logon isn't specified at the Group Policy level.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | TS_PASSWORD |
Friendly Name | Always prompt for password upon connection |
Location | Computer Configuration |
Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security |
Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
Registry Value Name | fPromptForPassword |
ADMX File Name | TerminalServer.admx |
RequireSecureRPCCommunication
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1703 [10.0.15063] and later |
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/RequireSecureRPCCommunication
Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.
You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.
If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and doesn't allow unsecured communication with untrusted clients.
If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that don't respond to the request.
If the status is set to Not Configured, unsecured communication is allowed.
Note
The RPC interface is used for administering and configuring Remote Desktop Services.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | TS_RPC_ENCRYPTION |
Friendly Name | Require secure RPC communication |
Location | Computer Configuration |
Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security |
Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
Registry Value Name | fEncryptRPCTraffic |
ADMX File Name | TerminalServer.admx |
TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2400] and later ✅ [10.0.25398.827] and later ✅ Windows 11, version 21H2 [10.0.22000.2898] and later ✅ Windows 11, version 22H2 with KB5035942 [10.0.22621.3374] and later ✅ Windows 11, version 23H2 with KB5035942 [10.0.22631.3374] and later ✅ Windows Insider Preview |
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME |
ADMX File Name | TerminalServer.admx |