Supported Windows security configurations for Remote Desktop Services VDI

Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016

Windows and Windows Server have new layers of protection built into the operating system to:

• Safeguard against security breaches
• Help block malicious attacks
• Enhance the security of virtual machines, applications, and data.

Note

• Features like Credential Guard may have performance implication on user density. Ensure to test your scenarios. Learn more about other considerations for credential guard configuration.

• Make sure to review the Remote Desktop Services supported configuration information.

The following table outlines which of these new features are supported in a VDI deployment using RDS.

VDI collection type	Managed pooled	Managed personal	Unmanaged pooled	Unmanaged personal
Credential Guard	Yes	Yes	Yes	Yes
Device Guard	Yes	Yes	Yes	Yes
Remote Credential Guard	No	No	No	No
Shielded & Encryption Supported VMs	No	No	Encryption supported VMs with extra configuration	Encryption supported VMs with extra configuration

Remote Credential Guard

Remote Credential Guard is only supported for direct connections to the target machines and not for the ones via Remote Desktop Connection Broker and Remote Desktop Gateway.

Note

If you have a Connection Broker in a single-instance environment, and the DNS name matches the computer name, you may be able to use Remote Credential Guard, although this isn't supported.

Shielded VMs and Encryption Supported VMs

Shielded VMs aren't supported in Remote Desktop Services VDI.

For leveraging Encryption Supported VMs:

• Use an unmanaged collection and a provisioning technology outside of the Remote Desktop Services collection creation process to provision the virtual machines.
• User Profile Disks aren't supported as they rely on differential disks