Limit number of monitors

This policy setting allows you to limit the number of monitors that a user can use to display a Remote Desktop Services session. Limiting the number of monitors used to display a Remote Desktop Services session can improve connection performance, particularly over slow links, and reduce server load.

If you enable this policy setting, you can specify the number of monitors that can be used to display a Remote Desktop Services session. You can specify a number from 1 to 16.

If you disable or do not configure this policy setting, the number of monitors that can be used to display a Remote Desktop Services session is not specified at the Group Policy level.

Limit maximum color depth

This policy setting allows you to specify the maximum color resolution (color depth) for Remote Desktop Services connections. You can use this policy setting to set a limit on the color depth of any connection that uses RDP. Limiting the color depth can improve connection performance, particularly over slow links, and reduce server load.

If you enable this policy setting, the color depth that you specify is the maximum color depth allowed for a user’s RDP connection. The actual color depth for the connection is determined by the color support available on the client computer. If you select Client Compatible, the highest color depth supported by the client will be used.

If you disable or do not configure this policy setting, the color depth for connections is not specified at the Group Policy level.

Note:

1. Setting the color depth to 24 bits is only supported on Windows Server 2003 and Windows XP Professional.
2. The value specified in this policy setting is not applied to connections from client computers that are using at least Remote Desktop Protocol 8.0 (computers running at least Windows 8 or Windows Server 2012 R2). The 32-bit color depth format is always used for these connections.
3. For connections from client computers that are using Remote Desktop Protocol 7.1 or earlier versions and that are connecting to computers running at least Windows 8 or Windows Server 2012 R2, the minimum of the following values is used as the color depth format:
   a. Value specified by this policy setting
   b. Maximum color depth supported by the client
   c. Value requested by the client

   If the client does not support at least 16 bits, the connection is terminated.

Automatic reconnection

Specifies whether to allow Remote Desktop Connection clients to automatically reconnect to sessions on an RD Session Host server if their network link is temporarily lost. By default, a maximum of twenty reconnection attempts are made at five-second intervals.

If the status is set to Enabled, automatic reconnection is attempted for all clients running Remote Desktop Connection whenever their network connection is lost.

If the status is set to Disabled, automatic reconnection of clients is prohibited.

If the status is set to Not Configured, automatic reconnection is not specified at the Group Policy level. However, users can configure automatic reconnection using the “Reconnect if connection is dropped” checkbox on the Experience tab in Remote Desktop Connection.

Set RD Gateway server address

Specifies the address of the RD Gateway server that clients must use when attempting to connect to an RD Session Host server.

You can enforce this policy setting or you can allow users to overwrite it. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the “Use these RD Gateway server settings” option on the client.

Note: It is highly recommended that you also specify the authentication method by using the “Set RD Gateway authentication method” policy setting. If you do not specify an authentication method by using this setting, either the NTLM protocol that is enabled on the client or a smart card can be used.

To allow users to overwrite the “Set RD Gateway server address” policy setting and connect to another RD Gateway server, you must select the “Allow users to change this setting” check box, and users will be allowed to specify an alternate RD Gateway server. Users can specify an alternative RD Gateway server by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate RD Gateway server, the server that you specify in this policy setting is used by default.

Note: If you disable or do not configure this policy setting, but enable the “Enable connections through RD Gateway” policy setting, client connection attempts to any remote computer will fail if the client cannot connect directly to the remote computer. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server.

Enable connection through RD Gateway

If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. In this case, the clients will attempt to connect to the RD Gateway server that is specified in the “Set RD Gateway server address” policy setting.

You can enforce this policy setting or you can allow users to overwrite this setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the “Use these RD Gateway server settings” option on the client.

Note: To enforce this policy setting, you must also specify the address of the RD Gateway server by using the “Set RD Gateway server address” policy setting, or client connection attempts to any remote computer will fail if the client cannot connect directly to the remote computer. To enhance security, it is also highly recommended that you specify the authentication method by using the “Set RD Gateway authentication method” policy setting. If you do not specify an authentication method by using this policy setting, either the NTLM protocol that is enabled on the client or a smart card can be used.

To allow users to overwrite this policy setting, select the “Allow users to change this setting” check box. When you do this, users on the client can choose not to connect through the RD Gateway server by selecting the “Do not use an RD Gateway server” option. Users can specify a connection method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify a connection method, the connection method that you specify in this policy setting is used by default.

If you disable or do not configure this policy setting, clients will not use the RD Gateway server address that is specified in the “Set RD Gateway server address” policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server.

Set RD Gateway authentication method

Specifies the authentication method that clients must use when attempting to connect to an RD Session Host server through an RD Gateway server.

You can enforce this policy setting or you can allow users to overwrite it. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the “Use these RD Gateway server settings” option on the client.

To allow users to overwrite this policy setting, select the “Allow users to change this setting” check box. When you do this, users can specify an alternate authentication method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate authentication method, the authentication method that you specify in this policy setting is used by default.

If you disable or do not configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method is not specified, the NTLM protocol that is enabled on the client or a smart card can be used for authentication.

Server authentication certificate template

This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server. A certificate is needed to authenticate an RD Session Host server when SSL (TLS 1.0) is used to secure communication between a client and an RD Session Host server during RDP connections.

If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate has not been selected.

If no certificate can be found that was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RD Session Host server will be selected.

If you disable or do not configure this policy, the certificate template name is not specified at the Group Policy level. By default, a self-signed certificate is used to authenticate the RD Session Host server.

Note: If you select a specific certificate to be used to authenticate the RD Session Host server, that certificate will take precedence over this policy setting.
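
The selection rules described above, modelled in PowerShell as an added example (not Microsoft's code and not part of the original page). The certificate records, their field names (Template, Subject, NotAfter, Thumbprint), the template name RDSHAuth and the host names are constructed for illustration; the NoNameMatch result marks a case the policy text does not cover.

```powershell
# Added example. Certificate records are constructed sample data; the field names
# Template, Subject, NotAfter and Thumbprint are hypothetical, not a Windows API.
function New-Selection($Cert, [string]$Reason, [bool]$Enroll = $false) {
    $thumb = if ($Cert) { $Cert.Thumbprint } else { $null }
    [pscustomobject]@{ Thumbprint = $thumb; Reason = $Reason; EnrollmentRequested = $Enroll }
}

function Select-RdshCertificate {
    param(
        [Parameter(Mandatory)] [string] $TemplateName,  # template name set in the policy
        [Parameter(Mandatory)] [string] $ServerName,    # current name of the RD Session Host
        [object[]] $Candidates = @(),                   # certificates available to the server
        [object]   $Current,                            # certificate in use right now
        [object]   $Specific                            # certificate selected explicitly, if any
    )
    # A specifically selected certificate takes precedence over the policy.
    if ($Specific) { return New-Selection $Specific 'SpecificCertificate' }

    # Only certificates created from the configured template are considered.
    $fromTemplate = @($Candidates | Where-Object { $_.Template -eq $TemplateName })
    if ($fromTemplate.Count -eq 0) {
        # None found: an enrollment request is issued and the current certificate stays in use.
        return New-Selection $Current 'NoTemplateMatch' $true
    }

    # Among template certificates, take the latest-expiring one that matches the server name.
    $best = $fromTemplate | Where-Object { $_.Subject -eq $ServerName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if ($best) { return New-Selection $best 'TemplateAndNameMatch' }

    # Not covered by the policy text: template certificates exist, none matches the name.
    return New-Selection $null 'NoNameMatch'
}

$selfSigned = [pscustomobject]@{ Thumbprint = 'SELF'; Template = $null; Subject = 'rdsh01.example.test'; NotAfter = [datetime]'2025-06-30' }
$store = @(
    [pscustomobject]@{ Thumbprint = 'AAAA'; Template = 'RDSHAuth';  Subject = 'rdsh01.example.test';   NotAfter = [datetime]'2025-12-31' }
    [pscustomobject]@{ Thumbprint = 'BBBB'; Template = 'RDSHAuth';  Subject = 'rdsh01.example.test';   NotAfter = [datetime]'2026-12-31' }
    [pscustomobject]@{ Thumbprint = 'CCCC'; Template = 'RDSHAuth';  Subject = 'old-name.example.test'; NotAfter = [datetime]'2027-12-31' }
    [pscustomobject]@{ Thumbprint = 'DDDD'; Template = 'WebServer'; Subject = 'rdsh01.example.test';   NotAfter = [datetime]'2028-12-31' }
)

# Template and name both match for AAAA and BBBB; CCCC and DDDD each fail one filter.
Select-RdshCertificate -TemplateName 'RDSHAuth' -ServerName 'rdsh01.example.test' -Candidates $store -Current $selfSigned
# No certificate from this template: falls back to the current one and requests enrollment.
Select-RdshCertificate -TemplateName 'Missing' -ServerName 'rdsh01.example.test' -Candidates $store -Current $selfSigned
```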

Require user authentication for remote connections by using Network Level Authentication

This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process.

If you enable this policy setting, only client computers that support Network Level Authentication can connect to the RD Session Host server.

To determine whether a client computer supports Network Level Authentication, start Remote Desktop Connection on the client computer, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Remote Desktop Connection dialog box, look for the phrase “Network Level Authentication supported”.

If you disable this policy setting, Network Level Authentication is not required for user authentication before allowing remote connections to the RD Session Host server.

If you do not configure this policy setting, the local setting on the target computer will be enforced. On Windows Server 2012 and Windows 8, Network Level Authentication is enforced by default.

Important: Disabling this policy setting provides less security because user authentication will occur later in the remote connection process.

Require use of specific security layer for remote (RDP) connections

This policy setting specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections.

If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the security method specified in this setting. The following security methods are available:

* Negotiate: The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TLS) version 1.0 is supported, it is used to authenticate the RD Session Host server. If TLS is not supported, native Remote Desktop Protocol (RDP) encryption is used to secure communications, but the RD Session Host server is not authenticated.
* RDP: The RDP method uses native RDP encryption to secure communications between the client and RD Session Host server. If you select this setting, the RD Session Host server is not authenticated.
* SSL (TLS 1.0): The SSL method requires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS is not supported, the connection fails.

If you disable or do not configure this policy setting, the security method to be used for remote connections to RD Session Host servers is not specified at the Group Policy level.

Always prompt for password upon connection

This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.

By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.

If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.

If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client.

If you do not configure this policy setting, automatic logon is not specified at the Group Policy level.