Hide notifications about RD Licensing problems that affect the RD Session Host server

This policy setting determines whether notifications are displayed on an RD Session Host server when there are problems with RD Licensing that affect the RD Session Host server. By default, notifications are displayed on an RD Session Host server after you log on as a local administrator if there are problems with RD Licensing that affect the RD Session Host server. If applicable, a notification will also be displayed that notes the number of days until the licensing grace period for the RD Session Host server will expire. If you enable this policy setting, these notifications will not be displayed on the RD Session Host server. If you disable or do not configure this policy setting, these notifications will be displayed on the RD Session Host server after you log on as a local administrator.

Do not allow passwords to be saved

Controls whether passwords can be saved on this computer from Remote Desktop Connection. If you enable this setting, the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted. If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.

Set client connection encryption level

This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:

* High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers.
* Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption.
* Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption.

If you disable or do not configure this setting, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Group Policy.

Important: FIPS compliance can be configured through the “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” setting in Group Policy (under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options). The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client with the Federal Information Processing Standard (FIPS) 140 encryption algorithms by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers require the highest level of encryption.

Always prompt for password upon connection

This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client. If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on. If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client. If you do not configure this policy setting, automatic logon is not specified at the Group Policy level.

Require use of specific security layer for remote (RDP) connections

This policy setting specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the security method specified in this setting. The following security methods are available:

* Negotiate: The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TLS) version 1.0 is supported, it is used to authenticate the RD Session Host server. If TLS is not supported, native Remote Desktop Protocol (RDP) encryption is used to secure communications, but the RD Session Host server is not authenticated.
* RDP: The RDP method uses native RDP encryption to secure communications between the client and RD Session Host server. If you select this setting, the RD Session Host server is not authenticated.
* SSL (TLS 1.0): The SSL method requires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS is not supported, the connection fails.

If you disable or do not configure this policy setting, the security method to be used for remote connections to RD Session Host servers is not specified at the Group Policy level.

Require user authentication for remote connections by using Network Level Authentication

This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process. If you enable this policy setting, only client computers that support Network Level Authentication can connect to the RD Session Host server. To determine whether a client computer supports Network Level Authentication, start Remote Desktop Connection on the client computer, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Remote Desktop Connection dialog box, look for the phrase Network Level Authentication supported. If you disable this policy setting, Network Level Authentication is not required for user authentication before allowing remote connections to the RD Session Host server. If you do not configure this policy setting, the local setting on the target computer will be enforced. On Windows Server 2012 and Windows 8, Network Level Authentication is enforced by default.

Important: Disabling this policy setting provides less security because user authentication will occur later in the remote connection process.
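An audit sketch for the connection-security settings described above (password saving, encryption level, password prompt, security layer, Network Level Authentication); it is an added example, not part of the original reference or Microsoft's own tooling. Assumptions: the policy key path, the registry value names and their numeric values are not given on this page, and `Get-RdsPolicyReport` is a hypothetical helper name; `Flag` marks only the choices this page itself describes as weaker.

```powershell
# Added example: decodes the policy-backed registry values for the settings above.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Flag = values this page describes as the weaker choice for that setting.
$Rules = @(
    @{ Name = 'MinEncryptionLevel'; Setting = 'Set client connection encryption level'
       Map  = @{ 1 = 'Low (56-bit, client to server only)'; 2 = 'Client Compatible'; 3 = 'High (128-bit)' }
       Flag = @(1) }
    @{ Name = 'SecurityLayer'; Setting = 'Require use of specific security layer'
       Map  = @{ 0 = 'RDP (server not authenticated)'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
       Flag = @(0) }
    @{ Name = 'UserAuthentication'; Setting = 'Require Network Level Authentication'
       Map  = @{ 0 = 'NLA not required'; 1 = 'NLA required' }
       Flag = @(0) }
    @{ Name = 'fPromptForPassword'; Setting = 'Always prompt for password upon connection'
       Map  = @{ 0 = 'Automatic logon allowed'; 1 = 'Always prompt' }
       Flag = @() }
    @{ Name = 'DisablePasswordSaving'; Setting = 'Do not allow passwords to be saved'
       Map  = @{ 0 = 'Saving allowed'; 1 = 'Saving disabled' }
       Flag = @() }
)

function Get-RdsPolicyReport {
    param([hashtable]$Values)   # value name -> DWORD; omit to read the live policy key
    if (-not $PSBoundParameters.ContainsKey('Values')) {
        $Values = @{}
        $item = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
        foreach ($r in $Rules) {
            if ($item -and $null -ne $item.($r.Name)) { $Values[$r.Name] = $item.($r.Name) }
        }
    }
    foreach ($r in $Rules) {
        if (-not $Values.ContainsKey($r.Name)) {
            [pscustomobject]@{ Setting = $r.Setting; Value = $null; Flagged = $false
                               Meaning = 'Not configured at the Group Policy level' }
            continue
        }
        $v = [int]$Values[$r.Name]
        $meaning = if ($r.Map.ContainsKey($v)) { $r.Map[$v] } else { "Unrecognised value $v" }
        [pscustomobject]@{ Setting = $r.Setting; Value = $v; Flagged = ($r.Flag -contains $v)
                           Meaning = $meaning }
    }
}

# Constructed sample, not taken from a real host.
$sample = @{ MinEncryptionLevel = 1; SecurityLayer = 0; UserAuthentication = 1; DisablePasswordSaving = 1 }
Get-RdsPolicyReport -Values $sample | Format-Table -AutoSize
```

Calling `Get-RdsPolicyReport` with no arguments reads the local policy key instead of the sample; a setting reported as not configured falls back to the host's local configuration, which this sketch does not inspect.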

Server authentication certificate template

This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server. A certificate is needed to authenticate an RD Session Host server when SSL (TLS 1.0) is used to secure communication between a client and an RD Session Host server during RDP connections. If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate has not been selected. If no certificate can be found that was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RD Session Host server will be selected. If you disable or do not configure this policy, the certificate template name is not specified at the Group Policy level. By default, a self-signed certificate is used to authenticate the RD Session Host server.

Note: If you select a specific certificate to be used to authenticate the RD Session Host server, that certificate will take precedence over this policy setting.

Automatic reconnection

Specifies whether to allow Remote Desktop Connection clients to automatically reconnect to sessions on an RD Session Host server if their network link is temporarily lost. By default, a maximum of twenty reconnection attempts are made at five second intervals. If the status is set to Enabled, automatic reconnection is attempted for all clients running Remote Desktop Connection whenever their network connection is lost. If the status is set to Disabled, automatic reconnection of clients is prohibited. If the status is set to Not Configured, automatic reconnection is not specified at the Group Policy level. However, users can configure automatic reconnection using the “Reconnect if connection is dropped” checkbox on the Experience tab in Remote Desktop Connection.

Turn off Fair Share CPU Scheduling

Fair Share CPU Scheduling dynamically distributes processor time across all Remote Desktop Services sessions on the same RD Session Host server, based on the number of sessions and the demand for processor time within each session. If you enable this policy setting, Fair Share CPU Scheduling is turned off. If you disable or do not configure this policy setting, Fair Share CPU Scheduling is turned on.

Turn off Windows Installer RDS Compatibility

This policy setting specifies whether Windows Installer RDS Compatibility runs on a per user basis for fully installed applications. Windows Installer allows one instance of the msiexec process to run at a time. By default, Windows Installer RDS Compatibility is turned on. If you enable this policy setting, Windows Installer RDS Compatibility is turned off and only one instance of the msiexec process can run at a time. If you disable or do not configure this policy setting, Windows Installer RDS Compatibility is turned on and multiple per user application installation requests are queued and handled by the msiexec process in the order in which they are received.