Standard User Total Lockout Threshold

This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration for Standard User Lockout Duration equals this value, all standard users are prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed at which standard users can send commands requiring authorization to the TPM.

An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored.

For each standard user, two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. The Standard User Individual Lockout value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM. This value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM.

The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it is global for all users, including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures, depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so that enough clock cycles elapse before the TPM exits the lockout mode.

An administrator with the TPM owner password may fully reset the TPM’s hardware lockout logic using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM’s hardware lockout logic, all prior standard user TPM authorization failures are ignored, allowing standard users to use the TPM normally again immediately.

If this value is not configured, a default value of 9 is used. A value of zero means the OS will not allow standard users to send commands to the TPM which may cause an authorization failure.

Configure the level of TPM owner authorization information available to the operating system

This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system and TPM-based applications can perform certain TPM actions which require TPM owner authorization without requiring the user to enter the TPM owner password. You can choose to have the operating system store either the full TPM owner authorization value, the TPM administrative delegation blob plus the TPM user delegation blob, or none.

If you enable this policy setting, Windows will store the TPM owner authorization in the registry of the local computer according to the operating system managed TPM authentication setting you choose.

Choose the operating system managed TPM authentication setting of “Full” to store the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. This setting allows use of the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios which do not depend on preventing reset of the TPM’s anti-hammering logic or changing the TPM owner authorization value. Some TPM-based applications may require this setting be changed before features which depend on the TPM’s anti-hammering logic can be used.

Choose the operating system managed TPM authentication setting of “Delegated” to store only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM anti-hammering logic. External or remote storage of the full TPM owner authorization value, for example by backing up the value to Active Directory Domain Services (AD DS), is recommended when using this setting.

Choose the operating system managed TPM authentication setting of “None” for compatibility with previous operating systems and applications, or for use with scenarios that require TPM owner authorization not be stored locally. Using this setting might cause issues with some TPM-based applications.

If this policy setting is disabled or not configured, and the “Turn on TPM backup to Active Directory Domain Services” policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not configured, and the “Turn on TPM backup to Active Directory Domain Services” group policy setting is enabled, then only the administrative delegation and the user delegation blobs are stored in the local registry.

Note: If the operating system managed TPM authentication setting is changed from “Full” to “Delegated”, the full TPM owner authorization value will be regenerated and any copies of the original TPM owner authorization value will be invalid. If you are backing up the TPM owner authorization value to AD DS, the new owner authorization value will be automatically backed up to AD DS when it is changed.

Standard User Lockout Duration

This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. If the number of TPM commands with an authorization failure within the duration equals a threshold, a standard user is prevented from sending commands requiring authorization to the TPM. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed at which standard users can send commands requiring authorization to the TPM.

An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than this duration are ignored.

For each standard user, two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. The Standard User Lockout Threshold Individual value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM. The Standard User Lockout Total Threshold value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM.

The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it is global for all users, including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures, depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so that enough clock cycles elapse before the TPM exits the lockout mode.

An administrator with the TPM owner password may fully reset the TPM’s hardware lockout logic using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM’s hardware lockout logic, all prior standard user TPM authorization failures are ignored, allowing standard users to use the TPM normally again immediately.

If this value is not configured, a default value of 480 minutes (8 hours) is used.

Enable RemoteFX encoding for RemoteFX clients designed for Windows Server 2008 R2 SP1

This policy setting allows you to configure graphics encoding to use the RemoteFX Codec on the Remote Desktop Session Host server so that the sessions are compatible with non-Windows thin client devices designed for Windows Server 2008 R2 SP1. These clients only support the Windows Server 2008 R2 SP1 RemoteFX Codec. If you enable this policy setting, users’ sessions on this server will only use the Windows Server 2008 R2 SP1 RemoteFX Codec for encoding. This mode is compatible with thin client devices that only support the Windows Server 2008 R2 SP1 RemoteFX Codec. If you disable or do not configure this policy setting, non-Windows thin clients that only support the Windows Server 2008 R2 SP1 RemoteFX Codec will not be able to connect to this server. This policy setting applies only to clients that are using Remote Desktop Protocol (RDP) 7.1 and does not affect clients that are using other RDP versions.

Specify default connection URL

This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The default connection URL is a specific connection that can only be configured by using Group Policy. In addition to the capabilities that are common to all connections, the default connection URL allows document file types to be associated with RemoteApp programs. The default connection URL must be configured in the form of http://contoso.com/rdweb/Feed/webfeed.aspx. If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default connection URL. The user’s default logon credentials are used when setting up the default connection URL. If you disable or do not configure this policy setting, the user has no default connection URL. Note: RemoteApp programs that are installed through RemoteApp and Desktop Connections from an untrusted server can compromise the security of a user’s account.

Select network detection on the server

This policy setting allows you to specify how the Remote Desktop Protocol will try to detect the network quality (bandwidth and latency). You can choose to disable Connect Time Detect, Continuous Network Detect, or both Connect Time Detect and Continuous Network Detect. If you disable Connect Time Detect, Remote Desktop Protocol will not determine the network quality at the connect time, and it will assume that all traffic to this server originates from a low-speed connection. If you disable Continuous Network Detect, Remote Desktop Protocol will not try to adapt the remote user experience to varying network quality. If you disable Connect Time Detect and Continuous Network Detect, Remote Desktop Protocol will not try to determine the network quality at the connect time; instead it will assume that all traffic to this server originates from a low-speed connection, and it will not try to adapt the user experience to varying network quality. If you disable or do not configure this policy setting, Remote Desktop Protocol will spend up to a few seconds trying to determine the network quality prior to the connection, and it will continuously try to adapt the user experience to varying network quality.

Select RDP transport protocols

This policy setting allows you to specify which protocols can be used for Remote Desktop Protocol (RDP) access to this server. If you enable this policy setting, you must specify if you would like RDP to use UDP. You can select one of the following options: “Use both UDP and TCP (default)”, “Use only TCP”, or “Use either UDP or TCP”. If you select “Use either UDP or TCP” and the UDP connection is successful, most of the RDP traffic will use UDP. If the UDP connection is not successful, or if you select “Use only TCP”, all of the RDP traffic will use TCP. If you disable or do not configure this policy setting, RDP will choose the optimal protocols for delivering the best user experience.

Configure image quality for RemoteFX Adaptive Graphics

This policy setting allows you to specify the visual quality for remote users when connecting to this computer by using Remote Desktop Connection. You can use this policy setting to balance the network bandwidth usage with the visual quality that is delivered. If you enable this policy setting and set quality to Medium, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. This mode consumes the lowest amount of network bandwidth of the quality modes. If you enable this policy setting and set quality to High, RemoteFX Adaptive Graphics uses an encoding mechanism that results in high quality images and consumes moderate network bandwidth. If you enable this policy setting and set quality to Lossless, RemoteFX Adaptive Graphics uses lossless encoding. In this mode the color integrity of the graphics data is not impacted. However, this setting results in a significant increase in network bandwidth consumption. We recommend that you set this for very specific cases only. If you disable or do not configure this policy setting, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images.

Configure RemoteFX Adaptive Graphics

This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remote Desktop Virtualization Host servers. By default, the system will choose the best experience based on available network bandwidth. If you enable this policy setting, the RemoteFX experience could be set to one of the following options:

1. Let the system choose the experience for the network condition
2. Optimize for server scalability
3. Optimize for minimum bandwidth usage

If you disable or do not configure this policy setting, the RemoteFX experience will change dynamically based on the network condition.