Category: At least Windows Vista with Service Pack 1

This policy setting allows you to specify whether users can run Remote Desktop Protocol (. rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one that is issued by an authority recognized by the client such as the issuers in the client’s Third-Party Root Certification Authorities certificate store. This policy setting also controls whether the user can start an RDP session by using default . rdp settings (for example when a user directly opens the Remote Desktop Connection [RDC] client without specifying an . rdp file). If you enable or do not configure this policy setting users can run . rdp files that are signed with a valid certificate. Users can also start an RDP session with default . rdp settings by directly opening the RDC client. When a user starts an RDP session the user is asked to confirm whether they want to connect. If you disable this policy setting users cannot run . rdp files that are signed with a valid certificate. Additionally users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session the user receives a message that the publisher has been blocked. Note: You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer all users on the computer are affected.

This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (. rdp) file publishers. If you enable this policy setting any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an . rdp file that is signed by a trusted certificate the user does not receive any warning messages when they start the file. To obtain the thumbprint view the certificate details and then click the Thumbprint field. If you disable or do not configure this policy setting no publisher is treated as a trusted . rdp publisher. Notes:You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. This policy setting overrides the behavior of the “Allow . rdp files from valid publishers and user’s default . rdp settings” policy setting. If the list contains a string that is not a certificate thumbprint it is ignored.

This policy setting determines whether a user will be prompted on the client computer to provide credentials for a remote connection to an RD Session Host server. If you enable this policy setting a user will be prompted on the client computer instead of on the RD Session Host server to provide credentials for a remote connection to an RD Session Host server. If saved credentials for the user are available on the client computer the user will not be prompted to provide credentials. Note: If you enable this policy setting in releases of Windows Server 2008 R2 with SP1 or Windows Server 2008 R2 and a user is prompted on both the client computer and on the RD Session Host server to provide credentials clear the Always prompt for password check box on the Log on Settings tab in Remote Desktop Session Host Configuration. If you disable or do not configure this policy setting the version of the operating system on the RD Session Host server will determine when a user is prompted to provide credentials for a remote connection to an RD Session Host server. For Windows Server 2003 and Windows 2000 Server a user will be prompted on the terminal server to provide credentials for a remote connection. For Windows Server 2008 and Windows Server 2008 R2 a user will be prompted on the client computer to provide credentials for a remote connection.

This policy setting allows you to specify whether the client will establish a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server. If you enable this policy setting you must specify one of the following settings:Always connect even if authentication fails: The client connects to the RD Session Host server even if the client cannot authenticate the RD Session Host server. Warn me if authentication fails: The client attempts to authenticate the RD Session Host server. If the RD Session Host server can be authenticated the client establishes a connection to the RD Session Host server. If the RD Session Host server cannot be authenticated the user is prompted to choose whether to connect to the RD Session Host server without authenticating the RD Session Host server. Do not connect if authentication fails: The client establishes a connection to the RD Session Host server only if the RD Session Host server can be authenticated. If you disable or do not configure this policy setting the authentication setting that is specified in Remote Desktop Connection or in the . rdp file determines whether the client establishes a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server.

This policy setting allows you to specify which Remote Desktop Protocol (RDP) compression algorithm to use. By default servers use an RDP compression algorithm that is based on the server’s hardware configuration. If you enable this policy setting you can specify which RDP compression algorithm to use. If you select the algorithm that is optimized to use less memory this option is less memory-intensive but uses more network bandwidth. If you select the algorithm that is optimized to use less network bandwidth this option uses less network bandwidth but is more memory-intensive. Additionally a third option is available that balances memory usage and network bandwidth. In Windows 8 only the compression algorithm that balances memory usage and bandwidth is used. You can also choose not to use an RDP compression algorithm. Choosing not to use an RDP compression algorithm will use more network bandwidth and is only recommended if you are using a hardware device that is designed to optimize network traffic. Even if you choose not to use an RDP compression algorithm some graphics data will still be compressed. If you disable or do not configure this policy setting the default RDP compression algorithm will be used.

This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (. rdp) files and . rdp files from unknown publishers on the client computer. If you enable or do not configure this policy setting users can run unsigned . rdp files and . rdp files from unknown publishers on the client computer. Before a user starts an RDP session the user receives a warning message and is asked to confirm whether they want to connect. If you disable this policy setting users cannot run unsigned . rdp files and . rdp files from unknown publishers on the client computer. If the user tries to start an RDP session the user receives a message that the publisher has been blocked.