The RDS Security group policy settings control how connections to RDS hosts are secured, including whether local administrators are allowed to customize permissions.

The Horizon 7 RDS group policy settings are installed in the Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security folder.

Table 1. RDS Security Group Policy Settings (each entry gives the setting name, followed by its description)

Server Authentication Certificate Template

Use this policy setting to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RDS host.

A certificate is needed to authenticate an RDS host when SSL (TLS 1.0) is used to secure communication between a client and an RDS host during RDP connections.

If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RDS host is automatically selected. Automatic certificate selection only occurs when a specific certificate has not been selected.

If no certificate can be found that was created with the specified certificate template, the RDS host will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RDS host will be selected.

If you disable or do not configure this policy setting, a self-signed certificate will be used by default to authenticate the RDS host. You can select a specific certificate to be used to authenticate the RDS host on the General tab of the Remote Desktop Session Host Configuration tool.

Note: If you select a specific certificate to be used to authenticate the RDS host, that certificate will take precedence over this policy setting.
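The selection rule above (only certificates from the named template, matching the host's current name, latest expiry wins) is easy to misjudge when a host holds several server certificates. The following PowerShell script is an added example, not code from the Horizon 7 documentation or from VMware, that emulates that rule against the local machine store so an administrator can see which certificate the host would pick before enabling the policy. It assumes, and the page does not state, that the template name is carried in the Certificate Template Name (V1, OID 1.3.6.1.4.1.311.20.2) or Certificate Template Information (V2, OID 1.3.6.1.4.1.311.21.7) extension, and that the host name is matched against the subject DNS name and the DNS entries of the subject alternative name; the template name `RDSHost` in the usage line is a constructed placeholder.

```powershell
# Added example (not from the Horizon 7 documentation): emulate the automatic
# certificate selection described for "Server Authentication Certificate Template".
# Assumptions: template name read from the V1 (1.3.6.1.4.1.311.20.2) or V2
# (1.3.6.1.4.1.311.21.7) template extension; host name matched against the
# subject DNS name and DNS SAN entries.

function Get-CertTemplateName {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        $text = $ext.Format($false)
        switch ($ext.Oid.Value) {
            # V1 extension decodes to the bare template name.
            '1.3.6.1.4.1.311.20.2' { return $text.Trim() }
            # V2 extension decodes to "Template=<Name>(<OID>), ..." when the template is known locally.
            '1.3.6.1.4.1.311.21.7' { if ($text -match 'Template=([^(,]+)') { return $Matches[1].Trim() } }
        }
    }
    return $null
}

function Select-RdsHostCertificate {
    param(
        [Parameter(Mandatory)][string]$TemplateName,
        [string]$HostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $candidates = Get-ChildItem -Path $StorePath | Where-Object {
        # Rule 1: only certificates issued from the named template are considered.
        (Get-CertTemplateName -Cert $_) -eq $TemplateName
    } | Where-Object {
        # Rule 2: the certificate must match the current name of the RDS host.
        $names = @($_.GetNameInfo('DnsName', $false)) + @($_.DnsNameList | ForEach-Object { $_.Unicode })
        $names -contains $HostName
    }

    if (-not $candidates) {
        # Page behaviour: the host issues an enrollment request and keeps using its
        # current (by default self-signed) certificate until that request completes.
        Write-Warning "No certificate from template '$TemplateName' matches '$HostName'."
        return $null
    }

    # Rule 3: among several matches, the certificate that expires latest wins.
    $candidates | Sort-Object -Property NotAfter -Descending | Select-Object -First 1
}

# Usage: show which certificate would be auto-selected for the (constructed) "RDSHost" template.
Select-RdsHostCertificate -TemplateName 'RDSHost' |
    Format-List -Property Subject, Thumbprint, NotAfter, Issuer
```

Run it in an elevated session on the RDS host. An empty result reproduces the fallback case in the text: the host would keep its current certificate and request enrollment. Remember that a certificate explicitly selected in Remote Desktop Session Host Configuration takes precedence over this policy, so the script only tells you what automatic selection would do.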
Set client connection encryption level

Specifies whether to require the use of a specific encryption level to secure communications between clients and RDS hosts during Remote Desktop Protocol (RDP) connections.

If you enable this setting, all communications between clients and RDS hosts during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:

  • High. The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RDS host servers.
  • Client Compatible. The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption.
  • Low. The Low setting encrypts only data sent from the client to the server using 56-bit encryption.

If you disable or do not configure this setting, the encryption level to be used for remote connections to RDS hosts is not enforced through Group Policy. However, you can configure a required encryption level for these connections by using the Remote Desktop Session Host Configuration tool.

Important: FIPS compliance can be configured through the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" policy setting in the Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options folder, or through the "FIPS Compliant" setting in Remote Desktop Session Host Configuration. The FIPS Compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client with the Federal Information Processing Standard (FIPS) 140-1 encryption algorithms, using Microsoft cryptographic modules. Use this encryption level when communications between clients and RDS hosts require the highest level of encryption. If FIPS compliance is already enabled through the Group Policy "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" setting, that setting overrides the encryption level specified in this Group Policy setting or in the Remote Desktop Session Host Configuration tool.

Always prompt for password upon connection

Specifies whether Remote Desktop Services always prompts the client for a password upon connection.

You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.

By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.

If you enable this setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.

If you disable this setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client.

If you do not configure this setting, automatic logon is not specified at the Group Policy level. However, an administrator can still enforce password prompting by using the Remote Desktop Session Host Configuration tool.

Require secure RPC communication

Specifies whether an RDS host requires secure RPC communication with all clients or allows unsecured communication.

You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.

If you enable this setting, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients.

If you disable this setting, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request.

If you do not configure this setting, unsecured communication is allowed.

Note: The RPC interface is used for administering and configuring Remote Desktop Services.

Require use of specific security layer for remote (RDP) connections

Specifies whether to require the use of a specific security layer to secure communications between clients and RDS hosts during Remote Desktop Protocol (RDP) connections.

If you enable this setting, all communications between clients and RDS hosts during remote connections must use the security method specified in this setting. The following security methods are available:

  • Negotiate. The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TLS) version 1.0 is supported, it is used to authenticate the RDS host. If TLS is not supported, native Remote Desktop Protocol (RDP) encryption is used to secure communications, but the RDS host is not authenticated.
  • RDP. The RDP method uses native RDP encryption to secure communications between the client and RDS host. If you select this setting, the RDS host is not authenticated.
  • SSL (TLS 1.0). The SSL method requires the use of TLS 1.0 to authenticate the RDS host. If TLS is not supported, the connection fails.

If you disable or do not configure this setting, the security method to use for remote connections to RDS hosts is not enforced through Group Policy. However, you can configure a required security method for these connections by using the Remote Desktop Session Host Configuration tool.

Require user authentication for remote connections by using Network Level Authentication

Use this policy setting to specify whether to require user authentication for remote connections to the RDS host by using Network Level Authentication. This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process.

If you enable this policy setting, only client computers that support Network Level Authentication can connect to the RDS host.

To determine whether a client computer supports Network Level Authentication, start Remote Desktop Connection on the client computer, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Remote Desktop Connection dialog box, look for the phrase "Network Level Authentication supported."

If you disable or do not configure this policy setting, Network Level Authentication is not required for user authentication before allowing remote connections to the RDS host.

You can specify that Network Level Authentication be required for user authentication by using the Remote Desktop Session Host Configuration tool or the Remote tab in System Properties.

Important: Disabling or not configuring this policy setting provides less security because user authentication will occur later in the remote connection process.

Do not allow local administrators to customize permissions

Specifies whether to remove administrators' ability to customize security permissions in the Remote Desktop Session Host Configuration tool.

You can use this setting to prevent administrators from making changes to the user groups on the Permissions tab in the Remote Desktop Session Host Configuration tool. By default, administrators are able to make such changes.

If the status is set to Enabled, the Permissions tab in the Remote Desktop Session Host Configuration tool cannot be used to customize per-connection security descriptors or to change the default security descriptors for an existing group. All of the security descriptors are Read Only.

If the status is set to Disabled or Not Configured, server administrators have full Read/Write privileges to the user security descriptors on the Permissions tab in the Remote Desktop Session Host Configuration tool.

Note: The preferred method of managing user access is by adding a user to the Remote Desktop Users group.
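Because several entries in Table 1 end with "not enforced through Group Policy" and can then be set (or left weak) in Remote Desktop Session Host Configuration, it helps to audit both the policy layer and what the listener actually enforces. The script below is an added example, not code from the Horizon 7 documentation or from VMware. It assumes, and the page does not state, that the policies write the registry values named in `$PolicyMap` under the `Terminal Services` policy key (the names used by the Windows TerminalServer.admx template; verify against your template version), and that the effective listener values can be read from the `Win32_TSGeneralSetting` WMI class. The "Finding" text for each weaker value repeats what the table itself says about that choice.

```powershell
# Added example (not from the Horizon 7 documentation): audit how the Table 1
# policies are applied on the local RDS host and flag the choices the table
# describes as weaker. Assumptions: registry value names as written by the
# Windows TerminalServer.admx template; effective listener values from the
# Win32_TSGeneralSetting WMI class. Run in an elevated session on the RDS host.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Registry value -> Table 1 setting, decoded values, and the values the table describes as weaker.
$PolicyMap = [ordered]@{
    'CertTemplateName'     = @{ Setting = 'Server Authentication Certificate Template' }
    'MinEncryptionLevel'   = @{ Setting = 'Set client connection encryption level'
                                Values  = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
                                Weak    = @(1, 2); Finding = 'Clients may connect with less than 128-bit encryption' }
    'fPromptForPassword'   = @{ Setting = 'Always prompt for password upon connection'
                                Values  = @{ 0 = 'Disabled'; 1 = 'Enabled' } }
    'fEncryptRPCTraffic'   = @{ Setting = 'Require secure RPC communication'
                                Values  = @{ 0 = 'Disabled'; 1 = 'Enabled' }
                                Weak    = @(0); Finding = 'Unsecured RPC communication is allowed' }
    'SecurityLayer'        = @{ Setting = 'Require use of specific security layer for remote (RDP) connections'
                                Values  = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
                                Weak    = @(0); Finding = 'Native RDP encryption only: the RDS host is not authenticated' }
    'UserAuthentication'   = @{ Setting = 'Require user authentication for remote connections by using Network Level Authentication'
                                Values  = @{ 0 = 'Disabled'; 1 = 'Enabled' }
                                Weak    = @(0); Finding = 'NLA not required: user authentication occurs later in the connection' }
    'fWritableTSCCPermTab' = @{ Setting = 'Do not allow local administrators to customize permissions'
                                Values  = @{ 0 = 'Enabled (security descriptors read-only)'; 1 = 'Disabled' } }
}

function Get-RdsSecurityPolicyReport {
    # One row per Table 1 setting: how (or whether) Group Policy configures it on this host.
    param([string]$Key = $PolicyKey)
    $props = if (Test-Path -Path $Key) { Get-ItemProperty -Path $Key } else { $null }
    foreach ($name in $PolicyMap.Keys) {
        $entry = $PolicyMap[$name]
        $raw = if ($props -and $props.PSObject.Properties[$name]) { $props.$name } else { $null }
        if ($null -eq $raw) {
            $state = 'Not Configured (not enforced through Group Policy)'
        } elseif ($entry.Values) {
            $state = $entry.Values[[int]$raw]
            if (-not $state) { $state = "Unknown value $raw" }
        } else {
            $state = [string]$raw
        }
        $finding = ''
        if ($entry.Weak -and $null -ne $raw -and ($entry.Weak -contains [int]$raw)) { $finding = $entry.Finding }
        [pscustomobject]@{ Setting = $entry.Setting; RegistryValue = $name; State = $state; Finding = $finding }
    }
}

function Get-RdsEffectiveListenerSettings {
    # What the RDP-Tcp listener actually enforces once policy and the Remote Desktop
    # Session Host Configuration tool are combined (policy wins where it is configured).
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
    [pscustomobject]@{
        SecurityLayer         = $PolicyMap['SecurityLayer'].Values[[int]$ts.SecurityLayer]
        MinEncryptionLevel    = $PolicyMap['MinEncryptionLevel'].Values[[int]$ts.MinEncryptionLevel]
        NlaRequired           = [bool]$ts.UserAuthenticationRequired
        CertificateThumbprint = $ts.SSLCertificateSHA1Hash
    }
}

# Usage: policy view first, then the effective listener view for comparison.
Get-RdsSecurityPolicyReport | Format-Table -Property Setting, State, Finding -AutoSize -Wrap
Get-RdsEffectiveListenerSettings | Format-List
```

A row that reads "Not Configured" in the policy report but shows a strong value in the effective listener settings means the protection depends on the local Remote Desktop Session Host Configuration and will not be restored by Group Policy if someone changes it; the FIPS case from the table is the reverse, since the system-wide FIPS policy overrides whatever encryption level the listener reports.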