404bypass 1 0 4 – Redirection Made Easy


By Andrew Marshall
Principal Security Program Manager
Microsoft Corporation

Executive Summary

This document presents the latest guidance on rapidly identifying and removing Transport Layer Security (TLS) protocol version 1.0 dependencies in software built on top of Microsoft operating systems, following up with details on product changes and new features delivered by Microsoft to protect your own customers and online services. It is intended to be used as a starting point for building a migration plan to a TLS 1.2+ network environment. While the solutions discussed here may carry over and help with removing TLS 1.0 usage in non-Microsoft operating systems or crypto libraries, they are not a focus of this document.


TLS 1.0 is a security protocol first defined in 1999 for establishing encryption channels over computer networks. Microsoft has supported this protocol since Windows XP/Server 2003. While no longer the default security protocol in use by modern OSes, TLS 1.0 is still supported for backwards compatibility. Evolving regulatory requirements as well as new security vulnerabilities in TLS 1.0 provide corporations with the incentive to disable TLS 1.0 entirely.

Microsoft recommends customers get ahead of this issue by removing TLS 1.0 dependencies in their environments and disabling TLS 1.0 at the operating system level where possible. Given the length of time TLS 1.0 has been supported by the software industry, it is highly recommended that any TLS 1.0 deprecation plan include the following:

  • Code analysis to find/fix hardcoded instances of TLS 1.0 or older security protocols.

  • Network endpoint scanning and traffic analysis to identify operating systems using TLS 1.0 or older protocols.

  • Full regression testing through your entire application stack with TLS 1.0 disabled.

  • Migration of legacy operating systems and development libraries/frameworks to versions capable of negotiating TLS 1.2 by default.

  • Compatibility testing across operating systems used by your business to identify any TLS 1.2 support issues.

  • Coordination with your own business partners and customers to notify them of your move to deprecate TLS 1.0.

  • Understanding which clients may no longer be able to connect to your servers once TLS 1.0 is disabled.

The goal of this document is to provide recommendations which can help remove technical blockers to disabling TLS 1.0 while at the same time increasing visibility into the impact of this change to your own customers. Completing such investigations can help reduce the business impact of the next security vulnerability in TLS 1.0. For the purposes of this document, references to the deprecation of TLS 1.0 also include TLS 1.1.


Enterprise software developers have a strategic need to adopt more future-safe and agile solutions (otherwise known as Crypto Agility) to deal with future security protocol compromises. While this document proposes agile solutions to the elimination of TLS hardcoding, broader Crypto Agility solutions are beyond the scope of this document.

The Current State of Microsoft's TLS 1.0 implementation

Microsoft's TLS 1.0 implementation is free of known security vulnerabilities. Due to the potential for future protocol downgrade attacks and other TLS 1.0 vulnerabilities not specific to Microsoft's implementation, it is recommended that dependencies on all security protocols older than TLS 1.2 be removed where possible (TLS 1.1/1.0/SSLv3/SSLv2).

In planning for this migration to TLS 1.2+, developers and system administrators should be aware of the potential for protocol version hardcoding in applications developed by their employees and partners. Hardcoding here means that the TLS version is fixed to a version that is outdated and less secure than newer versions. TLS versions newer than the hardcoded version cannot be used without modifying the program in question. This class of problem cannot be addressed without source code changes and software update deployment. Protocol version hardcoding was commonplace in the past for testing and supportability purposes as many different browsers and operating systems had varying levels of TLS support.

Ensuring support for TLS 1.2 across deployed operating systems

Many operating systems have outdated TLS version defaults or support ceilings that need to be accounted for. Usage of Windows 8/Server 2012 or later means that TLS 1.2 will be the default security protocol version:

Figure 1: Security Protocol Support by OS Version

Windows OS              | SSLv2         | SSLv3    | TLS 1.0 | TLS 1.1       | TLS 1.2
Windows Vista           | Enabled       | Enabled  | Default | Not Supported | Not Supported
Windows Server 2008     | Enabled       | Enabled  | Default | Disabled*     | Disabled*
Windows 7 (WS2008 R2)   | Enabled       | Enabled  | Default | Disabled*     | Disabled*
Windows 8 (WS2012)      | Disabled      | Enabled  | Enabled | Enabled       | Default
Windows 8.1 (WS2012 R2) | Disabled      | Enabled  | Enabled | Enabled       | Default
Windows 10              | Disabled      | Enabled  | Enabled | Enabled       | Default
Windows Server 2016     | Not Supported | Disabled | Enabled | Enabled       | Default

*TLS 1.1/1.2 can be enabled on Windows Server 2008 via this optional Windows Update package.

For more information on TLS 1.0/1.1 deprecation in IE/Edge, see Modernizing TLS connections in Microsoft Edge and Internet Explorer 11, Site compatibility-impacting changes coming to Microsoft Edge and Disabling TLS/1.0 and TLS/1.1 in the new Edge Browser

A quick way to determine what TLS version will be requested by various clients when connecting to your online services is by referring to the Handshake Simulation at Qualys SSL Labs. This simulation covers client OS/browser combinations across manufacturers. See Appendix A at the end of this document for a detailed example showing the TLS protocol versions negotiated by various simulated client OS/browser combinations when connecting to www.microsoft.com.

If not already complete, it is highly recommended to conduct an inventory of operating systems used by your enterprise, customers and partners (the latter two via outreach/communication or at least HTTP User-Agent string collection). This inventory can be further supplemented by traffic analysis at your enterprise network edge. In such a situation, traffic analysis will yield the TLS versions successfully negotiated by customers/partners connecting to your services, but the traffic itself will remain encrypted.
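
The traffic analysis described above is possible because the ServerHello travels unencrypted and carries the version the server selected. The following is an added example, not part of the original document: it reads that version from handshake records already extracted from a capture and lists the clients that negotiated less than TLS 1.2. Assumptions: each ServerHello fits in one TLS record, and the record builder, addresses and function names are constructed for illustration.

```python
import struct
from collections import Counter

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
BELOW_TLS12 = {"SSLv3", "TLS 1.0", "TLS 1.1"}


def negotiated_version(record: bytes):
    """Return the version selected in a ServerHello record, or None."""
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x02:              # not a ServerHello
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    try:
        version = struct.unpack("!H", hello[0:2])[0]  # (legacy) server_version
        pos = 2 + 32                                  # skip the random
        pos += 1 + hello[pos]                         # skip the session_id
        pos += 2 + 1                                  # cipher suite, compression
        if pos + 2 <= len(hello):                     # extensions block present
            ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= min(ext_end, len(hello)):
                ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
                if ext_type == 43 and ext_len == 2:
                    # supported_versions: TLS 1.3 puts the real version here
                    # and leaves 0x0303 in the legacy field.
                    version = struct.unpack("!H", hello[pos + 4:pos + 6])[0]
                pos += 4 + ext_len
    except (IndexError, struct.error):
        return None                                   # truncated capture
    return VERSIONS.get(version, f"unknown 0x{version:04x}")


def weak_clients(flows):
    """flows: iterable of (client_ip, server_hello_record).
    Returns (Counter of negotiated versions, sorted IPs below TLS 1.2)."""
    counts, weak = Counter(), set()
    for client_ip, record in flows:
        version = negotiated_version(record)
        if version is None:
            continue
        counts[version] += 1
        if version in BELOW_TLS12:
            weak.add(client_ip)
    return counts, sorted(weak)


def make_server_hello(version: int, tls13: bool = False) -> bytes:
    """Build a minimal ServerHello record (constructed sample, not a capture)."""
    exts = struct.pack("!HHH", 43, 2, 0x0304) if tls13 else b""
    hello = (struct.pack("!H", 0x0303 if tls13 else version)
             + bytes(32)                  # random (zeros in this sample)
             + b"\x00"                    # empty session_id
             + b"\x00\x2f" + b"\x00"      # arbitrary cipher suite, no compression
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", min(version, 0x0303), len(handshake)) + handshake


# Constructed sample: documentation-range client addresses and built records.
SAMPLE_FLOWS = [
    ("192.0.2.10", make_server_hello(0x0301)),
    ("192.0.2.11", make_server_hello(0x0303)),
    ("198.51.100.7", make_server_hello(0x0304, tls13=True)),
    ("192.0.2.10", make_server_hello(0x0301)),
    ("203.0.113.5", make_server_hello(0x0302)),
]

if __name__ == "__main__":
    counts, weak = weak_clients(SAMPLE_FLOWS)
    for version, n in sorted(counts.items()):
        print(f"{version}: {n} connection(s)")
    print("Clients below TLS 1.2:", ", ".join(weak))
```

SSLv2 uses a different record layout and is not recognized by this parser.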


Microsoft's Engineering Improvements to eliminate TLS 1.0 dependencies

Since the v1 release of this document, Microsoft has shipped a number of software updates and new features in support of TLS 1.0 deprecation. These include:

  • IIS custom logging to correlate client IP/user agent string, service URI, TLS protocol version and cipher suite.

    • With this logging, admins can finally quantify their customers' exposure to weak TLS.
  • SecureScore - To help Office 365 tenant admins identify their own weak TLS usage, the SecureScore portal has been built to share this information as TLS 1.0 exited support in Office 365 in October 2018.

    • This portal provides Office 365 tenant admins with the valuable information they need to reach out to their own customers who may be unaware of their own TLS 1.0 dependencies.

    • Please visit https://securescore.microsoft.com/ for more information.

  • .Net Framework updates to eliminate app-level hardcoding and prevent framework-inherited TLS 1.0 dependencies.

  • Developer Guidance and software updates have been released to help customers identify and eliminate .Net dependencies on weak TLS: Transport Layer Security (TLS) best practices with the .NET Framework

    • FYI: All apps targeting .NET 4.5 or below are likely going to have to be modified in order to support TLS 1.2.
  • TLS 1.2 has been backported to Windows Server 2008 SP2 and XP POSReady 2009 to help customers with legacy obligations.

  • More announcements will be made in early 2019 and communicated in subsequent updates of this document.

Finding and fixing TLS 1.0 dependencies in code

For products using the Windows OS-provided cryptography libraries and security protocols, the following steps should help identify any hardcoded TLS 1.0 usage in your applications:

  1. Identify all instances of AcquireCredentialsHandle(). This helps reviewers get closer proximity to code blocks where TLS may be hardcoded.

  2. Review any instances of the SecPkgContext_SupportedProtocols and SecPkgContext_ConnectionInfo structures for hardcoded TLS.

  3. In native code, set any non-zero assignments of grbitEnabledProtocols to zero. This allows the operating system to use its default TLS version.

  4. Disable FIPS Mode if it is enabled due to the potential for conflict with settings required for explicitly disabling TLS 1.0/1.1 in this document. See Appendix B for more information.

  5. Update and recompile any applications using WinHTTP hosted on Server 2012 or older.

    1. Managed apps – rebuild and retarget against the latest .NET Framework version

    2. Applications must add code to support TLS 1.2 via WinHttpSetOption

  6. To cover all the bases, scan source code and online service configuration files for the patterns below corresponding to enumerated type values commonly used in TLS hardcoding:

    1. SecurityProtocolType

    2. SSLv2, SSLv23, SSLv3, TLS1, TLS 10, TLS11

    3. WINHTTP_FLAG_SECURE_PROTOCOL_

    4. SP_PROT_

    5. NSStreamSocketSecurityLevel

    6. PROTOCOL_SSL or PROTOCOL_TLS

The recommended solution in all cases above is to remove the hardcoded protocol version selection and defer to the operating system default. If you are using DevSkim, click here to see rules covering the above checks which you can use with your own code.
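
The scan in step 6, together with the grbitEnabledProtocols check from step 3, can be scripted. The following is an added example, not part of the original document and not the DevSkim rules: the regular expressions are one interpretation of the listed strings, and the file names and sample contents are constructed. A hit marks a line for review, since some matches (a comment, or a constant that already defers to the default) are not hardcoding.

```python
import re
from pathlib import Path

# Rule name -> regex. Names follow the list in step 6; the regexes are this
# example's own interpretation of those strings.
RULES = {
    "SecurityProtocolType": re.compile(r"\bSecurityProtocolType\b"),
    "version literal": re.compile(
        r"\b(?:SSLv2|SSLv23|SSLv3|TLS1|TLS ?10|TLS11)\b", re.IGNORECASE),
    "WINHTTP_FLAG_SECURE_PROTOCOL_": re.compile(r"\bWINHTTP_FLAG_SECURE_PROTOCOL_\w+"),
    "SP_PROT_": re.compile(r"\bSP_PROT_\w+"),
    "NSStreamSocketSecurityLevel": re.compile(r"\bNSStreamSocketSecurityLevel\w*"),
    "PROTOCOL_SSL/PROTOCOL_TLS": re.compile(r"\bPROTOCOL_(?:SSL|TLS)\w*"),
}
# Step 3: an assignment to grbitEnabledProtocols is a finding unless it is zero.
GRBIT = re.compile(r"\bgrbitEnabledProtocols\s*=(?!=)\s*([^;]+);")


def scan_text(name, text):
    """Return (file, line_no, rule, source_line) for every hit in one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, regex in RULES.items():
            if regex.search(line):
                findings.append((name, line_no, rule, line.strip()))
        assigned = GRBIT.search(line)
        if assigned and assigned.group(1).strip() not in ("0", "0x0"):
            findings.append((name, line_no, "grbitEnabledProtocols != 0", line.strip()))
    return findings


def scan_tree(root, suffixes=(".cs", ".c", ".cpp", ".h", ".m", ".py", ".ps1",
                              ".config", ".json", ".xml")):
    """Scan source and configuration files under root (suffix list is an assumption)."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            findings += scan_text(str(path), path.read_text(errors="ignore"))
    return findings


# Constructed sample inputs, embedded so the example runs without a source tree.
SAMPLE_FILES = {
    "Client.cs": (
        "using System.Net;\n"
        "ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;\n"
        "var ok = true; // no protocol pinned here\n"
    ),
    "schannel_client.c": (
        "SCHANNEL_CRED cred = {0};\n"
        "cred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT;\n"
        "cred2.grbitEnabledProtocols = 0;\n"
    ),
    "web.config": '<add key="sslProtocol" value="TLS 10" />\n',
    "probe.py": "import ssl\nctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)\n",
}


def scan_samples():
    """Run the scanner over the embedded samples."""
    findings = []
    for name, text in SAMPLE_FILES.items():
        findings += scan_text(name, text)
    return findings


if __name__ == "__main__":
    for name, line_no, rule, source in scan_samples():
        print(f"{name}:{line_no}: [{rule}] {source}")
```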

Update Windows PowerShell scripts or related registry settings

Windows PowerShell uses .NET Framework 4.5, which does not include TLS 1.2 as an available protocol. To work around this, two solutions are available:

Solutions (1) and (2) are mutually-exclusive, meaning they need not be implemented together.

Rebuild/retarget managed applications using the latest .Net Framework version

Applications using .NET framework versions prior to 4.7 may have limitations effectively capping support to TLS 1.0 regardless of the underlying OS defaults. Refer to the below diagram and https://docs.microsoft.com/dotnet/framework/network-programming/tls for more information.

SystemDefaultTLSVersion takes precedence over app-level targeting of TLS versions. The recommended best practice is to always defer to the OS default TLS version. It is also the only crypto-agile solution that lets your apps take advantage of future TLS 1.3 support.

If you are targeting older versions of .NET Framework such as 4.5.2 or 3.5, then by default your application will use the older and not recommended protocols such as SSL 3.0 or TLS 1.0. It is strongly recommended that you upgrade to newer versions of .NET Framework such as .NET Framework 4.6 or set the appropriate registry keys for 'UseStrongCrypto'.

Testing with TLS 1.2+

Following the fixes recommended in the section above, products should be regression-tested for protocol negotiation errors and compatibility with other operating systems in your enterprise.

  • The most common issue in this regression testing will be a TLS negotiation failure due to a client connection attempt from an operating system or browser that does not support TLS 1.2.

    • For example, a Vista client will fail to negotiate TLS with a server configured for TLS 1.2+ as Vista's maximum supported TLS version is 1.0. That client should be either upgraded or decommissioned in a TLS 1.2+ environment.
  • Products using certificate-based Mutual TLS authentication may require additional regression testing as the certificate-selection code associated with TLS 1.0 was less expressive than that for TLS 1.2.

    • If a product negotiates MTLS with a certificate from a non-standard location (outside of the standard named certificate stores in Windows), then that code may need updating to ensure the certificate is acquired correctly.
  • Service interdependencies should be reviewed for trouble spots.

    • Any services which interoperate with 3rd-party services should conduct additional interop testing with those 3rd parties.

    • Any non-Windows applications or server operating systems in use require investigation / confirmation that they can support TLS 1.2. Scanning is the easiest way to determine this.

A simple blueprint for testing these changes in an online service consists of the following:

  1. Conduct a scan of production environment systems to identify operating systems which do not support TLS 1.2.

  2. Scan source code and online service configuration files for hardcoded TLS as described in 'Finding and fixing TLS 1.0 dependencies in code'

  3. Update/recompile applications as required:

    1. Managed apps

      1. Rebuild against the latest .NET Framework version.

      2. Verify any usage of the SSLProtocols enumeration is set to SSLProtocols.None in order to use OS default settings.

    2. WinHTTP apps – rebuild with WinHttpSetOption to support TLS 1.2

  4. Start testing in a pre-production or staging environment with all security protocols older than TLS 1.2 disabled via registry.

  5. Fix any remaining instances of TLS hardcoding as they are encountered in testing. Redeploy the software and perform a new regression test run.

Notifying partners of your TLS 1.0 deprecation plans

After TLS hardcoding is addressed and operating system/development framework updates are completed, should you opt to deprecate TLS 1.0 it will be necessary to coordinate with customers and partners:


  • Early partner/customer outreach is essential to a successful TLS 1.0 deprecation rollout. At a minimum this should consist of blog postings, whitepapers or other web content.

  • Partners each need to evaluate their own TLS 1.2 readiness through the operating system/code scanning/regression testing initiatives described in above sections.

Conclusion

Removing TLS 1.0 dependencies is a complicated issue to drive end to end. Microsoft and industry partners are taking action on this today to ensure our entire product stack is more secure by default, from our OS components and development frameworks up to the applications/services built on top of them. Following the recommendations made in this document will help your enterprise chart the right course and know what challenges to expect. It will also help your own customers become more prepared for the transition.

Appendix A: Handshake Simulation for various clients connecting to www.microsoft.com, courtesy SSLLabs.com

Appendix B: Deprecating TLS 1.0/1.1 while retaining FIPS Mode

Follow the steps below if your network requires FIPS Mode but you also want to deprecate TLS 1.0/1.1:


  1. Configure TLS versions via the registry, by setting 'Enabled' to zero for the unwanted TLS versions.

  2. Disable Curve 25519 (Server 2016 only) via Group Policy.

  3. Disable any cipher suites using algorithms that aren't allowed by the relevant FIPS publication. For Server 2016 (assuming the default settings are in effect) this means disabling RC4, PSK and NULL ciphers.

Contributors/Thanks to

Mark Cartwright
Bryan Sullivan
Patrick Jungles
Michael Scovetta
Tony Rice
David LeBlanc
Mortimer Cook
Daniel Sommerfeld
Andrei Popov
Michiko Short
Justin Burke
Gov Maharaj
Brad Turner
Sean Stevenson


The following table includes the list of supported RDP file settings that you can use with the Remote Desktop clients. When configuring settings, check Client comparisons to see which redirections each client supports.

The table also highlights which settings are supported as custom properties with Windows Virtual Desktop. You can refer to this documentation detailing how to use PowerShell to customize RDP properties for Windows Virtual Desktop host pools.


Connection information

full address:s:value
  Description: PC Name: This setting specifies the name or IP address of the remote computer that you want to connect to. This is the only required setting in an RDP file.
  Values: A valid name, IPv4 address, or IPv6 address.
  Default value: (none listed)
  Windows Virtual Desktop support: No

alternate full address:s:value
  Description: Specifies an alternate name or IP address of the remote computer.
  Values: A valid name, IPv4 address, or IPv6 address.
  Default value: (none listed)
  Windows Virtual Desktop support: No

username:s:value
  Description: Specifies the name of the user account that will be used to sign in to the remote computer.
  Values: Any valid username.
  Default value: (none listed)
  Windows Virtual Desktop support: No

domain:s:value
  Description: Specifies the name of the domain in which the user account that will be used to sign in to the remote computer is located.
  Values: A valid domain name, such as 'CONTOSO'.
  Default value: (none listed)
  Windows Virtual Desktop support: No

gatewayhostname:s:value
  Description: Specifies the RD Gateway host name.
  Values: A valid name, IPv4 address, or IPv6 address.
  Default value: (none listed)
  Windows Virtual Desktop support: No

gatewaycredentialssource:i:value
  Description: Specifies the RD Gateway authentication method.
  Values:
    - 0: Ask for password (NTLM)
    - 1: Use smart card
    - 2: Use the credentials for the currently logged on user.
    - 3: Prompt the user for their credentials and use basic authentication
    - 4: Allow user to select later
    - 5: Use cookie-based authentication
  Default value: 0
  Windows Virtual Desktop support: No

gatewayprofileusagemethod:i:value
  Description: Specifies whether to use default RD Gateway settings.
  Values:
    - 0: Use the default profile mode, as specified by the administrator
    - 1: Use explicit settings, as specified by the user
  Default value: 0
  Windows Virtual Desktop support: No

gatewayusagemethod:i:value
  Description: Specifies when to use an RD Gateway for the connection.
  Values:
    - 0: Don't use an RD Gateway
    - 1: Always use an RD Gateway
    - 2: Use an RD Gateway if a direct connection cannot be made to the RD Session Host
    - 3: Use the default RD Gateway settings
    - 4: Don't use an RD Gateway, bypass gateway for local addresses
    Setting this property value to 0 or 4 are effectively equivalent, but setting this property to 4 enables the option to bypass local addresses.
  Default value: 0
  Windows Virtual Desktop support: No

promptcredentialonce:i:value
  Description: Determines whether a user's credentials are saved and used for both the RD Gateway and the remote computer.
  Values:
    - 0: Remote session will not use the same credentials
    - 1: Remote session will use the same credentials
  Default value: 1
  Windows Virtual Desktop support: No

authentication level:i:value
  Description: Defines the server authentication level settings.
  Values:
    - 0: If server authentication fails, connect to the computer without warning (Connect and don't warn me)
    - 1: If server authentication fails, don't establish a connection (Don't connect)
    - 2: If server authentication fails, show a warning and allow me to connect or refuse the connection (Warn me)
    - 3: No authentication requirement specified.
  Default value: 3
  Windows Virtual Desktop support: No

enablecredsspsupport:i:value
  Description: Determines whether the client will use the Credential Security Support Provider (CredSSP) for authentication if it is available.
  Values:
    - 0: RDP will not use CredSSP, even if the operating system supports CredSSP
    - 1: RDP will use CredSSP if the operating system supports CredSSP
  Default value: 1
  Windows Virtual Desktop support: Yes

disableconnectionsharing:i:value
  Description: Determines whether the client reconnects to any existing disconnected session or initiates a new connection when a new connection is launched.
  Values:
    - 0: Reconnect to any existing session
    - 1: Initiate new connection
  Default value: 0
  Windows Virtual Desktop support: No

alternate shell:s:value
  Description: Specifies a program to be started automatically in the remote session as the shell instead of explorer.
  Values: Valid path to an executable file, such as 'C:\ProgramFiles\Office\word.exe'
  Default value: (none listed)
  Windows Virtual Desktop support: Yes

Session behavior

autoreconnection enabled:i:value
  Description: Determines whether the client will automatically try to reconnect to the remote computer if the connection is dropped, such as when there's a network connectivity interruption.
  Values:
    - 0: Client does not automatically try to reconnect
    - 1: Client automatically tries to reconnect
  Default value: 1
  Windows Virtual Desktop support: Yes

bandwidthautodetect:i:value
  Description: Determines whether or not to use automatic network bandwidth detection. Requires bandwidthautodetect to be set to 1.
  Values:
    - 0: Disable automatic network type detection
    - 1: Enable automatic network type detection
  Default value: 1
  Windows Virtual Desktop support: Yes

networkautodetect:i:value
  Description: Determines whether automatic network type detection is enabled
  Values:
    - 0: Don't use automatic network bandwidth detection
    - 1: Use automatic network bandwidth detection
  Default value: 1
  Windows Virtual Desktop support: Yes

compression:i:value
  Description: Determines whether bulk compression is enabled when it is transmitted by RDP to the local computer.
  Values:
    - 0: Disable RDP bulk compression
    - 1: Enable RDP bulk compression
  Default value: 1
  Windows Virtual Desktop support: Yes

videoplaybackmode:i:value
  Description: Determines if the connection will use RDP-efficient multimedia streaming for video playback.
  Values:
    - 0: Don't use RDP efficient multimedia streaming for video playback
    - 1: Use RDP-efficient multimedia streaming for video playback when possible
  Default value: 1
  Windows Virtual Desktop support: Yes

Device redirection

audiocapturemode:i:value
  Description: Microphone redirection: Indicates whether audio input redirection is enabled.
  Values:
    - 0: Disable audio capture from the local device
    - 1: Enable audio capture from the local device and redirection to an audio application in the remote session
  Default value: 0
  Windows Virtual Desktop support: Yes

encode redirected video capture:i:value
  Description: Enables or disables encoding of redirected video.
  Values:
    - 0: Disable encoding of redirected video
    - 1: Enable encoding of redirected video
  Default value: 1
  Windows Virtual Desktop support: Yes

redirected video capture encoding quality:i:value
  Description: Controls the quality of encoded video.
  Values:
    - 0: High compression video. Quality may suffer when there is a lot of motion.
    - 1: Medium compression.
    - 2: Low compression video with high picture quality.
  Default value: 0
  Windows Virtual Desktop support: Yes

audiomode:i:value
  Description: Audio output location: Determines whether the local or remote machine plays audio.
  Values:
    - 0: Play sounds on the local computer (Play on this computer)
    - 1: Play sounds on the remote computer (Play on remote computer)
    - 2: Do not play sounds (Do not play)
  Default value: 0
  Windows Virtual Desktop support: Yes

camerastoredirect:s:value
  Description: Camera redirection: Configures which cameras to redirect. This setting uses a semicolon-delimited list of KSCATEGORY_VIDEO_CAMERA interfaces of cameras enabled for redirection.
  Values:
    - * : Redirect all cameras
    - List of cameras, such as camerastoredirect:s:?usb#vid_0bda&pid_58b0&mi
    - One can exclude a specific camera by prepending the symbolic link string with '-'
  Default value: Don't redirect any cameras
  Windows Virtual Desktop support: Yes

devicestoredirect:s:value
  Description: Plug and play device redirection: Determines which devices on the local computer will be redirected and available in the remote session.
  Values:
    - *: Redirect all supported devices, including ones that are connected later
    - Valid hardware ID for one or more devices
    - DynamicDevices: Redirect all supported devices that are connected later
  Default value: Don't redirect any devices
  Windows Virtual Desktop support: Yes

drivestoredirect:s:value
  Description: Drive/storage redirection: Determines which disk drives on the local computer will be redirected and available in the remote session.
  Values:
    - No value specified: don't redirect any drives
    - * : Redirect all disk drives, including drives that are connected later
    - DynamicDrives: redirect any drives that are connected later
    - The drive and labels for one or more drives, such as 'drivestoredirect:s:C:;E:;': redirect the specified drive(s)
  Default value: Don't redirect any drives
  Windows Virtual Desktop support: Yes

keyboardhook:i:value
  Description: Determines when Windows key combinations (WIN key, ALT+TAB) are applied to the remote session for desktop connections.
  Values:
    - 0: Windows key combinations are applied on the local computer
    - 1: Windows key combinations are applied on the remote computer when in focus
    - 2: Windows key combinations are applied on the remote computer in full screen mode only
  Default value: 2
  Windows Virtual Desktop support: Yes

redirectclipboard:i:value
  Description: Clipboard redirection: Determines whether clipboard redirection is enabled.
  Values:
    - 0: Clipboard on local computer isn't available in remote session
    - 1: Clipboard on local computer is available in remote session
  Default value: 1
  Windows Virtual Desktop support: Yes

redirectcomports:i:value
  Description: COM ports redirection: Determines whether COM (serial) ports on the local computer will be redirected and available in the remote session.
  Values:
    - 0: COM ports on the local computer are not available in the remote session
    - 1: COM ports on the local computer are available in the remote session
  Default value: 0
  Windows Virtual Desktop support: Yes

redirectprinters:i:value
  Description: Printer redirection: Determines whether printers configured on the local computer will be redirected and available in the remote session
  Values:
    - 0: The printers on the local computer are not available in the remote session
    - 1: The printers on the local computer are available in the remote session
  Default value: 1
  Windows Virtual Desktop support: Yes

redirectsmartcards:i:value
  Description: Smart card redirection: Determines whether smart card devices on the local computer will be redirected and available in the remote session.
  Values:
    - 0: The smart card device on the local computer is not available in the remote session
    - 1: The smart card device on the local computer is available in the remote session
  Default value: 1
  Windows Virtual Desktop support: Yes

usbdevicestoredirect:s:value
  Description: USB redirection
  Values:
    - *: Redirect all USB devices that are not already redirected by another high-level redirection
    - {Device Setup Class GUID}: Redirect all devices that are members of the specified device setup class
    - USBInstanceID: Redirect a specific USB device identified by the instance ID
  Default value: Don't redirect any USB devices
  Windows Virtual Desktop support: Yes
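
Because an omitted setting falls back to its default, reviewing an RDP file means checking effective values rather than only the lines present. The following is an added example, not part of the original documentation: it parses the name:type:value lines and reports connection and redirection settings whose effective value exposes local resources or weakens server authentication. Assumptions: the choice of which values to report is this example's own review policy, and the host name and sample files are constructed.

```python
# Defaults as given in the tables on this page ("" means nothing is redirected).
DEFAULTS = {
    "authentication level": "3",
    "enablecredsspsupport": "1",
    "drivestoredirect": "",
    "devicestoredirect": "",
    "usbdevicestoredirect": "",
    "redirectclipboard": "1",
}


def redirects_all(value):
    """True when a semicolon-delimited redirection list contains the * wildcard."""
    return "*" in (item.strip() for item in value.split(";"))


# Review policy: setting -> (test on the effective value, what that value means).
# The meanings are taken from the tables; which ones to report is an assumption.
POLICY = {
    "authentication level": (lambda v: v == "0",
                             "connects without warning if server authentication fails"),
    "enablecredsspsupport": (lambda v: v == "0", "CredSSP is not used"),
    "drivestoredirect": (redirects_all, "all local disk drives are redirected"),
    "devicestoredirect": (redirects_all, "all supported local devices are redirected"),
    "usbdevicestoredirect": (redirects_all, "all local USB devices are redirected"),
    "redirectclipboard": (lambda v: v == "1",
                          "local clipboard is available in the remote session"),
}


def parse_rdp(raw: bytes):
    """Parse .rdp file bytes into {setting name: value}."""
    # Files may be UTF-16 with a byte-order mark; fall back to UTF-8 otherwise.
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig")
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)     # the value may itself contain ':'
        if len(parts) == 3 and parts[1] in ("s", "i"):
            settings[parts[0].lower()] = parts[2].strip()
    return settings


def audit(raw: bytes):
    """Return (setting, effective value, 'file' or 'default', reason) per finding."""
    settings = parse_rdp(raw)
    findings = []
    for name, (needs_review, reason) in POLICY.items():
        source = "file" if name in settings else "default"
        value = settings.get(name, DEFAULTS[name])
        if needs_review(value):
            findings.append((name, value, source, reason))
    return findings


# Constructed samples. The first never mentions the clipboard, so the default applies.
SAMPLE_PERMISSIVE = (
    "full address:s:rdsh01.example.test\r\n"
    "authentication level:i:0\r\n"
    "drivestoredirect:s:*\r\n"
).encode("utf-16")

SAMPLE_RESTRICTED = (
    b"full address:s:rdsh01.example.test\n"
    b"authentication level:i:1\n"
    b"drivestoredirect:s:\n"
    b"redirectclipboard:i:0\n"
)

if __name__ == "__main__":
    for label, raw in (("permissive", SAMPLE_PERMISSIVE), ("restricted", SAMPLE_RESTRICTED)):
        print(label)
        for name, value, source, reason in audit(raw):
            print(f"  {name} = {value!r} ({source}): {reason}")
```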

Display settings

use multimon:i:value
  Description: Determines whether the remote session will use one or multiple displays from the local computer.
  Values:
    - 0: Don't enable multiple display support
    - 1: Enable multiple display support
  Default value: 1
  Windows Virtual Desktop support: Yes

selectedmonitors:s:value
  Description: Specifies which local displays to use from the remote session. The selected displays must be contiguous. Requires use multimon to be set to 1. Only available on the Windows Inbox (MSTSC) and Windows Desktop (MSRDC) clients.
  Values: Comma separated list of machine-specific display IDs. IDs can be retrieved by calling mstsc.exe /l. The first ID listed will be set as the primary display in the session.
  Default value: All displays
  Windows Virtual Desktop support: Yes

maximizetocurrentdisplays:i:value
  Description: Determines which display the remote session goes full screen on when maximizing. Requires use multimon to be set to 1. Only available on the Windows Desktop (MSRDC) client.
  Values:
    - 0: Session goes full screen on the displays initially selected when maximizing
    - 1: Session dynamically goes full screen on the displays touched by the session window when maximizing
  Default value: 0
  Windows Virtual Desktop support: Yes

singlemoninwindowedmode:i:value
  Description: Determines whether a multi display remote session automatically switches to single display when exiting full screen. Requires use multimon to be set to 1. Only available on the Windows Desktop (MSRDC) client.
  Values:
    - 0: Session retains all displays when exiting full screen
    - 1: Session switches to single display when exiting full screen
  Default value: 0
  Windows Virtual Desktop support: Yes

screen mode id:i:value
  Description: Determines whether the remote session window appears full screen when you launch the connection.
  Values:
    - 1: The remote session will appear in a window
    - 2: The remote session will appear full screen
  Default value: 2
  Windows Virtual Desktop support: Yes

smart sizing:i:value
  Description: Determines whether or not the local computer scales the content of the remote session to fit the window size.
  Values:
    - 0: The local window content won't scale when resized
    - 1: The local window content will scale when resized
  Default value: 0
  Windows Virtual Desktop support: Yes

dynamic resolution:i:value
  Description: Determines whether the resolution of the remote session is automatically updated when the local window is resized.
  Values:
    - 0: Session resolution remains static for the duration of the session
    - 1: Session resolution updates as the local window resizes
  Default value: 1
  Windows Virtual Desktop support: Yes

desktop size id:i:value
  Description: Specifies the dimensions of the remote session desktop from a set of pre-defined options. This setting is overridden if desktopheight and desktopwidth are specified.
  Values:
    - 0: 640×480
    - 1: 800×600
    - 2: 1024×768
    - 3: 1280×1024
    - 4: 1600×1200
  Default value: 1
  Windows Virtual Desktop support: Yes

desktopheight:i:value
  Description: Specifies the resolution height (in pixels) of the remote session.
  Values: Numerical value between 200 and 8192
  Default value: Match the local computer
  Windows Virtual Desktop support: Yes

desktopwidth:i:value
  Description: Specifies the resolution width (in pixels) of the remote session.
  Values: Numerical value between 200 and 8192
  Default value: Match the local computer
  Windows Virtual Desktop support: Yes

desktopscalefactor:i:value
  Description: Specifies the scale factor of the remote session to make the content appear larger.
  Values: Numerical value from the following list: 100, 125, 150, 175, 200, 250, 300, 400, 500
  Default value: 100
  Windows Virtual Desktop support: Yes

RemoteApp

remoteapplicationcmdline:s:value
  Description: Optional command-line parameters for the RemoteApp.
  Values: Valid command-line parameters.
  Default value: (none listed)
  Windows Virtual Desktop support: No

remoteapplicationexpandcmdline:i:value
  Description: Determines whether environment variables contained in the RemoteApp command-line parameter should be expanded locally or remotely.
  Values:
    - 0: Environment variables should be expanded to the values of the local computer
    - 1: Environment variables should be expanded to the values of the remote computer
  Default value: 1
  Windows Virtual Desktop support: No

remoteapplicationexpandworkingdir:i:value
  Description: Determines whether environment variables contained in the RemoteApp working directory parameter should be expanded locally or remotely.
  Values:
    - 0: Environment variables should be expanded to the values of the local computer
    - 1: Environment variables should be expanded to the values of the remote computer.
    The RemoteApp working directory is specified through the shell working directory parameter.
  Default value: 1
  Windows Virtual Desktop support: No

remoteapplicationfile:s:value
  Description: Specifies a file to be opened on the remote computer by the RemoteApp. For local files to be opened, you must also enable drive redirection for the source drive.
  Values: Valid file path.
  Default value: (none listed)
  Windows Virtual Desktop support: No

remoteapplicationicon:s:value
  Description: Specifies the icon file to be displayed in the client UI while launching a RemoteApp. If no file name is specified, the client will use the standard Remote Desktop icon. Only '.ico' files are supported.
  Values: Valid file path.
  Default value: (none listed)
  Windows Virtual Desktop support: No

remoteapplicationmode:i:value
  Description: Determines whether a connection is launched as a RemoteApp session.
  Values:
    - 0: Don't launch a RemoteApp session
    - 1: Launch a RemoteApp session
  Default value: 1
  Windows Virtual Desktop support: No

remoteapplicationname:s:value
  Description: Specifies the name of the RemoteApp in the client interface while starting the RemoteApp.
  Values: App display name. For example, 'Excel 2016.'
  Default value: (none listed)
  Windows Virtual Desktop support: No

remoteapplicationprogram:s:value
  Description: Specifies the alias or executable name of the RemoteApp.
  Values: Valid alias or name. For example, 'EXCEL.'
  Default value: (none listed)
  Windows Virtual Desktop support: No



