Set client connection encryption level

Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2003, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016, WindowsVista, WindowsXP

Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available: * High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers. * Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption. * Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption. If you disable or do not configure this setting, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Group Policy. Important FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption.

No explicit registry values are set for enabled or disabled states.

• Computer
  Always prompt for password upon connection

  At least Windows Server 2003 operating systems or Windows XP Professional
• Computer
  Disconnect remote session on lock for legacy authentication

  Windows 11 22H2 SERVER
• Computer
  Disconnect remote session on lock for Microsoft identity platform authentication

  Windows 11 22H2 SERVER
• Computer
  Do not allow local administrators to customize permissions

  At least Windows Server 2003
• Computer
  Enable Microsoft Entra ID Authentication Enforcement

  At least Windows 11 Version 24H2
• Computer
  Require secure RPC communication

  At least Windows Server 2003
• Computer
  Require use of specific security layer for remote (RDP) connections

  At least Windows Vista
• Computer
  Require user authentication for remote connections by using Network Level Authentication

  At least Windows Vista
• Computer
  Server authentication certificate template

  At least Windows Vista