What are RDP file settings and how do they work?
RDP sessions may seem pretty universal, but IT administrators should make sure they're familiar with all the customizations that RDP files allow.
Remote desktops can be incredibly flexible and fulfill numerous use cases, but they need all the right settings and configurations to make those use cases work.
IT administrators should learn all the most common settings for remote desktop protocol (RDP) sessions and how to manage the files that control them.
What are the components of an RDP session?
Knowing the basics of RDP before editing RDP files for end users is essential for an administrator. A Microsoft remote desktop implementation consists of the following components:
- RD Connection Broker. This is the load balancer and broker for the environment. The server will check a user's credentials and which remote resources the user has access to. The connection broker also load balances the sessions over the available session hosts.
- RD Licensing. As the name suggests, this is the licensing server for a remote desktop deployment. Each user who signs into the environment needs a valid license to create a session.
- RD Web Access. This server creates a website -- or web server -- for end users to easily access their remote resources. When an end user clicks on a resource, an RDP file is generated for the user to start.
- RD Gateway. This server allows a remote desktop session to be started over the internet. It translates RDP to HTTPS.
- RD Session Hosts. These are the servers that host the resources that end users connect to and start their sessions on.
- RD Virtualization Host. This is an optional component. Organizations that use Hyper-V can choose to set up a VDI with many hosts managed through the RDS console. This function is not used often.
What are the different RDP file settings and what do they do?
With the basics of RDP covered, IT administrators should look at the RDP files. The Remote Desktop Client can open RDP files on a computer via MSTSC.exe, and this is where administrators can see the status of different settings. Another way to look at the files as an administrator is with a text editor. Because an RDP file is a non-encrypted configuration file, administrators can easily edit it with text editors. Notepad++ has many extra features like line numbers and easy selections.
Figure 1 shows an example of a basic RDP file for a local session to a server named test in Notepad++. Administrators can edit this file, save it, and distribute it to the clients.
As an administrator, it's important to know what most of these options mean for end users, especially if these settings are pushed to users' devices managed through Microsoft endpoint management.
- screen mode. This option determines whether the session starts in a window (1) or in full screen (2).
- use multimon. This option allows the remote session to span multiple monitors.
- desktopwidth. This option specifies the session's width in pixels.
- desktopheight. This option specifies the session's height in pixels.
- session bpp. This option determines the color depth of the session.
- winposstr. This option sets the starting position of the Remote Desktop Connection window.
- compression. This option enables or disables bulk compression of the data transmitted to the local device.
- keyboardhook. With this option, admins can send the Windows key and Alt+Tab combinations to the remote session or keep them local.
- audiocapturemode. With this option, admins can enable audio capture -- microphone -- redirection to the remote session.
- videoplaybackmode. This option determines whether RDP-efficient multimedia streaming is used for video playback, which offloads video work from the remote GPU to the local GPU.
- connection type. This option sets the maximum bandwidth the remote session can use.
- networkautodetect. With this option, the local client autodetects the network type and settings.
- bandwidthautodetect. This option enables or disables automatic detection of network bandwidth.
- displayconnectionbar. With this option, admins can show or hide the connection bar normally displayed at the top of the Remote Desktop session.
- enableworkspacereconnect. With this option, admins determine whether a Remote Desktop session reconnects after it is disconnected.
- disable wallpaper. This setting turns off the wallpaper of the remote session, which can improve session quality.
- allow font smoothing. This setting turns on ClearType in the RDP session.
- allow desktop composition. This option determines whether the modern Windows interface can be used within the remote desktop session.
- disable full window drag. With this option, admins can hide the contents of a window while a user drags it, which can improve session performance.
- disable menu anims. With this option, admins can disable menu animations, which improves session performance.
- disable themes. This option disables Windows themes in the remote session.
- disable cursor setting. With this option, admins can disable cursor animations, which improves session performance.
- bitmapcachepersistenable. This option allows the client device to keep a cache of the bitmaps rendered during the session, improving performance.
- full address. This is the fully qualified domain name of the server the client connects to. In a full remote desktop deployment, this is the connection broker address, and the broker then load balances the session.
- audiomode. With this option, admins can prevent the local client from playing audio from the remote host.
- redirectprinters. This setting enables or disables redirection of local printers to the remote session.
- redirectlocation. This setting enables or disables redirection of the local location service to the remote session.
- redirectcomports. This setting enables or disables redirection of local COM ports to the remote session.
- redirectsmartcards. This setting enables or disables redirection of local smart cards to the remote session.
- redirectwebauthn. This setting enables or disables redirection of local web authentication -- such as Windows Hello -- to the remote session.
- redirectclipboard. This setting enables or disables redirection of the local clipboard to the remote session.
- redirectposdevices. This setting enables or disables redirection of local point-of-service devices to the remote session.
- autoreconnection enabled. This setting allows the RDP session to reconnect automatically after a disconnect.
- authentication level. This setting determines what happens when authentication of the server fails.
- prompt for credentials. This setting enables or disables the credential prompt.
- negotiate security layer. This setting determines which security level is negotiated.
- remoteapplicationmode. This setting enables RemoteApp mode instead of a full desktop.
- alternate shell. If a RemoteApp is configured, this launches that application instead of the full Windows shell desktop.
- shell working directory. This is the working directory of the RemoteApp.
- gatewayhostname. This is the hostname of the Remote Desktop Gateway, if one is configured in the deployment.
- gatewayusagemethod. This determines whether the connection uses an RD Gateway.
- gatewaycredentialssource. This specifies which authentication method is used on the gateway.
- gatewayprofileusagemethod. This option selects either the default RD Gateway profile or a custom user profile.
- promptcredentialonce. With this option, administrators can choose to save the user's credentials after they have been entered once.
- gatewaybrokeringtype. This determines the type of Gateway server used.
- use redirection server name. This option enables the use of a redirection server for the RD Gateway.
- rdgiskdcproxy. This option sets whether the RD Gateway acts as the proxy for the user's Kerberos credentials.
- kdcproxyname. This is the name of the Kerberos Key Distribution Center proxy server.
- enablerdsaadauth. This option determines whether Microsoft Entra ID can be used to authenticate to the remote server.
Clearly there are a lot of options that remote desktop administrators can preconfigure in an RDP file for end users. A good tip for distributing preconfigured RDP files is to store them in an Azure storage container and deploy them with a remediation PowerShell script in Microsoft Intune. This gives central management of the files, and the remediation script can check whether the RDP files on the device have been changed.
Lastly, admins need to keep the dangers of RDP files in mind. Recently, a Russian cybercrime organization named Midnight Blizzard sent emails containing an RDP file. The file was configured to connect to their server and had all redirection enabled. When someone clicked on the email's file and connected to the remote session, all local drives, clipboard, printers, etc. would connect to the remote session, which the hacker group controlled. That way, it could easily steal information and deploy ransomware. Ensure your end users never open an unknown RDP file, and never email them an RDP file in the first place.
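As an added example, not code from the article, the following Python script parses the name:type:value format of an RDP file and audits it for the combination described above: a full address that is not one of the organization's brokers, redirection switched on, and server authentication switched off. The sample file, the example.invalid host and the trusted host list are constructed for the illustration; drivestoredirect is a standard RDP key for drive redirection that the list above does not mention.

```python
# Constructed sample (not from the article): a hostile-looking RDP file with redirection on.
SAMPLE_RDP = """use multimon:i:0
full address:s:rdp.example.invalid:3389
redirectclipboard:i:1
redirectprinters:i:1
redirectwebauthn:i:1
drivestoredirect:s:*
authentication level:i:0
prompt for credentials:i:0
"""

REDIRECT_KEYS = ("redirectclipboard", "redirectprinters", "redirectcomports",
                 "redirectsmartcards", "redirectwebauthn", "redirectposdevices",
                 "redirectlocation")

def parse_rdp(text):
    """Parse 'name:type:value' lines (type s=string, i=integer, b=binary) into a dict."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # tolerate a BOM on the first line
        if not line:
            continue
        parts = line.split(":", 2)           # the value itself may contain ':' (host:port)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            raise ValueError(f"malformed RDP line: {raw!r}")
        name, kind, value = parts
        settings[name.strip().lower()] = int(value) if kind == "i" else value
    return settings

def host_of(full_address):
    """Strip the optional port from 'full address', handling [IPv6]:port as well."""
    addr = full_address.strip()
    if addr.startswith("["):
        return addr[1:addr.find("]")].lower()
    return addr.split(":", 1)[0].lower()

def audit_rdp(settings, trusted_hosts):
    """Return findings for settings an administrator would not ship to end users."""
    findings = []
    host = host_of(settings.get("full address", ""))
    if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
        findings.append(f"full address {host!r} is not a trusted broker/host")
    enabled = [k for k in REDIRECT_KEYS if settings.get(k) == 1]
    if settings.get("drivestoredirect"):     # non-empty string means local drives are shared
        enabled.append("drivestoredirect=" + settings["drivestoredirect"])
    if enabled:
        findings.append("redirection enabled: " + ", ".join(enabled))
    if settings.get("authentication level", 2) == 0:
        findings.append("authentication level 0: server identity is never checked")
    return findings
```

The same check fits naturally into the Intune remediation script mentioned above, run against the RDP files distributed to end users' devices.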
Chris Twiest works as a technology officer at RawWorks in the Netherlands, focusing on the future Workspace and Cloud technologies for the end user.