Apply policies

Administrative templates facilitate the management of registry-based policy settings, which can be applied on the computer and/or user configuration. Group policy (GPO) is a tool that enables your organization to enforce global settings on all computers, and at the same time, harden Remote Desktop Manager security.

Administrative Templates are registry settings that are enforced by domains. They contain registry keys that can also be set on computers that are not joined to domains. In this case, however, proper Access Control Lists (ACLs) must be put in place to prevent users from modifying registry settings. Refer to the tables below to find the registry key for each policy setting.

To learn more on how to deploy the Remote Desktop Manager administrative templates on your domain, please refer to the Microsoft documentation.

For now, the additional support is exclusively for the policies that require a numerical input higher than 0-1 (ex: ForceLockOnIdle).

Remote Desktop Manager includes an administrative template file (.admx), which describes the policies that are offered. You will find it in the policies subfolder. Before you can manage GPOs in Remote Desktop Manager, you first need to list them in the Local Group Policy Editor. Here are the steps:

Go to your policies subfolder. By default, the path is C:\Program Files (x86)\Devolutions\Remote Desktop Manager\Policies.
Copy the Devolutions.admx file.
Go to C:\Windows\PolicyDefinitions.
Paste the Devolutions.admx file in the root of C:\Windows\PolicyDefinitions.
Go to C:\Program Files\Devolutions\Remote Desktop Manager\Policies\en-US.
Copy the Devolutions.adml file.
Paste the Devolutions.adml file in C:\Windows\PolicyDefinitions\en-US.
Open your Group Policy Editor and go to Computer Configuration – Administrative Templates – Devolutions – Remote Desktop Manager.
Browse the different folders for the desired policies.
Right-click the specific policy, edit it accordingly, and save.

If Remote Desktop Manager is open when you make this change, then you will need to restart it for the new policy to take effect.

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\AllowSyncAllVaultsBackground

0 = Not configured
1 = Allowed
2 = Not allowed

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableExportVaultMenus

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\NoInternetConnection

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableOnboarding

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableAutoUpdate

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableUpdate

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableLaunchAtStartup

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableLicenseExpirationMessage

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableAnalytics

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableGlobalVaultInUserVault

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\EnablePowerShellRemoteConsoleHooking

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceCloseOnIdle

The number of minutes.

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceSystemProxy

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceRefreshBeforeEditEntry

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceCurrentConfigurationLoading

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceDefaultConfigurationLoading

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceUpdatingMajorUpdate

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceUpdatingAllUpdate

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceUpdatingAllUpdateAndBeta

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceUpdatingOnceAMonth

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ApplyForcedPasswordTemplateInPasswordGeneratorTool

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceEnableDPAPICryptographyOnLocalFiles

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\CheckForServerCertificateRevocation

0 = Disabled (no changes)
1 = Enable check for certificates
2 = Disable check for certificates

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableExecuteScriptsViaTerminal

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableUserVaultExport

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableLocalDriveSharing

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableMaskPasswordInViewPassword

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableMyAccountSettings

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableMyPersonalPrivateKey

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableMyPrivilegedAccount

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableReadWriteOffline

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableCyberArkPasswordRetrieval

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableCaching

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableOffline

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableRDPHardDrivesSpecificSettings

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisablePasswordGenerator

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableRevealPasswordInMyAccountSettings

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\EnableDPAPICryptographyOnLocalFiles

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\Application2faMode

0 = Disabled
1 = Check against all configured methods
2 = Prompt for selection on use

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceLockOnStandby

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceLockOnIdle

The number of minutes.

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceLockOnMinimize

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceLockOnWindowsLock

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceLocalApplicationPassword

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceClearCacheOnCloseChrome

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceClearCacheOnCloseMSEdge

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceApplicationMFA

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceSecureDesktop

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceLocalMyAccountSettings

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceLogin

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\AlwaysPromptForPassphrase

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceWindowsHello

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\IgnoreApplicationCertificateErrors

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\LastPass2FAMode

0 = Disabled
1 = Do not trust this device
2 = Trust this device
3 = Trust this device (clear on application close)

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceHidePasswordForAdministrators

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceWindowsCredentialsAndCurrentlyLoggedOnUsernameAndDomain

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\EnableConnectionAfterExpiration

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\LimitEntriesLaunchedInASingleAction

Value = Session count must be equal or smaller than this number.

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ConfirmSessionsOpenOnCountGreaterThan

The configured count will affect the feature directly.

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceDisableAllSessionEvents

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableImportInPrivateVault

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableRevealPassword

Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableAddOn

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableAddOnEntries

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableAddOnManager

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableCustomImage

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableMouseJiggler

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableSessionRecording

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableNetworkScan

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableWebsiteCredentialAutofillAfterDelay

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\EnableRDPHooking

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceRefreshBeforeCopyFromEntry

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceRefreshBeforeExecuteEntry

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceRefreshBeforeViewPassword

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceUserSpecificSettingsMigration

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\HidePortInRDP

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\OnlyAllowCredentialsInPrivateVault

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DefaultPowershellVersion

0 = Disabled
1 = Default
2 = Windows PowerShell (2.0)
3 = Windows PowerShell (5.1)
4 = PowerShell 7

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DashboardAutoFocusItemOnTabSelect

0 = GPO disabled (no changes)
1 = Disable auto-focus
2 = Enable auto-focus

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ClipboardCopyMethod

0 = Disabled
1 = Legacy
2 = Paste once (secure)

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DashboardAutoFocusTabOnItemSelect

0 = GPO disabled (no changes)
1 = Disable auto-focus
2 = Enable auto-focus

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\EnableLegacyChromeProfileHandling

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableApplicationTools

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DashboardHideAllRecordingsPanels

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableDragAndDrop

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableImportExportOptions

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableMyPersonalCredentials

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableQuickConnect

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableSendMessageInDashboard

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableAbout

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableToolsAddOnManager

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableAutoFocusDashboard

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableToolsChocolateyConsole

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableOnlineAccount

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableSendErrorReportDialog

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableToolsExtensionManager

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableHelp

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableToolsLocalRDPRemoteAppManager

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableFileDataSources

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableFileOptions

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableToolsOpenNewRemoteDesktop

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableOpenWithParameters

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableToolsPowershellRDMCmdlet

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableToolsRDMAgent

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableToolsMenu

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableTopPane

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\ForceTreeViewCollapseAtLaunch

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DashboardHideAllAssetPanels

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DashboardHideAllAttachmentsPanels

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\HideDashboard

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DashboardHideAllDocumentationPanels

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DashboardHideAllEntriesPanels

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DashboardHideAllLogsPanels

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DashboardHideAllMacroScriptToolsPanels

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DashboardHideAllManagementToolsPanels

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\HideNavigationPane

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DashboardHideAllOverviewPanels

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DashboardHideAllPasswordListPanels

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DashboardHideAllPermissionsPanels

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DashboardHideAllReferencedByPanels

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DashboardHideAllSubConnectionsPanels

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DashboardHideAllSummaryPanels

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DashboardHideAllTaskPanels

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\HideWhatsNewPage

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\LockNavigationPane

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DefaultNavigationPaneTab

0 = Disabled
1 = Main vault
2 = Opened sessions
3 = Favorites
4 = Recent
5 = Tools (local)
6 = User vault
7 = Last selected tab
8 = PAM vault
9 = My account

%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\SQLiteDefaultLocation

The folder path.

For each GPO’s corresponding Registry Key, the %Root% can either be HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER, depending on how you want to enforce the policy. Please refer to Microsoft's online documentation to make the best choice for your organization's requirements.

List Remote Desktop Manager GPOs in the Local Group Policy Editor

Policies

General

Allow sync all vaults in background

Disable export vault menus in export menus

Disable features requiring an internet connection

Disable Onboarding

Disable the application's automatic update check

Disable the application's update menus

Disable the launching of entries at startup

Disable the license expiration message in the Overview

Disable the telemetry data collection

Disable the system Contacts, Macros and VPNs in the user vault

Enable PowerShell Remote Console API hooking

Force application close when idle

Force proxy settings to System

Force refresh before edit entry

Force the loading of the current configuration file

Force the loading of the default.cfg file

Force updating all major updates

Force updating all updates

Force updating all updates and beta

Force updating once a month

Security

Apply forced password template in Password Generator tool

Force enable DPAPI cryptography on local files

Check for server certificate revocation

Disable execute scripts via terminal

Disable exporting the user vault

Disable local drive sharing of RDP entries

Disable Mask Password in View Password

Disable My Account Settings

Disable My Personal Private Key

Disable My Privileged Account

Disable read/write in Offline Mode

Disable retrieval of passwords from CyberArk accounts

Disable the Caching mode

Disable the Offline Mode

Disable the override hard drive specific settings for RDP entries

Disable the Password Generator

Disable the Reveal Password option in My Account Settings for all users, including administrators

Enable DPAPI cryptography on local files

Force an application two-factor authentication mode (check against all configured methods or prompt for selection on use)

Force application lock on standby

Force application lock when idle

Force application lock when minimizing

Force application lock when Windows locks

Force Application Password

Force clear cache on close (Chrome)

Force clear cache on close (MSEdge)

Force multi-factor authentication on the application login

Force secure desktop usage

Force the local save of My Account Settings

Force the user to always be prompted for their credentials when launching the application

Force the user to always be prompted for their passphrase while connecting to a data source that is protected by a Shared Passphrase Security Provider

Force Windows Hello authentication on the application login

Ignore application certification errors

LastPass two-factor authentication mode

Remove the possibility to see passwords entirely

Use Windows credentials as the application password and force the currently logged on username and domain (unless an application password is already set)

Sessions

Allow the user to connect even after the entry has expired

Limit entries launched in a single action

Confirm on multiple sessions open if open count greater than

Disable all session events

Disable import in user vault

Disable Reveal Password

Disable the Add-on creation and the Add-on Manager. Deprecated, use DisableAddOnEntries and DisableAddOnManager instead

Disable the Add-on creation of entries

Disable the Add-on Manager

Disable the custom image edition in the session configuration

Disable the mouse jiggler option

Disable the session recording feature

Disable network scan

Disable Website Session and Website (legacy) Information (Deprecated) credential autofill after one minute

Enable RDP API hooking

Force refresh before copy password/username/domain

Force refresh before execute entry

Force refresh before view password