Not me though, I wanted to use WDDM drivers, but found it lead to frequent crashed Remote Desktop sessions on my Win 10 2004+ machines. Block launching Universal Windows apps with Windows Runtime API access from hosted content. If you enable or do not configure this policy setting, Remote Desktop Connections will use WDDM graphics display driver. Turn on dynamic Content URI Rules for Windows store apps, Prevent backing up to optical media (CD/DVD), Prevent the user from running the Backup Status and Configuration program, Turn off the ability to back up data files, Turn off the ability to create a system image, Disallow locally attached storage as backup target, Allow domain users to log on using biometrics, Specify timeout for fast user switching events, Allow access to BitLocker-protected fixed data drives from earlier versions of Windows, Choose how BitLocker-protected fixed drives can be recovered, Configure use of hardware-based encryption for fixed data drives, Configure use of passwords for fixed data drives, Configure use of smart cards on fixed data drives, Deny write access to fixed drives not protected by BitLocker, Enforce drive encryption type on fixed data drives. Ignore the default list of blocked TPM commands, Ignore the local list of blocked TPM commands, Standard User Individual Lockout Threshold, Turn on TPM backup to Active Directory Domain Services, Add the Administrators security group to roaming user profiles, Control slow network connection timeout for user profiles, Delete user profiles older than a specified number of days on system restart, Disable detection of slow network connections, Do not check for user ownership of Roaming Profile Folders, Do not forcefully unload the users registry at user logoff, Do not log users on with temporary profiles, Download roaming profiles on primary computers only, Leave Windows Installer and Group Policy Software Installation Data, Maximum retries to unload and update user profile, Prevent Roaming Profile changes from propagating to the server, Prompt user when a slow network connection is detected, Set maximum wait time for the network if a user has a roaming user profile or remote home directory, Set roaming profile path for all users logging onto this computer, Set the schedule for background upload of a roaming user profile's registry file while user is logged on, User management of sharing user name, account picture, and domain information with apps (not desktop apps), Specify Windows File Protection cache location, Activate Shutdown Event Tracker System State Data feature, Allow Distributed Link Tracking clients to use domain resources, Do not automatically encrypt files moved to encrypted folders, Do not display Manage Your Server page at logon. Go to Use WDDM graphics display driver for Remote Desktop Connections, double-click it and choose Disabled . Turn off the display of thumbnails and only display icons on network folders, Turn off Windows Libraries features that rely on indexed file data, Allow Windows Runtime apps to revoke enterprise data, Configure Traditional Chinese IME version, Do not include Non-Publishing Standard Glyph in the candidate list, Restrict character code range of conversion, Turn on misconversion logging for misconversion report, Custom Instant Search Internet search provider, File menu: Disable closing the browser and Explorer windows, File menu: Disable Save As menu option, File menu: Disable Save As Web Page Complete, Help menu: Remove 'For Netscape Users' menu option, Help menu: Remove 'Send Feedback' menu option, Help menu: Remove 'Tip of the Day' menu option, Tools menu: Disable Internet Options menu option, View menu: Disable Full Screen menu option, Hide the button (next to the New Tab button) that opens Microsoft Edge, Turn off details in messages about Internet connection problems, Start the Internet Connection Wizard automatically, Allow the display of image download placeholders, Turn on printing of background colors and images, Turn off inline AutoComplete in File Explorer, Prevent specifying the color of links that have already been clicked, Prevent specifying the color of links that have not yet been clicked, Disable adding schedules for offline pages, Disable channel user interface completely, Disable downloading of site subscription content, Disable editing and creating of schedule groups, Disable editing schedules for offline pages, Disable removing schedules for offline pages, File size limits for Restricted Sites zone, Turn off automatic download of the ActiveX VersionList, Disable customizing browser toolbar buttons, Disable changing Calendar and Contact settings, Disable changing Profile Assistant settings, Disable changing Temporary Internet files settings, Disable external branding of Internet Explorer, Display error message on proxy script download failure, Identity Manager: Prevent users from using Identities, Notify users if Internet Explorer is not the default web browser, Position the menu bar above the navigation bar, Search: Disable Find Files via F3 within the browser, Turn on the auto-complete feature for user names and passwords on forms, Use Automatic Detection for dial-up connections, Permit use of Applications preference extension, Permit use of Control Panel Settings (Computers), Permit use of Control Panel Settings (Users), Permit use of Data Sources preference extension, Permit use of Devices preference extension, Permit use of Drive Maps preference extension, Permit use of Environment preference extension, Permit use of Folder Options preference extension, Permit use of Folders preference extension, Permit use of Ini Files preference extension, Permit use of Internet Settings preference extension, Permit use of Local Users and Groups preference extension, Permit use of Network Options preference extension, Permit use of Network Shares preference extension, Permit use of Power Options preference extension, Permit use of Printers preference extension, Permit use of Regional Options preference extension, Permit use of Registry preference extension, Permit use of Scheduled Tasks preference extension, Permit use of Services preference extension, Permit use of Shortcuts preference extension, Permit use of Start Menu preference extension, Group Policy tab for Active Directory Tools, Restrict the user from entering author mode, Restrict users to the explicitly permitted list of snap-ins, Configure the inclusion of Microsoft Edge tabs into Alt-Tab, Prevent Application Sharing in true color, Prevent changing DirectSound Audio setting, Allow persisting automatic acceptance of Calls. The first RDP connection after a reboot or power up works but subsequent connections receive an error message saying the login was refused. Click Apply, OK and close the Local Group Policy Editor. Check the status of RDP Services in Services Step 2: Expand the Display adapters and right-click on the built-in graphics device. To delegate administration of this GPO to Citrix Admins: On the right, switch to the Delegation tab, and click Add. Disable WDDM graphics driver. blank windows. Turn off storage and display of search history, Prevent removable media source for any installation, Specify the order in which Windows Installer searches for installation files, Set action to take when logon hours expire, Prevent CD and DVD Media Information Retrieval, Prevent Music File Media Information Retrieval, Enables the use of Token Broker for AD FS authentication, SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services. Disable the built-in graphics card will force the system to use a single card. If you disable this policy setting, Remote Desktop Connections will NOT use WDDM graphics display driver. Always prompt for password upon connection; Do not allow local administrators to customize permissions WDDM 1.2 compatible driver . Step 1: Select an appropriate GPU optimized Azure virtual machine size When the Optiplex is the client in a remote desktop session and the host executes a restart, after . Do not reinitialize a pre-existing roamed user profile when it is loaded on a machine for the first time, Do not show the 'new application installed' notification. (I don't remember the exact error message.) go to " Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment " set the following parameters to Enabled Use hardware graphics adapters for all Remote Desktop Services sessions Computer Configuration > Administrative Templates >Windows Components > Remote Desktop Service Host > Remote Session Environment . Hide the TPM Firmware Update recommendation. Open Local Group Policy Editor You must restart the VM after enabling the WDDM graphics display driver for the changes to take effect. Sign up for a free GitHub account to open an issue and contact its maintainers and the community. The Windows Display Driver Model (WDDM) requires that a graphics hardware vendor supply a paired user-mode display driver and kernel-mode display driver (or display miniport driver ). Have a question about this project? Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0. WDDM is an acronym for the Windows* Display Driver Model. The WDDM graphics display driver for Remote Desktop Connection which is enabled by default in Windows 10 v2004 and above needs to be disabled as it is not supported by the Citrix VDA. Click Display Make sure "Use all my monitory for the remote session" is checked. Configure telemetry opt-in setting user interface. You are right - when I set the GPO "Use WDDM graphics display driver for Remote Desktop Connections -> Disable" it does fix the CPU issue and the freezing issue. (Image-2) Version of WDDM of the GPU driver on The Windows System Back to the top Info: Define the number of days after which a catch-up security intelligence update is required, Define the number of days before spyware security intelligence is considered out of date, Define the number of days before virus security intelligence is considered out of date, Define the order of sources for downloading security intelligence updates, Initiate security intelligence update on startup, Specify the day of the week to check for security intelligence updates, Specify the interval to check for security intelligence updates, Specify the time to check for security intelligence updates, Turn on scan after security intelligence update, Specify threat alert levels at which default action should not be taken when detected, Specify threats upon which default action should not be taken when detected, Allow antimalware service to remain running always, Allow antimalware service to startup with normal priority, Configure detection for potentially unwanted applications, Configure local administrator merge behavior for lists, Define proxy auto-config (.pac) for connecting to the network, Define proxy server for connecting to the network, Allow auditing events in Microsoft Defender Application Guard, Allow camera and microphone access in Microsoft Defender Application Guard, Allow data persistence for Microsoft Defender Application Guard, Allow files to download and save to the host operating system from Microsoft Defender Application Guard, Allow hardware-accelerated rendering for Microsoft Defender Application Guard, Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device, Allow users to trust files that open in Windows Defender Application Guard. Do not allow pinning programs to the Taskbar, Do not allow pinning Store app to the Taskbar, Do not allow taskbars on more than one display, Do not display any custom toolbars in the taskbar, Do not display or track items in Jump Lists from remote locations, Do not keep history of recently opened documents, Do not search programs and Control Panel items, Do not use the search-based method when resolving shell shortcuts, Do not use the tracking-based method when resolving shell shortcuts, Force Start to be either full screen size or menu size, Go to the desktop instead of Start when signing in, Gray unavailable Windows Installer programs Start Menu shortcuts, Prevent changes to Taskbar and Start Menu Settings, Prevent users from adding or removing toolbars, Prevent users from customizing their Start Screen, Prevent users from moving taskbar to another screen dock location, Prevent users from uninstalling applications from Start, Remove access to the context menus for the taskbar, Remove All Programs list from the Start menu, Remove Clock from the system notification area, Remove common program groups from Start Menu. In Group Policy Editor under Remote Desktop Session Host -> Remote Session Environment . By default, the display adapter driver for Remote Desktop connection is WDDM. set the policy "Use WDDM graphics display driver for Remote Desktop Connections" to DISABLED. Then reboot! Use WDDM graphics display driver for Remote Desktop Connections to DISABLED . * Right-click the current Graphics item in Device manager, and select "Update driver". Show message when opening sites in Microsoft Edge using Enterprise Mode, Specify use of ActiveX Installer Service for installation of ActiveX controls, Turn off ability to pin sites in Internet Explorer on the desktop, Turn off add-on performance notifications, Turn off configuration of pop-up windows in tabbed browsing, Turn off Managing SmartScreen Filter for Internet Explorer 8, Turn off suggestions for all user-installed providers, Turn off the auto-complete feature for web addresses, Turn off the Security Settings Check feature, Automatic Maintenance Activation Boundary, Turn off Automatic Download and Update of Map Data, Turn off unsolicited network traffic on the Offline Maps settings page, Enable automatic MDM enrollment using default Azure AD credentials, Block all consumer Microsoft account user authentication, Display additional text to clients when they need to perform an action, Configure local setting override for reporting to Microsoft MAPS, Configure the 'Block at First Sight' feature, Send file samples when further analysis is required, Exclude files and paths from Attack Surface Reduction Rules, Prevent users and apps from accessing dangerous websites, Define the rate of detection events for logging, Specify additional definition sets for network traffic inspection, Configure local setting override for the removal of items from Quarantine folder, Configure removal of items from Quarantine folder, Configure local setting override for monitoring file and program activity on your computer, Configure local setting override for monitoring for incoming and outgoing file activity, Configure local setting override for scanning all downloaded files and attachments, Configure local setting override for turn on behavior monitoring, Configure local setting override to turn off Intrusion Prevention System, Configure local setting override to turn on real-time protection, Configure monitoring for incoming and outgoing file and program activity, Define the maximum size of downloaded files and attachments to be scanned, Monitor file and program activity on your computer, Scan all downloaded files and attachments, Turn on network protection against exploits of known vulnerabilities, Turn on process scanning whenever real-time protection is enabled, Configure local setting override for the time of day to run a scheduled full scan to complete remediation, Specify the day of the week to run a scheduled full scan to complete remediation, Specify the time of day to run a scheduled full scan to complete remediation, Configure time out for detections in critically failed state, Configure time out for detections in non-critical failed state, Configure time out for detections in recently remediated state, Configure time out for detections requiring additional action, Configure Windows software trace preprocessor components, Check for the latest virus and spyware security intelligence before running a scheduled scan, Configure local setting override for maximum percentage of CPU utilization, Configure local setting override for scheduled quick scan time, Configure local setting override for scheduled scan time, Configure local setting override for schedule scan day, Configure local setting override for the scan type to use for a scheduled scan, Configure low CPU priority for scheduled scans, Define the number of days after which a catch-up scan is forced, Specify the day of the week to run a scheduled scan, Specify the interval to run quick scans per day, Specify the maximum depth to scan archive files, Specify the maximum percentage of CPU utilization during a scan, Specify the maximum size of archive files to be scanned, Specify the scan type to use for a scheduled scan, Specify the time of day to run a scheduled scan, Start the scheduled scan only when computer is on but not in use, Turn on removal of items from scan history folder, Allow notifications to disable security intelligence based reports to Microsoft MAPS, Allow real-time security intelligence updates based on reports to Microsoft MAPS, Allow security intelligence updates from Microsoft Update, Allow security intelligence updates when running on battery power, Check for the latest virus and spyware security intelligence on startup, Define file shares for downloading security intelligence updates. Under Setting, right-click Use WDDM graphics display driver for Remote Desktop Connections, and click Edit. Can confirm this works around the issue for me as well (only had to reconnect RDP, not reboot though). . Prevent users from sharing files within their profile. To create these display drivers, perform the following steps: Step 1: Learn about Windows architecture and drivers. Specifically, those with onboard + Nvidia Quadro cards. Use DNS name resolution when a single-label domain name is used, by appending different registered DNS suffixes, if the AllowSingleLabelDnsDomain setting is not enabled. start Hyper-V manager go to Hyper-V Settings > Physical GPUs select your GPU check the box Use this GPU with RemoteFX click OK select your virtual machine click Settings click Add Hardware > RemoteFX 3D Video Adapter click Add update RemoteFX settings for your needs click OK That is. Specify contact email address or Email ID, Hide the Firewall and network protection area, Hide the Virus and threat protection area, Select when Preview Builds and Feature Updates are received, Allow Automatic Updates immediate installation, Allow non-administrators to receive update notifications, Allow signed updates from an intranet Microsoft update service location, Allow updates to be downloaded automatically over metered connections, Always automatically restart at the scheduled time, Configure auto-restart reminder notifications for updates, Configure auto-restart required notification for updates, Configure auto-restart warning notifications schedule for updates, Delay Restart for scheduled installations, Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box, Do not allow update deferral policies to cause scans against Windows Update, Do not connect to any Windows Update Internet locations, Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box, Do not include drivers with Windows Updates, Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates, No auto-restart with logged on users for scheduled automatic updates installations, Re-prompt for restart with scheduled installations, Remove access to use all Windows Update features, Reschedule Automatic Updates scheduled installations, Specify active hours range for auto-restarts, Specify deadline before auto-restart for update installation, Specify deadlines for automatic updates and restarts, Specify Engaged restart transition and notification schedule for updates, Specify intranet Microsoft update service location, Specify source service for specific classes of Windows Updates, Turn off auto-restart for updates during active hours, Turn off auto-restart notifications for update installations, Turn on recommended updates via Automatic Updates, User State Management Client Side Extension, Hide the "Add a program from CD-ROM or floppy disk" option, Hide the "Add programs from Microsoft" option, Hide the "Add programs from your network" option, Hide the Set Program Access and Defaults page, Specify default category for Add New Programs, Force a specific visual style file or force Windows Classic, Prevent changing visual style for windows and buttons, Prohibit selection of visual style font size, Browse a common web site to find printers, Default Active Directory path when searching for printers, Turn off Windows default printer management, Hide "Set Program Access and Computer Defaults" page, Hide Regional and Language Options administrative options, Hide user locale selection and customization options, Restrict selection of Windows menus and dialogs language, Restricts the UI languages Windows should use for the selected user, Turn off insert a space after selecting a text prediction, Turn off offer text predictions as I type, Always open All Control Panel Items when opening Control Panel, Prohibit access to Control Panel and PC settings, Maximum size of Active Directory searches, Do not add shares of recently opened documents to Network Locations, Hide and disable all items on the desktop, Prevent adding, dragging, dropping and closing the Taskbar's toolbars, Prohibit User from manually redirecting Profile Folders, Remove Properties from the Computer icon context menu, Remove Properties from the Documents icon context menu, Remove Properties from the Recycle Bin context menu, Turn off Aero Shake window minimizing mouse gesture, Ability to change properties of an all user remote access connection, Ability to delete all user remote access connections, Ability to Enable/Disable a LAN connection, Ability to rename all user remote access connections, Ability to rename LAN connections or remote access connections available to all users, Enable Windows 2000 Network Connections settings for Administrators, Prohibit access to properties of a LAN connection, Prohibit access to properties of components of a LAN connection, Prohibit access to properties of components of a remote access connection, Prohibit access to the Advanced Settings item on the Advanced menu, Prohibit access to the New Connection Wizard, Prohibit access to the Remote Access Preferences item on the Advanced menu, Prohibit adding and removing components for a LAN or remote access connection, Prohibit changing properties of a private remote access connection, Prohibit connecting and disconnecting a remote access connection, Prohibit deletion of remote access connections, Prohibit Enabling/Disabling components of a LAN connection, Prohibit renaming private remote access connections, Prohibit viewing of status for an active connection, Turn off notifications when a connection has only limited or no connectivity, Turn off toast notifications on the lock screen, Add "Run in Separate Memory Space" check box to Run dialog box, Clear history of recently opened documents on exit, Clear the recent programs list for new users. If you have an RDP shortcut you use right click it and select edit, other wise when you open RDP click show options in the bottom left. The Primary Machine is a Windows PC, laptop or Surface Pro tablet. In the Add Group or User window, change the Permissions to Edit settings, and click OK. Do not turn off system power after a Windows system shutdown has occurred. Share Improve this answer Follow answered Oct 4, 2019 at 16:32 A lot of people preferred using XDDM drivers in these scenarios as it let you squeeze out every last drop of performance. Prevent users from adding files to the root of their Users Files folder. Worked for me on three machines. Configure additional sources for untrusted files in Windows Defender Application Guard. Step 6. WDDM graphic driver is an important feature in Windows 10. Resolution 2: If the first resolution does not work, try following these instructions: On your local computer, open an explorer window and paste this into the location . Simple fix! - Use WDDM graphics display driver for Remote Desktop Connections Background: PAM was experiencing slowness in opening RDP session for some Windows target device The issue was solved after turn off this group policy for Windows target device side. Use DNS name resolution with a single-label domain name instead of NetBIOS name resolution to locate the DC, Allow cryptography algorithms compatible with Windows NT 4.0, Specify negative DC Discovery cache setting, Specify positive periodic DC Cache refresh for non-background callers, Use final DC discovery retry setting for background callers, Use initial DC discovery retry setting for background callers, Use maximum DC discovery retry interval setting for background callers, Use positive periodic DC cache refresh for background callers, Use urgent mode when pinging domain controllers, Allow Clipboard synchronization across devices, Select the lid switch action (on battery), Select the lid switch action (plugged in), Select the Power button action (on battery), Select the Power button action (plugged in), Select the Sleep button action (on battery), Select the Sleep button action (plugged in), Select the Start menu Power button action (on battery), Select the Start menu Power button action (plugged in), Energy Saver Battery Threshold (on battery), Energy Saver Battery Threshold (plugged in), Allow applications to prevent automatic sleep (on battery), Allow applications to prevent automatic sleep (plugged in), Allow automatic sleep with Open Network Files (on battery), Allow automatic sleep with Open Network Files (plugged in), Allow network connectivity during connected-standby (on battery), Allow network connectivity during connected-standby (plugged in), Allow standby states (S1-S3) when sleeping (on battery), Allow standby states (S1-S3) when sleeping (plugged in), Require a password when a computer wakes (on battery), Require a password when a computer wakes (plugged in), Specify the system hibernate timeout (on battery), Specify the system hibernate timeout (plugged in), Specify the system sleep timeout (on battery), Specify the system sleep timeout (plugged in), Specify the unattended sleep timeout (on battery), Specify the unattended sleep timeout (plugged in), Turn on the ability for applications to prevent sleep transitions (on battery), Turn on the ability for applications to prevent sleep transitions (plugged in), Specify the display dim brightness (on battery), Specify the display dim brightness (plugged in), Turn off adaptive display timeout (on battery), Turn off adaptive display timeout (plugged in), Turn on desktop background slideshow (on battery), Turn on desktop background slideshow (plugged in), Minimum Idle Connection Timeout for RPC/HTTP connections, Propagation of extended error information, Restrictions for Unauthenticated RPC clients, RPC Endpoint Mapper Client Authentication, All Removable Storage: Allow direct access in remote sessions, All Removable Storage classes: Deny all access, Allow logon scripts when NetBIOS or WINS is disabled, Maximum wait time for Group Policy scripts, Run Windows PowerShell scripts first at computer startup, shutdown, Run Windows PowerShell scripts first at user logon, logoff, Configure the refresh interval for Server Manager, Do not display Initial Configuration Tasks window automatically at logon, Do not display Server Manager automatically at logon, Turn off automatic termination of applications that block or cancel shutdown, Allow downloading updates to the Disk Failure Prediction Model, Allow Storage Sense Temporary Files cleanup, Configure Storage Sense Cloud Content dehydration threshold, Configure Storage Sense Recycle Bin cleanup threshold, Configure Storage Storage Downloads cleanup threshold, Detect application failures caused by deprecated COM objects, Detect application failures caused by deprecated Windows DLLs, Detect application installers that need to be run as administrator, Detect applications unable to launch installers under UAC, Detect compatibility issues for applications and drivers, Configure Corrupted File Recovery Behavior, Disk Diagnostic: Configure custom alert text, Disk Diagnostic: Configure execution level, Microsoft Support Diagnostic Tool: Configure execution level, Microsoft Support Diagnostic Tool: Restrict tool download, Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider, Troubleshooting: Allow users to access recommended troubleshooting for known problems, Configure MSI Corrupted File Recovery Behavior, Configure Security Policy for Scripted Diagnostics, Troubleshooting: Allow users to access and run Troubleshooting Wizards, Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS), Diagnostics: Configure scenario execution level, Diagnostics: Configure scenario retention, Configure the level of TPM owner authorization information available to the operating system, Configure the list of blocked TPM commands.