This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 74%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKT%3C/text%3E%3C/svg%3E)
Hi,
We have RDS 2022 environment and a requirement to block all older OS from connecting to our RDS servers except Windows 11.
Can anyone help us with the steps here? What we need to think about here. I can create a script that will check the OS when user connects but that is a big risk. OS version can be modified and script is not good option here.
Hi Harry, can you please tell me how can CA policies and complience help here? We have hybrid environment and all PC's are hybrid joined. How can CA help here to control connection to local RDS server?
Do you have any guide for this (Network Level Authentication (NLA) combined with certificate-based authentication and Group Policy enforcement.)
I was thinking of TLS 1.3 but we can enable it on windows 10. There is no support but that does not mean that we cannot enable it on windows 10.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 61%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHP%3C/text%3E%3C/svg%3E)
To enforce access restrictions to only Windows 11 clients in your RDS 2022 environment, I recommend leveraging Network Level Authentication (NLA) combined with certificate-based authentication and Group Policy enforcement. This approach is more secure than scripting, as OS version checks can be spoofed, as you rightly pointed out. You can also configure Conditional Access policies via Azure AD if your environment supports hybrid identity, which allows device compliance checks before session initiation. Another layer of control can be added using RD Gateway policies to filter connections based on device attributes. Be sure to test thoroughly in a staging environment before rolling out to production.
If this guidance helps, feel free to hit "Accept Answer" so others can benefit too 😊.
