| title | description | ms.date |
|:--|:--|:--|
| RemoteShell Policy CSP | Learn more about the RemoteShell Area in Policy CSP. | 01/18/2024 |

Policy CSP - RemoteShell

[!INCLUDE ADMX-backed CSP tip]

AllowRemoteShellAccess

| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |

./Device/Vendor/MSFT/Policy/Config/RemoteShell/AllowRemoteShellAccess

This policy setting configures access to remote shells.

If you enable or don't configure this policy setting, new remote shell connections are accepted by the server.

If you set this policy to 'disabled', new remote shell connections are rejected by the server.

Description framework properties:

| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |

[!INCLUDE ADMX-backed policy note]

ADMX mapping:

| Name | Value |
|:--|:--|
| Name | AllowRemoteShellAccess |
| Friendly Name | Allow Remote Shell Access |
| Location | Computer Configuration |
| Path | Windows Components > Windows Remote Shell |
| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service\WinRS |
| Registry Value Name | AllowRemoteShellAccess |
| ADMX File Name | WindowsRemoteShell.admx |

MaxConcurrentUsers

| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |

./Device/Vendor/MSFT/Policy/Config/RemoteShell/MaxConcurrentUsers

This policy setting configures the maximum number of users able to concurrently perform remote shell operations on the system.

The value can be any number from 1 to 100.

  • If you enable this policy setting, new shell connections are rejected if they exceed the specified limit.

  • If you disable or don't configure this policy setting, the default number is five users.

Description framework properties:

| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |

[!INCLUDE ADMX-backed policy note]

ADMX mapping:

| Name | Value |
|:--|:--|
| Name | MaxConcurrentUsers |
| Friendly Name | MaxConcurrentUsers |
| Location | Computer Configuration |
| Path | Windows Components > Windows Remote Shell |
| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service\WinRS |
| ADMX File Name | WindowsRemoteShell.admx |

SpecifyIdleTimeout

| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |

./Device/Vendor/MSFT/Policy/Config/RemoteShell/SpecifyIdleTimeout

This policy setting configures the maximum time, in milliseconds, that a remote shell stays open without any user activity before it's automatically deleted.

Any value from 0 to 0x7FFFFFFF can be set. A minimum of 60000 milliseconds (1 minute) is used for smaller values.

  • If you enable this policy setting, the server will wait for the specified amount of time since the last received message from the client before terminating the open shell.

  • If you don't configure or disable this policy setting, the default value of 900000 milliseconds (15 minutes) is used.

Description framework properties:

| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |

[!INCLUDE ADMX-backed policy note]

ADMX mapping:

| Name | Value |
|:--|:--|
| Name | IdleTimeout |
| Friendly Name | Specify idle Timeout |
| Location | Computer Configuration |
| Path | Windows Components > Windows Remote Shell |
| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service\WinRS |
| ADMX File Name | WindowsRemoteShell.admx |

SpecifyMaxMemory

| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |

./Device/Vendor/MSFT/Policy/Config/RemoteShell/SpecifyMaxMemory

This policy setting configures the maximum total amount of memory in megabytes that can be allocated by any active remote shell and all its child processes.

Any value from 0 to 0x7FFFFFFF can be set, where 0 equals unlimited memory, which means the ability of remote operations to allocate memory is only limited by the available virtual memory.

  • If you enable this policy setting, the remote operation is terminated when a new allocation exceeds the specified quota.

  • If you disable or don't configure this policy setting, the value 150 is used by default.

Description framework properties:

| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |

[!INCLUDE ADMX-backed policy note]

ADMX mapping:

| Name | Value |
|:--|:--|
| Name | MaxMemoryPerShellMB |
| Friendly Name | Specify maximum amount of memory in MB per Shell |
| Location | Computer Configuration |
| Path | Windows Components > Windows Remote Shell |
| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service\WinRS |
| ADMX File Name | WindowsRemoteShell.admx |

SpecifyMaxProcesses

| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |

./Device/Vendor/MSFT/Policy/Config/RemoteShell/SpecifyMaxProcesses

This policy setting configures the maximum number of processes a remote shell is allowed to launch.

  • If you enable this policy setting, you can specify any number from 0 to 0x7FFFFFFF to set the maximum number of processes per shell. Zero (0) means an unlimited number of processes.

  • If you disable or don't configure this policy setting, the limit is five processes per shell.

Description framework properties:

| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |

[!INCLUDE ADMX-backed policy note]

ADMX mapping:

| Name | Value |
|:--|:--|
| Name | MaxProcessesPerShell |
| Friendly Name | Specify maximum number of processes per Shell |
| Location | Computer Configuration |
| Path | Windows Components > Windows Remote Shell |
| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service\WinRS |
| ADMX File Name | WindowsRemoteShell.admx |

SpecifyMaxRemoteShells

| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |

./Device/Vendor/MSFT/Policy/Config/RemoteShell/SpecifyMaxRemoteShells

This policy setting configures the maximum number of concurrent shells any user can remotely open on the same system.

Any number from 0 to 0x7FFFFFFF can be set, where 0 means an unlimited number of shells.

  • If you enable this policy setting, the user can't open new remote shells if the count exceeds the specified limit.

  • If you disable or don't configure this policy setting, the limit is set to two remote shells per user by default.

Description framework properties:

| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |

[!INCLUDE ADMX-backed policy note]

ADMX mapping:

| Name | Value |
|:--|:--|
| Name | MaxShellsPerUser |
| Friendly Name | Specify maximum number of remote shells per user |
| Location | Computer Configuration |
| Path | Windows Components > Windows Remote Shell |
| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service\WinRS |
| ADMX File Name | WindowsRemoteShell.admx |

SpecifyShellTimeout

| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |

./Device/Vendor/MSFT/Policy/Config/RemoteShell/SpecifyShellTimeout

This policy setting is deprecated and has no effect when set to any state: Enabled, Disabled, or Not Configured.

Description framework properties:

| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |

[!INCLUDE ADMX-backed policy note]

ADMX mapping:

| Name | Value |
|:--|:--|
| Name | ShellTimeOut |
| Friendly Name | Specify Shell Timeout |
| Location | Computer Configuration |
| Path | Windows Components > Windows Remote Shell |
| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service\WinRS |
| ADMX File Name | WindowsRemoteShell.admx |
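
The defaults, the 60000 ms idle-timeout minimum and the "0 means unlimited" rules described in the policy sections above determine which limits a device actually enforces. The PowerShell below is an added example, not part of the original article or of Microsoft's code: the function names are hypothetical, and it assumes that each registry value is named after the ADMX Name shown on this page, that a disabled AllowRemoteShellAccess is stored as 0, and that a missing value means the policy is disabled or not configured.

```powershell
# Added example. Assumptions: each registry value is named after the ADMX "Name"
# on this page, and a missing value means disabled or not configured.
function Get-WinRSPolicyValues {
    $key = 'HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS'
    $values = @{}
    if (Test-Path -Path $key) {
        $item = Get-Item -Path $key
        foreach ($n in $item.GetValueNames()) { $values[$n] = $item.GetValue($n) }
    }
    return $values
}

function Resolve-WinRSPolicy {
    param([hashtable]$Values = @{})
    # Defaults the page documents for disabled or unconfigured policies.
    $defaults = [ordered]@{
        MaxConcurrentUsers = 5; IdleTimeout = 900000; MaxMemoryPerShellMB = 150
        MaxProcessesPerShell = 5; MaxShellsPerUser = 2
    }
    # Settings for which the page defines 0 as unlimited.
    $zeroUnlimited = 'MaxMemoryPerShellMB', 'MaxProcessesPerShell', 'MaxShellsPerUser'
    # Assumption: 'disabled' is stored as 0; anything else accepts new shells.
    $set = $Values.ContainsKey('AllowRemoteShellAccess')
    $rejects = $set -and ([long]$Values['AllowRemoteShellAccess'] -eq 0)
    [pscustomobject]@{
        Setting = 'AllowRemoteShellAccess'; Effective = $(if ($rejects) { 'reject' } else { 'accept' })
        Source = $(if ($set) { 'policy' } else { 'default' }); Note = ''
    }
    foreach ($name in $defaults.Keys) {
        $configured = $Values.ContainsKey($name)
        $value = if ($configured) { [long]$Values[$name] } else { [long]$defaults[$name] }
        $note = ''
        if ($name -eq 'IdleTimeout' -and $value -lt 60000) {
            $note = "configured $value ms, raised to the 60000 ms minimum"
            $value = 60000
        } elseif ($name -eq 'MaxConcurrentUsers' -and ($value -lt 1 -or $value -gt 100)) {
            $note = 'outside the documented range 1 to 100'
        } elseif (($zeroUnlimited -contains $name) -and ($value -eq 0)) {
            $note = 'unlimited'
        }
        [pscustomobject]@{
            Setting = $name; Effective = $value
            Source = $(if ($configured) { 'policy' } else { 'default' }); Note = $note
        }
    }
}

# Constructed sample values, not from a real device. ShellTimeOut is ignored: deprecated.
$sample = @{ IdleTimeout = 5000; MaxProcessesPerShell = 0; ShellTimeOut = 1 }
Resolve-WinRSPolicy -Values $sample | Format-Table -AutoSize
```

On a managed device, pass `(Get-WinRSPolicyValues)` instead of `$sample`. Rows whose Note reads `unlimited` have no quota for that resource and are the ones to review.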

Related articles

Policy configuration service provider