xfreerdp - Man Page

• Connect to a FreeRDP server: xfreerdp /u:username /p:password /v:ip_address
• Connect to a FreeRDP server and activate audio output redirection using sys:alsa device: xfreerdp /u:username /p:password /v:ip_address /sound:sys:alsa
• Connect to a FreeRDP server with dynamic resolution: xfreerdp /v:ip_address /u:username /p:password /dynamic-resolution
• Connect to a FreeRDP server with clipboard redirection: xfreerdp /v:ip_address /u:username /p:password +clipboard
• Connect to a FreeRDP server ignoring any certificate checks: xfreerdp /v:ip_address /u:username /p:password /cert:ignore
• Connect to a FreeRDP server with a shared directory: xfreerdp /v:ip_address /u:username /p:password /drive:path/to/directory,share_name

tldr.sh

xfreerdp [file] [options] [/v:server[:port]]

xfreerdp is an X11 Remote Desktop Protocol (RDP) client which is part of the FreeRDP project. An RDP server is built-in to many editions of Windows. Alternative servers included ogon, gnome-remote-desktop, xrdp and VRDP (VirtualBox).

/a:addin[,options], /addin:addin[,options]

Addin

/azure:[tenantid:id],[use-tenantid[:[on|off]],[ad:url][avd-access:format string],[avd-token:format string],[avd-scope:format string]

AzureAD options

/action-script:file-name

Action script (default:~/.config/freerdp/action.sh)

/admin,  /console

Admin (or console) session

+aero

desktop composition (default:off)

/app:program:[path|||alias],cmd:command,file:filename,guid:guid,icon:filename,name:name,workdir:directory,hidef:[on|off]

Remote application program

/assistance:password

Remote assistance password

/auto-request-control:

Automatically request remote assistance input control

+async-channels

Asynchronous channels (experimental) (default:off)

+async-update

Asynchronous update (default:off)

/audio-mode:mode

Audio output mode

+auth-only

Authenticate only (default:off)

/auth-pkg-list:!ntlm,kerberos

Authentication package filter (comma-separated list, use '!' to exclude)

-authentication

Authentication (experimental) (default:on)

+auto-reconnect

Automatic reconnection (default:off)

/auto-reconnect-max-retries:retries

Automatic reconnection maximum retries, 0 for unlimited [0,1000]

/bpp:depth

Session bpp (color depth) (default:16)

/buildconfig

Print the build configuration

/cache:[bitmap[:on|off],codec[:rfx|nsc],glyph[:on|off],offscreen[:on|off],persist,persist-file:filename]

/cert:[deny,ignore,name:name,tofu,fingerprint:hash:hash as hex[,fingerprint:hash:another hash]]

Certificate accept options. Use with care!
* deny         ... Automatically abort connection if the certificate does not match, no user interaction.
* ignore       ... Ignore the certificate checks altogether (overrules all other options)
* name         ... Use the alternate <name> instead of the certificate subject to match locally stored certificates
* tofu         ... Accept certificate unconditionally on first connect and deny on subsequent connections if the certificate does not match
* fingerprints ... A list of certificate hashes that are accepted unconditionally for a connection

/client-build-number:number

Client Build Number sent to server (influences smartcard behaviour, see [MS-RDPESC])

/client-hostname:name

Client Hostname to send to server

/clipboard:[[use-selection:atom],[direction-to:[all|local|remote|off]],[files-to[:all|local|remote|off]]]

Redirect clipboard:
* use-selection:<atom>  ... (X11) Specify which X selection to access. Default is CLIPBOARD. PRIMARY is the X-style middle-click selection.
* direction-to:[all|local|remote|off] control enabled clipboard direction
* files-to:[all|local|remote|off] control enabled file clipboard direction (default:on)

-compression,  -z

compression (default:on)

/compression-level:level

Compression level (0,1,2)

+credentials-delegation

credentials delegation (default:off)

/d:domain

Domain

-decorations

Window decorations (default:on)

/disp

Display control

/drive:name,path

Redirect directory <path> as named share <name>. Hotplug support is enabled with /drive:hotplug,*. This argument provides the same function as "Drives that I plug in later" option in MSTSC.

+drives

Redirect all mount points as shares (default:off)

/dump:record|replay,file:file[,nodelay]

record or replay dump

/dvc:channel[,options]

Dynamic virtual channel

+dynamic-resolution

Send resolution updates when the window is resized (default:off)

/echo, /echo

Echo channel

-encryption

Encryption (experimental) (default:on)

/encryption-methods:[40,][56,][128,][FIPS]

RDP standard security encryption methods

/f

Fullscreen mode (<Ctrl>+<Alt>+<Enter> toggles fullscreen)

+fipsmode

FIPS mode (default:off)

/floatbar[:sticky:[on|off],default:[visible|hidden],show:[always|fullscreen|window]]

floatbar is disabled by default (when enabled defaults to sticky in fullscreen mode)

-fonts

smooth fonts (ClearType) (default:on)

+force-console-callbacks

Use default callbacks (console) for certificate/credential/... (default:off)

/frame-ack:number

Number of frame acknowledgement

/args-from:file|stdin|fd:number|env:name

Read command line from a file, stdin or file descriptor. This argument can not be combined with any other. Provide one argument per line.

/from-stdin[:force]

Read credentials from stdin. With <force> the prompt is done before connection, otherwise on server request.

/gateway:g:gateway[:port],u:user,d:domain,p:password,usage-method:[direct|detect],access-token:token,type:[rpc|http[,no-websockets][,extauth-sspi-ntlm]|auto[,no-websockets][,extauth-sspi-ntlm]]|arm,url:wss://url,bearer:oauth2-bearer-token, /gw:g:gateway[:port],u:user,d:domain,p:password,usage-method:[direct|detect],access-token:token,type:[rpc|http[,no-websockets][,extauth-sspi-ntlm]|auto[,no-websockets][,extauth-sspi-ntlm]]|arm,url:wss://url,bearer:oauth2-bearer-token

Gateway Hostname

/gdi:sw|hw

GDI rendering

/geometry

Geometry tracking channel

+gestures

Consume multitouch input locally (default:off)

/gfx[:[[progressive[:on|off]|RFX[:on|off]|AVC420[:on|off]AVC444[:on|off]],mask:value,small-cache[:on|off],thin-client[:on|off],progressive[:on|off],frame-ack[:on|off]]]

RDP8 graphics pipeline

-grab-keyboard

Grab keyboard focus, forward all keys to remote (default:on)

-grab-mouse

Grab mouse focus, forward all events to remote (default:on)

/h:height

Height (default:768)

-heartbeat

Support heartbeat PDUs (default:on)

/help,  /?

Print help

+home-drive

Redirect user home as share (default:off)

/ipv4[:[:force]], /4[:[:force]]

Prefer IPv4 A record over IPv6 AAAA record

/ipv6[:[:force]], /6[:[:force]]

Prefer IPv6 AAAA record over IPv4 A record

/jpeg

JPEG codec support

/jpeg-quality:percentage

JPEG quality

/kbd:[layout:[0xid|name],lang:0xid,fn-key:value,type:value,subtype:value,unicode[:on|off],remap:key1=value1,remap:key2=value2,pipe:filename]

Keyboard related options:
* layout: set the keybouard layout announced to the server
* lang: set the keyboard language identifier sent to the server
* fn-key: Function key value
* remap: RDP scancode to another one. Use /list:kbd-scancode to get the mapping. Example: To switch 'a' and 's' on a US keyboard: /kbd:remap:0x1e=0x1f,remap:0x1f=0x1e
* pipe: Name of a named pipe that can be used to type text into the RDP session

/kerberos:[kdc-url:url,lifetime:time,start-time:time,renewable-lifetime:time,cache:path,armor:path,pkinit-anchors:path,pkcs11-module:name]

Kerberos options

/load-balance-info:info-string

Load balance info

/list:[kbd|kbd-scancode|kbd-lang[:value]|smartcard[:[pkinit-anchors:path][,pkcs11-module:name]]|monitor|tune|timezones]

List available options for subcommand (default:List available options for subcommand)

/log-filters:tag:level[,tag:level[,...]]

Set logger filters, see wLog(7) for details

/log-level:[OFF|FATAL|ERROR|WARN|INFO|DEBUG|TRACE]

Set the default log level, see wLog(7) for details

/max-fast-path-size:size

Specify maximum fast-path update size

/max-loop-time:time

Specify maximum time in milliseconds spend treating packets

+menu-anims

menu animations (default:off)

/microphone[:[sys:sys,][dev:dev,][format:format,][rate:rate,][channel:channel]], /mic[:[sys:sys,][dev:dev,][format:format,][rate:rate,][channel:channel]]

Audio input (microphone)

/monitors:id[,id[,...]]

Select monitors to use (only effective in fullscreen or multimonitor mode)

-mouse-motion

Send mouse motion events (default:on)

+mouse-relative

Send mouse motion with relative addressing (default:off)

/mouse:[relative:[on|off],grab:[on|off]]

Mouse related options:
* relative:   send relative mouse movements if supported by server
* grab:       grab the mouse if within the window

/multimon[:force]

Use multiple monitors

+multitouch

Redirect multitouch input (default:off)

-multitransport

Support multitransport protocol (default:on)

-nego

protocol security negotiation (default:on)

/network:[invalid|modem|broadband|broadband-low|broadband-high|wan|lan|auto]

Network connection type

/nsc,  /nscodec

NSCodec support

/orientation:[0|90|180|270]

Orientation of display in degrees

+old-license

Use the old license workflow (no CAL and hwId set to 0) (default:off)

/p:password

Password

/parallel[:name[,path]]

Redirect parallel device

/parent-window:window-id

Parent window id

/pcb:blob

Preconnection Blob

/pcid:id

Preconnection Id

/pheight:height

Physical height of display (in millimeters)

/play-rfx:pcap-file

Replay rfx pcap file

/port:number

Server port

-suppress-output

suppress output when minimized (default:on)

+print-reconnect-cookie

Print base64 reconnect cookie after connecting (default:off)

/printer[:name[,driver[,default]]]

Redirect printer device

/proxy:[proto://][user:password@]host[:port]

Proxy settings: override env. var (see also environment variable below). Protocol "socks5" should be given explicitly where "http" is default.

/pth:password-hash, /pass-the-hash:password-hash

Pass the hash (restricted admin mode)

/pwidth:width

Physical width of display (in millimeters)

/rdp2tcp:executable path[:arg...]

TCP redirection

/reconnect-cookie:base64-cookie

Pass base64 reconnect cookie to the connection

/redirect-prefer:FQDN|IP|NETBIOS,[...]

Override the preferred redirection order

/relax-order-checks, /relax-order-checks

Do not check if a RDP order was announced during capability exchange, only use when connecting to a buggy server

/restricted-admin,  /restrictedAdmin

Restricted admin mode

/remoteGuard, /remoteGuard

Remote guard credentials

/rfx

RemoteFX

/rfx-mode:[image|video]

RemoteFX mode

/scale:[100|140|180]

Scaling factor of the display (default:100)

/scale-desktop:percentage

Scaling factor for desktop applications (value between 100 and 500) (default:100)

/scale-device:100|140|180

Scaling factor for app store applications (default:100)

/sec:[rdp[:[on|off]]|tls[:[on|off]]|nla[:[on|off]]|ext[:[on|off]]|aad[:[on|off]]]

Force specific protocol security. e.g. /sec:nla enables NLA and disables all others, while /sec:nla:[on|off] just toggles NLA

/serial[:name[,path[,driver[,permissive]]]], /tty[:name[,path[,driver[,permissive]]]]

Redirect serial device

/server-name:name

User-specified server name to use for validation (TLS, Kerberos)

/shell:shell

Alternate shell

/shell-dir:dir

Shell working directory

/size:widthxheight or percent%[wh]

Screen size (default:1024x768)

/smart-sizing[:widthxheight]

Scale remote desktop to window size

/smartcard[:str[,str...]]

Redirect the smartcard devices containing any of the <str> in their names.

/smartcard-logon[:[cert:path,key:key,pin:pin,csp:csp name,reader:reader,card:card]]

Activates Smartcard (optional certificate) Logon authentication.

/sound[:[sys:sys,][dev:dev,][format:format,][rate:rate,][channel:channel,][latency:latency,][quality:quality]], /audio[:[sys:sys,][dev:dev,][format:format,][rate:rate,][channel:channel,][latency:latency,][quality:quality]]

Audio output (sound)

/span

Span screen over multiple monitors

/spn-class:service-class

SPN authentication service class

/ssh-agent, /ssh-agent

SSH Agent forwarding channel

/sspi-module:SSPI module path

SSPI shared library module file path

/winscard-module:WinSCard module path

WinSCard shared library module file path

/disable-output

Deactivate all graphics decoding in the client session. Useful for load tests with many simultaneous connections

/t:title, /title:title

Window title

-themes

themes (default:on)

/timeout:time in ms, /timeout:time in ms

Advanced setting for high latency links: Adjust connection timeout, use if you encounter timeout failures with your connection (default:9000)

/timezone:windows timezone

Use supplied windows timezone for connection (requires server support), see /list:timezones for allowed values

/tls:[ciphers|seclevel|secrets-file|enforce]

TLS configuration options: * ciphers:[netmon|ma|<cipher names>]
* seclevel:<level>, default: 1, range: [0-5] Override the default TLS security level, might be required for older target servers
* secrets-file:<filename>
* enforce[:[ssl3|1.0|1.1|1.2|1.3]] Force use of SSL/TLS version for a connection. Some servers have a buggy TLS version negotiation and might fail without this. Defaults to TLS 1.2 if no argument is supplied. Use 1.0 for windows 7

-toggle-fullscreen

Alt+Ctrl+Enter to toggle fullscreen (default:on)

/tune:setting:value,setting:value

/u:[[domain]user|user[@domain]]

Username

+unmap-buttons

Let server see real physical pointer button (default:off)

/usb:[dbg,][id:vid:pid#...,][addr:bus:addr#...,][auto]

Redirect USB device

/v:server[:port]

Server hostname|URL|IPv4|IPv6 or /some/path/to/pipe or |:1234 to pass a TCP socket to use

/vc:channel[,options]

Static virtual channel

/version

Print version

/video

Video optimized remoting channel

/prevent-session-lock[:time in sec]

Prevent session locking by injecting fake mouse motion events to the server when the connection is idle (default interval: 180 seconds)

/vmconnect[:vmid]

Hyper-V console (use port 2179, disable negotiation)

/w:width

Width (default:1024)

-wallpaper

wallpaper (default:on)

+window-drag

full window drag (default:off)

/window-position:xposxypos

window position

/wm-class:class-name

Set the WM_CLASS hint for the window instance

/workarea

Use available work area

<Right CTRL>

releases keyboard and mouse grab.
If keyboard is grabbed the local system shortcuts do no longer work and are sent to the remote system.
If the Mouse is grabbed (optional) local gesture detection does not work and the mouse might not be able to leave the RDP window. Mouse events are not altered.

<CTRL>+<ALT>+<Return>

toggles fullscreen state of the application

<CTRL>+<ALT>+<m>

Minimizes the application

<CTRL>+<ALT>+c

toggles remote control in a remote assistance session

<CTRL>+<ALT>+<d>

Disconnect the session and terminate application

Action Script

executes a predefined script on key press. Should the script not exist it is ignored. Scripts can be provided at the default location $XDG_CONFIG_HOME/freerdp/action.sh or as command line argument /action:script:<path>. The script will receive the current key combination as argument. The output of the script is parsed for key-local which tells that the script used the key combination, otherwise the combination is forwarded to the remote.

wlog environment variable

Format and Location:

Supported options:

#!/bin/bash

# we got a key combination
if [ "$1" = "key" ];
then
	# we only got one argument 'key'
	# list all supported combinations with echo
	if [ $# -eq 1 ];
	then
		echo "ctrl+alt+f1"
		echo "ctrl+alt+f2"
	else
		# We want the action for a single combination
		# use 'key-local' to not forward to RDP session
		if [ "$2" = "ctrl+alt+f1" ];
		then
			echo "key-local"
		fi
		if [ "$2" = "ctrl+alt+f2" ];
		then
				echo "/usr/local/bin/somescript.sh"
		fi
	fi
fi
if [ "$1" = "xevent" ];
	then
		if [ $# -eq 1 ];
		then
			echo "FocusIn"
			echo "SelectionClear"
		else
			if [ "$2" = "SelectionNotify" ];
			then
				echo "/usr/local/bin/someprogram"
			fi
		fi
	fi

xfreerdp connection.rdp /p:Pwd123! /f

Connect in fullscreen mode using a stored configuration connection.rdp and the password Pwd123!

xfreerdp /u:USER /size:50%h /v:rdp.contoso.com

Connect to host rdp.contoso.com with user USER and a size of 50 percent of the height. If width (w) is set instead of height (h) like /size:50%w. 50 percent of the width is used.

xfreerdp /u:CONTOSO\\JohnDoe /p:Pwd123! /v:rdp.contoso.com

Connect to host rdp.contoso.com with user CONTOSO\\JohnDoe and password Pwd123!

xfreerdp /u:JohnDoe /p:Pwd123! /w:1366 /h:768 /v:192.168.1.100:4489

Connect to host 192.168.1.100 on port 4489 with user JohnDoe, password Pwd123!. The screen width is set to 1366 and the height to 768

xfreerdp /u:JohnDoe /p:Pwd123! /vmconnect:C824F53E-95D2-46C6-9A18-23A5BB403532 /v:192.168.1.100

Establish a connection to host 192.168.1.100 with user JohnDoe, password Pwd123! and connect to Hyper-V console (use port 2179, disable negotiation) with VMID C824F53E-95D2-46C6-9A18-23A5BB403532

+clipboard

Activate clipboard redirection

/drive:home,/home/user

Activate drive redirection of /home/user as home drive

/smartcard:<device>

Activate smartcard redirection for device device

/printer:<device>,<driver>

Activate printer redirection for printer device using driver driver

/serial:<device>

Activate serial port redirection for port device

/parallel:<device>

Activate parallel port redirection for port device

/sound:sys:alsa

Activate audio output redirection using device sys:alsa

/microphone:sys:alsa

Activate audio input redirection using device sys:alsa

/multimedia:sys:alsa

Activate multimedia redirection using device sys:alsa

/usb:id,dev:054c:0268

Activate USB device redirection for the device identified by 054c:0268

http://www.freerdp.com/

The FreeRDP Team

wlfreerdp(1).