Provided by: freerdp3-x11_3.16.0+dfsg-1ubuntu1_amd64 
NAME
xfreerdp3 - FreeRDP X11 client
SYNOPSIS
xfreerdp3 [file] [options] [/v:server[:port]]
DESCRIPTION
xfreerdp3 is an X11 Remote Desktop Protocol (RDP) client which is part of the FreeRDP project. An RDP
server is built-in to many editions of Windows. Alternative servers included ogon, gnome-remote-desktop,
xrdp and VRDP (VirtualBox).
OPTIONS
/a:addin[,options], /addin:addin[,options]
Addin
/azure:[tenantid:id],[use-tenantid[:[on|off]],[ad:url][avd-access:format string],[avd-token:format
string],[avd-scope:format string]
AzureAD options
/action-script:file-name
Action script (default:~/.config/freerdp/action.sh)
/admin, /console
Admin (or console) session
+aero
desktop composition (default:off)
/app:program:[path|||alias],cmd:command,file:filename,guid:guid,icon:filename,name:name,workdir:directory,hidef:[on|off]
Remote application program
/assistance:password
Remote assistance password
/auto-request-control:
Automatically request remote assistance input control
+async-channels
Asynchronous channels (experimental) (default:off)
+async-update
Asynchronous update (default:off)
/audio-mode:mode
Audio output mode
+auth-only
Authenticate only (default:off)
/auth-pkg-list:!ntlm,kerberos
Authentication package filter (comma-separated list, use '!' to exclude)
-authentication
Authentication (experimental) (default:on)
+auto-reconnect
Automatic reconnection (default:off)
/auto-reconnect-max-retries:retries
Automatic reconnection maximum retries, 0 for unlimited [0,1000]
/bpp:depth
Session bpp (color depth) (default:16)
/buildconfig
Print the build configuration
/cache:[bitmap[:on|off],codec[:rfx|nsc],glyph[:on|off],offscreen[:on|off],persist,persist-file:filename]
/cert:[deny,ignore,name:name,tofu,fingerprint:hash:hash as hex[,fingerprint:hash:another hash]]
Certificate accept options. Use with care!
* deny ... Automatically abort connection if the certificate does not match, no user
interaction.
* ignore ... Ignore the certificate checks altogether (overrules all other options)
* name ... Use the alternate <name> instead of the certificate subject to match locally
stored certificates
* tofu ... Accept certificate unconditionally on first connect and deny on subsequent
connections if the certificate does not match
* fingerprints ... A list of certificate hashes that are accepted unconditionally for a connection
/client-build-number:number
Client Build Number sent to server (influences smartcard behaviour, see [MS-RDPESC])
/client-hostname:name
Client Hostname to send to server
/clipboard:[[use-selection:atom],[direction-to:[all|local|remote|off]],[files-to[:all|local|remote|off]]]
Redirect clipboard:
* use-selection:<atom> ... (X11) Specify which X selection to access. Default is CLIPBOARD. PRIMARY
is the X-style middle-click selection.
* direction-to:[all|local|remote|off] control enabled clipboard direction
* files-to:[all|local|remote|off] control enabled file clipboard direction (default:on)
-compression, -z
compression (default:on)
/compression-level:level
Compression level (0,1,2)
+credentials-delegation
credentials delegation (default:off)
/d:domain
Domain
-decorations
Window decorations (default:on)
/disp
Display control
/drive:name,path
Redirect directory <path> as named share <name>. Hotplug support is enabled with /drive:hotplug,*.
This argument provides the same function as "Drives that I plug in later" option in MSTSC.
+drives
Redirect all mount points as shares (default:off)
/dump:record|replay,file:file[,nodelay]
record or replay dump
/dvc:channel[,options]
Dynamic virtual channel
+dynamic-resolution
Send resolution updates when the window is resized (default:off)
/echo, /echo
Echo channel
-encryption
Encryption (experimental) (default:on)
/encryption-methods:[40,][56,][128,][FIPS]
RDP standard security encryption methods
/f
Fullscreen mode (<Ctrl>+<Alt>+<Enter> toggles fullscreen)
+fipsmode
FIPS mode (default:off)
/floatbar[:sticky:[on|off],default:[visible|hidden],show:[always|fullscreen|window]]
floatbar is disabled by default (when enabled defaults to sticky in fullscreen mode)
-fonts
smooth fonts (ClearType) (default:on)
+force-console-callbacks
Use default callbacks (console) for certificate/credential/... (default:off)
/frame-ack:number
Number of frame acknowledgement
/args-from:file|stdin|fd:number|env:name
Read command line from a file, stdin or file descriptor. This argument can not be combined with any
other. Provide one argument per line.
/from-stdin[:force]
Read credentials from stdin. With <force> the prompt is done before connection, otherwise on server
request.
/gateway:g:gateway[:port],u:user,d:domain,p:password,usage-method:[direct|detect],access-token:token,type:[rpc|http[,no-websockets][,extauth-sspi-ntlm]|auto[,no-websockets][,extauth-sspi-ntlm]]|arm,url:wss://url,bearer:oauth2-bearer-token,
/gw:g:gateway[:port],u:user,d:domain,p:password,usage-method:[direct|detect],access-token:token,type:[rpc|http[,no-websockets][,extauth-sspi-ntlm]|auto[,no-websockets][,extauth-sspi-ntlm]]|arm,url:wss://url,bearer:oauth2-bearer-token
Gateway Hostname
/gdi:sw|hw
GDI rendering
/geometry
Geometry tracking channel
+gestures
Consume multitouch input locally (default:off)
/gfx[:[progressive[:on|off]|RFX[:on|off]|AVC420[:on|off]AVC444[:on|off]],mask:value,small-cache[:on|off],thin-client[:on|off],progressive[:on|off]]]
RDP8 graphics pipeline
-grab-keyboard
Grab keyboard focus, forward all keys to remote (default:on)
-grab-mouse
Grab mouse focus, forward all events to remote (default:on)
/h:height
Height (default:768)
-heartbeat
Support heartbeat PDUs (default:on)
/help, /?
Print help
+home-drive
Redirect user home as share (default:off)
/ipv4[:[:force]], /4[:[:force]]
Prefer IPv4 A record over IPv6 AAAA record
/ipv6[:[:force]], /6[:[:force]]
Prefer IPv6 AAAA record over IPv4 A record
/jpeg
JPEG codec support
/jpeg-quality:percentage
JPEG quality
/kbd:[layout:[0xid|name],lang:0xid,fn-key:value,type:value,subtype:value,unicode[:on|off],remap:key1=value1,remap:key2=value2,pipe:filename]
Keyboard related options:
* layout: set the keybouard layout announced to the server
* lang: set the keyboard language identifier sent to the server
* fn-key: Function key value
* remap: RDP scancode to another one. Use /list:kbd-scancode to get the mapping. Example: To switch
'a' and 's' on a US keyboard: /kbd:remap:0x1e=0x1f,remap:0x1f=0x1e
* pipe: Name of a named pipe that can be used to type text into the RDP session
/kerberos:[kdc-url:url,lifetime:time,start-time:time,renewable-lifetime:time,cache:path,armor:path,pkinit-anchors:path,pkcs11-module:name]
Kerberos options
/load-balance-info:info-string
Load balance info
/list:[kbd|kbd-scancode|kbd-lang[:value]|smartcard[:[pkinit-anchors:path][,pkcs11-module:name]]|monitor|tune|timezones]
List available options for subcommand (default:List available options for subcommand)
/log-filters:tag:level[,tag:level[,...]]
Set logger filters, see wLog(7) for details
/log-level:[OFF|FATAL|ERROR|WARN|INFO|DEBUG|TRACE]
Set the default log level, see wLog(7) for details
/max-fast-path-size:size
Specify maximum fast-path update size
/max-loop-time:time
Specify maximum time in milliseconds spend treating packets
+menu-anims
menu animations (default:off)
/microphone[:[sys:sys,][dev:dev,][format:format,][rate:rate,][channel:channel]],
/mic[:[sys:sys,][dev:dev,][format:format,][rate:rate,][channel:channel]]
Audio input (microphone)
/monitors:id[,id[,...]]
Select monitors to use (only effective in fullscreen or multimonitor mode)
-mouse-motion
Send mouse motion events (default:on)
+mouse-relative
Send mouse motion with relative addressing (default:off)
/mouse:[relative:[on|off],grab:[on|off]]
Mouse related options:
* relative: send relative mouse movements if supported by server
* grab: grab the mouse if within the window
/multimon[:force]
Use multiple monitors
+multitouch
Redirect multitouch input (default:off)
-multitransport
Support multitransport protocol (default:on)
-nego
protocol security negotiation (default:on)
/network:[invalid|modem|broadband|broadband-low|broadband-high|wan|lan|auto]
Network connection type
/nsc, /nscodec
NSCodec support
/orientation:[0|90|180|270]
Orientation of display in degrees
+old-license
Use the old license workflow (no CAL and hwId set to 0) (default:off)
/p:password
Password
/parallel[:name[,path]]
Redirect parallel device
/parent-window:window-id
Parent window id
/pcb:blob
Preconnection Blob
/pcid:id
Preconnection Id
/pheight:height
Physical height of display (in millimeters)
/play-rfx:pcap-file
Replay rfx pcap file
/port:number
Server port
-suppress-output
suppress output when minimized (default:on)
+print-reconnect-cookie
Print base64 reconnect cookie after connecting (default:off)
/printer[:name[,driver[,default]]]
Redirect printer device
/proxy:[proto://][user:password@]host[:port]
Proxy settings: override env. var (see also environment variable below). Protocol "socks5" should be
given explicitly where "http" is default.
/pth:password-hash, /pass-the-hash:password-hash
Pass the hash (restricted admin mode)
/pwidth:width
Physical width of display (in millimeters)
/rdp2tcp:executable path[:arg...]
TCP redirection
/reconnect-cookie:base64-cookie
Pass base64 reconnect cookie to the connection
/redirect-prefer:FQDN|IP|NETBIOS,[...]
Override the preferred redirection order
/relax-order-checks, /relax-order-checks
Do not check if a RDP order was announced during capability exchange, only use when connecting to a
buggy server
/restricted-admin, /restrictedAdmin
Restricted admin mode
/remoteGuard, /remoteGuard
Remote guard credentials
/rfx
RemoteFX
/rfx-mode:[image|video]
RemoteFX mode
/scale:[100|140|180]
Scaling factor of the display (default:100)
/scale-desktop:percentage
Scaling factor for desktop applications (value between 100 and 500) (default:100)
/scale-device:100|140|180
Scaling factor for app store applications (default:100)
/sec:[rdp[:[on|off]]|tls[:[on|off]]|nla[:[on|off]]|ext[:[on|off]]|aad[:[on|off]]]
Force specific protocol security. e.g. /sec:nla enables NLA and disables all others, while
/sec:nla:[on|off] just toggles NLA
/serial[:name[,path[,driver[,permissive]]]], /tty[:name[,path[,driver[,permissive]]]]
Redirect serial device
/server-name:name
User-specified server name to use for validation (TLS, Kerberos)
/shell:shell
Alternate shell
/shell-dir:dir
Shell working directory
/size:widthxheight or percent%[wh]
Screen size (default:1024x768)
/smart-sizing[:widthxheight]
Scale remote desktop to window size
/smartcard[:str[,str...]]
Redirect the smartcard devices containing any of the <str> in their names.
/smartcard-logon[:[cert:path,key:key,pin:pin,csp:csp name,reader:reader,card:card]]
Activates Smartcard (optional certificate) Logon authentication.
/sound[:[sys:sys,][dev:dev,][format:format,][rate:rate,][channel:channel,][latency:latency,][quality:quality]],
/audio[:[sys:sys,][dev:dev,][format:format,][rate:rate,][channel:channel,][latency:latency,][quality:quality]]
Audio output (sound)
/span
Span screen over multiple monitors
/spn-class:service-class
SPN authentication service class
/ssh-agent, /ssh-agent
SSH Agent forwarding channel
/sspi-module:SSPI module path
SSPI shared library module file path
/winscard-module:WinSCard module path
WinSCard shared library module file path
/disable-output
Deactivate all graphics decoding in the client session. Useful for load tests with many simultaneous
connections
/t:title, /title:title
Window title
-themes
themes (default:on)
/timeout:time in ms, /timeout:time in ms
Advanced setting for high latency links: Adjust connection timeout, use if you encounter timeout
failures with your connection (default:9000)
/timezone:windows timezone
Use supplied windows timezone for connection (requires server support), see /list:timezones for
allowed values
/tls:[ciphers|seclevel|secrets-file|enforce]
TLS configuration options: * ciphers:[netmon|ma|<cipher names>]
* seclevel:<level>, default: 1, range: [0-5] Override the default TLS security level, might be
required for older target servers
* secrets-file:<filename>
* enforce[:[ssl3|1.0|1.1|1.2|1.3]] Force use of SSL/TLS version for a connection. Some servers have
a buggy TLS version negotiation and might fail without this. Defaults to TLS 1.2 if no argument is
supplied. Use 1.0 for windows 7
-toggle-fullscreen
Alt+Ctrl+Enter to toggle fullscreen (default:on)
/tune:setting:value,setting:value
[experimental] directly manipulate freerdp settings, use with extreme caution! (default:)
/u:[[domain]user|user[@domain]]
Username
+unmap-buttons
Let server see real physical pointer button (default:off)
/usb:[dbg,][id:vid:pid#...,][addr:bus:addr#...,][auto]
Redirect USB device
/v:server[:port]
Server hostname|URL|IPv4|IPv6 or /some/path/to/pipe or |:1234 to pass a TCP socket to use
/vc:channel[,options]
Static virtual channel
/version
Print version
/video
Video optimized remoting channel
/prevent-session-lock[:time in sec]
Prevent session locking by injecting fake mouse motion events to the server when the connection is
idle (default interval: 180 seconds)
/vmconnect[:vmid]
Hyper-V console (use port 2179, disable negotiation)
/w:width
Width (default:1024)
-wallpaper
wallpaper (default:on)
+window-drag
full window drag (default:off)
/window-position:xposxypos
window position
/wm-class:class-name
Set the WM_CLASS hint for the window instance
/workarea
Use available work area
KEYBOARD SHORTCUTS
<Right CTRL>
releases keyboard and mouse grab.
If keyboard is grabbed the local system shortcuts do no longer work and are sent to the remote
system.
If the Mouse is grabbed (optional) local gesture detection does not work and the mouse might not be
able to leave the RDP window. Mouse events are not altered.
<CTRL>+<ALT>+<Return>
toggles fullscreen state of the application
<CTRL>+<ALT>+<m>
Minimizes the application
<CTRL>+<ALT>+c
toggles remote control in a remote assistance session
<CTRL>+<ALT>+<d>
Disconnect the session and terminate application
Action Script
executes a predefined script on key press. Should the script not exist it is ignored. Scripts can
be provided at the default location $XDG_CONFIG_HOME/freerdp/action.sh or as command line argument
/action:script:<path>. The script will receive the current key combination as argument. The output
of the script is parsed for key-local which tells that the script used the key combination, otherwise
the combination is forwarded to the remote.
ENVIRONMENT VARIABLES
wlog environment variable
xfreerdp3 uses wLog as its log facility, you can refer to the corresponding man page (wlog(7)) for
more information. Arguments passed via the /log-level or /log-filters have precedence over the
environment variables.
GLOBAL CONFIGURATION
Format and Location:
The configuration file is stored in global system configuration.
The location is /etc/FreeRDP/FreeRDP/certificates.json
File format is JSON
Supported options:
deny
JSON boolean
Deny the certificate if the check against system SSL store was not successful
ignore
JSON boolean
Ignore certificate failures, just ignore the certificate
deny-userconfig
JSON boolean
If the checks in the global configuration do not accept the certificate do not ask the user
certificate-db
JSON array
An array of JSON objects with:
type
JSON string
a string identifying the hash algorithm used, e.g. sha256
hash
JSON string
a string of hex integer values representing the certificate hash, e.g. 0123456789abcdef
EXAMPLES
#!/bin/bash
# we got a key combination
if [ "$1" = "key" ];
then
# we only got one argument 'key'
# list all supported combinations with echo
if [ $# -eq 1 ];
then
echo "ctrl+alt+f1"
echo "ctrl+alt+f2"
else
# We want the action for a single combination
# use 'key-local' to not forward to RDP session
if [ "$2" = "ctrl+alt+f1" ];
then
echo "key-local"
fi
if [ "$2" = "ctrl+alt+f2" ];
then
echo "/usr/local/bin/somescript.sh"
fi
fi
fi
if [ "$1" = "xevent" ];
then
if [ $# -eq 1 ];
then
echo "FocusIn"
echo "SelectionClear"
else
if [ "$2" = "SelectionNotify" ];
then
echo "/usr/local/bin/someprogram"
fi
fi
fi
Example action script for key events, listing ctrl+alt+f1 to be handled by local window manager and
ctrl+alt+f2 executing a script
The return value of the program determines if the key is handled locally or remotely (0 for local, >
0 for remote, < 0 for errors)
xfreerdp3 connection.rdp /p:Pwd123! /f
Connect in fullscreen mode using a stored configuration connection.rdp and the password Pwd123!
xfreerdp3 /u:USER /size:50%h /v:rdp.contoso.com
Connect to host rdp.contoso.com with user USER and a size of 50 percent of the height. If width (w)
is set instead of height (h) like /size:50%w. 50 percent of the width is used.
xfreerdp3 /u:CONTOSO\\JohnDoe /p:Pwd123! /v:rdp.contoso.com
Connect to host rdp.contoso.com with user CONTOSO\\JohnDoe and password Pwd123!
xfreerdp3 /u:JohnDoe /p:Pwd123! /w:1366 /h:768 /v:192.168.1.100:4489
Connect to host 192.168.1.100 on port 4489 with user JohnDoe, password Pwd123!. The screen width is
set to 1366 and the height to 768
xfreerdp3 /u:JohnDoe /p:Pwd123! /vmconnect:C824F53E-95D2-46C6-9A18-23A5BB403532 /v:192.168.1.100
Establish a connection to host 192.168.1.100 with user JohnDoe, password Pwd123! and connect to
Hyper-V console (use port 2179, disable negotiation) with VMID C824F53E-95D2-46C6-9A18-23A5BB403532
+clipboard
Activate clipboard redirection
/drive:home,/home/user
Activate drive redirection of /home/user as home drive
/smartcard:<device>
Activate smartcard redirection for device device
/printer:<device>,<driver>
Activate printer redirection for printer device using driver driver
/serial:<device>
Activate serial port redirection for port device
/parallel:<device>
Activate parallel port redirection for port device
/sound:sys:alsa
Activate audio output redirection using device sys:alsa
/microphone:sys:alsa
Activate audio input redirection using device sys:alsa
/multimedia:sys:alsa
Activate multimedia redirection using device sys:alsa
/usb:id,dev:054c:0268
Activate USB device redirection for the device identified by 054c:0268
LINKS
http://www.freerdp.com/
AUTHOR
The FreeRDP Team
freerdp 2025-07-09 xfreerdp3(1)