From 9fce51d7eed3ca2a368cefcc53a0e829729b20bf Mon Sep 17 00:00:00 2001
From: gpotter2 <10530980+gpotter2@users.noreply.github.com>
Date: Thu, 1 May 2025 19:47:11 +0200
Subject: [PATCH] Add FreeRDP_RestrictedAdminModeSupported for server-side
---
 include/freerdp/settings_types_private.h | 3 ++-
 libfreerdp/common/settings_getters.c | 7 ++++++
 libfreerdp/common/settings_str.h | 2 ++
 libfreerdp/core/nego.c | 25 ++++++++++++++++---
 libfreerdp/core/nego.h | 1 +
 libfreerdp/core/peer.c | 2 ++
 libfreerdp/core/settings.c | 1 +
 .../core/test/settings_property_lists.h | 1 +
 8 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/include/freerdp/settings_types_private.h b/include/freerdp/settings_types_private.h
index 00314063e..2cc00d761 100644
--- a/include/freerdp/settings_types_private.h
+++ b/include/freerdp/settings_types_private.h
@@ -289,7 +289,8 @@ struct rdp_settings
 SETTINGS_DEPRECATED(ALIGN64 BOOL AadSecurity); /* 1112 */
 SETTINGS_DEPRECATED(ALIGN64 char* WinSCardModule); /* 1113 */
 SETTINGS_DEPRECATED(ALIGN64 BOOL RemoteCredentialGuard); /* 1114 */
- UINT64 padding1152[1152 - 1115]; /* 1115 */
+ SETTINGS_DEPRECATED(ALIGN64 BOOL RestrictedAdminModeSupported); /* 1115 */
+ UINT64 padding1152[1152 - 1116]; /* 1116 */
 /* Connection Cookie */
 SETTINGS_DEPRECATED(ALIGN64 BOOL MstscCookieMode); /* 1152 */
diff --git a/libfreerdp/common/settings_getters.c b/libfreerdp/common/settings_getters.c
index ed7330325..23ffde07f 100644
--- a/libfreerdp/common/settings_getters.c
+++ b/libfreerdp/common/settings_getters.c
@@ -493,6 +493,9 @@ BOOL freerdp_settings_get_bool(WINPR_ATTR_UNUSED const rdpSettings* settings,
 case FreeRDP_RestrictedAdminModeRequired:
 return settings->RestrictedAdminModeRequired;
+ case FreeRDP_RestrictedAdminModeSupported:
+ return settings->RestrictedAdminModeSupported;
+
 case FreeRDP_SaltedChecksum:
 return settings->SaltedChecksum;
@@ -1245,6 +1248,10 @@ BOOL freerdp_settings_set_bool(WINPR_ATTR_UNUSED rdpSettings* settings,
 settings->RestrictedAdminModeRequired = cnv.c;
 break;
+ case FreeRDP_RestrictedAdminModeSupported:
+ settings->RestrictedAdminModeSupported = cnv.c;
+ break;
+
 case FreeRDP_SaltedChecksum:
 settings->SaltedChecksum = cnv.c;
 break;
diff --git a/libfreerdp/common/settings_str.h b/libfreerdp/common/settings_str.h
index 19cbf3a12..dea577748 100644
--- a/libfreerdp/common/settings_str.h
+++ b/libfreerdp/common/settings_str.h
@@ -207,6 +207,8 @@ static const struct settings_str_entry settings_map[] = {
 { FreeRDP_RemoteFxOnly, FREERDP_SETTINGS_TYPE_BOOL, "FreeRDP_RemoteFxOnly" },
 { FreeRDP_RestrictedAdminModeRequired, FREERDP_SETTINGS_TYPE_BOOL,
 "FreeRDP_RestrictedAdminModeRequired" },
+ { FreeRDP_RestrictedAdminModeSupported, FREERDP_SETTINGS_TYPE_BOOL,
+ "FreeRDP_RestrictedAdminModeSupported" },
 { FreeRDP_SaltedChecksum, FREERDP_SETTINGS_TYPE_BOOL, "FreeRDP_SaltedChecksum" },
 { FreeRDP_SendPreconnectionPdu, FREERDP_SETTINGS_TYPE_BOOL, "FreeRDP_SendPreconnectionPdu" },
 { FreeRDP_ServerLicenseRequired, FREERDP_SETTINGS_TYPE_BOOL, "FreeRDP_ServerLicenseRequired" },
diff --git a/libfreerdp/core/nego.c b/libfreerdp/core/nego.c
index 2c9b3a64a..24a8fea32 100644
--- a/libfreerdp/core/nego.c
+++ b/libfreerdp/core/nego.c
@@ -59,7 +59,8 @@ struct rdp_nego
 UINT32 RequestedProtocols;
 BOOL NegotiateSecurityLayer;
 BOOL EnabledProtocols[32];
- BOOL RestrictedAdminModeRequired;
+ BOOL RestrictedAdminModeRequired; /* Client-side */
+ BOOL RestrictedAdminModeSupported; /* Server-side */
 BOOL RemoteCredsGuardRequired;
 BOOL RemoteCredsGuardActive;
 BOOL RemoteCredsGuardSupported;
@@ -1254,7 +1255,18 @@ BOOL nego_process_negotiation_request(rdpNego* nego, wStream* s)
 return FALSE;
 }
 if (flags & RESTRICTED_ADMIN_MODE_REQUIRED)
- WLog_Print(nego->log, WLOG_INFO, "RDP_NEG_REQ::flags RESTRICTED_ADMIN_MODE_REQUIRED");
+ {
+ if (nego->RestrictedAdminModeSupported)
+ {
+ WLog_Print(nego->log, WLOG_INFO, "RDP_NEG_REQ::flags RESTRICTED_ADMIN_MODE_REQUIRED");
+ }
+ else
+ {
+ WLog_Print(nego->log, WLOG_ERROR,
+ "RDP_NEG_REQ::flags RESTRICTED_ADMIN_MODE_REQUIRED but disabled");
+ return FALSE;
+ }
+ }
 if (flags & REDIRECTED_AUTHENTICATION_MODE_REQUIRED)
 {
@@ -1483,7 +1495,7 @@ BOOL nego_send_negotiation_response(rdpNego* nego)
 if (freerdp_settings_get_bool(settings, FreeRDP_SupportGraphicsPipeline))
 flags |= DYNVC_GFX_PROTOCOL_SUPPORTED;
- if (freerdp_settings_get_bool(settings, FreeRDP_RestrictedAdminModeRequired))
+ if (nego->RestrictedAdminModeSupported)
 flags |= RESTRICTED_ADMIN_MODE_SUPPORTED;
 if (nego->RemoteCredsGuardSupported)
@@ -1721,6 +1733,13 @@ void nego_set_restricted_admin_mode_required(rdpNego* nego, BOOL RestrictedAdmin
 nego->RestrictedAdminModeRequired = RestrictedAdminModeRequired;
 }
+void nego_set_restricted_admin_mode_supported(rdpNego* nego, BOOL enabled)
+{
+ WINPR_ASSERT(nego);
+
+ nego->RestrictedAdminModeSupported = enabled;
+}
+
 void nego_set_RCG_required(rdpNego* nego, BOOL enabled)
 {
 WINPR_ASSERT(nego);
diff --git a/libfreerdp/core/nego.h b/libfreerdp/core/nego.h
index 79b5b643e..aa75cee62 100644
--- a/libfreerdp/core/nego.h
+++ b/libfreerdp/core/nego.h
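Review bot: In nego_process_negotiation_request, the accepting branch for RESTRICTED_ADMIN_MODE_REQUIRED only logs, so nothing on `nego` records that the client asked for restricted admin mode, although the struct in this patch already carries `RemoteCredsGuardActive` for the sibling flag. Without stored state, later server stages and the application presumably cannot tell that the session was negotiated this way, which makes it hard to audit or to apply policy to such logons. Consider a field such as `BOOL RestrictedAdminModeActive;` (suggested name) set in that branch and exposed through a FREERDP_LOCAL getter. As a style point, the nested if/else reads more directly as a guard, `if (!nego->RestrictedAdminModeSupported) { /* log error */ return FALSE; }`, followed by the info log. The function body starts and ends outside the hunk.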
@@ -116,6 +116,7 @@ FREERDP_LOCAL BOOL nego_set_target(rdpNego* nego, const char* hostname, UINT16 p
 FREERDP_LOCAL void nego_set_negotiation_enabled(rdpNego* nego, BOOL NegotiateSecurityLayer);
 FREERDP_LOCAL void nego_set_restricted_admin_mode_required(rdpNego* nego, BOOL RestrictedAdminModeRequired);
+FREERDP_LOCAL void nego_set_restricted_admin_mode_supported(rdpNego* nego, BOOL enabled);
 FREERDP_LOCAL void nego_set_RCG_required(rdpNego* nego, BOOL enabled);
 FREERDP_LOCAL void nego_set_RCG_supported(rdpNego* nego, BOOL enabled);
 FREERDP_LOCAL BOOL nego_get_remoteCredentialGuard(rdpNego* nego);
diff --git a/libfreerdp/core/peer.c b/libfreerdp/core/peer.c
index 9cd4e7c7f..4c4f88100 100644
--- a/libfreerdp/core/peer.c
+++ b/libfreerdp/core/peer.c
@@ -275,6 +275,8 @@ static BOOL freerdp_peer_initialize(freerdp_peer* client)
 }
 nego_set_RCG_supported(rdp->nego, settings->RemoteCredentialGuard);
+ nego_set_restricted_admin_mode_supported(rdp->nego, settings->RestrictedAdminModeSupported);
+
 if (!rdp_server_transition_to_state(rdp, CONNECTION_STATE_INITIAL))
 return FALSE;
diff --git a/libfreerdp/core/settings.c b/libfreerdp/core/settings.c
index c311bf716..d52626480 100644
--- a/libfreerdp/core/settings.c
+++ b/libfreerdp/core/settings.c
@@ -884,6 +884,7 @@ rdpSettings* freerdp_settings_new(DWORD flags)
 !freerdp_settings_set_bool(settings, FreeRDP_RdstlsSecurity, FALSE) ||
 !freerdp_settings_set_bool(settings, FreeRDP_NegotiateSecurityLayer, TRUE) ||
 !freerdp_settings_set_bool(settings, FreeRDP_RestrictedAdminModeRequired, FALSE) ||
+ !freerdp_settings_set_bool(settings, FreeRDP_RestrictedAdminModeSupported, TRUE) ||
 !freerdp_settings_set_bool(settings, FreeRDP_MstscCookieMode, FALSE) ||
 !freerdp_settings_set_uint32(settings, FreeRDP_CookieMaxLength, DEFAULT_COOKIE_MAX_LENGTH) ||
diff --git a/libfreerdp/core/test/settings_property_lists.h b/libfreerdp/core/test/settings_property_lists.h
index fd1762e8a..bafe09386 100644
--- a/libfreerdp/core/test/settings_property_lists.h
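Review bot: In freerdp_peer_initialize the setting is copied into `rdp->nego` once, so the request check and the response flag in nego.c both act on that snapshot, whereas the removed line in nego_send_negotiation_response read the settings at response time. If a server application changes FreeRDP_RestrictedAdminModeSupported after this function has run (callers are not visible here, so this needs confirming), the change is silently ignored and the mode stays advertised and accepted. Either document on the setting that it must be set before the peer is initialized, or read it at negotiation time. The new line also reads a field the header wraps in SETTINGS_DEPRECATED; `freerdp_settings_get_bool(settings, FreeRDP_RestrictedAdminModeSupported)` would go through the accessor, although the adjacent RemoteCredentialGuard line uses the same direct access.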
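Review bot: The default of TRUE in freerdp_settings_new makes every server built on the library advertise RESTRICTED_ADMIN_MODE_SUPPORTED, because the nego_send_negotiation_response hunk now keys that flag on this setting instead of FreeRDP_RestrictedAdminModeRequired, which defaults to FALSE. Restricted admin mode authenticates the client with a network logon and no delegated credentials, which protects the client's password but also means a password hash alone is enough to log on, so hardening guidance usually treats it as something to enable deliberately. An opt-in default, `!freerdp_settings_set_bool(settings, FreeRDP_RestrictedAdminModeSupported, FALSE) ||`, would be the safer choice for server applications. If TRUE is kept to preserve the earlier behaviour of accepting the request flag, a comment next to the line should say so. The `||` chain continues outside the hunk.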
+++ b/libfreerdp/core/test/settings_property_lists.h
@@ -148,6 +148,7 @@ static const size_t bool_list_indices[] = {
 FreeRDP_RemoteFxImageCodec,
 FreeRDP_RemoteFxOnly,
 FreeRDP_RestrictedAdminModeRequired,
+ FreeRDP_RestrictedAdminModeSupported,
 FreeRDP_SaltedChecksum,
 FreeRDP_SendPreconnectionPdu,
 FreeRDP_ServerLicenseRequired,