Set 'Remote Desktop security level' to 'TLS' Not Detecting Correctly


Consider the following remediation description --

Set 'Remote Desktop security level' to 'TLS'

Option 1 - Set the following registry value:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer

To the following REG_DWORD value: 2

Option 2 - Set the following Group Policy:
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require use of specific security layer for remote (RDP) connections

To the following value: SSL (TLS 1.0)
--------------
I believe my machines should be passing this test, but due to out-of-order validation steps they are still marked as unresolved.  I've checked my group policy settings and the corresponding registry key at (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\SecurityLayer) and it's set to '2'.  As far as I understand it, this should take precedence over the value that I have in HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer which is '1'.  I don't bother setting that key/value since I believe the group policy takes precedence.  Unfortunately, WDATP is checking Option 1 first and short-circuiting if it's not set to '2'.  In my opinion, it should be checking Option 2 first and short-circuiting a pass if the value is set to '2'.
Phil
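An added check (not from the original post or from WDATP) that reads the two registry locations in the order the post argues for: the Group Policy value first, and the per-listener RDP-Tcp value only when no policy value exists. The value-to-name mapping (0 = RDP Security Layer, 1 = Negotiate, 2 = SSL/TLS) is the documented meaning of SecurityLayer; the function name is my own.

```powershell
# Added example: report the effective RDP SecurityLayer, honouring policy precedence.
function Get-EffectiveRdpSecurityLayer {
    [CmdletBinding()]
    param()

    $locations = @(
        # Option 2 in the remediation text: written by the GPO
        # "Require use of specific security layer for remote (RDP) connections"
        @{ Source = 'GroupPolicy'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' },
        # Option 1: per-listener value; only effective when no policy value is present
        @{ Source = 'Listener';    Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' }
    )

    $names = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }

    foreach ($loc in $locations) {
        # SilentlyContinue: a missing key or missing value simply falls through to the next location
        $item = Get-ItemProperty -Path $loc.Path -Name 'SecurityLayer' -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.SecurityLayer) {
            $value = [int]$item.SecurityLayer
            return [pscustomobject]@{
                Source    = $loc.Source
                Value     = $value
                Name      = if ($names.ContainsKey($value)) { $names[$value] } else { 'Unknown' }
                Compliant = ($value -eq 2)   # the control requires TLS, i.e. SecurityLayer = 2
            }
        }
    }

    # Neither location defines SecurityLayer: nothing explicitly configured
    return [pscustomobject]@{ Source = 'NotConfigured'; Value = $null; Name = 'Not set'; Compliant = $false }
}

Get-EffectiveRdpSecurityLayer | Format-List
```

On a machine configured as the post describes (policy value 2, listener value 1) this reports Source GroupPolicy, Value 2, Compliant True, which is the result the poster expects the assessment to produce.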

Hi @Philip Kluss,

Thanks for your message. We'll review the issue and publish the conclusions as soon as possible.


Thanks,

Haim

Hi @Philip Kluss,


Thank you so much for your message.

We found the root cause of the problem, and a fix should be deployed in the near future.


Thanks,

Haim