I have a RDP security question:

When you allow RDP over both TCP/UDP, are the client required to set up a connection via TCP and do handshake with encryption keys, before being allowed to use UDP during session?

The reason I ask, is that I have a external authentication via a proxy server, which requires the user to authenticate securely via  one-time token. When the user have been authenticated, the user's IP is added to firewall rule allowing RDP access.

So basically, the RDP server (Windows 10 Pro), is set to allow passwordless login (autologin via the "Log in" button in the windows logon screen) via RDP with built-in encryption (no SSL).

The RDP port in firewall is then controlled by a external authentication mechanism, that will allow certain source IPs after authenticating.

The initial question is because, if the client can set up a session using ONLY UDP, then a client could spoof the source IP of an authenticated user. In TCP its not possible to spoof IP because of the requirement of the three-way SYN-ACKSYN-ACK handshake, and if a session setup is required using TCP, then it does not matter if UDP is later used.