
RDS

RDS Setup (Remote Desktop Services)

Add roles to the servers for session host, connection broker and web access. This is required for a basic deployment:

New-RDSessionDeployment -ConnectionBroker "RDCB.Contoso.com" -WebAccessServer "RDWA.Contoso.com" -SessionHost @("RDSH01.Contoso.com","RDSH02.Contoso.com")

Add an RD Gateway server to the deployment:

Add-RDServer -Server "Gateway.Contoso.com" -Role "RDS-GATEWAY" -ConnectionBroker "RDCB.Contoso.com" -GatewayExternalFqdn "ExternalFQDN.NorthWindTraders.com"

Add other roles using the same command:

  • RDS-VIRTUALIZATION. Remote Desktop Virtualization Host (RD Virtualization Host).
  • RDS-RD-SERVER. Remote Desktop Session Host (RD Session Host).
  • RDS-CONNECTION-BROKER. RD Connection Broker.
  • RDS-WEB-ACCESS. Remote Desktop Web Access (RD Web Access).
  • RDS-GATEWAY. RD Gateway.
  • RDS-LICENSING. Remote Desktop Licensing (RD Licensing).

Other commands available here: MS Learn Documentation

To remove an RDS server from the deployment, use the following command with the same parameters as the add command:

Remove-RDServer -Server "RDVH.Contoso.com" -Role "RDS-VIRTUALIZATION" -ConnectionBroker "RDCB.Contoso.com"
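Once the roles above are added or removed it is worth checking that every role a basic deployment needs actually has a holder, because a missing RDS-LICENSING role only shows up when the grace period runs out and a missing RDS-GATEWAY role means session hosts end up reachable directly. The script below is an added example, not code from the original page; it assumes the RemoteDesktop module is installed where it runs and uses RDCB.Contoso.com as a placeholder broker name.

```powershell
# Added example: audit which servers hold which RDS roles and flag missing ones.
# Assumes the RemoteDesktop module is available; the broker name is a placeholder.
Import-Module RemoteDesktop

$ConnectionBroker = "RDCB.Contoso.com"   # placeholder, replace with your broker FQDN

# Roles a basic session-based deployment should have before users are onboarded.
$RequiredRoles = @(
    "RDS-CONNECTION-BROKER",
    "RDS-WEB-ACCESS",
    "RDS-RD-SERVER",
    "RDS-LICENSING",
    "RDS-GATEWAY"
)

function Get-RdsRoleReport {
    param([string]$Broker, [string[]]$Required)

    # Get-RDServer returns one object per server with a Roles string array.
    $servers = Get-RDServer -ConnectionBroker $Broker

    # Build a role -> servers map so roles with no holder are easy to spot.
    $byRole = @{}
    foreach ($srv in $servers) {
        foreach ($role in $srv.Roles) {
            if (-not $byRole.ContainsKey($role)) { $byRole[$role] = @() }
            $byRole[$role] += $srv.Server
        }
    }

    foreach ($role in $Required) {
        $holders = ""
        if ($byRole.ContainsKey($role)) { $holders = $byRole[$role] -join ", " }
        [pscustomobject]@{
            Role    = $role
            Present = $byRole.ContainsKey($role)
            Servers = $holders
        }
    }
}

$report = Get-RdsRoleReport -Broker $ConnectionBroker -Required $RequiredRoles
$report | Format-Table -AutoSize

$missing = $report | Where-Object { -not $_.Present }
if ($missing) {
    Write-Warning ("Deployment is missing roles: " + ($missing.Role -join ", "))
}
```

Run it from a server that has the RDS management tools; the Present column gives a quick pass/fail per role and the Servers column shows where each role lives.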

Certificates for RDS

Assign a certificate that is already imported on the server to an RDS role (the thumbprint and broker name are placeholders):

Set-RDCertificate -Role RDRedirector -Thumbprint "<thumbprint>" -ConnectionBroker "<connection broker fqdn>"

The acceptable values for the -Role parameter are:

  • RDGateway
  • RDWebAccess
  • RDRedirector
  • RDPublishing
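A certificate that is expired, about to expire, or has no private key will be accepted by the store but fail at connect time, so it pays to check before assigning it to all four roles and to read back what the broker reports afterwards. The script below is an added example, not code from the original page; it assumes it runs on the connection broker (where Set-RDCertificate looks up the thumbprint in the local machine store), and the subject name and broker FQDN are placeholders.

```powershell
# Added example: pick a usable certificate from LocalMachine\My, assign it to every
# RDS role, then verify the broker sees it as trusted. Subject/broker are placeholders.
Import-Module RemoteDesktop

$ConnectionBroker = "RDCB.Contoso.com"        # placeholder
$Subject          = "CN=rds.contoso.com"      # placeholder: subject of the cert to use
$Roles            = @("RDGateway", "RDWebAccess", "RDRedirector", "RDPublishing")

function Select-RdsCertificate {
    param([string]$SubjectName)
    # Only a cert with a private key and a usable validity window can serve TLS.
    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.Subject -eq $SubjectName -and
            $_.HasPrivateKey -and
            $_.NotBefore -le $now -and
            $_.NotAfter -gt $now.AddDays(30)   # refuse certs expiring within 30 days
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

$cert = Select-RdsCertificate -SubjectName $Subject
if (-not $cert) {
    throw "No valid certificate with subject '$Subject' and a private key in LocalMachine\My"
}

foreach ($role in $Roles) {
    # -Force suppresses the confirmation prompt. The cert is already in the store,
    # so no -ImportPath / -Password is needed.
    Set-RDCertificate -Role $role -Thumbprint $cert.Thumbprint -ConnectionBroker $ConnectionBroker -Force
}

# Read back: Level should be "Trusted" for each role once the chain validates on the broker.
Get-RDCertificate -ConnectionBroker $ConnectionBroker |
    Select-Object Role, Level, ExpiresOn, IssuedTo, Thumbprint |
    Format-Table -AutoSize
```

If Level comes back as anything other than Trusted for a role, the issuing chain is not trusted on the broker, which is the usual cause of the certificate warning users see at logon.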

RDS certificates for host authentication

Use the following guide to set up RDS host certificates with internal CA certificates through Group Policy and certificate templates:

https://woshub.com/securing-rdp-connections-trusted-ssl-tls-certificates/

Get Assigned RDS CAL from User objects

PowerShell to get the assigned user CALs from the user objects in AD:

Get-ADUser -Filter {(msTSManagingLS -like '*' -and msTSLicenseVersion -like '*') -or (terminalServer -like '*')} -Properties * | fl -Property Name,sAMAccountName,msTS*

RDS licensing error

If you are getting an error about a session host not finding a licence server, make sure the following settings are enabled in local Group Policy:

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing

Use the specified Remote Desktop license servers: Enabled

Set the Remote Desktop licensing mode: Enabled

RDS Lockdown for end users

See this post for details:

http://www.it.ltsoy.com/windows/lock-down-remote-desktop-services-server-2012/

RDS licensing for Citrix error

Citrix sessions require RDS licences, and if the RDS licence server is not online an error will occur at user login.

Use this to find the location of all RDS licence servers in the domain (run on a domain controller):

Get-ADObject -Filter {objectClass -eq 'serviceConnectionPoint' -and Name -eq 'TermServLicensing'} | fl

Customize RDS deployment

Rename the Workspace:

Import-Module RemoteDesktop
Set-RDWorkspace -Name "Your own RD Farm"

To change the look of the login page you can replace the images in the following location:

c:\windows\web\rdweb\pages\images

Change the following images for a simple change to the theme:

Banner_01 (banner at the top)

Bg_globe_01 (background)

logo_02 (desktop logo, next to the workspace name)

To get the background image to tile and repeat, edit the tswa.css file in "C:\Windows\Web\RDWeb\Pages\en-US\tswa.css". In the body section change the background-repeat option from "no-repeat" to "repeat".

Add Self Service Password Reset:

Follow this guide to add password reset to remote desktop services:

https://woshub.com/allow-users-to-reset-expired-password-via-rd-webaccess-windows-server-2012/#:~:text=In%20Windows%20Server%202012

Remote Desktop licensing issues

https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/troubleshoot-rds-licensing-guidance

Check the licensing server being used:

$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
$obj.GetSpecifiedLicenseServerList()

Check the time left on the grace period:

$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
$obj.GetGracePeriodDays()
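The two WMI calls above, the Group Policy settings from the licensing error section and the Licensing Core registry value further down all describe the same state from different angles, so a single health check that reads them together is the quickest way to see why a session host is complaining. The script below is an added example, not code from the original page. It assumes it runs elevated on the session host; the mode numbers follow the page's own comment (2 = per device, 4 = per user, 5 = not set), and the policy registry path is the one the two Group Policy settings write to.

```powershell
# Added example: one-shot licensing health check for a session host.
# Run locally on the session host, elevated. Mode labels follow the page's comment.
$ModeNames = @{ 2 = "Per Device"; 4 = "Per User"; 5 = "Not configured" }

function Get-RdsLicensingState {
    $ts = Get-WmiObject -Namespace "Root/CIMV2/TerminalServices" -Class Win32_TerminalServiceSetting

    # Effective licensing mode as the Remote Connection Manager sees it.
    $mode    = [int]$ts.LicensingType
    # GetSpecifiedLicenseServerList returns the configured servers in SpecifiedLSList.
    $servers = $ts.GetSpecifiedLicenseServerList().SpecifiedLSList
    # GetGracePeriodDays returns the remaining days in DaysLeft.
    $grace   = $ts.GetGracePeriodDays()

    # Values written by the "Use the specified Remote Desktop license servers" and
    # "Set the Remote Desktop licensing mode" policies; these override local settings.
    $policy = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -ErrorAction SilentlyContinue

    $modeName = "Unknown ($mode)"
    if ($ModeNames.ContainsKey($mode)) { $modeName = $ModeNames[$mode] }

    [pscustomobject]@{
        LicensingMode        = $mode
        LicensingModeName    = $modeName
        LicenseServers       = @($servers) -join ", "
        GraceDaysLeft        = $grace.DaysLeft
        PolicyLicenseServers = $policy.LicenseServers
        PolicyLicensingMode  = $policy.LicensingMode
    }
}

$state = Get-RdsLicensingState
$state | Format-List

# Conditions behind the "no license server" and grace period errors described above.
if (-not $state.LicenseServers) {
    Write-Warning "No license server configured on this host."
}
if ($state.LicensingMode -eq 5) {
    Write-Warning "Licensing mode is not set."
}
if ($null -ne $state.GraceDaysLeft -and $state.GraceDaysLeft -lt 14) {
    Write-Warning "Grace period has $($state.GraceDaysLeft) days left."
}
```

If the policy values are populated but the effective values differ, the host has not refreshed Group Policy yet; if the policy values are empty, the settings are coming from the local configuration only.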

Reset Grace period (violates MS terms of service)

Delete the following registry values. To do this you will need to take ownership of the key, as its owner is NETWORK SERVICE.

Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod" # list the values under the GracePeriod key
Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod" -Name

Check the registry key for the licensing type:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\Licensing Core

# 2 = per device, 4 = per user, 5 = not set

Set the licensing mode to per user:

$RDSCALMode = 4
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\Licensing Core\" -Name "LicensingMode" -Value $RDSCALMode

https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-remoteconnectionmanager-licensingmode

Check licensing key packs:

Get-WmiObject Win32_TSLicenseKeyPack

Remove a license key pack:

wmic /namespace:\\root\CIMV2 PATH Win32_TSLicenseKeyPack CALL UninstallLicenseKeyPackWithId

Details on License usage:

https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-client-access-license

Per user CAL not being applied to AD user objects:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/license-attributes-not-updated-rdsh-server

On Server 2019 and later you may need to grant SELF permissions to the Terminal Server attributes on the user objects. In AD, on the OU that contains the users, delegate to SELF the permission to read and write Terminal Server license server.

Integrate Remote Desktop Gateway with Network Policy Server (NPS) and Entra ID

https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension-rdg

Set RDP file Defaults

To set the templates for the RDP files distributed by the RD Web page you need to set the values in the registry:

# Find the published farms here, then edit the RDP config for each collection:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms\{YourFarmName}\RemoteDesktops\{YourCollectionName}\RDPFileContents

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms\{YourFarmName}\DeploymentSettings\DeploymentRDPSettings

If you do not want to edit the string in the registry directly you can copy the string out, edit it, and paste the value back in. The value is multi-line, so make sure each setting is on its own line when you enter it again.

## PowerShell to create a multi-line registry entry from a file
# RDP registry location is: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms
## Gather the variable information
# The file to import the information from
$FileToImport = "\\Path\to\your\saved\RDP-Desktop.rdp"
# Set the entry type - for RDPFileContents, this is String.
$RegType = "String"  # Only needed for New-ItemProperty; Set-ItemProperty keeps the existing type
# Set the path to the key (folder) level of the registry.
$RegPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms\{YourFarmName}\RemoteDesktops\{YourCollectionName}"
# The registry entry to edit
$RegEntry = "RDPFileContents"
# Import the file contents to a variable, joining the lines with CRLF so the value stays multi-line
$rContents = [System.String]::Join("`r`n", (Get-Content -Path $FileToImport))
# Assign the value
Set-ItemProperty -Path $RegPath -Name $RegEntry -Value $rContents -Force

Customise the RDP file to remove multi-monitor:

Use Set-RDSessionCollectionConfiguration to customise the RDP file settings; this is better than changing the registry key.

Find values that can be added: RDP file Configuration Options

Add settings delimited with ";", e.g. -CustomRdpProperty "selectedmonitors:s:0,1;desktopwidth:i:1920;desktopheight:i:1080;gatewayhostname:s:my.gateway.com"

$connectionbroker = "<connection broker fqdn>"
$sessioncollections = Get-RDSessionCollection -ConnectionBroker $connectionbroker
foreach ($collection in $sessioncollections) {
    Set-RDSessionCollectionConfiguration -CollectionName $collection.CollectionName -CustomRdpProperty "use multimon:i:0" -ConnectionBroker $connectionbroker
}
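Because -CustomRdpProperty replaces the whole property string rather than appending to it, and a malformed entry (wrong type letter, missing colon) is silently ignored by the client, it helps to build the string from a single list and validate each entry against the name:type:value syntax before applying it. The script below is an added example, not code from the original page; the broker FQDN and the settings are placeholders taken from the values shown on this page.

```powershell
# Added example: build and validate a CustomRdpProperty string, then apply it to
# every collection on the broker. Broker name and settings are placeholders.
Import-Module RemoteDesktop

$ConnectionBroker = "RDCB.Contoso.com"   # placeholder

# Settings to push. Types: s = string, i = integer (the two used on this page).
$Settings = [ordered]@{
    "use multimon"    = "i:0"                  # single monitor only
    "desktopwidth"    = "i:1920"
    "desktopheight"   = "i:1080"
    "gatewayhostname" = "s:my.gateway.com"     # placeholder gateway
}

function ConvertTo-RdpPropertyString {
    param([System.Collections.IDictionary]$Props)
    $parts = foreach ($name in $Props.Keys) {
        $entry = "{0}:{1}" -f $name, $Props[$name]
        # RDP file lines look like  name:type:value  where type is s (string) or i (integer).
        if ($entry -notmatch '^[a-z0-9 ]+:(s:.*|i:-?\d+)$') {
            throw "Invalid RDP property '$entry'"
        }
        $entry
    }
    # Set-RDSessionCollectionConfiguration expects ';' between properties.
    return (@($parts) -join ";")
}

$custom = ConvertTo-RdpPropertyString -Props $Settings
Write-Host "Applying: $custom"

foreach ($collection in Get-RDSessionCollection -ConnectionBroker $ConnectionBroker) {
    # -CustomRdpProperty replaces the whole string, so every wanted setting must be in $custom.
    Set-RDSessionCollectionConfiguration -CollectionName $collection.CollectionName `
        -CustomRdpProperty $custom -ConnectionBroker $ConnectionBroker
}
```

Keep the full set of wanted properties in one place (here the $Settings table) so that re-running the script never drops a setting that an earlier run added.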