Hi

All applications I publish for RemoteApp on Windows Server 2016 gets "Current directory" set to "C:\Windows\system32\", no matter where I have the application (only tried with applications stored on C:\ fyi)

This is the environment-settings all applications I've published on a Server 2016 gets (besides the command line ofc).

My current solution is to use a cmd-script to enter the correct directory and then start it and just publish the .cmd-script.

New Windows Server 2016 Standard installation

Single server for domain, so all roles on same server: File Server, DNS, AD DS and Remote Desktop Services.

Remote Desktop services installed via add roles, Licensing and Session Host only, without Connection Broker. 

I used the PowerShell commands from the single server RDS configuration that was meant for WS 2012:

https://support.microsoft.com/en-us/help/2833839/guidelines-for-installing-the-remote-desktop-session-host-role-service-on-a-computer-running-windows-server-2012-without-the-remote-desktop-connection-broker-role-service

Licensing Diagnoser shows no errors, and Licensing Manager shows the correct number of 10 CALS, configured as Per User. However, the number of issued licenses is always listed as being one more than are actually in use, i.e. 2 with one user and 3 with two users.

I found a section in gpedit that looks like I could have used it rather than powershell, in computer configuration/administrative templates/windows components/remote desktop services/remote desktop session host/licensing to specify the licensing server and licensing mode. They were listed as Not Configured, so I changed them to match the actual settings. This didn't change the mismatch between actually issued licenses and the number of issued licenses in license manager.

1) Why aren't the actual number of unused CALs being displayed?

2) Shouldn't I have been able to go directly to the relevant sections in computer configuration to specify the license server and licensing mode? My searches on TechNet only resulted in the article referenced above.

Thanks

We have two RD servers, we had it setup so that when someone logs on to rds1 it will push the second login to rds2 then server 1 for the third person and so on.

I honestly can't remember how to perform this task, could someone enlighten me?

My client is using RDS on Win2016.  The users are connecting mostly via Chromebooks. They need the NumLock button enabled during the RDS sessions. Setting the "InitialKeyboardIndicators" registry key on the server for does not work. 

I then wrote a script:

set WshShell = CreateObject(“WScript.Shell”)
WshShell.SendKeys “{NUMLOCK}”

and then used a GPO to run it per https://technet.microsoft.com/en-us/library/cc770821.aspx.  However, when the script finishes the user is automatically logged out.  Since the script takes about 1 second to complete the user session is useless.  Is there a better way to run this script at logon to the RDS session?

Thanks,
Joe

Hello all,

I'va got a broker server for RDP connections and two RDS servers. All works fine, my users can open a session on a RDP server via the broker server. But, sometimes, when I look at in my event logs on the broker server, I'vre got 10+ event with id 4625 which explain me the account domain\srv-broker can't open a session becaues the user or the password is wrong.

the eventlog (sorry in french):

Échec d’ouverture de session d’un compte.

Sujet :
	ID de sécurité :		S-1-0-0
	Nom du compte :		-
	Domaine du compte :		-
	ID d’ouverture de session :		0x0

Type d’ouverture de session :			3

Compte pour lequel l’ouverture de session a échoué :
	ID de sécurité :		S-1-0-0
	Nom du compte :		server-SBK
	Domaine du compte :		DOM

Informations sur l’échec :
	Raison de l’échec :		Nom d’utilisateur inconnu ou mot de passe incorrect.
	État :			0xC000006D
	Sous-état :		0xC0000064

Informations sur le processus :
	ID du processus de l’appelant :	0x0
	Nom du processus de l’appelant :	-

Informations sur le réseau :
	Nom de la station de travail :	server-SBK
	Adresse du réseau source :	::1
	Port source :		53548

Informations détaillées sur l’authentification :
	Processus d’ouverture de session :		NtLmSsp 
	Package d’authentification :	NTLM
	Services en transit :	-
	Nom du package (NTLM uniquement) :	-
	Longueur de clé :		0

My doubts are in the name of the account: why it's a name composed of my domaine name\ and the name of the server without the $ ?

I tried to log the netlogon process and in the log file I can find trace of the failure :

06/06 09:34:49 [LOGON] [3016] SamLogon: Network logon of DOM\server-SBK from server-SBK Entered
06/06 09:34:49 [CRITICAL] [3016] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
06/06 09:34:49 [LOGON] [3016] SamLogon: Network logon of DOM\server-SBK from server-SBK Returns 0xC0000064

So, my question is why and what trie to connect to my server broker from itself with a username like dom\server-sbk ?

And what can I do to stop these login ?

Thanks a all

Good afternoon, when I create a collection of VDI on Winserv2016 I get errors:

The Remote Desktop Virtualization node failed to start the WMI Hyper-V job.

Error description: Failed to set the value of the TS integration service element "tsv-CB1FCC35-F807-4402-9E16-2880669DB61C" for the virtual machine "tst-0": The specified file can not be found. (0x80070002). (Virtual Machine ID {0A47F5B0-00B2-0000-90F5-470AB2000000})
See also Hyper-V event logs
Hresult: 0x8007800B

Failed to set the value of the "0x80070002" data integration service item for the virtual machine "tst-0": 킠 䛌 翶 (The specified file can not be found.). (Virtual Machine ID ੇ²)

Hi there

I am currently trying to make the last changes to our RDS Server before roll-out.

The changes are simply for aesthetics. I want to create a Default Start Layout for all users and where they can still pin/unpin stuff. Same of course to the taskbar (Remove IE)

What i tried is the following:

Created Start Layout file:

<LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"><LayoutOptions StartTileGroupCellWidth="6" /><DefaultLayoutOverride LayoutCustomizationRestrictionType="OnlySpecifiedGroups"><StartLayoutCollection><defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"><start:Group Name="Standard" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"><start:DesktopApplicationTile Size="2x2" Column="4" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" /><start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk" /><start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk" /><start:DesktopApplicationTile Size="2x2" Column="2" Row="2" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Excel 2016.lnk" /><start:DesktopApplicationTile Size="2x2" Column="4" Row="2" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\PowerPoint 2016.lnk" /><start:DesktopApplicationTile Size="2x2" Column="0" Row="2" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Word 2016.lnk" /></start:Group><start:Group Name="Extras" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"><start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\VariCAD\VariCAD Viewer 2018-1.03 EN.lnk" /><start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Ghostscript\Ghostscript 9.23.LNK" /><start:DesktopApplicationTile Size="2x2" Column="4" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\PuTTY (64-bit)\PuTTY.lnk" /><start:DesktopApplicationTile Size="2x2" Column="0" Row="2" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\RealVNC\VNC Viewer.lnk" /><start:DesktopApplicationTile Size="2x2" Column="2" Row="2" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\ThinLinc\ThinLinc Client.lnk" /></start:Group></defaultlayout:StartLayout></StartLayoutCollection></DefaultLayoutOverride><CustomTaskbarLayoutCollection><defaultlayout:TaskbarLayout><taskbar:TaskbarPinList><taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk" /><taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" /></taskbar:TaskbarPinList></defaultlayout:TaskbarLayout></CustomTaskbarLayoutCollection></LayoutModificationTemplate>

Then placed it in a share user should be able to access. (Same share used for background image).

Created the GPO and linked the File:

After that i tested it with different users.

All have the same issues. Icons do not get changed, but the icons present cannot be changed, moved or anything(LOCKED).

I would appreciate some help in this matter as it is driving me crazy.

Best,

Pkey

Hello,

We have an issue with RDS Licensing. In RDS licensing we have a lot of the same HW IDs and im looking for a good solution.
I know the cause is a faulty image, maybe even some EWF settings on some of our thinclients.

So i know i can re-generate a hardware ID by deleting the MSLicensing reg keys so thats not a problem, i can build a GPO for it. The problem is i need to run MSTSC as administrator to re-generate the hardware key in the register.
My users login by RDWeb, RDWeb starts MSTSC. Is there anyway i can temporary let it run as administrator, so the HW ID is regenerated?

Also after we fixed the issue with the image / EWF, deleted and regenerated the HW ID's. How can i empty the RDS Licensing DB so we can start fresh?

Thanks,

LEVD

I am trying to transfer Remote Desktop licenses from Windows Server 2008 Standard to Windows Server 2016 Standard.  I cannot find the license server ID on the Windows Server 2008 Standard.

I checked the properties of the server in TS Licensing Manager.  I right clicked the server name and selected Properties.  The Product ID at the bottom of the Connection Method tab is not enough characters (XXXXX-XXX-XXXXXXX-XXXXX) and does not appear to be in the correct sequence.  There is no way to click in the field to see more characters.  I don't think there are any more characters.  It looks like the server license ID needs to be 35 characters long in groupings of 5 characters.

The two servers are not on the same network.

I entered the IP address of the source license server

I selected Windows Server 2008 as the source license server.

I checked the box for "The specified source license server is not available on the network"

I clicked on the link "More about finding the license server ID" under where the license server ID goes on Windows Server 2016 Standard, but nothing happens.  

Any suggestions on the location of the license server ID?

Hello,

Here's the thing.

I'm running Windows server 2016. I have three users which concted via RDP. The local printers redirect fine, but...

When I try to print from a specific application, it not print to default redirected printer, but to another one which is default for server, not for client machine.

In registry there is

1.HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows:Device - Print to PDF

and

2.HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\SessionDefaultDevices\S-1-5-5-0-3868501870 - The name of default client redirected printer.

So the application try to print to printer from point 1, not to printer from point 2.

How can I set the printer from point 1 to get the name of printer from point 2?

The printer from point 2 has different name each time I log on to server. So I can't set it manually.

Thanks

Hi,

I have a setup with the following servers running Windows Server 2016

1x RDGW, RDCB, RDWA, RDLicensing.

5x RDSH

Im using UPD on the collection.

I have noticed very long login times, after policys etc are shown on screen it sits at a black screen for between 20sec and sometimes up to 5min.

I have also noticed that the svchost.exe that controls the Windows Firewall is using 25% to 50% when a user logs in and using around 1200Mb memory.

After I found this I checked the Windows Firewall with Advanced Security and found thousands of Cortana, Work or school account, Your account, Contact Support rules. 

I found a script in this thread that could delete the rules https://social.technet.microsoft.com/Forums/windows/en-US/9aad7675-d1ba-4900-9d85-0cd117f5514f/new-firewall-rules-created-for-each-user?forum=win10itprosetup

This made the CPU usage and memory usage go down to normal levels, but after every login a user does it builds up the list of rules again. With many users logging in to the system the rules build up very fast and the login times gets high and every server gets slow.

Example on our RDSH01 server that have been running in production since 2017-04-13 the script found and deleted 66153 rules that it found with "$Rules = Get-NetFirewallRule -All | Where-Object {$profiles.sid -notcontains $_.owner -and $_.owner }"

The script also tryed to get rules with this command "$rules2 = Get-NetFirewallRule -All -PolicyStore ConfigurableServiceStore | Where-Object { $profiles.sid -notcontains $_.owner -and $_.owner }" but fails with an "not enough space error"

The script removes the rules from here with the content of $rules "HKLM:\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules"

and $rules2 was meant to clean up at "HKLM:\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System"

but doesnt do anything because of the error on the Get-command. If I try to access it with regedit it stops to respond, guessing there are too many items in that container for it to handle.

Anyone know a solution for this problem? 

Regards Fredrik

In 2008 R2 you could modify the login.aspx page and change the default radio button selection on this page so that the "this is a private computer" option was selected by default.  (see this thread: http://social.technet.microsoft.com/Forums/windowsserver/en-US/320d979f-9067-4dcd-9424-ab65a7bf6486/this-is-a-private-computer?forum=winserverTS)

now its seems this does not work.

I have changed the code on login.aspx to reflect my wish to make the "Private" option radio buttonthe default selected one by adding checked="checked" to the proper Input section and removing it from the other, but it does nothing (and I restarted the website too):

                    <label><input id="rdoPblc" type="radio" name="MachineType" value="public" class="rdo" onclick="onClickSecurity()" /></label>
...

...

                   <label><input id="rdoPrvt" type="radio" name="MachineType" value="private" class="rdo" onclick="onClickSecurity()"checked="checked" /></label>
                 

I have also looked through the renderscripts.jsp file but I dont't see an option to make the default checkbox change.

So where is this option located now?

Thanks!

Hello,

We are required to disable TLS1.0 on all our servers and found that in one RDS deployment FIPS is enabled which is basically forcing TSL1.0 and 1.1 to be on.  In our config we have the broker, gateway, and rdweb on one server with remoteapps and full desktop sessions on 2 separate session hosts.

Only the broker has FIPS enabled. The Session hosts do not have it. All servers have the registry keys to disable TLS1.0, TLS1.1, SSL2 & 3, PCT and MPUH as well as disabled weak ciphers (RC2 RC4 DES etc). When we turn off FIPS on the broker/gateway we see that it can no longer manage the RDS settings for any of the servers in the RDS pool including itself.

In the System log we get SCHANNEL event IDs:

Log Name:      System
Source:        Schannel
Date:          6/19/2018 2:36:42 PM
Event ID:      36871
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      <removed>
Description:
A fatal error occurred while creating an SSL client credential. The internal error state is 10013.


Log Name:      System
Source:        Schannel
Date:          6/19/2018 2:56:56 PM
Event ID:      36874
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      <removed>
Description:
An TLS 1.1 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.


Log Name:      System
Source:        Schannel
Date:          6/19/2018 2:56:56 PM
Event ID:      36888
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      <removed>
Description:
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

We have a public (InCommon) cert signed with SHA256 (not SHA512 as I've read about issues with that) that has been working fine for over a year with FIPS on. Everything else we've found so far makes it seem like it should work, but it does not for us. We've even tried using IISCrypto and that makes no difference.

Any help in getting to th e bottom of this would be greatly appreciated.

I was creating a powershell script that finds the location of an office program executable in the registry of an rd server host and uses that to publish the application with the path (that exists on every rd server host):

[cmdletbinding()]
Param(
[Parameter(Mandatory=$true)]$alias,[Parameter(Mandatory=$true)]$collection,[Parameter(Mandatory=$false)]$broker=[System.Net.Dns]::GetHostByName(($env:computerName)).HostName,[Parameter(Mandatory=$false)][bool]$webaccess = $true,[Parameter(Mandatory=$false)][bool]$associate = $false,[Parameter(Mandatory=$false)]$fp,[Parameter(Mandatory=$false)]$friendlyname,[Parameter(Mandatory=$false)]$group)
$friendlyname="'"+"$alias Rapp"+"'"
$group="GG_RAP_$alias"
$groupspec= $env:USERDNSDOMAIN + "\$group"
$groups=@($groupspec)
$x=(Get-RDserver -role RDS-RD-SERVER -ConnectionBroker $broker)
#all registry ops need to be done on one of the rd servers
$rdh=($x[(get-random -Maximum $x.length)]).Server
$alli=invoke-command -ComputerName $rdh -ScriptBlock {gp -Path HKLM:\Software\RegisteredApplications}
$ToI=($alli.PSObject.Properties |Where-Object {$_.Name -Like "*$alias.*" -or $_.Name -Like "* $alias *" -or $_.Name -Like "$alias"})
$capabilities=$ToI.Value
$filep=invoke-command -ComputerName $rdh -ScriptBlock {if (!($fp))
  {
  $hkc='HKLM:\Software\Classes\' + $args[0].Name + '\CLSID'

   $clsid=(gp $hkc).'(default)'
 $app="HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID\$clsid\LocalServer32"
  if ($clsid) 
    {
    $fp=(gp $app).'(default)' #gives in a error if alias is not found
    #separate on parameters
    $fp=($fp -split " /")[0]
    }
  else
    {
    write-output "please specify filepath"
    exit
    }
  write-output $fp
  }} -Args $ToI

Write-Host "The following settings will be used to publish $alias : filepath $filep, usergroups $groups"
$filep=[string]$filep
New-RDRemoteApp -CollectionName $collection -Alias $alias -FilePath $filep -DisplayName $friendlyname -UserGroups $group -ShowInWebAccess:1 -ConnectionBroker $broker -Verbose

When executing this it invariably returns (for example):

"New-RDRemoteApp : The specified AppPath, "C:\Program Files\Microsoft Office\Office16\POWERPNT.EXE", is not valid. Specify a valid file path."

But when I execute the exact same command (placing write-host before the command in the script and copying the written command to the command shell), it works (for example):

New-RDRemoteApp -CollectionName FARM1 -Alias Powerpoint -FilePath "C:\Program Files\Microsoft Office\Office16\POWERPNT.EXE" -DisplayName 'Powerpoint Rapp' -UserGroups GG_RAP_Powerpoint -ShowInWebAccess:1 -ConnectionBroker BROKERFQDN -Verbose
VERBOSE: Fetching FTAs and Icon contents from endpoint: SOMEHOSTFQDN

CollectionName Alias          DisplayName              FilePath                         ShowIn CommandLin RequiredC UserGroups             
                                                                                        WebAcc eSetting   ommandLin                        
                                                                                        ess               e                                
-------------- -----          -----------              --------                         ------ ---------- --------- ----------             
FARM1          Powerpoint     Powerpoint Rapp          C:\Program Files\Microsoft Of... True   DoNotAllow           {OCMW\GG_RAP_Powerpo...

This is on a full server 2012 R2 deployment of RDS.

How come this does not work in a script?

Kind regards,

Leander Quintelier

So my problem is that we create a separate RAP for each client and we currently have over 600 RAP's now.  Using a script it takes over 30 minutes for it to create the RAP, using the RDG Manager console it takes 5 to 10 minutes.  We are trying to do this using a powershell script so that our techs can do this as well as Admins.  The techs don't have access to the MMC Console.  I have also noted that as we went past about 100 rules things started slowing down on creating the rules and as we add more it keeps getting slower.  We have 3 RDG servers and at 30 minutes plus for each server it takes quite a while to add one new client.

Is there a limit as to the the number of RAP's and CAP's that you can have?

Does anyone know of a way to speed this up? I would think that using powershell would be faster than using the console and the wizard.

Here is a snip of the script that pertains to adding a RAP.

$ResultRAP = Invoke-Command -ComputerName $Servers -ArgumentList $RapName, $RapPath, $RapDescription, $RapDescriptionPath, $GroupRDGUserFull, $GroupRDGServer -ScriptBlock {
    param($RapName, $RapPath, $RapDescription, $RapDescriptionPath, $GroupRDGUserFull, $GroupRDGServer)
    Import-Module remotedesktopservices
    New-Item -Path $RapPath -Name $RapName -UserGroups $GroupRDGUserFull -ComputerGroupType 1 -ComputerGroup $GroupRDGServer
    set-item -Path $RapDescriptionPath $RapDescription
}

Thank You to anyone that can help me out

Roy

Hello! First of all, i want to apologize for my bad english. i try my best

I got Windows Server 2012R2 installed as RDP server, server working in 2008R2 domain. Since it works as print server too, i try to hide some printers from RDP clients and give permissions on specific printers to specific users. 

To accomplish this, first thing that i did is took away print permission from group Everyone. Then i addPrinter1 and give print permission to, e.g, user1@domain.org. Then i addPrinter2 and give print permission to User2@domain.org, and so on. It works well, User1 can see only Printer1, User2 can see only Printer2, but when it comes to actually print something, it fails. Print task appears and then disappears in queue, but page is never come out of printer. 

In eventviewer i see event with ID 1000 every time i try to print. It says:

- EventData 

   printfilterpipelinesvc.exe 
   6.3.9600.17415 
   5450487e 
   hpxtpsdrvf8.dll 
   11.21.0.2275 
   519f521e 
   c0000005 
   000000000001421a 
   484 
   01d4086957291768 
   C:\Windows\system32\printfilterpipelinesvc.exe 
   C:\Windows\system32\spool\DRIVERS\x64\3\hpxtpsdrvf8.dll 
   94f23d50-745c-11e8-80e6-84ab6135b69d 

When i revert all permissions to default, and group Everyone got it print permission, printing works like charm, but every RDP user can see all printers connected to server. All printers are HP, most of them M125-127 MFP.

Any help appreciated. Thanks!

Where is the Remote Desktop Session Host Configuration tool in Server 2012 ?

This is an MMC snap-in found on earlier servers, even if RDS is not installed.  In Server 2012, even if the Remote Desktop Session Host role is installed, this tool is still not available.

I'm looking for the Server 2012 tool to adjust security settings like TLS authentication, High encryption level, choice of TLS certificate, NLA, etc.

Thanks!

hi dears

i wrote a .net windows application and used RDP8 activex on it.

i want my client enter username and password on remote windows screen but windows, prompt credentials for username and password. how can i disable windows security credentials prompt while RDP connection.

i use both windows7 and windows10.

thanks

Hi,

i am looking for a solution to monitor the stats of a rdp connection. There was a way to show the stats of a running RDP Connection at the Windows 2008R2 (Remotedesktopservice Manager > Users > Right Click a User > Status). But i dont find a way to do the same on a Windows 2012 R2 with a Remote Desktop Gateway. Im looking for the RDP Resolution. Also it would be good if there is a log of previous RDP Sessions, but i think that wont be logged. 

Thanks for your help :)