Hello Everyone,

If we deploy new RDS server in a domain contoso.com which already has existing RDS configuration with Licensing servers, will I be able to use evaluation licenses for the new RDS instead of choosing from existing Licensing servers to provide the licenses.

Regards,
Pramod

Atradius

So we've implemented a 90 password expiration policy here and it works but I have a handful of users that work remotely certain days of the week. One user just called me and mentioned that his password has expired as it told him when he attempted to RDP into his workstation but it failed to give him the option to change it so I had to do it for him. How can I resolve this? 

I came across this post from two years ago but was wondering if there was a way to accomplish it without disabling NLA?

https://social.technet.microsoft.com/Forums/windows/en-US/6c5b6e2b-d636-4c3c-961d-3b45bf51ec9a/no-chance-to-change-expired-password-when-connecting-to-rdp-server?forum=winserverTS

**Also in our server 2008 Group Policy there is no "Computer Configuration\Policies\Windows Settings\Security Options"

Hello,

I run a Storage report on file server and it showed me a lot of files with a location of $RECYCLE.BIN.

The strange thing is, that when I manually open the location $RECYCLE.BIN on a disk, it is empty (option to see hidden folder is enabled).

It seems that every profile has it's own recycle bin which is hidden somewhere.

I've tried to put some test file into my bin if it appears in $RECYCLE.BIN, but still nothing is there.

Thank you for any advice.

BR

Lukas

Hi all.  I'm seeing a lot of security articles this past year or more about how RDP is being attacked so much.  From a risk assessment standpoint I'm trying to understand what is 'reallY' happening, and then had some questions.  

So first, all the articles talk about RDP hosts being hacked into via brute force attempts.  Also, not one article that I've seen yet, makes ny mention of what people are doing to improve the situation.  

My scenario is I manage the occasional server, low-level small business stuff so there are no multi-server environemnt, no budget for RDS licensing, etc.  It's all RDP for me, the server admin, to get on there and do single-server tasks in non-AD environments.  

That said, here's my questions: 

• How the heck can anyone brute force an RDP host - has MS not yet implemented any kind of lock-out time-delay mechanism?  
• I typically have a port forward on the site Internet gateway to listen on a different port than 3389, then forward to the internal server.  Assuming port scans are not being done thru the whole TCP range, I imagine this is ok?  Granted I realize you can port scan from a botnet so your router would have to be able to detect anomalies and not just repeated attempts from the same IP, but let's assume there is no port scan mitigation in place.  
• Under WS2016 Standard host, from a Win 10 Pro client, is the session encryption good? 
• Lastly are there any recommended configuration options or white papers I should review to set RDP up so that it is secure enough to satisfy real world security needs?  I don't mean is it hack-proof as nothing ever is, but "good enough".  

And maybe one last question: if the answer is "dump RDP man", well, are there any recommendations for a stand-alone solution for remote access to client machines, but that also does servers? TeamViewer does not do servers it seems.  

Thanks!  

Hi,

our workstations with Windows 10 pro are in this weekend updated to version 1803. For main system we use RemoteAPP aplications on Windows server 2012R2 (Windows server 2012R2 is full updated). After update on client station are RemoteAPP slower, and  right mouse button is unresponsive, or react verly long time... 

It is a big problem for us.

PS: after replace mstsc.exe and mstscax.dll from older version Windows 10 is all OK. but this is not a solution.

Thanks.

Hi,

Ive recently deployed the HTML5 Web Client, at an existing RDS 2016 setup, using this guide:

https://custominterfacesolutions.com/html5-web-client-microsoft-remote-desktop-services-2016-steps-install-rd-web-client/

The setup contains 1 x RDWeb server, 2 x RDGW and 2 x Connection brokers.

A single public trusted wildcard certificate is used, for the entire RDS setup, containing the domain name, that the servers is belonging to.

Im able to login to the Web Client, and see all the published applications, that is available.

But when trying to connect, i then get an certificate error, containing the name of the Remote Desktop Session host...

Ive managed to find the certificate at the Session Host, containing the same thumbprint as the one on the picture.

Added the certificate to the trusted root cert auth, across all the frontend RDS servers (Web,GW,CB) - but that didnt help.

What seems to be the problem, since i cant find any solution to this error?

Remote Desktop can't find the computer "FQDN".  This might mean that "FQDN" does not belong to the specified network. Verify the computer name and domain that you are trying to connect to.

When I launch IE 10 and attempt connect to https://FQDN/Rdweb.  I get my icons for the Remote Applications.  When I click on any of the applications I first get RemoteApp windows that states "A website wants to run a RemoteApp program.  Make sure that you trust the publisher before connect to run the program.

I click Connect and get the error above.  This is on a PC that is in the domain so I don't understand why it's not working.

Setup

I have Server 2016 set up with Remote desktop Services.  Its primary function is to deploy one particular application, installed on the server, with RemoteApp.  The Configuration for the workstations is being pushed out with a GPO, and RemoteApp shortcuts are successfully being placed in the Start Menu.  We have approximately 50 Users utilizing this application, and for 95% of them this works perfectly.

Issue

While running the application on one monitor (right), under certain circumstances, the application will jump to the second monitor, maximize, and "appear" to be frozen (no response to mouse movements). We have a remote control software used for troubleshooting.  When we shadow the console on the users workstation, you can clearly see the application is open on the second monitor (left).  When we shadow the users' session on the server, the application appears to be maximized on the right.  Restoring the window restores the window to the right monitor, both on the workstation console (jumps) and server session, and regains control.

Attempted Resolutions

We have attempted video driver updates, alternate graphics adapters, complete windows updates, restoring older versions of mstsc.exe (for Windows 10 1803 users, per another hotfix), and switching primary monitors and resolutions.  The problem still arises.  Problem only exists for particular users for dual screens.  User A and User B have identical hardware and dal screens, but problem only exists for User A.  User C has a different make & model desktop, and User D has a laptop with a docking station, and both C & D experience the same issue.  We cannot duplicate the issue on workstations that aren't experiencing it already.

Hi,

Connection to a RemoteApp program from within an RDP session does not work if the user has a startup program defined in the user profile.

I'm using Windows Server 2012 R2. I used calculator as the RemoteApp program to verify that it's not a problem in my custom program.

1st scenario - works:

1. Connect to the server using RDP (no RemoteApp) --> Desktop opens
2. From the RDP session, try to make an RDP connection using RemoteApp. I'm using a pre-configured RDP file with remoteapplicationmode and remoteapplicationprogram parameters and I'm connecting to the same server in this example --> The RemoteApp screen appears and after entering credentials the RemoteApp program opens

2nd scenario - does not work:

1. Using an admin account, on the server, go to local user management and set a startup program for the user that is used for the test, cmd.exe for example (Environment tab --> Starting program --> Start the following... --> Program file name ="cmd.exe").

2. Connect to server with the test user --> cmd.exe opens

3. Try to connect with RemoteApp like step 2 in the previous scenario --> the RemoteApp screen appear but the program does not start, after a while the session closes.

I checked using ProcMon and the Event Viewer and I see that a connection is established, but for some reason the program does not start (rdpinit.exe should start the program, but it doesn't - I don't see any call for CreateProcess).

Is this a bug in Windows?

Thanks,
Gabriel

Hello, I have this problem and I have no idea how to solve it. Windows server 2016 has been installed for several months. Now for about a month there is a problem that for no reason during work it disconnects the remote desktopsand you can initially connect again until the end of the day but the next day, you can no longer connect through the remote desktop and the only thing that will help is the server restart. What can be done with it, had someone such a problem that after disconnect and after some time you can not reconnected?

All users connect from outside to this server. It has license for 4 users (and exactly 4 users are connecting to this server). And all four users has the same problem. 

Hola, tengo la siguiente situación:

1. Tengo instalada una aplicación en mi servidor de aplicaciones.

2. Esta aplicación la tengo publicada en mi Collection del servidor y desde un espacio de trabajo accedo por RemoteApp a dicha aplicación.

3. En esta aplicación debo configurar una conexión que apunta a un servidor el cual me permite traer la información requerida que se mostrará en la aplicación.

4. Según el punto anterior, tengo configuradas en la aplicación dos conexiones diferentes hacia el mismo servidor.

(Aquí inicia mi consulta como tal)

5. Requiero tener dos instancias de la aplicación ejecutándose en simultáneo. Una instancia de la aplicación se conecta a una de las configuraciones internas según el punto 4, y la otra instancia de la aplicación apunta a la segunda conexión configurada.

6. Cuando accedo remotamente a mi servidor de aplicaciones, puedo ejecutar las dos instancias de mi aplicación cada una conectándose a las configuraciones del punto 4.

7. Sin embargo, al intentar hacer esto ejecutando la aplicación desde el entorno de trabajo vía RemoteApp, ésta no me permite tener dos sesiones en simultáneo ya que dice que otro usuario está conectado.

Según mi análisis, cuando ejecuto la aplicación vía RemoteApp aparecen dos árboles de procesos y en cada uno aparece el .exe de mi aplicación, mientras que cuando ejecuto la aplicación en el servidor directamente solo hay un árbol de procesos donde aparecen las dos instancias .exe de la aplicación ejecutada.

¿Es posible que cuando ejecuto la aplicación vía RemoteApp los dos procesos .exe queden bajo el mismo árbol de procesos como cuando lo hago directamente en el servidor?

Espero haberme hecho entender.

Gracias.

Hi Guys

Seeking clarity if it's possible and anyone has come across this scenario.

We have a Windows 2008 R2 based RDS License Server that has free CALs. The installed CALs (CAL Version) read as "Windows Server 2008 or Windows Server 2008 R2 : Installed TS or RDS per User CALs".

My Windows 2008 / Windows 2008 R2 and even Windows 2012 R2 server RDSH servers are able to contact the license server and get license issued. However, I recently enabled RDSH role on Windows 2016 servers (the only other difference is that these new RDSH servers re in Azure and my license server is on-premises). The new Windows 2016 RDSH servers are not getting the license even after pointing them to the on-premises license server using Server Manager.

I've followed the article https://social.technet.microsoft.com/wiki/contents/articles/16164.rds-2012-which-ports-are-used-during-deployment.aspx to allow port communication through Network Security Groups (NSG) in Azure.

This is the error I see on the RDSH severs:

Is it even possible that the existing Windows 2008 / R2 CALs can be consumed by Windows 2016 RDSH servers?

If yes, what else could be the cause of the issue and possible fix.

Thanks

Taranjeet Singh

zamn

Hi Guys,

Will it work if add an RDSH 2016 to my RDS 2012 R2 Environment?

Just to clarify as it seems I'm unable to make my additional RDSH 2016 to work. It can hosts RemoteApps but I cannot launch any of it. It says:

This computer can't connect to the remote computer.

Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator.

So out cert expired on our ADFS and we did not change it in time. this is now fixed but after this we cant connect to TS servers from outside company. Internal access is working fine.

Error from outside: Your computer can’t connect to the remote computer because authentication to the firewall failed due to missing firewall credentials. To resolve the issue, go to the firewall website that your network administrator recommends, and then try the connection again, or contact your network administrator for assistance.

Anyone have an idea? i get only a few hits on google

I work as a "systems engineer" supporting a whole bunch of different customer environments. Lately I have been battling with this issue where in the end (and what I am having to do yet again tonight) the only working permanent fix is to nuke all the shared printer BS, clear out all the drivers and connections from the existing RDS Host, and manually install the printers locally.

The issue is the customers users will have their defaults set. In the case of using RemoteApp this can be a huge pain to get right but we do usually just through publishing the "devices and printers" Control Panel as a RemoteApp. So all good, default is set, you can close that, go back in and confirm, open applications confirm they have the right default all OK.

To confirm usually at this point we have used GPP Printers to create the printer connections. We do so we the CREATE options, with it set to "RUN ONCE AND DO NOT REAPPLY" and enable "RUN UNDER LOGGED IN USERS ...".

At some random point later the users start reporting that their set defaults are no longer defaults. It will have changed to the Microsoft OneNote Printer or the Microsoft PDF Printer.

Ok, so then at that point despite all the GPO stuff being set correctly that it should not interfere, connections should never be "updated" or "recreated" we turn that off. We just delete the link to the GPO containing that. So would expect to fix it.

But NO. The issue just keeps happening.

So.. There is very clearly something at play on 2012 R2 and 2016 where for some reason the shared printer connections "recreate" or "refresh" even for the smallest split second at some point, and when this occurs because Windows sees no other connections present it defaults back to one of the local printers, apparently whichever is first alphabetically.

So.. Then we are stuck where we are implementing something by fucking letter that Microsoft say should work, but we then look beyond incompetent to the customer. I look stupid to my colleagues, because despite being told 10 years ago to use local printers then on a Terminal Server because GPO is just too unreliable I say "no, this is meant to work, this should work because MICROSOFT SAID IT WILL".

I have said before and I stand by it. You (Microsoft) make me hate my job. You make my job so unnecessarily complicated and BS. You make me have to stress about stupid shit like this. I mean... It's printers guys. This is simple shit and you incompetent children still can't get printers right. Like, we still have almost 20 year old tools around print deployment... Why isn't there something I can just say "give these users these printers" and it just work? Why are you not innovating in anyway on any of this? Why do you fire a QA team that would probably of picked up on whatever bug whatever update you released has probably kicked off this issue?

Just fix this. it's childish. its a joke. Do your jobs and fix this.

We are using Horizon View to present Windows 10 VDI Desktops to our users.  We have a Standalone (not integrated to AD) Microsoft File cluster with two Server 2012 boxes connected to shared storage.  This MS File Cluster presents shares to our user's desktops and Windows 10 VDI desktops.

While in the office, our users access files from the fileshares.  In order to prevent users from saving documents from the shares locally on the VDI Desktops, I am trying to redirect the "my documents" folder on all my Windows 10 VDI Desktops to our fileshares.  In other words, whenever they try to save to or open a file from "My Documents", I want the fileshares to be listed instead of anything in "My Documents". 

I have tried two methods:

1. Created a Group Policy that sets "Basic (Redirect everyone's folder to the same location)" and the location is "\\fileshare\root".  Our users have access to various folders off of the root, so normally they only see what they have access to.  This does not work.  I get 1085 & 1112 errors in the event log on the Windows 10 VDI desktop.  Another thread told me the "Domain Users" need full access to the destination path.  I tested that with one test folder and then it works, but I cant do this because my users would have access to all the folders.

2. I used a reg file to make changes to:

Can anyone offer any advice on how to get this working?  Our shares are already created and I cant have the users creating new shares just for VDI.  Any advice is appreciated.

Hi,

Remote Desktop Connection Broker won't accept remote connections when i dig out i found following problems

1-Remote Desktop connection broker service stopped as server restarted at midnight due to schedule updates.

2-In event logs i found the following error

Pooled virtual desktop collection name: NULL
Error: Logon to the database failed.

When i started broker service its start working but again after 10 to 20 days same issue reoccurred.

Since 2014 RDS2012 working fine and i am facing this issue from last 5 months.

I have added Adding the broker to "Windows Authorization Access Group" still problem exist.

Please help me out how can resolve this.