Step by Step Windows 2012 R2 Remote Desktop Services – Part 4

A step by step guide to build a Windows 2012 R2 Remote Desktop Services deployment.

Part 4 – Publishing RemoteApp programs.

If you missed the previous parts:
Step by Step Windows 2012 R2 Remote Desktop Services – Part 3: Adding Session Hosts and Load Balancing session collections
Step by Step Windows 2012 R2 Remote Desktop Services – Part 2: Deploying an advanced setup
Step by Step Windows 2012 R2 Remote Desktop Services – Part 1: Deploying a single server solution

I’ll be using the setup I demonstrated in Part 2 – Deploying an advanced setup because this setup was still on my Windows 8.1 Hyper-V setup. As a reminder, here’s the setup again:
RDS Deployment - RemoteApps 01

Everything is up & running, so this guide won’t be focusing on building the Remote Desktop Services deployment itself.


Perparing for publishing a RemoteApps collection
By the end of Step 2 in this series I had a Full Desktop session collection fully functioning. To prepare the lab for RemoteApps I can simply click the Full Desktop session collection and click the “Publish RemoteApp programs” link as shown in this screenshot:
RDS Deployment - RemoteApps 02
Doing so will convert the Full Desktop session collection to a RemoteApp programs collection, as mentioned in the remark below the link.

Publishing a RemoteApps collection
Click the Publish RemoteApp programs link.

Select RemoteApp programs
RDS Deployment - RemoteApps 03
Immediately you are presented with a list of available applications. If you have multiple servers in the collection pay attention to the text I highlighted in the screenshot.
If you want to publish programs that are not in this list use the Add button to browse to the program you want to publish. Note that you need to browse to a UNC path, not a local disk on the RD Session Host.
I selected Calculator, Paint and Wordpad.

As you can see, Notepad is missing by default.
Click Add.

RDS Deployment - RemoteApps 05
Browse to \\itwrds04\c$\windows\system32 and select notepad.exe there.

If I browse to C:\Windows\System32 and select notepad.exe:
RDS Deployment - RemoteApps 04
So browse to Notepad.exe using the UNC path and click Open.

Click Next.

RDS Deployment - RemoteApps 06
On the Confirmation page you can see the UNC path is no longer visible, but is now shown as the actual path.
Click Publish.
The applications you selected will be published.

RDS Deployment - RemoteApps 07
Click Close.

Server Manager
RDS Deployment - RemoteApps 08
You’ll return to Server Manager and you can see the applications that were just published in the RemoteApp programs sections, including basic properties like Alias and Visible in RD Web Access.

Let’s finish the collection.


Finishing the RemoteApp programs collection
Server Manager
RDS Deployment - RemoteApps 09
In the properties section for the Full Desktop collection click Tasks and then click Edit Properties.

Session Collection
RDS Deployment - RemoteApps 10
Rename the collection to something more meaningful than “Full Desktop”. Also notice that “Show the session collection in RD Web Access” is now greyed out since it’s no longer a session collection.
Click Next.

User Profile Disks
RDS Deployment - RemoteApps 11
Review the settings in User Groups, Session, Security and Load Balancing, and adjust the settings in each section to your likings.
In User Profile Disks I changed the profile disks location to a different folder. Although that’s not really necessary in this setup it’s good practice to give each type of collection its own location for profile disks. Especially so if you’re planning for multiple types of collections in a single deployment. The reason I do this is because profile disks can’t be shared across types of collections. That’s right. You can’t. This means that if you have a deployment that supports Virtual Desktop Infrastructure (VDI), Remote Desktop session collection(s) and RemoteApp programs, you’ll have three different profile disks for each user. In deployments with a large number of users you’ll quickly see the need for a nice little tool like Sidder ;)
Click OK.

Now log in to the RD Web Access:
RDS Deployment - RemoteApps 13
It works, but we’re not done yet.


Editing a RemoteApp program
When we added Notepad.exe in the Wizard it created a RemoteApp called “notepad”. Let’s use this RemoteApp to demonstrate what we can manage for RemoteApps.

Server Manager
RDS Deployment - RemoteApps 12
In the RemoteApp programs section, right-click notepad and click Edit Properties.

RDS Deployment - RemoteApps 14
On the General page we can edit several attributes for our notepad RemoteApp.
We can change the RemoteApp program name. This is the name that is displayed in RD Web Access. Change this to “Windows Updates Log”.
We cannot change the RemoteApp’s alias here. You can only change the alias by deleting the RemoteApp and re-creating it using Powershell. More on that later.
We cannot change the RemoteApp’s program location here.
We cannot change the current icon here.
We can select to hide or show the RemoteApp in RD Web Access.
And we can select a Folder for the RemoteApp. If you click the dropdown menu you’ll notice it is empty. Don’t worry, just type in the folder name. Enter “Logfiles” here. This is the way to add new folders. If you have created folders before, you can select them using the dropdown menu.
Click Parameters.

RDS Deployment - RemoteApps 15
If your RemoteApp program needs any parameters to run, this is the place to enter them. Enter “c:\windows\windowsupdatelog” for this one.
Click User Assignment.

User Assignment
RDS Deployment - RemoteApps 16
You can fine-grain user assignment on RemoteApp program level. For example, you can publish the complete collection to Domain Users, but limit this application to Domain Admins or Log Admins. In this case the Logfiles RemoteApp folder will be hidden for Domain Users as well, since this is the only application in this folder.
Review the remark in the bottom of the screenshot.
Click File Type Associations.

File Type Associations
RDS Deployment - RemoteApps 17
You can set desired File Type Associations for your RemoteApp program here. Take notice of the remark when you scroll down. What this means is that associations will only take effect if the RemoteApp is started through “Connected RemoteApp and Desktop Connections”, and not if you start it using custom RDP files, or through RD Web Access.
Since we just changed this one to publish the Windows Update Log, we don’t need any File Type Associations, I’ll get back to this later.
Click OK.

Review the list of RemoteApp programs and notice the change in RemoteApp Program Name:
RDS Deployment - RemoteApps 18

Refresh or log in to the RD Web Access and review these changes:
RDS Deployment - RemoteApps 19
Here’s the folder we entered.

RDS Deployment - RemoteApps 20
Clicking the folder shows the RemoteApp we just published.
Note: if you want to customize views like these, check out another step by step series I am publishing.
Click Windows Updates Log.

Windows Updates Log
RDS Deployment - RemoteApps 21
And it works.

Using Powershell to manage RemoteApp programs
Get-RDRemoteApp ( is used to list properties for RemoteApps.

Get-RDRemoteApp -alias "wordpad" | fl

Set-RDRemoteApp ( is used to set properties for RemoteApps.

Set-RDRemoteApp -Alias "wordpad" -DisplayName "WordPad - Renamed"

New-RDRemoteApp ( is used to create a new RemoteApp in a certain collection.

New-RDRemoteApp -CollectionName "RemoteApps" -Alias "regedit" -DisplayName "RegEdit" -FolderName "Admin Tools" -FilePath "C:\Windows\regedit.exe"

Remove-RDRemoteApp ( is used to remove a RemoteApp.

Set-RDRemoteApp -CollectionName "RemoteApps" -Alias "wordpad"

Get-RDAvailableApp ( is used to list available applications to publish in a collection.

Get-RDAvailableApp -CollectionName "RemoteApps"

Get-RDFileTypeAssociation ( lists the filetype association(s) for a certain application.

Get-RDFileTypeAssociation -AppAlias "wordpad"

Set-RDFileTypeAssociation ( is used to set the filetype association(s) for a certain application.

Set-RDFileTypeAssociation -CollectionName "RemoteApps" -AppAlias "wordpad" -FileExtension ".txt" -IsPublished $True -IconPath "%ProgramFiles%\Windows NT\Accessories\wordpad.exe" -IconIndex 0


And that concludes this step by step on publishing RemoteApp programs.

In the next part of this series I will show how to use and configure the “Connected RemoteApp and Desktop Connections” in combination with this setup.


20+ years experience in Microsoft powered environments. Enjoy automating stuff using scripts, powershell, and even batch files. In my free time (hah! as if there is any) I hunt achievements and gamerscore on anything Xbox Live enabled (Windows Mobile, Windows 8, Windows 10, Xbox 360 and Xbox One). When I'm not doing that I enjoy traveling or riding my Yamaha R1 on the edge ;)

Tagged with: , ,
Posted in Remote Desktop, Step-by-Step guide, Windows 2012 R2
126 comments on “Step by Step Windows 2012 R2 Remote Desktop Services – Part 4
  1. Dennis says:

    These articles are really good – I have read many on this subject. My question is if you have an article on deploying client desktops to the lab created here. I built the lab described in these 4 articles, but I want to deploy some session based windows clients in the collections. It would be great to see if you have an article like that.

  2. Harshad Lokhande says:

    Hi when i launch a app it pops up for user name and password but it also needs domain name it it i want to remove domain name from it or just launch the app with login of main page without reentering it second time

    Please help

    Thanks in advance

    • Philipp W. says:

      same Problem here, but i think that Problem occurs just in older Windows Versions like Vista… Let me know when you have a solution. thx

  3. Carlos says:

    Great Article and very helpful but I’m still confused on hos to load balance RD Web access. It is very cool to load balance RD session hosts and Connection broker high availability but what good is that if my RD web access server is down? The users won’t be able to see the applications. Do you have any ideas? Your help will be much appreciate it.


  4. Ray says:

    Great set of articles, i have read and made use of them.

    I have one question, is there a way to include a complete VDI solution along with the published app solution coming from the same broker?

    • Arjan Mensch says:

      Hi Ray,
      Yes there is. You need to go through the Add Roles and Features wizard for RDS again, but this time choose the VDI option. Gateway, Webaccess and Broker are shared. So you can have 3 kinds of collections: Remote Desktop, Remote Apps, and VDI using the same Web Access, Gateway and Broker.

      • Ray says:

        Thanks for Info Arjan.
        I have as of yet not been able to test the VDI solution as I’m still waiting on resources to be freed up.

        A couple of follow on questions if I may. Would I be better off adding a clustered Hyper-V set of servers or just separate Hyper-V hosts as you do with just a hosted session? Would I be able to add a cluster to be honest?

        I wondered, as a clustered environment will get to share storage where as I will have to allocate storage to each single Hyper-V host.

        Also is there a specific method for adding VDI hosts?

      • Arjan Mensch says:

        Hi Ray,

        You can just use the wizard to add hosts, and why would you add clustered servers? I’d use local storage for VDI anyway :) If that is not an option I don’t see why not.

  5. Mark Lasky says:


    If I left this question on the site already please forgive me. I don’t see it listed. I was able to finish all the labs with great success. Again thank you so much! I do have one question that is unrelated to any of the labs but I thought you might have an answer for me. I can connect to any remote PC using RDWEB when I am connecting to it from inside the LAN. I can not connect to any remote PC’s from the internet. I can connect to the Full Desktop on the session host inside and outside then network. I just can’t connect to any of the remote PC using RDWEB from outside the lan.


    Mark Lasky

    • Arjan Mensch says:

      Hi Mark. I think you need to add extra resources you want to connect to through RDWeb to the resources group in the RD Gateway’s RAP.

      • Mark Lasky says:

        Ok I tried that already but I will take a harder look at that tonight. Seems like I am not the only one that has had issues in this regard. I see others fighting the same issue when I Google it.



      • Arjan Mensch says:

        Another thing you can try is entering the gateway in the IIS App settings. By default it’s a blank entry. Published resources like desktops and applications get their gateway setting from the collection.

      • Mark Lasky says:


        Where would those settings be in IIS? I am looking at the IIS settings on the machine I have setup using the web access role. I am guessing that the settings will be on that machine but not sure where in IIS those are located.



      • Arjan Mensch says:

        Open IIS manager and navigate all the way to the /RDWeb/Pages node in the tree on the left. Then doubleclick Application Settings in the middle pane. The setting I mean is called “DefaultTSGateway” and it’s blank by default. Not sure this will solve your problem though, but it’s the first thing that comes to mind.


      • Mark Lasky says:


        I tired those settings and still no luck. Everything I am reading seems to point to a certificate issue. I will keep attacking this and let you know if I am successful.

        I never give up! Ever! lol


  6. Mark Lasky says:


    I will give that a try that sounds promising! This is not a show stopper for me but I am a curious guy and would love to get it working.

    Again thanks for your help….


  7. Mark Lasky says:


    I found the settings … I was on the right machine just was unsure. I will let you know if this gets the Remote PC Feature working.


    • Kay Jarchow says:

      Hi Arjan, hi Mark,

      first of all: Great HowTo! Deploying the desktops works fine here. What does not work is opening of the remote apps. Probably the same problem as Mark has.

      I want to ask Mark if he has already found a solution. I have the feeling I’m looking for a needle in a haystack. ;)

      Best Regards

      • Mark Lasky says:

        Hi Kay,

        I was having issues with the remote pc not the remote apps. I have the remote apps working but have not been able to get the remote pc feature working yet. I am going to revisit that this weekend when I have more time


      • Kay Jarchow says:

        Hi Mark,

        thanks a lot. I will also look further.


      • Kay Jarchow says:

        Hi Mark, hi Arjan,

        A hint in the MS TechNet Forum pointed to the right direction. I already checked the Event Viewer but one message was overlooked by me. A message about issues of the VGPU. For the complete destop this was no problem but for the Remote Apps it was. In my test server a DirectX 11 capable graphics board is plugged in and I configured a RemoteFX “board” in the Hyper-V master VM.

        Now I deleted the RemoteFX “board” from the virtual computer and … *tadah* … it works.

        Best Regards,

      • Mark Lasky says:


        Thanks for the tip. That makes perfect sense. I am still fighting the ability to access other computers through RD Web. I am pretty sure it’s a certificate issue but still no luck.


      • Arjan Mensch says:

        Thanks for posting back on this, glad you fixed the problem!

  8. Dale Randle says:

    Is it possible to scan images from a remote desktop session? Example, if I open in a Remote Desktop session, and open Paint, then select “scanner or camera”—then I can scan from a scanner attached to my remote desktop computer. Is that possible? I thought they improved that in 2012R2.

    • Arjan Mensch says:

      Hi Dale,
      I cannot say. I don’t have any hardware to test that with yet. Will look around and ask some friend, see if I can come up with something.

    • Arjan Mensch says:

      I now tried it with a HP Photosmart all-in-one device: no go.
      I also tried my Lumia 820, which can be used in Paint to acquire an image: no go.

      If there’s anyone out there who can try other devices, please do and let us know the results?

      • Allan Lace says:

        I have not come across this as a native feature in Terminal Services yet. We found that TS Scan from TerminalWorks ( is a reasonable solution, and as far was we know, the only way to translate TWAIN compliant scanners (that would show up in Paint & the like) from a client workstation to a remote Terminal Server.

  9. David says:

    Thank you for the awesome articles. The holy grail for me would be, if I can publish a Windows 2012 Server application on the users local desktop and then get it to use the local desktop MS Excel and MS Outlook instances. So to clarify, We have a published accounting package on the server, being accessed by a local user that wants to email from the accounting package using the local MS Outlook profile. So in theory it works the same as mapped printers and drives when you create a RD session.

  10. Joe says:

    This is a great site and had the best WS2012R2 info I have found–Thanks!

    I am looking for some guidance on configuring RemoteApps that use ClickOnce deployment in WS2012R2. I have read WS2012R2 supports it, but have not been able to find any guidance on how to actually get it setup. I have been able to get this to work by publishing the setup.exe of a ClickOnce deployed app on the session host but this does not seem correct to me. The RemoteApp publish function still does not let an ‘.appref-ms’ file to be published. I have installed the ClickOnce app on the session host, and published the user installed RemoteApp and this does not work or seem correct either. Any guidance would be greatly appreciated. Do you know what is considered best practice for configuring ClickOnce deployed RemoteApps?

    • Arjan Mensch says:

      Hi Joe.
      Let me start by saying I don’t like ClickOnce applications ;)
      That being said, I have very limited experience with them.
      I have exactly one customer that uses a ClickOnce app, and they have a full desktop published, not Remote Apps.
      To get the ClickOnce app to work for them I installed it as an admin on the Session Hosts, and then copied the shortcut to the redirected startmenu.
      When a user starts the ClickOnce app for the first time it “installs” the app, but doesn’t start it. Each subsequent time the user starts the app it will check versioning and such, and then starts the app. If the app is updated and the user starts the app, it will install again, but not start.
      I have no idea if the same method works for RemoteApps..

      Hope this helps :)

  11. Allan Lace says:

    Hi Arjan,

    Most informative articles on configuring RD that I’ve found on the web. I’m developing this for my company & have been following along with your blog posts with great success. I have one hang-up however – for some users, the RD Web portal / Control Panel link has no remote apps, while for others, they have all the apps in the collection. Security on the collection is set for Domain Users, and apps inherit the security from the collection. Everything look right as far as I can tell. Do you have any ideas?

    Looking forward to more of your posts!

  12. Adam Sova says:

    Arjan, great guide!

    One question (thou I gues it will be covered in part5 :) :
    We (Company1) are clients of Company2. On our PCs we use COmpany2’s RemoteApps and have added Company2’s RDweb webfeed.aspx to Work resources. We have PCs with Windows 7 SP1 Pro and all windows updates. PCs are not domain joined to Company2’s domain (they are domain joined to our Company1’s domain). All 3 published apps are working but we have to enter password (in credenitals re-prompt … Company2domain\user is prefilled there so only password is needed) each time we click app shortcut (placed on our users desktop) after user logoff/restart pc. When I look in our user’s “Windows 7 credentials vault” these Company2’s domain credenitals are stored there.

    Is there any way (GP, PS scripting or such) to connect automatically to this Work Resource using vault’s stored credentials on/before app shortcut click?


    • Arjan Mensch says:

      Hi Adam.
      I have (as of yet) not tested this kind of setup. I do know however, there’s no way using GPO or PS or any other script to insert credentials and make it work.
      Not sure if there’s something broken in your setup, like I said, need to do some testing on this some day.
      And no, this will not be part 5 ;)

  13. Alex says:

    So much fun Arjan great post!

    let me ask u when i tried to acess to Remote app programs as a client through the web acess it stil ask me about untrusted certification , if u get me exatly need ur hints . Do i still need some ceritificate configuration to the RD session Hosts.or did i miss something or any possiblity to sign the app programs With cerificate in Windows server 2012 R2

    • Arjan Mensch says:

      Hi Alex,
      You need a certificate on the Broker that is trusted by the clients that start RDP files from the Web Access interface. That’s why I configure even a single broker as HA because then I can use an externally routable FQDN and a trusted 3rd party certificate on the broker.
      The broker signs the RDP files. It is possible to sign them yourself, but even then you need a certificate that is trusted by non-domain joined external clients. Save yourself the hassle and use a 3rd party external CA to get a certificate.


  14. Brad Morris says:

    Love these articles. But would I would like to see is a deployment on Multi Nic server. As in the RD Gateway/Web server has a nic in one public facing VLAN and a second nic in a Private facing VLAN.


  15. Andreas Altermann says:

    Is there a solution or guide how to enable SSO ? Because after Login in RDWeb the users must repeat their credentials if they are starting the published RemoteApps.
    Thanks for help.

  16. Max says:

    Hey Arjan,

    Thoroughly enjoying this series, it’s extremely informative and makes deployment easy when someone else can work out the steps for you!…. Wondering if you’re still planning on continuing it? Max

    • Arjan Mensch says:

      Hey Max,
      As time permits I spend it blogging here.
      Currently testing some VDI setups, but nothing major at the moment.
      I expect to blog about branding next, but don’t hold your breath :)

  17. pob579 says:

    is there part 5?

    I published apps. Works fine in RDWEB.
    I need to publish app icon on Windows 7 machines from RDS 2012 R2.
    Will appreciate step by step including (certificate, web feed, gpo – all what is needed for seamless icon distribution in large W7 environment.


  18. Tony Woodhouse says:

    Hi Arjan.. I need to create 2 RDSH, and have them be accessible from the internet. What would be the best way to go about this??

    • Arjan Mensch says:

      Hi Tony,
      You need to create a WebAccess server, which you can combine with the Gateway role and the Broker role. Install SQL server (express) on a different server, but not on the session hosts. Installing SQL express on a DC just for the RDS setup is fine by me. Add 2 servers as session hosts to the setup and add them to a single collection.
      Another server needs to hold the broker rol

      • Tony Woodhouse says:

        So do I need two broker servers as you mention?? Also if I combine WA/GW/Broker do I need 1 ssl cert?

      • Arjan Mensch says:

        Hi Tony,
        No. One Broker is enough. You only need 2 if you want HA.
        Recap: 1 server: WebAccess with Gateway and Broker combined, 1 server with SQL (Express) and Licensing combined, can also be on a Domain Controller, 2 servers with Session Host role, in a single collection.
        And yes, if you use the same FQDN you can use just 1 ssl cert, or if you use multiple names, you can use 1 single wildcard ssl cert. As long as WebAccess and Gateway use the same FQDN and cert when you combine them on one server, you’re oke.

      • Tony Woodhouse says:

        Brilliant… Thanks Arjan

  19. I have set this up in production. We have successful remote desktop sessions on one collection of 2 load balanced rdsh servers. I created a second collection for rdweb. The rdweb collection has one server in it which runs the rdweb, rdsh and brokers roles. My problem is that I publish apps but the rdweb page remains blank. No users, not even the administrator can see them. I’ve not been able to figure this out. Looking for some ideas on why this would be?

    • Arjan Mensch says:

      Hi Amy,
      Recap: you have a working Session Host collection of 2 servers, and you added another server to the same deployment, but this server is Web Access server, and broker, and on top of that this one server is in its own Session Collection?
      Try uninstalling or removing the session host role from that server. Remove the collection with the two session hosts in it, and recreate that collection.

  20. Pavel says:

    Anybody know and see working, how can configure Windows XP+sp3 to use published Remote Apps 2012?! thank you.

  21. Lee says:

    Do you have a step by step for pooled sessions and/or personal VDi?

    • Arjan Mensch says:

      Hi Lee,
      Since I don’t have the proper hardware in my lab at the moment I can’t create a guide for that (yet). I will however be able to do that once my new hardware arrives.

  22. Kandan K says:

    Hi Arjan,

    I have deployed the RDS on the windows azure , But everything conifgured correctly as per my knowledge, but only one issue facing now , Like I able to access the RDS web inside the Windows azure, But try to connect through internet RDSweb is accessed but unable to open any published app’s in the webpage but inside the internal network its working fine,

    The error shows ” unable to connect remote desktop”

    I think have missed small configuration some where, can you please help here why we are unable to access the app’s from external network.

    Kandan K

    • Arjan Mensch says:

      Hi Kandan,
      Only reasons I can think of would be that you are not using a fully patched RDP client, or that your Session Host(s) are not added to the RAP in the Gateway.
      I’m not using Azure for RDP, so not sure if there are other things to consider.

  23. Dennis says:

    Hi guys! Been a while – I am working on licensing for a production machine – I am going to add an RDS ECL for the solution, but I am wondering about user on the domain. Will that license grant RDS access to internal domain users?

    • Arjan Mensch says:

      Hi Dennis,
      As far as I know the ECL is for allowing external entities access to your servers. I’m not sure if you can even add ECL to the RDS License Server. If you can, I doubt it will be valid for domain users as the license overview explicitly states ECL is for non company (external) entities.

      • Dennis D. Warren says:

        you are right – basically I am trying to find a way to do unlimited licensing for RDS users.

        Sent from my iPad

  24. Thomas says:

    Hi Arjan,
    first thank you for your very good step-by-step guides!!!
    But I have still one big issue. When I want to save a file to the server local drives it works fine, but when I want to save a file to my local drives it works, but it is soooo slow – it takes minutes. :-(
    (Also after I published one app directly from the RD Gateway Server it is slow. Within Remote Desktop/ mstsc.exe it is fine, not slow.)
    Is this because of SSL/https? Is it normal!? Where is the (main) difference between RD Web Access and RD Session/mstsc?

    All, thanks in advance for help! And a nice day!

    • Arjan Mensch says:

      Hi Thomas,
      Saving files over RDP is only limited by the available bandwidth. RDP expands until maximum bandwidth is reached.
      RD WebAccess is only a web portal. Once the application is started you really use the same processes / protocols as mstsc.exe, with the only difference being RDP tunneled through HTTPS (443). Again, this is limited by available bandwidth.

      • Thomas says:

        thanks a lot!
        I learn the following things in the last days.
        RDP 7.0 is so slow, we have to wait minutes for a few MBs.
        The time difference between saving a file to a direct mapped drive using TCP (not the redirected drives within RD) – about 16 sec. – and a redirected local drive with RD – about 50 min!!! – is huge. Could this be normal!?
        RD Web Access with RDP 8.0 without UDP activated is slow as RDP 7.0.
        RD Web Access with RDP 8.0 and UDP activated is needable fast. However the transfer connection stops after about 10-30 sec. I have no idea why. You can see this in the process bar of our application and also in the Server Manager. The connection seems to be ok, but the increasing of the kilobytes stops. The same with published Wordpad.
        I asked our firewall and network Experts, everything ok. Bandwidth is also good.

        So my question:
        * is the speed of the RD Web Access with RDP 8.0 without UDP activated and RDP 7.0 really so, so slow!? (We wouldn’t like to update every Client and we wouldn’t like to open then UDP port.)
        * is within RD Gateway a timeout setting that the transfer stops RD Web Access with RDP 8.0 and UDP activated?

        Some ideas? I’m more than happy about a hint or the reason for this problem,
        thanks in advance and have a nice day,

      • Arjan Mensch says:

        Hi Thomas,
        16sec vs 50min seems like an awful big difference. I have experienced slow copy times as well, but this seems too much to me.
        File transfer over RDP suffers from QoS settings, and it is much slower by design (encryption / decryption of data).

        In my experience Copy / Paste is MUCH slower than Drag / Drop. Copy / Paste is also what causes the copy connection to break (clipboard is used, data is encrypted / decrypted over RDP, memory consumption, etc).

        Try this for the copy process:
        – 1. disable local AV for testing purposes (maybe exclude one folder and RDP copy to that folder?)
        – 2. Instead of Copy / Paste, open Explorer on the remote desktop and use Drag / Drop between the host and your mapped local drives.

  25. Thomas says:

    Arjan, (all)
    I can’t still believe my result of today.
    But I double checked the results!
    Now I’m wondering if the redirected drives of RD is still in beta status or if there is a bugfix /update?
    I have Win7 SP1 and installed KB2574819, KB2830477 and KB2857650; on server site (2012R2) I did nothing.

    My results of this day:
    For every try I used the (published) Wordpad and the same 18MB file form MyPC/server from which I started the published wordpad. I opened the file from and saved it to a different folder which was a redirected drive in RD. Used RPD 8.0 and UDP was activated. All used servers (RD Gateway, Session Host and Client) are 2012R2.
    * Wordpad as RD App within the RD Web Access (with RD Gateway):
    + Open: 318 sec != > 5 minutes!!!
    + Save: 36 sec
    * Wordpad as RD App with RDP file (mstsc.exe with RD Gateway and set ‘start a program’ to open the same Wordpad from the application server)
    + Open: 300 sec!
    + Save: 39 sec
    * Wordpad as RD App with RDP file (mstsc.exe withOUT RD Gateway ). This time from a different server in the same network/VLAN, no RD Gateway needed.
    + Open: 289 sec
    + Save: 28 sec
    * Same like before but with RD Gateway and Bypass activated
    + Same result
    * Same like before but with RD Gateway and NO Bypass
    + Open: 120 sec!!!
    + Save: 10 sec!!!
    * Wordpad in a RD Session mstsc.exe (with RD Gateway, ‘start a program’ not set) (+ start Wordpad + copy file in File Explorer)
    + copy (normal copy/paste) test file from redirected MyPC C drive to local server C drive within normal Remote Desktop session (with desktop!): 1-2 sec!!!
    + Open test file in Wordpad from local server C drive: 1-2 sec
    + save in Wordpad test file: 7 sec
    + Copy back to redirected myPC C drive: 3-4 sec
    * Comment: ‘copy/paste’ and ‘drag/drop’ speed is equal

    I have for almost nothing a explanation.
    My Questions:
    * Why is the time difference between an ‘open file’ in Wordpad from a redirected drive so slow and a ‘copy’ from a redirected drive so fast!?
    * Why is NO Bypass so much faster than no RD Gateway (direct way) and also so much faster then with RD Gateway and with Bypass!?
    * Why is the way through our firewall so much slower than in the same network/VLAN?
    (This is the only thing I could understand, but everything is intern and the bandwidth for this should be more than enough.)
    * Is the use of the redirected drives really so slow!? How do you use your published applications? With the server drives!? I think the access to the own local drives is essential, isn’t it!?
    * Has anybody some similar results? How fast is it, when you open a file (about 18MB) from your redirected local drive within Wordpad?

    During these tests I had no stops of the data transfer. Maybe our application can’t work with such a slow data transfer.

    Yes, it is a lot of text. However I hope so it is easier to understand the challenge.
    I appreciate every hint, help and answer, also additional question.
    Thank you,

  26. Adam says:

    Is there a way to set it up to start with a specific program when a user remotes in? In windows 2003 we have it set up so that when a user remotes in a specific program starts automatically and if they close that program the session ends.

  27. Steve says:

    Great post! I do have one question though. When I log into and publish web applications, it all looks great. But when other admins log into the same server, they see nothing in server administrator. How can I set this up for all administrators to see the same list of published applications and server settings?


    • Arjan Mensch says:

      Hi Steve,
      Since that is a per-user setting (server manager with multiple servers added) you could see if you could change this in the default user profile.
      Other than that, I don’t know. And really, how much effort is it to add some servers to server manager? ;)

  28. Joe A says:

    Hi again Arjan,

    Now that I’ve got the RDS infrastructure up and running in my organization (thanks again to this wonderful guide), I have some follow-up questions that I’m hoping you can help me with:

    1) My setup is solely to expose Remote Apps to end-users from their browsers, so I really only care about RDWeb, which is up and running well. I see that users who have access to RDWeb applications, can also connect to the server directly via an RDP client and poke around the server. This is pretty scary to me, because even though, I’m not telling end-users about their ability to RDP directly to the server, there’s nothing currently stopping them from doing so, because (I think) the RDP access is needed in order for them to access the RemoteApp, since the app launches in an RDP session…

    Is there a way to allow my end-users access to RemoteApps but restrict them from being able to RDP directly into the server?

    2) I’m trying to publish apps that live on other machines within my environment, but currently I can only publish apps that live on an RD Session Host server. Is there a way to get around this in a session-based deployment?

    3) Were you able to publish the post on the virtual machine-Based desktop deployment option?

    Thanks again for your help.


    • Arjan Mensch says:

      Hi Joe,
      1) As far as I know that is not possible. You need to lockdown the desktop to make sure your users can’t poke around on the server should they decide to RDP directly into it. Do so by using Group Policy. Search around for guides.
      2) No you can’t, unless you publish mstsc.exe (the standard windows RDP tool) to allow the user to RDP to the remote machine, and configure the mstsc.exe RDP file to autostart the program you needed to publish.
      3) no, I no longer have direct access to the hyper-visor. I can deploy VMs in my lab just fine, but the hyper-visor layer is managed by a different department now. Don’t expect this post anytime soon, sorry

  29. Eddy Jay says:

    Hi Arjan,

    I have my RDS environment setup and working with all users connecting through RemoteApp but I have an issue regarding internal users connecting directly through the Internet. External Users: Users connecting Externally users can connect and launch apps with problem and Internal VPN User (on the same domain/ Local LAN) connecting through our VPN works fine

    But Internal users at our remote site (PC’s on the same domain/ LAN) connecting directly through Internet (not VPN) gets this error message “Your computer can’t connect to the remote computer because an error occurred on the remote computer that you want to connect to.

    Because of Internet Bandwidth issue staff at this remote office Desktops/PC’s connect directly through the internet and not VPN, but we have a domain controller link to other DC on which is on VPN to allow for AD replication.

    We suspect that it might be the RDS Gateway preventing Internal PC on the LAN domain from connecting externally through the Internet.

    RDS Gateway:
    Connection Authorization Policies — have User Groups configured, but not Client Computer Group
    Resource Authorisation Policies — have User Group and Network Resource configured

    What do you think could be the problem?

    • Arjan Mensch says:

      Hi Eddy,
      If you’ve configured internal dns zones for split dns your clients might be resolving your gateway and or webaccess dns entries as internal servers eventhough they need to connect over the internet?
      You could easily troubleshoot this by entering the correct external IPs for gateway and / or webaccess dns entries in the hosts file on one of the machines in your remote site.

  30. Shimon says:

    Hi Arjan,
    We have our cloud environment working in production since June 2015.
    Oddly enough I just had a user trying to connect to a remote desktop via RDWEB, and received the error :
    Remote Desktop can’t connect to the remote computer for one of these reasons…
    Which I’m sure many people got if they didn’t use RDP8.1.
    I have verified that RDP8.1 is installed on this PC.
    I can remote into it using TeamViewer and I have checked that the broker ip is being evaluated correctly, so no DNS issues…
    That location has other PCS which can connect to the cloud with no problems.
    The workstation OS is Win7 SP1 with all the latest windows updates.
    Any idea what I should look for in order to resolve ?

    • Arjan Mensch says:

      Hi Shimon,
      Have you limited access to the session hosts using RAP/CAP in the gateway configuration? If so, make sure this user has access.
      Are you able to test with a working account on that workstation and do you get different results?
      Have you tried using that user’s credentials on a machine that you know works?
      In other words, find out if it’s the workstation or user that causes the error and take it from there.

      • Shimon Adimor says:

        Hi Arjan,
        Oddly enough, I was able to connect to the remote desktop using Chrome instead of IE for the RDWEB part.
        I guess the IE11 was causing a problem – can’t explain it though.
        It’s a 32 bit Win7 SP1 with all windows updates and RDP8.1 installed, so as I said – a strange one…

  31. Wyatt Hughes says:


    I had RDWeb all working, I was able to click on Word, Excel, etc

    But now all of a sudden the apps don’t work, I click on Word, it looks like it’s going to work, then it just disappears. All the apps do the same thing.

    Not sure what I did to break it.

  32. Love your work mate made my job a hell of a lot easier so thank you.

    Did you happen to complete Part 5 –

    “In the next part of this series I will show how to use and configure the “Connected RemoteApp and Desktop Connections” in combination with this setup.”

  33. frank says:

    Hi Arjan,
    Please, how do I install a printer for users using RD web access. What options do I have as regards achieving this. The available printer does not have a network card and can only be installed on the physical server.

    • Arjan Mensch says:

      Hi Frank,
      Just as you would do so on a full blown workstation. Deploy a print server to which you connect the printer(s), install the printer drivers on the Remote Desktop Servers. Map printer mappings using group policy objects..

  34. Clint Neider says:

    Hello Arjan,

    I have really enjoyed your articles. I have gone through them and and having an issue with deploying a remoteapp. The Full desktop works fine but the remote app states “The follwoing RemoteApp program is not in the list of authorized programs: notepad”

    I see another comment mentions the RemoteFx board but I do not see that I have that installed.

    I have this setup in a new VM environment for testing. Our hope was to create this one remote app and then in the end have it revert all settings as it will be for training purposes only. However we are unable to get just the app to launch.

    **Note the Full Desktop launches on the Gateway server and not the Session Host however when selecting the app for publishing we can see specific apps on the host that are not on the Gateway.

    Thanks again for these articles, they have been a huge help thus far.


    • Arjan Mensch says:

      Hi Clint,
      Couple of things. You say the Full Desktop works fine, but you also say it opens on the Gateway server? If you meant to publish the Full Desktop from the Session Host I’d say the Full Desktop doesn’t work fine..
      What’s your setup? Single server installation, or have you distributed the roles across multiple servers and if so, please describe your installation a bit more.
      In the meantime you could try removing the collection and start from scratch building a new collection.

      • Avi says:

        Hi there, need some assistance please. i currently have rds up and running with about 8 apps available.
        i need to move some of those apps to its own server but i still want it to work from current remoteapp url.

        so when i click on App1 its must rdp server1 and when i click on App2 it must rdp server 2

        is it possible? thank you in advance

      • Arjan Mensch says:

        Hi Avi,
        Simply create a second collection for only the second server. This allows you to publish a second collection of applications, but still allow an app to run from the first collection, and thus from the first server. A user that is a member of both collections will have 2 icons showing the app though.

  35. Avi says:

    Thank you so much Arjan. i have tried this and I noticed that the app is published in the second collection and does appear on the remoteApp url. But it rdp’s into the original server.
    is it possible for the app in the new collection to rdp the second server when the icon is clicked

    Thank you so much

    • Arjan Mensch says:

      Hi Avi,
      Then that means something is amiss in your setup. I have set this up several times now: 1 collection with SERVER1 holding v1 of APP1 APP2 etc. Then another collection with SERVER2 holding v2 of APP1 APP2 etc.
      Both collections are published and those with appropriate rights will see v1 of the apps and v2 of the apps and starting v2 apps never launch from SERVER1 because that server is not part of the v2 collection.

  36. AnthonyG says:


    Going out on a limb here and asking a VDI question even though it’s not discussed a lot in this article. I’m thinking you are probably good with all aspects of RDS.

    I’ve heard from a consultant that we should keep our VDI Desktop collections sizes to around 40-50 desktops in each collection. This seems like a cumbersome way to mange things in my opinion. We are currently running a VDI deployment of about 180 desktops in a SINGLE collection.

    We are seeing performance issues with our VDI setup and he is saying that Microsoft’s “Best Practice” is to be in the 40-50 range on each collection. I would note we are running everything on 10gig, on a Cisco blade chassis to flash storage for the entire VDI environment. We have not noticed any latency or IOPS issues on the SAN or storage.

    I’m just hesitant to split our collection up into 4 or 5 smaller collections unless I can get some better information on this recommendation.

    Thanks in advance for your reply.

    • Arjan Mensch says:

      Hi Anthony,

      As far as I know the limits are somewhere around 450-500. Not that the setup couldn’t handle more, but the management tools simply become sluggish, or crash.
      Brokers etc. could potentially handle 5000 connections.
      As for you performance problem, it could be in the brokers, sql backend for the brokers, your base image, or the storage after all.
      If it is possible to split the collection into 2 or 3 while not interrupting business, it’s what I would do to test the consultants’ proposal. My guess is you won’t see a difference though.

  37. Ryan Young says:

    Hello! This is a very good writeup. By chance do you know of anywhere that I can see how to setup multiple broker servers?

  38. Ryan Young says:

    And/or how to HA the RDWeb as well?

  39. SOLMAN13 says:

    Hi Arjan. Great write ups. I am a novice to RDS but i have a simple question. Can i publish full desktops and remote apps together? ….if so can it be done on a single windows server instance? or do i need 2 windows server instances? – Thanks in advance

  40. SOLMAN13 says:

    …also i see a lot about RD Server configuration. Do you have or can you pint me in the direction of best practices for group policy implementation. …Still trying to decide how best to setup my Active directory…lol

  41. Sniper says:

    I want to create a 2 folders … I mean folder2 with in folder1 (folder1–>folder2–>app) is this possible

    • Arjan Mensch says:

      Hi Sniper,
      There’s no such option out of the box.
      If I had to create this feature I’d program logic into the xsl to take the folder in which the app is published, define a folder delimiter and check if there’s a subfolder name in the foldername. So publish the app in “folder1-subfolder1”. The logic would then need to have code to display a folder-path instead of a foldername, etc etc.
      Not an easy task.

  42. Tej says:

    Hi Arjan, Thank you so much for the step by step guide to set up RDS server. My question is in regards to the UPD. I have set up RDS with UPD feature enabled. My UVHD-template.vhdx is encryped by virus and don’t have backup. Now if I create new user then UPD doesn’t get created and user logs with temporary profile. Is there any way I can recreate template vhdx so current users vhdx will still stay as it is means they can login with their current logged in profile and new users vhdx will start getting generated again?

    • Arjan Mensch says:

      Hi Tej,
      If a user has a working VHDX UPD it will remain the same. The template is used to initially create the VHDX for the user, it does not function as a master disk or parent disk or anything like that.
      If you can create a new session collection with UPD enabled it will recreate the template VHDX which you can copy to the original location.

      • Tej says:

        Hi Arjan,

        Thank you for your reply. While I was waiting for your reply, i did some testing in my lab environment and realized that UPD feature turning off and turning back on creates template again and then new users vhdx gets generated and old users can still use their old vhdx. I did replicate in the production environment and all seems to be working fine.

        Thank you once again for the great post :)


  43. Hey Arjan,

    I am very happy and glad I found your guides. My students are now playing with Remote Desktop Services and they have really enjoyed your guides. I will be waiting for further step by step guides so I can share them with my students. Really great guide and fully appreciated your effort.

    Best wishes,
    Sachin Jung Karki

  44. Shimon Adimor says:

    Hey Arjan,
    I’m looking into adding a session host to an existing collection for remote apps.
    Is there any guide on how to do that, or I should just install all the apps exactly as they are in the first server, and then just add the 2nd server to the collection ?
    Thanks !

    • Arjan Mensch says:

      Hi Shimon,
      That is correct. The better option next time would be to virualize your applications, or make packages or silent installers for them. That way you can be sure the apps are installed exactly the the same for any RDS host you add or replace.

  45. Hi

    Nice doc.
    I have a trouble with publishing one of our corporate application. The execution path must be a path different from where the myapp.exe is.

    but execution path should be in
    (and not \\mysrv\C$\mycompany\myapp )

    I did not find a way to set this in publish app under w2012 – Remote Desktops Servicers – Collections ….

    Can you help me ?


    • I think I found a way with powershell + icon relinked to original exe

      New-RDRemoteApp -CollectionName “QuickSessionCollection” -Alias “Myapp” -DisplayName “MyApp” -FolderName “MyFolderInWeb” -FilePath “C:\windows\system32\cmd.exe” -FileVirtualPath “C:\windows\system32\cmd.exe” -CommandLineSetting “Require” -RequiredCommandLine “/C start /D \\mysrv2\myshare \\mysrv\c$\mypath\myapp.EXE all my params” -IconPath “\\mysrv\c$\mypath\myapp.EXE” -IconIndex 0

  46. Ruud says:

    Hi Eric,

    You can set the startup parameters in the properties window if you right click on the newly added app. But for the icon path you still need PowerShell.

    Your solution gave me an idea how I might be able to launch an application that needs to start in a cmd prompt. It does not quit work yet, but at least it now starts.

    Next step for me is to figure out how to fix the errors the app is throwing at me at start up.

    So thanks for sharing.

  47. Dame Malov says:

    Great post very helpful.
    I have an issue with webapps. If an application hangs, becomes unresponsive and the user closes the application and starts it again, it is still unresponsive. I know this is because the application runs on the server and the user only connects and disconnects on the session.
    But is there a way for the user to kill the process of that specific application only?

    • Arjan Mensch says:

      Hi Dame,
      You could see if you can publish TaskManager for the user.
      Or you could change the setting which controls what to do with a disconnected session.

      • Dame Malov says:

        I just learned that pressing Ctrl+Alt+End shows the options to log off or open task manager for that user on the server and presents it on the client PC. This is very helpful.

  48. Nois says:

    Hi Arjan, after created Collections I want to change back to no Collections because it is using Mounted user disk which causing some application from running (unable to save to C:\users). But I already have many users in the connections. Instead of delete the Collections. How can I change the Collections to use Full Desktop instead of VDI?

    • Arjan Mensch says:

      Hi Nois,
      You cannot change the collection type.
      If you have multiple Session Hosts, you can create a second collection, remove a host from the faulty collection, and add it to the new collection. When all hosts are moved, you can remove the faulty collection.

  49. Allen says:

    Hi Arjan,
    Is it possible to publish 2 different app from 2 different session host? For example, notepad published from session host 1 and paint from session host 2? Thanks

    • Arjan Mensch says:

      Hi Allen,

      This can only be achieved by creating two collections. One collection will hold the sessionhost that publishes notepad, the other collection will hold the sessionhost that publishes paint.
      A sessionhost can only be a member of one collection, so if you have a 3rd app, which is on both sessionhosts you need to publish that app in both collections. Users will see 2 identical apps for that though..

  50. John Carver says:

    Hi Arjan

    I have gone through this article a few times and done everything to the letter and all has worked wonderfully. Thanks so much for all the info and detailed tutorial. I would not have been able to do it without this. Now 2 questions. I have a remote app published and working using 3 session servers. The issue that I am having is one of the servers gets most of the connections. The layout is as follows:
    2 connection brokers (HA), 2 gateway servers for fault tolerance (active/active), 3 host servers all set up with 100% relative weight and 70 session limit. They used to balance much more efficiently. Where can I check to see what could be wrong here?
    2nd question:
    I have 3 host servers Cloud37, Cloud47, Cloud57. If I am connected to cloud37 and then I use the Host Servers section in Collection settings to stop allowing connections to that server. Then I log on to the remote app it says that the server denied the connection. I thought when I drain the server like this it is supposed to bounce me to another server. Where can I check the persistence settings or see what is happening here to resolve this issue?

    • Arjan Mensch says:

      Hi John,
      1. Session balancing is based on several things. If they are all based on the same image, equally patched and have the same hardware resources, balancing should be even. Check if something is eating or claiming resources on your other servers.
      2. My best guess would be to check the broker’s logs to see if anything is logged there.

      • John Carver says:

        Thanks for the reply. It seems to have worked itself out. I will keep an eye on it for now.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog Authors
Donate Button

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 353 other followers

Blog Stats
  • 2,172,318 hits
%d bloggers like this: