M12: Remote Desktop Services

Remote Desktop Services (RDS) enables users to access Windows desktops and applications remotely from any device, anywhere.

What You'll Learn

  • RDS architecture and role services
  • Session-based vs VDI deployments
  • RD Gateway for secure access
  • RemoteApp publishing
  • Licensing and CALs

Prerequisites

  • Windows Server basics
  • Active Directory (M02)
  • DNS configuration (M08)
  • Certificate Services helpful (M13)
Enterprise Reality: RDS powers remote work for millions of users, enabling secure access to corporate applications without full VPN connections.
Diagram: Remote Desktop Services, PC sessions on a server. Clients (a thin client via mstsc.exe, a macOS Mac, an iPad or Android device) connect to a Session Host running multi-user Windows with Office, a browser and line-of-business apps; many sessions run on one host. Data stays on the server; the client sends keyboard/mouse input and receives the screen.

RDS Architecture

Remote Desktop Services consists of multiple role services working together.

Core Role Services

  • RD Session Host: Hosts user sessions
  • RD Connection Broker: Load balancing and reconnection
  • RD Web Access: Web portal for RemoteApps
  • RD Gateway: HTTPS tunneling for external access

Additional Services

  • RD Licensing: Manages CALs
  • RD Virtualization Host: VDI virtual machines
  • User Profile Disks (UPD)
  • Session collections

# Install RDS roles on a single server (Quick Start)
Install-WindowsFeature -Name RDS-RD-Server, RDS-Connection-Broker, RDS-Web-Access -IncludeManagementTools

Diagram: RDS role services that stack into a deployment. RD Session Host runs user sessions; RD Virtualization Host hosts Hyper-V VDI; RD Connection Broker load balances and reconnects; RD Web Access is the browser landing page; RD Gateway bridges HTTPS to RDP; RD Licensing does CAL accounting. Each role on a separate server (recommended), or co-located on a single box for small deployments: Install-WindowsFeature RDS-RD-Server, RDS-Web-Access...

RDS Role Services Deep Dive

Each RDS role service has a specific function in the overall architecture.

RD Session Host (RDSH)

  • Hosts shared Windows desktop sessions
  • Runs applications for multiple concurrent users
  • Requires RDS CALs for each user/device
  • Can be load-balanced across multiple servers

RD Connection Broker

  • Central orchestration of RDS deployments
  • Distributes sessions across RDSH servers
  • Handles session reconnection after disconnect
  • Required for all multi-server deployments

RD Web Access

  • Browser-based portal for RemoteApps
  • Users browse and launch published apps
  • Requires IIS on the same server
  • Customizable branding and layout

RD Virtualization Host

  • Hosts VDI virtual machines on Hyper-V
  • Pooled VMs (shared) or personal VMs
  • Managed through Connection Broker
  • Requires Hyper-V role on the host

Deployment Types

Choose the right deployment model for your organization's needs.

Session-Based Desktop

  • Multiple users share one OS
  • Lower infrastructure cost
  • Easier management
  • Best for standardized workloads

Virtual Desktop (VDI)

  • Each user gets dedicated VM
  • Full desktop isolation
  • Higher resource requirements
  • Best for power users/developers
Licensing Note: VDI requires Windows Enterprise with Software Assurance or VDA licensing. Session-based requires RDS CALs.
Diagram: Session-based vs VDI. Session-based (RDSH): one Windows Server shared by 50-100 users; low overhead and cheap, but a shared kernel. Best for knowledge workers and kiosks. VDI (RD Virtualization Host): a personal Windows 10/11 VM, one VM per user; strong isolation and a full client OS, but heavy on hardware. Best for developers, contractors and BYOD.

RDS Deployment Methods

Windows Server provides two deployment approaches for RDS infrastructure.

Quick Start Deployment

  • All roles on a single server
  • Ideal for labs and small environments
  • Uses Server Manager wizard
  • Not recommended for production
  • Fast setup (single wizard)

Standard Deployment

  • Roles distributed across multiple servers
  • Production-ready architecture
  • Scalable and highly available
  • Separate CB, RDSH, and Web Access
  • Requires domain environment

# Standard deployment via PowerShell
New-RDSessionDeployment `
    -ConnectionBroker "RDCB01.hexworth.local" `
    -SessionHost @("RDSH01.hexworth.local", "RDSH02.hexworth.local") `
    -WebAccessServer "RDWA01.hexworth.local"

Best Practice: Always use Standard Deployment for production environments. Quick Start is excellent for proof-of-concept testing.

Session Collections

Session collections group RD Session Hosts and define access policies.

Collection Components

  • Session Host Servers - Servers hosting user sessions
  • User Groups - Who can access the collection
  • User Profile Disks - Roaming profile storage
  • Session Limits - Timeout and reconnection settings

Create a session collection that groups multiple RD Session Hosts under one name.

# Create a collection with two session hosts behind the broker
PS C:\> New-RDSessionCollection -CollectionName "Corporate Apps" -SessionHost @("RDSH01.hexworth.local", "RDSH02.hexworth.local") -ConnectionBroker "RDCB01.hexworth.local"

# Expected output:
CollectionName : Corporate Apps
Size           : 2
ResourceType   : RemoteDesktop

Restrict which AD security group can connect to this collection.

# Assign the RDS-Users group as the only authorized users
PS C:\> Set-RDSessionCollectionConfiguration -CollectionName "Corporate Apps" -UserGroup "HEXWORTH\RDS-Users"

Diagram: a session collection is a group of session hosts. Sales Collection: RDSH-01 (42 sessions), RDSH-02 (38 sessions), RDSH-03 (28 sessions); 3 hosts, 108 max sessions. The Connection Broker round-robins by load, and the same RemoteApps are published to all hosts. Created with: New-RDSessionCollection -CollectionName "Sales"

Session Configuration

Fine-tune session behavior for optimal user experience and server resource management.

Session Timeouts

  • Idle Session Limit: Disconnect after inactivity
  • Active Session Limit: Max session duration
  • Disconnected Timeout: End disconnected sessions
  • Broken Connection: Disconnect or end on network drop

Device Redirection

  • Printers (local and network)
  • Clipboard (copy/paste)
  • Drives (map local drives to session)
  • Smart cards and USB devices
  • Audio playback and recording

Set session timeouts to automatically disconnect idle users and reclaim server resources.

# Set idle (30 min), active (8 hr), and disconnected (1 hr) limits
PS C:\> Set-RDSessionCollectionConfiguration -CollectionName "Corporate Apps" -IdleSessionLimitMin 30 -ActiveSessionLimitMin 480 -DisconnectedSessionLimitMin 60

Control which local devices users can redirect into their remote session.

# Allow printers, audio playback and smart cards; every redirection type not named in
# -ClientDeviceRedirectionOptions (drives, clipboard, plug-and-play devices) stays blocked
PS C:\> Set-RDSessionCollectionConfiguration -CollectionName "Corporate Apps" -ClientPrinterRedirected $true -ClientDeviceRedirectionOptions "AudioVideoPlayBack, SmartCard"
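The two commands above set a collection's limits and redirection once; in practice the settings drift (a GUI change, a second admin, a restored collection). The following script is an added example, not part of the course material: it reads the collection's connection, security and client views with Get-RDSessionCollectionConfiguration, compares them against a baseline, flags drive redirection as a data-exfiltration path, and only then applies the remediation. The baseline values, the broker name and the collection name are assumptions taken from this module's lab.

```powershell
# Added example: audit a session collection against a baseline, then remediate drift.
# Assumed names: RDCB01.hexworth.local and "Corporate Apps" (this module's lab values).
Import-Module RemoteDesktop

$Broker     = "RDCB01.hexworth.local"
$Collection = "Corporate Apps"

# Baseline: idle 30 min, active 8 h, disconnected 1 h, NLA on, High encryption, TLS layer.
$Baseline = @{
    IdleSessionLimitMin         = 30
    ActiveSessionLimitMin       = 480
    DisconnectedSessionLimitMin = 60
    AuthenticateUsingNLA        = $true
    EncryptionLevel             = 'High'
    SecurityLayer               = 'SSL'
}

# The cmdlet exposes the configuration in separate views; pull the three we compare.
$conn = Get-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker -Connection
$sec  = Get-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker -Security
$cli  = Get-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker -Client

$drift = @()
foreach ($key in $Baseline.Keys) {
    # Timeouts live on the -Connection view, NLA/encryption/security layer on -Security.
    $current = if ($conn.PSObject.Properties[$key]) { $conn.$key } else { $sec.$key }
    if ("$current" -ne "$($Baseline[$key])") {
        $drift += [pscustomobject]@{ Setting = $key; Current = $current; Expected = $Baseline[$key] }
    }
}

# Drive redirection maps the user's local disks into the session; flag it explicitly.
if ("$($cli.ClientDeviceRedirectionOptions)" -match 'Drive') {
    $drift += [pscustomobject]@{
        Setting  = 'ClientDeviceRedirectionOptions'
        Current  = $cli.ClientDeviceRedirectionOptions
        Expected = 'no Drive'
    }
}

if ($drift.Count -eq 0) {
    Write-Host "Collection '$Collection' matches the baseline."
    return
}
$drift | Format-Table -AutoSize

# Remediate; each configuration area is its own parameter set, so three calls.
Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker `
    -IdleSessionLimitMin $Baseline.IdleSessionLimitMin `
    -ActiveSessionLimitMin $Baseline.ActiveSessionLimitMin `
    -DisconnectedSessionLimitMin $Baseline.DisconnectedSessionLimitMin
Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker `
    -AuthenticateUsingNLA $true -EncryptionLevel High -SecurityLayer SSL
Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker `
    -ClientPrinterRedirected $true `
    -ClientDeviceRedirectionOptions "AudioVideoPlayBack, SmartCard"
```

Run it from the Connection Broker (or any host with the RemoteDesktop module and rights on the deployment). Comparing as strings keeps the check indifferent to whether the cmdlet returns enum values or their names; the redirection check is a substring match on the flags value because the allowed set is whatever you list, and anything absent is denied.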

RD Gateway

RD Gateway enables secure remote access over HTTPS without VPN.

How It Works

  • RDP traffic tunneled over HTTPS (443)
  • Firewall-friendly - no RDP port exposure
  • SSL/TLS certificate required
  • Connection and Resource Authorization Policies

Policy Types

  • CAP: Connection Authorization Policy (who can connect)
  • RAP: Resource Authorization Policy (what they can access)

Install the RD Gateway role so external users can tunnel RDP over HTTPS.

# Install RD Gateway with management tools
PS C:\> Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools

# Expected output:
Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Remote Desktop Gateway}

Create a CAP to define which user groups are allowed to connect through the gateway.

# Create a Connection Authorization Policy for remote users
PS C:\> New-Item -Path "RDS:\GatewayServer\CAP" -Name "Remote-Users-CAP" -UserGroups "HEXWORTH\Remote-Users" -AuthMethod 1

RD Gateway Policies Deep Dive

Understanding CAP and RAP policies is essential for secure RD Gateway configuration.

Connection Authorization (CAP)

  • Controls WHO can connect through the gateway
  • Specify allowed user groups
  • Choose authentication methods (password, smart card)
  • Optional device redirection restrictions
  • Can require NAP health validation

Resource Authorization (RAP)

  • Controls WHAT internal resources users can reach
  • Specify allowed target servers by name or group
  • Use AD security groups for server lists
  • Restrict allowed ports
  • Multiple RAPs evaluated in order

# Create Resource Authorization Policy
New-Item -Path "RDS:\GatewayServer\RAP" -Name "Allow-RDSH-Servers" `
    -UserGroups "HEXWORTH\Remote-Users" `
    -ComputerGroupType 1 `
    -ComputerGroup "HEXWORTH\RDS-Servers"

Security Tip: Always create restrictive RAP policies. Never allow connections to "any computer on the network." Define specific server groups that users may access.
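To put the CAP/RAP model and the security tip above into one script: the following is an added example written for this page, not course or Microsoft code. It creates the CAP and RAP idempotently and then walks every RAP on the gateway, reporting any that grants access to "any network resource" (ComputerGroupType 2) rather than a named server group. The group names are this module's lab names; the assumption that each RAP setting is a child item with a CurrentValue property describes the RDS: provider as this example expects it, so check it against your gateway.

```powershell
# Added example (not from the course): least-privilege CAP/RAP pair plus an audit of
# existing RAPs for the over-broad "any network resource" setting. Run on the gateway.
Import-Module RemoteDesktopServices      # provides the RDS: PSDrive

$UserGroup   = "HEXWORTH\Remote-Users"   # who may come through the gateway
$ServerGroup = "HEXWORTH\RDS-Servers"    # AD group holding only the RDSH servers

# CAP: who may connect. AuthMethod 1 = password, as used earlier in this module.
if (-not (Test-Path "RDS:\GatewayServer\CAP\Remote-Users-CAP")) {
    New-Item -Path "RDS:\GatewayServer\CAP" -Name "Remote-Users-CAP" `
        -UserGroups $UserGroup -AuthMethod 1 | Out-Null
}

# RAP: what they may reach. ComputerGroupType 1 = AD network resource group
# (0 = gateway-managed group; 2 = any network resource, which we never want).
if (-not (Test-Path "RDS:\GatewayServer\RAP\Allow-RDSH-Servers")) {
    New-Item -Path "RDS:\GatewayServer\RAP" -Name "Allow-RDSH-Servers" `
        -UserGroups $UserGroup -ComputerGroupType 1 -ComputerGroup $ServerGroup | Out-Null
}

# Audit: each RAP is a container; its settings are child items exposing CurrentValue
# (assumption about the RDS: provider layout used by this example).
$findings = foreach ($rap in Get-ChildItem "RDS:\GatewayServer\RAP") {
    $type = (Get-Item "RDS:\GatewayServer\RAP\$($rap.Name)\ComputerGroupType").CurrentValue
    $risk = if ("$type" -eq '2') { 'HIGH: allows any network resource' } else { 'ok' }
    [pscustomobject]@{ RAP = $rap.Name; ComputerGroupType = $type; Risk = $risk }
}
$findings | Format-Table -AutoSize

# Non-zero exit lets a scheduled job or CI check fail loudly on an over-broad RAP.
if ($findings | Where-Object { $_.Risk -like 'HIGH*' }) { exit 1 }
```

Because the gateway evaluates multiple RAPs in order and any matching RAP grants access, one permissive policy left over from testing undoes every restrictive one; scheduling the audit is cheaper than discovering that later.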
Diagram: RD Gateway tunnels RDP inside HTTPS. An external user on home Wi-Fi connects over HTTPS 443 to the RD Gateway in the DMZ, which checks CAP + RAP and forwards RDP 3389 to the RDSH on the internal LAN. Two policy layers: CAP, the Connection Authorization Policy, decides who can connect (user group + MFA); RAP, the Resource Authorization Policy, decides what they can reach (resource group). Example: Add-RDServer -Server gw01 -Role RDS-Gateway

Remote Desktop Protocol (RDP) Security

RDP security settings determine how connections are authenticated and encrypted.

Security Layers

  • Negotiate: TLS if supported, fallback to RDP
  • SSL (TLS 1.0+): Strongest, requires certificate
  • RDP Security: Legacy, weakest option

Encryption Levels

  • High: 128-bit (recommended)
  • Client Compatible: Max supported by client
  • Low: 56-bit (avoid)

Network Level Authentication (NLA)

  • Authenticates BEFORE full session starts
  • Prevents resource consumption attacks
  • Requires CredSSP protocol
  • Blocks unauthenticated users from login screen
  • Strongly recommended for all deployments

# Require NLA via Group Policy:
# Computer Config > Admin Templates > Windows Components >
#   Remote Desktop Services > Remote Desktop Session Host > Security
#   "Require user authentication for remote connections by using NLA" = Enabled

Force the security layer to SSL/TLS via the registry so all connections are encrypted.

# Set the security layer to SSL/TLS (value 2) via registry
PS C:\> Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "SecurityLayer" -Value 2
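The registry command above sets one value on one host. The script below is an added example, not from the course, that checks all three listener values this section discusses (SecurityLayer 2 = SSL/TLS, UserAuthentication 1 = NLA required, MinEncryptionLevel 3 = High) on the RDP-Tcp listener, reports drift as a table, and remediates only what is non-compliant. Test-RdpListenerSecurity is a helper written for this example.

```powershell
# Added example (not from the course): audit and enforce the RDP-Tcp listener security
# values discussed in this section, then re-check. Test-RdpListenerSecurity is this
# example's own helper.
$Listener = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
$Required = @{
    SecurityLayer      = 2   # 0 = RDP security, 1 = Negotiate, 2 = SSL/TLS
    UserAuthentication = 1   # 1 = Network Level Authentication required
    MinEncryptionLevel = 3   # 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS
}

function Test-RdpListenerSecurity {
    param([string]$Path = $Listener, [hashtable]$Expected = $Required)
    $item = Get-ItemProperty -Path $Path
    foreach ($name in $Expected.Keys) {
        $actual = $item.$name          # $null if the value has never been set
        [pscustomobject]@{
            Setting   = $name
            Actual    = $actual
            Expected  = $Expected[$name]
            Compliant = ($actual -eq $Expected[$name])
        }
    }
}

$report = Test-RdpListenerSecurity
$report | Format-Table -AutoSize

# Remediate only the non-compliant values; new connections pick the change up immediately.
foreach ($row in $report | Where-Object { -not $_.Compliant }) {
    Set-ItemProperty -Path $Listener -Name $row.Setting -Value $row.Expected -Type DWord
    Write-Host "Set $($row.Setting) = $($row.Expected)"
}

# Re-run the check so the script's exit code reflects the final state.
$still = @(Test-RdpListenerSecurity | Where-Object { -not $_.Compliant })
if ($still.Count -gt 0) {
    $still | ForEach-Object { Write-Warning "Still non-compliant: $($_.Setting)" }
    exit 1
}
Write-Host "RDP listener on $env:COMPUTERNAME is compliant."
```

On a domain-joined session host these values are normally delivered by the GPO path shown above, and Group Policy will rewrite the registry at the next refresh; treat the direct registry write as the fallback for standalone hosts, and use the audit half of the script on domain hosts to confirm the policy actually landed.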

RemoteApp Programs

Publish individual applications that appear as local programs on client devices.

Benefits of RemoteApp

  • Applications run on server, display locally
  • Seamless integration with local desktop
  • Centralized application management
  • Published via RD Web Access or .rdp files

Publish an application so users see it in the RD Web Access portal without a full desktop.

# Publish the Accounting System as a RemoteApp
PS C:\> New-RDRemoteApp -CollectionName "Corporate Apps" -DisplayName "Accounting System" -FilePath "C:\Program Files\Accounting\app.exe" -Alias "accounting"

Verify which applications are currently published in a collection.

# List all RemoteApps in the collection
PS C:\> Get-RDRemoteApp -CollectionName "Corporate Apps"

# Expected output:
Alias       DisplayName        FilePath
accounting  Accounting System  C:\Program Files\Accounting\app.exe

RemoteApp Advanced Configuration

Customize RemoteApp behavior for optimal user experience.

RemoteApp Properties

  • Display Name: User-friendly name in portal
  • Show in Web Access: Visibility in RD Web portal
  • Command-Line Arguments: Pass parameters at launch
  • User Assignment: Restrict by AD group
  • File Type Associations: Open local files in RemoteApp

File Type Association

  • Associate file extensions with RemoteApps
  • Double-click .xlsx opens remote Excel
  • Files appear to open locally
  • Requires RD Web Access Feed
  • Configured in RemoteApp properties

Restrict a RemoteApp to a specific user group and pass required command-line arguments.

# Configure the accounting app with required args and group restriction
PS C:\> Set-RDRemoteApp -CollectionName "Corporate Apps" -Alias "accounting" -CommandLineSetting Require -RequiredCommandLine "/database:production" -UserGroups "HEXWORTH\Finance-Users"

# RD Web Access feed URL for client subscription:
#   https://rdwa.hexworth.local/RDWeb/Feed/webfeed.aspx
# Users subscribe to this URL in Remote Desktop Connection settings

Diagram: a RemoteApp is a single app in a window, not a full desktop. Microsoft Excel as a RemoteApp (Q1 sales spreadsheet) appears on the user's local desktop as an app window only and looks local, but excel.exe runs on the RDSH server, user data stays on the share, and the app is updated centrally. It is still an RDP session from the local PC to the RDSH; only the app window is forwarded. Example: New-RDRemoteApp -CollectionName Sales -DisplayName "Excel" -FilePath "C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"

RDS Licensing

RDS requires Client Access Licenses (CALs) for each connecting user or device.

Per User CALs

  • License follows the user
  • Connect from any device
  • Better for mobile workforce
  • Requires AD for tracking

Per Device CALs

  • License assigned to device
  • Multiple users can share
  • Better for shift workers
  • Works without AD

# Configure RD Licensing server
Set-RDLicenseConfiguration -LicenseServer "RDL01.hexworth.local" `
    -Mode PerUser -ConnectionBroker "RDCB01.hexworth.local"

Grace Period: RDS has a 120-day grace period without licenses. After that, connections are denied.

RDS Certificates

RDS uses certificates for server identity, encryption, and single sign-on.

Certificate Roles

  • RD Connection Broker - Publishing: Signs RDP files and feed
  • RD Connection Broker - RD Gateway SSO: Enables single sign-on
  • RD Web Access: HTTPS for web portal
  • RD Gateway: HTTPS tunneling certificate

Certificate Requirements

  • Subject name matches DNS name
  • Trusted by all client machines
  • Exportable private key (.pfx)
  • Server Authentication EKU
  • Use internal CA or public CA

Import a certificate for the Connection Broker so it can sign published RDP files.

# Set the RD Publishing certificate from a PFX file
PS C:\> Set-RDCertificate -Role RDPublishing -ImportPath "C:\Certs\rdcb.hexworth.local.pfx" -Password (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -ConnectionBroker "RDCB01.hexworth.local"

Import a separate certificate for the RD Gateway to secure HTTPS tunneling.

# Set the RD Gateway certificate for HTTPS tunneling
PS C:\> Set-RDCertificate -Role RDGateway -ImportPath "C:\Certs\rdgw.hexworth.local.pfx" -Password (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -ConnectionBroker "RDCB01.hexworth.local"
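The import commands above trust whatever is in the PFX. As an added example (not course code), the script below checks the file against the certificate requirements listed in this section before calling Set-RDCertificate: the expected DNS name must appear in the SAN list or CN (directly or through a single-label wildcard), the Server Authentication EKU must be present, the private key must be included, and the certificate must not be expired or about to expire. Test-RdsCertificate is a helper written for this example; the path, DNS name and broker are the lab values, and the password is prompted for rather than embedded in the script.

```powershell
# Added example (not from the course): validate a PFX against RDS certificate requirements,
# then import it only if every check passes. Test-RdsCertificate is this example's helper.
Import-Module RemoteDesktop

function Test-RdsCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$ExpectedDnsName,
        [Parameter(Mandatory)][securestring]$Password
    )
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $Password, $flags)

    # Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) is required for TLS server use.
    $ekuOk = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })

    # Collect SAN DNS names plus the CN, then look for an exact or single-label wildcard match.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($cert.Subject -match '^CN=([^,]+)') { $names += $Matches[1] }
    $nameOk = $false
    foreach ($n in $names) {
        if ($n -ieq $ExpectedDnsName) { $nameOk = $true; break }
        if ($n.StartsWith('*.') -and ($ExpectedDnsName -ilike $n) -and
            ($n.Split('.').Count -eq $ExpectedDnsName.Split('.').Count)) { $nameOk = $true; break }
    }

    # 30-day renewal margin is this example's assumption; adjust to your rotation policy.
    $now     = Get-Date
    $dateOk  = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now.AddDays(30))

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        DnsNames      = ($names -join ', ')
        NameMatches   = $nameOk
        ServerAuthEKU = $ekuOk
        HasPrivateKey = $cert.HasPrivateKey
        NotAfter      = $cert.NotAfter
        DatesOk       = $dateOk
        Pass          = ($nameOk -and $ekuOk -and $cert.HasPrivateKey -and $dateOk)
    }
}

$pfx         = "C:\Certs\rdgw.hexworth.local.pfx"
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString   # never embed it in the script
$broker      = "RDCB01.hexworth.local"

$check = Test-RdsCertificate -PfxPath $pfx -ExpectedDnsName "rdgw.hexworth.local" -Password $pfxPassword
$check | Format-List

if ($check.Pass) {
    Set-RDCertificate -Role RDGateway -ImportPath $pfx -Password $pfxPassword -ConnectionBroker $broker
    # Confirm what the deployment now reports for the role.
    Get-RDCertificate -Role RDGateway -ConnectionBroker $broker
} else {
    Write-Error "Certificate does not meet RDS requirements; nothing was imported."
}
```

The same function works for the RDPublishing, RDRedirector and RDWebAccess roles by passing the DNS name clients use for that role; a wildcard or SAN certificate that covers all of them passes each check in turn.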

User Profile Disks

User Profile Disks (UPDs) provide persistent user settings across session hosts.

UPD Configuration

  • VHDX files stored on file share
  • Contains user profile data
  • Mounted automatically at logon
  • Supports profile roaming across hosts

# Enable User Profile Disks for a collection
Set-RDSessionCollectionConfiguration -CollectionName "Corporate Apps" `
    -EnableUserProfileDisk `
    -MaxUserProfileDiskSizeGB 20 `
    -DiskPath "\\FILESERVER\UPD$"

Best Practice: Store UPDs on fast storage with SMB 3.0 support. Consider FSLogix for larger deployments.

Group Policy for RDS

Group Policy provides centralized control over RDS behavior, security, and user experience.

Key Computer Policies

  • Licensing: Specify license server and mode
  • Security: Require NLA, set encryption level
  • Session Limits: Idle, active, disconnected timeouts
  • Device Redirection: Allow/deny printers, drives, USB
  • Temporary Folders: Delete on session exit

Key User Policies

  • Start Menu: Hide specific shortcuts
  • Desktop: Restrict wallpaper changes
  • Drive Mapping: Control mapped drive visibility
  • RemoteApp: Control app availability
  • Logon Script: Run scripts at RDS logon

# GPO path for RDS settings
# Computer Config > Admin Templates > Windows Components >
#   Remote Desktop Services > Remote Desktop Session Host
#     > Connections - Max connections, keep-alive
#     > Device and Resource Redirection
#     > Licensing
#     > Security - NLA, encryption, security layer
#     > Session Time Limits
#     > Temporary Folders

Tip: Create a dedicated GPO linked to the OU containing your RD Session Host servers. Use WMI filtering to target only servers with the RDSH role installed.

Remote Desktop Connection (mstsc.exe)

The built-in Remote Desktop client provides numerous options for connecting to RDS.

Connection Options

  • /v:server - Target server or IP
  • /f - Full-screen mode
  • /w: /h: - Set resolution
  • /admin - Connect to admin session
  • /multimon - Multi-monitor support
  • /span - Span across monitors

Advanced Features

  • /restrictedAdmin - Credential guard mode
  • /remoteGuard - Windows Defender Remote Credential Guard
  • /shadow:ID - Shadow an existing session
  • Save connection settings as .rdp files
  • RD Gateway settings in Advanced tab

Launch a full-screen RDP connection to a session host.

# Connect full-screen to an RD Session Host
PS C:\> mstsc.exe /v:RDSH01.hexworth.local /f

Specify an exact resolution for the remote session window.

# Connect with 1920x1080 resolution
PS C:\> mstsc.exe /v:RDSH01.hexworth.local /w:1920 /h:1080

Shadow an active session to view or control a user's screen for support purposes.

# Shadow session ID 3 with interactive control
PS C:\> mstsc.exe /shadow:3 /v:RDSH01.hexworth.local /control

Use Remote Credential Guard to prevent credential theft on the remote host.

# Connect with Windows Defender Remote Credential Guard
PS C:\> mstsc.exe /remoteGuard /v:RDSH01.hexworth.local

RDS Session Management

Monitor and manage active user sessions across your RDS deployment.

Session States

  • Active: User connected and working
  • Disconnected: Session running, user not connected
  • Idle: No user input detected
  • Listen: Waiting for connections (system)

Management Actions

  • Shadow: View/control user's session
  • Disconnect: Detach user, keep session
  • Log Off: End session completely
  • Send Message: Notify users (maintenance)

List all active and disconnected sessions across the RDS deployment.

# Query all user sessions from the Connection Broker
PS C:\> Get-RDUserSession -ConnectionBroker "RDCB01.hexworth.local"

# Expected output:
UserName  UnifiedSessionId  SessionState  HostServer
jsmith    3                 Active        RDSH01.hexworth.local
jdoe      5                 Disconnected  RDSH01.hexworth.local
admin     7                 Active        RDSH02.hexworth.local

Disconnect a user's session while keeping it running on the server.

# Force-disconnect session ID 5 on a specific host
PS C:\> Disconnect-RDUser -HostServer "RDSH01.hexworth.local" -UnifiedSessionID 5 -Force

Send a pop-up message to notify users before scheduled maintenance.

# Send a maintenance warning to a specific session
PS C:\> Send-RDUserMessage -HostServer "RDSH01.hexworth.local" -UnifiedSessionID 5 -MessageTitle "Maintenance" -MessageBody "Server rebooting in 15 minutes"

Use the classic quser and logoff commands to quickly view and terminate sessions.

# List sessions with quser, then log off session ID 5
PS C:\> quser /server:RDSH01
PS C:\> logoff 5 /server:RDSH01
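Disconnected sessions keep consuming memory and licence slots on the host, and the per-collection disconnected-session limit set earlier only covers sessions created after it was applied. The script below is an added example, not course code, that combines Get-RDUserSession with Invoke-RDUserLogoff (the RDS cmdlet that ends a session) to find sessions disconnected longer than a threshold, write an audit record, and log them off; it runs in report-only mode until you flip the switch. It assumes the RDUserSession objects carry a DisconnectTime property and uses the lab broker name.

```powershell
# Added example (not from the course): reclaim sessions that have sat disconnected longer
# than a threshold. Assumes Get-RDUserSession exposes DisconnectTime on each session and
# uses this module's lab broker name.
Import-Module RemoteDesktop

$Broker       = "RDCB01.hexworth.local"
$MaxDisconnect = [timespan]::FromHours(4)
$ReportOnly   = $true     # set to $false to actually log sessions off
$LogPath      = "$env:TEMP\rds-stale-sessions-$(Get-Date -Format 'yyyyMMdd-HHmm').csv"

$sessions = Get-RDUserSession -ConnectionBroker $Broker

$stale = foreach ($s in $sessions) {
    # State values are reported as names such as STATE_DISCONNECTED; match loosely.
    if ("$($s.SessionState)" -notmatch 'DISCONNECTED') { continue }
    if (-not $s.DisconnectTime) { continue }
    $age = (Get-Date) - [datetime]$s.DisconnectTime
    if ($age -gt $MaxDisconnect) {
        [pscustomobject]@{
            User            = "$($s.DomainName)\$($s.UserName)"
            Host            = $s.HostServer
            SessionId       = $s.UnifiedSessionId
            DisconnectedHrs = [math]::Round($age.TotalHours, 1)
        }
    }
}

if (-not $stale) {
    Write-Host "No sessions disconnected longer than $($MaxDisconnect.TotalHours) h."
    return
}

# Keep a record of what was (or would have been) ended, for the change log.
$stale | Sort-Object DisconnectedHrs -Descending | Tee-Object -Variable ordered |
    Export-Csv -Path $LogPath -NoTypeInformation
$ordered | Format-Table -AutoSize
Write-Host "Audit record written to $LogPath"

foreach ($row in $ordered) {
    if ($ReportOnly) {
        Write-Host "REPORT-ONLY: would log off $($row.User) (session $($row.SessionId) on $($row.Host))"
        continue
    }
    Invoke-RDUserLogoff -HostServer $row.Host -UnifiedSessionID $row.SessionId -Force
    Write-Host "Logged off $($row.User) from $($row.Host)"
}
```

Schedule it on the broker with a short threshold during business hours and a longer one overnight; the CSV gives you the list of affected users if someone reports lost unsaved work.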

High Availability

Enterprise RDS deployments require redundancy and load balancing.

HA Components

  • Multiple RD Session Hosts
  • SQL Server for Connection Broker
  • Load-balanced RD Web Access
  • RD Gateway farm

Connection Broker HA

  • Active-Active clustering
  • Shared SQL database
  • DNS round-robin or NLB
  • Automatic session reconnection

# Add Connection Broker to HA configuration
Set-RDConnectionBrokerHighAvailability `
    -ConnectionBroker "RDCB01.hexworth.local" `
    -DatabaseConnectionString "DRIVER=SQL Server Native Client 11.0;SERVER=SQL01;Trusted_Connection=Yes;APP=Remote Desktop Services;DATABASE=RDCB" `
    -ClientAccessName "rdcb.hexworth.local"

RDS High Availability Architecture

A fully redundant RDS deployment requires careful planning of each tier.

Session Host Tier

  • Multiple RDSH servers per collection
  • Connection Broker distributes sessions
  • Drain mode for graceful maintenance
  • Identical software and configuration
  • Windows NLB or hardware load balancer

Gateway & Web Access Tier

  • Multiple RD Gateway servers behind load balancer
  • Shared SSL certificate across gateway farm
  • RD Web Access behind NLB
  • Sticky sessions may be required
  • Use wildcard or SAN certificates

Register a new server with the RDS deployment as a session host role.

# Add a third RD Session Host server to the deployment
PS C:\> Add-RDServer -Server "RDSH03.hexworth.local" -Role RDS-RD-SERVER -ConnectionBroker "RDCB01.hexworth.local"

Assign the new server to an existing session collection so it starts receiving connections.

# Add the new host to the Corporate Apps collection
PS C:\> Add-RDSessionHost -CollectionName "Corporate Apps" -SessionHost "RDSH03.hexworth.local" -ConnectionBroker "RDCB01.hexworth.local"

Set drain mode before maintenance so existing sessions finish but no new ones start.

# Enable drain mode to block new connections until reboot
PS C:\> Set-RDSessionHost -SessionHost "RDSH01.hexworth.local" -NewConnectionAllowed NotUntilReboot -ConnectionBroker "RDCB01.hexworth.local"
Production Tip: Use drain mode before maintenance. This prevents new connections while allowing existing sessions to complete gracefully.
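Drain mode is one step of a rolling maintenance cycle across the session-host tier. The script below is an added example, not course code, that strings the steps together for each host in turn: enter drain mode, warn the remaining users with Send-RDUserMessage, poll Get-RDUserSession until the host is empty or a timeout passes, reboot it, and reopen it for connections before moving on. It uses this module's lab names and assumes WinRM is reachable for Restart-Computer.

```powershell
# Added example (not from the course): rolling maintenance of the RDSH tier using drain
# mode. Assumed: lab server names from this module, WinRM access for Restart-Computer.
Import-Module RemoteDesktop

$Broker  = "RDCB01.hexworth.local"
$Hosts   = @("RDSH01.hexworth.local", "RDSH02.hexworth.local")
$Timeout = [timespan]::FromMinutes(90)
$Notice  = "This server is closing for maintenance. Please save your work and log off within 15 minutes."

foreach ($server in $Hosts) {
    Write-Host "=== $server : entering drain mode"
    # Existing sessions continue; new logons go to the other hosts in the collection.
    Set-RDSessionHost -SessionHost $server -NewConnectionAllowed NotUntilReboot -ConnectionBroker $Broker

    # Warn everyone still on this host.
    Get-RDUserSession -ConnectionBroker $Broker | Where-Object { $_.HostServer -eq $server } | ForEach-Object {
        Send-RDUserMessage -HostServer $server -UnifiedSessionID $_.UnifiedSessionId `
            -MessageTitle "Maintenance" -MessageBody $Notice
    }

    # Wait for the host to empty, polling every 5 minutes up to the timeout.
    $deadline = (Get-Date) + $Timeout
    while ($true) {
        $remaining = @(Get-RDUserSession -ConnectionBroker $Broker | Where-Object { $_.HostServer -eq $server }).Count
        if ($remaining -eq 0 -or (Get-Date) -ge $deadline) { break }
        Write-Host "$server : $remaining session(s) remaining, waiting"
        Start-Sleep -Seconds 300
    }

    if ($remaining -gt 0) {
        # Never reboot under users; leave the host drained so an operator can decide.
        Write-Warning "$server still has $remaining session(s) after $($Timeout.TotalMinutes) min; left in drain mode, not rebooted."
        continue
    }

    Restart-Computer -ComputerName $server -Wait -For PowerShell -Timeout 900 -Force
    Set-RDSessionHost -SessionHost $server -NewConnectionAllowed Yes -ConnectionBroker $Broker
    Write-Host "=== $server : back in service"
}
```

Because each host is only reopened after it is back and the next one is not touched until then, the collection never loses more than one host at a time; with two hosts this still halves capacity during the window, so run it outside peak hours or keep a third host in the collection as the earlier Add-RDSessionHost step does.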

Lab Preview

Practice RDS configuration through both interfaces.

GUI Lab Tasks

  • Create session collection
  • Publish RemoteApp programs
  • Configure RD Gateway policies
  • Set session timeouts
  • Enable User Profile Disks
  • Configure RDS certificates
  • Manage user sessions

PowerShell Lab Tasks

  • Deploy RDS roles with PowerShell
  • Create and manage collections
  • Publish RemoteApps
  • Configure licensing
  • Monitor active sessions
  • Set up HA Connection Broker
  • Configure device redirection