General Admin Issues

Slowness (2) solutions


Seeing some slowness when trying to connect in


Windows Registry Editor Version 5.00




General Terminal Server Global turn offs for speed


Admin Command prompt:

netsh interface tcp set global autotuning=disabled
netsh interface tcp set global chimney=disabled
netsh interface tcp set global rss=disabled

Can't see collections


Can't see Collections that were created by other users


  1. You must add Windows Authorization Access Group to the security tab in Active Directory
  2. There are two properties you have to set as Read msTSLProperty01
  3. To be able to see the Collections, you additionally need to add all the Servers in your Farm from Server Manager


Remote Desktop Services tools are not functional after you remove a server from Server Manager

PS C:\> Get-RDServer

Server                                             Roles
------                                             -----
                                                   {RDS-RD-SERVER, RDS-CONNECTION-BROKER, RDS-WEB-ACCESS}
                                                   {RDS-RD-SERVER}
PS C:\> Remove-RDServer RDS-RD-SERVER

Connection Broker Install (WMI firewall Access Denied)


Failed: Could not create the Windows Management Instrumentation (wmi) Windows Firewall exception on <Server Name>. Could not create the Windows Management Instrumentation Windows Firewall exception on <Server Name>. System.Management.Automation.RemoteException: Access is denied.


Make sure you have no drive mappings in your Windows account.

RDWeb - Change published FQDN


A common scenario where the ability to change the published name is useful is when your internal domain is .local, .private, .internal, etc.  For instance, you purchase and install a wildcard certificate (* for use with RDS, but when your users connect they receive a name mismatch error because they are attempting to connect to rdcb.yourdomain.local.  This cmdlet allows you to change the FQDN they will use to a name that will match your certificate (


.\Set-RDPublishedName.ps1 -ClientAccessName "" -ConnectionBroker ""


RDGateway Server Add error


"The RD RAP could not be created. The following error occured: wmi failure: unable to create resource access policy"  The error is 2147965800. Please check the eventlog on RD Gateway server


Put TEMP and TMP environment variables back to the classic location in c:\windows\temp

** Also make sure that your account can gain entry. Most likely need to make Users:RW  (domain users group, Read/Write/Modify)

** Put the computer into the Terminal Servers Computer group

** Needs a Reboot

To check this, click Start > Control Panel > System and Security > System > Advanced System Settings and click the Environment Variables button.

Under the System variables section, verify that the paths of both the TEMP and TMP environment variables are on the same volume as the system volume. By default, they are set to the native location: %systemroot%\temp (i.e. c:\Windows\Temp).

(In 2016, it was set into the user profile. Also, didn't have permission to c:\windows\temp )

RemoteApps Cannot Publish App Instance (Error)


You try to publish a RemoteApp, could not create a published application instance on the server.

Solution (1):

Make sure that your Certificates are valid

Check certs here

RemoteApps not showing on Web Interface


You publish a RemoteApp, but it does not show up for you on the Web Interface

Solution (1):

You must make sure that you have the User/Groups listed in the Remote Collections configuration.


Solution (2):

Make sure that you have added the group allowed to connect in too if you're using the Broker server
Connection Authorization

RDSH Not Load Balancing


Seems to be accepting some connections, but people reporting they cannot connect


Make sure that the Remote Desktop Service is started on all Farm nodes. 

Also ensure that you see "OK" in the farm statuses. Can confirm in the console that all nodes are being seen and are green

Desktop Client Access License has been Modified


the remote session was disconnected because the remote desktop client access license stored on this computer has been modified


Click on Start

In the start search box type REGEDIT and press enter.

In the registry editor access the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\MSLicensing

Remote Desktop Connection cannot verify that the computer belongs to the same RD Session Host Farm


This is the Error you'll get if you do not list all servers. In this case, it could not connect to a recently-added group

RDP gateway no good


See the "Setting the Servers for the Farm" section

Adding Session Host into RemoteApp Pool


Can't see the session host when you click Add Session Host


Go to Overview and in the RD Session Host GUI, Right Click and Add Session Host Servers


Changing the Server Manager to Another RDS Farm


Can't seem to figure out how



Error: Unable to display RD Web Access


An unexpected error has occurred that is preventing this page from being displayed correctly.
Viewing this page in Internet Explorer with the Enhanced Security Configuration enabled can cause such an error.
Please try loading this page without the Enhanced Security Configuration enabled. If this error continues to be displayed, please contact your administrator.



Reboot your computer! or try another Browser

Redirect the Default Web Site to /RDWeb


Get the Microsoft Stock Landing page



Website is asking for Credentials when Launching App


When you launch an app, you are re-prompted for credentials


Ensure that you're using Internet Explorer and that the site is a Trusted Site in your browser

Also, in the Trusted Site "Custom Level", go to the bottom and check the setting for passing current username and password (not just Local Intranet)


1. Sites 
Click on Add the site. ( ie:
2. Click on Custom Level
3. Scroll to the bottom and click the "Automatic logon with current user name and password" option

RemoteApps taking LONG time to connect in (60+ seconds)


When you launch an app, there is a significant delay between the time you launch the RemoteApp and the time it loads


Ensure that port 3389 (RDP) is opened on your Firewall to the RD Broker server

Make sure you Bypass Settings on Gateway Server

Earlier in this book I said to make sure it's unchecked. However, Microsoft has suggested that this be enabled. This did help the 60+ second connection issue


Set [Computer] GPO (either local or domain) for security to Negotiate from Security Layer RDP


Kill RemoteApps Process


Sometimes you need to kill the process


The process that RemoteApps work under is:  wksprt.exe

Cannot Change Password on Login screen


By default, the Change Password mechanism is disabled.


You have to enable this by editing the file  %windir%\web\Pages\web.config

Set the value PasswordChangeEnabled to true



RDS Change Icon


Need to change icon


Set-RDRemoteApp -CollectionName "Remote Desktop" -Alias "MEDENT_RDS" -IconPath "c:\medent\bin\webmed.exe" -IconIndex 0

Set-RDRemoteApp : A Remote Desktop Services deployment does not exist


Set-RDRemoteApp : A Remote Desktop Services deployment does not exist on <>. This operation

can be performed after creating a deployment. For information about creating a deployment, run "Get-Help

New-RDVirtualDesktopDeployment" or "Get-Help New-RDSessionDeployment".


Run PowerShell as ADMIN

Cannot Connect to RDP Message


A user with a heavily locked down computer could not connect. Getting this message


What I noticed: 

When you log into the RDWeb webpage, we weren't getting the message illustrated here. When you click on the icon, you'd get that ugly error message. Also, the custom RDP file would not launch either

The environment was extremely locked down--so I think that may have played a part in it



We created a Work Resource (available in Win 7 and higher) to our Gateway server. Once logged in, the bubble above popped up and the user--after an unusually long delay--was able to connect in

Solution 2: 

This can also be a locked-out user or disabled account.

An authentication error has occurred. The function requested is not supported




REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2


iOS Devices get an error when connecting  0x00000904




In Local Security Policy (secpol.msc) on your Gateway machine, Enable this setting, followed by a "gpupdate /force"


An authentication error has occurred (Code: 0x607).


1. Please make sure all client devices have at least RDP 8.0 capable client software.  For PCs, this means clients should have mstsc.exe version 6.2.9200 or later, with 6.3.9600 (RDP 8.1) or later preferred.  For iOS, OSX, Android, Windows Mobile, this means using the latest version of the Remote Desktop app available from the respective app store.

2. On your RD Session Host servers only (not your broker), please delete the following registry value:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp


NOTE:  Again, do not delete the above value from your broker.  Only your RDSH servers.

After making the above changes, please test to make sure the issue has been resolved.

Can't connect to RD Gateway server from Windows 10, or Windows 7 with RDP v7.1 or below


"Your Computer can't connect to the Remote Desktop Gateway server. Contact your network administrator for assistance."


HKCU\Software\Microsoft\Terminal Server Client\
      RDGClientTransport     REG_DWORD     0x00000002

     // (1 - RPC, 0 - default, 2 - remoteDesktopGateway (WinHTTP))

Additional Data (Windows 7, RDP Version 7.1 or earlier):

A hotfix (KB2574819) followed by RDC version 8.0 (KB2592687).

How to tell your RDP version?

Launch Remote Desktop Connection from the START menu

Click the Window icon and select About


Ignore missing channel bindings on the Gateway server

Set the EnforceChannelBinding registry value to 0 (zero) to ignore missing channel bindings on the Gateway server. To do this, locate the following registry subkey, and use the given specifications:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core

Name: EnforceChannelBinding
Value: 0 (Decimal)

Note By default, the EnforceChannelBinding value does not exist on the Gateway server. You must create this value.
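Both the AllowEncryptionOracle change earlier on this page and the EnforceChannelBinding change above relax an authentication check, so it helps to be able to list where they are in effect. The following read-only report is an added example, not part of the original page; the function name Get-RdsRelaxationReport is made up for illustration, the AllowEncryptionOracle labels are the ones Microsoft documents for that value, and for EnforceChannelBinding only the value 0 described above is interpreted.

```powershell
# Added example (not from the original page): read-only report of the two
# authentication relaxations this page applies. Run in an elevated session.
$RdsRelaxations = @(
    @{ Path         = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
       Name         = 'AllowEncryptionOracle'
       RelaxedValue = 2
       # Microsoft's documented labels for this DWORD
       Meanings     = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' } },
    @{ Path         = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core'
       Name         = 'EnforceChannelBinding'
       RelaxedValue = 0
       # Only the value this page describes is interpreted
       Meanings     = @{ 0 = 'Missing channel bindings ignored' } }
)

function Get-RdsRelaxationReport {
    foreach ($check in $RdsRelaxations) {
        $prop = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            # Key or value absent: the operating system default is in effect
            $value   = $null
            $meaning = 'Not set (OS default applies)'
        } else {
            $value = [int]$prop.($check.Name)
            if ($check.Meanings.ContainsKey($value)) { $meaning = $check.Meanings[$value] }
            else { $meaning = 'Value not described on this page' }
        }
        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME
            Setting  = $check.Name
            Value    = $value
            Meaning  = $meaning
            Relaxed  = ($null -ne $value -and $value -eq $check.RelaxedValue)
        } | Select-Object Computer, Setting, Value, Meaning, Relaxed
    }
}

Get-RdsRelaxationReport | Format-Table -AutoSize
```

Rows with Relaxed = True mark machines where the workaround is still in place and can be revisited once both ends of the connection are updated.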

PowerShell Server Maintenance


Example to remove an invalid License server


Windows PowerShell

Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Users\admin> Get-RDServer

Server                                             Roles

------                                             -----

Server1                                            {RDS-RD-SERVER, RDS-CONNECTION-BROKER, RDS-WEB-ACCESS, RDS-GATEWAY}

Server2                                            {RDS-LICENSING}

PS C:\Users\admin> Remove-RDServer Server2 RDS-RD-LICENSING


Removing server from the Remote Desktop deployment. Do you want to continue?

[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y

PS C:\Users\admin> Get-RDServer

Server                                             Roles

------                                             -----

Server1                                            {RDS-RD-SERVER, RDS-CONNECTION-BROKER, RDS-WEB-ACCESS, RDS-GATEWAY}

Some patches that might be useful for Win7

WIN7-WORK  Update           KB2592687  WIN7-WORK\Administrator  12/11/2018
WIN7-WORK  Update           KB2574819  WIN7-WORK\Administrator  12/11/2018
WIN7-WORK  Update           KB2952664  NT AUTHORITY\SYSTEM      12/10/2018
WIN7-WORK  Security Update  KB3177467  NT AUTHORITY\SYSTEM      12/11/2018
WIN7-WORK  Update           KB4457044  NT AUTHORITY\SYSTEM      12/10/2018
WIN7-WORK  Update           KB4459934  NT AUTHORITY\SYSTEM      12/10/2018
WIN7-WORK  Security Update  KB4467107  NT AUTHORITY\SYSTEM      12/10/2018

Enable TLS 1.1/1.2 by Default in Win7


Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows


The DefaultSecureProtocols registry entry can be added in the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

On x64-based computers, DefaultSecureProtocols must also be added to the Wow6432Node path:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

The registry value is a DWORD bitmap. The value to use is determined by adding the values corresponding to the protocols desired.

DefaultSecureProtocols Value

Protocol enabled


Enable SSL 2.0 by default


Enable SSL 3.0 by default


Enable TLS 1.0 by default


Enable TLS 1.1 by default


Enable TLS 1.2 by default
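The bitmap arithmetic and the two registry locations described above, as an added example that is not part of the original page. The function names are made up for illustration, and the flag values are the ones Microsoft documents for DefaultSecureProtocols; the syntax is kept compatible with the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the original page). Flag values as documented by
# Microsoft for the WinHTTP DefaultSecureProtocols DWORD.
$ProtocolFlags = @{
    'SSL 2.0' = 0x00000008
    'SSL 3.0' = 0x00000020
    'TLS 1.0' = 0x00000080
    'TLS 1.1' = 0x00000200
    'TLS 1.2' = 0x00000800
}

# Combine the flags for the protocols that should be on by default
function Get-DefaultSecureProtocolsValue {
    param([Parameter(Mandatory=$true)][string[]]$Protocol)
    $value = 0
    foreach ($p in $Protocol) {
        if (-not $ProtocolFlags.ContainsKey($p)) { throw "Unknown protocol '$p'" }
        $value = $value -bor $ProtocolFlags[$p]
    }
    $value
}

# Decode an existing DWORD back into protocol names (useful when auditing)
function ConvertFrom-DefaultSecureProtocolsValue {
    param([Parameter(Mandatory=$true)][int]$Value)
    $ProtocolFlags.GetEnumerator() | Sort-Object Value |
        Where-Object { $Value -band $_.Value } | ForEach-Object { $_.Key }
}

# Write the value to the native path and, when present, the Wow6432Node path
function Set-WinHttpDefaultSecureProtocols {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][int]$Value)
    $paths = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp')
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
    }
    foreach ($path in $paths) {
        if ($PSCmdlet.ShouldProcess($path, ('Set DefaultSecureProtocols = 0x{0:X8}' -f $Value))) {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            New-ItemProperty -Path $path -Name DefaultSecureProtocols -PropertyType DWord -Value $Value -Force | Out-Null
        }
    }
}

$value = Get-DefaultSecureProtocolsValue -Protocol 'TLS 1.1', 'TLS 1.2'
'0x{0:X8}' -f $value
ConvertFrom-DefaultSecureProtocolsValue -Value $value
Set-WinHttpDefaultSecureProtocols -Value $value -WhatIf   # drop -WhatIf (elevated) to apply
```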

A fatal error occurred when attempting to access the SSL server credential private key. 


The error code returned from the cryptographic module is 0x8009030D. 

The internal error state is 10001." 


  • The Remote Desktop Host Services service runs under the NETWORK SERVICE account. Therefore, it is necessary to set the ACL of the key file used by RDS to include NETWORK SERVICE with "Read" permissions. To modify the permissions follow the steps below:

    Open the Certificates snap-in for the local computer:

    1. Click Start, click Run, type mmc, and click OK.

    2. On the File menu, click Add/Remove Snap-in.

    3. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and click Add.

    4. In the Certificates snap-in dialog box, click Computer account, and click Next.

    5. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and click Finish.

    6. In the Add or Remove Snap-ins dialog box, click OK.

    7. In the Certificates snap-in, in the console tree, expand Certificates (Local Computer), expand Personal, and navigate to the SSL certificate that you would like to use.

    8. Right-click the certificate, select All Tasks, and select Manage Private Keys.

    9. In the Permissions dialog box, click Add, type NETWORK SERVICE, click OK,  select Read under the Allow checkbox, then click OK.
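To confirm the result of the steps above without opening the snap-in, the following added example (not part of the original page) locates the private key file behind a certificate in the Local Computer Personal store and checks whether NETWORK SERVICE holds an Allow rule for Read. The function name Test-RdsKeyReadAccess is made up for illustration; the check assumes an RSA key, .NET Framework 4.6 or later, an elevated session, and an English-language account name.

```powershell
# Added example (not from the original page): verify the key-file ACL that
# "Manage Private Keys" edits. Pass the thumbprint of your own certificate.
function Test-RdsKeyReadAccess {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        [string]$Account = 'NT AUTHORITY\NETWORK SERVICE'
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }

    # Resolve the key container name for both CNG and legacy CSP keys
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($null -eq $rsa) { throw 'Not an RSA key; this example only handles RSA.' }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyName = $rsa.Key.UniqueName
    } else {
        $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }

    # Machine keys live in one of these two directories
    $keyFile = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
                 "$env:ProgramData\Microsoft\Crypto\Keys") |
        ForEach-Object { Join-Path $_ $keyName } |
        Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $keyFile) { throw "Key file for container '$keyName' not found." }

    # Look for an Allow rule that covers the full Read right set
    $read  = [System.Security.AccessControl.FileSystemRights]::Read
    $rules = @((Get-Acl -Path $keyFile).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $read) -eq $read)
    })

    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint
        KeyFile    = $keyFile
        Account    = $Account
        HasRead    = ($rules.Count -gt 0)
    } | Select-Object Thumbprint, KeyFile, Account, HasRead
}

# Usage: list the Personal store, then test the certificate RDS is bound to
Get-ChildItem Cert:\LocalMachine\My | Select-Object Thumbprint, Subject, NotAfter
# Test-RdsKeyReadAccess -Thumbprint '<thumbprint of your RDS certificate>'
```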

    Disable UDP  (Loading Virtual Machine)

    Set-ItemProperty 'HKLM:/Software/Policies/Microsoft/Windows NT/Terminal Services/Client' 'fClientDisableUDP' 0


    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client" /v "fClientDisableUDP" /t REG_DWORD /d 1 /f