Windows Server Remote Desktop Services

Remote Desktop Services (RDS) provides a platform for delivering virtualized applications and secure remote desktop access, supporting various deployment options including on-premises and cloud solutions. It allows for flexible configurations, enabling session-based virtualization or virtual desktop infrastructure (VDI) to meet user needs. The document outlines guidelines for planning, deploying, and managing RDS environments, including supported configurations and best practices for maximizing performance and security.


Remote Desktop Services

Remote Desktop Services let you deliver virtualized applications and provide secure
remote and mobile desktop access through remote desktop sessions.

About Remote Desktop Services

OVERVIEW
What is Remote Desktop Services?

Get started

GET STARTED
Create virtual machines for Remote Desktop
Supported configurations for Remote Desktop Services
Supported security configurations for Windows 10 Virtual Desktop Infrastructure
Planning poster for Remote Desktop Services

Plan and Design

TUTORIAL
Plan and Design your Remote Desktop Services environment

ARCHITECTURE
Remote Desktop Services architecture
Build anywhere
Network guidelines

Build and deploy

TUTORIAL
Build and deploy your Remote Desktop Services deployment

HOW-TO GUIDE
Deploy your Remote Desktop environment
Create a Remote Desktop Services collection
License your RDS deployment with client access licenses

Run and tune

TUTORIAL
Run and tune your Remote Desktop Services environment

HOW-TO GUIDE
Manage your personal desktop session collections
Manage users in your RDS collection
Remote Desktop IP Virtualization
Optimize Windows configuration for VDI desktops

Access your Remote Desktop resources

HOW-TO GUIDE
Get started with the Remote Desktop Connection app
Enable Remote Desktop on your PC
Allow access to your PC from outside your network
Uninstall and reinstall the Remote Desktop Connection app

REFERENCE
Available Remote Desktop clients


Remote Desktop Services overview in Windows Server
Article • 01/03/2025
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

Remote Desktop Services (RDS) is the platform of choice for building virtualization
solutions for every end customer need, including delivering individual virtualized
applications, providing secure mobile and remote desktop access, and providing end
users the ability to run their applications and desktops from the cloud.

RDS offers deployment flexibility, cost efficiency, and extensibility—all delivered through
a variety of deployment options, including Windows Server for on-premises
deployments, Microsoft Azure for cloud deployments, and a robust array of partner
solutions.

Depending on your environment and preferences, you can set up the RDS solution for
session-based virtualization, as a virtual desktop infrastructure (VDI), or as a
combination of the two:

- Session-based virtualization: Leverage the compute power of Windows Server to
  provide a cost-effective multi-session environment to drive your users' everyday
  workloads.
- VDI: Leverage Windows client to provide the high performance, app compatibility,
  and familiarity that your users have come to expect of their Windows desktop
  experience.

Within these virtualization environments, you have additional flexibility in what you
publish to your users:

- Desktops: Give your users a full desktop experience with a variety of applications
  that you install and manage. Ideal for users that rely on these computers as their
  primary workstations.
- RemoteApps: Specify individual applications that are hosted/run on the virtualized
  machine but appear as if they're running on the user's desktop like local
  applications. The apps have their own taskbar entry and can be resized and moved
  across monitors. Ideal for deploying and managing key applications in the secure,
  remote environment while allowing users to work from and customize their own
  desktops.

With these options and configurations, you have the flexibility to deploy the desktops
and applications your users need in a remote, secure, and cost-effective fashion.

Next steps
Here are some next steps to help you get a better understanding of RDS and even start
deploying your own environment:

- Understand the supported configurations for RDS with the various Windows and
  Windows Server versions.
- Plan and design an RDS environment to accommodate various requirements, such
  as high availability and multifactor authentication.
- Review the Remote Desktop Services architecture models that work best for your
  desired environment.
- Connect to your RDS environment using one of the available clients.

Create virtual machines for Remote Desktop
Article • 11/01/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

Use the following steps to create the virtual machines in the tenant's environment that
will be used to run the Windows Server 2016 roles, services, and features required for a
desktop hosting deployment.

For this example of a basic deployment, a minimum of 3 virtual machines will be
created. One virtual machine will host the Remote Desktop (RD) Connection Broker and
License Server role services and a file share for the deployment. A second virtual
machine will host the RD Gateway and Web Access role services. A third virtual machine
hosts the RD Session Host role service. For very small deployments, you can reduce VM
costs by using Microsoft Entra App Proxy to eliminate all public endpoints from the
deployment and combining all the role services onto a single VM. For larger
deployments, you can install the various role services on individual virtual machines to
allow better scaling.

This section outlines the steps necessary to deploy virtual machines for each role based
on Windows Server images in the Microsoft Azure Marketplace . If you need to create
virtual machines from a custom image, which requires PowerShell, check out Create a
Windows VM with Resource Manager and PowerShell. Then return here to attach Azure
data disks for the file share and enter an external URL for your deployment.

1. Create Windows virtual machines to host the RD Connection Broker, RD License
   Server, and File server.

   For our purpose, we used the following naming conventions:

   RD Connection Broker, License Server, and File Server:
   VM: Contoso-Cb1
   Availability set: CbAvSet

   RD Web Access and RD Gateway Server:
   VM: Contoso-WebGw1
   Availability set: WebGwAvSet

   RD Session Host:
   VM: Contoso-Sh1
   Availability set: ShAvSet

   Each VM uses the same resource group.

2. Create and attach an Azure data disk for the user profile disk (UPD) share:
   a. In the Azure portal click Browse > Resource groups, click the resource group
      for the deployment, and then click the VM created for the RD Connection
      Broker (for example, Contoso-Cb1).
   b. Click Settings > Disks > Attach new.
   c. Accept the defaults for name and type.
   d. Enter a size (in GB) that is large enough to hold network shares for the tenant's
      environment, including user profile disks and certificates. You can approximate 5
      GB per user you plan to have.
   e. Accept the defaults for location and host caching, and then click OK.

3. Create an external load balancer to access the deployment externally:
   a. In the Azure portal click Browse > Load balancers, and then click Add.
   b. Enter a Name, select Public as the Type of load balancer, and select the
      appropriate Subscription, Resource Group, and Location.
   c. Select Choose a public IP address, Create new, enter a name, and select Ok.
   d. Select Create to create the load balancer.

4. Configure the external load balancer for your deployment:
   a. In the Azure portal click Browse > Resource groups, click the resource group
      for the deployment, and then click the load balancer you created for the
      deployment.
   b. Add a backend pool for the load balancer to send traffic to:
      i. Select Backend pool and Add.
      ii. Enter a Name and select + Add a virtual machine.
      iii. Select Availability set and WebGwAvSet.
      iv. Select Virtual machines, Contoso-WebGw1, Select, OK, and OK.
   c. Add a probe so the load balancer knows what machines are active:
      i. Select Probes and Add.
      ii. Enter a Name (like HTTPS), select TCP, enter Port 443, and select OK.
   d. Enter load balancing rules to balance the incoming traffic:
      i. Select Load balancing rules and Add.
      ii. Enter a Name (like HTTPS), select TCP, and 443 for both the Port and the
          Backend port. For a Windows 10 and Windows Server 2016 deployment, leave
          Session persistence as None, otherwise select Client IP.
      iii. Select OK to accept the HTTPS rule.
      iv. Create a new rule by selecting Add.
      v. Enter a Name (like UDP), select UDP, and 3391 for both the Port and the
         Backend port. For a Windows 10 and Windows Server 2016 deployment, leave
         Session persistence as None, otherwise select Client IP.
      vi. Select OK to accept the UDP rule.
   e. Enter an inbound NAT rule to directly connect to Contoso-WebGw1:
      i. Select Inbound NAT rules and Add.
      ii. Enter a Name (like RDP-Contoso-WebGw1), select Custom for the service,
          TCP for the protocol, and enter 14000 for the Port.
      iii. Select Choose a virtual machine and Contoso-WebGw1.
      iv. Select Custom for the port mapping, enter 3389 for the Target port, and
          select OK.

5. Enter an external URL/DNS name for your deployment to access it externally:
   a. In the Azure portal, click Browse > Resource groups, click the resource group
      for the deployment, and then click the public IP address you created for RD
      Web Access and RD Gateway.
   b. Click Configuration, enter a DNS name label (like contoso), and then click Save.
      This DNS name label (contoso.westus.cloudapp.azure.com) is the DNS name
      that you'll use to connect to your RD Web Access and RD Gateway server.
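The same result as portal steps 2 through 5, as an added example written for this page with the Az PowerShell module (it is not Microsoft's own script). It keeps the page's values (probe on 443, TCP 443 and UDP 3391 rules, NAT 14000 to 3389, DNS label "contoso", the Contoso-* VM names) and assumes a resource group "RDS-RG", the "westus" region, a NIC named "Contoso-WebGw1-nic", and a 100-user tenant for the disk size; change those to match your environment.

```powershell
# Added example for the procedure above; not Microsoft's code. Run Connect-AzAccount first.
$rg       = 'RDS-RG'            # assumption: resource group shared by every VM
$location = 'westus'            # assumption: region, matches the page's DNS example
$lbName   = 'Contoso-WebGwLb'   # assumption: load balancer name
$dnsLabel = 'contoso'           # from the page; must be unique within the region

# Step 5: public IP with a DNS name label -> contoso.westus.cloudapp.azure.com
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name "$lbName-pip" -Location $location `
    -Sku Standard -AllocationMethod Static -DomainNameLabel $dnsLabel

# Step 4a-4c: frontend, backend pool and the TCP 443 health probe
$frontend = New-AzLoadBalancerFrontendIpConfig -Name 'Frontend' -PublicIpAddress $pip
$pool     = New-AzLoadBalancerBackendAddressPoolConfig -Name 'WebGwPool'
$probe    = New-AzLoadBalancerProbeConfig -Name 'HTTPS' -Protocol Tcp -Port 443 `
    -IntervalInSeconds 15 -ProbeCount 2

# Step 4d: session persistence. 'Default' is the portal's "None" (Windows 10 /
# Windows Server 2016 deployments); 'SourceIP' is the portal's "Client IP".
$persistence = 'Default'
$ruleHttps = New-AzLoadBalancerRuleConfig -Name 'HTTPS' -Protocol Tcp `
    -FrontendPort 443 -BackendPort 443 -FrontendIpConfiguration $frontend `
    -BackendAddressPool $pool -Probe $probe -LoadDistribution $persistence
$ruleUdp   = New-AzLoadBalancerRuleConfig -Name 'UDP' -Protocol Udp `
    -FrontendPort 3391 -BackendPort 3391 -FrontendIpConfiguration $frontend `
    -BackendAddressPool $pool -Probe $probe -LoadDistribution $persistence

# Step 4e: inbound NAT rule 14000 -> 3389 for direct administrative RDP to Contoso-WebGw1.
# This exposes RDP on the public IP: restrict the source range with a network security
# group on the VM's subnet, or omit the rule and manage the VM through RD Gateway instead.
$nat = New-AzLoadBalancerInboundNatRuleConfig -Name 'RDP-Contoso-WebGw1' -Protocol Tcp `
    -FrontendPort 14000 -BackendPort 3389 -FrontendIpConfiguration $frontend

$lb = New-AzLoadBalancer -ResourceGroupName $rg -Name $lbName -Location $location -Sku Standard `
    -FrontendIpConfiguration $frontend -BackendAddressPool $pool -Probe $probe `
    -LoadBalancingRule $ruleHttps, $ruleUdp -InboundNatRule $nat

# Step 4b (iv): place the Contoso-WebGw1 NIC in the backend pool and bind the NAT rule.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'Contoso-WebGw1-nic'   # assumption
$nic.IpConfigurations[0].LoadBalancerBackendAddressPools.Add($lb.BackendAddressPools[0])
$nic.IpConfigurations[0].LoadBalancerInboundNatRules.Add($lb.InboundNatRules[0])
Set-AzNetworkInterface -NetworkInterface $nic | Out-Null

# Step 2: data disk for the UPD share on the broker VM, sized at the page's 5 GB per user
# (100 users assumed -> 500 GB).
$vm = Get-AzVM -ResourceGroupName $rg -Name 'Contoso-Cb1'
$vm = Add-AzVMDataDisk -VM $vm -Name 'Contoso-Cb1-upd' -Lun 0 -CreateOption Empty -DiskSizeInGB 500
Update-AzVM -ResourceGroupName $rg -VM $vm | Out-Null

"External name for RD Web Access and RD Gateway: $($pip.DnsSettings.Fqdn)"
```

The Standard load balancer SKU is used because it requires a Standard, static public IP, which is what a fixed DNS label for the gateway needs. Both load-balancing rules share the single TCP 443 probe, as the portal does, so a gateway whose HTTPS listener is down also stops receiving UDP 3391 traffic.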

Supported configurations for Remote Desktop Services
Article • 07/03/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

When it comes to supported configurations for Remote Desktop Services environments,
the largest concern tends to be version interoperability. Most environments include
multiple versions of Windows Server. For example, you may have an existing RDS
deployment running an earlier version of Windows Server but want to upgrade to a later
version of Windows Server to take advantage of the new features. The question then
becomes, which RDS components can work with different versions and which need to be
the same?

So with that in mind, here are basic guidelines for supported configurations of Remote
Desktop Services in Windows Server.

Note

Make sure to review the system requirements for Windows Server.

Best practices

- Use the most recent version of Windows Server for your Remote Desktop
  infrastructure (the Web Access, Gateway, Connection Broker, and license server).
  Windows Server is backward-compatible with these components, meaning a
  Windows Server 2022 RD Session Host can connect to a 2025 RD Connection
  Broker, but not the other way around.
- For RD Session Hosts, all Session Hosts in a collection need to be at the same
  level, but you can have multiple collections. For example, you can have a collection
  with Windows Server 2019 Session Hosts and one with Windows Server 2025
  Session Hosts.
- An RDS license server can only process client access licenses (CALs) from the same
  or previous versions of Windows Server. Meaning, if you upgrade your RD Session
  Host to Windows Server 2025, you also need to upgrade the license server.
- Follow the upgrade order recommended in Upgrading your Remote Desktop
  Services environment.
- If you are creating a highly available environment, all of your Connection Brokers
  need to be at the same OS level.

RD Connection Brokers
Starting in Windows Server 2016, there's no restriction for the number of Connection
Brokers you can have in a deployment when using Remote Desktop Session Hosts
(RDSH) and Remote Desktop Virtualization Hosts (RDVH). The following table shows
which versions of RDS components work in a highly available deployment with three or
more Connection Brokers.

3+ Connection Brokers in HA | RDSH or RDVH 2025 | RDSH or RDVH 2022 | RDSH or RDVH 2019 | RDSH or RDVH 2016
Windows Server 2025 Connection Broker | Supported | Supported | Supported | Supported
Windows Server 2022 Connection Broker | N/A | Supported | Supported | Supported
Windows Server 2019 Connection Broker | N/A | N/A | Supported | Supported
Windows Server 2016 Connection Broker | N/A | N/A | N/A | Supported
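The best practices above and the Connection Broker table reduce to a few version rules: brokers at one level, every session or virtualization host no newer than the broker, a license server no older than the hosts it serves, and one OS level per collection. The following added script (written for this page, not Microsoft's tooling) inventories a deployment and reports violations. It assumes the RemoteDesktop module on the machine running it, CIM access to every RDS server, and a broker FQDN of "rdcb01.contoso.local"; the build-to-release map uses the RTM build numbers of each Windows Server release.

```powershell
# Added example; not part of the Microsoft page. Reports RDS servers whose Windows Server
# release breaks the interoperability rules described above.
$broker   = 'rdcb01.contoso.local'    # assumption: FQDN of an RD Connection Broker
$releases = @{ 14393 = 2016; 17763 = 2019; 20348 = 2022; 26100 = 2025 }   # RTM build -> release
$cache    = @{}

function Get-ServerRelease {
    param([string]$ComputerName)
    if (-not $cache.ContainsKey($ComputerName)) {
        $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName).BuildNumber
        if (-not $releases.ContainsKey($build)) { throw "Unrecognised build $build on $ComputerName" }
        $cache[$ComputerName] = $releases[$build]
    }
    $cache[$ComputerName]
}

function Test-RdsVersionAlignment {
    param([string]$ConnectionBroker)
    $servers = Get-RDServer -ConnectionBroker $ConnectionBroker
    $byRole  = { param($role) @($servers | Where-Object { $_.Roles -contains $role } | ForEach-Object Server) }
    $brokers  = & $byRole 'RDS-CONNECTION-BROKER'
    $hosts    = (& $byRole 'RDS-RD-SERVER') + (& $byRole 'RDS-VIRTUALIZATION')
    $licenses = & $byRole 'RDS-LICENSING'
    $brokerRelease = Get-ServerRelease $brokers[0]

    # Rule 1: in a highly available deployment every Connection Broker is at the same level.
    foreach ($b in $brokers) {
        $r = Get-ServerRelease $b
        if ($r -ne $brokerRelease) { "Broker $b is Windows Server $r, the other brokers are $brokerRelease" }
    }
    # Rule 2: a host may be older than the broker, never newer.
    foreach ($h in $hosts) {
        $r = Get-ServerRelease $h
        if ($r -gt $brokerRelease) { "Host $h is Windows Server $r, newer than the $brokerRelease broker" }
    }
    # Rule 3: the license server must be at least as new as the newest host it serves.
    $newestHost = ($hosts | ForEach-Object { Get-ServerRelease $_ } | Measure-Object -Maximum).Maximum
    foreach ($l in $licenses) {
        $r = Get-ServerRelease $l
        if ($r -lt $newestHost) { "License server $l is Windows Server $r; a $newestHost host needs $newestHost or newer" }
    }
    # Rule 4: all Session Hosts in one collection share a level (separate collections may differ).
    foreach ($c in Get-RDSessionCollection -ConnectionBroker $ConnectionBroker) {
        $levels = Get-RDSessionHost -CollectionName $c.CollectionName -ConnectionBroker $ConnectionBroker |
            ForEach-Object { Get-ServerRelease $_.SessionHost } | Sort-Object -Unique
        if (@($levels).Count -gt 1) { "Collection '$($c.CollectionName)' mixes Windows Server $($levels -join ', ')" }
    }
}

$findings = Test-RdsVersionAlignment -ConnectionBroker $broker
if ($findings) { $findings } else { 'All RDS servers satisfy the version rules.' }
```

Run it before an upgrade and again after each role is moved: the license-server rule is the one most often missed, because a 2025 Session Host keeps accepting connections while the older license server silently stops issuing it CALs.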

Support for graphics processing unit (GPU) acceleration

Remote Desktop Services support systems equipped with GPUs. Applications that
require a GPU can be used over the remote connection. Additionally, GPU-accelerated
rendering and encoding can be enabled for improved app performance and scalability.

Remote Desktop Services Session Hosts and single-session client operating systems can
take advantage of the physical or virtual GPUs presented to the operating system in
many ways, including the Azure GPU optimized virtual machine sizes, GPUs available to
the physical RDSH server, and GPUs presented to the VMs by supported hypervisors.
See Which graphics virtualization technology is right for you? for help figuring out what
you need. For specific information about DDA, check out Plan for deploying Discrete
Device Assignment.

GPU vendors may have a separate licensing scheme for RDSH scenarios or restrict GPU
use on the server OS; verify the requirements with your vendor.

GPUs presented by a non-Microsoft hypervisor or Cloud Platform must have drivers
digitally-signed by WHQL and supplied by the GPU vendor.

Remote Desktop Session Host support for GPUs

The following table shows the scenarios supported by different versions of RDSH hosts.

Feature | Windows Server 2016 | Windows Server 2019 | Windows Server 2022 | Windows Server 2025
Use of hardware GPU for all RDP sessions | Yes | Yes | Yes | Yes
H.264/AVC hardware encoding (if supported by the GPU) | Yes | Yes | Yes | Yes
Load balancing between multiple GPUs presented to the OS | No | Yes | Yes | Yes
H.264/AVC encoding optimizations for minimizing bandwidth usage | No | Yes | Yes | Yes
H.264/AVC support for 4K resolution | No | Yes | Yes | Yes

VDI support for GPUs

The following table shows support for GPU scenarios in the client OS.

Feature | Windows 7 SP1 | Windows 8.1 | Windows 10
Use of hardware GPU for all RDP sessions | No | Yes | Yes
H.264/AVC hardware encoding (if supported by the GPU) | No | No | Windows 10 1703 or later
Load balancing between multiple GPUs presented to the OS | No | No | Windows 10 1803 or later
H.264/AVC encoding optimizations for minimizing bandwidth usage | No | No | Windows 10 1803 or later
H.264/AVC support for 4K resolution | No | No | Windows 10 1803 or later

RemoteFX 3D Video Adapter (vGPU) support

Note

Because of security concerns, RemoteFX vGPU is disabled by default on all versions
of Windows starting with the July 14, 2020 Security Update and removed starting
with the April 13, 2021 Security Update. To learn more, see KB 4570006.

Remote Desktop Services supports RemoteFX vGPUs when the VM is running as a Hyper-V
guest on Windows Server. The following guest operating systems have RemoteFX vGPU
support:

- Windows 11
- Windows 10
- Windows Server in a single-session deployment only

Discrete Device Assignment support

Remote Desktop Services supports Physical GPUs presented with Discrete Device
Assignment from Hyper-V hosts running Windows Server 2016 or later. See Plan for
deploying Discrete Device Assignment for more details.

VDI deployment – supported guest operating systems

Windows Server RD Virtualization Host servers support the following guest operating
systems:

- Windows 11 Enterprise
- Windows 10 Enterprise

Note

Remote Desktop Services doesn't support heterogeneous session collections.

- The OSes of all VMs in a collection must be the same version.
- You can have separate homogeneous collections with different guest OS
  versions on the same host.
- The Hyper-V host used to run VMs must be the same version as the Hyper-V
  host used to create the original VM templates.

Single sign-on
RDS in Windows Server supports two main SSO experiences:

- In-app (Remote Desktop application on Windows, iOS, Android, and Mac)
- Web SSO

Using the Remote Desktop application, you can store credentials either as part of the
connection info (Mac) or as part of managed accounts (iOS, Android, Windows) securely
through the mechanisms unique to each OS.

To connect to desktops and RemoteApps with SSO through the inbox Remote Desktop
Connection client on Windows, you must connect to the RD Web page through Internet
Explorer. The following configuration options are required on the server side. No other
configurations are supported for Web SSO:

- RD Web set to Forms-Based Authentication (Default)
- RD Gateway set to Password Authentication (Default)
- RDS Deployment set to "Use RD Gateway credentials for remote computers"
  (Default) in the RD Gateway properties

Note

Due to the required configuration options, Web SSO is not supported with
smartcards. Users who log in via smartcards might face multiple prompts to log in.
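The three server-side settings required for Web SSO can be audited rather than checked by hand. The script below is an added example written for this page (not Microsoft's code). It assumes the RemoteDesktop module on the Connection Broker, the WebAdministration module on the RD Web Access server, remoting to that server, and that RD Web's forms authentication lives in the system.web/authentication section of the RDWeb/Pages IIS application (the usual location, treated here as an assumption). The broker and web server names are placeholders.

```powershell
# Added example; not part of the Microsoft page. Reports Web SSO prerequisites that are not met.
$broker = 'rdcb01.contoso.local'    # assumption: RD Connection Broker FQDN
$rdWeb  = 'rdweb01.contoso.local'   # assumption: RD Web Access server FQDN

function Test-WebSsoConfiguration {
    param([string]$ConnectionBroker, [string]$WebAccessServer)
    $findings = @()

    # Requirement 2 and 3: RD Gateway uses password authentication and forwards the
    # gateway credentials to the remote computer (UseCachedCredentials).
    $gw = Get-RDDeploymentGatewayConfiguration -ConnectionBroker $ConnectionBroker
    if ($gw.LogonMethod -ne 'Password') {
        $findings += "RD Gateway logon method is '$($gw.LogonMethod)'; Web SSO requires 'Password'"
    }
    if (-not $gw.UseCachedCredentials) {
        $findings += 'RD Gateway is not set to "Use RD Gateway credentials for remote computers"'
    }

    # Requirement 1: RD Web uses forms-based authentication (an IIS setting on RDWeb/Pages).
    $mode = Invoke-Command -ComputerName $WebAccessServer -ScriptBlock {
        Import-Module WebAdministration
        $attr = Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\RDWeb\Pages' `
            -Filter 'system.web/authentication' -Name mode
        [string]$attr.Value    # assumption: the attribute's Value is the mode name, e.g. "Forms"
    }
    if ($mode -ne 'Forms') {
        $findings += "RD Web authentication mode is '$mode'; Web SSO requires 'Forms'"
    }
    return $findings
}

$issues = Test-WebSsoConfiguration -ConnectionBroker $broker -WebAccessServer $rdWeb
if ($issues) { $issues } else { 'Web SSO prerequisites are in place.' }
```

A smartcard deployment will fail the first check by design, since the page states that Web SSO and smartcard logon are mutually exclusive; in that case the repeated prompts users see are expected rather than a misconfiguration.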

For more information about creating VDI deployment of Remote Desktop Services,
check out Supported Windows 10 security configurations for Remote Desktop Services
VDI.

Using Remote Desktop Services with application proxy services

You can use Remote Desktop Services with Microsoft Entra application proxy. Remote
Desktop Services doesn't support using Web Application Proxy.

Supported Windows security configurations for Remote Desktop Services VDI
Article • 11/01/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

Windows and Windows Server have new layers of protection built into the operating
system to:

- Safeguard against security breaches
- Help block malicious attacks
- Enhance the security of virtual machines, applications, and data.

Note

Features like Credential Guard may have a performance impact on user density.
Make sure to test your scenarios. Learn more about other considerations for
Credential Guard configuration.

Make sure to review the Remote Desktop Services supported configuration
information.

The following table outlines which of these new features are supported in a VDI
deployment using RDS.

VDI collection type | Managed pooled | Managed personal | Unmanaged pooled | Unmanaged personal
Credential Guard | Yes | Yes | Yes | Yes
Device Guard | Yes | Yes | Yes | Yes
Remote Credential Guard | No | No | No | No
Shielded & Encryption Supported VMs | No | No | Encryption Supported VMs with extra configuration | Encryption Supported VMs with extra configuration

Remote Credential Guard
Remote Credential Guard is only supported for direct connections to the target
machines and not for the ones via Remote Desktop Connection Broker and Remote
Desktop Gateway.

Note

If you have a Connection Broker in a single-instance environment, and the DNS
name matches the computer name, you may be able to use Remote Credential
Guard, although this isn't supported.
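Because the table above says Credential Guard and Device Guard are supported in every collection type while the note warns about their effect on user density, the first step in a density test is confirming the features are actually running in the guest rather than merely configured. The script below is an added example for this page (not Microsoft's code); it reads the Win32_DeviceGuard WMI class that Windows exposes for exactly this purpose and is meant to be run inside a VDI template VM.

```powershell
# Added example; not part of the Microsoft page. Run inside the VDI guest.
function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # Windows' own value codes for this class:
    #   VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    #   SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard,
    #                                                         2 = HVCI (Device Guard code integrity)
    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
        HvciConfigured            = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning               = ($dg.SecurityServicesRunning -contains 2)
    }
}

$status = Get-VbsStatus
$status

# Configured-but-not-running means a VBS prerequisite (UEFI with Secure Boot and
# virtualization extensions exposed to the guest) is missing from the VM template.
if ($status.CredentialGuardConfigured -and -not $status.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running; fix the template before measuring density.'
}
```

Remote Credential Guard has no guest-side indicator to check here: per the table it is unsupported through the Connection Broker and RD Gateway in every collection type, so its presence is a property of the client connection path, not of the VM.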

Shielded VMs and Encryption Supported VMs

Shielded VMs aren't supported in Remote Desktop Services VDI.

For leveraging Encryption Supported VMs:

- Use an unmanaged collection and a provisioning technology outside of the
  Remote Desktop Services collection creation process to provision the virtual
  machines.
- User Profile Disks aren't supported as they rely on differential disks.

Remote Desktop Services - planning poster
Article • 07/03/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016

Azure Virtual Desktop

You may have heard us talk about a new "modern infrastructure" for Remote Desktop.
Maybe you've heard us use the phrase "RDmi." The phrase you need to know is "Azure
Virtual Desktop." Learn more at our Azure Virtual Desktop documentation page.

The Remote Desktop Services team have created a poster to help you plan, build, and
run your Azure Virtual Desktop environment.

You can get a copy of the poster by right-clicking the image and saving it to your local
system.

Remote Desktop Services in Windows Server

The Remote Desktop Services team have created a poster to help you plan, build, and
run your RDS environment.

You can get a copy of the poster by right-clicking the image and saving it to your local
system.

Check out the following topics to learn more about planning:

- Plan and design your RDS deployment
- Build and deploy RDS
- Run and tune your RDS environment

Plan and design your Remote Desktop Services environment
Article • 07/03/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016

A highly scalable Remote Desktop deployment requires the use of specific patterns and
practices. Designing for optimal performance and scale-out is key. Use the scenarios
below to help you envision, architect, and continually refine your deployment.

Use the following information to plan and design your deployment:

Build anywhere
Network guidance
Access from anywhere
High availability
MultiFactor Authentication
Secure data storage
GPU acceleration
Connect from any device
Choose how you pay

Be sure to also review the Desktop Hosting Reference Architecture, which provides an
overview of the Remote Desktop architecture and helps you plan a hybrid RDS
environment that includes Azure infrastructure.

Remote Desktop Services - Build anywhere
Article • 11/01/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

Deploy on-premises, in the cloud, or a hybrid of the two. Modify your deployment as
your business needs change.

Regardless of where you are, the underlying architecture of the Remote Desktop
Services environment remains the same:

- You still must have an internet-facing server to utilize RD Web Access and RD
  Gateway for external users.
- You still must have an Active Directory and, for highly available environments, a
  SQL database to house user and Remote Desktop properties.
- You still must have communication access between the RD infrastructure roles (RD
  Connection Broker, RD Gateway, RD Licensing, and RD Web Access) and the end
  RDSH or RDVH hosts to be able to connect end-users to their desktops or
  applications.

This flexibility allows you to get the best of both worlds:

- The simplicity and pay-as-you-go methods associated with the cloud and the
  online world.
- The familiarity and hassle-free way of leveraging heavy resources that already exist
  on-premises.

For additional information, look at how to build and deploy your Remote Desktop
Services deployment.

Network guidelines
Article • 07/03/2024

When using a remote Windows session, your network's available bandwidth greatly
impacts the quality of your experience. Different applications and display resolutions
require different network configurations, so it's important to make sure your network is
configured to meet your needs.

Note

The following recommendations apply to networks with less than 0.1% loss. These
recommendations apply regardless of how many sessions you're hosting on your
virtual machines (VMs).

Applications
The following table lists the minimum recommended bandwidths for a smooth user
experience. These recommendations are based on the guidelines in Remote Desktop
workloads.

Workload type | Recommended bandwidth
Light | 1.5 Mbps
Medium | 3 Mbps
Heavy | 5 Mbps
Power | 15 Mbps

Keep in mind that the stress put on your network depends on both your app workload's
output frame rate and your display resolution. If either the frame rate or display
resolution increases, the bandwidth requirement will also rise. For example, a light
workload with a high-resolution display requires more available bandwidth than a light
workload with regular or low resolution.

Other scenarios can have their bandwidth requirements change depending on how you
use them, such as:

- Voice or video conferencing
- Real-time communication
- Streaming 4K video

Make sure to load test these scenarios in your deployment using simulation tools like
Login VSI. Vary the load size, run stress tests, and test common user scenarios in remote
sessions to better understand your network's requirements.

Display resolutions
Different display resolutions require different available bandwidths. The following table
lists the bandwidths we recommend for a smooth user experience at typical display
resolutions with a frame rate of 30 frames per second (fps). These recommendations
apply to single and multiple user scenarios. Keep in mind that scenarios involving a
frame rate under 30 fps, such as reading static text, require less available bandwidth.

Typical display resolutions at 30 fps | Recommended bandwidth
About 1024 × 768 px | 1.5 Mbps
About 1280 × 720 px | 3 Mbps
About 1920 × 1080 px | 5 Mbps
About 3840 × 2160 px (4K) | 15 Mbps

Azure Virtual Desktop experience estimator

The Azure region you're in can affect user experience as much as network conditions.
Check out the Azure Virtual Desktop experience estimator to learn more.

Assistive technologies
Assistive technology workloads, like using Narrator in the remote session, require
connections with a connection round trip time (RTT) of 20 milliseconds (ms) or better for
the best user experience.

Session host virtual machine sizing guidelines
Article • 07/03/2024

Whether you're running your session host virtual machines (VM) on Remote Desktop
Services or Azure Virtual Desktop, different types of workloads require different VM
configurations. The examples in this article are generic guidelines, and you should only
use them for initial performance estimates. For the best possible experience, scale your
deployment depending on your users' needs.

Workloads
Users can run different types of workloads on the session host virtual machines. The
following table shows examples of a range of workload types to help you estimate what
size your virtual machines need to be. After you set up your virtual machines, you should
continually monitor their actual usage and adjust their size accordingly. If you end up
needing a bigger or smaller virtual machine, you can easily scale your existing
deployment up or down in Azure.

The following table describes each workload. Example users are the types of users that
might find each workload most helpful. Example apps are the kinds of apps that work
best for each workload.

Workload type | Example users | Example apps
Light | Users doing basic data entry tasks | Database entry applications, command-line interfaces
Medium | Consultants and market researchers | Database entry applications, command-line interfaces, Microsoft Word, static web pages
Heavy | Software engineers, content creators | Database entry applications, command-line interfaces, Microsoft Word, static web pages, Microsoft Outlook, Microsoft PowerPoint, dynamic web pages, software development
Power | Graphic designers, 3D model makers, machine learning researchers | Database entry applications, command-line interfaces, Microsoft Word, static web pages, Microsoft Outlook, Microsoft PowerPoint, dynamic web pages, photo and video editing, computer-aided design (CAD), computer-aided manufacturing (CAM)

Single-session recommendations
Single-session scenarios are when there's only one user signed in to a session host VM at
any one time. For example, if you use personal host pools in Azure Virtual Desktop,
you're using a single-session scenario. For VM sizing recommendations for single-
session scenarios, we recommend you use at least two physical CPU cores per VM,
typically four vCPUs with hyper-threading. If you need more specific VM sizing
recommendations for single-session scenarios, ask the software vendors specific to your
workload. VM sizing for single-session VMs usually align with physical device guidelines.

The following table shows examples of typical workloads:

Workload type | vCPU/RAM/OS storage minimum | Example Azure instances | Profile container storage minimum
Light | 2 vCPUs, 8-GB RAM, 32-GB storage | D2s_v5, D2s_v4 | 30 GB
Medium | 4 vCPUs, 16-GB RAM, 32-GB storage | D4s_v5, D4s_v4 | 30 GB
Heavy | 8 vCPUs, 32-GB RAM, 32-GB storage | D8s_v5, D8s_v4 | 30 GB

Multi-session recommendations
Multi-session scenarios are when there's more than one user signed in to a session host
virtual machine at any one time. For example, when you use pooled host pools in Azure
Virtual Desktop with the Windows 11 Enterprise multi-session operating system (OS),
that's a multi-session deployment.

The following table lists the maximum suggested number of users per virtual central
processing unit (vCPU) and the minimum VM configuration for standard or larger user
workload. If you need more specific VM sizing recommendations for single-session
scenarios, ask the software vendors specific to your workload.

Workload type | Maximum users per vCPU | Minimum vCPU/RAM/OS storage | Example Azure instances | Minimum profile storage
Light | 6 | 8 vCPUs, 16-GB RAM, 32-GB storage | D8s_v5, D8s_v4, F8s_v2, D8as_v4, D16s_v5, D16s_v4, F16s_v2, D16as_v4 | 30 GB
Medium | 4 | 8 vCPUs, 16-GB RAM, 32-GB storage | D8s_v5, D8s_v4, F8s_v2, D8as_v4, D16s_v5, D16s_v4, F16s_v2, D16as_v4 | 30 GB
Heavy | 2 | 8 vCPUs, 16-GB RAM, 32-GB storage | D8s_v5, D8s_v4, F8s_v2, D8as_v4, D16s_v5, D16s_v4, F16s_v2, D16as_v4 | 30 GB
Power | 1 | 6 vCPUs, 56-GB RAM, 340-GB storage | D16ds_v5, D16s_v4, D16as_v4, NV6, NV16as_v4 | 30 GB

For multi-session workloads, you should limit VM size to between 4 vCPUs and 24
vCPUs for the following reasons:

All VMs should have more than two cores. The UI components in Windows rely on
the use of at least two parallel threads for some of the heavier rendering
operations. For multi-session scenarios, having multiple users on a two-core VM
leads to the UI and apps becoming unstable, which lowers the quality of user
experience. Four cores are the lowest recommended number of cores that a stable
multi-session VM should have.

VMs shouldn't have more than 32 cores. As the number of cores increases, the
system's synchronization overhead also increases. For most workloads, at around
16 cores, the return on investment gets lower, with most of the extra capacity
offset by synchronization overhead. User experience is better with two 16-core
VMs instead of one 32-core one.

The recommended range between 4 and 24 cores generally provides better capacity
returns for your users as you increase the number of cores. For example, if you have 12
users sign in at the same time to a VM with four cores, the ratio is three users per core.
Meanwhile, on a VM with 8 cores and 14 users, the ratio is 1.75 users per core. In this
scenario, the latter configuration with a ratio of 1.75 offers greater burst capacity for
your applications that have short-term CPU demand.

This recommendation is true at a larger scale. For scenarios with 20 or more users
connected to a single VM, several smaller VMs would perform better than one or two
large VMs. For example, if you're expecting 30 or more users to sign in within 10
minutes of each other on the same session host with 16 cores, two 8-core VMs would
handle the workload better. You can also use breadth-first load balancing to evenly
distribute users across different VMs instead of depth-first load balancing, where you
can only use a new session host after the existing one is full of users.

It's also better to use a large number of smaller VMs instead of a few large VMs. It's
easier to shut down VMs that need to be updated or aren't currently in use. With larger
VMs, you're more likely to have at least one user signed in at any time, which prevents
you from shutting down the VM. When you have many smaller VMs, it's more likely you
have some VMs without active users. You can safely shut down these unused VMs to
conserve resources, either manually or automatically by using autoscale in Azure Virtual
Desktop. Conserving resources makes your deployment more resilient, easier to
maintain, and less expensive.

General virtual machine recommendations

In order to run your chosen OS in Azure, you must use Premium SSD storage for
production workloads that require a service level agreement (SLA). For more
information, see the Service Level Agreements (SLA) for Online Services.

Graphics processing units (GPUs) are a good choice for users who regularly use
graphics-intensive programs for video rendering, 3D design, and simulations. Azure has
several graphics acceleration deployment options and multiple available GPU VM sizes.
Learn more at GPU optimized virtual machine sizes. For more general information about
graphics acceleration in Remote Desktop Services, see Remote Desktop Services - GPU
acceleration.

B-series burstable VMs in Azure are a good choice for users who don't always need
maximum CPU performance. For more information, see Sizes for Windows virtual
machines in Azure and the pricing information on the Virtual Machine series.

Test your workload

Finally, you should use simulation tools to test your deployment with both stress tests
and real-life usage simulations. Make sure your system is responsive and resilient
enough to meet user needs, and remember to vary the load size to avoid surprises.

Remote Desktop Services - Access from anywhere
Article • 11/01/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

End users can connect to internal network resources securely from outside the corporate
firewall through RD Gateway.

Regardless of how you configure the desktops for your end-users, you can easily plug
the RD Gateway into the connection flow for a fast, secure connection. For end-users
connecting through published feeds, you can configure the RD Gateway property as you
configure the overall deployment properties. For end-users connecting through to their
desktops without a feed, they can easily add the name of the organization's RD Gateway
as a connection property no matter which Remote Desktop client application they use.

The three primary purposes of the RD Gateway, in the order of the connection
sequence, are:

1. Establish an encrypted SSL tunnel between the end-user's device and the RD
Gateway Server: In order to connect through any RD Gateway server, the RD
Gateway server must have a certificate installed that the end-user's device
recognizes. In testing and proofs of concepts, self-signed certificates can be used,
but only publicly trusted certificates from a certificate authority should be used in
any production environment.
2. Authenticate the user into the environment: The RD Gateway uses the inbox IIS
service to perform authentication, and can even utilize the RADIUS protocol to
leverage multi-factor authentication solutions such as Azure MFA. Aside from the
default policies created, you can create additional RD Resource Authorization
Policies (RD RAPs) and RD Connection Authorization Policies (RD CAPs) to more
specifically define which users should have access to which resources within the
secure environment.
3. Pass traffic back and forth between the end-user's device and the specified
resource: The RD Gateway continues to perform this task for as long as the
connection is established. You can specify different timeout properties on the RD
Gateway servers to maintain the security of the environment in case the user walks
away from the device.

You can find additional details on the overall architecture of a Remote Desktop Services
deployment in the desktop hosting reference architecture.
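The following PowerShell script is an added example written for this page, not Microsoft's own tooling; it checks the three points above on an existing deployment (certificate trust on the gateway, the CAP/RAP set and their settings including timeouts, and the gateway published to feed clients). It assumes placeholder names rdcb01.contoso.com (broker) and rdgw.contoso.com (external gateway name) and is meant to run elevated on the RD Gateway server, where the RDS: drive is local.

```powershell
# Added example for this page, not Microsoft's own script. Assumed placeholder names:
# rdcb01.contoso.com (RD Connection Broker) and rdgw.contoso.com (gateway name clients use).
Import-Module RemoteDesktop            # Get-RDCertificate, Set-RDDeploymentGatewayConfiguration
Import-Module RemoteDesktopServices    # exposes RD Gateway policies as the RDS: drive

$Broker      = 'rdcb01.contoso.com'
$GatewayFqdn = 'rdgw.contoso.com'

function Test-RdGatewayPosture {
    param([string]$ConnectionBroker)
    $findings = @()

    # Step 1 of the connection sequence: the tunnel is only as trustworthy as the certificate behind it.
    $cert = Get-RDCertificate -Role RDGateway -ConnectionBroker $ConnectionBroker
    if ($cert.Level -ne 'Trusted') {
        $findings += "Gateway certificate level is '$($cert.Level)'; production needs a CA-issued, trusted certificate."
    }
    if ($cert.IssuedBy -eq $cert.IssuedTo) {
        $findings += 'Gateway certificate is self-signed (issuer equals subject); acceptable only for test deployments.'
    }
    if ($cert.ExpiresOn -lt (Get-Date).AddDays(30)) {
        $findings += "Gateway certificate expires on $($cert.ExpiresOn); renew it before clients start failing."
    }

    # Step 2: authorization policies. A CAP says who may connect, a RAP says to which resources;
    # both must exist, and every policy beyond the defaults should be deliberate.
    $caps = @(Get-ChildItem -Path 'RDS:\GatewayServer\CAP')
    $raps = @(Get-ChildItem -Path 'RDS:\GatewayServer\RAP')
    if ($caps.Count -eq 0 -or $raps.Count -eq 0) {
        $findings += 'No CAP or no RAP is defined; nobody can connect until both exist.'
    }

    [pscustomobject]@{
        Certificate = $cert | Select-Object Subject, IssuedBy, ExpiresOn, Level
        Caps        = $caps.Name
        Raps        = $raps.Name
        Findings    = $findings
    }
}

$report = Test-RdGatewayPosture -ConnectionBroker $Broker
$report.Findings | ForEach-Object { Write-Warning $_ }

# Step 3: each CAP's settings (the session and idle timeouts the text mentions, user groups,
# device redirection) are child items of the CAP with a CurrentValue; review them per policy.
foreach ($capName in $report.Caps) {
    Write-Host "CAP: $capName"
    Get-ChildItem -Path "RDS:\GatewayServer\CAP\$capName" | Format-Table Name, CurrentValue -AutoSize
}

# Publish the gateway to feed clients so users do not have to type it into their Remote Desktop client.
Set-RDDeploymentGatewayConfiguration -GatewayMode Custom -GatewayExternalFqdn $GatewayFqdn `
    -LogonMethod Password -UseCachedCredentials $true -BypassLocal $false `
    -ConnectionBroker $Broker -Force
```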
Remote Desktop Services - High availability
Article • 11/01/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

Failures and throttling are unavoidable in large-scale systems. It's simple to set up
Remote Desktop infrastructure roles to support high availability and allow end users to
connect seamlessly, every time.

In Remote Desktop Services, the following items represent the Remote Desktop
infrastructure roles, with their respective guidance to establish high availability:

Remote Desktop Connection Broker
Remote Desktop Gateway
Remote Desktop Licensing
Remote Desktop Web Access

High availability is established by duplicating each of the role services on a second
machine. In Azure, you can receive a guaranteed uptime by placing the set of two
virtual machines (hosting the same role) in an availability set.

Along with availability sets, you can now leverage the power of Azure SQL Database and
its Azure-backed SLA to ensure that you always have connection information and can
redirect users to their desktops and applications.

For best practices on creating your RDS environment, please see the desktop hosting
architecture.
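As an added example (not Microsoft's own script), the following PowerShell moves the Connection Broker database into Azure SQL Database, adds a second server for each infrastructure role, and verifies that every role now exists twice. All server names, the client access name rdcb.contoso.com, the Azure SQL server rdsql-example.database.windows.net and the login rdcbadmin are assumed placeholders; the database must already exist and ODBC Driver 13 (or later) for SQL Server must be installed on every broker.

```powershell
# Added example, not Microsoft's own script. Assumed placeholder names: rdcb01/rdcb02 (brokers),
# rdgw02, rdweb02, rdlic02 (second server per role), rdcb.contoso.com (DNS round-robin name clients
# use), Azure SQL server rdsql-example.database.windows.net with database rdcb-db and login rdcbadmin.
Import-Module RemoteDesktop

$Broker1    = 'rdcb01.contoso.com'
$Broker2    = 'rdcb02.contoso.com'
$ClientName = 'rdcb.contoso.com'
$SqlServer  = 'rdsql-example.database.windows.net'
$Database   = 'rdcb-db'

# Prompt for the SQL login so the password never lands in a script file or shell history.
$sqlCred = Get-Credential -UserName 'rdcbadmin' -Message 'Azure SQL login for the RD Connection Broker database'
$sqlPwd  = $sqlCred.GetNetworkCredential().Password

# ODBC connection string with encryption enforced; the broker reaches Azure SQL over TCP 1433.
$connString = "DRIVER={ODBC Driver 13 for SQL Server};SERVER=tcp:$SqlServer,1433;DATABASE=$Database;" +
              "UID=$($sqlCred.UserName);PWD=$sqlPwd;ENCRYPT=yes;TrustServerCertificate=no;Connection Timeout=30;"

# Step 1: put the deployment database in Azure SQL and set the name clients use for the broker pair.
Set-RDConnectionBrokerHighAvailability -ConnectionBroker $Broker1 `
    -DatabaseConnectionString $connString -ClientAccessName $ClientName

# Step 2: add a second server for every infrastructure role (the second gateway must share the
# external name that clients are given).
Add-RDServer -Server $Broker2 -Role RDS-CONNECTION-BROKER -ConnectionBroker $Broker1
Add-RDServer -Server 'rdgw02.contoso.com'  -Role RDS-GATEWAY -GatewayExternalFqdn 'rdgw.contoso.com' -ConnectionBroker $Broker1
Add-RDServer -Server 'rdweb02.contoso.com' -Role RDS-WEB-ACCESS -ConnectionBroker $Broker1
Add-RDServer -Server 'rdlic02.contoso.com' -Role RDS-LICENSING -ConnectionBroker $Broker1

# Step 3: verify. The HA record should name the client access name, and each role should list two servers.
Get-RDConnectionBrokerHighAvailability -ConnectionBroker $Broker1

$servers = Get-RDServer -ConnectionBroker $Broker1
foreach ($role in 'RDS-CONNECTION-BROKER', 'RDS-GATEWAY', 'RDS-WEB-ACCESS', 'RDS-LICENSING') {
    $count = @($servers | Where-Object { $_.Roles -contains $role }).Count
    if ($count -lt 2) {
        Write-Warning "$role is hosted on $count server(s); high availability needs at least two."
    }
}
```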

Remote Desktop Services - Multi-Factor Authentication
Article • 11/01/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

Leverage the power of Active Directory with Multi-Factor Authentication to enforce high
security protection of your business resources.

For your end-users connecting to their desktops and applications, the experience is
similar to what they already face as they perform a second authentication measure to
connect to the desired resource:

Launch a desktop or RemoteApp from an RDP file or through a Remote Desktop client application.
Upon connecting to the RD Gateway for secure, remote access, receive a mobile application MFA challenge.
Correctly authenticate and get connected to their resource!

For more details on the configuration process, check out Integrate your Remote
Desktop Gateway infrastructure using the Network Policy Server (NPS) extension and
Microsoft Entra ID.

Remote Desktop Services - Secure data storage with UPDs
Article • 11/01/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

Store business resources, user personalization data, and settings securely on-premises
or in Azure. RD Session Hosts use AD authentication and empower users with the
resources they need in a personalized environment, securely.

Ensuring users have a consistent experience, regardless of the endpoint from which they
access their remote resources, is an important aspect of managing an RDS deployment.
User Profile Disks (UPDs) allow user data, customizations, and application settings to
follow a user within a single collection. A UPD is a per-user, per-collection VHD file
saved in a central share that is mounted to a user's session when they sign in - the UPD
is treated as a local drive for the duration of that session.

From the user's perspective, the UPD provides a familiar experience - they save their
documents to their Documents folder (on what appears to be a local drive), change their
app settings as usual, and make any customizations to their Windows environment. All
this data, including the registry hive, is stored on the UPD and persists in a central
network share. UPDs are only available to the user when the user is actively connected
to a desktop or RemoteApp. UPDs can only roam within a collection because the user's
entire C:\Users\<username> directory (including AppData\Local) is stored on the UPD.

You can use PowerShell cmdlets to designate the path to the central share, the size of
each UPD, and which folders should be included or excluded from the user profile saved
to the UPD. Alternatively, you can enable UPDs through Server Manager by going to
Remote Desktop Services > Collections > Desktop Collection > Desktop Collection
Properties > User Profile Disks. Note that you enable or disable UPDs for all users of an
entire collection, not for specific users in that collection. UPDs must be stored on a
central file share where the servers in the collection have full control permissions.

You can achieve high availability for your UPDs by storing them in Azure with Storage
Spaces Direct.
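The following PowerShell is an added example, not the article's own code: it creates the central share with Full Control limited to the collection's session hosts, then enables UPDs for the whole collection with a size cap and folder exclusions, and reads the configuration back. The file server fs01.contoso.com with D:\UPD, the share name UPD$, the AD group CONTOSO\RDSH-Computers (containing the session hosts' computer accounts), the collection Desktops and the broker rdcb01.contoso.com are assumed placeholders.

```powershell
# Added example, not the article's own code. Assumed placeholders: fs01.contoso.com (file server),
# D:\UPD shared as UPD$, CONTOSO\RDSH-Computers (computer accounts of every session host in the
# collection), collection "Desktops", broker rdcb01.contoso.com.
Import-Module RemoteDesktop

# --- Part 1, on the file server: the share the session hosts mount the VHDs from. ---
$SharePath = 'D:\UPD'
$HostGroup = 'CONTOSO\RDSH-Computers'
New-Item -Path $SharePath -ItemType Directory -Force | Out-Null

# Share permission: only the session hosts get Full Control; no caching so disks are never
# held locally on a host, and SMB encryption so profile data is not readable on the wire.
New-SmbShare -Name 'UPD$' -Path $SharePath -FullAccess $HostGroup -CachingMode None -EncryptData $true

# NTFS permission: break inheritance and grant only SYSTEM, local Administrators and the hosts.
$acl = Get-Acl -Path $SharePath
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting and discard inherited entries
foreach ($identity in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $HostGroup) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $SharePath -AclObject $acl

# --- Part 2, on the broker: UPDs are switched on per collection, never per user. ---
$Broker     = 'rdcb01.contoso.com'
$Collection = 'Desktops'

# Folder paths are relative to the user's profile root (assumption for this example); excluding
# temporary and download data keeps the VHD within the 20 GB cap.
Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker `
    -EnableUserProfileDisk -DiskPath '\\fs01.contoso.com\UPD$' -MaxUserProfileDiskSizeGB 20 `
    -ExcludeFolderPath 'AppData\Local\Temp', 'Downloads'

# Read back what the collection now stores (path, size, include/exclude lists).
Get-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker -UserProfileDisk
```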

Remote Desktop Services - GPU acceleration
Article • 07/03/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016

Remote Desktop Services (RDS) works with native graphics acceleration and the graphics
virtualization technologies supported by Windows Server. For information on those
technologies, their differences, and how to deploy them, see Plan for GPU acceleration
in Windows Server.

When you plan for graphics acceleration in your RDS environment, your choice of user
scale and user workloads drives which graphics rendering technology you use:

Remote Desktop Services - Connect from any device
Article • 11/01/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

Access corporate resources from any Windows, Apple, or Android computer, tablet, or
phone. Enable users to easily see their available desktops and applications from any
device through RD Web Feed.

Learn more about Microsoft Remote Desktop clients.

Remote Desktop Services - Choose how you pay
Article • 11/01/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

Choose your licensing based on what makes sense for your company. License per user
to enable users to remote on any of their devices in a BYOD scenario. License per device
if users share the same devices. If you are a service provider (HSP or MSP) or ISV, choose
per-user Subscriber Access Licenses (SALs) for a flexible, pay-as-you-go model.

For more information, check out License your RDS deployment with client access
licenses (CALs).

Office 2016 in RDSH and VDI Deployments
Article • 01/03/2024

Use the following information to plan how best to integrate Office 2016 into your
Remote Desktop (RDSH) and VDI deployments.

Outlook 2016
In pooled VDI and RDSH deployments, using search within Outlook has limitations.
Search indexing depends on the machine ID, which is different for different VMs. It's
possible that every time a user logs into a pooled VDI infrastructure, they're directed to
a new VM. That would mean, if we enable local search, the indexer will run every time
the machine ID changes (when the user is on a different VM). Depending on the size of
the .OST file, the indexer could take a long time to complete and use up resources
needed for other apps. Search wouldn't only be slow but might not produce results.
Using an Online Mode account profile would work around this, but overall performance
would suffer due to the lack of a local cache.

Learn more about the difference between cached and online mode

Outlook 2016 has a solution to tackle this in cached mode by providing a new service
search experience for mailboxes hosted on Exchange 2016 (or hosted in Office 365). This
uses service search results against the local cache (OST). Outlook might fall back to
using the local search indexer in some scenarios, but most searches would use this new
service search feature. The recommendation for pooled VDI and RDSH deployments
would be to use Outlook 2016 in cached mode with network connectivity to allow service
search.

Learn how to configure cached exchange mode in Outlook 2016

OneDrive
The OneDrive Desktop App isn’t supported for client sessions that are hosted on
Windows 2008 Terminal Services or Windows 2012 Remote Desktop Services (RDS) in
non-persistent environments. Persistent Virtual Desktop Infrastructure (VDI)
environments are supported. For more information, see Use the sync app on virtual
desktops.
Skype for Business
Skype for Business isn't supported for RDSH deployments. For VDI deployments, check
out the documentation on planning for Skype for Business in VDI environments.

Dealing with Outlook search in non-persistent RDS environments
Article • 12/01/2023

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

A common issue customers face with their non-persistent (pooled) Remote Desktop
Services environments is handling users' Outlook data. When Outlook is running in
cached exchange mode, the .OST storing a user's Outlook data must follow the user as
they roam from host to host. Windows Search Service indexes the .OST and creates an
index catalog to enable search functionality in Outlook. In non-persistent RDS
environments, the index catalog doesn't roam with user data and must be rebuilt every
time the user signs into a new PC, which could potentially be every sign-on. Until the
Windows Search Service finishes indexing the .OST, users get limited or incomplete
search functionality.

According to a published report from RDS Gurus, FSLogix (a third-party solution
provider) has a solution that aims to solve this issue: FSLogix's Office 365 Container
roams a user's Outlook data and their search index catalog, giving users access to their
emails and enabling users to search in Outlook, even when they roam between sessions
on different hosts within a collection.

RDS Gurus performed testing on FSLogix's Office 365 Container, comparing it with
RDS’s native User Profile Disk roaming solution. The test scenarios covered both on-
premises and Azure RDS environments for non-persistent sessions on an RD session
host (RDSH). Tests also included pooled VMs on RD virtualization host (RDVH), only for
on-premises (RDVH isn't available in Azure). RDS Gurus primarily focused on the user
experience when there are "noisy neighbors," or other users logged on to the same
session host running similar workloads on the system.

The performance counters collected in these tests revealed similar resource usage (CPU,
RAM, network activity) with both UPD and FSLogix. The similarity in resource usage is
because Windows Search Service throttles its CPU usage when indexing. When it comes
to user experience, RDS Gurus found that FSLogix's Office 365 Container exceeds UPD in
Outlook search functionality. In the UPD case, search doesn't return results or returns
incomplete results as Windows Search Service indexes the .OST. Because FSLogix roams
the index catalog, users see search results immediately. RDS Gurus observed a
significant improvement in user experience when searching in Outlook in non-persistent
RDS environments using FSLogix.

Read more about the results and conclusions on the RDS Gurus blog.
Use the sync app on virtual desktops
Article • 12/05/2024

For all supported operating systems, the OneDrive sync app supports:

Virtual desktops that persist between sessions.
Non-persistent virtual desktops that use Azure Virtual Desktop.
Non-persistent virtual desktops that have FSLogix Apps or FSLogix Office Container, and a Microsoft 365 subscription for all of the following operating systems:
    Windows 10 and 11, 32-bit or 64-bit (supports VMDK/Virtual Machine Disk files)
    Windows Server 2022 (supports VHDX/Virtual Hard Disk)
    Windows Server 2019 (supports VHDX/Virtual Hard Disk)
    Windows Server 2016 (supports VHDX/Virtual Hard Disk)
    Windows Server 2012 R2 (supports VHDX/Virtual Hard Disk)

Note

It is not supported to roam the OneDrive registry hive as part of a non-persistent VDI
environment. Do not roam HKEY_CURRENT_USER\Software\Microsoft\OneDrive\ in your
non-persistent VDI user profiles.

Note

The minimum supported versions are: OneDrive 19.174.0902.0013 and FSLogix Apps 2.9.7653.47581.

Using the OneDrive sync app with non-persistent environments requires that you
install the sync app per machine.

For Windows Server, the SMB network file sharing protocol is also required.

The OneDrive sync app is supported in a remote app scenario hosted as a Citrix
Virtual App.

The OneDrive sync app with FSLogix does not support running multiple instances
of the same container simultaneously.

Set up OneDrive in Citrix Virtual Apps

This article describes how to enable and use OneDrive in Citrix Virtual Apps.

Prerequisites
To enable OneDrive in Citrix Virtual Apps, you must have the following versions of
Windows and Citrix Virtual Apps and Desktops (CVAD):

Windows:

Windows 11: KB5014019
Windows Server 2022: KB5014021
Windows 10: KB5014023
Windows Server 2019: KB5014022

Citrix:

CVAD 7 2203 LTSR/Long Term Service Release CU1 or later.

VDA/Virtual Delivery Agent 2212 enables Shellbridge by default. All earlier versions
require Shellbridge to be enabled manually.

To enable this feature, on a 2203 LTSR TS VDA (Windows Server 2019, Windows Server 2022,
Windows 10 RDSH/Remote Desktop Session Host, or Windows 11 RDSH/Remote Desktop
Session Host), add the following registry value:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Citrix Virtual Desktop Agent
Name: Shellbridge
Type: REG_DWORD
Value: 1

To ensure that the feature is correctly enabled, open a command window (cmd.exe) and
run start ms-settings:printers. If the feature is enabled, the printer settings window is
displayed.

We recommend adding OneDrive.exe to LogoffCheckSysModules.

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI
Value Name: LogoffCheckSysModules
Type: REG_SZ
String: OneDrive.exe, Microsoft.Sharepoint.exe

Important

FSLogix must be used in conjunction with Citrix Virtual Apps for OneDrive to be
supported.

How to set up OneDrive

1. Install OneDrive Sync app per machine. See Install the sync app per-machine.

2. Install the latest version of FSLogix. See Install FSLogix Applications.

Note

All non-persistent VDI environments require the latest version of FSLogix. Ensure you
install the latest version. See OneDrive sync error FSLogix_unsupported_environment on VMs.

3. Add OneDrive to HKLM\Software\Microsoft\Windows\CurrentVersion\Run by using the
following command:

REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /d "\"C:\Program Files\Microsoft OneDrive\OneDrive.exe\" /background"

4. Silently configure user accounts. See Silently configure user accounts.

Note

Silent sign-in should work if your machine is connected to Microsoft Entra ID.
Make sure to turn off this setting if your computer is not Microsoft Entra joined.
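As an added example (not a Citrix or Microsoft script), the following PowerShell applies the registry settings from the prerequisites and steps above on a VDA and then checks the result. It merges OneDrive.exe into an existing LogoffCheckSysModules list instead of overwriting it, and verifies the per-machine OneDrive install and the FSLogix Apps service (frxsvc) that the Important note requires; the per-machine install path is assumed to be the default C:\Program Files\Microsoft OneDrive.

```powershell
# Added example for this page, not a Citrix or Microsoft script. Run elevated on the VDA.
# Assumption: OneDrive was installed per machine into C:\Program Files\Microsoft OneDrive.
$CvadKey  = 'HKLM:\SOFTWARE\Citrix\Citrix Virtual Desktop Agent'
$TwiKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI'
$RunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$OneDrive = 'C:\Program Files\Microsoft OneDrive\OneDrive.exe'

function Set-OneDriveCvadSettings {
    # Shellbridge = 1 (REG_DWORD); VDA 2212 and later already default to this, earlier versions do not.
    New-Item -Path $CvadKey -Force | Out-Null
    Set-ItemProperty -Path $CvadKey -Name 'Shellbridge' -Value 1 -Type DWord

    # LogoffCheckSysModules is a comma-separated REG_SZ that may already list other modules;
    # add OneDrive.exe and Microsoft.Sharepoint.exe without dropping what is there.
    New-Item -Path $TwiKey -Force | Out-Null
    $existing = (Get-ItemProperty -Path $TwiKey -Name 'LogoffCheckSysModules' -ErrorAction SilentlyContinue).LogoffCheckSysModules
    $modules = @()
    if ($existing) {
        $modules = @($existing -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    foreach ($m in 'OneDrive.exe', 'Microsoft.Sharepoint.exe') {
        if ($modules -notcontains $m) { $modules += $m }
    }
    Set-ItemProperty -Path $TwiKey -Name 'LogoffCheckSysModules' -Value ($modules -join ', ') -Type String

    # Same effect as the REG ADD command in step 3: start OneDrive in the background at logon.
    Set-ItemProperty -Path $RunKey -Name 'OneDrive' -Value "`"$OneDrive`" /background" -Type String
}

function Test-OneDriveCvadSettings {
    $problems = @()

    $shell = (Get-ItemProperty -Path $CvadKey -Name 'Shellbridge' -ErrorAction SilentlyContinue).Shellbridge
    if ($shell -ne 1) { $problems += 'Shellbridge is not set to 1' }

    $mods = (Get-ItemProperty -Path $TwiKey -Name 'LogoffCheckSysModules' -ErrorAction SilentlyContinue).LogoffCheckSysModules
    if (-not $mods -or (($mods -split ',' | ForEach-Object { $_.Trim() }) -notcontains 'OneDrive.exe')) {
        $problems += 'OneDrive.exe is missing from LogoffCheckSysModules'
    }

    $run = (Get-ItemProperty -Path $RunKey -Name 'OneDrive' -ErrorAction SilentlyContinue).OneDrive
    if (-not $run -or $run -notmatch '/background') { $problems += 'OneDrive Run entry is missing or lacks /background' }

    # Prerequisites from the text: per-machine sync app and FSLogix present on the host.
    if (-not (Test-Path -Path $OneDrive)) { $problems += 'OneDrive per-machine install not found under Program Files' }
    if (-not (Get-Service -Name 'frxsvc' -ErrorAction SilentlyContinue)) { $problems += 'FSLogix Apps service (frxsvc) not found' }

    return $problems
}

Set-OneDriveCvadSettings
$issues = Test-OneDriveCvadSettings
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'OneDrive prerequisites for Citrix Virtual Apps are in place.' }
```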

See also
Learn more about VHDX/Virtual Hard Disk and VHD/Virtual Hard Disk.

For info about creating virtual hard disks, see Manage virtual hard disks.

Desktop Hosting Reference Architecture
Article • 07/03/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

This article defines a set of architectural blocks for using Remote Desktop Services (RDS)
and Microsoft Azure virtual machines to create multitenant, hosted Windows desktop
and application services, which we call "desktop hosting." You can use this architecture
reference to create highly secure, scalable, and reliable desktop hosting solutions for
small- and medium-sized organizations with 5 to 5000 users.

The primary audience for this reference architecture is hosting providers who want to
leverage Microsoft Azure Infrastructure Services to deliver desktop hosting services and
Subscriber Access Licenses (SALs) to multiple tenants via the Microsoft Service Provider
Licensing Agreement (SPLA) program. A second audience for this reference
architecture are end customers who want to create and manage desktop hosting
solutions in Microsoft Azure Infrastructure Services for their own employees using RDS
User CALs extended rights through Software Assurance (SA).

To deliver a desktop hosting solution, hosting partners and SA customers leverage
Windows Server to deliver Windows users an application experience that is familiar to
business users and consumers. Built on the foundations of Windows 10, Windows Server
2016 provides familiar application support and user experience.

The scope of this document is limited to:

Architectural design guidance for a desktop hosting service. Detailed information,
such as deployment procedures, performance, and capacity planning is explained
in separate documents. For more general information about Azure Infrastructure
Services, see Virtual Machines in Azure.

Session-based desktops, RemoteApp applications, and server-based personal
desktops that use Windows Server 2016 Remote Desktop Session Host (RD Session
Host). Windows client-based virtual desktop infrastructures aren't covered because
there's no Service Provider License Agreement (SPLA) for Windows client operating
systems. Windows Server-based virtual desktop infrastructures are allowed under
the SPLA, and Windows client-based virtual desktop infrastructures are allowed on
dedicated hardware with end-customer licenses in certain scenarios. However,
client-based virtual desktop infrastructures are out-of-scope for this document.

Microsoft products and features, primarily Windows Server 2016 and Microsoft
Azure Infrastructure Services.
Desktop hosting services for tenants ranging in size from 5 to 5000 users. For
larger tenants, you may need to modify this architecture to provide adequate
performance. The Server Manager RDS graphical user interface (GUI) isn't
recommended for deployments over 500 users. PowerShell is recommended for
managing RDS deployments between 500 and 5000 users.

The minimum set of components and services required for a desktop hosting
service. There are many optional components and services that can be added to
enhance a desktop hosting service, but these are out-of-scope for this document.

After reading this document, the reader should understand:

The building blocks for providing a secure, reliable, multitenant desktop hosting
solution based in Microsoft Azure Services.
The purpose of each building block and how they fit together.

There are multiple ways to build a desktop hosting solution based on this architecture.
This architecture outlines integration and improvements in Azure with Windows Server
2016. Other deployment options are available with the Desktop Hosting Reference
Architecture Guide.

The following topics are covered:

Desktop hosting logical architecture
Understand the RDS Roles
Understand the desktop hosting environment
Azure services and considerations for desktop hosting

Remote Desktop Services architecture
Article • 11/01/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

Below are various configurations for deploying Remote Desktop Services to host
Windows apps and desktops for end-users.

Note

The architecture diagrams below show using RDS in Azure. However, you can
deploy Remote Desktop Services on-premises and on other clouds. These diagrams
are primarily intended to illustrate how the RDS roles are colocated and use other
services.

Standard RDS deployment architectures

Remote Desktop Services has two standard architectures:

Basic deployment – This contains the minimum number of servers to create a fully
effective RDS environment
Highly available deployment – This contains all necessary components to have the
highest guaranteed uptime for your RDS environment

Basic deployment
Highly available deployment
RDS architectures with unique Azure PaaS roles
Though the standard RDS deployment architectures fit most scenarios, Azure continues
to invest in first-party PaaS solutions that drive customer value. Below are some
architectures showing how they incorporate with RDS.

RDS deployment with Microsoft Entra Domain Services

The two standard architecture diagrams above are based on a traditional Active
Directory (AD) deployed on a Windows Server VM. However, if you don't have a
traditional AD and only have a Microsoft Entra tenant (through services like Office365)
but still want to leverage RDS, you can use Microsoft Entra Domain Services to create
a fully managed domain in your Azure IaaS environment that uses the same users that
exist in your Microsoft Entra tenant. This removes the complexity of manually syncing
users and managing more virtual machines. Microsoft Entra Domain Services can work
in either deployment: basic or highly available.
RDS deployment with Microsoft Entra application proxy
The two standard architecture diagrams above use the RD Web/Gateway servers as the
Internet-facing entry point into the RDS system. For some environments, administrators
would prefer to remove their own servers from the perimeter and instead use
technologies that also provide additional security through reverse proxy technologies.
The Microsoft Entra application proxy PaaS role fits nicely with this scenario.

For supported configurations and how to create this setup, see how to publish Remote
Desktop with Microsoft Entra application proxy.
Desktop hosting service
Article • 07/03/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

This article will tell you more about the desktop hosting service's components.

Tenant environment
As described in Remote Desktop service roles, each role plays a distinct part in the
tenant environment.

The provider's desktop hosting service is implemented as a set of isolated tenant
environments. Each tenant's environment consists of a storage container, a set of virtual
machines, and a combination of Azure services, all communicating over an isolated
virtual network. Each virtual machine contains one or more of the components that
make up the tenant's hosted desktop environment. The following subsections describe
the components that make up each tenant's hosted desktop environment.

Active Directory Domain Services

Active Directory Domain Services (AD DS) provides the domain and forest information,
such that the tenant's users can sign in to the desktops and applications to carry out
their workloads. This also enables you to set up or connect to required file shares and
databases that may be required for Windows applications.

The tenant's forest does not require any trust relationship with the provider's
management forest. A domain administrator account may be set up in the tenant's
domain to allow the provider's technical personnel to perform administrative tasks in
the tenant's environment (such as monitoring system status and applying software
updates) and to assist with troubleshooting and configuration.

There are multiple ways to deploy AD DS:

1. Enable Microsoft Entra Domain Services in the tenant's virtual networking
environment. This will create a managed AD DS instance for the tenant based on
the users and groups that exist in Microsoft Entra ID.
2. Set up a stand-alone AD DS server in the tenant's virtual networking environment.
This gives you all of the full control of the AD DS instance running on virtual
machines.
3. Create a site-to-site VPN connection to an AD DS server located on the tenant's
premises. This allows the tenant to connect to their existing AD DS instance and
reduce duplication of users, groups, organizational units, and so on.

For more information, see the following articles:

Microsoft Entra Domain Services documentation
Desktop Hosting Reference Architecture Guide
Create a site-to-site connection in the Azure portal

SQL database
A highly-available SQL database is used by the Remote Desktop Connection Broker to
store deployment information, such as the mapping of current users' connections to the
host servers.

There are multiple ways to deploy an SQL database:

1. Create an Azure SQL Database in the tenant's environment. This provides you with
the functionality of a redundant SQL database without you having to manage the
servers themselves. This also allows you to pay for what you consume instead of
investing in infrastructure.
2. Create an SQL Server AlwaysOn cluster. This allows you to leverage existing SQL
Server infrastructure and gives you complete control over the SQL Server instances.

For more information about how to set up a highly-available SQL database
infrastructure, see the following articles:

What is the Azure SQL Database service?
Creation and configuration of availability groups (SQL Server).
Add the RD Connection Broker server to the deployment and configure high availability.

File server
The file server uses the Server Message Block (SMB) 3.0 protocol to provide shared
folders. These shared folders are used to create and store user profile disk files (.vhdx) to
back up data and let users share data with each other within the tenant's cloud service.

The virtual machine that deploys the file server must have an Azure data disk attached
and configured with shared folders. Azure data disks use write-through caching,
guaranteeing that writes to the disk will not be erased whenever the virtual machine is
restarted.

Small tenants can reduce costs by combining the file server and RD Licensing role on a
single virtual machine in the tenant's environment.

For more information, see the following articles:

Storage in Windows Server
How to attach a managed data disk to a Windows VM in the Azure portal

User profile disks

User profile disks allow users to save personal settings and files when they are signed in
to a session on an RD Session Host server in one collection, then access the same
settings and files when signing in to a different RD Session Host server in the collection.
When the user first signs in, the tenant's file server creates a user profile disk that gets
mounted to the RD Session Host server that the user is currently connected to. For each
subsequent sign-in, the user profile disk is mounted to the appropriate RD Session host
server, and it is unmounted with each sign-out. Only the user can access the profile
disk's contents.

Remote Desktop Services roles
Article • 07/03/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10

This article describes the roles within a Remote Desktop Services environment.

Remote Desktop Session Host

The Remote Desktop Session Host (RD Session Host) holds the session-based apps and desktops you share with users. Users reach these desktops and apps through one of the Remote Desktop clients for Windows, macOS, iOS, and Android, or through a supported browser by using the web client.

You organize RD Session Host servers into groups called collections, and publish a set of desktops or apps through each one. You can scope a collection to specific groups of users within each tenant: for example, a collection can publish a set of apps to one user group, while anyone outside that group won't be able to access those apps.

For small deployments, you can install applications directly onto the RD Session Host
servers. For larger deployments, we recommend building a base image and provisioning
virtual machines from that image.

You can expand a collection by adding more RD Session Host virtual machines to its farm, with every RD Session Host virtual machine in the collection assigned to the same availability set. This gives the collection higher availability and increases scale to support more users or resource-heavy applications.

In most cases, multiple users share the same RD Session Host server, which most
efficiently utilizes Azure resources for a desktop hosting solution. In this configuration,
users must sign in to collections with non-administrative accounts. You can also give
some users full administrative access to their remote desktop by creating personal
session desktop collections.

You can customize desktops even more by creating and uploading a virtual hard disk
with the Windows Server OS that you can use as a template for creating new RD Session
Host virtual machines.

For more information, see the following articles:

Remote Desktop Services - Secure data storage
Upload a generalized VHD and use it to create new VMs in Azure
Update RDSH collection (ARM template)

Remote Desktop Connection Broker
Remote Desktop Connection Broker (RD Connection Broker) manages incoming remote
desktop connections to RD Session Host server farms. RD Connection Broker handles
connections to both collections of full desktops and collections of remote apps. RD
Connection Broker can balance the load across the collection's servers when making
new connections. If RD Connection Broker is enabled, using DNS round robin to RD
Session Hosts for balancing servers is not supported. If a session disconnects, RD
Connection Broker will reconnect the user to the correct RD Session Host server and
their interrupted session, which still exists in the RD Session Host farm.

The RD Connection Broker needs a digital certificate for single sign-on and application publishing (the RDPublishing and RDRedirector certificate roles), and every client that connects must trust that certificate. When developing or testing a network, a self-signed certificate will do, provided you import it into the clients' trusted root store. A production service requires a certificate from a certification authority the clients already trust. The certificate's subject name must be the internal Fully Qualified Domain Name (FQDN) of the RD Connection Broker virtual machine, or, for a broker cluster, the client access name you configured for the farm.

You can install the Windows Server 2016 RD Connection Broker on the same virtual machine as AD DS to reduce cost. Bear in mind that co-locating a user-facing role on a domain controller means a compromise of that role is a compromise of the whole directory, so keep the broker on its own virtual machine wherever cost allows. If you need to scale out to more users, you can also add more RD Connection Broker virtual machines in the same availability set to create an RD Connection Broker cluster.

Before you can create an RD Connection Broker cluster, you must either deploy an Azure
SQL Database in the tenant's environment or create an SQL Server AlwaysOn Availability
Group.

For more information, see the following articles:

Add the RD Connection Broker server to the deployment and configure high availability
SQL database in Desktop hosting service
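The two passages on brokering state in a shared database (the SQL options above and this section) describe the same procedure, so here is one worked PowerShell sequence for it. This is an added example, not code from the original article: it converts an existing broker to high availability against Azure SQL Database, joins a second broker, and verifies the result. The server names, DNS name, database name and SQL login are hypothetical, and the ODBC driver named in the connection string must be the one actually installed on every broker.

```powershell
# Added example: configure RD Connection Broker high availability against Azure SQL
# Database, then add a second broker. All names below are hypothetical placeholders.
Import-Module RemoteDesktop

$broker1 = 'rdcb1.contoso.local'
$broker2 = 'rdcb2.contoso.local'
$dnsName = 'rdcb.contoso.local'   # DNS round-robin name resolving to every broker; clients use this

# Azure SQL only accepts encrypted connections. Keep Encrypt=yes and TrustServerCertificate=no,
# otherwise the broker will talk to anything that answers on port 1433. The SQL login must
# already own the (empty) database, and the same ODBC driver version must be installed on
# every broker before this runs. The password is read interactively rather than stored here.
$sqlPassword = Read-Host -Prompt 'Password for SQL login rdcbadmin' -AsSecureString
$plainText   = [System.Net.NetworkCredential]::new('', $sqlPassword).Password
$connectionString = @(
    'Driver={ODBC Driver 17 for SQL Server}'
    'Server=tcp:rds-broker-sql.database.windows.net,1433'
    'Database=RDCB'
    'Uid=rdcbadmin'
    "Pwd=$plainText"
    'Encrypt=yes'
    'TrustServerCertificate=no'
    'Connection Timeout=30'
) -join ';'

# Step 1: switch the existing broker to HA mode. The broker writes its state to the database
# from now on, so any broker in the cluster can reconnect a user to the right session host.
Set-RDConnectionBrokerHighAvailability -ConnectionBroker $broker1 `
    -DatabaseConnectionString $connectionString `
    -ClientAccessName $dnsName

# Step 2: add the second broker. It reads the shared database and becomes active/active.
Add-RDServer -Server $broker2 -Role RDS-CONNECTION-BROKER -ConnectionBroker $broker1

# Step 3: verify. ActiveManagementServer shows which broker currently owns management.
Get-RDConnectionBrokerHighAvailability -ConnectionBroker $broker1 |
    Format-List ClientAccessName, ActiveManagementServer
```

The connection string, password included, is stored in the deployment configuration and is returned by Get-RDConnectionBrokerHighAvailability, which is why the verification step above deliberately does not print it. Use a SQL login dedicated to the brokers with rights on that one database only, and issue the certificate for the RDPublishing and RDRedirector roles to the client access name ($dnsName), not to an individual broker's host name.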

Remote Desktop Gateway

Remote Desktop Gateway (RD Gateway) grants users on public networks access to Windows desktops and applications hosted in Microsoft Azure's cloud services. RD Gateway uses Transport Layer Security (TLS, historically referred to as SSL) to encrypt the channel between clients and the server. The RD Gateway virtual machine must be reachable through a public IP address that allows inbound TCP connections to port 443 and inbound UDP connections to port 3391, so that users on the internet can connect over the HTTPS transport and the UDP transport, respectively. Nothing else needs to be exposed; in particular, RDP on TCP port 3389 should never be opened to the internet, because tunnelling it is exactly what the gateway is for.

Clients must trust the certificate installed on the RD Gateway server. When you're developing or testing a network, you can use a self-signed certificate and import it into each client's trusted root store. A released service requires a certificate from a certification authority the clients already trust. The name of the certificate must match the FQDN users type to reach RD Gateway, whether that's the externally facing DNS name of the public IP address or a CNAME DNS record pointing to the public IP address. A mismatch isn't a mere warning: the Windows Remote Desktop client refuses the gateway connection outright.

For tenants with fewer users, the RD Web Access and RD Gateway roles can be
combined on a single virtual machine to reduce cost. You can also add more RD
Gateway virtual machines to an RD Gateway farm to increase service availability and
scale out to more users. Virtual machines in larger RD Gateway farms should be
configured in a load-balanced set. IP affinity isn't required.

For more information, see the following articles:

Add high availability to the RD Web and Gateway web front
Remote Desktop Services - Access from anywhere
Remote Desktop Services - Multifactor authentication
Set up the RD Gateway role
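The port requirements above translate directly into a network security group. The following Az PowerShell script is an added example, not part of the original article or of the RDS product: it builds an NSG that admits only TCP 443 and UDP 3391 from the internet, adds an explicit deny for RDP so a later rule can't reopen it, and binds the NSG to the gateway's NIC. The resource group, region, NIC and NSG names are hypothetical, and the script assumes an authenticated Az session with the Az.Network module loaded.

```powershell
# Added example: restrict the RD Gateway / RD Web NIC to the two internet-facing endpoints
# the roles need. Names below are hypothetical placeholders.
$rg       = 'rds-tenant1-rg'
$location = 'westeurope'
$nicName  = 'rdgw1-nic'
$nsgName  = 'rdgw-nsg'

$rules = @(
    New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-In' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 443 `
        -Description 'RD Gateway and RD Web Access over HTTPS'
    New-AzNetworkSecurityRuleConfig -Name 'Allow-RDG-UDP-In' -Priority 110 `
        -Direction Inbound -Access Allow -Protocol Udp `
        -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 3391 `
        -Description 'RD Gateway UDP transport'
    # The built-in DenyAllInBound rule already blocks everything else. This explicit deny is
    # here so that a later, broader allow rule with a higher priority number can never
    # expose RDP directly; connections must traverse the gateway.
    New-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-In' -Priority 120 `
        -Direction Inbound -Access Deny -Protocol Tcp `
        -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 3389 `
        -Description 'Never expose RDP to the internet'
)

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name $nsgName -SecurityRules $rules

# Associate the NSG with the gateway NIC (a subnet-level association works the same way).
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
$nic.NetworkSecurityGroup = $nsg
$nic | Set-AzNetworkInterface | Out-Null

# Verify: only the two Allow rules and the RDP deny should be listed, in priority order.
(Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName).SecurityRules |
    Sort-Object Priority |
    Select-Object Name, Priority, Direction, Access, Protocol, DestinationPortRange
```

Management access (RDP or WinRM to the gateway VM itself) is intentionally absent; add it on demand from a known management address and remove it afterwards, as the security considerations later in this guide describe for public IP addresses.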

Remote Desktop Web Access
Remote Desktop Web Access (RD Web Access) lets users access desktops and
applications through a web portal and launches them through the device's native
Microsoft Remote Desktop client application. You can use the web portal to publish
Windows desktops and applications to Windows and non-Windows client devices, and
you can also selectively publish desktops or apps to specific users or groups.

RD Web Access needs Internet Information Services (IIS) to work properly. A Hypertext
Transfer Protocol Secure (HTTPS) connection provides an encrypted communications
channel between the clients and the RD Web server. The RD Web Access virtual machine
must be accessible through a public IP address that allows inbound TCP connections to
port 443 to allow the tenant's users to connect from the internet using the HTTPS
communications transport protocol.
Clients must trust the certificate installed on the RD Web Access server. For development and testing purposes, this can be a self-signed certificate imported into the clients' trusted root store. For a released service, the certificate must be obtained from a certification authority the clients already trust. The name of the certificate must match the Fully Qualified Domain Name (FQDN) used to access RD Web Access, either the externally facing DNS name for the public IP address or a CNAME DNS record pointing to the public IP address. When RD Web Access and RD Gateway share one virtual machine and one public name, a single certificate issued to that name can serve both roles.

For tenants with fewer users, you can reduce costs by combining the RD Web Access
and Remote Desktop Gateway workloads into a single virtual machine. You can also add
additional RD Web virtual machines to an RD Web Access farm to increase service
availability and scale out to more users. In an RD Web Access farm with multiple virtual
machines, you'll have to configure the virtual machines in a load-balanced set.

For more information about how to configure RD Web Access, see the following articles:

Set up the Remote Desktop web client for your users
Create and deploy a Remote Desktop Services collection
Create a Remote Desktop Services collection for desktops and apps to run
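Both the RD Gateway and the RD Web Access sections above state the same rule: the certificate's name must match the FQDN users type, and clients must trust its chain. The function below is an added check for that rule, not code from the original article. It completes a TLS handshake to a port 443 endpoint using the public name, then reports the subject, subject alternative names, expiry, whether the name matched and whether the chain validated. The hostnames at the end are hypothetical; run it from a machine that has the same trusted roots your clients have, or the ChainTrusted result won't mean what you think.

```powershell
# Added example: verify that an RD Gateway or RD Web Access endpoint presents a certificate
# whose name matches the public FQDN and whose chain the client trusts. Hostnames are
# hypothetical placeholders.
function Test-RdsEndpointCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Fqdn,
        [int] $Port = 443
    )

    # The callback records the validation outcome but returns $true, so the handshake
    # completes and the certificate can still be inspected even when validation fails.
    $observed = @{ PolicyErrors = [System.Net.Security.SslPolicyErrors]::None }
    $recorder = {
        param($sender, $certificate, $chain, $policyErrors)
        $observed.PolicyErrors = $policyErrors
        return $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$recorder

    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($Fqdn, $Port)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        # The name passed here is what SNI sends and what the name check is made against,
        # so it must be exactly the name users are told to use, not the VM's own host name.
        $ssl.AuthenticateAsClient($Fqdn)

        $cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        $san    = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
        $policy = $observed.PolicyErrors
        $nameMismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
        $chainErrors  = [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors

        [pscustomobject]@{
            Endpoint        = '{0}:{1}' -f $Fqdn, $Port
            Protocol        = $ssl.SslProtocol
            Subject         = $cert.Subject
            SubjectAltNames = $san
            Issuer          = $cert.Issuer
            NotAfter        = $cert.NotAfter
            SelfSigned      = ($cert.Subject -eq $cert.Issuer)   # acceptable only in a test deployment
            NameMatches     = -not $policy.HasFlag($nameMismatch)
            ChainTrusted    = -not $policy.HasFlag($chainErrors)
        }
        $ssl.Dispose()
    }
    finally {
        $client.Dispose()
    }
}

# Check every public name users are given (gateway and web portal), not just one of them.
'rdgw.contoso.com', 'rdweb.contoso.com' | ForEach-Object { Test-RdsEndpointCertificate -Fqdn $_ }
```

A result with NameMatches false is the exact condition the gateway section warns about, and a SelfSigned true result on a released service means the certificate from the testing phase was never replaced. Modern clients match against the subject alternative names, so a certificate whose only correct name is in the CN field will also fail this check.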

Remote Desktop Licensing
Activated Remote Desktop Licensing (RD Licensing) servers let users connect to the RD
Session Host servers hosting the tenant's desktops and apps. Tenant environments
usually come with the RD Licensing server already installed, but for hosted environments
you'll have to configure the server in per-user mode.

The service provider needs enough RDS Subscriber Access Licenses (SALs) to cover all
authorized unique (not concurrent) users that sign in to the service each month. Service
providers can purchase Microsoft Azure Infrastructure Services directly, and can
purchase SALs through the Microsoft Service Provider Licensing Agreement (SPLA)
program. Customers looking for a hosted desktop solution must purchase the complete
hosted solution (Azure and RDS) from the service provider.

Small tenants can reduce costs by combining the file server and RD Licensing
components onto a single virtual machine. To provide higher service availability, tenants
can deploy two RD License server virtual machines in the same availability set. All RD
servers in the tenant's environment are associated with both RD License servers to keep
users able to connect to new sessions even if one of the servers goes down.

For more information, see the following articles:

License your RDS deployment with client access licenses (CALs)
Activate the Remote Desktop Services license server
Track your Remote Desktop Services client access licenses (RDS CALs)
Microsoft Volume Licensing: licensing options for service providers

Azure services and considerations for desktop hosting
Article • 07/03/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10

The following sections describe Azure Infrastructure Services.

Azure portal
After the provider creates an Azure subscription, the Azure portal can be used to
manually create each tenant's environment. This process can also be automated using
PowerShell scripts.

For more information, visit the Microsoft Azure website.

Azure Load Balancer
The tenant's components run on virtual machines that communicate with each other on
an isolated network. During the deployment process, you can externally access these
virtual machines through the Azure Load Balancer using Remote Desktop Protocol
endpoints or a Remote PowerShell endpoint. Once a deployment is complete, these
endpoints will typically be deleted to reduce the attack surface area. The only endpoints
will be the HTTPS and UDP endpoints created for the virtual machine running the RD
Web and RD Gateway components. This allows clients on the internet to connect to
sessions running in the tenant's desktop hosting service. If a user opens an application
that connects to the internet, such as a web browser, the connections will be passed
through the Azure Load Balancer.

For more information, see What is Azure Load Balancer?

Security considerations

This Azure Desktop Hosting Reference Architecture Guide is designed to provide a highly secure and isolated environment for each tenant. System security also depends on the safeguards the provider applies during deployment and operation of the hosted service. The following considerations help keep a desktop hosting solution based on this reference architecture secure.

All administrative passwords must be strong, ideally randomly generated, changed frequently, and stored in a secure central location that only a select few provider administrators can access.

When replicating the tenant environment for new tenants, never reuse administrative passwords across tenants, and never use weak ones.

The RD Web Access site URL, name, and certificate must be unique and recognizable to each tenant, so that users can tell the genuine portal from a spoofed one.

During normal operation of the desktop hosting service, every virtual machine except the RD Web and RD Gateway virtual machine (the one that lets users connect securely to the tenant's desktop hosting cloud service) should have no public IP address. Public IP addresses may be added temporarily for management tasks, but they must be removed again afterwards.

For more information, see the following articles:

Security and protection
Security best practices for IIS 8
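The last consideration above, that only the RD Web and RD Gateway virtual machine keeps a public IP address, is easy to state and easy to forget after a maintenance window. The following Az PowerShell script is an added example, not code from the original article: it inventories every NIC in a tenant resource group, reports any public IP address that is attached to a VM outside an allow-list, and can dissociate and delete the stray ones. The resource group and VM names are hypothetical; it assumes an authenticated Az session with Az.Network loaded and that the tenant's NICs live in the named resource group.

```powershell
# Added example: find public IP addresses left behind in a tenant resource group and remove
# the ones not attached to the RD Web / RD Gateway VM. Names are hypothetical placeholders.
function Get-RdsPublicIpFinding {
    param(
        [Parameter(Mandatory)] [string]   $ResourceGroupName,
        [Parameter(Mandatory)] [string[]] $AllowedVmName   # VMs permitted to keep a public IP
    )
    foreach ($nic in Get-AzNetworkInterface -ResourceGroupName $ResourceGroupName) {
        # A NIC that is not attached to any VM has no VirtualMachine reference.
        $vmName = if ($nic.VirtualMachine) { ($nic.VirtualMachine.Id -split '/')[-1] } else { '(unattached NIC)' }
        foreach ($ipConfig in $nic.IpConfigurations) {
            if (-not $ipConfig.PublicIpAddress) { continue }
            # The public IP resource may live in another resource group, so take both from its ID.
            $idParts = $ipConfig.PublicIpAddress.Id -split '/'
            $pipRg   = $idParts[[Array]::IndexOf($idParts, 'resourceGroups') + 1]
            $pipName = $idParts[-1]
            $pip     = Get-AzPublicIpAddress -ResourceGroupName $pipRg -Name $pipName
            [pscustomobject]@{
                VmName       = $vmName
                NicName      = $nic.Name
                IpConfigName = $ipConfig.Name
                PublicIp     = $pip.IpAddress
                PipName      = $pipName
                PipRg        = $pipRg
                Allowed      = $AllowedVmName -contains $vmName
            }
        }
    }
}

function Remove-RdsStrayPublicIp {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Finding,
        [Parameter(Mandatory)] [string] $ResourceGroupName
    )
    process {
        if ($Finding.Allowed) { return }
        $target = '{0}/{1}' -f $Finding.VmName, $Finding.NicName
        if ($PSCmdlet.ShouldProcess($target, "Remove public IP $($Finding.PublicIp)")) {
            # Dissociate the address from the NIC first; an in-use public IP cannot be deleted.
            $nic = Get-AzNetworkInterface -ResourceGroupName $ResourceGroupName -Name $Finding.NicName
            ($nic.IpConfigurations | Where-Object Name -eq $Finding.IpConfigName).PublicIpAddress = $null
            $nic | Set-AzNetworkInterface | Out-Null
            Remove-AzPublicIpAddress -ResourceGroupName $Finding.PipRg -Name $Finding.PipName -Force
        }
    }
}

$rg = 'rds-tenant1-rg'
$findings = Get-RdsPublicIpFinding -ResourceGroupName $rg -AllowedVmName 'rdgw1'
$findings | Format-Table VmName, NicName, PublicIp, Allowed -AutoSize

# Dry run first; drop -WhatIf once the list of findings looks right.
$findings | Remove-RdsStrayPublicIp -ResourceGroupName $rg -WhatIf
```

Run the audit on a schedule and after every management task, not only at deployment time; the whole point of the consideration is that temporary public addresses tend to outlive the task that needed them.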

Design considerations
It's important to consider the constraints of Microsoft Azure Infrastructure Services
when designing a multitenant desktop hosting service. The following list describes
considerations the provider must take to achieve a functional and cost-effective desktop
hosting solution based on this reference architecture.

An Azure subscription has a maximum number of virtual networks, VM cores, and Cloud Services that can be used. If a provider needs more resources than this, they may need to create multiple subscriptions.

An Azure Cloud Service has a maximum number of virtual machines that can be used. The provider may need to create multiple Cloud Services for larger tenants that exceed the maximum.

Azure deployment costs are based partially on the number and size of virtual machines. The provider should optimize the number and size of the virtual machines for each tenant to provide a functional and highly secure desktop hosting environment at the lowest cost.

The physical computer resources in the Azure data center are virtualized by using Hyper-V. Hyper-V hosts are not configured in host clusters, so the availability of the virtual machines depends on the availability of the individual servers used in the Azure infrastructure. To provide higher availability, multiple instances of each role service virtual machine can be created in an availability set, and guest clustering can then be implemented within the virtual machines.

In a typical storage configuration, a service provider has a single storage account with multiple containers (for example, one per tenant) and multiple disks within each container. However, there is a limit to the total storage and performance a single storage account can deliver. Service providers that support large numbers of tenants, or tenants with high storage capacity or performance requirements, may need to create multiple storage accounts.

For more information, see the following articles:

Sizes for Cloud Services
Microsoft Azure virtual machine pricing details
Hyper-V overview
Azure Storage scalability and performance targets

Microsoft Entra application proxy

Microsoft Entra application proxy is a service included in paid SKUs of Microsoft Entra ID that lets users connect to internal applications through Microsoft's own reverse proxy. This lets the RD Web and RD Gateway endpoints stay inside the virtual network, with no public IP address exposing them to the internet. Hosters can use Microsoft Entra application proxy to reduce the number of virtual machines in the tenant's environment while still maintaining a full deployment. It also puts many of the controls Microsoft Entra ID provides, such as Conditional Access and multifactor authentication, in front of the RDS entry point.

For more information, see Get started with Application Proxy and install the connector.

Understanding the desktop hosting environment
Article • 11/01/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10

The following information describes the components of the desktop hosting service.

Tenant environment
The provider's desktop hosting service is implemented as a set of isolated tenant
environments. Each tenant's environment consists of a storage container, a set of virtual
machines, and a combination of Azure services, all communicating over an isolated
virtual network. Each virtual machine contains one or more of the components that
make up the tenant's hosted desktop environment. The following subsections describe
the components that make up each tenant's hosted desktop environment.

Remote Desktop Services

In a desktop hosting environment, the following Remote Desktop Services roles are installed across various virtual machines:

Remote Desktop Connection Broker
Remote Desktop Gateway
Remote Desktop Licensing
Remote Desktop Session Host
Remote Desktop Web Access

For a full description of each of these roles and how they interact with each other, see the Understanding RDS roles document.

(Azure) Active Directory Domain Services

There are multiple ways to connect to and manage Active Directory Domain Services (AD DS) for a desktop hosting environment in Azure:

1. Create a virtual machine in the tenant's environment running the AD DS role
2. Create a site-to-site VPN connection with the tenant's on-premises environment to use an existing AD DS
3. Use the Microsoft Entra Domain Services PaaS role, which creates a domain on the tenant's virtual network based on the tenant's Microsoft Entra ID

With Remote Desktop Services, the tenant must have an Active Directory to manage access into the environment, user profile storage, and monitoring within the deployment. When using standard (non-Azure) AD DS, the tenant's forest does not require any trust relationship with the provider's management forest. A domain administrator account may be set up in the tenant's domain to allow the provider's technical personnel to perform administrative tasks in the tenant's environment (such as monitoring system status and applying software updates) and to assist with troubleshooting and configuration. Treat that account as the highly privileged credential it is: it should be unique to the tenant, never shared across tenants, and held in the provider's secured credential store.

Additional information:

Microsoft Entra Domain Services Documentation
Install a new Active Directory forest on an Azure virtual network
Create a resource manager VNet with a Site-to-Site VPN connection using the Azure Portal

Azure SQL Database

Azure SQL Database lets hosters make the RD Connection Broker highly available without deploying and maintaining a full SQL Server Always On cluster. The RD Connection Broker uses the database to store deployment state, such as which RD Session Host server currently holds each user's session, so that any broker in the cluster can reconnect a user to the right host. Like other Azure services, Azure SQL Database follows a consumption model, suitable for any size of deployment.

Additional information: What is SQL Database?

Microsoft Entra application proxy

Microsoft Entra application proxy is a service included in paid SKUs of Microsoft Entra ID that lets users connect to internal applications through Microsoft's own reverse proxy. This lets the RD Web and RD Gateway endpoints stay inside the virtual network, with no public IP address exposing them to the internet. It also lets hosters reduce the number of virtual machines in the tenant's environment while still maintaining a full deployment.

Additional information: Enabling Microsoft Entra application proxy

File server
The file server provides shared folders by using the Server Message Block (SMB) 3.0
protocol. The shared folders are used to create and store user profile disk files (.vhdx), to
backup data, and to allow users a place to share data with other users in the tenant's
virtual network.

The VM used to deploy the file server must have an Azure data disk attached, with the shared folders placed on that disk. Azure data disks use write-through caching, so writes persist across restarts of the VM; the VM's temporary disk gives no such guarantee and must not be used for the shares.

For small tenants, the cost can be reduced by combining the file server with the virtual machine running the RD Connection Broker and RD Licensing roles on a single virtual machine in the tenant's environment.

Additional information:

File and Storage Services Overview
How to Attach a Data Disk to a Virtual Machine

User Profile Disks
User profile disks allow users to save personal settings and files when they are signed in
to a session on an RD Session Host server in a collection, and then have access to the
same settings and files when signing in to a different RD Session Host server in the
collection. When the user first signs in, a user profile disk is created on the tenant's file
server, and that disk is mounted to the RD Session Host server to which the user is
connected. For each subsequent sign-in, the user profile disk is mounted to the
appropriate RD Session host server, and with each sign-out, it is un-mounted. The
contents of the profile disk can only be accessed by that user.
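Both descriptions of user profile disks in this guide (under the file server earlier and here) rely on the share being set up so that only the session hosts open the .vhdx files. The following script is an added example, not code from the original article or from the RDS product: it creates the share on the file server with permissions for the session hosts only, locks the NTFS ACL down to match, and enables UPDs on a collection from the broker. The paths, share name, AD group and collection name are hypothetical; granting Full Control to the RD Session Host computer accounts (here collected in one AD group) is the documented requirement, and the rest of the permission set is this example's choice.

```powershell
# Added example: create the user profile disk share and enable UPDs on a collection.
# Names are hypothetical placeholders. The share steps run on the file server; the final
# cmdlet runs on (or against) the RD Connection Broker.
$sharePath  = 'F:\UPD'                  # on the attached Azure data disk, never the temporary disk
$shareName  = 'UPD$'                    # hidden share; users never browse to it directly
$hostsGroup = 'CONTOSO\RDSH-Finance'    # AD group holding the collection's RD Session Host computer accounts

New-Item -Path $sharePath -ItemType Directory -Force | Out-Null

# Only the session hosts open the .vhdx files: the broker mounts a user's disk on whichever
# host the user lands on, under that host's machine identity. Users get no share permission
# at all, which is what keeps one user's profile disk closed to every other user.
New-SmbShare -Name $shareName -Path $sharePath `
    -FullAccess $hostsGroup, 'BUILTIN\Administrators' -EncryptData $true

# NTFS: drop inherited ACEs, then grant full control to the hosts group, SYSTEM and admins only.
$acl = Get-Acl -Path $sharePath
$acl.SetAccessRuleProtection($true, $false)
foreach ($identity in @($hostsGroup, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $identity, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
}
Set-Acl -Path $sharePath -AclObject $acl

# On the broker: enable UPDs for the collection. Every session host must resolve and reach
# this UNC path; the broker creates UVHD-template.vhdx there when the first user signs in.
Set-RDSessionCollectionConfiguration -CollectionName 'Finance Desktops' `
    -EnableUserProfileDisk -DiskPath "\\fs1.contoso.local\$shareName" -MaxUserProfileDiskSizeGB 20
```

SMB encryption on the share keeps profile contents off the wire in clear text between the file server and the session hosts; with the ACL above, an administrator of the file server can still open the disks, which is why the file server belongs inside the tenant's isolated environment rather than on shared provider infrastructure.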

Tenant on-premises components
Article • 11/01/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10

The following information describes the on-premises components that make up the
desktop hosting deployment.

Clients
To access the hosted desktops and applications, the users must use Remote Desktop
clients that support Remote Desktop Protocol (RDP) 7.1 or higher. In particular, the
client must support Remote Desktop Gateway and Remote Desktop Connection Broker.
To deliver applications to the local desktop, the client must also support the RemoteApp
feature. To achieve highest gateway scale, the client must support the pure HTTP
transport connections to RD Gateway.

Additional information:

Microsoft Remote Desktop Clients
Remote Desktop app for Windows in Microsoft Store
Microsoft Remote Desktop - Android Apps on Google Play
Mac App Store - Microsoft Remote Desktop
Microsoft Remote Desktop in the App Store

Active Directory Domain Services

Some larger and more sophisticated tenants may choose to host an Active Directory Domain Services (AD DS) server on their premises. In this case, the AD DS server in the tenant's Azure environment is typically a replica (an additional domain controller) of the AD DS server on the tenant's premises. This is supported by creating a virtual network in the tenant's environment and using Azure VPN to create a site-to-site connection from the tenant's on-premises network to the tenant's virtual network in the Azure data center.

Additional information:

Microsoft Azure Virtual Network Overview
Create a resource manager VNet with a Site-to-Site VPN connection using the Azure portal
Build and deploy your Remote Desktop Services deployment
Article • 07/03/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016

A Remote Desktop Services deployment is the infrastructure used to share apps and
resources with your users. Depending on the experience you want to provide, you can
make it as small or complex as you need. Remote Desktop deployments are easily
scaled. You can increase and decrease Remote Desktop Web Access, Gateway,
Connection Broker and Session Host servers at will. You can use Remote Desktop
Connection Broker to distribute workloads. Active Directory based authentication
provides a highly secure environment.

Remote Desktop clients enable access from any Windows, Apple, or Android computer,
tablet, or phone.

See Remote Desktop Services architecture for a detailed discussion of the different
pieces that work together to make up your Remote Desktop Services deployment.

Have an existing Remote Desktop deployment built on a previous version of Windows Server? Check out your options for moving to the latest version of Windows Server, where you can take advantage of new and better functionality around performance and scale:

Migrate your RDS deployment
Upgrade your RDS deployment

Want to create a new Remote Desktop deployment? Use the following information to
deploy Remote Desktop in Windows Server:

Deploy the Remote Desktop Services infrastructure
Create a session collection to hold the apps and resources you want to share
License your RDS deployment
Have your users install a Remote Desktop client so they can access the apps and resources.
Enable high availability by adding additional Connection Brokers and Session Hosts:
    Scale out an existing RDS collection with an RD Session Host farm
    Add high availability to the RD Connection Broker infrastructure
    Add high availability to the RD Web and RD Gateway web front
    Deploy a two-node Storage Spaces Direct file system for UPD storage

Remote Desktop Services architecture
Article • 11/01/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10

Below are various configurations for deploying Remote Desktop Services to host
Windows apps and desktops for end-users.

Note

The architecture diagrams below show using RDS in Azure. However, you can
deploy Remote Desktop Services on-premises and on other clouds. These diagrams
are primarily intended to illustrate how the RDS roles are colocated and use other
services.

Standard RDS deployment architectures
Remote Desktop Services has two standard architectures:

Basic deployment – This contains the minimum number of servers to create a fully
effective RDS environment
Highly available deployment – This contains all necessary components to have the
highest guaranteed uptime for your RDS environment

Basic deployment
Highly available deployment
RDS architectures with unique Azure PaaS roles
Though the standard RDS deployment architectures fit most scenarios, Azure continues
to invest in first-party PaaS solutions that drive customer value. Below are some
architectures showing how they incorporate with RDS.

RDS deployment with Microsoft Entra Domain Services
The two standard architecture diagrams above are based on a traditional Active
Directory (AD) deployed on a Windows Server VM. However, if you don't have a
traditional AD and only have a Microsoft Entra tenant—through services like Office365
—but still want to leverage RDS, you can use Microsoft Entra Domain Services to create
a fully managed domain in your Azure IaaS environment that uses the same users that
exist in your Microsoft Entra tenant. This removes the complexity of manually syncing
users and managing more virtual machines. Microsoft Entra Domain Services can work
in either deployment: basic or highly available.
RDS deployment with Microsoft Entra application proxy
The two standard architecture diagrams above use the RD Web/Gateway servers as the
Internet-facing entry point into the RDS system. For some environments, administrators
would prefer to remove their own servers from the perimeter and instead use
technologies that also provide additional security through reverse proxy technologies.
The Microsoft Entra application proxy PaaS role fits nicely with this scenario.

For supported configurations and how to create this setup, see how to publish Remote
Desktop with Microsoft Entra application proxy.
Migrate your Remote Desktop Services deployment to a newer Windows Server version
Article • 07/03/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016

Migration of a Remote Desktop Services deployment is supported from source servers running one Windows Server version to destination servers running the same Windows Server version, for example from Windows Server 2025 to Windows Server 2025. This means there is no direct migration from RDS on an earlier version of Windows Server to a later one. Instead, you upgrade most RDS components to the later Windows Server version first, and then migrate data and licenses. The only components that support a direct migration are RD Web Access, RD Gateway, and the RD Licensing server.

For more information on the upgrade process and requirements, see upgrading your
Remote Desktop Services deployments.

Use the following steps to migrate your Remote Desktop Services deployment:

Migrate RD Connection Broker servers
Migrate session collections
Migrate virtual desktop collections
Migrate RD Web Access servers
Migrate RD Gateway servers
Migrate RD Licensing servers
Migrate certificates

Migrate RD Connection Broker servers
This is the first and most important step for migrating: migrating your RD Connection
Brokers to destination servers running the latest version of Windows Server.

Important

The Remote Desktop Connection Broker (RD Connection Broker) source servers must be configured for high availability to support migration. For more information, see Deploy a Remote Desktop Connection Broker cluster.

1. If you have more than one RD Connection Broker server in the high availability setup, remove all the RD Connection Broker servers except the one that is currently active.

2. Upgrade the remaining RD Connection Broker server in the deployment to a later Windows Server version.

3. Add the new Windows Server version RD Connection Broker servers into the high availability deployment.

Note

A mixed high availability configuration with different versions of Windows Server is not supported for RD Connection Broker servers.
An RD Connection Broker running a newer version of Windows Server can serve session collections with RD Session Host servers running a previous version of Windows Server, and it can serve virtual desktop collections with RD Virtualization Host servers running a previous version of Windows Server.

Migrate session collections

Follow these steps to migrate a session collection in an earlier version of Windows Server to a session collection in a later version of Windows Server.

Important

Migrate session collections only after successfully completing the previous step, Migrate RD Connection Broker servers.

1. Upgrade the session collection to a later version of Windows Server.

2. Add the new RD Session Host server running the new Windows Server version to
the session collection.

3. Sign out of all sessions in the RD Session Host servers, and remove the servers that require migration from the session collection.

Note

If the UVHD template (UVHD-template.vhdx) is enabled in the session collection and the file server has been migrated to a new server, update the User Profile Disks: Location collection property with the new path. The User Profile Disks must be available at the same relative path in the new location as they were on the source server.

A session collection of RD Session Host servers with a mix of Windows Server versions isn't supported.
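Steps 2 and 3 above are one procedure when typed into PowerShell on the broker: join the new hosts, stop the broker from sending new connections to the old ones, sign the remaining sessions out, and only then remove the old hosts. The script below is an added example, not code from the original article; the broker, collection and host names are hypothetical. It uses the RemoteDesktop module cmdlets and assumes the account running it is an RDS deployment administrator.

```powershell
# Added example: replace the RD Session Host servers of one collection during a migration.
# Server and collection names are hypothetical placeholders.
Import-Module RemoteDesktop

$broker     = 'rdcb.contoso.local'
$collection = 'Finance Desktops'
$newHosts   = 'rdsh-new1.contoso.local', 'rdsh-new2.contoso.local'
$oldHosts   = 'rdsh-old1.contoso.local', 'rdsh-old2.contoso.local'

# Step 2: join the new hosts to the deployment and add them to the collection.
foreach ($h in $newHosts) {
    Add-RDServer -Server $h -Role RDS-RD-SERVER -ConnectionBroker $broker
}
Add-RDSessionHost -CollectionName $collection -SessionHost $newHosts -ConnectionBroker $broker

# Drain the old hosts: the broker stops placing new connections on them while existing
# sessions keep running, so users who reconnect from now on land on the new hosts.
Set-RDSessionHost -SessionHost $oldHosts -NewConnectionAllowed No -ConnectionBroker $broker

# Step 3, first half: sign out whatever is still on the old hosts. -Force only suppresses the
# per-session confirmation prompt; the sessions end immediately either way and unsaved work
# is lost, so run this after the maintenance notice, not before.
Get-RDUserSession -CollectionName $collection -ConnectionBroker $broker |
    Where-Object { $oldHosts -contains $_.HostServer } |
    ForEach-Object {
        Invoke-RDUserLogoff -HostServer $_.HostServer -UnifiedSessionID $_.UnifiedSessionId -Force
    }

# Refuse to continue if anything is still signed in; removing a host with live sessions
# would strand them (and their user profile disks) mid-session.
$remaining = Get-RDUserSession -CollectionName $collection -ConnectionBroker $broker |
    Where-Object { $oldHosts -contains $_.HostServer }
if ($remaining) {
    throw "Sessions still present on old hosts: $(($remaining | ForEach-Object { $_.UserName }) -join ', ')"
}

# Step 3, second half: remove the old hosts from the collection, then from the deployment.
Remove-RDSessionHost -SessionHost $oldHosts -ConnectionBroker $broker -Force
foreach ($h in $oldHosts) {
    Remove-RDServer -Server $h -Role RDS-RD-SERVER -ConnectionBroker $broker -Force
}
```

The user profile disks survive the swap untouched because they live on the file server share, not on the hosts; the note above about updating the User Profile Disks: Location property only applies if that share moved as well.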

Migrate virtual desktop collections

Follow these steps to migrate a virtual desktop collection from a source server running the earlier version of Windows Server to a destination server running a later version of Windows Server.

Important

Migrate virtual desktop collections only after successfully completing the previous step, Migrate RD Connection Broker servers.

1. Upgrade the virtual desktop collection from the server running the earlier version
of Windows Server to a later version of Windows Server.

2. Add the new Windows Server version RD Virtualization Host servers to the virtual
desktop collection.

3. Migrate all virtual machines in the current virtual desktop collection that are
running on RD Virtualization Host servers to the new servers.

4. Remove all RD Virtualization Host servers that required migration from the virtual
desktop collection in the source server.

Note

If the UVHD template (UVHD-template.vhdx) is enabled in the virtual desktop collection and the file server has been migrated to a new server, update the User Profile Disks: Location collection property with the new path. The User Profile Disks must be available at the same relative path in the new location as they were on the source server.

A virtual desktop collection of RD Virtualization Host servers with a mix of servers running earlier versions of Windows Server and later versions of Windows Server is not supported.

Migrate RD Web Access servers
Follow these steps to migrate RD Web Access servers:

1. Join the destination servers running the new version of Windows Server to the
Remote Desktop Services deployment and install the RD Web role

2. Use IIS Web Deploy tool to migrate the RD Web website settings from the
current RD Web Access servers to the destination servers running the new version
of Windows Server.

3. Migrate certificates to the destination servers running the new version of Windows
Server.

4. Remove the source servers from the Remote Desktop Services deployment.

Migrate RD Gateway servers


Follow these steps to migrate RD Gateway servers:

1. Join the destination servers running the new version of Windows Server to the
Remote Desktop Services deployment and install the RD Gateway role

2. Use the IIS Web Deploy tool to migrate the RD Gateway endpoint settings from
the current RD Gateway servers to the destination servers running the new version
of Windows Server.

3. Migrate certificates to the destination servers running the new version of Windows
Server.

4. Remove the source servers from the Remote Desktop Services deployment.

Migrate RD Licensing servers

Follow these steps to migrate an RD Licensing server from a source server running an
earlier version of Windows Server to a destination server running a later version of
Windows Server.

1. Migrate the Remote Desktop Services client access licenses (RDS CALs) from the
source server to the destination server.

2. Edit the Deployment Properties in Server Manager on the Remote Desktop
management server (typically the first RD Connection Broker server) so that they
include only the new RD Licensing servers running the new version of Windows
Server.

3. Deactivate the source RD Licensing server: In Remote Desktop Licensing Manager,
right-click the appropriate server, hover over Advanced to select Deactivate
Server, and then follow the steps in the wizard.

4. Remove the source RD Licensing servers from the deployment in Server Manager
on the Remote Desktop management server.
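The join, repoint and remove steps shared by the RD Web Access, RD Gateway and RD Licensing procedures above map onto a few RemoteDesktop module cmdlets. The script below is an added example, not code from the article: the host names are assumptions, and it deliberately leaves the Web Deploy sync, the certificate migration and the RDS CAL migration to the procedures that cover them.

```powershell
# Added example, not from the Microsoft article: cut the RD Web Access, RD Gateway and
# RD Licensing roles over from source servers to already-built destination servers.
# Host names are assumptions. Run from a server with the RemoteDesktop module as a
# deployment administrator. Web Deploy, certificate binding and CAL migration are
# separate steps and are not done here.
Import-Module RemoteDesktop

$Broker      = 'rdcb01.contoso.com'      # assumed RD Connection Broker
$GatewayFqdn = 'remote.contoso.com'      # public name on the gateway certificate
$Migrations  = @(
    @{ Role = 'RDS-WEB-ACCESS'; Old = 'rdweb-old.contoso.com'; New = 'rdweb-new.contoso.com' }
    @{ Role = 'RDS-GATEWAY';    Old = 'rdgw-old.contoso.com';  New = 'rdgw-new.contoso.com'  }
    @{ Role = 'RDS-LICENSING';  Old = 'rdlic-old.contoso.com'; New = 'rdlic-new.contoso.com' }
)

# Step 1 of each procedure: join the destination servers to the deployment with their role.
# The gateway role needs the external name clients will use.
foreach ($m in $Migrations) {
    $params = @{ Server = $m.New; Role = $m.Role; ConnectionBroker = $Broker }
    if ($m.Role -eq 'RDS-GATEWAY') { $params.GatewayExternalFqdn = $GatewayFqdn }
    Add-RDServer @params
}

# RD Licensing step 2: point the deployment at the new license server only, keeping the
# current licensing mode (Per User or Per Device).
$lic        = Get-RDLicenseConfiguration -ConnectionBroker $Broker
$newLicense = ($Migrations | Where-Object { $_.Role -eq 'RDS-LICENSING' }).New
Set-RDLicenseConfiguration -LicenseServer $newLicense -Mode $lic.Mode -ConnectionBroker $Broker -Force

# Step 4 of each procedure: remove the source servers once the destinations serve traffic.
# Do this only after the Web Deploy sync, certificate migration and CAL migration are done;
# answer the confirmation prompt if the cmdlet asks for one.
foreach ($m in $Migrations) {
    Remove-RDServer -Server $m.Old -Role $m.Role -ConnectionBroker $Broker
}

# Verify: the old names should be gone and the license configuration should list only
# the new server.
Get-RDServer -ConnectionBroker $Broker | Format-Table Server, Roles -AutoSize
Get-RDLicenseConfiguration -ConnectionBroker $Broker
```

Keep the source gateway and web servers joined until the destinations have their certificates bound and have been tested through the public name; removing a server from the deployment is immediate and there is no undo short of adding it back.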

Migrate certificates
Successful certificate migration requires both moving the certificates themselves and
updating the certificate information in the Remote Desktop Services Deployment
Properties.

A typical certificate migration includes the following steps:

Export the certificate to a PFX file together with its private key.

Import the certificate from the PFX file on the destination server.

After migrating the appropriate certificates, update the following required certificates
for the Remote Desktop Services deployment in Server Manager or PowerShell:

RD Connection Broker - single sign-on

RD Connection Broker - RDP file publishing

RD Gateway - HTTPS connection

RD Web Access - HTTPS connection and RemoteApp/desktop connection subscription

Migrate your Remote Desktop Services Client Access Licenses (RDS CALs)
Article • 07/03/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016

You have three options to migrate your RDS CALs:

Automatic connection method: This recommended method communicates directly with
the Microsoft Clearinghouse over the internet, outbound on TCP port 443.

Using a web browser: This method allows migration when the server running the
Remote Desktop Licensing Manager tool doesn't have internet connectivity, but the
administrator has internet connectivity on a separate device. The URL for the web
migration method is displayed in the Manage RDS CALs Wizard.

Using a telephone: This method allows the administrator to complete the migration
over the phone with a Microsoft representative. The telephone number depends on the
country/region you chose in the Activate Server Wizard and is displayed in the Manage
RDS CALs Wizard.

In this article, Establish RDS CAL migration method covers the steps common to every
migration method, and Migrate RDS CALs covers the steps specific to each one.

Regardless of the migration method, you must, at a minimum, be a member of the local
Administrators group on the license server to perform the migration steps.

Before migrating, make sure that the destination license server is activated. Follow
these steps to activate the Remote Desktop Services license server.

Establish RDS CAL migration method

1. On the destination license server, open Remote Desktop Licensing Manager.
(Alternatively, the licensing manager can be launched with the following steps:
Select Start > Administrative Tools. Enter the Remote Desktop Services directory,
and launch Remote Desktop Licensing Manager.)

2. Verify the connection method for the Remote Desktop license server: right-click
the license server to which you want to migrate the RDS CALs, and then select
Properties. On the Connection Method tab, verify the Connection method - you
can change it in the dropdown menu. Select OK.

3. Right-click the license server to which you want to migrate the RDS CALs, and then
select Manage Licenses.

4. Follow the steps in the wizard to the Action Selection page. Select Migrate
RDS CALs from another license server to this license server.

5. Choose the reason for migrating the RDS CALs, and then select Next. You have the
following choices:

The source license server is being replaced by this license server.

The source license server is no longer functioning.

6. The next page in the wizard depends on the migration reason that you chose.

If you chose The source license server is being replaced by this license
server as the reason for migrating the RDS CALs, the Source License Server
Information page is displayed.

On the Source License Server Information page, enter the name or IP address
of the source license server.

If the source license server is available on the network, select Next. The
wizard contacts the source license server and has an option to Obtain Client
License Key Pack.

If the source license server isn't available on the network, select The specified
source license server isn't available on the network. Specify the operating
system that the source license server is running, and then provide the license
server ID for the source license server. After you select Next, you're reminded
that you must remove the RDS CALs manually from the source license server
after the wizard has completed. After you confirm that you understand this
requirement, the Obtain Client License Key Pack page appears.

If you chose The source license server is no longer functioning as the reason
for migrating the RDS CALs, you're reminded that you must remove the
RDS CALs manually from the source license server after the wizard has
completed. After you confirm that you understand this requirement, the
Obtain Client License Key Pack page appears.

The next step is to migrate the CALs - use the information in the following to complete
the wizard. What you see in the wizard depends on the connection method you
identified in Step 2 of this section.
Migrate RDS CALs
There are three ways to migrate licenses to the destination license server; follow the
steps corresponding to the connection method verified in Step 2 in the previous
section:

Automatic connection method
Using a web browser
Using a telephone

Automatic connection method

1. On the License Program page, select the appropriate program through which you
purchased your RDS CALs, then select Next.

2. Enter the required information (typically a license code or an agreement number,
depending on the License program), and then select Next. Consult the
documentation provided when you purchased your RDS CALs.

3. Select the appropriate product version, license type, and quantity of RDS CALs for
your environment based on your RDS CAL purchase agreement, and then select
Next.

4. The Microsoft Clearinghouse is automatically contacted and processes your
request. The RDS CALs are then migrated onto the license server.

5. Select Finish to complete the RDS CAL migration process.

Using a web browser

1. On the Obtain Client License Key Pack page, select the hyperlink to connect to the
Remote Desktop Services Licensing Web site. If you're running Remote Desktop
Licensing Manager on a computer that doesn't have internet connectivity, note the
address for the Remote Desktop Services Licensing Web site, and then connect to
the Web site from a computer that has internet connectivity.

2. On the Remote Desktop Services Licensing Web page, under Select Option, select
Manage CALs, and then select Next.

3. Provide the following required information, then select Next:

Target License Server ID: A 35-digit number, in groups of 5 numerals, which
is displayed on the Obtain Client License Key Pack page in the Manage
RDS CALs Wizard.
Reason for recovery: Choose the reason for migrating the RDS CALs.
License Program: Choose the program through which you purchased your
RDS CALs.

4. Provide the following required information, then select Next:

Last name or surname

First name or given name

Company name

Country/region

You can also provide the optional information requested, such as company
address, e-mail address, and phone number. In the organizational unit field,
you can describe the unit within your organization that this license server
serves.

5. The License Program that you selected on the previous page determines what
information you need to provide on the next page. In most cases, you must
provide either a license code or an agreement number. Consult the documentation
provided when you purchased your RDS CALs. In addition, you need to specify
which type of RDS CAL and the quantity that you want to migrate to the license
server.

6. After you enter the required information, select Next.

7. Verify that all of the information that you entered is correct, then select Next to
submit your request to the Microsoft Clearinghouse. The web page then displays a
license key pack ID generated by the Microsoft Clearinghouse.

Important

Keep a copy of the license key pack ID. Having this information with you
facilitates communications with the Microsoft Clearinghouse, should you need
assistance with recovering RDS CALs.

8. On the same Obtain Client License Key Pack page, enter the license key pack ID,
and then select Next to migrate the RDS CALs to your license server.

9. Select Finish to complete the RDS CAL migration process.


Using a telephone
1. On the Obtain Client License Key Pack page, use the displayed telephone number
to call the Microsoft Clearinghouse. Give the representative your Remote Desktop
license server ID and the required information for the licensing program through
which you purchased your RDS CALs. The representative then processes your
request to migrate the RDS CALs, and gives you a unique ID for the RDS CALs. This
unique ID is referred to as the license key pack ID.

Important

Keep a copy of the license key pack ID. Having this information with you
facilitates communications with the Microsoft Clearinghouse should you need
assistance with recovering RDS CALs.

2. On the same Obtain Client License Key Pack page, enter the license key pack ID,
and then select Next to migrate the RDS CALs to your license server.

3. Select Finish to complete the RDS CAL migration process.

Use certificates in Remote Desktop Services
Article • 08/06/2024

You can use certificates to secure connections to your Remote Desktop Services (RDS)
deployment and between RDS server roles. RDS uses Transport Layer Security (TLS, the
successor to Secure Sockets Layer, SSL) to encrypt connections to the RD Web Access,
RD Connection Broker, and RD Gateway role services.

Certificates let the client verify that the server it's talking to is the genuine
endpoint. That verification is what defeats man-in-the-middle attacks, where an
attacker intercepts traffic between the Remote Desktop Protocol (RDP) client and server
to capture credentials or other confidential information. Once the client has validated
the server certificate against an issuer it trusts, it treats the connection as secure
and exchanges data with the server. The protection only holds if clients actually trust
the issuing authority: a self-signed or otherwise untrusted certificate that users click
through at the warning prompt gives them no way to tell the real server from an impostor.

Prerequisites
The following things are required to use certificates in RDS:

A computer or computers with the RDS role configured. To learn more, see Install
or uninstall roles, role services, or features.

An account with administrator rights or equivalent on the RDS server(s).

A server certificate that meets the following requirements:

Issued for Server Authentication (EKU purpose OID 1.3.6.1.5.5.7.3.1).

Includes the Enhanced Key Usage extension (OID 2.5.29.37) that carries that purpose.

Includes the Key Usage extension (OID 2.5.29.15).

Issued by a certificate authority trusted by the RDS server(s) and clients.

Issued with an exportable private key.

An export of the certificate with the corresponding private key in .pfx format.
To learn more about exporting the private key, see Export a certificate with its
private key.

Note

If you're using Active Directory Certificate Services (AD CS) to issue certificates, you
can also create a certificate template or duplicate the Web Server certificate
template. To learn more about creating certificate templates, see Create a new
certificate template.
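Server Manager accepts a PFX without checking most of the requirements above, and a wrong certificate only shows up later as client warnings. The function below is an added example, not code from the article: it loads a PFX and checks the EKU, Key Usage, private key, name and chain before you bind it. The file path, password prompt and FQDN are assumptions; Windows PowerShell 5.1 or later on Windows is assumed.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not part of the Microsoft article. Checks a PFX against the
# requirements listed above before it is handed to Server Manager. The file path,
# password prompt and FQDN are hypothetical.
function Test-RdsCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$ExpectedFqdn   # the name clients connect to
    )
    $cert = [X509Certificate2]::new($PfxPath, $Password, [X509KeyStorageFlags]::Exportable)
    $problems = @()

    # Enhanced Key Usage (2.5.29.37) must include Server Authentication (1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    if (-not $serverAuth) { $problems += 'EKU does not include Server Authentication' }

    # Key Usage (2.5.29.15) must allow digital signature or key encipherment for TLS.
    $ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    $needed = [X509KeyUsageFlags]::DigitalSignature -bor [X509KeyUsageFlags]::KeyEncipherment
    if (-not $ku -or [int]($ku.KeyUsages -band $needed) -eq 0) {
        $problems += 'Key Usage extension missing or does not allow TLS'
    }

    # Server Manager re-imports the PFX on every role server, so it needs the private key.
    if (-not $cert.HasPrivateKey) { $problems += 'PFX contains no private key' }

    # The name clients use must be on the certificate. DnsNameList is a property PowerShell
    # adds on Windows; it is assumed here to list the SAN DNS names (or the CN without a SAN).
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($names -notcontains $ExpectedFqdn) {
        $problems += "No name matches $ExpectedFqdn (certificate has: $($names -join ', '))"
    }

    # The chain must build against this machine's trust store; clients need the same roots.
    $chain = [X509Chain]::new()
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += "Chain does not validate: $status"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "Expires on $($cert.NotAfter)" }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Ok         = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Test-RdsCertificate -PfxPath 'C:\certs\rds-deployment.pfx' -Password $pfxPassword -ExpectedFqdn 'remote.contoso.com'
```

Run it once per role with the name that role answers to: the external gateway and web access FQDN for RD Gateway and RD Web Access, the internal broker FQDN (or the DNS round-robin name of a highly available broker) for the two RD Connection Broker roles. The chain check reflects the trust store of the machine you run it on, so run it on a client as well as on the broker.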

Configure Remote Desktop to use certificates

Now that you have your certificates and understand their contents, configure Remote
Desktop to use them.

To configure Remote Desktop to use specific certificates:

GUI

1. In Server Manager, on the left pane, select Remote Desktop Services.

2. On the Overview tab, under Deployment Overview, select TASKS, then select
Edit Deployment Properties.

3. In the Configure the deployment window, select Certificates.

4. Choose Select existing certificate, select Browse, locate your certificate file in
.pfx format, then select Open.

5. In the Password field, enter the password for the certificate you created, then
select OK.

6. Select the Allow the certificate to be added to the Trusted Root Certification
Authorities certificate store on the destination computers checkbox, then
select OK.

7. Select OK to finalize your deployment.

Note

Even if you have multiple servers in the deployment, Server Manager imports
the certificate to all servers. Server Manager places the certificate in the trusted
root for each server, then binds the certificate to its respective roles.

You might want to use certificates for the RD Session Host along with the certificates
you configured in Server Manager. For more information about RD Session Host
certificates, see Remote Desktop listener certificate configurations.
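The export and import steps in Migrate certificates (earlier in this page) and the Server Manager procedure above have a PowerShell equivalent in the RemoteDesktop module. The script below is an added example, not code from the article: it exports the existing certificate with its private key on the source server, then binds the PFX to all four roles and checks that the broker reports each binding as trusted. The thumbprint, broker name and share path are assumptions.

```powershell
# Added example, not code from the Microsoft article. Moves a deployment certificate
# between servers and binds it to every RDS role with the RemoteDesktop module.
# The thumbprint, broker name and share path are assumptions; the module ships with
# the RDS role services and with RSAT.
Import-Module RemoteDesktop

$Broker  = 'rdcb01.contoso.com'                       # assumed RD Connection Broker
$PfxPath = '\\rdcb01\Certificates\rds-deployment.pfx' # assumed share; restrict its ACL to admins
$PfxPass = Read-Host -AsSecureString -Prompt 'PFX password'

# On the source server: export the certificate together with its private key.
function Export-RdsDeploymentCertificate {
    param([string]$Thumbprint, [string]$Path, [securestring]$Password)
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert)               { throw "Certificate $Thumbprint not found in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key to export" }
    Export-PfxCertificate -Cert $cert -FilePath $Path -Password $Password | Out-Null
}

# On the management server: bind the PFX to the four roles the article lists, then
# confirm the broker reports every binding as Trusted.
function Set-RdsDeploymentCertificate {
    param([string]$Path, [securestring]$Password, [string]$ConnectionBroker)
    $roles = @{
        RDGateway    = 'RD Gateway - HTTPS connection'
        RDWebAccess  = 'RD Web Access - HTTPS and RemoteApp/desktop subscription'
        RDRedirector = 'RD Connection Broker - single sign-on'
        RDPublishing = 'RD Connection Broker - RDP file publishing'
    }
    foreach ($role in $roles.Keys) {
        Write-Host "Binding certificate to $($roles[$role])"
        Set-RDCertificate -Role $role -ImportPath $Path -Password $Password `
                          -ConnectionBroker $ConnectionBroker -Force
    }
    $state = Get-RDCertificate -ConnectionBroker $ConnectionBroker
    $state | Format-Table Role, Level, ExpiresOn, IssuedTo -AutoSize
    # Untrusted means the chain does not validate on the broker; fix the trust store
    # (or use a publicly trusted issuer for the gateway and web roles) before go-live.
    $bad = $state | Where-Object { $_.Level -ne 'Trusted' }
    if ($bad) { throw "Roles without a trusted certificate: $($bad.Role -join ', ')" }
}

# Export-RdsDeploymentCertificate -Thumbprint '<source thumbprint>' -Path $PfxPath -Password $PfxPass
Set-RdsDeploymentCertificate -Path $PfxPath -Password $PfxPass -ConnectionBroker $Broker
```

Delete the PFX from the share once the bindings are in place; it holds the private key for every public-facing RDS endpoint, and a share readable by ordinary users turns it into a credential for impersonating the deployment.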

Related content
Remote Desktop Services - Secure data storage with UPDs

Remote Desktop Services - Multifactor Authentication

Upgrade Remote Desktop Services deployments
Article • 11/01/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016

In this article, learn about which Remote Desktop Services (RDS) versions can be
upgraded and the order to upgrade your Remote Desktop (RD) role services.

Supported OS upgrades with RDS role installed

You can upgrade to a newer version of Windows Server by up to two versions at a time.
For example, you can upgrade to Windows Server 2025 from Windows Server 2019.

Flow for deployment upgrades

To keep downtime to a minimum, upgrade the role services in the following order:

1. RD Connection Broker servers should be upgraded first. If you have an
active/active configuration, remove all but one server from the deployment and
perform an in-place upgrade. Perform upgrades on the remaining RD Connection
Broker servers offline and then rejoin them to the deployment. The deployment
isn't available while the RD Connection Broker servers are being upgraded.

Note

All RD Connection Broker servers must be upgraded; RD Connection Broker servers
running different Windows Server versions in one deployment aren't supported.
Once the RD Connection Broker server(s) are running the new Windows Server
version, the deployment remains functional even if the rest of the servers in
the deployment are still running the previous version.

2. RD License servers should be upgraded before you upgrade your RD Session Host
servers.

Note

RD license servers from an older version of Windows Server work with newer
versions, but they can only install and issue client access licenses (CALs) of the
older Windows Server version. They can't hold the newer Windows Server CALs. For
more information about RD license servers, see RDS CAL version compatibility.

3. RD Session Host servers can be upgraded next. Avoid downtime by upgrading the
servers in batches, as described in Upgrading your Remote Desktop Session Host to
the latest Windows Server version; all of them are functional after the upgrade.

4. RD Virtualization Host servers can be upgraded next. To upgrade, use the steps
described in Upgrading your Remote Desktop Virtualization Host to the latest
Windows Server version.

5. RD Web Access servers can be upgraded anytime.

Note

Upgrading RD Web Access might reset Internet Information Services (IIS)
properties, such as configuration files. To avoid losing your changes, make notes
or copies of any customizations made to the RD Web site in IIS before upgrading.
RD Web Access servers from an older version of Windows Server work with newer
versions.

6. RD Gateway servers can be upgraded anytime.

Note

Windows Server 2016 and later don't include Network Access Protection (NAP)
policies; they have to be removed. The easiest way to remove the correct policies
is to run the upgrade wizard: if there are NAP policies you must delete, the
upgrade blocks and creates a text file on the desktop that lists the specific
policies. To manage NAP policies, open the Network Policy Server tool. After
deleting them, select Refresh in the Setup tool to continue with the upgrade.
RD Gateway servers from an older version of Windows Server work with newer
versions.
VDI deployment – supported guest OS upgrade
Administrators have the following options to upgrade VM collections:

Upgrade managed shared VM collections

Administrators need to create VM templates with the desired OS version and use them to
patch all the VMs in the pool.

Windows 10 can be patched to Windows 11.

Upgrade unmanaged shared VM collections

End users can't upgrade their personal desktops. Administrators should perform the
upgrade. The exact steps are to be determined.

Known issues
Issue: If the RD deployment already has the RD Web Access (RDWA) role installed and
has been upgraded from a previous Windows installation, a further upgrade might fail.
For example, if a deployment containing RDWA was upgraded from Windows Server 2012 R2
to Windows Server 2019, a second upgrade to Windows Server 2022 might fail.

Workaround: Before upgrading for the second time, check whether the following registry
key is present: HKLM\SOFTWARE\Microsoft\Terminal Server Web Access\IsInstalled

If it isn't present, open an elevated PowerShell prompt and run the following commands
to create the key with the Version value the upgrade expects:

```powershell
# Recreate the RD Web Access marker key, but only if it is missing.
$registryPath = "HKLM:\SOFTWARE\Microsoft\Terminal Server Web Access\IsInstalled"
if (-not (Test-Path $registryPath)) {
    New-Item -Path $registryPath | Out-Null
    New-ItemProperty -Path $registryPath -Name Version -PropertyType String -Value "6.0"
}
```

Upgrading your Remote Desktop Session Host
Article • 11/01/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016

Important

All applications must be uninstalled before the upgrade and reinstalled after the
upgrade to avoid any app compatibility issues that might arise because of the
upgrade.

Upgrading an RDS session-based collection

To keep downtime to a minimum, follow these steps when upgrading an RDS
session-based collection:

1. Identify the servers to be upgraded, say, half the servers in the collection.

2. Prevent new connections to these servers by setting Allow New Connections to
false.

3. Log off all sessions on these servers.

4. Remove these servers from the collection.

5. Upgrade the servers to the latest Windows Server version.

6. Set Allow New Connections to "false" on the remaining servers in the collection.

7. Add the upgraded servers back to their corresponding collections.

8. Remove the remaining set of servers to be upgraded from the collection.

9. Set Allow New Connections to "true" on the upgraded servers in the collection.

10. Upgrade the remaining servers in the deployment by following steps 3 through 9.
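Every step above except the OS upgrade itself is a RemoteDesktop module call, and scripting them is the way to make sure no session is still live when a host is pulled. The script below is an added example, not part of the article; the broker, collection and host names are assumptions.

```powershell
# Added example, not from the Microsoft article: drain and remove half of a session
# collection's hosts, then put them back after the OS upgrade. Host, collection and
# broker names are assumptions. Run from a server with the RemoteDesktop module.
Import-Module RemoteDesktop

$Broker     = 'rdcb01.contoso.com'
$Collection = 'ContosoDesktop'
$FirstHalf  = 'rdsh01.contoso.com', 'rdsh02.contoso.com'   # servers to upgrade first
$SecondHalf = 'rdsh03.contoso.com', 'rdsh04.contoso.com'   # servers that keep serving

function Disable-RdsHostsForUpgrade {
    param([string[]]$Hosts, [string]$CollectionName, [string]$ConnectionBroker)
    # Step 2: stop the broker from sending new connections to these hosts.
    Set-RDSessionHost -SessionHost $Hosts -NewConnectionAllowed No -ConnectionBroker $ConnectionBroker

    # Step 3: log off every remaining session on those hosts, active or disconnected.
    Get-RDUserSession -CollectionName $CollectionName -ConnectionBroker $ConnectionBroker |
        Where-Object { $Hosts -contains $_.HostServer } |
        ForEach-Object {
            Write-Host "Logging off $($_.UserName) from $($_.HostServer) (session $($_.UnifiedSessionId))"
            Invoke-RDUserLogoff -HostServer $_.HostServer -UnifiedSessionID $_.UnifiedSessionId -Force
        }

    # Step 4: remove them from the collection. The OS upgrade (step 5) happens outside
    # this script.
    Remove-RDSessionHost -SessionHost $Hosts -ConnectionBroker $ConnectionBroker -Force
}

function Enable-RdsHostsAfterUpgrade {
    param([string[]]$Hosts, [string[]]$Remaining, [string]$CollectionName, [string]$ConnectionBroker)
    # Step 6: block new connections on the hosts that have not been upgraded yet.
    Set-RDSessionHost -SessionHost $Remaining -NewConnectionAllowed No -ConnectionBroker $ConnectionBroker
    # Step 7: add the upgraded hosts back to the collection.
    Add-RDSessionHost -CollectionName $CollectionName -SessionHost $Hosts -ConnectionBroker $ConnectionBroker
    # Step 9: accept new connections on the upgraded hosts only.
    Set-RDSessionHost -SessionHost $Hosts -NewConnectionAllowed Yes -ConnectionBroker $ConnectionBroker

    # Show which hosts the broker will now hand connections to.
    Get-RDSessionHost -CollectionName $CollectionName -ConnectionBroker $ConnectionBroker |
        Format-Table SessionHost, NewConnectionAllowed -AutoSize
}

# Round one: drain the first half, upgrade it out of band, then bring it back.
Disable-RdsHostsForUpgrade -Hosts $FirstHalf -CollectionName $Collection -ConnectionBroker $Broker
# ... in-place upgrade of rdsh01 and rdsh02 ...
# Enable-RdsHostsAfterUpgrade -Hosts $FirstHalf -Remaining $SecondHalf -CollectionName $Collection -ConnectionBroker $Broker
# Round two (steps 8 to 10): repeat with the halves swapped.
# Disable-RdsHostsForUpgrade -Hosts $SecondHalf -CollectionName $Collection -ConnectionBroker $Broker
```

Forced logoff discards unsaved work, so announce a maintenance window and use the Get-RDUserSession output to confirm the hosts are empty before the Remove-RDSessionHost call rather than relying on the flag alone.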
Upgrading a standalone RD Session Host server
A standalone RD Session Host server can be upgraded anytime.

Upgrading your Remote Desktop Virtualization Host
Article • 11/01/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016

RD Virtualization Host servers in the deployment where VMs are stored locally
These servers should be upgraded all at once. Complete the following steps to upgrade:

1. Log off all users.

2. Turn off or save all virtual machines on each host.

3. Upgrade the servers to the new Windows Server version.

4. All collections should be available and functional after the upgrades are complete.

RD Virtualization Host servers in the deployment where VMs are stored in Cluster
Shared Volumes (CSV)
1. Determine an upgrade strategy where some of the RDVH servers are upgraded
and some continue to host VMs on the earlier version of Windows Server.

2. Isolate one or more of the RDVH servers targeted for the initial round of
upgrading by migrating all their VMs to 'not to be upgraded yet' RDVH servers that
remain part of the original cluster:

a. Open Failover Cluster Manager.

b. Select Roles.

c. Select one or more VMs. Right-click to open the context menu.

d. Select Move and choose either Live or Quick Migration to move the VMs to
one or more of the RD Virtualization Host Servers that aren't part of the initial
upgrade. Use Live or Quick Migration depending on factors such as hardware
compatibility or online requirements.
3. Evict the RDVH servers, prepared for upgrading, from the original cluster.

4. Upgrade the isolated RDVH servers.

5. After the targeted RDVH servers have been successfully upgraded, create a new
cluster and CSV, which needs to be on an entirely different SAN volume.

6. Join all upgraded RDVH servers to the new cluster.

7. Create a folder structure in the new CSV that mimics the existing folder structure in
the existing CSV. This includes the collection folders and each VM's top level
subfolders.

8. From the various VM Collection folders on the original CSV, copy over the /IMGS
folder and contents to the new collection folders in the same locations on the new
CSV.

9. On the source RDVH machine, use Cluster Manager to remove the VM's
configuration for high availability:

a. Launch Cluster Manager.

b. Select Roles.

c. Right-click the VM objects, and then select Remove.

10. On one of the nonupgraded RDVH servers, use Hyper-V Manager to move all VMs
to one of the upgraded RDVH servers and new Cluster CSV:

a. Open Hyper-V Manager.

b. Select one of the nonupgraded RDVH servers.

c. Right-click one of the VMs to be moved, and then select Move.

d. Choose Move the virtual machine, and then select Next.

e. Provide the targeted upgraded RDVH server's name on the Specify Destination
Computer page, and then select Next.

f. Choose Move the virtual machine's data to a single location, and then select
Next.

g. Browse to the destination location.

Important

Ensure this path is to an empty folder for the specific VM.

Note

As mentioned, you need to have already created a new destination subfolder prior
to this step. The Select Folder dialog won't allow you to create a subfolder in
this step.

Select Next, and then select Finish.

11. Once the VMs are relocated, add them as cluster High Availability objects:

a. Open Failover Cluster Manager on an upgraded RD Virtualization Host Server.

b. Right-click the Roles node, and then select Configure Role. Select Next on the
Start page of the High Availability wizard.

c. Choose Virtual Machine from the list of available roles, and then select Next. A
list of VMs that aren't configured is shown.

d. Select all the VMs. Select Next and then select Next again on the confirmation
page to start the configuration task.

12. Once you have relocated all VMs, upgrade the remaining RDVH servers. Use the
above steps for balancing VM locations as appropriate.

7 Note

Heterogeneous Hyper-V servers in a cluster aren't supported.
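The Failover Cluster Manager and Hyper-V Manager actions in steps 2, 9, 10 and 11 have cmdlet equivalents in the FailoverClusters and Hyper-V modules, which matters when a collection has dozens of VMs to move. The script below is an added example, not part of the article; the cluster, host, VM and path names are assumptions, and the empty-folder check implements the Important callout above.

```powershell
# Added example, not from the Microsoft article: the VM moves in the CSV procedure above,
# done with the FailoverClusters and Hyper-V modules instead of the GUI. Cluster, host,
# VM and path names are assumptions; run each function on the server named in its comment.
Import-Module FailoverClusters, Hyper-V

# Step 2d (on a node of the old cluster): live-migrate every VM off a host that is about
# to be upgraded onto a node that stays on the old version.
function Move-VmsOffHost {
    param([string]$OldCluster, [string]$SourceNode, [string]$TargetNode)
    Get-ClusterGroup -Cluster $OldCluster |
        Where-Object { $_.GroupType -eq 'VirtualMachine' -and $_.OwnerNode.Name -eq $SourceNode } |
        ForEach-Object {
            Write-Host "Live-migrating $($_.Name) from $SourceNode to $TargetNode"
            Move-ClusterVirtualMachineRole -Cluster $OldCluster -Name $_.Name -Node $TargetNode -MigrationType Live
        }
}

# Step 9 (on the old cluster): drop the VM's high-availability role; the VM itself stays
# registered in Hyper-V on its current owner node.
function Remove-VmFromOldCluster {
    param([string]$OldCluster, [string]$VmName)
    Remove-ClusterGroup -Cluster $OldCluster -Name $VmName -RemoveResources -Force
}

# Step 10 (on the non-upgraded host that owns the VM): move the VM and its storage to an
# upgraded host on the new CSV. Refuses unless the per-VM destination folder exists and
# is empty, as the Important callout requires.
function Move-VmToNewCluster {
    param([string]$VmName, [string]$UpgradedHost, [string]$NewCsvRoot, [string]$CollectionName)
    $dest = Join-Path $NewCsvRoot "$CollectionName\$VmName"
    if (-not (Test-Path $dest)) { throw "Destination $dest does not exist; create it first (step 7)" }
    if (Get-ChildItem -Path $dest -Force) { throw "Destination $dest is not empty" }
    Move-VM -Name $VmName -DestinationHost $UpgradedHost -IncludeStorage -DestinationStoragePath $dest
}

# Step 11 (on an upgraded host): make the relocated VM highly available in the new cluster.
function Add-VmToNewCluster {
    param([string]$NewCluster, [string]$VmName)
    Add-ClusterVirtualMachineRole -Cluster $NewCluster -VMName $VmName | Out-Null
}

Move-VmsOffHost -OldCluster 'rdvh-old' -SourceNode 'rdvh01' -TargetNode 'rdvh02'
# ... evict rdvh01, upgrade it, build the new cluster and CSV, copy the IMGS folders (steps 3 to 8) ...
Remove-VmFromOldCluster -OldCluster 'rdvh-old' -VmName 'Pooled-01'
Move-VmToNewCluster -VmName 'Pooled-01' -UpgradedHost 'rdvh01' -NewCsvRoot 'C:\ClusterStorage\Volume2' -CollectionName 'PooledCollection'
Add-VmToNewCluster -NewCluster 'rdvh-new' -VmName 'Pooled-01'
```

Storage moves across Hyper-V versions work only from the older host to the newer one, so keep the direction of Move-VM fixed and do not try to move a VM back once it has been started on an upgraded host.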

Deploy your Remote Desktop environment
Article • 07/03/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10

Use the following steps to deploy the Remote Desktop servers in your environment. You
can install the server roles on physical machines or virtual machines, depending on
whether you are creating an on-premises, cloud-based, or hybrid environment.

If you are using virtual machines for any of the Remote Desktop Services servers, make
sure you have prepared those virtual machines.

1. Add all the servers you're going to use for Remote Desktop Services to Server
Manager:
a. In Server Manager, click Manage > Add Servers.
b. Click Find Now.
c. Click each server in the deployment (for example, Contoso-Cb1, Contoso-
WebGw1, and Contoso-Sh1) and click OK.

2. Create a session-based deployment to deploy the Remote Desktop Services
components:
a. In Server Manager, click Manage > Add Roles and Features.
b. Click Remote Desktop Services installation, Standard Deployment, and
Session-based desktop deployment.
c. Select the appropriate servers for the RD Connection Broker server, RD Web
Access server, and RD Session Host server (for example, Contoso-Cb1, Contoso-
WebGw1, and Contoso-SH1, respectively).
d. Select Restart the destination server automatically if required, and then click
Deploy.
e. Wait for the deployment to complete successfully

3. Add RD License Server:
a. In Server Manager, click Remote Desktop Services > Overview > +RD
Licensing.
b. Select the virtual machine where the RD license server will be installed (for
example, Contoso-Cb1).
c. Click Next, and then click Add.

4. Activate the RD License Server and add it to the License Servers group:
a. In Server Manager, click Remote Desktop Services > Servers. Right-click the
server with the Remote Desktop Licensing role installed and select RD Licensing
Manager.
b. In RD Licensing Manager, select the server, and then click Action > Activate
Server.
c. Accept the default values in the Activate Server Wizard. Continue accepting
default values until you reach the Company information page. Then, enter your
company information.
d. Accept the defaults for the remaining pages until the final page. Clear Start
Install Licenses Wizard now, and then click Finish.
e. Select Action > Review Configuration > Add to Group > OK. Enter credentials
for a user in the AAD DC Administrators group, and register as SCP. This step
might not work if you are using Microsoft Entra Domain Services, but you can
ignore any warnings or errors.

5. Add the RD Gateway server and certificate name:
a. In Server Manager, click Remote Desktop Services > Overview > + RD
Gateway.
b. In the Add RD Gateway Servers wizard, select the virtual machine where you
want to install the RD Gateway server (for example, Contoso-WebGw1).
c. Enter the SSL certificate name for the RD Gateway server using the external fully
qualified DNS Name (FQDN) of the RD Gateway server. In Azure, this is the DNS
name label and uses the format servicename.location.cloudapp.azure.com. For
example, contoso.westus.cloudapp.azure.com.
d. Click Next, and then click Add.

6. Create and install self-signed certificates for the RD Gateway and RD Connection
Broker servers.

Note

If you are providing and installing certificates from a trusted certificate
authority, perform substeps h through k for each role. You will need to have the
.pfx file available for each of these certificates.

a. In Server Manager, click Remote Desktop Services > Overview > Tasks > Edit
Deployment Properties.
b. Expand Certificates, and then scroll down to the table. Click RD Gateway >
Create new certificate.
c. Enter the certificate name, using the external FQDN of the RD Gateway server
(for example, contoso.westus.cloudapp.azure.com) and then enter the password.
d. Select Store this certificate and then browse to the shared folder you created
for certificates in a previous step (for example, \\Contoso-Cb1\Certificates).
e. Enter a file name for the certificate (for example, ContosoRdGwCert), and then
click Save.
f. Select Allow the certificate to be added to the Trusted Root Certificate
Authorities certificate store on the destination computers, and then click OK.
g. Click Apply, and then wait for the certificate to be successfully applied to the RD
Gateway server.
h. Click RD Web Access > Select existing certificate.
i. Browse to the certificate created for the RD Gateway server (for example,
ContosoRdGwCert), and then click Open.
j. Enter the password for the certificate, select Allow the certificate to be added
to the Trusted Root Certificate store on the destination computers, and then
click OK.
k. Click Apply, and then wait for the certificate to be successfully applied to the RD
Web Access server.
l. Repeat substeps a through k for the RD Connection Broker - Enable Single Sign On
and RD Connection Broker - Publishing services, using the internal FQDN of
the RD Connection Broker server for the new certificate's name (for example,
Contoso-Cb1.Contoso.com).

7. Export the self-signed public certificates and copy them to a client computer. If you
are using certificates from a trusted certificate authority, you can skip this step.
a. Launch certlm.msc.
b. Expand Personal, and then click Certificates.
c. In the right-hand pane, right-click the RD Connection Broker certificate intended
for client authentication (for example, Contoso-Cb1.Contoso.com).
d. Click All Tasks > Export.
e. Accept the default options in the Certificate Export Wizard until you reach the File
to Export page.
f. Browse to the shared folder you created for certificates (for example,
\\Contoso-Cb1\Certificates).
g. Enter a File name (for example, ContosoCbClientCert), and then click Save.
h. Click Next, and then click Finish.
i. Repeat substeps a through h for the RD Gateway and Web certificate (for example,
contoso.westus.cloudapp.azure.com), giving the exported certificate an
appropriate file name (for example, ContosoWebGwClientCert).
j. In File Explorer, navigate to the folder where the certificates are stored (for
example, \\Contoso-Cb1\Certificates).
k. Select the two exported client certificates, right-click them, and click Copy.
l. Paste the certificates on the local client computer.
8. Configure the RD Gateway and RD Licensing deployment properties:
a. In Server Manager, click Remote Desktop Services > Overview > Tasks > Edit
Deployment Properties.
b. Expand RD Gateway and clear the Bypass RD Gateway server for local
addresses option.
c. Expand RD licensing and select Per User
d. Click OK.

9. Create a session collection. These steps create a basic collection. See Create a
Remote Desktop Services collection for desktops and apps to run for more
information about collections.
a. In Server Manager, click Remote Desktop Services > Collections > Tasks >
Create Session Collection.
b. Enter a collection Name (for example, ContosoDesktop).
c. Select an RD Session Host Server (Contoso-Sh1), accept the default user groups
(Contoso\Domain Users), and enter the Universal Naming Convention (UNC)
path to the user profile disks share created above (\\Contoso-Cb1\UserDisks).
d. Set a Maximum size, and then click Create.

You've now created a basic Remote Desktop Services infrastructure. If you need to
create a highly-available deployment, you can add a connection broker cluster or a
second RD Session Host server.
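Steps 8 and 9 above, as an added PowerShell example that is not from the original article. It assumes the RemoteDesktop module on the RD Connection Broker, the Contoso names used in the steps (Contoso-Cb1, Contoso-Sh1, \\Contoso-Cb1\UserDisks), and placeholder values for the gateway FQDN and RD Licensing server.

```powershell
# Added example (not from the article): apply the deployment properties from
# step 8 and create the session collection from step 9 with PowerShell.
# Assumes the RemoteDesktop module is available on the RD Connection Broker
# and the Contoso server names used in the article. Run elevated on the broker.
Import-Module RemoteDesktop

$Broker        = 'Contoso-Cb1.Contoso.com'
$SessionHost   = 'Contoso-Sh1.Contoso.com'
$GatewayFqdn   = 'contoso.westus.cloudapp.azure.com'   # placeholder: external RD Gateway name
$LicenseServer = 'Contoso-Cb1.Contoso.com'             # placeholder: your RD Licensing server
$Collection    = 'ContosoDesktop'
$UpdShare      = '\\Contoso-Cb1\UserDisks'

# Step 8b: route every connection through the RD Gateway, including local ones.
# BypassLocal $true (the default) would let on-LAN clients connect to the
# session host directly, outside the gateway's policy and logging.
Set-RDDeploymentGatewayConfiguration -GatewayMode Custom `
    -GatewayExternalFqdn $GatewayFqdn `
    -LogonMethod Password -UseCachedCredentials $true `
    -BypassLocal $false -ConnectionBroker $Broker -Force

# Step 8c: per-user CALs. Per-device licensing consumes a CAL for every
# device and is not supported by the Remote Desktop web client.
Set-RDLicenseConfiguration -Mode PerUser -LicenseServer $LicenseServer `
    -ConnectionBroker $Broker -Force

# Step 9: a basic session collection with user profile disks on the UNC share.
$existing = Get-RDSessionCollection -ConnectionBroker $Broker |
    Where-Object CollectionName -eq $Collection
if (-not $existing) {
    New-RDSessionCollection -CollectionName $Collection -SessionHost $SessionHost `
        -CollectionDescription 'Basic desktop collection' -ConnectionBroker $Broker
}
Set-RDSessionCollectionConfiguration -CollectionName $Collection `
    -EnableUserProfileDisk -DiskPath $UpdShare -MaxUserProfileDiskSizeGB 20 `
    -ConnectionBroker $Broker

# Read the settings back so the change is verified rather than assumed.
Get-RDDeploymentGatewayConfiguration -ConnectionBroker $Broker |
    Select-Object GatewayMode, GatewayExternalFqdn, BypassLocal
Get-RDLicenseConfiguration -ConnectionBroker $Broker |
    Select-Object Mode, LicenseServer
Get-RDSessionCollectionConfiguration -CollectionName $Collection `
    -UserProfileDisk -ConnectionBroker $Broker |
    Select-Object CollectionName, EnableUserProfileDisk, DiskPath, MaxUserProfileDiskSizeGB
```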

Create a Remote Desktop Services collection for desktops and apps to run
Article • 07/03/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10

Use the following steps to create a Remote Desktop Services session collection. A
session collection holds the apps and desktops you want to make available to users.
After you create the collection, publish it so users can access it.

Before you create a collection, you need to decide what kind of collection you need:
pooled desktop sessions or personal desktop sessions.

Use pooled desktop sessions for session-based virtualization: Leverage the
compute power of Windows Server to provide a cost-effective multi-session
environment to drive your users' everyday workloads.
Use personal desktop sessions to create a virtual desktop infrastructure
(VDI): Leverage Windows client to provide the high performance, app
compatibility, and familiarity that your users have come to expect of their Windows
desktop experience.

With a pooled session, multiple users access a shared pool of resources, while with a
personal desktop session, users are assigned their own desktop from within the pool.
The pooled session provides lower overall cost, while personal sessions enable users to
customize their desktop experience.

If you need to share graphics-intensive hosted applications, you can combine personal
session desktops with the new Discrete Device Assignment (DDA) capability to also
provide support for hosted applications that require accelerated graphics. Check out
Which graphics virtualization technology is right for you for more information.

Regardless of the type of collection you choose, you'll populate those collections with
RemoteApps - programs and resources that users can access from any supported device
and work with as though the program was running locally.

Create a pooled desktop session collection

1. In Server Manager, click Remote Desktop Services > Collections > Tasks > Create
Session Collection.
2. Enter a name for the collection, for example ContosoApps.
3. Select the RD Session Host server you created (for example, Contoso-Sh1).
4. Accept the default User Groups.
5. Enter the location of the file share you created for the user profile disks for this
collection (for example, \\Contoso-Cb1\UserDisks).
6. Click Create. When the collection is created, click Close.

Create a personal desktop session collection

Use the New-RDSessionCollection cmdlet to create a personal session desktop
collection. The following three parameters provide the configuration information
required for personal session desktops:

-PersonalUnmanaged - Specifies the type of session collection that lets you assign
users to a personal session host server. If you don't specify this parameter, then the
collection is created as a traditional RD Session Host collection, where users are
assigned to the next available session host when they sign in.
-GrantAdministrativePrivilege - If you use -PersonalUnmanaged, specifies that
the user assigned to the session host be given administrative privileges. If you
don't use this parameter, users are granted only standard user privileges.
-AutoAssignUser - If you use -PersonalUnmanaged, specifies that new users
connecting through the RD Connection Broker are automatically assigned to an
unassigned session host. If there are no unassigned session hosts in the collection,
the user will see an error message. If you don't use this parameter, you have to
manually assign users to a session host before they sign in.

You can use PowerShell cmdlets to manage your personal desktop session collections.
See Manage your personal desktop session collections for more information.
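The three parameters described above in use, as an added PowerShell example that is not from the original article. It assumes the RemoteDesktop module on the RD Connection Broker; the Contoso server, collection and user names are placeholders.

```powershell
# Added example (not from the article): create a personal unmanaged session
# collection with the parameters described above, then pin one user to a
# named session host and review the assignments. Assumes the RemoteDesktop
# module on the broker; all Contoso names are placeholders. Run elevated.
Import-Module RemoteDesktop

$Broker     = 'Contoso-Cb1.Contoso.com'
$Collection = 'ContosoPersonal'
$Hosts      = @('Contoso-Sh1.Contoso.com', 'Contoso-Sh2.Contoso.com')

function New-PersonalCollection {
    param(
        [Parameter(Mandatory)][string]   $Name,
        [Parameter(Mandatory)][string[]] $SessionHost,
        [string] $ConnectionBroker = $Broker,
        # Off unless requested: users keep standard rights on "their" host.
        [switch] $GrantAdmin,
        # Hand unassigned hosts to new users at first sign-in instead of by hand.
        [switch] $AutoAssign
    )
    $params = @{
        CollectionName    = $Name
        SessionHost       = $SessionHost
        ConnectionBroker  = $ConnectionBroker
        PersonalUnmanaged = $true      # without this, a pooled RDSH collection is created
    }
    if ($GrantAdmin) { $params['GrantAdministrativePrivilege'] = $true }
    if ($AutoAssign) { $params['AutoAssignUser'] = $true }
    New-RDSessionCollection @params
}

# Auto-assignment on, administrative privilege off.
New-PersonalCollection -Name $Collection -SessionHost $Hosts -AutoAssign

# Explicit assignment of one user to one host. Without -AutoAssignUser this
# step is required for every user before they sign in.
Set-RDPersonalSessionDesktopAssignment -CollectionName $Collection `
    -User 'CONTOSO\alice' -Name 'Contoso-Sh1.Contoso.com' -ConnectionBroker $Broker

# Which host belongs to whom; a host missing here is still unassigned and will
# be handed to the next new user under auto-assignment.
Get-RDPersonalSessionDesktopAssignment -CollectionName $Collection `
    -ConnectionBroker $Broker | Format-Table -AutoSize
```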

Publish RemoteApp programs

Use the following steps to publish the apps and resources in your collection:

1. In Server Manager, select the new collection (ContosoApps).
2. Under RemoteApp Programs, click Publish RemoteApp programs.
3. Select the programs you want to publish, and then click Publish.

Deploy the Remote Desktop Gateway role
Article • 07/03/2024

This article will tell you how to use the Remote Desktop Gateway (RD Gateway) role to
deploy Remote Desktop Gateway servers in your Remote Desktop environment. You can
install the server roles on physical machines or virtual machines depending on whether
you are creating an on-premises, cloud-based, or hybrid environment.

Install the RD Gateway role

1. Sign into the target server with administrative credentials.

2. In Server Manager, select Manage, then select Add Roles and Features. The Add
Roles and Features installer will open.

3. In Before You Begin, select Next.

4. In Select Installation Type, select Role-Based or feature-based installation, then
select Next.

5. For Select destination server, select Select a server from the server pool. For
Server Pool, select the name of your local computer. When you're done, select
Next.

6. In Select Server Roles > Roles, select Remote Desktop Services. When you're
done, select Next.

7. In Remote Desktop Services, select Next.

8. For Select role services, select only Remote Desktop Gateway. When you're
prompted to add required features, select Add Features. When you're done, select
Next.

9. For Network Policy and Access Services, select Next.

10. For Web Server Role (IIS), select Next.

11. For Select role services, select Next.

12. For Confirm installation selections, select Install. Don't close the installer while the
installation process is happening.

Configure the RD Gateway role

Once the RD Gateway role is installed, you'll need to configure it.

To configure the RD Gateway role:

1. Open the Server Manager, then select Remote Desktop Services.

2. Go to Servers, right-click the name of your server, then select RD Gateway
Manager.

3. In the RD Gateway Manager, right-click the name of your gateway, then select
Properties.

4. Open the SSL Certificate tab, select the Import a certificate into the RD Gateway
bubble, then select Browse and Import Certificate….

5. Select the name of your PFX file, then select Open.

6. Enter the password for the PFX file when prompted.

7. After you've imported the certificate and its private key, the display should show
the certificate’s key attributes.

Note

Because the RD Gateway role is supposed to be public, we recommend you use a
publicly issued certificate. If you use a privately issued certificate, you'll need to
make sure to configure all clients with the certificate's trust chain beforehand.
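The role install and certificate import above as one script, with a chain check before the PFX is accepted. This is an added PowerShell example, not from the original article; it assumes the gateway belongs to an RDS deployment with an RD Connection Broker (Set-RDCertificate needs one), and the server name, PFX path and password are placeholders.

```powershell
# Added example (not from the article): install the RD Gateway role service
# and import its PFX, rejecting a certificate whose chain does not build or
# that is self-signed. Assumes an RDS deployment with a connection broker;
# names and paths are placeholders. Run elevated on the gateway server.
Import-Module RemoteDesktop

$Broker  = 'Contoso-Cb1.Contoso.com'          # placeholder
$PfxPath = 'C:\Certs\gateway.pfx'             # placeholder
$PfxPass = Read-Host -AsSecureString -Prompt 'PFX password'

# Equivalent of Add Roles and Features > Remote Desktop Services > Remote Desktop Gateway.
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools

function Test-GatewayCertificate {
    param([string] $Path, [securestring] $Password)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $Path, $Password
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $built = $chain.Build($cert)
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        HasKey     = $cert.HasPrivateKey
        ChainOk    = $built
        Errors     = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
    }
}

$check = Test-GatewayCertificate -Path $PfxPath -Password $PfxPass
$check | Format-List

# A chain that builds here only because a private root is installed on this
# server will still fail on clients that lack that root; the note above
# applies. Self-signed certificates are rejected outright.
if (-not $check.HasKey)  { throw 'PFX does not contain the private key.' }
if (-not $check.ChainOk) { throw "Certificate chain did not build: $($check.Errors)" }
if ($check.SelfSigned)   { throw 'Self-signed certificate; clients will not trust it.' }
if ($check.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning 'Certificate expires within 30 days.' }

# Same effect as RD Gateway Manager > Properties > SSL Certificate > Import.
Set-RDCertificate -Role RDGateway -ImportPath $PfxPath -Password $PfxPass `
    -ConnectionBroker $Broker -Force
Get-RDCertificate -Role RDGateway -ConnectionBroker $Broker
```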

Next steps
If you want to add high availability to your RD Gateway role, see Add high availability to
the RD Web and Gateway web front.

Set up the Remote Desktop web client for your users
Article • 07/03/2024

The Remote Desktop web client lets users access your organization's Remote Desktop
infrastructure through a compatible web browser. They'll be able to interact with remote
apps or desktops like they would with a local PC no matter where they are. Once you set
up your Remote Desktop web client, all your users need to get started is the URL where
they can access the client, their credentials, and a supported web browser.

Important

The web client does support using Microsoft Entra application proxy but does not
support Web Application Proxy at all. See Using RDS with application proxy
services for details.

What you'll need to set up the web client

Before getting started, keep the following things in mind:

Make sure your Remote Desktop deployment has an RD Gateway, an RD
Connection Broker, and RD Web Access running on Windows Server 2016 or 2019.

Make sure your deployment is configured for per-user client access licenses (CALs)
instead of per-device, otherwise all licenses will be consumed.

Install the Windows 10 KB4025334 update on the RD Gateway. Later cumulative
updates may already contain this KB.

Make sure public trusted certificates are configured for the RD Gateway and RD
Web Access roles.

Make sure that any computers your users connect to are running one of the
following OS versions:
Windows 10 or later
Windows Server 2016 or later

Your users will see better performance connecting to Windows Server 2016 (or later) and
Windows 10 (version 1611 or later).

Important

If you used the web client during the preview period and installed a version prior to
1.0.0, you must first uninstall the old client before moving to the new version. If you
receive an error that says "The web client was installed using an older version of
RDWebClientManagement and must first be removed before deploying the new
version," follow these steps:

1. Open an elevated PowerShell prompt.
2. Run Uninstall-Module RDWebClientManagement to uninstall the new
module.
3. Close and reopen the elevated PowerShell prompt.
4. Run Install-Module RDWebClientManagement -RequiredVersion <old
version> to install the old module.
5. Run Uninstall-RDWebClient to uninstall the old web client.
6. Run Uninstall-Module RDWebClientManagement to uninstall the old
module.
7. Close and reopen the elevated PowerShell prompt.
8. Proceed with the normal installation steps as follows.

How to publish the Remote Desktop web client

To install the web client for the first time, follow these steps:

1. On the RD Connection Broker server, obtain the certificate used for Remote
Desktop connections and export it as a .cer file. Copy the .cer file from the RD
Connection Broker to the server running the RD Web role.

2. On the RD Web Access server, open an elevated PowerShell prompt.

3. On Windows Server 2016, update the PowerShellGet module since the inbox
version doesn't support installing the web client management module. To update
PowerShellGet, run the following cmdlet:

PowerShell

Install-Module -Name PowerShellGet -Force

Note
To access the PowerShell Gallery, Transport Layer Security (TLS) 1.2 or higher is
required. Use the following command to enable TLS 1.2 in your PowerShell
session:

PowerShell

[Net.ServicePointManager]::SecurityProtocol =
[Net.ServicePointManager]::SecurityProtocol -bor
[Net.SecurityProtocolType]::Tls12

Important

You'll need to restart PowerShell before the update can take effect, otherwise
the module may not work.

4. Install the Remote Desktop web client management PowerShell module from the
PowerShell gallery with this cmdlet:

PowerShell

Install-Module -Name RDWebClientManagement

5. After that, run the following cmdlet to download the latest version of the Remote
Desktop web client:

PowerShell

Install-RDWebClientPackage

6. Next, run this cmdlet with the bracketed value replaced with the path of the .cer
file that you copied from the RD Broker:

PowerShell

Import-RDWebClientBrokerCert <.cer file path>

7. Finally, run this cmdlet to publish the Remote Desktop web client:

PowerShell

Publish-RDWebClientPackage -Type Production -Latest


Make sure you can access the web client at the web client URL with your server
name, formatted as https://server_FQDN/RDWeb/webclient/index.html. It's
important to use the server name that matches the RD Web Access public
certificate in the URL (typically the server FQDN).

Note

When running the Publish-RDWebClientPackage cmdlet, you may see a
warning that says per-device CALs are not supported, even if your
deployment is configured for per-user CALs. If your deployment uses per-user
CALs, you can ignore this warning. We display it to make sure you're aware of
the configuration limitation.

8. When you're ready for users to access the web client, just send them the web client
URL you created.

Note

To see a list of all supported cmdlets for the RDWebClientManagement module, run
the following cmdlet in PowerShell:

PowerShell

Get-Command -Module RDWebClientManagement
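The publish procedure above as a single script, followed by a check that the published URL answers over a certificate the client will trust. This is an added PowerShell example, not from the original article; it assumes the RDWebClientManagement module from the PowerShell Gallery, and the thumbprint, paths and rdweb.contoso.com name are placeholders.

```powershell
# Added example (not from the article): steps 1 to 7 of the publish procedure
# as one script, plus a reachability and TLS check of the published URL.
# Assumes the RDWebClientManagement module; names and paths are placeholders.

# --- Step 1, on the RD Connection Broker: export the broker certificate as .cer
$BrokerThumb = '<broker certificate thumbprint>'      # placeholder
$CerPath     = 'C:\Certs\broker.cer'                  # placeholder
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object Thumbprint -eq $BrokerThumb |
    Export-Certificate -FilePath $CerPath -Type CERT | Out-Null
# Copy $CerPath to the RD Web Access server before continuing there.

# --- Steps 2 to 7, on the RD Web Access server (elevated PowerShell)
$RdWebFqdn = 'rdweb.contoso.com'   # placeholder; must match the RD Web Access certificate

# Step 3 note: the PowerShell Gallery requires TLS 1.2 in this session.
[Net.ServicePointManager]::SecurityProtocol =
    [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
if (-not (Get-Module -ListAvailable -Name RDWebClientManagement)) {
    Install-Module -Name RDWebClientManagement -Force          # step 4
}
Import-Module RDWebClientManagement

Install-RDWebClientPackage                                     # step 5: download latest client
Import-RDWebClientBrokerCert $CerPath                          # step 6: trust the broker cert
Publish-RDWebClientPackage -Type Production -Latest            # step 7: publish

function Test-RdWebClientUrl {
    param([Parameter(Mandatory)][string] $Fqdn)
    $url = "https://$Fqdn/RDWeb/webclient/index.html"
    try {
        # Invoke-WebRequest validates the server certificate: an untrusted
        # issuer, or a name that does not match $Fqdn, fails here, which is
        # the same condition that shows users a browser security warning.
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        [pscustomobject]@{ Url = $url; Status = [int]$resp.StatusCode
                           Ok = ($resp.StatusCode -eq 200); Error = $null }
    } catch {
        [pscustomobject]@{ Url = $url; Status = -1; Ok = $false
                           Error = $_.Exception.Message }
    }
}

Test-RdWebClientUrl -Fqdn $RdWebFqdn | Format-List
Get-RDWebClientPackage   # client versions currently installed for Test/Production
```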

How to update the Remote Desktop web client

When a new version of the Remote Desktop web client is available, follow these steps to
update the deployment with the new client:

1. Open an elevated PowerShell prompt on the RD Web Access server and run the
following cmdlet to download the latest available version of the web client:

PowerShell

Install-RDWebClientPackage

2. Optionally, you can publish the client for testing before official release by running
this cmdlet:
PowerShell

Publish-RDWebClientPackage -Type Test -Latest

The client should appear on the test URL that corresponds to your web client URL
(for example, https://server_FQDN/RDWeb/webclient-test/index.html).

3. Publish the client for users by running the following cmdlet:

PowerShell

Publish-RDWebClientPackage -Type Production -Latest

This replaces the client for all users when they relaunch the web page.

How to uninstall the Remote Desktop web client

To remove all traces of the web client, follow these steps:

1. On the RD Web Access server, open an elevated PowerShell prompt.

2. Unpublish the Test and Production clients, uninstall all local packages and remove
the web client settings:

PowerShell

Uninstall-RDWebClient

3. Uninstall the Remote Desktop web client management PowerShell module:

PowerShell

Uninstall-Module -Name RDWebClientManagement

How to install the Remote Desktop web client without an internet connection

Follow these steps to deploy the web client to an RD Web Access server that doesn't
have an internet connection.
Note

Installing without an internet connection is available in version 1.0.1 and above of
the RDWebClientManagement PowerShell module.

Note

You still need an admin PC with internet access to download the necessary files
before transferring them to the offline server.

Note

The end-user PC needs an internet connection for now. This will be addressed in a
future release of the client to provide a complete offline scenario.

From a device with internet access

1. Open a PowerShell prompt.

2. Import the Remote Desktop web client management PowerShell module from the
PowerShell gallery:

PowerShell

Import-Module -Name RDWebClientManagement

3. Download the latest version of the Remote Desktop web client for installation on a
different device:

PowerShell

Save-RDWebClientPackage "C:\WebClient\"

4. Download the latest version of the RDWebClientManagement PowerShell module:

PowerShell

Find-Module -Name "RDWebClientManagement" -Repository "PSGallery" |
    Save-Module -Path "C:\WebClient\"

5. Copy the content of "C:\WebClient" to the RD Web Access server.

From the RD Web Access server

Follow the instructions under How to publish the Remote Desktop web client, replacing
steps 4 and 5 with the following.

4. You have two options to retrieve the latest web client management PowerShell
module:

Import the Remote Desktop web client management PowerShell module:

PowerShell

Import-Module -Name RDWebClientManagement

Copy the downloaded RDWebClientManagement folder to one of the local
PowerShell module folders listed under $env:psmodulePath, or add the path
to the folder with the downloaded files to the $env:psmodulePath.

5. Deploy the latest version of the Remote Desktop web client from the local folder
(replace with the appropriate zip file):

PowerShell

Install-RDWebClientPackage -Source "C:\WebClient\rdwebclient-1.0.1.zip"

Connecting to RD Broker without RD Gateway in Windows Server 2019

This section describes how to enable a web client connection to an RD Broker without
an RD Gateway in Windows Server 2019.

Setting up the RD Broker server

Follow these steps if there's no certificate bound to the RD Broker server

1. Open Server Manager > Remote Desktop Services.

2. In the Deployment Overview section, select the Tasks dropdown menu.

3. Select Edit Deployment Properties. A new window titled Deployment Properties
will open.

4. In the Deployment Properties window, select Certificates in the left menu.

5. In the list of Certificate Levels, select RD Connection Broker - Enable Single Sign
On. You have two options: (1) create a new certificate or (2) select an existing certificate.

Follow these steps if there's a certificate previously bound to the RD Broker server


1. Open the certificate bound to the Broker and copy the Thumbprint value.

2. To bind this certificate to the secure port 3392, open an elevated PowerShell
window and run the following command, replacing "< thumbprint >" with the
value copied from the previous step:

PowerShell

netsh http add sslcert ipport=0.0.0.0:3392 certhash="<thumbprint>" certstorename="Remote Desktop" appid="{00000000-0000-0000-0000-000000000000}"

Note

To check if the certificate has been bound correctly, run the following
command:

PowerShell

netsh http show sslcert

In the list of SSL Certificate bindings, ensure that the correct certificate is
bound to port 3392.

3. Open the Windows Registry (regedit), go to
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp and
locate the key WebSocketURI. Next, set the value to https://+:3392/rdp/.

Setting up the RD Session Host

Follow these steps if the RD Session Host server is different from the RD Broker server:
1. Create a certificate for the RD Session Host machine, open it and copy the
Thumbprint value.

2. To bind this certificate to the secure port 3392, open an elevated PowerShell
window and run the following command, replacing "< thumbprint >" with the
value copied from the previous step:

PowerShell

netsh http add sslcert ipport=0.0.0.0:3392 certhash="<thumbprint>" appid="{00000000-0000-0000-0000-000000000000}"

Note

To check if the certificate has been bound correctly, run the following
command:

PowerShell

netsh http show sslcert

In the list of SSL Certificate bindings, ensure that the correct certificate is
bound to port 3392.

3. Open the Windows Registry (regedit) and navigate to
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp and
locate the key WebSocketURI. The value must be set to https://+:3392/rdp/.

General Observations

Ensure that both the RD Session Host and RD Broker server are running Windows
Server 2019.

Ensure that public trusted certificates are configured for both the RD Session Host
and RD Broker server.

Note

If both the RD Session Host and the RD Broker server share the same
machine, set the RD Broker server certificate only. If the RD Session Host and
RD Broker server use different machines, both must be configured with
unique certificates.

The Subject Alternative Name (SAN) for each certificate must be set to the
machine's Fully Qualified Domain Name (FQDN). The Common Name (CN) must
match the SAN for each certificate.
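The broker and session host binding steps above, with the certificate requirements from General Observations checked first. This is an added PowerShell example, not from the original article; the thumbprint is a placeholder, and the store name is "Remote Desktop" for the broker (as in the article's broker command) or "My" for a session host.

```powershell
# Added example (not from the article): verify the certificate meets the
# SAN/CN/expiry requirements above, bind it to port 3392 with the same netsh
# command as the article, confirm the binding, and set WebSocketURI.
# Run elevated on the RD Broker (store 'Remote Desktop') or session host ('My').
$Thumbprint = '<thumbprint>'          # placeholder: paste from the certificate
$StoreName  = 'Remote Desktop'        # broker: 'Remote Desktop'; session host: 'My'
$Port       = 3392
$Fqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-RdBrokerCertificate {
    param([string] $Thumbprint, [string] $StoreName, [string] $Fqdn)
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" |
        Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "No certificate $Thumbprint in LocalMachine\$StoreName" }
    $cn  = $cert.GetNameInfo('SimpleName', $false)
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    # Format() renders the SAN as "DNS Name=host.contoso.com, DNS Name=..."
    $dnsNames = @()
    if ($san) {
        $dnsNames = [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    [pscustomobject]@{
        Subject    = $cert.Subject
        CN         = $cn
        SAN        = ($dnsNames -join ',')
        SanOk      = ($dnsNames -contains $Fqdn)   # SAN must carry the machine FQDN
        CnOk       = ($cn -eq $Fqdn)               # CN must match the SAN
        NotExpired = ($cert.NotAfter -gt (Get-Date))
        HasKey     = $cert.HasPrivateKey
    }
}

$check = Test-RdBrokerCertificate -Thumbprint $Thumbprint -StoreName $StoreName -Fqdn $Fqdn
$check | Format-List
if (-not ($check.SanOk -and $check.CnOk -and $check.NotExpired -and $check.HasKey)) {
    throw 'Certificate does not meet the SAN/CN/expiry/private-key requirements.'
}

# Bind to the secure port (the all-zero appid is what the article uses).
netsh http add sslcert "ipport=0.0.0.0:$Port" "certhash=$Thumbprint" `
    "certstorename=$StoreName" 'appid={00000000-0000-0000-0000-000000000000}'

# Verify: the binding for this port must report our thumbprint.
$binding = netsh http show sslcert "ipport=0.0.0.0:$Port"
if (-not ($binding -match [regex]::Escape($Thumbprint))) {
    throw "No SSL binding for port $Port with $Thumbprint; netsh said:`n$($binding -join "`n")"
}

# Registry value the web client uses to reach the broker or host over WebSocket.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $key -Name 'WebSocketURI' -Value "https://+:$Port/rdp/"
Get-ItemProperty -Path $key -Name 'WebSocketURI'
```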

How to pre-configure settings for Remote Desktop web client users

This section tells you how to use PowerShell to configure settings for your Remote
Desktop web client deployment. These PowerShell cmdlets control a user's ability to
change settings based on your organization's security concerns or intended workflow.
The following settings are all located in the Settings side panel of the web client.

Suppress telemetry
By default, users may choose to enable or disable collection of telemetry data that is
sent to Microsoft. For information about the telemetry data Microsoft collects, refer to
our Privacy Statement via the link in the About side panel.

As an administrator, you can choose to suppress telemetry collection for your
deployment using the following PowerShell cmdlet:

PowerShell

Set-RDWebClientDeploymentSetting -Name "SuppressTelemetry" $true

By default, the user may select to enable or disable telemetry. A boolean value $false
will match the default client behavior. A boolean value $true disables telemetry and
restricts the user from enabling telemetry.

Remote resource launch method

Note

This setting currently only works with the RDS web client, not the Azure Virtual
Desktop web client.

By default, users may choose to launch remote resources (1) in the browser or (2) by
downloading an .rdp file to handle with another client installed on their machine. As an
administrator, you can choose to restrict the remote resource launch method for your
deployment with the following PowerShell command:

PowerShell

Set-RDWebClientDeploymentSetting -Name "LaunchResourceInBrowser" ($true|$false)

By default, the user may select either launch method. A boolean value $true will force
the user to launch resources in the browser. A boolean value $false forces the user to
launch resources by downloading an .rdp file to handle with a locally installed RDP
client.

Reset RDWebClientDeploymentSetting configurations to default

To reset a deployment-level web client setting to the default configuration, run the
following PowerShell cmdlet and use the -name parameter to specify the setting you
want to reset:

PowerShell

Reset-RDWebClientDeploymentSetting -Name "LaunchResourceInBrowser"
Reset-RDWebClientDeploymentSetting -Name "SuppressTelemetry"

Troubleshooting
If a user reports any of the following issues when opening the web client for the first
time, the following sections will tell you what to do to fix them.

What to do if the user's browser shows a security warning when they try to access the web client

The RD Web Access role might not be using a trusted certificate. Make sure the RD Web
Access role is configured with a publicly trusted certificate.

If that doesn't work, your server name in the web client URL might not match the name
provided by the RD Web certificate. Make sure your URL uses the FQDN of the server
hosting the RD Web role.

What to do if the user can't connect to a resource with the web client even though they can see the items under All Resources

If the user reports that they can't connect with the web client even though they can see
the resources listed, check the following things:

Is the RD Gateway role properly configured to use a trusted public certificate?
Does the RD Gateway server have the required updates installed? Make sure that
your server has the KB4025334 update installed.

If the user gets an "unexpected server authentication certificate was received" error
message when they try to connect, then the message will show the certificate's
thumbprint. Search the RD Broker server's certificate manager using that thumbprint to
find the right certificate. Verify that the certificate is configured to be used for the RD
Broker role in the Remote Desktop deployment properties page. After making sure the
certificate hasn't expired, copy the certificate in .cer file format to the RD Web Access
server and run the following command on the RD Web Access server with the bracketed
value replaced by the certificate's file path:

PowerShell

Import-RDWebClientBrokerCert <certificate file path>

Diagnose issues with the console log

If you can't solve the issue based on the troubleshooting instructions in this article, you
can try to diagnose the source of the problem yourself by watching the console log in
the browser. The web client provides a method for recording the browser console log
activity while using the web client to help diagnose issues.

Select the ellipsis in the upper-right corner and navigate to the About page in the
dropdown menu.
Under Capture support information select the Start recording button.
Perform the operation(s) in the web client that produced the issue you're trying to
diagnose.
Navigate to the About page and select Stop recording.
Your browser will automatically download a .txt file titled RD Console Logs.txt. This
file contains the full console log activity generated while reproducing the target
issue.
The console may also be accessed directly through your browser. The console is
generally located under the developer tools. For example, you can access the log in
Microsoft Edge by pressing the F12 key, or by selecting the ellipsis, then navigating to
More tools > Developer Tools.

Get help with the web client

If you've encountered an issue that can't be solved by the information in this article, you
can report it on the Azure Virtual Desktop forum of Microsoft Tech Community .

Disable Automatic Reconnection
Article • 07/03/2024

Learn about Automatic Reconnection in Remote Desktop Service (RDS), lock screen
security, and how to disable Automatic Reconnection for RDS session hosts and clients
using Server Manager, Group Policy, and Remote Desktop Protocol (RDP) properties.

Automatic Reconnection
Microsoft Remote Desktop offers a wide range of features designed to enhance your
remote working experience, such as Automatic Reconnection. Automatic Reconnection
allows the client to seamlessly reconnect to their existing sessions, giving a smooth,
uninterrupted user experience when temporary network disruptions occur. To learn
more about the automatic reconnection behavior, see the Automatic Reconnection
open specification. Automatic Reconnection is available to Remote Desktop when
connecting to a local PC or Remote Desktop Services (RDS).

Important

Automatic Reconnection is enabled by default, and therefore, requires explicit
action from the administrators to disable it.

Lock Screen Security

When a policy or the user locks the remote session and the network connection is lost
or disrupted, RDS retains the session state and connection information. If the automatic
reconnection of locked sessions raises concerns for your specific use case, we
recommend implementing extra security measures. Because RDS retains the session
state and connection information, the client reconnects without needing to
reauthenticate. The lock screen of the Remote Desktop session isn't designed to
function as a security boundary. Security measures can include disabling Automatic
Reconnection on either the RDS session host or the client. This article describes how to
disable Automatic Reconnection.

Prerequisites
Before you can configure Automatic Reconnection for Remote Desktop, you need to
complete the following prerequisites:
A Windows client or Windows Server machine to connect from and to.
An account that is a member of RDS session host administrators group, or
equivalent.
If your machine is a domain member, you also need a domain account that is a
member of the Group Policy Creator Owners group, or equivalent.

If you're using RDS, you also need:

A Windows Server with the RDS installed and configured. To learn more about
deploying RDS, see Deploy your Remote Desktop environment.
A Remote Desktop Session Collection. To learn more about creating a Remote
Desktop Session Collection, see Create a Remote Desktop Services collection for
desktops and apps to run.

Methods to disable Automatic Reconnection

To disable Automatic Reconnection, you can configure your server, client, or both.

Tip

If you disable Automatic Reconnection from your server, clients will be unable
to perform Automatic Reconnection regardless of the client configuration.

Changes to the Automatic Reconnection setting only apply to new sessions.
Existing sessions will continue to use the Automatic Reconnection setting
from the time of connection.

Client RDP Properties

You can configure the following Remote Desktop Protocol (RDP) property to disable
Automatic Reconnection using the Remote Desktop Connection app or by editing the
.rdp file. More information can be found here: Supported RDP properties with Remote
Desktop Services. To disable Automatic Reconnection, select the relevant method and
follow the steps.

RDP file

Here's how to disable Automatic Reconnection by editing the .rdp file.

1. Locate your .rdp file, right-click the file, expand the Open with menu, then
select Choose another app.

2. Select Notepad, then select Just once.

3. Scroll to the last line of the file, then enter the following text.

RDP

autoreconnection enabled:i:0
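The .rdp edit above done programmatically, so the property is replaced if already present rather than appended twice, plus a read-back of the server-side policy. This is an added PowerShell example, not from the original article; the sample .rdp content is constructed, and the policy registry value name (fDisableAutoReconnect) is the value this Group Policy setting writes to my knowledge, not something the article states.

```powershell
# Added example (not from the article): set "autoreconnection enabled:i:0" in
# an .rdp file without duplicating the line, then read the effective value.
# The .rdp format is one "name:type:value" per line, where type i is integer
# and s is string; the value part may itself contain colons (e.g. host:port).
function Get-RdpSetting {
    param([Parameter(Mandatory)][string] $Path, [Parameter(Mandatory)][string] $Name)
    foreach ($line in Get-Content -Path $Path) {
        $parts = $line -split ':', 3      # name, type, value (value keeps any ':')
        if ($parts.Count -eq 3 -and $parts[0] -eq $Name) { return $parts[2] }
    }
    return $null                           # absent: the client default applies
}

function Set-RdpAutoReconnect {
    param([Parameter(Mandatory)][string] $Path, [bool] $Enabled = $false)
    $value = if ($Enabled) { 1 } else { 0 }
    $found = $false
    $out = @(foreach ($line in @(Get-Content -Path $Path)) {
        if ($line -match '^autoreconnection enabled:i:') {
            $found = $true
            "autoreconnection enabled:i:$value"      # replace in place
        } else { $line }
    })
    if (-not $found) { $out += "autoreconnection enabled:i:$value" }   # append, as in step 3
    # Unicode (UTF-16) is the encoding mstsc itself saves .rdp files with.
    Set-Content -Path $Path -Value $out -Encoding Unicode
}

# Constructed sample file (not from the article).
$rdp = Join-Path $env:TEMP 'sample.rdp'
@(
    'full address:s:Contoso-Sh1.Contoso.com:3389'
    'autoreconnection enabled:i:1'
    'authentication level:i:2'
) | Set-Content -Path $rdp -Encoding Unicode

Set-RdpAutoReconnect -Path $rdp -Enabled $false
Get-RdpSetting -Path $rdp -Name 'autoreconnection enabled'   # 0
Get-RdpSetting -Path $rdp -Name 'full address'               # Contoso-Sh1.Contoso.com:3389

# Server side: the "Automatic reconnection" Group Policy setting described
# below is backed by this policy value (1 = disabled). Assumed name, see lead-in.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$pol = Get-ItemProperty -Path $polKey -Name fDisableAutoReconnect -ErrorAction SilentlyContinue
if ($pol) { "Policy fDisableAutoReconnect = $($pol.fDisableAutoReconnect)" }
else      { 'Automatic reconnection policy is Not Configured on this host' }
```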

Remote Desktop Services server configuration

To disable Automatic Reconnection for your RDS session host, select the relevant
method and follow the steps.

Tip

If you have an RDS deployment and want to configure Automatic Reconnection
using the Session Collection properties, Group Policy must be in the Not
Configured state for each session host. The Group Policy setting applied to each
session host takes priority over the Automatic Reconnection setting for the Remote
Desktop Session Collection.

Group Policy

Here's how to disable Automatic Reconnection for RDS session hosts using Group
Policy.

1. Open the Group Policy Management Console, create or edit a policy applied
to your server.

2. In the console tree, select Computer Configuration > Administrative
Templates > Windows Components > Remote Desktop Services > Remote
Desktop Session Host > Connections.

3. For the setting, right-click Automatic reconnection and select Edit.

4. Select Disabled from the radio buttons.

5. Select OK to complete the configuration.

Next steps
Remote Desktop clients for Remote Desktop Services and remote PCs.

Set up email discovery to subscribe to your RDS feed
Article • 07/03/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10

Have you ever had trouble getting your end users connected to their published RDS
feed, either because of a single missing character in the feed URL or because they lost
the email with the URL? Nearly all Remote Desktop client applications support finding
your subscription by entering your email address, making it easier than ever to get your
users connected to their RemoteApps and desktops.

Before you set up email discovery, do the following:

Make sure you have permission to add a TXT record to the domain associated with
your email (for example, if your users have @contoso.com email addresses, you
would need permissions for the contoso.com domain)
Create an RD Web feed URL (https://<rdweb-dns-name>.domain/RDWeb/Feed/webfeed.aspx,
such as https://rdweb.contoso.com/RDWeb/Feed/webfeed.aspx)

Note

If you're using Azure Virtual Desktop instead of Remote Desktop, you'll want to use
these URLs instead:

If you're using Azure Virtual Desktop (classic):
https://rdweb.wvd.microsoft.com/api/feeddiscovery/webfeeddiscovery.aspx
If you're using Azure Virtual Desktop:
https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery

Now, follow these steps to set up email discovery:

1. In your browser, connect to the website of the domain name registrar where your
domain is registered.

2. Navigate to the appropriate page for your registered domain where you can view,
add, and edit DNS records.

3. Enter a new DNS record with the following properties:

Host: _msradc
Text: <RD Web Feed URL>
TTL: 300 seconds

The names of the DNS records fields vary by domain name registrar, but this
process will result in a TXT record named _msradc.<domain_name> (such as
_msradc.contoso.com) that has a value of the full RD Web feed.

That's it! Now, launch the Remote Desktop application on your device and subscribe
yourself!
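A check that the _msradc TXT record described above resolves and carries a usable feed URL, as an added PowerShell example that is not from the original article. It assumes the DnsClient module's Resolve-DnsName; the contoso.com names are placeholders, and the commented-out record creation applies only when the zone is hosted on a Windows DNS server (DnsServer module), not at a registrar.

```powershell
# Added example (not from the article): resolve _msradc.<domain> as TXT and
# validate that its value is an https feed URL on one of the paths the
# article lists. Domain names are placeholders.

# Feed paths from the article: RDS, Azure Virtual Desktop (classic), Azure Virtual Desktop.
$KnownFeedPaths = @(
    '/RDWeb/Feed/webfeed.aspx',
    '/api/feeddiscovery/webfeeddiscovery.aspx',
    '/api/arm/feeddiscovery'
)

function Test-RdsFeedDiscovery {
    param([Parameter(Mandatory)][string] $EmailDomain)
    $record = "_msradc.$EmailDomain"
    try {
        $txt = Resolve-DnsName -Name $record -Type TXT -ErrorAction Stop |
            Where-Object Type -eq 'TXT'
    } catch {
        return [pscustomobject]@{ Record = $record; Found = $false; Url = $null
                                  Ok = $false; Reason = $_.Exception.Message }
    }
    if (-not $txt) {
        return [pscustomobject]@{ Record = $record; Found = $false; Url = $null
                                  Ok = $false; Reason = 'no TXT record' }
    }
    # A TXT record may be split into several strings; rejoin them.
    $url = ($txt | Select-Object -First 1 -ExpandProperty Strings) -join ''
    $uri = $null
    $reason = $null
    if (-not [uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)) {
        $reason = 'value is not an absolute URL'
    } elseif ($uri.Scheme -ne 'https') {
        $reason = 'feed URL must use https'
    } elseif ($KnownFeedPaths -notcontains $uri.AbsolutePath) {
        $reason = "unexpected feed path $($uri.AbsolutePath)"
    }
    [pscustomobject]@{ Record = $record; Found = $true; Url = $url
                       Ok = ($null -eq $reason); Reason = $reason }
}

Test-RdsFeedDiscovery -EmailDomain 'contoso.com' | Format-List

# Creating the record when the email domain's zone is on a Windows DNS server
# you administer (DnsServer module); registrar portals differ, see the steps above.
# Add-DnsServerResourceRecord -ZoneName 'contoso.com' -Name '_msradc' -Txt `
#     -DescriptiveText 'https://rdweb.contoso.com/RDWeb/Feed/webfeed.aspx' `
#     -TimeToLive (New-TimeSpan -Seconds 300)
```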

Fair Share technologies are enabled by default in Remote Desktop Services
Article • 11/01/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016

This article describes how a Remote Desktop Session Host (RDSH) server, Windows 10
Enterprise multi-session, Windows 11 Enterprise multi-session, and Windows Server use
Fair Share technologies to balance CPU, disk, and network bandwidth resources among
multiple Remote Desktop sessions.

Original KB number: 4494631

Introduction
Remote Desktop Services (RDS) server, Windows 10 Enterprise multi-session and
Windows 11 Enterprise multi-session use Fair Share technologies for CPU resources to
manage resources. RDS builds on the Fair Share technologies to add features for
allocating network bandwidth and disk resources. Fair Share CPU Scheduling is enabled
by default, while Dynamic Disk Fair Share and Dynamic Network Fair Share are disabled.
You can change the defaults by using PowerShell and WMI.

For more information about the related properties in WMI, see
Win32_TerminalServiceSetting class: Properties.

Note

Before turning on Dynamic Disk Fair Share or Dynamic Network Fair Share, it's
recommended to review performance on applications that require exchanging
larger amounts of data.

Fair Share CPU Scheduling

Fair Share CPU Scheduling dynamically distributes processor time across all RDS and
Azure Virtual Desktop (AVD) multi-session sessions on the same Session Host server,
based on the number of sessions and the demand for processor time within each
session. This process creates a consistent user experience across all of the active
sessions, while sessions are being created and deleted dynamically. This feature builds
on the Dynamic Fair Share Scheduling technology (DFSS) that was part of Windows
Server.

Dynamic Disk Fair Share

When disk-intensive processes run in one or more sessions, they can starve non-disk
intensive processes and prevent them from ever accessing disk resources. To fix this
issue, the Dynamic Disk Fair Share feature balances disk access among the different
sessions by balancing disk IO and throttling excess disk usage.

Dynamic Network Fair Share

When bandwidth-intensive applications run in one or more sessions, they can starve
applications in other sessions of bandwidth. To equalize network consumption among
the sessions, the Network Fair Share feature uses a round-robin approach to allocate
bandwidth for each session.

In a centralized computing scenario, the Dynamic Network Fair Share feature tries to
fairly distribute network interface bandwidth load among the sessions.
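The article says the defaults can be changed with PowerShell and WMI but does not show how. The following is an added example, not part of the Microsoft documentation. It assumes that the Win32_TerminalServiceSetting class referenced above lives in the root\CIMV2\TerminalServices namespace and exposes the writable EnableDFSS, EnableDiskFSS and EnableNetworkFSS properties (1 = on, 0 = off) for the three features; run it as an administrator on the session host.

```powershell
# Added example: read and change the Fair Share settings through WMI/CIM.
# Assumption: Win32_TerminalServiceSetting in root\CIMV2\TerminalServices exposes
# EnableDFSS (CPU), EnableDiskFSS (disk) and EnableNetworkFSS (network) as writable
# uint32 properties. Function names are my own.

$script:TsCim = @{
    Namespace   = 'root\CIMV2\TerminalServices'
    ClassName   = 'Win32_TerminalServiceSetting'
    ErrorAction = 'Stop'
}

function Get-RdsFairShareSetting {
    [CmdletBinding()]
    param([string] $ComputerName)   # omit for the local host (no WinRM needed)

    $cim = $script:TsCim.Clone()
    if ($ComputerName) { $cim.ComputerName = $ComputerName }
    $ts = Get-CimInstance @cim

    [pscustomobject]@{
        ComputerName            = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
        FairShareCpu            = [bool]$ts.EnableDFSS        # on by default
        DynamicDiskFairShare    = [bool]$ts.EnableDiskFSS     # off by default
        DynamicNetworkFairShare = [bool]$ts.EnableNetworkFSS  # off by default
    }
}

function Set-RdsFairShareSetting {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $ComputerName,
        [nullable[bool]] $FairShareCpu,
        [nullable[bool]] $DynamicDiskFairShare,
        [nullable[bool]] $DynamicNetworkFairShare
    )

    # Only touch the properties the caller asked about.
    $props = @{}
    if ($null -ne $FairShareCpu)            { $props.EnableDFSS       = [uint32]$FairShareCpu }
    if ($null -ne $DynamicDiskFairShare)    { $props.EnableDiskFSS    = [uint32]$DynamicDiskFairShare }
    if ($null -ne $DynamicNetworkFairShare) { $props.EnableNetworkFSS = [uint32]$DynamicNetworkFairShare }
    if ($props.Count -eq 0) { return Get-RdsFairShareSetting -ComputerName $ComputerName }

    $cim = $script:TsCim.Clone()
    if ($ComputerName) { $cim.ComputerName = $ComputerName }
    $ts = Get-CimInstance @cim

    $target = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
    if ($PSCmdlet.ShouldProcess($target, "Set $($props.Keys -join ', ')")) {
        $ts | Set-CimInstance -Property $props
    }
    Get-RdsFairShareSetting -ComputerName $ComputerName
}

# Usage: report the current state, then preview enabling disk fair share.
Get-RdsFairShareSetting
Set-RdsFairShareSetting -DynamicDiskFairShare $true -WhatIf
```

The -WhatIf preview is deliberate: as the note above says, measure data-heavy applications before switching on the disk or network features on a production host.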

License your RDS deployment with client access licenses (CALs)
Article • 09/11/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10

Each user and device that connects to a Remote Desktop Session host needs a client
access license (CAL). You use RD Licensing to install, issue, and track RDS CALs.

When a user or a device connects to an RD Session Host server, the RD Session Host
server determines if an RDS CAL is needed. If needed, the RD Session Host server then
requests an RDS CAL from the Remote Desktop license server. If an appropriate
RDS CAL is available from a license server, the RDS CAL is issued to the client, and the
client is able to connect to the RD Session Host server and from there to the desktop or
apps they're trying to use.

There's a licensing grace period of 120 days during which no license server is required.
Once the grace period ends, clients must have a valid RDS CAL issued by a license server
before they can log on to an RD Session Host server.

Use the following information to learn about how client access licensing works in
Remote Desktop Services and how to deploy and manage your licenses:

License your RDS deployment with client access licenses (CALs)
Understand the RDS CAL model
Per Device CALs
Per User CALs
RDS CAL version compatibility

Understand the RDS CAL model

There are two types of RDS CALs:

RDS Per Device CALs
RDS Per User CALs

The following table outlines the similarities and differences between the two types of
CALs:

| Per Device | Per User |
| --- | --- |
| RDS CALs are physically assigned to each device. | RDS CALs are assigned to a user in Active Directory. |
| RDS CALs are tracked by the license server. | RDS CALs are tracked by the license server. |
| RDS CALs can be tracked regardless of Active Directory membership. | RDS CALs can't be tracked within a workgroup. |
| You can revoke up to 20% of RDS CALs. | You can't revoke any RDS CALs. |
| Temporary RDS CALs assigned on first logon are valid for 90 days. | Temporary RDS CALs aren't available. |
| Permanent CALs are valid for a random period of 52–89 days before renewal. | CALs are valid for 60 days before renewal or 90 days before reassignment. |
| RDS CALs can't be overallocated. | RDS CALs can be overallocated, in breach of the Remote Desktop licensing agreement. |

For example, the Per Device model would be appropriate in an environment where there
are two or more shifts using the same computers to access the RD Session Hosts. The
Per User model would be best for environments where each user has their own
dedicated Windows devices to access the RD Session Hosts.

Per Device CALs

When you use the Per Device model, a temporary license is issued the first time a device
connects to the RD Session Host. After a user signs in to the session, the RDS server
instructs the license server to mark the issued temporary RDS CAL token as being
validated.

The next time that device connects, as long as the license server is activated and there
are available RDS CALs, the license server upgrades the temporary RDS CAL token to a
full RDS CAL token and issues a permanent RDS Per Device CAL. If no license tokens are
available, the temporary RDS CAL token continues to function for 90 days.

Every time the client device connects to the RDS Host, it presents its RDS CAL certificate
to the server. The server checks not only whether the client device has a valid certificate,
but also the expiration date of that certificate. If the expiration date of the certificate is
within seven days of the current date, the RDS Host connects to the license server to
renew the license for another random period of 52 to 89 days.

Per User CALs

When you use the Per User model, licensing isn't enforced, and each user is granted a
license to connect to an RD Session Host from any number of devices. The license server
issues licenses from the available RDS CAL pool or the OverUsed RDS CAL pool. It's the
administrator's responsibility to ensure that all users have valid licenses and no
OverUsed CALs, to avoid violating the Remote Desktop Services license terms.

Per User RDS CALs show as expiring 60 days after they're issued. Shortly before their
expiration date, when the user signs in, the date is extended another 60 days. If a user
doesn't sign in before the expiration date, they drop off the list, but the next time they
sign in they show up again with a new expiration date.

For most license agreements, 90 days is the more relevant time period, because it's the
minimum time required before a license can be reassigned to a different user, except
under special circumstances.

You can use the Remote Desktop Licensing Manager to track and generate reports on
RDS Per User CALs. To ensure you're in compliance with the Remote Desktop Services
license terms, track the number of RDS Per User CALs used in your organization. Be sure
to have enough RDS Per User CALs installed on the license server for all of your users.

RDS CAL version compatibility

The RDS CAL for your users or devices must be compatible with the version of Windows
Server that the user or device is connecting to. You can't use RDS CALs for earlier
versions to access later versions of Windows Server, but you can use later versions of
RDS CALs to access earlier versions of Windows Server. For example, you must have an
RDS 2022 CAL or later to connect to a Windows Server 2022 RD session host, and you
can also use an RDS 2022 CAL to access a Windows Server 2016 or Windows Server
2019 session host.

The following table shows which RDS CAL and RD session host versions are compatible
with each other.

| Session host version | RDS 2016 CAL | RDS 2019 CAL | RDS 2022 CAL | RDS 2025 CAL |
| --- | --- | --- | --- | --- |
| Windows Server 2016 session host | Yes | Yes | Yes | Yes |
| Windows Server 2019 session host | No | Yes | Yes | Yes |
| Windows Server 2022 session host | No | No | Yes | Yes |
| Windows Server 2025 session host | No | No | No | Yes |

You must install your RDS CAL on a compatible RD license server. Any RDS license server
can host licenses from all previous versions of Remote Desktop Services and the current
version of Remote Desktop Services. For example, a Windows Server 2022 RDS license
server can host licenses from all previous versions of RDS, while a Windows Server 2016
RDS license server can only host licenses up to Windows Server 2016.

The following table shows which RDS CAL and license server versions are compatible
with each other.

| License server version | RDS 2016 CAL | RDS 2019 CAL | RDS 2022 CAL | RDS 2025 CAL |
| --- | --- | --- | --- | --- |
| Windows Server 2016 license server | Yes | No | No | No |
| Windows Server 2019 license server | Yes | Yes | No | No |
| Windows Server 2022 license server | Yes | Yes | Yes | No |
| Windows Server 2025 license server | Yes | Yes | Yes | Yes |

Activate the Remote Desktop Services license server
Article • 11/01/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10

The Remote Desktop Services license server issues client access licenses (CALs) to users
and devices when they access the RD Session Host. You can activate the license server
by using the Remote Desktop Licensing Manager.

Install the Remote Desktop Licensing role

1. Sign into the server you want to use as the license server using an administrator
account.

2. In Server Manager, select Manage > Add Roles and Features.

3. On the Select installation type page, select Role-based or feature-based
installation.

4. Specify the server on which you'll install the licensing role.

5. On the Server Roles page, check the box for Remote Desktop Services, then select
Next until you see the Remote Desktop Services page.

6. Select the roles you want to install. Make sure you include the Remote Desktop
Licensing role.

7. In the Add Roles and Features Wizard dialog box, select Add Features.

8. Select Next until you see the Confirmation page, then select Install.

For detailed information and other installation options, see Install or uninstall roles, role
services, or features.

Activate the license server

1. In Server Manager, select Tools > Remote Desktop Services > Remote Desktop
Licensing Manager.

2. In the RD Licensing Manager, select the server, and then select Action > Activate
Server.
3. Confirm your preferred Connection method for license server activation and select
Next. The three options available are:

Automatic connection (recommended): This recommended method communicates via
the internet directly to the Microsoft Clearinghouse, outbound over TCP port 443.

Web Browser: This method requires the administrator to connect to the
Microsoft Clearinghouse web site. Use this method if the license server
doesn't have internet access, but you have internet access through another
computer.

Telephone: This method allows the administrator to complete the migration
process over the phone with a Microsoft Clearinghouse operator. Use this
method if you don't have internet access.

Activate with automatic connection

1. Enter your required Company information including First name, Last name,
Company, and Country or Region. Select Next.

2. Then enter your optional company information. Select Next until you complete the
Activate Server Wizard.

3. Accept the defaults for the remaining pages until the final page. Clear Start Install
Licenses Wizard now, and then select Finish.

4. Select Action > Install Licenses, and have your license code ready to enter when
prompted.

Activate using a web browser

1. On the License Server Activation page, copy the URL for the Remote Desktop
Licensing Web Site. Then open a web browser and navigate to the site.

2. Complete the steps on the Remote Desktop Licensing Web Site.

3. Return to the License Server Activation page and enter in the license server ID.
Select Next.

Activate by telephone
1. Select your Country or Region. Then select Next.
2. On the License Server Activation page, call Microsoft at the number displayed.
The representative will provide you with a license server ID to enter. Select Next.

Reactivate or deactivate a Remote Desktop Services license server
Article • 07/03/2024

In this article, learn how to reactivate or deactivate a Remote Desktop Services license
server automatically over the internet, using a web browser, or by telephone.

Prerequisites
Consider the following prerequisites before either reactivating or deactivating the
license server:

You'll need to know which server is the license server.
You'll need membership in the Administrators group, or equivalent.

Reactivate a license server

You must reactivate a Remote Desktop license server when any of the following occur:

The license server certificate expired.
The license server certificate was corrupted.
The license server was upgraded.
The license server was redeployed.
The license server private key was compromised.

Reactivate a license server by using one of the following methods:

Reactivate a license server automatically
Reactivate a license server using a web browser
Reactivate a license server by telephone

Reactivate a license server automatically

The automatic reactivation method requires internet connectivity from the computer
running the Remote Desktop Licensing Manager tool. Complete the following steps to
reactivate a license server automatically:

1. In Server Manager, select Tools > Remote Desktop Services > Remote Desktop
Licensing Manager.
2. In RD Licensing Manager, verify that the connection method for the license server
is set to Automatic connection (recommended). To do this, right-click the license
server that you want to reactivate, and then select Properties. On the Connection
Method tab, change the connection method if necessary.

3. Right-click the license server that you want to reactivate, point to Advanced, and
then select Reactivate Server. The Reactivate Server Wizard starts.

4. On the Welcome page, select Next.

5. On the Information Needed page, provide the requested information, and then
select Next.

6. Your request to reactivate the license server is sent to the Microsoft Clearinghouse
for processing, and the license server is reactivated.

7. On the Completing the Reactivate Server Wizard page, select Finish.

Reactivate a license server using a web browser

The web reactivation method can be used when the computer running the Remote
Desktop Licensing Manager tool doesn't have internet connectivity, but you have access
to the web from another computer. The URL for the web method is displayed in the
Reactivate Server Wizard.

To reactivate a Remote Desktop Licensing Manager server by using a web browser,
complete the following steps:

1. In Server Manager, select Tools > Remote Desktop Services > Remote Desktop
Licensing Manager.

2. Verify that the connection method for the Remote Desktop license server is set
to Web Browser by right-clicking the license server that you want to reactivate, and
then selecting Properties.

3. Using a computer that has internet connectivity, connect to the Remote Desktop
Licensing website.

4. On the Remote Desktop Licensing website, select the option to Reactivate a
license server and then select Next. Follow the steps to reactivate the license
server.

Reactivate a license server by telephone

The telephone reactivation method allows you to talk to a Microsoft customer service
representative to complete the reactivation process. The appropriate telephone number
depends on the country/region that is configured for the Remote Desktop Licensing
Manager, and that telephone number is displayed in the Reactivate Server Wizard.

To reactivate a Remote Desktop Licensing Manager server by telephone, complete the
following steps:

1. In Server Manager, select Tools > Remote Desktop Services > Remote Desktop
Licensing Manager.

2. Verify that the connection method for the Remote Desktop license server is set
to Telephone by right-clicking the license server that you want to reactivate, and
then select Properties. On the Connection Method tab, change the connection
method, if necessary, ensure that the correct country or region is selected in
the Select Country or Region list, and then select OK.

3. Right-click the license server that you want to reactivate, point to Advanced, and
then select Reactivate Server. The Reactivate Server Wizard starts.

4. On the Welcome page, select Next.

5. Call Microsoft by using the telephone number that is displayed on the License
Server Reactivation page, and then provide the Microsoft customer support
representative with the product ID and license server ID that is displayed on your
screen.

6. The representative processes your request to reactivate the license server, and
provides you with a new license server ID. On the License Server Reactivation page
in the Reactivate Server Wizard, type the new license server ID that the
representative provides, and then select Next. The license server is reactivated.

7. On the Completing the Reactivate Server Wizard page, select Finish.

Deactivate a license server

You may have to deactivate a license server if the certificate of the server expires, gets
damaged, or if you redeploy the server.

The following steps describe how to deactivate a license server:

1. In Server Manager, select Tools > Remote Desktop Services > Remote Desktop
Licensing Manager.
2. In the console tree, right-click the license server that you want to deactivate,
select Advanced, and then select Deactivate Server.

3. In the Deactivate Server Wizard, confirm that your name, your phone number
(optional), and your e-mail address that are listed under Information Needed are
correct. Then select Next. Your request to deactivate the license server is sent to
Microsoft Clearinghouse for processing.

Note

Your e-mail address is required if you are using the Internet method.

4. Select Finish.

When you deactivate a license server, you can't license other client computers from this
server until the license server is activated again.

Install RDS client access licenses on the Remote Desktop license server
Article • 11/01/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10

Use the following information to install Remote Desktop Services client access licenses
(CALs) on the license server. Once the CALs are installed, the license server will issue
them to users as appropriate. Be sure to activate your license server first before
continuing with the following steps.

Note

You need Internet connectivity on the computer running Remote Desktop Licensing
Manager but not on the computer running the license server.

1. On the license server (usually the first RD Connection Broker), open the Remote
Desktop Licensing Manager.

2. Right-click the license server, and then select Install licenses.

3. Select Next on the welcome page.

4. Select the program you purchased your RDS CALs from, and then select Next. If
you are a service provider, select Service Provider License Agreement.

5. Enter the information for your license program. In most cases, this will be the
license code or an agreement number, but this varies depending on the license
program you're using.

6. Select Next.

7. Select the product version, license type, and number of licenses for your
environment, and then select Next. The license manager contacts the Microsoft
Clearinghouse to validate and retrieve your licenses.

8. Select Finish to complete the process.

License Remote Desktop session hosts
Article • 07/09/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016

You can use the information in this article to configure licensing for session hosts on
your Remote Desktop Services (RDS) deployments. The process is slightly different
depending on which roles you assigned to the session host you're licensing.

Prerequisites
In order to install licenses for your session hosts, you need a Remote Desktop license
server with per-user or per-device client access licenses (CALs) activated.

Configure licensing for an RDS deployment that includes the RD Connection Broker role

If you need to license session hosts where your RDS deployment doesn't include the
connection broker role, you must specify a license server by using group policy, either
centrally from your Active Directory domain or locally on each session host. You also
need to specify a license server when using Windows Server with Azure Virtual
Desktop.

To specify a license server:

1. On the RD Connection Broker computer, open Server Manager.

2. In Server Manager, select Remote Desktop Services > Overview > Edit
Deployment Properties > RD Licensing.
3. Select the Remote Desktop licensing mode (either Per User or Per Device, as
appropriate for your deployment).

Note

If you use domain-joined servers for your RDS deployment, you can use both
Per User and Per Device CALs. If you use workgroup servers for your RDS
deployment, you have to use Per Device CALs. In that case, Per User CALs are
not permitted.

4. Specify a license server, and then select Add.


Configure licensing for an RDS deployment that includes only the RD Session Host role and the RD Licensing role

1. Depending on whether you want to configure Group Policy centrally from your
domain or locally on each session host:

Open the Group Policy Management Console (GPMC) and create or edit a
policy that targets your session hosts.

Open the Local Group Policy Editor on the session host.

2. Go to Computer Configuration > Administrative Templates > Windows
Components > Remote Desktop Services > Remote Desktop Session Host >
Licensing.

3. In the policy list, right-click Use the specified Remote Desktop license servers, and
then select Properties.

4. Select Enabled, and then enter the name of the license server under License
servers to use. If you have more than one license server, use commas to separate
their names.
5. Select OK.

6. In the policy list, right-click Set the Remote Desktop licensing mode, and then
select Properties.

7. Select Enabled.

8. Under Specify the licensing mode for the Remote Desktop Session Host server,
select Per Device or Per User, as appropriate for your deployment.
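Whichever of the two procedures above you used, it helps to be able to read the effective licensing state back from a session host, and to flag the combinations this article rules out (no license server at all, Per User mode on a workgroup host). The following is an added example, not part of the Microsoft documentation. It assumes that Win32_TerminalServiceSetting (root\CIMV2\TerminalServices) exposes a LicensingType property (2 = Per Device, 4 = Per User, 5 = not configured) and the GetSpecifiedLicenseServerList, SetSpecifiedLicenseServerList and ChangeMode methods, and that the two group policies above are stored as the LicensingMode and LicenseServers values under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services. Run it as an administrator on the session host.

```powershell
# Added example: audit, and optionally set, licensing mode and license servers on an
# RD Session Host. Assumptions: Win32_TerminalServiceSetting property/method names as
# described in the lead-in; policy registry value names LicensingMode and LicenseServers.

$script:TsCim = @{
    Namespace   = 'root\CIMV2\TerminalServices'
    ClassName   = 'Win32_TerminalServiceSetting'
    ErrorAction = 'Stop'
}
$script:PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$script:ModeNames = @{ 2 = 'Per Device'; 4 = 'Per User'; 5 = 'Not configured' }

function Get-RdsSessionHostLicensing {
    $ts = Get-CimInstance @script:TsCim
    $wmiServers = (Invoke-CimMethod -InputObject $ts -MethodName GetSpecifiedLicenseServerList).SpecifiedLSList
    $policy = Get-ItemProperty -Path $script:PolicyKey -ErrorAction SilentlyContinue
    $inDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    $mode = $script:ModeNames[[int]$ts.LicensingType]
    if (-not $mode) { $mode = "Unknown ($($ts.LicensingType))" }

    $policyMode = $null
    if ($policy -and $policy.PSObject.Properties['LicensingMode']) {
        $policyMode = $script:ModeNames[[int]$policy.LicensingMode]
    }

    # The checks below encode the rules stated in this article.
    $issues = @()
    if ($ts.LicensingType -eq 5) {
        $issues += 'Licensing mode not configured; logons depend on the 120-day grace period'
    }
    if (-not $wmiServers -and -not $policy.LicenseServers) {
        $issues += 'No license server specified (deployment properties or group policy)'
    }
    if (-not $inDomain -and ($ts.LicensingType -eq 4 -or $policyMode -eq 'Per User')) {
        $issues += 'Per User mode on a workgroup host is not permitted; use Per Device'
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        LicensingMode        = $mode
        LicenseServers       = @($wmiServers)
        PolicyLicensingMode  = $policyMode
        PolicyLicenseServers = $policy.LicenseServers
        DomainJoined         = $inDomain
        Issues               = $issues
    }
}

function Set-RdsSessionHostLicensing {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('Per Device', 'Per User')] [string] $Mode,
        [string[]] $LicenseServer
    )
    $ts = Get-CimInstance @script:TsCim
    if ($Mode -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set licensing mode to $Mode")) {
        $code = if ($Mode -eq 'Per Device') { 2 } else { 4 }
        $null = Invoke-CimMethod -InputObject $ts -MethodName ChangeMode `
                    -Arguments @{ LicensingType = [uint32]$code }
    }
    if ($LicenseServer -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set license servers to $($LicenseServer -join ', ')")) {
        $null = Invoke-CimMethod -InputObject $ts -MethodName SetSpecifiedLicenseServerList `
                    -Arguments @{ SpecifiedLSList = [string[]]$LicenseServer }
    }
    Get-RdsSessionHostLicensing
}

# Usage: audit first; the -WhatIf form previews a change without applying it.
Get-RdsSessionHostLicensing | Format-List
Set-RdsSessionHostLicensing -Mode 'Per Device' -LicenseServer 'licsvr.contoso.com' -WhatIf
```

Where a group policy is in force it wins over the WMI setting, so a non-empty PolicyLicenseServers or PolicyLicensingMode in the audit output tells you where to make the change.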
Ensure an RD Session Host can access an RD licensing server in the same workgroup

This section only applies to workgroups. Skip this section if your RD Session Host and
RD licensing server are joined to a domain in Active Directory. You can also skip this
section if the RD licensing server and RD Session Host server are the same machine.

After applying the security update for CVE-2024-38099, RD licensing servers enforce
that RD Session Host servers present nonanonymous credentials when requesting or
querying licenses. To ensure nonanonymous credentials exist, confirm that the NT
AUTHORITY\NETWORK SERVICE account under which the Remote Desktop Service runs
on the RD Session Host has access to credentials. Configure the machines in a
workgroup using the following steps.

First, we recommend creating a dedicated user on the RD licensing server:

1. Connect to the RD licensing server. If doing so remotely, you may need to start the
Remote Desktop Connection application using the mstsc.exe /admin command if
the target machine can't contact a RD licensing server.

2. Once connected, right-click Start, then select Run, and enter lusrmgr.msc . Then
press ENTER.

3. Select Users in the left pane.

4. Open the Action menu and select New User….

5. Choose a username and a unique strong password for the user. Then confirm the
password.

6. Uncheck the "User must change password at next logon" checkbox.

7. Select Create.

Then, on each RD Session Host server that needs to connect to the RD licensing server,
add the user:

1. Connect to the RD Session Host machine. If doing so remotely, you may need to
start the Remote Desktop Connection application if the target machine can’t
contact any RD licensing server. Open Remote Desktop Connection as an
administrator, or use the command: mstsc.exe /admin .

2. Start a Command Prompt as NT AUTHORITY\NETWORK SERVICE. You can do this
with PsExec from the Sysinternals Utilities, by running the following command as
an administrator:

Windows Command Prompt

psexec.exe -i -u "NT AUTHORITY\NETWORK SERVICE" cmd.exe

3. Then, add a username and password to the host computer with the following
command:

Windows Command Prompt

cmdkey /add:<NAME-OF-THE-LICENSING-SERVER> /user:<NAME-OF-THE-LICENSING-SERVER>\<USERNAME> /pass

4. When prompted for the password, enter the password previously selected and
press ENTER.

The RD Session Host should now be able to connect to the RD licensing server.
Alternatively, the requirement for proper authentication can be disabled on the licensing
server. If you would like to disable the enforcement of authentication on your RD
licensing server despite the risk, you can modify the registry.

Warning

Disabling the enforcement of authentication on the RD licensing server is not
recommended and can result in increased security risks. Use it at your own risk.

If you use Registry Editor incorrectly, you may cause serious problems that may
require you to reinstall your operating system. Microsoft cannot guarantee that you
can solve problems that result from using Registry Editor incorrectly. Use Registry
Editor at your own risk.

To update the registry key and value on the RD licensing server:

1. Start the Registry Editor.

2. Modify the key HKLM\SYSTEM\CurrentControlSet\Services\TermServLicensing\Parameters
with the following values:

Name: DisableWorkgroupAuthEnforcement

Type: REG_DWORD

Data: 1

Warning

Future versions of Windows may stop honoring this setting.
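The two procedures in this section (a dedicated account on the licensing server, and a credential stored under NETWORK SERVICE on each session host) can be scripted, and a licensing server should periodically be checked for the registry bypass just described. The following is an added example, not part of the Microsoft documentation. It assumes the LocalAccounts module (New-LocalUser) is present on the licensing server, that PsExec.exe from Sysinternals is on the PATH of the session host, and that cmdkey writes to the credential store of whichever account it runs under; the function names are my own.

```powershell
# Added example: the workgroup procedure above from PowerShell, plus an audit for the
# DisableWorkgroupAuthEnforcement bypass. Assumptions: LocalAccounts module on the
# licensing server, PsExec.exe on the session host's PATH. Function names are my own.

# --- On the RD licensing server: create the dedicated account -----------------------
function New-RdsLicensingClientUser {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $UserName)

    # 32 characters drawn with a CSPRNG from a 64-symbol alphabet; because 256 is a
    # multiple of 64, "byte -band 63" is unbiased. About 192 bits of entropy.
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_'
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain = -join ($bytes | ForEach-Object { $alphabet[$_ -band 63] })

    if ($PSCmdlet.ShouldProcess($UserName, 'Create local user for RD Session Host licensing requests')) {
        New-LocalUser -Name $UserName -Password (ConvertTo-SecureString $plain -AsPlainText -Force) `
            -PasswordNeverExpires -UserMayNotChangePassword `
            -Description 'Used by RD Session Hosts to authenticate to RD Licensing' | Out-Null
        # Plain member of Users is enough; the procedure needs no extra rights.
    }
    # Returned once so the operator can store it in a password manager; not logged.
    [pscustomobject]@{ UserName = $UserName; Password = $plain }
}

# --- On each RD Session Host: store the credential under NETWORK SERVICE ------------
function Register-RdsLicensingServerCredential {
    param(
        [Parameter(Mandatory)] [string] $LicensingServer,
        [Parameter(Mandatory)] [string] $UserName
    )
    # cmdkey runs under NETWORK SERVICE so the entry lands in that account's store.
    # "/pass" with no value makes cmdkey prompt, so the password never appears on a
    # command line, in PowerShell history or in process-creation logs.
    & psexec.exe -accepteula -i -u 'NT AUTHORITY\NETWORK SERVICE' cmd.exe /c `
        "cmdkey /add:$LicensingServer /user:$LicensingServer\$UserName /pass"
}

function Test-RdsLicensingServerCredential {
    param([Parameter(Mandatory)] [string] $LicensingServer)
    # List NETWORK SERVICE's stored credentials and look for the licensing server.
    $listing = & psexec.exe -accepteula -u 'NT AUTHORITY\NETWORK SERVICE' cmdkey /list 2>$null
    $pattern = 'Target:\s+.*' + [regex]::Escape($LicensingServer)
    [bool]($listing | Where-Object { $_ -match $pattern })
}

# --- On the RD licensing server: confirm the enforcement has not been switched off --
function Test-RdsWorkgroupAuthEnforcement {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermServLicensing\Parameters'
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisableWorkgroupAuthEnforcement
    [pscustomobject]@{
        Enforced = ($v -ne 1)   # 1 disables the check added by the CVE-2024-38099 update
        RawValue = $v
    }
}

# Usage, in order: on the licensing server, then on each session host, then back on
# the licensing server as a recurring audit.
# New-RdsLicensingClientUser -UserName 'rdshlic'
# Register-RdsLicensingServerCredential -LicensingServer 'LICSVR1' -UserName 'rdshlic'
# Test-RdsLicensingServerCredential -LicensingServer 'LICSVR1'
# Test-RdsWorkgroupAuthEnforcement
```

Test-RdsWorkgroupAuthEnforcement returning Enforced = False on a licensing server is the condition the warning above describes, and is worth alerting on from whatever configuration-monitoring you already run.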

Next steps
Learn how to create reports to track RDS per-user CALs issued by a Remote Desktop
license server at Track your Remote Desktop Services client access licenses (RDS CALs).

Track your Remote Desktop Services client access licenses (RDS CALs)
Article • 11/01/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10

You can use the Remote Desktop Licensing Manager tool to create reports to track the
RDS Per User CALs that have been issued by a Remote Desktop license server.

Note

If you're using Microsoft Entra Domain Services in your environment, the Remote
Desktop Licensing Manager tool won't work to obtain Per User CALs. Instead, you
need to track licensing manually, either through logon events, polling active
Remote Desktop connections through the Connection Broker, or another
mechanism that works for you.

Use the following steps to generate a per User CALs report:

1. In Remote Desktop Licensing Manager right-click the license server, click Create
Report, and then click CAL Usage.

2. The report is created and a message appears to confirm that the report was
successfully created. Click OK to close the message.

The report that you created appears in the Reports section under the node for the
license server. The report provides the following information:

Date and time the report was created
The scope of the report (e.g., Domain, OU=Sales, or All trusted domains)
The number of RDS Per User CALs that are installed on the license server
The number of RDS Per User CALs that have been issued by the license server
specific to the scope of the report

You can also save the report as a CSV file to a folder location on the computer. To save
the report, right-click the report that you want to save, click Save As, and then specify
the file name and location to save the report.

Reports that you create are listed in the Reports node under the node for the license
server in Remote Desktop Licensing Manager. If you no longer need a report, you can
delete it.
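The note above says that with Microsoft Entra Domain Services you have to track Per User usage yourself, for example from logon events. The following is an added example of that approach, not part of the Microsoft documentation: it counts the distinct users who signed in to a session host within a window (60 or 90 days, matching the renewal and reassignment periods of Per User CALs). It assumes that event ID 21 ("Session logon succeeded") in the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log carries the user name as a <User> element under <UserData><EventXML>; the sample events are constructed for the demonstration.

```powershell
# Added example: count distinct RD users from session-logon events (event ID 21 in the
# TerminalServices-LocalSessionManager/Operational log). Assumption: the event's
# UserData/EventXML contains <User>; sample events below are constructed.

function Measure-RdsSessionUsers {
    [CmdletBinding()]
    param(
        # Raw event XML, as returned by EventLogRecord.ToXml()
        [Parameter(Mandatory, ValueFromPipeline)] [string[]] $EventXml,
        [int] $Days = 90,
        [datetime] $Now = (Get-Date)
    )
    begin { $lastSeen = @{} }
    process {
        foreach ($x in $EventXml) {
            $e = [xml]$x
            $user = [string]$e.Event.UserData.EventXML.User
            if (-not $user) { continue }
            $when = [datetime]$e.Event.System.TimeCreated.SystemTime
            # Account names are case-insensitive; keep the most recent logon per user.
            $key = $user.ToLowerInvariant()
            if (-not $lastSeen.ContainsKey($key) -or $lastSeen[$key] -lt $when) { $lastSeen[$key] = $when }
        }
    }
    end {
        $cutoff = $Now.AddDays(-$Days)
        $active = @($lastSeen.GetEnumerator() | Where-Object { $_.Value -ge $cutoff })
        [pscustomobject]@{
            WindowDays    = $Days
            DistinctUsers = $active.Count
            Users         = @($active | Sort-Object Value -Descending |
                              ForEach-Object { [pscustomobject]@{ User = $_.Key; LastLogon = $_.Value } })
        }
    }
}

function Get-RdsSessionLogonXml {
    # Live data from the local session host; needs administrator rights.
    param([int] $Days = 90)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id        = 21
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object { $_.ToXml() }
}

# Constructed sample: alice twice (different case), bob once, carol outside a 60-day window.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sample = @(
    "<Event xmlns='$ns'><System><EventID>21</EventID><TimeCreated SystemTime='2024-10-01T08:00:00Z'/></System><UserData><EventXML><User>CONTOSO\alice</User><SessionID>2</SessionID><Address>10.0.0.5</Address></EventXML></UserData></Event>",
    "<Event xmlns='$ns'><System><EventID>21</EventID><TimeCreated SystemTime='2024-10-10T09:30:00Z'/></System><UserData><EventXML><User>CONTOSO\Alice</User><SessionID>3</SessionID><Address>10.0.0.5</Address></EventXML></UserData></Event>",
    "<Event xmlns='$ns'><System><EventID>21</EventID><TimeCreated SystemTime='2024-10-12T17:05:00Z'/></System><UserData><EventXML><User>CONTOSO\bob</User><SessionID>4</SessionID><Address>10.0.0.9</Address></EventXML></UserData></Event>",
    "<Event xmlns='$ns'><System><EventID>21</EventID><TimeCreated SystemTime='2024-07-01T08:00:00Z'/></System><UserData><EventXML><User>CONTOSO\carol</User><SessionID>2</SessionID><Address>10.0.0.7</Address></EventXML></UserData></Event>"
)

# Usage on the sample (fixed "now" so the result is reproducible), then on live data:
Measure-RdsSessionUsers -EventXml $sample -Now ([datetime]'2024-10-15T00:00:00Z') -Days 60
# Get-RdsSessionLogonXml -Days 90 | Measure-RdsSessionUsers -Days 90
```

Run the live form on every session host (or collect the log centrally) and take the union, since a user who signs in to several hosts still consumes one Per User CAL.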
Use multiple Remote Desktop license servers
Article • 09/10/2024

When using multiple Remote Desktop (RD) license servers, after applying the security
update for CVE-2024-38231, ensure that the servers can properly communicate with
one another. It's important that RD license servers can communicate with one another in
either of the following scenarios:

A license is returned to an RD license server that didn't issue it
Automatic license server discovery, a mechanism that was abandoned starting with
Windows Server 2008 R2, is still in use in a Remote Desktop deployment

Workgroup-joined deployment
Workgroup-joined Remote Desktop deployments are meant for small deployments. We
don't recommend using multiple RD license servers in workgroup-joined Remote
Desktop deployments.

Important

Support for multiple license servers in workgroups may be removed in a future
version of Windows.

To use multiple RD license servers in the same workgroup, ensure that each license
server can authenticate to one another, and that they recognize each other as license
servers.

Ensure license servers are authenticated

As an example, let's consider two license servers called LICSVR1 and LICSVR2.

To ensure that LICSVR1 can authenticate to LICSVR2, you need to decide which account
LICSVR1 uses to connect to LICSVR2. We recommend creating a dedicated user account
on LICSVR2 with the following steps:

1. Connect to LICSVR2 using an administrator account. If doing so remotely, you may
need to start the Remote Desktop Connection application using the mstsc.exe
/admin command if the target machine can't contact an RD license server.

2. Once connected, right-click Start, then select Run, and enter lusrmgr.msc. Then
press ENTER.

3. Select Users in the left pane.

4. Open the Action menu and select New User….

5. Choose a username and a unique strong password for the user. Then confirm the
password.

6. Uncheck the "User must change password at next logon" checkbox.

7. Select Create.

Then, on LICSVR1, add the user and its credentials so that the NT
AUTHORITY\NETWORK SERVICE account can authenticate to LICSVR2 with the following
steps:

1. Connect to LICSVR1. If doing so remotely, you may need to start the Remote
Desktop Connection application using the mstsc.exe /admin command if the target
machine can't contact an RD license server.

2. Start a Command Prompt as NT AUTHORITY\NETWORK SERVICE. You can do this
with PsExec from the Sysinternals Utilities, by running the following command as an
administrator:

Windows Command Prompt

psexec.exe -i -u "NT AUTHORITY\NETWORK SERVICE" cmd.exe

3. Then, add a username and password to the host computer with the following
command:

Windows Command Prompt

cmdkey /add:LICSVR2 /user:LICSVR2\<USERNAME> /pass

where <USERNAME> is the name of the user you decided that LICSVR1 uses to
authenticate to LICSVR2.

4. When prompted for the password, enter the password of that user.

LICSVR1 should now be able to authenticate to LICSVR2. For LICSVR2 to recognize
LICSVR1 as another license server, you need to add the user to a local group on LICSVR2
and register that local group with the RD licensing service. In PowerShell running as
administrator on LICSVR2, use the following commands:

PowerShell

New-LocalGroup -Name <GROUP-NAME>
Add-LocalGroupMember -Group <GROUP-NAME> -Member "LICSVR2\<USERNAME>"

Where <GROUP-NAME> is the desired name for the group and <USERNAME> is the
name of the user whose credentials are registered in LICSVR1.

To register that local group with the RD licensing service in the registry, run the
following PowerShell command:

PowerShell

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\TermServLicensing\Parameters" -Name "WorkgroupLicenseServerAccountsGroup" -Value "LICSVR2\<GROUP-NAME>" -Type String

Domain-joined deployment
For domain-joined RD license servers to properly communicate with one another, they
need to know that communication is coming from another RD license server. This can be
achieved using one of the three methods described in this section.

A domain administrator can publish each RD license server to Active Directory
Domain Services (AD DS) using the PublishLS WMI method of the
Win32_TSLicenseServer class. This creates a site-level record in AD DS that can be
used to authorize communication between RD license servers. In PowerShell as a
domain administrator on a license server, run the command:

PowerShell

Invoke-WmiMethod -Class Win32_TSLicenseServer -Name PublishLS

Alternatively, each RD license server can be configured to authorize
communication from a particular set of RD license servers by configuring the Use
the specified Remote Desktop license servers group policy. That group policy is
described in more detail in License Remote Desktop session hosts. Or, the following
registry value can be set to specify license servers. In PowerShell as an
administrator on an RD license server, run the command:
PowerShell

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\TermServLicensing\Parameters" `
    -Name "SpecifiedLicenseServers" -Value @("<LicSrv1DnsHostName>","<LicSrv2DnsHostName>") -Type MultiString

Where <LicSrv1DnsHostName> and <LicSrv2DnsHostName> are the DNS host
names of the other RD license servers.

For historical reasons, RD licensing services that run on Active Directory domain
controllers don't require extra configuration.
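To check how a given license server is configured to recognise its peers, the following added example (not from the original page) reads back the registry values described in this section and in the workgroup section above, resolves each specified peer name, and warns if the host is a domain controller. Run it in an elevated PowerShell session on each RD license server.

```powershell
# Added example: audit peer-recognition settings on an RD license server.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermServLicensing\Parameters'
$params  = Get-ItemProperty -Path $RegPath -ErrorAction Stop
$cs      = Get-CimInstance -ClassName Win32_ComputerSystem

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary.
$isDc = @(4, 5) -contains $cs.DomainRole

[pscustomobject]@{
    ComputerName                        = $env:COMPUTERNAME
    PartOfDomain                        = $cs.PartOfDomain
    IsDomainController                  = $isDc
    WorkgroupLicenseServerAccountsGroup = $params.WorkgroupLicenseServerAccountsGroup
    SpecifiedLicenseServers             = @($params.SpecifiedLicenseServers)
} | Format-List

if ($isDc) {
    Write-Warning 'This host is a domain controller; RD licensing should not run here.'
}

if ($cs.PartOfDomain) {
    if (-not $params.SpecifiedLicenseServers) {
        Write-Warning 'No SpecifiedLicenseServers value; peers must be published to AD DS (PublishLS) or set by group policy.'
    }
    # Each listed peer must resolve in DNS, or the service cannot reach it.
    foreach ($peer in @($params.SpecifiedLicenseServers)) {
        try {
            $addr = ([System.Net.Dns]::GetHostEntry($peer).AddressList | Select-Object -First 1).IPAddressToString
            '{0} -> {1}' -f $peer, $addr
        } catch {
            Write-Warning "Peer '$peer' does not resolve in DNS: $($_.Exception.Message)"
        }
    }
} else {
    if (-not $params.WorkgroupLicenseServerAccountsGroup) {
        Write-Warning 'Workgroup server without WorkgroupLicenseServerAccountsGroup; peers will not be recognised.'
    } else {
        # Show which accounts are accepted as peer license servers.
        $groupName = ($params.WorkgroupLicenseServerAccountsGroup -split '\\')[-1]
        Get-LocalGroupMember -Group $groupName -ErrorAction SilentlyContinue |
            Select-Object Name, PrincipalSource
    }
}
```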

Important

We strongly advise against installing the RD licensing server on domain controllers.
Use this approach at your own risk. Per the Active Directory security best practices,
domain controllers should be treated as critical infrastructure components and
should minimize the amount of unrelated software they run. For more information,
see Protecting Domain Controllers.

Remote Desktop Services architecture
Article • 11/01/2024 •
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019,
✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10

Below are various configurations for deploying Remote Desktop Services to host
Windows apps and desktops for end-users.

Note

The architecture diagrams below show using RDS in Azure. However, you can
deploy Remote Desktop Services on-premises and on other clouds. These diagrams
are primarily intended to illustrate how the RDS roles are colocated and use other
services.

Standard RDS deployment architectures

Remote Desktop Services has two standard architectures:

Basic deployment – This contains the minimum number of servers to create a fully
effective RDS environment
Highly available deployment – This contains all necessary components to have the
highest guaranteed uptime for your RDS environment

Basic deployment
Highly available deployment
RDS architectures with unique Azure PaaS roles
Though the standard RDS deployment architectures fit most scenarios, Azure continues
to invest in first-party PaaS solutions that drive customer value. Below are some
architectures showing how they incorporate with RDS.

RDS deployment with Microsoft Entra Domain Services

The two standard architecture diagrams above are based on a traditional Active
Directory (AD) deployed on a Windows Server VM. However, if you don't have a
traditional AD and only have a Microsoft Entra tenant, through services like Office 365,
but still want to use RDS, you can use Microsoft Entra Domain Services to create
a fully managed domain in your Azure IaaS environment that uses the same users that
exist in your Microsoft Entra tenant. This removes the complexity of manually syncing
users and managing more virtual machines. Microsoft Entra Domain Services can work
in either deployment: basic or highly available.

RDS deployment with Microsoft Entra application proxy
The two standard architecture diagrams above use the RD Web/Gateway servers as the
Internet-facing entry point into the RDS system. For some environments, administrators
would prefer to remove their own servers from the perimeter and instead use
technologies that also provide additional security through reverse proxy technologies.
The Microsoft Entra application proxy PaaS role fits nicely with this scenario.

For supported configurations and how to create this setup, see how to publish Remote
Desktop with Microsoft Entra application proxy.
Integrate your Remote Desktop
Gateway infrastructure using the
Network Policy Server (NPS) extension
and Microsoft Entra ID
Article • 01/08/2025

This article provides details for integrating your Remote Desktop Gateway infrastructure
with Microsoft Entra multifactor authentication using the Network Policy Server (NPS)
extension for Microsoft Azure.

The Network Policy Server (NPS) extension for Azure allows customers to safeguard
Remote Authentication Dial-In User Service (RADIUS) client authentication using Azure's
cloud-based multifactor authentication. This solution provides two-step verification for
adding a second layer of security to user sign-ins and transactions.

This article provides step-by-step instructions for integrating the NPS infrastructure with
Microsoft Entra multifactor authentication using the NPS extension for Azure. This
enables secure verification for users attempting to sign in to a Remote Desktop
Gateway.

Note

This article shouldn't be used with MFA Server deployments and should only be
used with Microsoft Entra multifactor authentication (Cloud-based) deployments.

The Network Policy and Access Services (NPS) gives organizations the ability to do the
following:

Define central locations for the management and control of network requests by
specifying who can connect, what times of day connections are allowed, the
duration of connections, and the level of security that clients must use to connect,
and so on. Rather than specifying these policies on each VPN or Remote Desktop
(RD) Gateway server, these policies can be specified once in a central location. The
RADIUS protocol provides the centralized Authentication, Authorization, and
Accounting (AAA).
Establish and enforce Network Access Protection (NAP) client health policies that
determine whether devices are granted unrestricted or restricted access to network
resources.
Provide a means to enforce authentication and authorization for access to 802.1x-
capable wireless access points and Ethernet switches.

Typically, organizations use NPS (RADIUS) to simplify and centralize the management of
VPN policies. However, many organizations also use NPS to simplify and centralize the
management of Remote Desktop connection authorization policies (RD CAPs).

Organizations can also integrate NPS with Microsoft Entra multifactor authentication to
enhance security and provide a high level of compliance. This helps ensure that users
establish two-step verification to sign in to the Remote Desktop Gateway. For users to
be granted access, they must provide their username/password combination along with
information that the user has in their control. This information must be trusted and not
easily duplicated, such as a cell phone number, landline number, application on a mobile
device, and so on. RD Gateway currently supports two methods for the second factor: a
phone call, and Approve/Deny push notifications from the Microsoft Authenticator app.
For more information about supported authentication methods, see the section
Determine which authentication methods your users can use.

If your organization uses Remote Desktop Gateway and the user is registered for a TOTP
code along with Authenticator push notifications, the user can't meet the MFA challenge
and the Remote Desktop Gateway sign-in fails. In that case, you can set
OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE to fallback to push notifications to
Approve/Deny with Authenticator.

In order for an NPS extension to continue working for Remote Desktop Gateway users,
this registry key must be created on the NPS server. On the NPS server, open the
registry editor. Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa

Create the following String/Value pair:

Name: OVERRIDE_NUMBER_MATCHING_WITH_OTP

Value = FALSE
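The same change made from PowerShell rather than the registry editor, with a check that the extension's key exists, a read-back of the value, and a restart of the NPS service (service name IAS) so that the extension picks the setting up. This is an added example, not code from the original page; run it in an elevated PowerShell session on the NPS server where the extension is installed.

```powershell
# Added example: set OVERRIDE_NUMBER_MATCHING_WITH_OTP on the NPS server.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$Name    = 'OVERRIDE_NUMBER_MATCHING_WITH_OTP'

if (-not (Test-Path $KeyPath)) {
    # The installer creates this key; if it is missing, double-check that the
    # NPS extension is actually installed on this server.
    Write-Warning "$KeyPath did not exist; creating it."
    New-Item -Path $KeyPath -Force | Out-Null
}

# The article specifies a String value (not a DWORD) containing FALSE.
Set-ItemProperty -Path $KeyPath -Name $Name -Value 'FALSE' -Type String

# Read the value back before restarting anything.
$actual = (Get-ItemProperty -Path $KeyPath -Name $Name).$Name
if ($actual -ne 'FALSE') { throw "Unexpected value for ${Name}: '$actual'" }

# Restart NPS so the extension reloads its settings. This briefly rejects
# RADIUS requests, so do it in a maintenance window.
Restart-Service -Name IAS
Get-Service -Name IAS | Select-Object Name, Status
```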

Prior to the availability of the NPS extension for Azure, customers who wished to
implement two-step verification for integrated NPS and Microsoft Entra multifactor
authentication environments had to configure and maintain a separate MFA Server in
the on-premises environment as documented in Remote Desktop Gateway and Azure
Multi-Factor Authentication Server using RADIUS.

The availability of the NPS extension for Azure now gives organizations the choice to
deploy either an on-premises based MFA solution or a cloud-based MFA solution to
secure RADIUS client authentication.

Authentication Flow
For users to be granted access to network resources through a Remote Desktop
Gateway, they must meet the conditions specified in one RD Connection Authorization
Policy (RD CAP) and one RD Resource Authorization Policy (RD RAP). RD CAPs specify
who is authorized to connect to RD Gateways. RD RAPs specify the network resources,
such as remote desktops or remote apps, that the user is allowed to connect to through
the RD Gateway.

An RD Gateway can be configured to use a central policy store for RD CAPs. RD RAPs
can't use a central policy, as they're processed on the RD Gateway. An RD Gateway
configured to use a central policy store for RD CAPs acts as a RADIUS client to
another NPS server that serves as the central policy store.

When the NPS extension for Azure is integrated with the NPS and Remote Desktop
Gateway, the successful authentication flow is as follows:

1. The Remote Desktop Gateway server receives an authentication request from a
remote desktop user to connect to a resource, such as a Remote Desktop session.
Acting as a RADIUS client, the Remote Desktop Gateway server converts the
request to a RADIUS Access-Request message and sends the message to the
RADIUS (NPS) server where the NPS extension is installed.
2. The username and password combination is verified in Active Directory and the
user is authenticated.
3. If all the conditions as specified in the NPS Connection Request and the Network
Policies are met (for example, time of day or group membership restrictions), the
NPS extension triggers a request for secondary authentication with Microsoft Entra
multifactor authentication.
4. Microsoft Entra multifactor authentication communicates with Microsoft Entra ID,
retrieves the user's details, and performs the secondary authentication using
supported methods.
5. Upon success of the MFA challenge, Microsoft Entra multifactor authentication
communicates the result to the NPS extension.
6. The NPS server, where the extension is installed, sends a RADIUS Access-Accept
message for the RD CAP policy to the Remote Desktop Gateway server.
7. The user is granted access to the requested network resource through the RD
Gateway.

Prerequisites
This section details the prerequisites necessary before integrating Microsoft Entra
multifactor authentication with the Remote Desktop Gateway. Before you begin, you
must have the following prerequisites in place.

Remote Desktop Services (RDS) infrastructure
Microsoft Entra multifactor authentication license
Windows Server software
Network Policy and Access Services (NPS) role
Microsoft Entra ID synced with on-premises Active Directory
Microsoft Entra tenant ID (GUID)

Remote Desktop Services (RDS) infrastructure


You must have a working Remote Desktop Services (RDS) infrastructure in place. If you
don't, then you can quickly create this infrastructure in Azure using the following
quickstart template: Create Remote Desktop Session Collection deployment.

If you wish to manually create an on-premises RDS infrastructure quickly for testing
purposes, follow the steps to deploy one. Learn more: Deploy RDS with Azure quickstart
and Basic RDS infrastructure deployment.

Windows Server software


The NPS extension requires Windows Server 2008 R2 SP1 or above with the NPS role
service installed. All the steps in this section were performed using Windows Server
2016.

Network Policy and Access Services (NPS) role


The NPS role service provides the RADIUS server and client functionality and Network
Access Policy health service. This role must be installed on at least two computers in
your infrastructure: the Remote Desktop Gateway and another member server or
domain controller. By default, the role is already present on the computer configured as
the Remote Desktop Gateway. You must also install the NPS role on at least one other
computer, such as a domain controller or member server.

For information on installing the NPS role service on Windows Server 2012 or older, see
Install a NAP Health Policy Server. For a description of best practices for NPS, including
the recommendation to install NPS on a domain controller, see Best Practices for NPS.

Microsoft Entra synced with on-premises Active Directory


To use the NPS extension, on-premises users must be synced with Microsoft Entra ID
and enabled for MFA. This section assumes that on-premises users are synced with
Microsoft Entra ID using AD Connect. For information on Microsoft Entra Connect, see
Integrate your on-premises directories with Microsoft Entra ID.

Microsoft Entra GUID ID


To install the NPS extension, you need to know the tenant ID (a GUID) of your Microsoft
Entra tenant. The section Obtain the directory tenant ID below explains how to find it.

Configure multifactor authentication


This section provides instructions for integrating Microsoft Entra multifactor
authentication with the Remote Desktop Gateway. As an administrator, you must
configure the Microsoft Entra multifactor authentication service before users can self-
register their multifactor devices or applications.

Follow the steps in Getting started with Microsoft Entra multifactor authentication in the
cloud to enable MFA for your Microsoft Entra users.

Configure accounts for two-step verification


Once an account has been enabled for MFA, you can't sign in to resources governed by
the MFA policy until you have successfully configured a trusted device to use for the
second authentication factor and have authenticated using two-step verification.

Follow the steps in What does Microsoft Entra multifactor authentication mean for
me? to understand and properly configure your devices for MFA with your user
account.

Important

The sign-in behavior for Remote Desktop Gateway doesn't provide the option to
enter a verification code with Microsoft Entra multifactor authentication. A user
account must be configured for phone verification or the Microsoft Authenticator
app with Approve/Deny push notifications.

If neither phone verification nor the Microsoft Authenticator app with
Approve/Deny push notifications is configured for a user, the user won't be able to
complete the Microsoft Entra multifactor authentication challenge and sign in to
Remote Desktop Gateway.

The SMS text method doesn't work with Remote Desktop Gateway because it
doesn't provide the option to enter a verification code.

Install and configure NPS extension


This section provides instructions for configuring RDS infrastructure to use Microsoft
Entra multifactor authentication for client authentication with the Remote Desktop
Gateway.

Obtain the directory tenant ID


As part of the configuration of the NPS extension, you must supply administrator
credentials and the ID of your Microsoft Entra tenant. To get the tenant ID, complete the
following steps:

1. Sign in to the Microsoft Entra admin center .

2. Browse to Identity > Overview and copy the Tenant ID value shown under Basic information.

Install the NPS extension


Install the NPS extension on a server that has the Network Policy and Access Services
(NPS) role installed. This functions as the RADIUS server for your design.

Important

Don't install the NPS extension on your Remote Desktop Gateway (RDG) server. The
RDG server doesn't use the RADIUS protocol with its client, so the extension can't
interpret and perform the MFA.
When the RDG server and the NPS server with the NPS extension are different servers, RDG
uses NPS internally to talk to other NPS servers and uses RADIUS as the protocol to
correctly communicate.

1. Download the NPS extension.

2. Copy the setup executable file (NpsExtnForAzureMfaInstaller.exe) to the NPS
server.

3. On the NPS server, double-click NpsExtnForAzureMfaInstaller.exe. If prompted,
select Run.

4. In the NPS Extension For Microsoft Entra multifactor authentication Setup dialog
box, review the software license terms, check I agree to the license terms and
conditions, and select Install.

5. In the NPS Extension For Microsoft Entra multifactor authentication Setup dialog
box, select Close.

Configure certificates for use with the NPS extension using a PowerShell script

Next, you need to configure certificates for use by the NPS extension to secure its
communication with Microsoft Entra ID. The NPS components include a PowerShell script that
configures a self-signed certificate for use with NPS.

The script performs the following actions:

Creates a self-signed certificate
Associates the public key of the certificate with the service principal in Microsoft Entra ID
Stores the certificate in the local machine store
Grants access to the certificate's private key to the network user
Restarts the Network Policy Server service

If you want to use your own certificate instead, you need to perform the equivalent steps
yourself: associate the public key of your certificate with the service principal in
Microsoft Entra ID, store the certificate in the local machine store, and grant the
service access to its private key.

To use the script, provide the extension with your Microsoft Entra Admin credentials and
the Microsoft Entra tenant ID that you copied earlier. Run the script on each NPS server
where you installed the NPS extension. Then do the following:

1. Open an administrative Windows PowerShell prompt.

2. At the PowerShell prompt, type cd 'c:\Program Files\Microsoft\AzureMfa\Config' ,
and press ENTER.

3. Type .\AzureMfaNpsExtnConfigSetup.ps1 , and press ENTER. The script checks to see
if the PowerShell module is installed. If not installed, the script installs the module
for you.

4. After the script verifies the installation of the PowerShell module, it displays the
PowerShell module dialog box. In the dialog box, enter your Microsoft Entra admin
credentials and password, and select Sign In.

5. When prompted, paste the Tenant ID you copied to the clipboard earlier, and press
ENTER.

6. The script creates a self-signed certificate and performs other configuration
changes.

Configure NPS components on Remote Desktop Gateway

In this section, you configure the Remote Desktop Gateway connection authorization
policies and other RADIUS settings.

The authentication flow requires that RADIUS messages be exchanged between the
Remote Desktop Gateway and the NPS server where the NPS extension is installed. This
means that you must configure RADIUS client settings on both Remote Desktop
Gateway and the NPS server where the NPS extension is installed.

Configure Remote Desktop Gateway connection authorization policies to use central store

Remote Desktop connection authorization policies (RD CAPs) specify the requirements
for connecting to a Remote Desktop Gateway server. RD CAPs can be stored locally
(default) or they can be stored in a central RD CAP store that is running NPS. To
configure integration of Microsoft Entra multifactor authentication with RDS, you need
to specify the use of a central store.

1. On the RD Gateway server, open Server Manager.

2. On the menu, select Tools, point to Remote Desktop Services, and then select
Remote Desktop Gateway Manager.

3. In the RD Gateway Manager, right-click [Server Name] (Local), and select
Properties.

4. In the Properties dialog box, select the RD CAP Store tab.

5. On the RD CAP Store tab, select Central server running NPS.

6. In the Enter a name or IP address for the server running NPS field, type the IP
address or server name of the server where you installed the NPS extension.
7. Select Add.

8. In the Shared Secret dialog box, enter a shared secret, and then select OK. Ensure
you record this shared secret and store the record securely.

Note

The shared secret is used to establish trust between the RADIUS servers and
clients. Create a long and complex secret.
9. Select OK to close the dialog box.

Configure RADIUS timeout value on Remote Desktop Gateway NPS

To ensure there is time to validate users' credentials, perform two-step verification,
receive responses, and respond to RADIUS messages, it's necessary to adjust the
RADIUS timeout value.

1. On the RD Gateway server, open Server Manager. On the menu, select Tools, and
then select Network Policy Server.

2. In the NPS (Local) console, expand RADIUS Clients and Servers, and select
Remote RADIUS Server.

3. In the details pane, double-click TS GATEWAY SERVER GROUP.

Note

This RADIUS server group was created when you configured the central
server for NPS policies. The RD Gateway forwards RADIUS messages to this
server, or to the group of servers if the group contains more than one.

4. In the TS GATEWAY SERVER GROUP Properties dialog box, select the IP address or
name of the NPS server you configured to store RD CAPs, and then select Edit.

5. In the Edit RADIUS Server dialog box, select the Load Balancing tab.

6. In the Load Balancing tab, in the Number of seconds without response before
request is considered dropped field, change the default value from 3 to a value
between 30 and 60 seconds.

7. In the Number of seconds between requests when server is identified as
unavailable field, change the default value of 30 seconds to a value that is equal to
or greater than the value you specified in the previous step.
8. Select OK two times to close the dialog boxes.

Verify Connection Request Policies

By default, when you configure the RD Gateway to use a central policy store for
connection authorization policies, the RD Gateway is configured to forward CAP
requests to the NPS server. The NPS server with the Microsoft Entra multifactor
authentication extension installed processes the RADIUS access request. The following
steps show you how to verify the default connection request policy.

1. On the RD Gateway, in the NPS (Local) console, expand Policies, and select
Connection Request Policies.

2. Double-click TS GATEWAY AUTHORIZATION POLICY.

3. In the TS GATEWAY AUTHORIZATION POLICY properties dialog box, select the
Settings tab.

4. On the Settings tab, under Forwarding Connection Request, select Authentication.
Confirm that the policy is configured to forward authentication requests to the
remote RADIUS server group (TS GATEWAY SERVER GROUP); this is what makes the
RD Gateway act as a RADIUS client of the central NPS server.

5. Select Cancel.

Note

For more information about creating a connection request policy, see Configure
connection request policies.

Configure NPS on the server where the NPS extension is installed

The NPS server where the NPS extension is installed needs to be able to exchange
RADIUS messages with the NPS server on the Remote Desktop Gateway. To enable this
message exchange, you need to configure the NPS components on the server where the
NPS extension service is installed.

Register Server in Active Directory

To function properly in this scenario, the NPS server needs to be registered in Active
Directory.

1. On the NPS server, open Server Manager.

2. In Server Manager, select Tools, and then select Network Policy Server.

3. In the Network Policy Server console, right-click NPS (Local), and then select
Register server in Active Directory.

4. Select OK two times.

5. Leave the console open for the next procedure.

Create and configure RADIUS client

The Remote Desktop Gateway needs to be configured as a RADIUS client to the NPS
server.

1. On the NPS server where the NPS extension is installed, in the NPS (Local) console,
right-click RADIUS Clients and select New.

2. In the New RADIUS Client dialog box, provide a friendly name, such as Gateway,
and the IP address or DNS name of the Remote Desktop Gateway server.

3. In the Shared secret and the Confirm shared secret fields, enter the same secret
that you used before.

4. Select OK to close the New RADIUS Client dialog box.
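The same registration done from the command line, together with a way to produce the long, complex shared secret that the earlier Note asks for. This is an added example, not code from the original page: it uses netsh nps, which is the command-line interface for NPS, and the gateway address rdgw01.corp.contoso.com is an assumption. Run it in an elevated PowerShell session on the NPS server where the extension is installed; the secret it prints is the one you enter on the RD Gateway's RD CAP Store tab.

```powershell
# Added example: generate a RADIUS shared secret and register the RD Gateway
# as a RADIUS client on the NPS server that runs the NPS extension.

function New-RadiusSharedSecret {
    param([int]$Length = 64)
    # Letters and digits only, so the value needs no quoting wherever it is typed.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb       = New-Object System.Text.StringBuilder
    $buf      = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        # Reject bytes >= 248 (4 * 62) so that "mod 62" stays unbiased.
        if ($buf[0] -lt 248) { [void]$sb.Append($alphabet[$buf[0] % 62]) }
    }
    $sb.ToString()
}

$GatewayName    = 'Gateway'
$GatewayAddress = 'rdgw01.corp.contoso.com'   # assumption: your RD Gateway FQDN or IP
$SharedSecret   = New-RadiusSharedSecret

# Equivalent of 'RADIUS Clients > New' in the NPS console. Use a distinct
# secret per RADIUS client; never reuse one across gateways.
netsh nps add client name="$GatewayName" address="$GatewayAddress" state="enable" sharedsecret="$SharedSecret"
if ($LASTEXITCODE -ne 0) { throw "netsh nps add client failed (exit code $LASTEXITCODE)" }

# Confirm the client exists; netsh never displays the secret itself.
netsh nps show client

# Show the secret once so it can be entered in RD Gateway Manager and stored in
# your secrets vault. Do not write it to a log file or leave it in a script.
Write-Host "Shared secret for RADIUS client '$GatewayName':"
Write-Host $SharedSecret
```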


Configure Network Policy
Recall that the NPS server with the Microsoft Entra multifactor authentication extension
is the designated central policy store for the Connection Authorization Policy (CAP).
Therefore, you need to implement a CAP on the NPS server to authorize valid
connections requests.

1. On the NPS Server, open the NPS (Local) console, expand Policies, and select
Network Policies.

2. Right-click Connections to other access servers, and select Duplicate Policy.

3. Right-click Copy of Connections to other access servers, and select Properties.

4. In the Copy of Connections to other access servers dialog box, in Policy name,
enter a suitable name, such as RDG_CAP. Check Policy enabled, and select Grant
access. Optionally, in Type of network access server, select Remote Desktop
Gateway, or you can leave it as Unspecified.
5. Select the Constraints tab, and check Allow clients to connect without
negotiating an authentication method.
6. Optionally, select the Conditions tab and add conditions that must be met for the
connection to be authorized, for example, membership in a specific Windows
group.
7. Select OK. When prompted to view the corresponding Help topic, select No.

8. Ensure that your new policy is at the top of the list, that the policy is enabled, and
that it grants access.

Verify configuration
To verify the configuration, you need to sign in to the Remote Desktop Gateway with a
suitable RDP client. Be sure to use an account that is allowed by your Connection
Authorization Policies and is enabled for Microsoft Entra multifactor authentication.

As shown in the following image, you can use the Remote Desktop Web Access page.
After you successfully enter your credentials for primary authentication, the Remote
Desktop Connect dialog box shows a status of Initiating remote connection, as shown in
the following section.

If you successfully authenticate with the secondary authentication method you
previously configured in Microsoft Entra multifactor authentication, you're connected to
the resource. However, if the secondary authentication isn't successful, you're denied
access to the resource.

In the following example, the Authenticator app on a Windows phone is used to provide
the secondary authentication.

Once you have successfully authenticated using the secondary authentication method,
you're logged into the Remote Desktop Gateway as normal. However, because you're
required to use a secondary authentication method using a mobile app on a trusted
device, the sign in process is more secure than it would be otherwise.

View Event Viewer logs for successful logon events

To view the successful sign-in events in the Windows Event Viewer logs, you can issue
the following PowerShell commands to query the Windows Terminal Services and
Windows Security logs.

To query successful sign-in events in the Gateway operational log (Event
Viewer\Applications and Services Logs\Microsoft\Windows\TerminalServices-
Gateway\Operational), use the following PowerShell commands:

PowerShell

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-TerminalServices-Gateway/Operational'; Id=300} | Format-List

This command displays events that show the user met resource authorization policy
requirements (RD RAP) and was granted access.

PowerShell

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-TerminalServices-Gateway/Operational'; Id=200} | Format-List

This command displays events that show the user met connection authorization policy
requirements (RD CAP).

You can also view this log in Event Viewer and filter on event IDs 300 and 200. To query
successful logon events in the Security log, use the following command:

PowerShell

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6272} | Format-List

This command can be run on either the central NPS server or the RD Gateway server.
You can also view the Security log, or the Network Policy and Access Services custom
view, in Event Viewer.

On the server where you installed the NPS extension for Microsoft Entra multifactor
authentication, you can find Event Viewer application logs specific to the extension at
Application and Services Logs\Microsoft\AzureMfa.
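A single query that gathers the events from all three sources above (gateway 200/300, Security 6272/6273, and the extension's own logs) for the last N hours and lines them up by time, which is what you actually want when tracing one user's sign-in across the RD Gateway and the NPS server. This is an added example, not code from the original page. It discovers the extension's log names with a wildcard rather than hard-coding them, and skips any log that does not exist on the host, so the same function runs on either server.

```powershell
# Added example: collect RD Gateway, NPS, and NPS-extension sign-in events
# from the local server and present them as one time-ordered list.
function Get-RdgMfaSignInEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # Log name, event IDs of interest, and a short meaning for the report.
    $queries = @(
        @{ Log = 'Microsoft-Windows-TerminalServices-Gateway/Operational'; Id = 200, 300
           Meaning = 'RD CAP met (200) / RD RAP met (300)' }
        @{ Log = 'Security'; Id = 6272, 6273
           Meaning = 'NPS granted access (6272) / denied access (6273)' }
    )
    # The extension writes to several Microsoft-AzureMfa-* logs; take whatever
    # exists on this host (none on the RD Gateway, which is fine).
    foreach ($log in Get-WinEvent -ListLog 'Microsoft-AzureMfa-*' -ErrorAction SilentlyContinue) {
        $queries += @{ Log = $log.LogName; Id = $null; Meaning = 'NPS extension for Microsoft Entra MFA' }
    }

    foreach ($q in $queries) {
        $filter = @{ LogName = $q.Log; StartTime = $since }
        if ($q.Id) { $filter.Id = $q.Id }
        # A missing log, or a log with no matching events, raises a
        # non-terminating error; ignore it and move on.
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            # Security events carry "Account Name:"; gateway events quote the
            # user as the first quoted string in the message.
            $user = if ($_.Message -match 'Account Name:\s+(.+)') { $Matches[1].Trim() }
                    elseif ($_.Message -match '"([^"]+)"')        { $Matches[1] }
                    else                                          { '' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Log     = $q.Log
                Id      = $_.Id
                User    = $user
                Meaning = $q.Meaning
                Summary = ($_.Message -split "`r?`n")[0]
            }
        }
    }
}

Get-RdgMfaSignInEvents -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

Running it on the NPS server during a failed sign-in shows whether the request ever reached NPS (no Security event means a RADIUS client, shared secret, or timeout problem on the gateway side) and, if it did, whether it was NPS policy or the MFA challenge that rejected it.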
Troubleshooting guide

If the configuration isn't working as expected, start by verifying that the user is
configured to use Microsoft Entra multifactor authentication. Have the user sign in to
the Microsoft Entra admin center. If the user is prompted for secondary verification and
can successfully authenticate, you can rule out an incorrect configuration of Microsoft
Entra multifactor authentication.

If Microsoft Entra multifactor authentication is working for the user(s), you should review
the relevant Event logs. These include the Security Event, Gateway operational, and
Microsoft Entra multifactor authentication logs that are discussed in the previous
section.

The following is example output from the Security log showing a failed logon event
(Event ID 6273), followed by the related event from the AzureMfa logs.

For advanced troubleshooting, consult the NPS database-format log files on the server
where the NPS service is installed. These log files are created in the
%SystemRoot%\System32\Logs folder as comma-delimited text files.

For a description of these log files, see Interpret NPS Database Format Log Files. The
entries in these log files can be difficult to interpret without importing them into a
spreadsheet or a database. Several IAS log parsers are available online to assist you in
interpreting the log files; the following image shows the output of one such
downloadable shareware application.
Next steps
How to get Microsoft Entra multifactor authentication

Remote Desktop Gateway and Azure Multi-Factor Authentication Server using RADIUS

Integrate your on-premises directories with Microsoft Entra ID


Integrate Microsoft Entra Domain
Services with your RDS deployment
Article • 07/03/2024 •
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019,
✅ Windows Server 2016

You can use Microsoft Entra Domain Services in your Remote Desktop Services
deployment in place of Windows Server Active Directory. Microsoft Entra Domain
Services lets you use your existing Microsoft Entra identities with classic Windows
workloads.

With Microsoft Entra Domain Services you can:

Create an Azure environment with a local domain for born-in-the-cloud
organizations.
Create an isolated Azure environment with the same identities used for your on-
premises and online environment, without needing to create a site-to-site VPN or
ExpressRoute.

When you finish integrating Microsoft Entra Domain Services into your Remote Desktop
deployment, your architecture will look something like this:
To see how this architecture compares with other RDS deployment scenarios, check out
Remote Desktop Services architectures.

To get a better understanding of Microsoft Entra Domain Services, check out the
Microsoft Entra Domain Services overview and How to decide if Microsoft Entra Domain
Services is right for your use-case.

Use the following information to deploy Microsoft Entra Domain Services with RDS.

Prerequisites
Before you can bring your identities from Microsoft Entra ID to use in an RDS
deployment, configure Microsoft Entra ID to save the hashed passwords for your users'
identities. Born-in-the-cloud organizations don't need to make any additional changes
in their directory; however, on-premises organizations need to allow password hashes to
be synchronized and stored in Microsoft Entra ID, which may not be permissible to
some organizations. Users will have to reset their passwords after making this
configuration change.

Deploy Microsoft Entra Domain Services and RDS

Use the following steps to deploy Microsoft Entra Domain Services and RDS.

1. Enable Microsoft Entra Domain Services. Note that the linked article does the
following:

Walk through creating the appropriate Microsoft Entra groups for domain
administration.
Highlight when you might have to force users to change their password so
their accounts can work with Microsoft Entra Domain Services.

2. Set up RDS. You can either use an Azure template or deploy RDS manually.

Use the Existing AD template. Make sure to customize the following:

Settings

Resource group: Use the resource group where you want to create the
RDS resources.

Note

Right now this has to be the same resource group where the Azure
resource manager virtual network exists.

Dns Label Prefix: Enter the URL that you want users to use to access RD
Web.

Ad Domain Name: Enter the full name of your Microsoft Entra instance,
for example, "contoso.onmicrosoft.com" or "contoso.com".

Ad Vnet Name and Ad Subnet Name: Enter the same values that you
used when you created the Azure resource manager virtual network.
This is the subnet to which the RDS resources will connect.

Admin Username and Admin Password: Enter the credentials for an
admin user that's a member of the AAD DC Administrators group in
Microsoft Entra ID.

Template

Remove all properties of dnsServers: after selecting Edit template from
the Azure quickstart template page, search for "dnsServers" and remove
the property.

For example, before removing the dnsServers property:

And here's the same file after removing the property:
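The before/after screenshots are not reproduced here. As an added example (not part of the article), the following PowerShell makes the same edit on a locally saved copy of the quickstart template: it walks the parsed JSON and drops every property named dnsServers, wherever it appears. The file names and the helper function are assumptions.

```powershell
# Added example: strip the dnsServers property from a downloaded ARM template before
# deploying the Existing AD quickstart template. File paths are assumptions.
param(
    [string]$TemplatePath = '.\azuredeploy.json',
    [string]$OutputPath   = '.\azuredeploy.nodns.json'
)

# Walk the parsed JSON object graph and remove any property named dnsServers.
# Returns the number of properties removed so the caller can tell if the
# template actually contained one.
function Remove-DnsServersProperty {
    param($Node)
    $removed = 0
    if ($Node -is [System.Management.Automation.PSCustomObject]) {
        # Snapshot the property list: we modify the object while iterating.
        foreach ($prop in @($Node.PSObject.Properties)) {
            if ($prop.Name -eq 'dnsServers') {
                $Node.PSObject.Properties.Remove($prop.Name)
                $removed++
            } else {
                $removed += Remove-DnsServersProperty -Node $prop.Value
            }
        }
    } elseif ($Node -is [System.Collections.IEnumerable] -and -not ($Node -is [string])) {
        foreach ($item in $Node) { $removed += Remove-DnsServersProperty -Node $item }
    }
    return $removed
}

$template = Get-Content -Path $TemplatePath -Raw | ConvertFrom-Json
$count = Remove-DnsServersProperty -Node $template
if ($count -eq 0) { Write-Warning "No dnsServers property found in $TemplatePath" }
else { Write-Host "Removed $count dnsServers property/properties" }

# -Depth matters: ConvertTo-Json truncates nested objects at depth 2 by default,
# which would silently corrupt a template.
$template | ConvertTo-Json -Depth 100 | Set-Content -Path $OutputPath -Encoding UTF8
```

Run it against the downloaded azuredeploy.json, then upload the .nodns.json copy in the template editor instead of editing by hand; a diff of the two files shows exactly which properties were dropped.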

Deploy RDS manually.

Publish Remote Desktop with Microsoft Entra application proxy
Article • 02/27/2024

Remote Desktop Service and Microsoft Entra application proxy work together to
improve the productivity of workers who are away from the corporate network.

The intended audience for this article is:

Current application proxy customers who want to offer more applications to their
end users by publishing on-premises applications through Remote Desktop
Services.
Current Remote Desktop Services customers who want to reduce the attack surface
of their deployment by using Microsoft Entra application proxy. This scenario gives
a set of two-step verification and Conditional Access controls to RDS.

How application proxy fits in the standard RDS deployment
A standard RDS deployment includes various Remote Desktop role services running on
Windows Server. Multiple deployment options exist in the Remote Desktop Services
architecture. Unlike other RDS deployment options, the RDS deployment with Microsoft
Entra application proxy (shown in the following diagram) has a permanent outbound
connection from the server running the connector service. Other deployments leave
open inbound connections through a load balancer.

In an RDS deployment, the Remote Desktop (RD) Web role and the RD Gateway role run
on Internet-facing machines. These endpoints are exposed for the following reasons:

RD Web provides the user a public endpoint to sign in and view the various on-
premises applications and desktops they can access. When you select a resource, a
Remote Desktop Protocol (RDP) connection is created using the native app on the
OS.
RD Gateway comes into the picture once a user launches the RDP connection. The
RD Gateway handles encrypted RDP traffic coming over the internet and translates
it to the on-premises server that the user is connecting to. In this scenario, the
traffic the RD Gateway is receiving comes from the Microsoft Entra application
proxy.

Tip

If you haven't deployed RDS before, or want more information before you begin,
learn how to seamlessly deploy RDS with Azure Resource Manager and Azure
Marketplace.

Requirements
Both the RD Web and RD Gateway endpoints must be located on the same
machine, and with a common root. RD Web and RD Gateway are published as a
single application with application proxy so that you can have a single sign-on
experience between the two applications.
Deploy RDS and enable application proxy. Enabling application proxy includes
opening the required ports and URLs and enabling Transport Layer Security (TLS)
1.2 on the server. To learn which ports need to be opened, and other details, see
Tutorial: Add an on-premises application for remote access through application
proxy in Microsoft Entra ID.
Your end users must use a compatible browser to connect to RD Web or the RD
Web client. For more information, see Support for client configurations.
When publishing RD Web, use the same internal and external Fully Qualified
Domain Name (FQDN) when possible. If the internal and external Fully Qualified
Domain Names (FQDNs) are different, disable Request Header Translation to avoid
the client receiving invalid links.
If you're using the RD Web client, you must use the same internal and external
FQDN. If the internal and external FQDNs are different, you encounter websocket
errors when making a RemoteApp connection through the RD Web client.
If you're using RD Web on Internet Explorer, you need to enable the RDS ActiveX
add-on.
If you're using the RD Web client, you'll need to use the application proxy
connector version 1.5.1975 or later.
For the Microsoft Entra pre authentication flow, users can only connect to
resources published to them in the RemoteApp and Desktops pane. Users can't
connect to a desktop using the Connect to a remote PC pane.
If you're using Windows Server 2019, you need to disable HTTP2 protocol. For
more information, see Tutorial: Add an on-premises application for remote access
through application proxy in Microsoft Entra ID.

Deploy the joint RDS and application proxy scenario
After setting up RDS and Microsoft Entra application proxy for your environment, follow
the steps to combine the two solutions. These steps walk through publishing the two
web-facing RDS endpoints (RD Web and RD Gateway) as applications, and then
directing traffic on your RDS to go through application proxy.

Publish the RD host endpoint

1. Publish a new application proxy application with the following values:

Internal URL: https://<rdhost>.com/ , where <rdhost> is the common root
that RD Web and RD Gateway share.
External URL: This field is automatically populated based on the name of the
application, but you can modify it. Your users go to this URL when they access
RDS.
Pre authentication method: Microsoft Entra ID.
Translate URL headers: No.
Use HTTP-Only Cookie: No.

2. Assign users to the published RD application. Make sure they all have access to
RDS, too.

3. Leave the single sign-on method for the application as Microsoft Entra single
sign-on disabled.

Note

Your users are asked to authenticate once to Microsoft Entra ID and once to
RD Web, but they have single sign-on to RD Gateway.

4. Browse to Identity > Applications > App registrations. Choose your app from the
list.

5. Under Manage, select Branding.

6. Update the Home page URL field to point to your RD Web endpoint (like
https://<rdhost>.com/RDWeb ).

Direct RDS traffic to application proxy

Connect to the RDS deployment as an administrator and change the RD Gateway server
name for the deployment. This configuration ensures that connections go through the
Microsoft Entra application proxy service.

1. Connect to the RDS server running the RD Connection Broker role.

2. Launch Server Manager.

3. Select Remote Desktop Services from the pane on the left.

4. Select Overview.

5. In the Deployment Overview section, select the drop-down menu and choose Edit
deployment properties.

6. In the RD Gateway tab, change the Server name field to the External URL that you
set for the RD host endpoint in application proxy.

7. Change the Logon method field to Password Authentication.

8. Run this command for each collection. Replace <yourcollectionname> and
<proxyfrontendurl> with your own information. This command enables single sign-
on between RD Web and RD Gateway, and optimizes performance.

    Set-RDSessionCollectionConfiguration -CollectionName "<yourcollectionname>" -CustomRdpProperty "pre-authentication server address:s:<proxyfrontendurl>`nrequire pre-authentication:i:1"

For example:

    Set-RDSessionCollectionConfiguration -CollectionName "QuickSessionCollection" -CustomRdpProperty "pre-authentication server address:s:https://remotedesktoptest-aadapdemo.msappproxy.net/`nrequire pre-authentication:i:1"

Note

The above command uses a backtick in "`nrequire".

9. To verify the modification of the custom RDP properties and view the RDP file
contents that are downloaded from RDWeb for this collection, run the following
command.

    (get-wmiobject -Namespace root\cimv2\terminalservices -Class Win32_RDCentralPublishedRemoteDesktop).RDPFileContents

Now that Remote Desktop is configured, Microsoft Entra application proxy takes over as
the internet-facing component of RDS. Remove the other public internet-facing
endpoints on your RD Web and RD Gateway machines.
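Steps 8 and 9 above are per-collection and leave the check to eyeballing the RDP file. As an added example (not from the article), the following PowerShell applies the two pre-authentication properties to every collection on the broker and then parses the published RDP file contents, using the same WMI class the article queries, to confirm both properties are present with the expected values. The broker name, the proxy URL and the helper functions are assumptions.

```powershell
# Added example: set the application proxy pre-authentication RDP properties on all
# collections and verify them. Broker FQDN and proxy URL are placeholders.
Import-Module RemoteDesktop

$ConnectionBroker = 'broker.contoso.com'                      # placeholder
$ProxyFrontEndUrl = 'https://<yourapp>.msappproxy.net/'       # placeholder: External URL from application proxy

# Exactly the properties the article sets; "`n" separates lines in the RDP file.
$customRdp = "pre-authentication server address:s:$ProxyFrontEndUrl`nrequire pre-authentication:i:1"

# Parse RDP file text ("name:type:value" per line) into a hashtable keyed by name.
function ConvertFrom-RdpFile {
    param([string]$Content)
    $settings = @{}
    foreach ($line in ($Content -split "`r?`n")) {
        if ($line -match '^(?<name>[^:]+):(?<type>[sib]):(?<value>.*)$') {
            $settings[$Matches.name] = $Matches.value
        }
    }
    return $settings
}

# True when a parsed RDP file carries both pre-authentication properties.
function Test-PreAuthProperties {
    param([hashtable]$Settings, [string]$ExpectedUrl)
    return ($Settings['require pre-authentication'] -eq '1') -and
           ($Settings['pre-authentication server address'] -eq $ExpectedUrl)
}

# Step 8, for every collection instead of one at a time.
foreach ($collection in Get-RDSessionCollection -ConnectionBroker $ConnectionBroker) {
    Set-RDSessionCollectionConfiguration -ConnectionBroker $ConnectionBroker `
        -CollectionName $collection.CollectionName -CustomRdpProperty $customRdp
}

# Step 9: read the published RDP files back from the broker and check each one.
$published = Invoke-Command -ComputerName $ConnectionBroker -ScriptBlock {
    Get-WmiObject -Namespace root\cimv2\terminalservices -Class Win32_RDCentralPublishedRemoteDesktop
}
foreach ($desktop in $published) {
    $parsed = ConvertFrom-RdpFile -Content $desktop.RDPFileContents
    $ok = Test-PreAuthProperties -Settings $parsed -ExpectedUrl $ProxyFrontEndUrl
    '{0,-40} pre-auth configured: {1}' -f $desktop.Name, $ok
}
```

A collection reporting False here is one whose users will still be handed an RDP file that bypasses the proxy, which is exactly the case the next paragraph warns about when you remove the public endpoints.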

Enable the RD Web Client

If you want users to use the RD Web Client, follow the steps at Set up the Remote
Desktop web client for your users.

The Remote Desktop web client provides access for your organization's Remote Desktop
infrastructure. An HTML5-compatible web browser such as Microsoft Edge, Google
Chrome, Safari, or Mozilla Firefox (v55.0 and later) is required.

Test the scenario

Test the scenario with Internet Explorer on a Windows 7 or 10 computer.

1. Go to the external URL you set up, or find your application in the MyApps panel .
2. Authenticate to Microsoft Entra ID. Use an account that you assigned to the
application.
3. Authenticate to RD Web.
4. Once your RDS authentication succeeds, you can select the desktop or application
you want, and start working.

Support for other client configurations

The configuration outlined in this article is for access to RDS via RD Web or the RD Web
Client. If you need to, however, you can support other operating systems or browsers.
The difference is in the authentication method that you use.

Authentication method | Supported client configuration
Pre authentication | RD Web - Windows 7/10/11 using Microsoft Edge Chromium IE mode + RDS ActiveX add-on
Pre authentication | RD Web Client - HTML5-compatible web browser such as Microsoft Edge, Internet Explorer 11, Google Chrome, Safari, or Mozilla Firefox (v55.0 and later)
Passthrough | Any other operating system that supports the Microsoft Remote Desktop application

Note

Microsoft Edge Chromium IE mode is required when the My Apps portal is used for
accessing the Remote Desktop app.

The pre authentication flow offers more security benefits than the passthrough flow.
With pre authentication you can use Microsoft Entra authentication features like single
sign-on, Conditional Access, and two-step verification for your on-premises resources.
You also ensure that only authenticated traffic reaches your network.

To use passthrough authentication, there are just two modifications to the steps listed in
this article:

1. In Publish the RD host endpoint step 1, set the Preauthentication method to
Passthrough.
2. In Direct RDS traffic to application proxy, skip step 8 entirely.

Next steps
Enable remote access to SharePoint with Microsoft Entra application proxy
Security considerations for accessing apps remotely by using Microsoft Entra
application proxy
Best practices for load balancing multiple app servers
Scale out your Remote Desktop Services deployment by adding an RD Session Host farm
Article • 11/01/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

You can improve the availability and scale of your RDS deployment by adding a Remote
Desktop Session Host (RDSH) farm.

Use the following steps to add another RD Session Host to your deployment:

1. Create a server to host the second RD Session Host. If you are using Azure virtual
machines, make sure to include the new VM in the same availability set that holds
your first RD Session Host.

2. Enable remote management on the new server or virtual machine:
a. In Server Manager, click Local Server > Remote management current setting
(disabled).
b. Select Enable remote management for this server, and then click OK.
c. Optional: You can temporarily set Windows Update to not automatically
download and install updates. This helps prevent changes and system restarts
while you deploy the RDSH server. In Server Manager, click Local Server >
Windows Update current setting. Click Advanced options > Defer upgrades.

3. Add the server or VM to the domain:
a. In Server Manager, click Local Server > Workgroup current setting.
b. Click Change > Domain, and then enter the domain name (for example,
Contoso.com).
c. Enter the domain administrator credentials.
d. Restart the server or VM.

4. Add the new RD Session Host to the farm:

Note

Step 1, creating a public IP address for the RDMS virtual machine, is only
necessary if you are using a VM for the RDMS and if it does not already have
an IP address assigned.

a. Create a public IP address for the virtual machine running Remote Desktop
Management Services (RDMS). The RDMS virtual machine will typically be the
virtual machine running the first instance of the RD Connection Broker role.
i. In the Azure portal, click Browse > Resource groups, click the resource group
for the deployment and then click the RDMS virtual machine (for example,
Contoso-Cb1).
ii. Click Settings > Network interfaces, and then click the corresponding
network interface.
iii. Click Settings > IP address.
iv. For Public IP address, select Enabled, and then click IP address.
v. If you have an existing public IP address you want to use, select it from the
list. Otherwise, click Create new, enter a name, and then click OK and then
Save.
b. Sign into the RDMS.
c. Add the new RDSH server to Server Manager:
i. Launch Server Manager, click Manage > Add Servers.
ii. In the Add Servers dialog, click Find Now.
iii. Select the server you want to use for the RD Session Host or the newly
created virtual machine (for example, Contoso-Sh2) and click OK.
d. Add the RDSH server to the deployment
i. Launch Server Manager.
ii. Click Remote Desktop Services > Overview > Deployment Servers > Tasks
> Add RD Session Host Servers.
iii. Select the new server (for example, Contoso-Sh2), and then click Next.
iv. On the Confirmation page, select Restart remote computers as needed, and
then click Add.
e. Add RDSH server to the collection farm:
i. Launch Server Manager.
ii. Click Remote Desktop Services and then click the collection to which you
want to add the newly created RDSH server (for example, ContosoDesktop).
iii. Under Host Servers, click Tasks > Add RD Session Host Servers.
iv. Select the newly created server (for example, Contoso-Sh2), and then click
Next.
v. On the Confirmation page, click Add.
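Steps 4d and 4e above are the Server Manager route. As an added example (not from the article), the following PowerShell does the same from the RDMS/broker machine with the RemoteDesktop module, after a preflight that the new host is remotely manageable and domain joined (steps 2 and 3), and is idempotent so it can be re-run. Server names, the collection name and the helper function are assumptions.

```powershell
# Added example: add a new RD Session Host to the deployment and to a collection.
# Names are placeholders for the servers built in steps 1-3.
Import-Module RemoteDesktop

$ConnectionBroker = 'contoso-cb1.contoso.com'   # placeholder: RDMS / first broker
$NewSessionHost   = 'contoso-sh2.contoso.com'   # placeholder: server from step 1
$CollectionName   = 'ContosoDesktop'            # placeholder: collection from step 4e

# Preflight: the host must answer on WinRM (remote management, step 2) and be part
# of the domain (step 3); otherwise Add-RDServer fails part-way through.
function Test-SessionHostReady {
    param([string]$ComputerName)
    $winrm = Test-WSMan -ComputerName $ComputerName -ErrorAction SilentlyContinue
    if (-not $winrm) { return $false }
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $ComputerName
    return [bool]$cs.PartOfDomain
}

if (-not (Test-SessionHostReady -ComputerName $NewSessionHost)) {
    throw "$NewSessionHost is not remotely manageable or not domain joined yet."
}

# Step 4d: register the server in the deployment with the RD Session Host role
# (RDS-RD-SERVER). Skipped when a previous run already added it.
$existing = Get-RDServer -ConnectionBroker $ConnectionBroker -Role RDS-RD-SERVER
if ($existing.Server -notcontains $NewSessionHost) {
    Add-RDServer -Server $NewSessionHost -Role RDS-RD-SERVER -ConnectionBroker $ConnectionBroker
}

# Step 4e: put the host into the collection so the broker starts placing sessions on it.
$members = Get-RDSessionHost -CollectionName $CollectionName -ConnectionBroker $ConnectionBroker
if ($members.SessionHost -notcontains $NewSessionHost) {
    Add-RDSessionHost -CollectionName $CollectionName -SessionHost $NewSessionHost -ConnectionBroker $ConnectionBroker
}

# Confirm membership and that the host accepts new connections.
Get-RDSessionHost -CollectionName $CollectionName -ConnectionBroker $ConnectionBroker |
    Select-Object SessionHost, NewConnectionAllowed
```

Add-RDServer installs the role service on the target and may restart it, which matches the "Restart remote computers as needed" option in step 4d(iv).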

Add the RD Connection Broker server to the deployment and configure high availability
Article • 07/03/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

You can deploy a Remote Desktop Connection Broker (RD Connection Broker) cluster to
improve the availability and scale of your Remote Desktop Services infrastructure.

Pre-requisites
Set up a server to act as a second RD Connection Broker—this can be either a physical
server or a VM.

Set up a database for the Connection Broker. You can use Azure SQL Database instance
or SQL Server in your local environment. We talk about using Azure SQL below, but the
steps still apply to SQL Server. You'll need to find the connection string for the database
and make sure you have the correct ODBC driver.

Step 1: Configure the database for the Connection Broker
1. Find the connection string for the database you created - you need it both to
identify the version of ODBC driver you need and later, when you're configuring
the Connection Broker itself (step 3), so save the string someplace where you can
reference it easily. Here's how you find the connection string for Azure SQL:

a. In the Azure portal, click Browse > Resource groups and click the resource
group for the deployment.

b. Select the SQL database you just created (for example, CB-DB1).

c. Click Settings > Properties > Show database connection strings.

d. Copy the connection string for ODBC (includes Node.js), which should look like
this:

    Driver={ODBC Driver 13 for SQL Server};Server=tcp:<YourHost>,<HostPort>;Database=<DatabaseName>;Uid=<UserID>;Pwd=<Password>;Encrypt=yes;TrustServerCertificate=no;Connection Timeout=30;

e. Replace the password placeholder (<Password>) with the actual password. You'll use
this entire string, with your included password, when connecting to the database.
2. Install the ODBC driver on the new Connection Broker:
a. If you are using a VM for the Connection Broker, create a public IP address for
the first RD Connection Broker. (You only have to do this if the RDMS virtual
machine does not already have a public IP address to allow RDP connections.)
i. In the Azure portal, click Browse > Resource groups, click the resource group
for the deployment, and then click the first RD Connection Broker virtual
machine (for example, Contoso-Cb1).
ii. Click Settings > Network interfaces, and then click the corresponding
network interface.
iii. Click Settings > IP address.
iv. For Public IP address, select Enabled, and then click IP address.
v. If you have an existing public IP address you want to use, select it from the
list. Otherwise, click Create new, enter a name, and then click OK and then
Save.
b. Connect to the first RD Connection Broker:
i. In the Azure portal, click Browse > Resource groups, click the resource group
for the deployment, and then click the first RD Connection Broker virtual
machine (for example, Contoso-Cb1).
ii. Click Connect > Open to open the Remote Desktop client.
iii. In the client, click Connect, and then click Use another user account. Enter
the user name and password for a domain administrator account.
iv. Click Yes when warned about the certificate.
c. Download the ODBC driver for SQL Server that matches the version in the ODBC
connection string. For the example string above, we need to install the version
13 ODBC driver.
d. Copy the sqlincli.msi file to the first RD Connection Broker server.
e. Open the sqlincli.msi file and install the native client.
f. Repeat steps 1-5 for each additional RD Connection Broker (for example,
Contoso-Cb2).
g. Install the ODBC driver on each server that will run the connection broker.
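The connection string is pasted into the high-availability wizard later (step 3) and a mistake there is awkward to diagnose. As an added example (not from the article), the following PowerShell checks the string before you use it: no placeholders left, the driver named in the string is actually installed on this broker (steps 2c-e), the database endpoint is reachable, and the encryption settings the portal supplies (Encrypt=yes, TrustServerCertificate=no) have not been weakened, so broker-to-database traffic stays encrypted with the server certificate validated. The helper functions are assumptions; the string is the placeholder one from step 1d.

```powershell
# Added example: validate the broker's ODBC connection string on a Connection Broker.
# The string below is the portal placeholder; paste your real one in its place.
$ConnectionString = 'Driver={ODBC Driver 13 for SQL Server};Server=tcp:<YourHost>,<HostPort>;Database=<DatabaseName>;Uid=<UserID>;Pwd=<Password>;Encrypt=yes;TrustServerCertificate=no;Connection Timeout=30;'

# Split "key=value;" pairs into a hashtable (braces around the driver name are kept).
function ConvertFrom-OdbcConnectionString {
    param([string]$Value)
    $pairs = @{}
    foreach ($part in ($Value -split ';')) {
        if ($part -match '^\s*([^=]+)=(.*)$') { $pairs[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    return $pairs
}

# Returns a list of problems; an empty list means the string is ready for the wizard.
function Test-BrokerConnectionString {
    param([string]$Value)
    $p = ConvertFrom-OdbcConnectionString -Value $Value
    $problems = @()

    if ($Value -match '<[^>]+>') { $problems += 'Placeholders (<...>) still present' }

    # The driver named here must match what was installed in step 2 (64-bit, as the broker is).
    $driverName = ([string]$p['Driver']).Trim('{', '}')
    if (-not (Get-OdbcDriver -Name $driverName -Platform 64-bit -ErrorAction SilentlyContinue)) {
        $problems += "Driver '$driverName' is not installed (64-bit)"
    }

    # Keep the transport encrypted and the server certificate validated.
    if ($p['Encrypt'] -ne 'yes')               { $problems += 'Encrypt must be yes' }
    if ($p['TrustServerCertificate'] -ne 'no') { $problems += 'TrustServerCertificate must be no' }

    # Reachability of the SQL endpoint (only once the placeholders are replaced).
    if ($p['Server'] -match '^tcp:([^,]+),(\d+)$') {
        $sqlHost, $sqlPort = $Matches[1], [int]$Matches[2]
        $reach = Test-NetConnection -ComputerName $sqlHost -Port $sqlPort -WarningAction SilentlyContinue
        if (-not $reach.TcpTestSucceeded) { $problems += "Cannot reach ${sqlHost}:$sqlPort" }
    }
    return $problems
}

$issues = Test-BrokerConnectionString -Value $ConnectionString
if ($issues.Count -eq 0) { 'Connection string looks ready for the HA wizard.' }
else { $issues | ForEach-Object { "PROBLEM: $_" } }
```

Run it on each broker after step 2g; the driver check is per machine, and a broker missing the driver is the usual reason the wizard in step 3 fails to connect.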

Step 2: Configure load balancing on the RD Connection Brokers
If you are using Azure infrastructure, you can create an Azure load balancer; if not, you
can set up DNS round-robin.

Create a load balancer

1. Create an Azure Load Balancer
a. In the Azure portal click Browse > Load balancers > Add.
b. Enter a name for the new load balancer (for example, hacb).
c. Select Internal for the Scheme, Virtual Network for your deployment (for
example, Contoso-VNet), and the Subnet with all of your resources (for
example, default).
d. Select Static for the IP address assignment and enter a Private IP address that
is not currently in use (for example, 10.0.0.32).
e. Select the appropriate Subscription, the Resource group with all of your
resources, and the appropriate Location.
f. Select Create.
2. Create a probe to monitor which servers are active:
a. In Azure portal, click Browse > Load Balancers, and then click the load balancer
you just created, (for example, CBLB). Click Settings.
b. Click Probes > Add.
c. Enter a name for the probe (for example, RDP), select TCP as the Protocol, enter
3389 for the Port, and then click OK.
3. Create the backend pool of the Connection Brokers:
a. In Settings, Click Backend address pools > Add.
b. Enter a name (for example, CBBackendPool), then click Add a virtual machine.
c. Choose an availability set (for example, CbAvSet), and then click OK.
d. Click Choose the virtual machines, select each virtual machine, and then click
Select > OK > OK.
4. Create the RDP load balancing rule:
a. In Settings, click Load balancing rules, and then click Add.
b. Enter a name (for example, RDP), select TCP for the Protocol, enter 3389 for
both Port and Backend port, and click OK.
5. Add a DNS record for the Load Balancer:
a. Connect to the RDMS server virtual machine (for example, Contoso-CB1). Check
out the Prepare the RD Connection Broker VM article for steps on how you
connect to the VM.
b. In Server Manager, click Tools > DNS.
c. In the left-hand pane, expand DNS, click the DNS machine, click Forward
Lookup Zones, and then click your domain name (for example, Contoso.com).
(It might take a few seconds to process the query to the DNS server for the
information.)
d. Click Action > New Host (A or AAAA).
e. Enter the name (for example, hacb) and the IP address specified earlier (for
example, 10.0.0.32).

Configure DNS round-robin

The following steps are an alternative to creating an Azure Internal Load Balancer.

1. Connect to the RDMS server in the Azure portal using the Remote Desktop
Connection client.
2. Create DNS records:
a. In Server Manager, click Tools > DNS.
b. In the left-hand pane, expand DNS, click the DNS machine, click Forward
Lookup Zones, and then click your domain name (for example, Contoso.com).
(It might take a few seconds to process the query to the DNS server for the
information.)
c. Click Action and New Host (A or AAAA).
d. Enter the DNS Name for the RD Connection Broker cluster (for example, hacb),
and then enter the IP address of the first RD Connection Broker.
e. Repeat steps 3-4 for each additional RD Connection Broker, providing each
unique IP address for each additional record.

For example, if the IP addresses for the two RD Connection Broker virtual machines are
10.0.0.8 and 10.0.0.9, you would create two DNS host records:

Host name: hacb.contoso.com, IP address: 10.0.0.8
Host name: hacb.contoso.com, IP address: 10.0.0.9

Step 3: Configure the Connection Brokers for high availability
1. Add the new RD Connection Broker server to Server Manager:
a. In Server Manager, click Manage > Add Servers.
b. Click Find Now.
c. Click the newly created RD Connection Broker server (for example, Contoso-
Cb2) and click OK.
2. Configure high availability for the RD Connection Broker:
a. In Server Manager, click Remote Desktop Services > Overview.
b. Right-click RD Connection Broker, and then click Configure High Availability.
c. Page through the wizard until you get to the Configuration type section. Select
Shared database server, and then click Next.
d. Enter the DNS name for the RD Connection Broker cluster.
e. Enter the connection string for the SQL DB, and then page through the wizard
to establish high availability.
3. Add the new RD Connection Broker to the deployment
a. In Server Manager, click Remote Desktop Services > Overview.
b. Right-click the RD Connection Broker, and then click Add RD Connection
Broker Server.
c. Page through wizard until you get to Server Selection, then select the newly
created RD Connection Broker server (for example, Contoso-CB2).
d. Complete the wizard, accepting the default values.
4. Configure trusted certificates on RD Connection Broker servers and clients.
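The DNS records from Step 2 and the high-availability wizard from Step 3 can both be driven from PowerShell on the RDMS server. As an added example (not from the article), the following script registers the cluster name (one A record for the load balancer address, or one per broker for round-robin), switches the first broker to a shared SQL database with that name as the client access name, and adds the second broker. Server, zone and cluster names and the helper function are assumptions; the connection string is prompted for so the password is not stored in the script.

```powershell
# Added example: DNS name for the broker cluster (step 2) plus shared-database
# high availability (step 3). All names are placeholders.
Import-Module RemoteDesktop
Import-Module DnsServer

$ZoneName     = 'contoso.com'
$ClusterName  = 'hacb'                          # becomes hacb.contoso.com
$FirstBroker  = 'contoso-cb1.contoso.com'
$SecondBroker = 'contoso-cb2.contoso.com'
$DnsServer    = 'contoso-dc1.contoso.com'
$ConnectionString = Read-Host 'ODBC connection string for the broker database'

# Register one A record per address: a single address for the internal load balancer
# (for example 10.0.0.32) or every broker address for DNS round-robin. Existing
# records are left alone so the function can be re-run.
function Register-BrokerClusterName {
    param([string[]]$IPv4Address)
    foreach ($ip in $IPv4Address) {
        $exists = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $ClusterName -RRType A `
                      -ComputerName $DnsServer -ErrorAction SilentlyContinue |
                  Where-Object { $_.RecordData.IPv4Address.IPAddressToString -eq $ip }
        if (-not $exists) {
            Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $ClusterName -IPv4Address $ip -ComputerName $DnsServer
        }
    }
    # What clients will resolve; with round-robin the order rotates on each query.
    return (Resolve-DnsName -Name "$ClusterName.$ZoneName" -Type A -Server $DnsServer).IPAddress
}

# Round-robin variant with the two broker addresses from the article's example.
Register-BrokerClusterName -IPv4Address '10.0.0.8', '10.0.0.9'

# Step 3, parts 2b-e: shared database server plus the cluster DNS name the clients use.
Set-RDConnectionBrokerHighAvailability -ConnectionBroker $FirstBroker `
    -DatabaseConnectionString $ConnectionString `
    -ClientAccessName "$ClusterName.$ZoneName"

# Step 3, part 3: add the second broker to the now highly available deployment.
Add-RDServer -Server $SecondBroker -Role RDS-CONNECTION-BROKER -ConnectionBroker $FirstBroker

# Shows the client access name and database settings now in force.
Get-RDConnectionBrokerHighAvailability -ConnectionBroker $FirstBroker
```

Step 4 (trusted certificates) still applies afterwards: clients connect to the client access name, so the broker certificate must cover hacb.contoso.com rather than the individual server names.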

Add high availability to the RD Web and Gateway web front
Article • 07/03/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

You can deploy a Remote Desktop Web Access (RD Web Access) and Remote Desktop
Gateway (RD Gateway) farm to improve the availability and scale of a Windows Server
Remote Desktop Services (RDS) deployment.

Use the following steps to add an RD Web and Gateway server to an existing Remote
Desktop Services basic deployment.

Pre-requisites
Set up a server to act as an additional RD Web and RD Gateway - this can be either a
physical server or VM. This includes joining the server to the domain and enabling
remote management.

Step 1: Configure the new server to be part of the RDS environment
1. Connect to the RDMS server in the Azure portal, using Remote Desktop
Connection client.
2. Add the new RD Web and Gateway server to Server Manager:
a. Launch Server Manager, click Manage > Add Servers.
b. In the Add Servers dialog, click Find Now.
c. Select the newly created RD Web and Gateway server (for example, Contoso-
WebGw2) and click OK.
3. Add RD Web and Gateway servers to the deployment
a. Launch Server Manager.
b. Click Remote Desktop Services > Overview > Deployment Servers > Tasks >
Add RD Web Access Servers.
c. Select the newly created server (for example, Contoso-WebGw2), and then click
Next.
d. On the Confirmation page, select Restart remote computers as needed, and
then click Add.
e. Repeat these steps to add the RD Gateway server, but choose RD Gateway
Servers in step b.
4. Re-install certificates for the RD Gateway servers:
a. In Server Manager on the RDMS server, click Remote Desktop Services >
Overview > Tasks > Edit Deployment Properties.
b. Expand Certificates.
c. Scroll down to the table. Click RD Gateway Role Service > Select existing
certificate.
d. Click Choose a different certificate and then browse to the certificate location.
For example, \Contoso-CB1\Certificates). Select the certificate file for the RD
Web and Gateway server created during the prerequisites (e.g.
ContosoRdGwCert), and then click Open.
e. Enter the password for the certificate, select Allow the certificate to be added
to the Trusted Root Certificate Authorities certificate store on the destination
computers, and then click OK.
f. Click Apply.

Note

You may need to manually restart the TSGateway service running on each
RD Gateway server, either through Server Manager or Task Manager.

g. Repeat steps a through f for the RD Web Access Role Service.

Step 2: Configure RD Web and RD Gateway properties on the new server
1. Configure the server to be part of an RD Gateway farm:
a. In Server Manager on the RDMS server, click All Servers. Right-click one of the
RD Gateway servers, and then click Remote Desktop Connection.
b. Sign into to the RD Gateway server using a domain admin account.
c. In Server Manager on the RD Gateway server, click Tools > Remote Desktop
Services > RD Gateway Manager.
d. In the navigation pane, click the local computer (e.g. Contoso-WebGw1).
e. Click Add RD Gateway Server Farm members.
f. On the Server Farm tab, enter the name of each RD Gateway server, then click
Add and Apply.
g. Repeat steps a through f on each RD Gateway server so that they recognize
each other as RD Gateway servers in a farm. Do not be alarmed if there are
warnings, as it might take time for DNS settings to propagate.
2. Configure the server to be part of an RD Web Access farm. The steps below
configure the Validation and Decryption Machine Keys to be the same on both
RDWeb sites.
a. In Server Manager on the RDMS server, click All Servers. Right-click the first RD
Web Access server (e.g. Contoso-WebGw1) and then click Remote Desktop
Connection.
b. Sign into the RD Web Access server using a domain admin account.
c. In Server Manager on the RD Web Access server, click Tools > Internet
Information Services (IIS) Manager.
d. In the left pane of IIS Manager, expand the Server (e.g. Contoso-WebGw1) >
Sites > Default Web Site, and then click RDWeb.
e. Right-click Machine Key, and then click Open Feature.
f. On the Machine Key page, in the Actions pane, select Generate Keys, and then
click Apply.
g. Copy the validation key (you can right-click the key and then click Copy.)
h. In IIS Manager, under Default Web Site, select Feed, FeedLogon and Pages in
turn.
i. For each:
i. Right-click Machine Key, and then click Open Feature.
ii. For the Validation Key, clear Automatically generate at runtime, and then
paste the key you copied in step g.
j. Minimize the RD Connection window to this RD Web server.
k. Repeat steps b through e for the second RD Web Access server, ending on the
feature view of Machine Key.
l. For the Validation Key, clear Automatically generate at runtime, and then paste
the key you copied in step g.
m. Click Apply.
n. Complete this process for the RDWeb, Feed, FeedLogon and Pages pages.
o. Minimize the RD Connection window to the second RD Web Access server, and
then maximize the RD Connection window to the first RD Web Access server.
p. Repeat steps g through n to copy over the Decryption Key.
q. When validation keys and decryption keys are identical on both RD Web Access
servers for the RDWeb, Feed, FeedLogon and Pages pages, sign out of all RD
Connection windows.
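Part 2 above copies the machine keys by hand through IIS Manager, and a single mismatched key on one of the four applications breaks sign-in whenever the load balancer moves a user to the other server. As an added example (not from the article), the following PowerShell generates one validation/decryption key pair from the OS random number generator, writes it into the RDWeb, Feed, FeedLogon and Pages applications on every RD Web Access server through the WebAdministration module, and reads the result back to confirm every server and application holds the same keys. Server names, the application paths under Default Web Site and the helper function are assumptions.

```powershell
# Added example: set identical ASP.NET machine keys on all RD Web Access servers.
# Server names are placeholders; the RDWeb applications live under Default Web Site.
$RdWebServers = 'contoso-webgw1.contoso.com', 'contoso-webgw2.contoso.com'
$Applications = 'RDWeb', 'RDWeb\Feed', 'RDWeb\FeedLogon', 'RDWeb\Pages'

# Random key as upper-case hex from the CSPRNG (what IIS "Generate Keys" produces).
function New-MachineKeyHex {
    param([int]$ByteLength)
    $bytes = [byte[]]::new($ByteLength)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

$keys = @{
    validationKey = New-MachineKeyHex -ByteLength 64   # HMACSHA256 validation key
    decryptionKey = New-MachineKeyHex -ByteLength 32   # AES-256 decryption key
}

# Runs on each server: a fixed key is what clearing "Automatically generate at
# runtime" means, so writing the value replaces the AutoGenerate setting.
$apply = {
    param($Apps, $Keys)
    Import-Module WebAdministration
    foreach ($app in $Apps) {
        $path = "IIS:\Sites\Default Web Site\$app"
        foreach ($name in 'validationKey', 'decryptionKey') {
            Set-WebConfigurationProperty -PSPath $path -Filter 'system.web/machineKey' -Name $name -Value $Keys[$name]
        }
        Set-WebConfigurationProperty -PSPath $path -Filter 'system.web/machineKey' -Name 'validation' -Value 'HMACSHA256'
        Set-WebConfigurationProperty -PSPath $path -Filter 'system.web/machineKey' -Name 'decryption' -Value 'AES'
    }
}

# Runs on each server: read the keys back so they can be compared across the farm.
$readBack = {
    param($Apps)
    Import-Module WebAdministration
    foreach ($app in $Apps) {
        $mk = Get-WebConfiguration -PSPath "IIS:\Sites\Default Web Site\$app" -Filter 'system.web/machineKey'
        [pscustomobject]@{ Server = $env:COMPUTERNAME; App = $app
                           Validation = $mk.validationKey; Decryption = $mk.decryptionKey }
    }
}

Invoke-Command -ComputerName $RdWebServers -ScriptBlock $apply -ArgumentList (,$Applications), $keys
$state = Invoke-Command -ComputerName $RdWebServers -ScriptBlock $readBack -ArgumentList (,$Applications)

# Every (server, application) row must show the same pair of keys.
$distinct = @($state | Select-Object Validation, Decryption -Unique)
if ($distinct.Count -eq 1) { 'Machine keys identical on all RD Web servers and applications.' }
else { $state | Format-Table Server, App, Validation, Decryption -AutoSize }
```

Treat the generated keys as secrets: they are what lets one server accept the other's authentication cookies, so they belong only in the RDWeb web.config files, not in a ticket or a chat message.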

Step 3: Configure load balancing for the RD Web and RD Gateway servers
If you are using Azure infrastructure, you can create an external Azure load balancer; if
not, you can set up a separate hardware or software load balancer. Load balancing is key
so that the long-lived connections from Remote Desktop clients, through the RD Gateway,
to the servers where users run their workloads are evenly distributed.

Note

If your previous server running RD Web and RD Gateway was already set up behind
an external load balancer, skip ahead to step 4, select the existing backend pool,
and add the new server to the pool.

1. Create an Azure Load Balancer:
a. In the Azure portal click Browse > Load balancers > Add.
b. Enter a name, for example WebGwLB.
c. Select Public for the Scheme.
d. Under Public IP address, select Choose a public IP address, and then pick an
existing public IP address or create a new one.
e. Select the appropriate Subscription, Resource Group, and Location.
f. Click Create.
2. Create a probe to monitor which servers are alive:
a. In the Azure portal, select Browse > Load Balancers, and then choose the load
balancer that you created in the previous step.
b. Select All settings > Probes > Add.
c. Enter a name, for example, HTTPS, for the probe. Select TCP as the Protocol,
and enter 443 for the Port, then click OK.
3. Create the HTTPS and UDP load balancing rules:
a. In Settings, click Load balancing rules.
b. Select Add for the HTTPS rule.
c. Enter a name for the rule, for example, HTTPS, and select TCP for the Protocol.
Enter 443 for both Port and Backend port, and click OK.
d. In Load balancing rules, click Add for the UDP rule.
e. Enter a name for the rule, for example, UDP, and select UDP for the Protocol.
Enter 3391 for both Port and Backend port, and click OK.
4. Create the backend pool for the RD Web and RD Gateway servers:
a. In Settings, click Backend address pools > Add.
b. Enter a name (for example, WebGwBackendPool), then click Add a virtual
machine.
c. Choose an availability set (for example, WebGwAvSet), and then click OK.
d. Click Choose the virtual machines, select each virtual machine, and then click
Select > OK > OK.
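Steps 1-4 above, and steps 1-4 of "Create a load balancer" in the Connection Broker article before it, are the same construction with different scheme, probe and ports. As an added example (not from the article), the following Az PowerShell function builds either balancer: a Standard SKU load balancer with one frontend, one backend pool, one TCP probe and one rule per entry, and then attaches the primary NIC of each VM to the pool, which is how backend membership is actually recorded in Azure Resource Manager. It is called once for the public RD Web/RD Gateway balancer (HTTPS probe, TCP 443 and UDP 3391) and once for the internal broker balancer (TCP 3389 at 10.0.0.32). Resource group, location, VM and network names, the Standard SKU and the helper function are assumptions.

```powershell
# Added example: build the RDS load balancers with Az PowerShell. Names are placeholders.
Import-Module Az.Network
Import-Module Az.Compute

$ResourceGroup = 'Contoso-RDS'
$Location      = 'westeurope'

# Standard LB with one frontend (public IP or fixed private IP), one backend pool, one
# TCP probe and one rule per $Rules entry; then joins each VM's primary NIC to the pool.
function New-RdsLoadBalancer {
    param(
        [string]$Name,
        [ValidateSet('Public', 'Internal')][string]$Scheme,
        [int]$ProbePort,
        [hashtable[]]$Rules,          # @{ Name='HTTPS'; Protocol='Tcp'; Port=443 }
        [string[]]$VmNames,
        [string]$SubnetId,            # Internal only
        [string]$PrivateIp            # Internal only
    )
    if ($Scheme -eq 'Public') {
        $pip = New-AzPublicIpAddress -ResourceGroupName $ResourceGroup -Name "$Name-pip" `
                   -Location $Location -Sku Standard -AllocationMethod Static
        $frontend = New-AzLoadBalancerFrontendIpConfig -Name 'frontend' -PublicIpAddress $pip
    } else {
        $frontend = New-AzLoadBalancerFrontendIpConfig -Name 'frontend' -SubnetId $SubnetId -PrivateIpAddress $PrivateIp
    }
    $pool  = New-AzLoadBalancerBackendAddressPoolConfig -Name "$Name-pool"
    $probe = New-AzLoadBalancerProbeConfig -Name "probe-$ProbePort" -Protocol Tcp -Port $ProbePort `
                 -IntervalInSeconds 15 -ProbeCount 2
    # Long idle timeout: RD Gateway and broker connections are long-lived.
    $lbRules = foreach ($r in $Rules) {
        New-AzLoadBalancerRuleConfig -Name $r.Name -Protocol $r.Protocol -FrontendPort $r.Port -BackendPort $r.Port `
            -FrontendIpConfiguration $frontend -BackendAddressPool $pool -Probe $probe -IdleTimeoutInMinutes 30
    }
    $lb = New-AzLoadBalancer -ResourceGroupName $ResourceGroup -Name $Name -Location $Location -Sku Standard `
              -FrontendIpConfiguration $frontend -BackendAddressPool $pool -Probe $probe -LoadBalancingRule $lbRules

    # Backend membership is a property of the NIC, not of the load balancer.
    foreach ($vm in $VmNames) {
        $nicId = (Get-AzVM -ResourceGroupName $ResourceGroup -Name $vm).NetworkProfile.NetworkInterfaces[0].Id
        $nic   = Get-AzNetworkInterface -ResourceId $nicId
        $nic.IpConfigurations[0].LoadBalancerBackendAddressPools.Add($lb.BackendAddressPools[0])
        Set-AzNetworkInterface -NetworkInterface $nic | Out-Null
    }
    return $lb
}

# This article, steps 1-4: public balancer, HTTPS probe, TCP 443 and UDP 3391 rules.
$webGwLb = New-RdsLoadBalancer -Name 'WebGwLB' -Scheme Public -ProbePort 443 `
    -Rules @{ Name = 'HTTPS'; Protocol = 'Tcp'; Port = 443 }, @{ Name = 'UDP'; Protocol = 'Udp'; Port = 3391 } `
    -VmNames 'Contoso-WebGw1', 'Contoso-WebGw2'

# Connection Broker article, steps 1-4: internal balancer for the brokers on TCP 3389.
$subnetId = (Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name 'Contoso-VNet').Subnets[0].Id
$cbLb = New-RdsLoadBalancer -Name 'hacb' -Scheme Internal -ProbePort 3389 `
    -Rules @{ Name = 'RDP'; Protocol = 'Tcp'; Port = 3389 } -VmNames 'Contoso-Cb1', 'Contoso-Cb2' `
    -SubnetId $subnetId -PrivateIp '10.0.0.32'

$webGwLb.FrontendIpConfigurations[0].PublicIpAddress.Id
$cbLb.FrontendIpConfigurations[0].PrivateIpAddress
```

A Standard SKU public load balancer is closed by default: the network security group on the RD Web/RD Gateway NICs must allow inbound TCP 443 and UDP 3391 before clients can reach the farm, and nothing else needs to be opened on those machines from the Internet.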
Deploy a two-node Storage Spaces Direct scale-out file server for UPD storage in Azure
Article • 07/03/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

Remote Desktop Services (RDS) requires a domain-joined file server for user profile disks
(UPDs). To deploy a high availability domain-joined scale-out file server (SOFS) in Azure,
use Storage Spaces Direct with Windows Server 2016. If you're not familiar with UPDs or
Remote Desktop Services, check out Welcome to Remote Desktop Services.

Note

Microsoft just published an Azure template to deploy a Storage Spaces Direct
scale-out file server! You can use the template to create your deployment, or use
the steps in this article.

We recommend deploying your SOFS with DS-series VMs and premium storage data
disks, where there are the same number and size of data disks on each VM. You will
need a minimum of two storage accounts.

For small deployments, we recommend a 2-node cluster with a cloud witness, where the
volume is mirrored with 2 copies. Grow small deployments by adding data disks. Grow
larger deployments by adding nodes (VMs).

These instructions are for a 2-node deployment. The following table shows the VM and
disk sizes you'll need to store UPDs for the number of users in your business.

| Users | Total (GB) | VM  | # Disks | Disk type | Disk size (GB) | Configuration     |
|-------|------------|-----|---------|-----------|----------------|-------------------|
| 10    | 50         | DS1 | 2       | P10       | 128            | 2x(DS1 + 2 P10)   |
| 25    | 125        | DS1 | 2       | P10       | 128            | 2x(DS1 + 2 P10)   |
| 50    | 250        | DS1 | 2       | P10       | 128            | 2x(DS1 + 2 P10)   |
| 100   | 500        | DS1 | 2       | P20       | 512            | 2x(DS1 + 2 P20)   |
| 250   | 1250       | DS1 | 2       | P30       | 1024           | 2x(DS1 + 2 P30)   |
| 500   | 2500       | DS2 | 3       | P30       | 1024           | 2x(DS2 + 3 P30)   |
| 1000  | 5000       | DS3 | 5       | P30       | 1024           | 2x(DS3 + 5 P30)   |
| 2500  | 12500      | DS4 | 13      | P30       | 1024           | 2x(DS4 + 13 P30)  |
| 5000  | 25000      | DS5 | 25      | P30       | 1024           | 2x(DS5 + 25 P30)  |

Use the following steps to create a domain controller (we called ours "my-dc" below)
and two node VMs ("my-fsn1" and "my-fsn2") and configure the VMs to be a 2-node
Storage Spaces Direct SOFS.

1. Create a Microsoft Azure subscription.
2. Sign into the Azure portal.
3. Create an Azure storage account in Azure Resource Manager. Create it in a new resource group and use the following configurations:
   Deployment model: Resource Manager
   Type of storage account: General purpose
   Performance tier: Premium
   Replication option: LRS
4. Set up an Active Directory forest by either using a quickstart template or deploying the forest manually.
   Deploy using an Azure quickstart template:
   - Create an Azure VM with a new AD forest
   - Create a new AD domain with 2 domain controllers (for high availability)
   Manually deploy the forest with the following configurations:
   - Create the virtual network in the same resource group as the storage account.
   - Recommended size: DS2 (increase the size if the domain controller will host more domain objects)
   - Use an automatically generated VNet.
   - Follow the steps to install AD DS.

5. Set up the file server cluster nodes. You can do this by deploying the Windows
Server 2016 Storage Spaces Direct SOFS cluster Azure template or by following
steps 6-11 to deploy manually.
6. To manually set up the file server cluster nodes:
a. Create the first node:
i. Create a new virtual machine using the Windows Server 2016 image. (Click
New > Virtual Machines > Windows Server 2016. Select Resource Manager,
and then click Create.)
ii. Set the basic configuration as follows:
   Name: my-fsn1
   VM disk type: SSD
   Use an existing resource group, the one that you created in step 3.
iii. Size: DS1, DS2, DS3, DS4, or DS5 depending on your user needs (see table at the beginning of these instructions). Ensure premium disk support is selected.
iv. Settings:
   Storage account: Choose the storage account you created in step 3.
   High Availability - create a new availability set. (Click High Availability > Create new, and then enter a name (for example, s2d-cluster). Use the default values for Update domains and Fault domains.)
b. Create the second node. Repeat the step above with the following changes:
   Name: my-fsn2
   High Availability - select the availability set you created above.
7. Attach data disks to the cluster node VMs according to your user needs (as seen in
the table above). After the data disks are created and attached to the VM, set host
caching to None.
8. Set IP addresses for all VMs to static.
a. In the resource group, select a VM, and then click Network interfaces (under
settings). Select the listed network interface, and then click IP Configurations.
Select the listed IP configuration, select static, and then click Save.
b. Note the domain controller (my-dc for our example) private IP address (10.x.x.x).
9. Set primary DNS server address on NICs of the cluster node VMs to the my-dc
server. Select the VM, and then click Network Interfaces > DNS servers > Custom
DNS. Enter the private IP address you noted above, and then click Save.
10. Create an Azure storage account to be your cloud witness. (If you use the linked
instructions, stop when you get to "Configuring Cloud Witness with Failover
Cluster Manager GUI" - we'll do that step below.)
11. Set up the Storage Spaces Direct file server. Connect to a node VM, and then run
the following Windows PowerShell cmdlets.

a. Install the Failover Clustering feature and the File Server feature on the two file server cluster node VMs:

PowerShell
$nodes = ("my-fsn1", "my-fsn2")
icm $nodes {Install-WindowsFeature Failover-Clustering -IncludeAllSubFeature -IncludeManagementTools}
icm $nodes {Install-WindowsFeature FS-FileServer}

b. Validate the cluster node VMs and create the 2-node SOFS cluster (the static address must be a free address in your VNet address space):

PowerShell
Test-Cluster -Node $nodes
New-Cluster -Name MY-CL1 -Node $nodes -NoStorage -StaticAddress [new address within your addr space]

c. Configure the cloud witness. Use your cloud witness storage account name and access key.

PowerShell
Set-ClusterQuorum -CloudWitness -AccountName <StorageAccountName> -AccessKey <StorageAccountAccessKey>

d. Enable Storage Spaces Direct.

PowerShell
Enable-ClusterS2D

e. Create a virtual disk volume.

PowerShell
New-Volume -StoragePoolFriendlyName S2D* -FriendlyName VDisk01 -FileSystem CSVFS_REFS -Size 120GB

To view information about the cluster shared volume on the SOFS cluster, run the following cmdlet:

PowerShell
Get-ClusterSharedVolume

f. Create the scale-out file server (SOFS):

PowerShell
Add-ClusterScaleOutFileServerRole -Name my-sofs1 -Cluster MY-CL1

g. Create a new SMB file share on the SOFS cluster.

PowerShell
New-Item -Path C:\ClusterStorage\VDisk01\Data -ItemType Directory
New-SmbShare -Name UpdStorage -Path C:\ClusterStorage\VDisk01\Data

You now have a share at \\my-sofs1\UpdStorage, which you can use for UPD storage when you enable UPD for your users.
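The whole of step 11 as one parameterized script, with a validation gate before the cluster is created and post-deployment checks afterwards. This is an added example, not code from the Microsoft article or from the Azure template it links to. The node, cluster, SOFS, volume and share names are the article's; the cluster IP address, the cloud witness account, the AD group that is granted Full Control on the share, and the resource name check for the cloud witness are assumptions you must adapt.

```powershell
# Added example: two-node Storage Spaces Direct SOFS for UPD storage, run from one node.
# Not from the article; names marked "assumed" are placeholders.
[CmdletBinding()]
param(
    [string[]] $Nodes       = @('my-fsn1', 'my-fsn2'),   # node names from the article
    [string]   $ClusterName = 'MY-CL1',
    [string]   $ClusterIp   = '10.0.0.50',               # assumed: free address in your VNet
    [string]   $SofsName    = 'my-sofs1',
    [string]   $VolumeName  = 'VDisk01',
    [uint64]   $VolumeSize  = 120GB,
    [string]   $ShareName   = 'UpdStorage',
    [Parameter(Mandatory)] [string] $WitnessAccountName,  # cloud witness storage account
    [Parameter(Mandatory)] [string] $WitnessAccessKey,    # pass from a secret store, never hard-code
    [string]   $ShareFullAccess = 'CONTOSO\RDSH-Hosts'   # assumed: group holding the RD Session Host computer accounts
)
$ErrorActionPreference = 'Stop'

# 11a. Roles on both nodes.
Invoke-Command -ComputerName $Nodes -ScriptBlock {
    Install-WindowsFeature Failover-Clustering -IncludeAllSubFeature -IncludeManagementTools
    Install-WindowsFeature FS-FileServer
} | Out-Null

# 11b. Validate first. Test-Cluster writes an HTML report; review it before continuing,
# it does not throw on failed tests by itself.
Test-Cluster -Node $Nodes -Include 'Storage Spaces Direct', 'Inventory', 'Network', 'System Configuration'
New-Cluster -Name $ClusterName -Node $Nodes -NoStorage -StaticAddress $ClusterIp | Out-Null

# 11c. Cloud witness quorum. The key only travels over the remoting session; do not log it.
Set-ClusterQuorum -Cluster $ClusterName -CloudWitness -AccountName $WitnessAccountName -AccessKey $WitnessAccessKey | Out-Null

# 11d, 11e. Storage Spaces Direct and the CSV volume (CSVFS_ReFS, as in the article).
Enable-ClusterS2D -CimSession $ClusterName -Confirm:$false | Out-Null
New-Volume -CimSession $ClusterName -StoragePoolFriendlyName 'S2D*' -FriendlyName $VolumeName `
    -FileSystem CSVFS_ReFS -Size $VolumeSize | Out-Null

# 11f, 11g. SOFS role, then the share. The folder is created on the first node because the
# CSV path is local there; -ScopeName publishes the share under the SOFS name, and an
# explicit -FullAccess avoids the default 'Everyone / Read' share entry.
Add-ClusterScaleOutFileServerRole -Name $SofsName -Cluster $ClusterName | Out-Null
Invoke-Command -ComputerName $Nodes[0] -ScriptBlock {
    $path = "C:\ClusterStorage\$using:VolumeName\Data"
    New-Item -Path $path -ItemType Directory -Force | Out-Null
    New-SmbShare -Name $using:ShareName -Path $path -ScopeName $using:SofsName `
        -FullAccess $using:ShareFullAccess | Out-Null
}

# Post-deployment checks: witness in place, CSV online, no 'Everyone' on the share.
$quorum  = Get-ClusterQuorum -Cluster $ClusterName
$csv     = Get-ClusterSharedVolume -Cluster $ClusterName
$access  = Invoke-Command -ComputerName $Nodes[0] -ScriptBlock { Get-SmbShareAccess -Name $using:ShareName }

if ("$($quorum.QuorumResource)" -notlike '*Cloud Witness*') { throw "Quorum resource is '$($quorum.QuorumResource)', expected the cloud witness" }
if ($csv | Where-Object State -ne 'Online')                   { throw 'Cluster shared volume is not online' }
if ($access | Where-Object AccountName -eq 'Everyone')        { throw "Share $ShareName still grants access to Everyone" }

"Share ready at \\$SofsName\$ShareName; quorum: $($quorum.QuorumType); CSV: $($csv.Name) $($csv.State)"
```

The script only changes the share-level ACL; NTFS permissions on C:\ClusterStorage\VDisk01\Data are a separate gate and still apply to the session host computer accounts that will create the UPD VHDX files.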

Use personal session desktops with Remote Desktop Services
Article • 07/03/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10
You can deploy server-based personal desktops in a cloud-computing environment by using personal session desktops. (A cloud-computing environment has a separation between the fabric Hyper-V servers and the guest virtual machines, such as Microsoft Azure Cloud or the Microsoft Cloud Platform.) The personal session desktop capability extends the session-based desktop deployment scenario in Remote Desktop Services to create a new type of session collection where each user is assigned to their own personal session host with administrative rights.

Use the following information to create and manage a personal session desktop
collection.

Create a personal session desktop collection
Use the New-RDSessionCollection cmdlet to create a personal session desktop collection. The following three parameters provide the configuration information required for personal session desktops:

-PersonalUnmanaged - Specifies the type of session collection that lets you assign
users to a personal session host server. If you don't specify this parameter, then the
collection is created as a traditional RD Session Host collection, where users are
assigned to the next available session host when they sign in.
-GrantAdministrativePrivilege - If you use -PersonalUnmanaged, specifies that
the user assigned to the session host be given administrative privileges. If you
don't use this parameter, users are granted only standard user privileges.
-AutoAssignUser - If you use -PersonalUnmanaged, specifies that new users
connecting through the RD Connection Broker are automatically assigned to an
unassigned session host. If there are no unassigned session hosts in the collection,
the user will see an error message. If you don't use this parameter, you have to
manually assign users to a session host before they sign in.

Manually assign a user to a personal session host
Use the Set-RDPersonalSessionDesktopAssignment cmdlet to manually assign a user to a personal session host server in the collection. The cmdlet supports the following parameters:

-CollectionName <string>
-ConnectionBroker <string>
-User <string>
-Name <string>

-CollectionName - specifies the name of the personal session desktop collection. This parameter is required.
-ConnectionBroker - specifies the Remote Desktop Connection Broker (RD Connection Broker) server for your Remote Desktop deployment. If you don't supply a value, the cmdlet uses the fully qualified domain name (FQDN) of the local computer.
-User - specifies the user account to associate with the personal session desktop, in DOMAIN\User format. This parameter is required.
-Name - specifies the name of the session host server. This parameter is required. The session host identified here must be a member of the collection that the -CollectionName parameter specifies.

The Import-RDPersonalSessionDesktopAssignment cmdlet imports associations between user accounts and personal session desktops from a text file. The cmdlet supports the following parameters:

-CollectionName <string>
-ConnectionBroker <string>
-Path <string>

-Path specifies the path and file name of a file to import.

Removing a User Assignment from a Personal Session Host
Use the Remove-RDPersonalSessionDesktopAssignment cmdlet to remove the association between a personal session desktop and a user. The cmdlet supports the following parameters:

-CollectionName <string>
-ConnectionBroker <string>
-Force
-Name <string>
-User <string>

-Force forces the command to run without asking for user confirmation.

Query user assignments
Use the Get-RDPersonalSessionDesktopAssignment cmdlet to get a list of personal session desktops and associated user accounts. The cmdlet supports the following parameters:

-CollectionName <string>
-ConnectionBroker <string>
-User <string>
-Name <string>

You can run the cmdlet to query by collection name, user name, or by session desktop name. If you specify only the -CollectionName parameter, the cmdlet returns a list of session hosts and associated users. If you also specify the -User parameter, the session host associated with that user is returned. If you provide the -Name parameter, the user associated with that session host is returned.

The Export-RDPersonalSessionDesktopAssignment cmdlet exports the current associations between users and personal virtual desktops to a text file. The cmdlet supports the following parameters:

-CollectionName <string>
-ConnectionBroker <string>
-Path <string>

All new cmdlets support the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see about_CommonParameters.
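The cmdlets from the three sections above (create the collection, assign users, query and export) put together as one workflow. This is an added example, not code from the article. It deliberately omits -GrantAdministrativePrivilege and -AutoAssignUser, so users get standard rights on their host and every user-to-host mapping is explicit and auditable. The broker, host and user names and the export path are placeholders, and the DesktopName/User property names on the query output are assumed from the RemoteDesktop module's output objects.

```powershell
# Added example: personal session desktop collection with explicit, least-privilege assignments.
# Not from the article; broker, host and user names are placeholders.
$broker     = 'rdcb.contoso.com'
$collection = 'PersonalDesktops'
$hosts      = 'rdsh-p1.contoso.com', 'rdsh-p2.contoso.com'

# -PersonalUnmanaged makes this a personal collection. -AutoAssignUser and
# -GrantAdministrativePrivilege are left out on purpose: no silent first-come assignment,
# and no local administrator rights for the assigned user.
New-RDSessionCollection -CollectionName $collection -SessionHost $hosts `
    -ConnectionBroker $broker -PersonalUnmanaged -ErrorAction Stop | Out-Null

# Constructed user-to-host map; each host gets exactly one user (DOMAIN\User format).
$assignments = [ordered]@{
    'CONTOSO\alice' = $hosts[0]
    'CONTOSO\bob'   = $hosts[1]
}
foreach ($entry in $assignments.GetEnumerator()) {
    Set-RDPersonalSessionDesktopAssignment -CollectionName $collection -ConnectionBroker $broker `
        -User $entry.Key -Name $entry.Value -ErrorAction Stop
}

# Audit: every host in the collection must have an owner, and it must be the intended one.
# Property names (DesktopName, User) assumed from the cmdlet's output object.
$current = Get-RDPersonalSessionDesktopAssignment -CollectionName $collection -ConnectionBroker $broker
foreach ($h in $hosts) {
    $owner    = ($current | Where-Object DesktopName -eq $h).User
    $expected = $assignments.Keys | Where-Object { $assignments[$_] -eq $h }
    if (-not $owner)            { Write-Warning "$h has no assigned user" }
    elseif ($owner -ne $expected) { Write-Warning "$h is assigned to $owner, expected $expected" }
    else                        { "$h -> $owner" }
}

# Keep a record of the mapping; the same file feeds Import-RDPersonalSessionDesktopAssignment
# when the collection has to be rebuilt (path is a placeholder).
Export-RDPersonalSessionDesktopAssignment -CollectionName $collection -ConnectionBroker $broker `
    -Path 'C:\RDS\PersonalDesktops-assignments.txt'
```

Run the script on the RD Connection Broker or on a machine with the RemoteDesktop module and broker access; the warning branches are the checks an operator would want after any change to the collection.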
Prepare your virtual machines for Remote Desktop
Article • 07/03/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10
You can install Remote Desktop Services components on physical servers or on virtual
machines.

The first step is to create Windows Server virtual machines in Azure. You'll want to create three VMs: one for the RD Session Host, one for the Connection Broker, and one for the RD Web and RD Gateway. To ensure the availability of your RDS deployment, create an availability set (under High availability in the VM creation process) and group multiple VMs in that availability set.

After you create your VMs, use the following steps to prepare them for RDS.

1. Connect to the virtual machine using the Remote Desktop Connection (RDC) client:
a. In the Azure portal open the Resource groups view, and then click the resource
group to use for the deployment.
b. Select the new RDSH virtual machine (for example, Contoso-Sh1).
c. Click Connect > Open to open the Remote Desktop client.
d. In the client, click Connect, and then click Use another user account. Enter the
user name and password for the local administrator account.
e. Click Yes when warned about the certificate.
2. Enable remote management:
a. In Server Manager, click Local Server > Remote management current setting
(disabled).
b. Select Enable remote management for this server.
c. Click OK.
3. Optional: You can temporarily set Windows Update to not automatically download
and install updates. This helps prevent changes and system restarts while you
deploy the RDSH server.
a. In Server Manager, click Local Server > Windows Update current setting.
b. Select Advanced options > Defer upgrades.
4. Add the server to the domain:
a. In Server Manager, click Local Server > Workgroup current setting.
b. Click Change > Domain, and then enter the domain name (for example,
Contoso.com).
c. Enter the domain administrator credentials.
d. Restart the virtual machine.
5. Repeat steps 1 through 4 for the RD Web and GW virtual machine.
6. Repeat steps 1 through 4 for the RD Connection Broker virtual machine.
7. Initialize and format the attached disk on the RD Connection Broker virtual
machine:
a. Connect to the RD Connection Broker virtual machine (step 1 above).
b. In Server Manager, click Tools > Computer Management.
c. Click Disk Management.
d. Select the attached disk, then MBR (Master Boot Record), and then click OK.
e. Right-click the new disk (marked as Unallocated) and click New Simple Volume.
f. In the New Simple Volume wizard, accept the default values but provide an applicable name for the Volume label (like Shares).
8. On the RD Connection Broker virtual machine create file shares for the user profile
disks and certificates:
a. Open File Explorer, click This PC, and open the disk that you added for file
shares.
b. Click Home and New Folder.
c. Enter a name for the user disks folder, for example, UserDisks.
d. Right-click the new folder and click Properties > Sharing > Advanced Sharing.
e. Select Share this folder and click Permissions.
f. Select Everyone, and then click Remove. Now click Add, enter Domain Admins,
and click OK.
g. Select Allow Full Control, and then click OK > OK > Close.
h. Repeat steps c. to g. to create a shared folder for certificates.
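Steps 7 and 8 as PowerShell, run on the RD Connection Broker VM. This is an added example, not code from the article: it initialises the attached data disk, creates the UserDisks and Certificates shares, and verifies that only Domain Admins have share-level access (the effect of the Remove / Add / Allow Full Control clicks above). The domain name and drive letter are assumptions.

```powershell
# Added example: format the data disk and create the two shares with a Domain Admins-only share ACL.
# Not from the article; $domain and $driveLetter are placeholders.
$domain      = 'CONTOSO'
$driveLetter = 'F'
$shares      = 'UserDisks', 'Certificates'
$admins      = "$domain\Domain Admins"
$ErrorActionPreference = 'Stop'

# Step 7: first RAW (uninitialised) disk -> MBR, one partition, NTFS, label "Shares".
$disk = Get-Disk | Where-Object PartitionStyle -eq 'RAW' | Select-Object -First 1
if (-not $disk) { throw 'No uninitialised disk is attached to this VM' }
Initialize-Disk -Number $disk.Number -PartitionStyle MBR
New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter $driveLetter | Out-Null
Format-Volume -DriveLetter $driveLetter -FileSystem NTFS -NewFileSystemLabel 'Shares' -Confirm:$false | Out-Null

# Step 8: one folder and share per name. Passing -FullAccess means New-SmbShare does not add
# its default 'Everyone / Read' entry, so there is nothing to remove afterwards.
foreach ($name in $shares) {
    $path = Join-Path "${driveLetter}:\" $name
    New-Item -Path $path -ItemType Directory -Force | Out-Null
    New-SmbShare -Name $name -Path $path -FullAccess $admins | Out-Null
}

# Check: fail loudly if any principal other than Domain Admins has share-level access.
function Test-ShareAccess {
    param([string] $ShareName, [string] $Allowed)
    $extra = Get-SmbShareAccess -Name $ShareName | Where-Object AccountName -ne $Allowed
    if ($extra) { throw "$ShareName grants share access to: $($extra.AccountName -join ', ')" }
    "$ShareName OK: only $Allowed has share-level access"
}
foreach ($name in $shares) { Test-ShareAccess -ShareName $name -Allowed $admins }
```

As with the GUI steps, this sets share permissions only; the NTFS ACL on the new volume is left at its defaults, and the deployment wizard later grants the session hosts the access they need to the UserDisks share when you enable user profile disks.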

Configure disaster recovery for Remote Desktop Services
Article • 07/03/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016
When you deploy Remote Desktop Services into your environment, it becomes a critical part of your infrastructure, particularly the apps and resources that you share with users. If the RDS deployment goes down due to anything from a network failure to a natural disaster, users can't access those apps and resources, and your business is negatively impacted. To avoid this, you can configure a disaster recovery solution that allows you to fail over your deployment - if your RDS deployment is unavailable, for whatever reason, there is a backup available to automatically take over.

To keep your RDS deployment running in the case of a single component or machine
going down, we recommend configuring your RDS deployment for high availability. You
can do this by setting up an RDSH farm and ensuring your Connection Brokers are
clustered for high availability.

The disaster recovery solutions we recommend here are to protect your deployment from catastrophic disaster - something that takes down your entire RDS deployment (including redundant roles configured for high availability). If such a disaster hits, having a disaster recovery solution built into your deployment will allow you to fail over the entire deployment and quickly get apps and resources up and running for your users.

Use the following information to deploy disaster recovery solutions in RDS:

Leverage multiple Azure data centers to ensure users can access your RDS
deployment, even if one Azure data center goes down (geo-redundancy)
Deploy Azure Site Recovery to provide failover for RDS components in site-to-site
or site-to-Azure failovers

Create a geo-redundant, multi-data center RDS deployment for disaster recovery
Article • 07/03/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10
You can enable disaster recovery for your Remote Desktop Services deployment by
leveraging multiple data centers in Azure. Unlike a standard highly available RDS
deployment (as outlined in the Remote Desktop Services architecture), which uses data
centers in a single Azure region (for example, Western Europe), a multi-data center
deployment uses data centers in multiple geographic locations, increasing the
availability of your deployment - one Azure data center might be unavailable, but it is
unlikely that multiple regions would go down at the same time. By deploying a geo-
redundant RDS architecture, you can enable failover in the case of catastrophic failure of
an entire region.

You can use the instructions below to leverage Microsoft Azure infrastructure services
and RDS to deliver geo-redundant desktop hosting services and Subscriber Access
Licenses (SALs) to multiple tenants through the Microsoft Service Provider License
Agreement (SPLA) program . You can also use the steps below to create a geo-
redundant hosting service for your own employees using RDS User CALs extended
rights through Software Assurance .

Logical architecture for high availability - single and multiple regions
The following image shows the architecture for a highly available deployment in a single
Azure region:
The deployment consists of three layers:

Azure services - the Azure Management interfaces, including the Azure portal and
APIs, and public networking services, such as DNS and public IP addressing.
Desktop hosting service - Virtual machines, networks, storage, Azure services, and
Windows Server role services
Azure Fabric - Windows Server operating systems running the Hyper-V role, used
to virtualize physical servers, storage units, network switches, and routers. Using
Azure Fabric lets you create VMs, networks, storage, and applications independent
from underlying hardware.

In comparison, here is the architecture for a deployment that uses multiple Azure data
centers:
The entire RDS deployment is replicated in a second Azure region to create a geo-
redundant deployment. This architecture uses an active-passive model, where only one
RDS deployment is running at a time. A VNet-to-VNet connection lets the two
environments communicate with each other. The RDS deployments are based on a
single Active Directory forest/domain, and the AD servers replicate across the two
deployments, meaning users can sign into either deployment using the same
credentials. User settings and data stored in User Profile Disks (UPD) are stored on a
two-node cluster Storage Spaces Direct scale-out file server (SOFS). A second identical
Storage Spaces Direct cluster is deployed in the second (passive) region, and Storage
Replica is used to replicate the user profiles from the active to passive deployment.
Azure Traffic Manager is used to automatically direct end users to whichever
deployment is currently active - from the end user perspective, they access the
deployment using a single URL and are not aware of which region they end up using.

You could create a non-highly available RDS deployment in each region, but if even a
single VM is restarted in one region, a failover would occur, increasing the likelihood of
failovers occurring with associated performance impacts.

Deployment steps
Create the following resources in Azure to create a geo-redundant multi-data center
RDS deployment:

1. Two resource groups in two separate Azure regions. For example RG A (the active deployment, RG stands for "resource group") and RG B (the passive deployment).

2. A highly-available Active Directory deployment in RG A. You can use the New AD Domain with 2 Domain Controllers template to create the deployment.

3. A highly-available RDS deployment in RG A. Use the RDS farm deployment using existing active directory template to create the basic RDS deployment, and then follow the information in Remote Desktop Services - High availability to configure the other RDS components for high availability.

4. A VNet in RG B - make sure to use an address space that does not overlap the deployment in RG A.

5. A VNet-to-VNet connection between the two resource groups.

6. Two AD virtual machines in an availability set in RG B - make sure the VM names are different from the AD VMs in RG A. Deploy two Windows Server 2016 VMs in a single availability set, install the Active Directory Domain Services role, and then promote them to the domain controller in the domain you created in step 1.

7. A second highly-available RDS deployment in RG B.

   a. Use the RDS farm deployment using existing active directory template again, but this time make the following changes. (To customize the template, select it in the gallery, click Deploy to Azure and then Edit template.)

i. Adjust the address space of the DNS server private IP to correspond to the
VNet in RG B.

Search for "dnsServerPrivateIp" in variables. Edit the default IP (10.0.0.4) to correspond to the address space you defined in the VNet in RG B.

ii. Edit the computer names so that they don't collide with those in the
deployment in RG A.

Locate the VMs in the Resources section of the template. Change the computerName field under osProfile. For example, "gateway" can become "gateway-b"; "[concat('rdsh-', copyIndex())]" can become "[concat('rdsh-b-', copyIndex())]", and "broker" can become "broker-b".

(You can also change the names of the VMs manually after you run the
template.)
b. As in step 3 above, use the information in Remote Desktop Services - High
availability to configure the other RDS components for high availability.

8. A Storage Spaces Direct scale-out file server with Storage Replica across the two
deployments. Use the PowerShell script to deploy the template across the
resource groups.

Note

You can provision storage manually (instead of using the PowerShell script and template):
a. Deploy a two-node Storage Spaces Direct SOFS in RG A to store your user profile disks (UPDs).
b. Deploy a second, identical Storage Spaces Direct SOFS in RG B - make sure to use the same amount of storage in each cluster.
c. Set up Storage Replica with asynchronous replication between the two.

Enable UPDs
Storage Replica replicates data from a source volume (associated with the primary/active
deployment) to a destination volume (associated with the secondary/passive
deployment). By design, the destination cluster appears as Online (No Access) - Storage
Replica dismounts the destination volumes and their drive letters or mount points. This
means that enabling UPDs for the secondary deployment by providing the file share
path will fail, because the volume is not mounted.

Want to learn more about managing replication? Check out Cluster to cluster Storage
Replication.

To enable UPDs on both deployments, do the following:

1. Run the Set-RDSessionCollectionConfiguration cmdlet to enable the user profile disks for the primary (active) deployment - provide a path to the file share on the source volume (which you created in Step 7 in the deployment steps).

2. Reverse the Storage Replica direction so that the destination volume becomes the source volume (this mounts the volume and makes it accessible by the secondary deployment). You can run the Set-SRPartnership cmdlet to do this. For example:

PowerShell
Set-SRPartnership -NewSourceComputerName "cluster-b-s2d-c" -SourceRGName "cluster-b-s2d-c" -DestinationComputerName "cluster-a-s2d-c" -DestinationRGName "cluster-a-s2d-c"

3. Enable the user profile disks in the secondary (passive) deployment. Use the same steps as you did for the primary deployment, in step 1.

4. Reverse the Storage Replica direction again, so the original source volume is again the source volume in the SR Partnership, and the primary deployment can access the file share. For example:

PowerShell
Set-SRPartnership -NewSourceComputerName "cluster-a-s2d-c" -SourceRGName "cluster-a-s2d-c" -DestinationComputerName "cluster-b-s2d-c" -DestinationRGName "cluster-b-s2d-c"
Azure Traffic Manager
Create an Azure Traffic Manager profile, and make sure to select the Priority routing
method. Set the two endpoints to the public IP addresses of each deployment. Under
Configuration, change the protocol to HTTPS (instead of HTTP) and the port to 443
(instead of 80). Take note of the DNS time to live, and set it appropriately for your
failover needs.

Note that Traffic Manager requires endpoints to return 200 OK in response to a GET request in order to be marked as "healthy." The publicIP object created from the RDS templates will function, but do not add a path addendum. Instead, you can give end users the Traffic Manager URL with "/RDWeb" appended, for example: http://deployment.trafficmanager.net/RDWeb

By deploying Azure Traffic Manager with the Priority routing method, you prevent end
users from accessing the passive deployment while the active deployment is functional.
If end users access the passive deployment and the Storage Replica direction hasn't
been switched for failover, the user sign-in hangs as the deployment tries and fails to
access the file share on the passive Storage Spaces Direct cluster - eventually the
deployment will give up and give the user a temporary profile.
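The Traffic Manager profile described above, built with the Az module (the article's later commands use the older AzureRm names) and followed by a probe-status check. This is an added example, not the article's or the template's code. The profile and endpoint names (MyTrafficManagerProfile, publicIpA, publicIpB) and the resource groups RGA/RGB match the names used later in the article; the DNS label, the 30-second TTL and the public IP resource names are assumptions.

```powershell
# Added example: priority-routed Traffic Manager profile in front of the active (A) and passive (B)
# RDS deployments. Not from the article; DNS label, TTL and public IP names are placeholders.
$rgA = 'RGA'; $rgB = 'RGB'
$profileName = 'MyTrafficManagerProfile'
$dnsLabel    = 'deployment'          # resolves as deployment.trafficmanager.net
$ErrorActionPreference = 'Stop'

# Priority routing sends every client to the priority-1 endpoint while its probe is healthy,
# which keeps users off the passive deployment (and its dismounted Storage Replica volume).
# Probe over HTTPS/443 at "/" only: no path addendum, as the article requires.
$tm = New-AzTrafficManagerProfile -Name $profileName -ResourceGroupName $rgA -ProfileStatus Enabled `
    -TrafficRoutingMethod Priority -RelativeDnsName $dnsLabel -Ttl 30 `
    -MonitorProtocol HTTPS -MonitorPort 443 -MonitorPath '/'

# Azure endpoints point at the public IP resources of each deployment's RD Web / RD Gateway front end.
$pipA = Get-AzPublicIpAddress -ResourceGroupName $rgA -Name 'publicIpA'
$pipB = Get-AzPublicIpAddress -ResourceGroupName $rgB -Name 'publicIpB'
Add-AzTrafficManagerEndpointConfig -EndpointName 'publicIpA' -TrafficManagerProfile $tm `
    -Type AzureEndpoints -TargetResourceId $pipA.Id -EndpointStatus Enabled -Priority 1 | Out-Null
Add-AzTrafficManagerEndpointConfig -EndpointName 'publicIpB' -TrafficManagerProfile $tm `
    -Type AzureEndpoints -TargetResourceId $pipB.Id -EndpointStatus Enabled -Priority 2 | Out-Null
Set-AzTrafficManagerProfile -TrafficManagerProfile $tm | Out-Null

# Check: report each endpoint's probe state. The active side must be Online before go-live;
# a Degraded passive side while its VMs are deallocated is expected.
function Get-RdsEndpointHealth {
    param([string] $Profile, [string] $ResourceGroup)
    foreach ($name in 'publicIpA', 'publicIpB') {
        $ep = Get-AzTrafficManagerEndpoint -Name $name -Type AzureEndpoints `
            -ProfileName $Profile -ResourceGroupName $ResourceGroup
        [pscustomobject]@{ Endpoint = $name; Priority = $ep.Priority; Status = $ep.EndpointStatus; Probe = $ep.EndpointMonitorStatus }
    }
}
Get-RdsEndpointHealth -Profile $profileName -ResourceGroup $rgA | Format-Table -AutoSize
```

A public IP can only be used as a Traffic Manager Azure endpoint if it has a DNS name label set, so configure that on publicIpA and publicIpB first; and because clients cache the answer for the TTL, the value you choose here bounds how quickly users follow a failover.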

Deallocate VMs to save resources
After you configure both deployments, you can optionally shut down and deallocate the
secondary RDS infrastructure and RDSH VMs to save cost on these VMs. The Storage
Spaces Direct SOFS and AD server VMs must always stay running in the
secondary/passive deployment to enable user account and profile synchronization.

When a failover occurs, you'll need to start the deallocated VMs. This deployment
configuration has the advantage of being lower cost, but at the expense of fail-over
time. If a catastrophic failure occurs in the active deployment, you'll have to manually
start the passive deployment, or you'll need an automation script to detect the failure
and start the passive deployment automatically. In either case, it may take several
minutes to get the passive deployment running and available for users to sign in,
resulting in some downtime for the service. This downtime depends on the amount of
time it takes to start the RDS infrastructure and RDSH VMs (typically 2-4 minutes, if the
VMs are started in parallel rather than serially), and the time to bring the passive cluster
online (which depends on the size of the cluster, typically 2-4 minutes for a 2-node
cluster with 2 disks per node).

Active Directory
The Active Directory servers in each deployment are replicas within the same
Forest/Domain. Active Directory has a built-in synchronization protocol to keep the four
domain controllers in sync. However, there may be some lag so that if a new user is
added to one AD server, it may take some time to replicate across all the AD servers in
the two deployments. Consequently, be sure to warn users to not try to sign in
immediately after being added to the domain.

RD License Server
Provide a per-user RD CAL for each named user that is authorized to access the geo-
redundant deployment. Distribute the per user CALs evenly across the two RD License
Servers in the active deployment. Then, duplicate these CALs to the two RD License
Servers in the passive deployment. Because the CALs are duplicated between the active
and passive deployment, at any given time only one deployment can be active with
users connecting; otherwise, you violate the license agreement.

Image Management
As you update your RDSH images to provide software updates or new applications,
you'll need to separately update the RDSH collections in each deployment to maintain a
common user experience across both deployments. You can use the Update RDSH
collection template , but note that the passive deployment's RDS infrastructure and
RDSH VMs must be running to run the template.

Failover
In the case of the Active-Passive deployment, failover requires you to start the VMs of
the secondary deployment. You can do this manually or with an automation script. In
the case of a catastrophic failover of the Storage Spaces Direct SOFS, change the
Storage Replica partnership direction, so that the destination volume becomes the
source volume. For example:

PowerShell
Set-SRPartnership -NewSourceComputerName "cluster-b-s2d-c" -SourceRGName "cluster-b-s2d-c" -DestinationComputerName "cluster-a-s2d-c" -DestinationRGName "cluster-a-s2d-c"

You can learn more in Cluster to cluster Storage Replication.

Azure Traffic Manager automatically recognizes that the primary deployment failed and that the secondary deployment is healthy (once the RD Gateway VMs have been started in RG B) and directs user traffic to the secondary deployment. Users can use the same Traffic Manager URL to continue working on their remote resources, enjoying a consistent experience. Note that the client DNS cache will not update the record for the duration of the TTL set in the Azure Traffic Manager configuration.

Test failover
In a Storage Replica partnership, only one volume (the source) can be active at a time.
This means when you switch the SR Partnership direction, the volume in the primary
deployment (RG A) becomes the destination of replication and is therefore hidden. Thus,
any users connecting to RG A will no longer have access to their UPDs stored on the
SOFS in RG A.

To test the failover while allowing users to continue logging in:

1. Start the infrastructure VMs and RDSH VMs in RG B.

2. Switch the SR Partnership direction (cluster-b-s2d-c becomes the source volume).

3. Disable the endpoint of RG A in the Azure Traffic Manager profile to force the ATM
to direct traffic to RG B. Alternatively, use a PowerShell script:

PowerShell
Disable-AzureRmTrafficManagerEndpoint -Name publicIpA -Type AzureEndpoints -ProfileName MyTrafficManagerProfile -ResourceGroupName RGA -Force

RG B is now the active primary deployment. To switch back to RG A as the primary deployment:

1. Switch the SR Partnership direction (cluster-a-s2d-c becomes the source volume):

PowerShell
Set-SRPartnership -NewSourceComputerName "cluster-a-s2d-c" -SourceRGName "cluster-a-s2d-c" -DestinationComputerName "cluster-b-s2d-c" -DestinationRGName "cluster-b-s2d-c"

2. Re-enable the endpoint of RG A in the Azure Traffic Manager profile:

PowerShell
Enable-AzureRmTrafficManagerEndpoint -Name publicIpA -Type AzureEndpoints -ProfileName MyTrafficManagerProfile -ResourceGroupName RGA
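The Failover and Test failover procedures above as one script that runs in either direction and verifies each step before taking the next, so that Traffic Manager is never pointed at a deployment whose Storage Replica volume is still dismounted. This is an added example, not the article's code; it uses the Az module equivalents of the AzureRm cmdlets quoted above. The cluster names (cluster-a-s2d-c, cluster-b-s2d-c), resource groups, profile and endpoint names are the article's; the VM name filter that keeps the always-running SOFS and AD VMs out of the start list, and the gate checks, are assumptions.

```powershell
# Added example: controlled failover (ToB) or failback (ToA) for the active/passive RDS pair.
# Not from the article; run from a machine with the Az module and Storage Replica RSAT tools.
[CmdletBinding()]
param(
    [ValidateSet('ToB', 'ToA')] [string] $Direction   = 'ToB',
    [string]                    $ProfileName = 'MyTrafficManagerProfile',
    [string]                    $ProfileRg   = 'RGA'
)
$ErrorActionPreference = 'Stop'

# What each direction means: the new SR source cluster, the resource group whose VMs must be
# running, and which Traffic Manager endpoint to disable / enable.
$plans = @{
    ToB = @{ NewSource = 'cluster-b-s2d-c'; NewDest = 'cluster-a-s2d-c'; StartRg = 'RGB'; Disable = 'publicIpA'; Enable = 'publicIpB' }
    ToA = @{ NewSource = 'cluster-a-s2d-c'; NewDest = 'cluster-b-s2d-c'; StartRg = 'RGA'; Disable = 'publicIpB'; Enable = 'publicIpA' }
}
$plan = $plans[$Direction]

# 1. Start the deallocated RDS infrastructure and RDSH VMs in parallel, then wait for all of them.
#    Assumed naming: SOFS node and AD VMs contain 's2d' or '-ad' and are never deallocated.
$vms = Get-AzVM -ResourceGroupName $plan.StartRg | Where-Object { $_.Name -notmatch 's2d|-ad' }
foreach ($vm in $vms) { Start-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -NoWait | Out-Null }
do {
    Start-Sleep -Seconds 15
    $notRunning = $vms | Where-Object {
        (Get-AzVM -ResourceGroupName $_.ResourceGroupName -Name $_.Name -Status).Statuses.Code -notcontains 'PowerState/running'
    }
} while ($notRunning)
"All $($vms.Count) VMs in $($plan.StartRg) are running"

# 2. Reverse the Storage Replica partnership so the new active cluster's volume is mounted.
Set-SRPartnership -NewSourceComputerName $plan.NewSource -SourceRGName $plan.NewSource `
    -DestinationComputerName $plan.NewDest -DestinationRGName $plan.NewDest

# Gate: refuse to move users until the partnership really reports the expected source.
$partnership = Get-SRPartnership -ComputerName $plan.NewSource
if ($partnership.SourceComputerName -notlike "$($plan.NewSource)*") {
    throw "Storage Replica source is '$($partnership.SourceComputerName)', expected '$($plan.NewSource)'; not touching Traffic Manager"
}

# 3. Move users: disable the old endpoint, make sure the new one is enabled.
Disable-AzTrafficManagerEndpoint -Name $plan.Disable -Type AzureEndpoints `
    -ProfileName $ProfileName -ResourceGroupName $ProfileRg -Force | Out-Null
Enable-AzTrafficManagerEndpoint -Name $plan.Enable -Type AzureEndpoints `
    -ProfileName $ProfileName -ResourceGroupName $ProfileRg | Out-Null
"Failover $Direction complete; clients re-resolve the name after the profile TTL expires"
```

Run it with -Direction ToB to exercise the test failover and with -Direction ToA to switch back; the ordering (VMs up, replica reversed and verified, then DNS) is what prevents the hung sign-ins and temporary profiles that the Traffic Manager section above warns about.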

Considerations for on-premises deployments
While an on-premises deployment couldn't use the Azure Quickstart Templates
referenced in this article, you can implement all the infrastructure roles manually. In an
on-premises deployment where cost is not driven by Azure consumption, consider using
an active-active model for quicker failover.

You can use Azure Traffic Manager with on-premises endpoints, but it requires an Azure
subscription. Alternatively, for the DNS provided to end users, give them a CNAME
record that simply directs users to the primary deployment. In the case of failover,
modify the DNS CNAME record to redirect to the secondary deployment. In this way,
the end user uses a single URL, just like with Azure Traffic Manager, that directs the user
to the appropriate deployment.

If you are interested in creating an on-premises-to-Azure-site model, consider using Azure Site Recovery.

Set up disaster recovery for RDS using Azure Site Recovery
Article • 11/01/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10
You can use Azure Site Recovery to create a disaster recovery solution for your Remote
Desktop Services deployment.

Azure Site Recovery is an Azure-based service that provides disaster recovery capabilities by orchestrating replication, failover, and recovery of virtual machines. Azure Site Recovery supports a number of replication technologies to consistently replicate, protect, and seamlessly failover virtual machines and applications to private/public or hoster's clouds.

Use the following information to create and validate the disaster recovery solution.

Disaster recovery deployment options

You can deploy RDS on either physical servers or virtual machines running Hyper-V or VMWare. Azure Site Recovery can protect both on-premises and virtual deployments to either a secondary site or to Azure. The following table shows the different supported RDS deployments in site-to-site and site-to-Azure disaster recovery scenarios.

| Deployment type | Hyper-V site-to-site | Hyper-V site-to-Azure | VMWare site-to-Azure | Physical site-to-Azure |
| --- | --- | --- | --- | --- |
| Pooled virtual desktop (unmanaged) | Yes | No | No | No |
| Pooled virtual desktop (managed, no UPD) | Yes | No | No | No |
| RemoteApps and desktop sessions (no UPD) | Yes | Yes | Yes | Yes |

Prerequisites
Before you can configure Azure Site Recovery for your deployment, make sure you meet
the following requirements:

Create an on-premises RDS deployment.
Add Azure Site Recovery Services vault to your Microsoft Azure subscription.
If you are going to use Azure as your recovery site, run the Azure Virtual Machine Readiness Assessment tool on your VMs to ensure they are compatible with Azure VMs and Azure Site Recovery Services.

Implementation checklist
We'll cover the various steps to enable Azure Site Recovery Services for your RDS
deployment in more detail, but here are the high-level implementation steps.

Step 1 - Configure VMs for disaster recovery

Hyper-V - Download the Microsoft Azure Site Recovery Provider. Install it on your VMM server or Hyper-V host. See Prerequisites for replication to Azure by using Azure Site Recovery for information.

VMWare - Configure protection server, configuration server, and target servers.

Step 2 - Prepare your resources

Add an Azure Storage account.

Hyper-V - Download the Microsoft Azure Recovery Services agent and install it on Hyper-V host servers.

VMWare - Make sure the mobility service is installed on all VMs.

Enable protection for VMs in VMM cloud, Hyper-V sites, or VMWare sites.

Step 3 - Design your recovery plan

Map your resources - map on-premises networks to Azure VNETs.

Create the recovery plan.

Test the recovery plan by creating a test failover. Ensure all VMs can access required resources, like Active Directory. Ensure network redirections are configured and working for RDS. For detailed steps on testing your recovery plan, see Run a test failover.

Step 4 - Run a disaster recovery drill

Run a disaster recovery drill using planned and unplanned failovers. Ensure that all VMs have access to required resources, such as Active Directory. For detailed steps on failovers and how to run drills, see Failover in Site Recovery.

Enable disaster recovery of RDS using Azure Site Recovery
Article • 11/01/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10

To ensure that your RDS deployment is adequately configured for disaster recovery, you
need to protect all of the components that make up your RDS deployment:

Active Directory
SQL Server tier
RDS components
Network components

Configure Active Directory and DNS replication

You need Active Directory on the disaster recovery site for your RDS deployment to work. You have two choices based on how complex your RDS deployment is:

Option 1 - If you have a small number of applications and a single domain controller for your entire on-premises site, and you will be failing over the entire site together, use ASR-Replication to replicate the domain controller to the secondary site (true for both site-to-site and site-to-Azure scenarios).
Option 2 - If you have a large number of applications and you're running an Active Directory forest, and you'll failover a few applications at a time, set up an additional domain controller on the disaster recovery site (either a secondary site or in Azure).

See Protect Active Directory and DNS with Azure Site Recovery for details on making a
domain controller available on the disaster recovery site. For the rest of this guidance,
we assume that you've followed those steps and have the domain controller available.

Set up SQL Server replication

See Protect SQL Server using SQL Server disaster recovery and Azure Site Recovery for the steps to set up SQL Server replication.

Enable protection for the RDS application components

Depending on your RDS deployment type you can enable protection for different component VMs (as listed in the table below) in Azure Site Recovery. Configure the relevant Azure Site Recovery elements based on whether your VMs are deployed on Hyper-V or VMWare.

Deployment type: Personal virtual desktop (unmanaged)
Protection steps:
1. Make sure all virtualization hosts are ready with the RDVH role installed.
2. Connection Broker.
3. Personal desktops.
4. Gold template VM.
5. Web Access, License server, and Gateway server.

Deployment type: Pooled virtual desktop (managed with no UPD)
Protection steps:
1. All virtualization hosts are ready with the RDVH role installed.
2. Connection Broker.
3. Gold template VM.
4. Web Access, License server, and Gateway server.

Deployment type: RemoteApps and Desktop Sessions (no UPD)
Protection steps:
1. Session Hosts.
2. Connection Broker.
3. Web Access, License server, and Gateway server.

Create your disaster recovery plan for RDS
Article • 07/03/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10

You can create a disaster recovery plan in Azure Site Recovery to automate the failover
process. Add all RDS component VMs to the recovery plan.

Use the following steps in Azure to create your recovery plan:

1. Open Azure Site Recovery Vault in the Azure portal, and then click Recovery Plans.
2. Click Create and enter a name for the plan.
3. Select your Source and Target. The target is either a secondary RDS site or Azure.
4. Select the VMs that host your RDS components, and then click OK.

The following sections provide additional information about creating recovery plans for
the different types of RDS deployment.

Sessions-based RDS deployment

For an RDS sessions-based deployment, group the VMs so they come up in sequence:

1. Failover group 1 - Session Host VM
2. Failover group 2 - Connection Broker VM
3. Failover group 3 - Web Access VM

Your plan will look something like this:


Pooled desktops RDS deployment
For an RDS deployment with pooled desktops, group the VMs so they come up in
sequence, adding manual steps and scripts.

1. Failover group 1 - RDS Connection Broker VM

2. Group 1 manual action - Update DNS

Run PowerShell in an elevated mode on the Connection Broker VM. Run the
following command and wait for a couple of minutes to ensure the DNS is
updated with the new value:

ipconfig /registerdns

3. Group 1 script - add Virtualization hosts

Modify the script below to run for each virtualization host in the cloud. Typically
after you add a virtualization host to a Connection Broker, you need to restart the
host. Ensure that the host doesn't have a reboot pending before the script runs, or
else it will fail.

Broker - broker.contoso.com
Virtualization host - VH1.contoso.com

PowerShell

ipmo RemoteDesktop;
# Register the virtualization host with the Connection Broker (restart the host afterwards)
Add-RDServer -ConnectionBroker broker.contoso.com -Role RDS-VIRTUALIZATION -Server VH1.contoso.com

4. Failover group 2 - Template VM

5. Group 2 script 1 - Turn off Template VM

The template VM when recovered to the secondary site will start, but it is a
sysprepped VM and cannot start completely. Also RDS requires that the VM be
shutdown to create a pooled VM configuration from it. So, we need to turn it off. If
you have a single VMM server, the template VM name is the same on the primary
and the secondary. Because of that, we use the VM ID as specified by the Context
variable in the script below. If you have multiple templates, turn them all off.

PowerShell

ipmo virtualmachinemanager;
# $VMsAsTemplate holds the IDs of the template VMs, taken from the recovery plan context
Foreach($vm in $VMsAsTemplate)
{
    Get-SCVirtualMachine -ID $vm | Stop-SCVirtualMachine -Force
}

6. Group 2 script 2 - Remove existing pooled VMs

You need to remove the pooled VMs on the primary site from the Connection
Broker so new VMs can be created on the secondary site. In this case you need to
specify the exact host on which to create the pooled VM. Note that this will delete
the VMs from only the collection.

PowerShell

ipmo RemoteDesktop
# Detach the primary-site pooled VMs from the collection; the VMs themselves are not deleted
$desktops = Get-RDVirtualDesktop -CollectionName Win8Desktops;
Foreach($vm in $desktops){
    Remove-RDVirtualDesktopFromCollection -CollectionName Win8Desktops -VirtualDesktopName $vm.VirtualDesktopName -Force
}

7. Group 2 manual action - Assign new template

You need to assign the new template to the Connection Broker for the collection
so you can create new pooled VMs on the recovery site. Go to the RDS Connection
Broker and identify the collection. Edit the properties and specify a new VM image
as its template.

8. Group 2 script 3 - Recreate all pooled VMs

Recreate the pooled VMs on the recovery site through the Connection Broker. In
this case, you need to specify the exact host on which to create the pooled VM.

The pooled VM name needs to be unique, using the prefix and suffix. If the VM
name already exists, the script will fail. Also, if the primary side VMs are numbered
from 1-5, the recovery site numbering will continue from 6.

PowerShell

ipmo RemoteDesktop;
Add-RDVirtualDesktopToCollection -CollectionName Win8Desktops -VirtualDesktopAllocation @{"RDVH1.contoso.com" = 1}

9. Failover group 3 - Web Access and Gateway server VM

The recovery plan will look like this:


Personal desktops RDS deployment
For an RDS deployment with personal desktops, group the VMs so they come up in
sequence, adding manual steps and scripts.

1. Failover group 1 - RDS Connection Broker VM

2. Group 1 manual action - Update DNS

Run PowerShell in an elevated mode on the Connection Broker VM. Run the
following command and wait for a couple of minutes to ensure the DNS is
updated with the new value:

ipconfig /registerdns

3. Group 1 script - Add Virtualization hosts

Modify the script below to run for each virtualization host in the cloud. Typically
after you add a virtualization host to a Connection Broker, you need to restart the
host. Ensure that the host doesn't have a reboot pending before the script runs, or
else it will fail.

Broker - broker.contoso.com
Virtualization host - VH1.contoso.com

PowerShell

ipmo RemoteDesktop;
# Register the virtualization host with the Connection Broker (restart the host afterwards)
Add-RDServer -ConnectionBroker broker.contoso.com -Role RDS-VIRTUALIZATION -Server VH1.contoso.com

4. Failover group 2 - Template VM

5. Group 2 script 1 - Turn off template VM

The template VM when recovered to the secondary site will start, but it is a
sysprepped VM and cannot start completely. Also RDS requires that the VM be
shutdown to create a pooled VM configuration from it. So, we need to turn it off. If
you have a single VMM server, the template VM name is the same on the primary
and the secondary. Because of that, we use the VM ID as specified by the Context
variable in the script below. If you have multiple templates, turn them all off.

PowerShell

ipmo virtualmachinemanager;
# $VMsAsTemplate holds the IDs of the template VMs, taken from the recovery plan context
Foreach($vm in $VMsAsTemplate)
{
    Get-SCVirtualMachine -ID $vm | Stop-SCVirtualMachine -Force
}

6. Failover group 3 - Personal VMs

7. Group 3 script 1 - Remove existing personal VMs and add them

Remove the personal VMs on the primary site from the Connection Broker so new
VMs can be created on the secondary site. You need to extract the VMs'
assignments and re-add the virtual machines to the Connection Broker with the
hash of assignments. This will only remove the personal VMs from the collection
and re-add them. The personal desktop allocation will be exported and imported
back into the collection.

PowerShell

ipmo RemoteDesktop
$desktops = Get-RDVirtualDesktop -CollectionName CEODesktops;
# Save the user-to-desktop assignments before detaching the desktops
Export-RDPersonalVirtualDesktopAssignment -CollectionName CEODesktops -Path ./Desktopallocations.txt -ConnectionBroker broker.contoso.com

Foreach($vm in $desktops){
    Remove-RDVirtualDesktopFromCollection -CollectionName CEODesktops -VirtualDesktopName $vm.VirtualDesktopName -Force
}

# Restore the saved assignments into the collection on the recovery site
Import-RDPersonalVirtualDesktopAssignment -CollectionName CEODesktops -Path ./Desktopallocations.txt -ConnectionBroker broker.contoso.com

8. Failover group 3 - Web Access and Gateway server VM

Your plan will look something like this:


Run and tune your Remote Desktop Services environment
Article • 07/03/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016

Tuning your deployment takes time and requires instrumentation and monitoring. Use
the processes below to refine your Remote Desktop deployment, keep it running and
enable scaling out (and in) as needed.

It's a good practice to continually assess the metrics and balance against running costs.

Management and monitoring

Check out Manage users in your RDS collection for information about how to manage access to your desktops and remote resources.

Use Microsoft Operations Management Suite (OMS) to monitor Remote Desktop deployments for potential bottlenecks and manage them using one of the following ways:

Server Manager: Use the RD management tool that is built into Windows Server to manage deployments with up to 500 concurrent remote end-users.
PowerShell: Use the RD PowerShell module, also built into Windows Server, to manage deployments with up to 5000 concurrent remote end-users.

Scale: Bigger, better, faster

With visibility into the deployment, you can control scale with more precision. Easily add
or remove Remote Desktop host servers based on scale needs.

Remote Desktop deployments that are built on Azure can make use of Azure services,
like Azure SQL, to scale automatically on demand.

Automation: Script for success

Maintaining a running, highly scaled application involves repeating operations on a
regular basis. Use Remote Desktop Services PowerShell cmdlets and WMI providers to
develop scripts that can be run on multiple deployments when needed. Run Best
Practice Analyzer (BPA) rules for Remote Desktop Services on your deployments to tune
your deployments.

Load testing: Avoid surprises

Load test the deployment with both stress tests and simulation of real-life usage. Vary
the load size to avoid surprises! Ensure that responsiveness meets user requirements,
and that the entire system is resilient. Create load tests with simulation tools, like
LoginVSI, that check your deployment's ability to meet the users' needs.

Manage your personal desktop session collections
Article • 07/03/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016

Use the following information to manage a personal desktop session collection in Remote Desktop Services.

Manually assign a user to a personal session host
Use the Set-RDPersonalSessionDesktopAssignment cmdlet to manually assign a user to
a personal session host server in the collection. The cmdlet supports the following
parameters:

-CollectionName <string>

-ConnectionBroker <string>

-User <string>

-Name <string>

-CollectionName - specifies the name of the personal session desktop collection. This parameter is required.
-ConnectionBroker - specifies the Remote Desktop Connection Broker (RD Connection Broker) server for your Remote Desktop deployment. If you don't supply a value, the cmdlet uses the fully qualified domain name (FQDN) of the local computer.
-User - specifies the user account to associate with the personal session desktop, in DOMAIN\User format. This parameter is required.
-Name - specifies the name of the session host server. This parameter is required. The session host identified here must be a member of the collection that the -CollectionName parameter specifies.

The Import-RDPersonalSessionDesktopAssignment cmdlet imports associations between user accounts and personal session desktops from a text file. The cmdlet supports the following parameters:

-CollectionName <string>
-ConnectionBroker <string>

-Path <string>

–Path specifies the path and file name of a file to import.

Removing a User Assignment from a Personal Session Host
Use the Remove-RDPersonalSessionDesktopAssignment cmdlet to remove the
association between a personal session desktop and a user. The cmdlet supports the
following parameters:

-CollectionName <string>

-ConnectionBroker <string>

-Force

-Name <string>

-User <string>

–Force forces the command to run without asking for user confirmation.

Query user assignments

Use the Get-RDPersonalSessionDesktopAssignment cmdlet to get a list of personal
session desktops and associated user accounts. The cmdlet supports the following
parameters:

-CollectionName <string>

-ConnectionBroker <string>

-User <string>

-Name <string>

You can run the cmdlet to query by collection name, user name, or by session desktop
name. If you specify only the –CollectionName parameter, the cmdlet returns a list of
session hosts and associated users. If you also specify the –User parameter, the session
host associated with that user is returned. If you provide the –Name parameter, the user
associated with that session host is returned.

The Export-RDPersonalSessionDesktopAssignment cmdlet exports the current associations between users and personal session desktops to a text file. The cmdlet supports the following parameters:

-CollectionName <string>

-ConnectionBroker <string>

-Path <string>

All new cmdlets support the common parameters: -Verbose, -Debug, -ErrorAction, -
ErrorVariable, -OutBuffer, and -OutVariable. For more information, see
about_CommonParameters.
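The following script ties the cmdlets above together in the order an operator would run them: check that a host is still unassigned, assign a user to it, verify, take an export as a rollback point, remove the assignment, and restore from the export. It is an added example, not code from the original article; the broker, collection, session host and user names are placeholders.

```powershell
# Added example, not part of the original article. Placeholder names: replace
# the broker, collection, session host and user with values from your deployment.
Import-Module RemoteDesktop

$Broker      = 'broker01.contoso.com'
$Collection  = 'Finance-Personal'
$SessionHost = 'rdsh-fin-03.contoso.com'   # must already be a member of $Collection
$User        = 'CONTOSO\jdoe'              # DOMAIN\User format, as the cmdlet requires
$Backup      = Join-Path $env:TEMP 'personal-session-assignments.txt'

# 1. Refuse to overwrite an existing assignment: a personal session host belongs
#    to exactly one user, so an accidental reassignment silently changes who can
#    sign in to that host.
$current = Get-RDPersonalSessionDesktopAssignment -CollectionName $Collection `
               -ConnectionBroker $Broker -Name $SessionHost -ErrorAction SilentlyContinue
if ($current) {
    throw "Session host $SessionHost is already assigned: $($current | Out-String)"
}

# 2. Assign the user to the host.
Set-RDPersonalSessionDesktopAssignment -CollectionName $Collection -ConnectionBroker $Broker `
    -User $User -Name $SessionHost

# 3. Verify from the user side (query by -User) and from the host side (query by -Name).
Get-RDPersonalSessionDesktopAssignment -CollectionName $Collection -ConnectionBroker $Broker -User $User | Format-Table -AutoSize
Get-RDPersonalSessionDesktopAssignment -CollectionName $Collection -ConnectionBroker $Broker -Name $SessionHost | Format-Table -AutoSize

# 4. Export every assignment in the collection before making destructive changes.
Export-RDPersonalSessionDesktopAssignment -CollectionName $Collection -ConnectionBroker $Broker -Path $Backup

# 5. Remove the user's assignment without an interactive prompt.
Remove-RDPersonalSessionDesktopAssignment -CollectionName $Collection -ConnectionBroker $Broker -User $User -Force

# 6. Restore the assignments from the export taken in step 4.
Import-RDPersonalSessionDesktopAssignment -CollectionName $Collection -ConnectionBroker $Broker -Path $Backup
```

Run it on the RD Connection Broker or on a machine with the RemoteDesktop module installed; keep the export file alongside your other recovery artefacts, since it is the only record of who was mapped to which host once an assignment has been removed.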

Remote Desktop IP Virtualization in
Windows Server
Article • 07/03/2024

As of Windows Server 2008 R2, Remote Desktop session hosts support per-session and
per-program Remote Desktop IP Virtualization for Winsock applications. Remote
Desktop assigns individual IP addresses to user sessions to avoid application
compatibility issues that can happen when all Remote Desktop users in the same
location share the same IP address. This article gives instructions for how to virtualize IP
addresses for your organization's Remote Desktop users.

Note

This article's instructions for virtualizing IPs only apply to on-premises environments.

Prerequisites
In order to use IP Virtualization, your system must meet the following requirements:

Your deployment must run Windows Server 2019 or later.

You must assign the RD Session Host server role to the machine you use to make
the changes.

How to configure IP Virtualization

You can configure IP Virtualization using the Microsoft Management Console (MMC),
Group Policy, or running a command in a PowerShell window.

Microsoft Management Console

1. Open the RD Session Host Configuration MMC on the machine that has the RD Session Host server role.

2. Go to Edit settings.

3. Select IP Virtualization and go to Properties.


4. Select the Enable IP virtualization check box.

5. In the Select the network adapter to be used for IP Virtualization field, select
the network adapter you want to use for IP Virtualization from the drop-down
menu.

Note

IP virtualization currently only supports single-network adapter scenarios. If your server has multiple enabled network adapters, you can only use the adapter you specify in the settings for IP virtualization.

6. When you're finished, select Apply.

7. Optionally, to configure IP virtualization for specific programs:

Return to Edit settings, then select Add program.

Enter or navigate to the file path of the program you want to use.

Select Open.

Repeat for all programs you want to use.

When you're finished, select Apply.

Related content
Remote Desktop Services Virtualization recommendations

Scale out your Remote Desktop Services deployment by adding an RD Session Host farm

Manage users in your RDS collection

Manage users in your RDS collection
Article • 11/01/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10

As an admin, you can directly manage which users have access to specific collections.
This way, you can create one collection with standard applications for information
workers, but then create a separate collection with graphics-intensive modeling
applications for engineers. There are two primary steps to managing user access in a
Remote Desktop Services (RDS) deployment:

1. Create users and groups in Active Directory
2. Assign users and groups to collections

Create your users and groups in Active Directory

In an RDS deployment, Active Directory Domain Services (AD DS) is the source of all users, groups, and other objects in the domain. You can manage Active Directory directly with PowerShell, or you can use built-in UI tools that add ease and flexibility. The following steps will guide you to install those tools — if you do not have them already installed — and then use those tools to manage users and groups.

Install AD DS tools
The following steps detail how to install the AD DS tools on a server already running AD
DS. Once installed, you can then create users or create groups.

1. Connect to the server running Active Directory Domain Services. For Azure
deployments:
a. In the Azure portal, click Browse > Resource groups, and then click the resource
group for the deployment
b. Select the AD virtual machine.
c. Click Connect > Open to open the Remote Desktop client. If Connect is grayed
out, the virtual machine might not have a public IP address. To give it one
perform the following steps, then try this step again.
i. Click Settings > Network interfaces, and then click the corresponding
network interface.
ii. Click Settings > IP address.
iii. For Public IP address, select Enabled, and then click IP address.
iv. If you have an existing public IP address you want to use, select it from the
list. Otherwise, click Create new, enter a name, and then click OK and Save.
d. In the client, click Connect, and then click Use another account. Enter the user
name and password for a domain administrator account.
e. Click Yes when asked about the certificate.
2. Install the AD DS tools:
a. In Server Manager click Manage > Add Roles and Features.
b. Click Role-based or feature-based installation, and then click the current AD
server. Follow the steps until you get to the Features tab.
c. Expand Remote Server Administration Tools > Role Administration Tools > AD
DS and AD LDS Tools, and then select AD DS Tools.
d. Select Restart the destination server automatically if required, and then click
Install.

Create a group
You can use AD DS groups to grant access to a set of users that need to use the same
remote resources.

1. In Server Manager on the server running AD DS, click Tools > Active Directory
Users and Computers.
2. Expand the domain in the left-hand pane to view its subfolders.
3. Right-click the folder where you want to create the group, and then click New >
Group.
4. Enter an appropriate group name, then select Global and Security.

Create a user and add to a group

1. In Server Manager on the server running AD DS, click Tools > Active Directory
Users and Computers.
2. Expand the domain in the left-hand pane to view its subfolders.
3. Right-click Users, and then click New > User.
4. Enter, at minimum, a first name and a user logon name.
5. Enter and confirm a password for the user. Set appropriate user options, like User
must change password at next logon.
6. Add the new user to a group:
a. In the Users folder right-click the new user.
b. Click Add to a group.
c. Enter the name of the group to which you want to add the user.

Assign users and groups to collections
Now that you've created the users and groups in Active Directory, you can add some
granularity regarding who has access to the Remote Desktop collections in your
deployment.

1. Connect to the server running the Remote Desktop Connection Broker (RD
Connection Broker) role, following the steps described earlier.

2. Add the other Remote Desktop servers to the RD Connection Broker's pool of
managed servers:
a. In Server Manager click Manage > Add Servers.
b. Click Find Now.
c. Click each server in your deployment that is running a Remote Desktop Services
role, and then click OK.

3. Edit a collection to assign access to specific users or groups:
a. In Server Manager click Remote Desktop Services > Overview, and then click a
specific collection.
b. Under Properties, click Tasks > Edit properties.
c. Click User groups.
d. Click Add and enter the user or group that you want to have access to the
collection. You can also remove users and groups from this window by selecting
the user or group you want to remove, and then clicking Remove.

Note

The User groups window can never be empty. To narrow the scope of users who have access to the collection, you must first add specific users or groups before removing broader groups.
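The two steps above (create the group and user in AD DS, then scope the collection to that group) can be done from PowerShell with the ActiveDirectory and RemoteDesktop modules. The script below is an added example, not part of the original article; the domain, OU paths, group, user, collection and broker names are placeholders. Because Set-RDSessionCollectionConfiguration takes the complete list of groups in one call, the collection is switched from the broad group to the specific one in a single operation and never passes through the empty state the note warns about.

```powershell
# Added example, not part of the original article. All names below are placeholders.
Import-Module ActiveDirectory
Import-Module RemoteDesktop

$Domain      = 'CONTOSO'
$Broker      = 'broker01.contoso.com'
$Collection  = 'Engineering Modeling'        # existing session collection
$GroupName   = 'RDS-Engineering-Modeling'    # one group per collection keeps access reviewable
$GroupOU     = 'OU=Groups,DC=contoso,DC=com'
$UserOU      = 'OU=Users,DC=contoso,DC=com'
$Sam         = 'jdoe'

# 1. Create a Global security group, matching the "Global" and "Security" choices in the UI.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU `
        -Description "Access to RDS collection '$Collection'"
}

# 2. Create the user. The password is read as a SecureString so it never appears
#    on the command line or in the PowerShell history.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Sam'")) {
    $Password = Read-Host -AsSecureString -Prompt "Initial password for $Sam"
    New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' -SamAccountName $Sam `
        -UserPrincipalName "$Sam@contoso.com" -Path $UserOU -AccountPassword $Password `
        -ChangePasswordAtLogon $true -Enabled $true
}

# 3. Grant access through group membership rather than per-user entries on the collection.
Add-ADGroupMember -Identity $GroupName -Members $Sam

# 4. Replace the collection's user groups with the new group in one call.
Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker `
    -UserGroup "$Domain\$GroupName"

# 5. Verify that only the intended group is left on the collection.
(Get-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker -UserGroup).UserGroup
```

Run the AD DS part on a machine with the AD DS tools installed and the RDS part against the RD Connection Broker; step 5 is the check worth keeping in a scheduled access review, since it prints exactly which groups can reach the collection.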

Customize the RDS title "Work Resources" using PowerShell on Windows Server
Article • 07/03/2024

When using Windows Server to access RemoteApps or desktops through RD WebAccess or the new Remote Desktop app, you may have noticed that the workspace is titled "Work Resources" by default. You can easily change the title by using PowerShell cmdlets.

To change the title, open up a new PowerShell window on the connection broker server
and import the RemoteDesktop module with the following command.

PowerShell

Import-Module RemoteDesktop

Next, use the Set-RDWorkspace command to change the workspace name.

PowerShell

Set-RDWorkspace [-Name] <string> [-ConnectionBroker <string>] [<CommonParameters>]

For example, you can use the following command to change the workspace name to "Contoso RemoteApps":

PowerShell

Set-RDWorkspace -Name "Contoso RemoteApps" -ConnectionBroker broker01.contoso.com

If you are running multiple Connection Brokers in High Availability mode, you must run
this against the active broker. You can use this command:

PowerShell

Set-RDWorkspace -Name "Contoso RemoteApps" -ConnectionBroker (Get-RDConnectionBrokerHighAvailability).ActiveManagementServer

For more information about the Set-RDWorkspace cmdlet, see the Set-RDWorkspace reference.

Use performance counters to diagnose app performance problems on Remote Desktop Session Hosts
Article • 07/03/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016

Poor application performance is one of the most difficult problems to diagnose, especially for slow or nonresponsive applications. Traditionally, you start your diagnosis by collecting CPU, memory, disk input/output, and other metrics. You then use tools like Windows Performance Analyzer to try to figure out what's causing the problem. Unfortunately, in most situations this data doesn't help you identify the root cause because resource consumption counters have frequent and large variations. This situation makes it difficult to read the data and correlate it with the reported issue.

Note

The User Input Delay counter is only compatible with:

Windows Server 2019 or later
Windows 10, version 1809 or later

The User Input Delay counter can help you quickly identify the root cause for bad end
user Remote Desktop performance experiences. This counter measures how long any
user input, such as mouse or keyboard usage, stays in the queue before a process picks
it up. The counter works in both local and remote sessions.

The following image shows a rough representation of user input flow from client to
application.
The User Input Delay counter measures the max delta within an interval of time between
the input being queued and when the app in a traditional message loop picks it up. A
traditional message loop is shown in the following flow chart:

One important detail of this counter is that it reports the maximum user input delay
within a configurable interval. This delay is the longest time it takes for an input to reach
the application, which can affect the speed of important and visible actions like typing.

For example, in the following table, the user input delay would be reported as 1,000 ms
within this interval. The counter reports the slowest user input delay in the interval. The
counter reports this delay because the user's perception of "slow" is determined by the
slowest input time (the maximum) they experience and not the average speed of all
total inputs.

| Number | 0 | 1 | 2 |
| --- | --- | --- | --- |
| Delay | 16 ms | 20 ms | 1,000 ms |

Enable and use the new performance counters

To use these new performance counters, you must first enable a registry key by running this command:

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "EnableLagCounter" /t REG_DWORD /d 0x1 /f

Note

If you use Windows 10, version 1809 or later or Windows Server 2019 or later, you won't need to enable the registry key.

Next, restart the server. Then, open the Performance Monitor, and select the plus icon
(+), as shown in the following screenshot:

Next, you should see the Add Counters dialog, where you can select User Input Delay
per Process or User Input Delay per Session.
When you select User Input Delay per Process, you see the Instances of the selected
object, in other words, the processes in SessionID:ProcessID <Process Image> format.
For example, if the Calculator app is running in a Session ID 1, you see 1:4232
<Calculator.exe> .

Note

Not all processes are included. You won't see any processes that are running as SYSTEM.

The counter starts reporting user input delay as soon as you add it. The maximum scale
is set to 100 (ms) by default.

Next, see the User Input Delay per Session. There are instances for each session ID, and
their counters show the user input delay of any process within the specified session. In
addition, there are two instances called "Max" (the maximum user input delay across all
sessions) and "Average" (the average across all sessions).

This table shows a visual example of these instances. You can get the same information
in Perfmon by switching to the Report graph type.

| Type of counter | Instance name | Reported delay (ms) |
| --- | --- | --- |
| User Input Delay per process | 1:4232 <Calculator.exe> | 200 |
| User Input Delay per process | 2:1000 <Calculator.exe> | 16 |
| User Input Delay per process | 1:2000 <Calculator.exe> | 32 |
| User Input Delay per session | 1 | 200 |
| User Input Delay per session | 2 | 16 |
| User Input Delay per session | Average | 108 |
| User Input Delay per session | Max | 200 |

Counters used in an overloaded system

Now let's look at what you see in the report if performance for an app is degraded. The
following graph shows readings for users working remotely in Microsoft Word. In this
case, the performance degrades over time as more users sign in remotely.
Here's how to read the graph's lines:

The pink line shows the number of sessions signed in on the server.
The red line is the CPU usage.
The green line is the maximum user input delay across all sessions.
The blue line, displayed as black in this graph, represents average user input delay
across all sessions.

There's a correlation between CPU spikes and user input delay. As the CPU gets more
usage, the user input delay increases. Also, as more users get added to the system, CPU
usage gets closer to 100%, leading to more frequent user input delay spikes. While this
counter is useful in cases where the server runs out of resources, it can also track user
input delay related to a specific application.

Configuration options

An important thing to remember when you use this performance counter is that it
reports user input delay on an interval of 1,000 ms by default. If you set the
performance counter sample interval property, as shown in the following screenshot, to
anything different, the reported value will be incorrect.

To fix this issue, you can set the following registry value to match the interval (in
milliseconds) that you want to use. For example, if you change Sample every 1 second to
Sample every 5 seconds, you need to set this key to 5000 ms. DWORD data in a .reg file is
written in hexadecimal, so 5000 ms is dword:00001388:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"LagCounterInterval"=dword:00001388

Note

If you use Windows 10, version 1809 or later or Windows Server 2019 or later, you
don't need to set LagCounterInterval to fix the performance counter.

We've also added a couple of keys you might find helpful under the same registry key:

LagCounterImageNameFirst: set this key to DWORD 1 (default value 0, or key doesn't exist).
This key changes the counter names to "Image Name <SessionID:ProcessId>", for
example, "explorer <1:7964>". This change is useful if you want to sort by image name.

LagCounterShowUnknown: set this key to DWORD 1 (default value 0, or key doesn't exist).
This key shows any processes that are running as services or SYSTEM. Some processes
show up with their session set as "?".
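As an added example (not part of the original article), the following PowerShell script sets LagCounterInterval to match a 5-second sample interval, turns on the two optional keys described above, and reports the sessions whose input delay exceeds a threshold. It assumes the per-session counter is named Max Input Delay, which this page does not state.

```powershell
# Added example: configure the sample interval, then poll the User Input Delay
# counters and flag sessions above a threshold. Run elevated on the session host.
param(
    [int]$SampleSeconds = 5,    # must match LagCounterInterval on pre-1809 / pre-2019 hosts
    [int]$ThresholdMs   = 100   # delay at or above which a session is reported
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# LagCounterInterval is in milliseconds. Set-ItemProperty takes the decimal
# value; a .reg file would carry the same value in hex (5000 = 0x1388).
# Not required on Windows 10 1809+ / Windows Server 2019+, but harmless there.
Set-ItemProperty -Path $regPath -Name 'LagCounterInterval' `
    -Value ($SampleSeconds * 1000) -Type DWord

# Optional keys from the article: name process instances "image <session:pid>"
# and include processes running as services or SYSTEM.
Set-ItemProperty -Path $regPath -Name 'LagCounterImageNameFirst' -Value 1 -Type DWord
Set-ItemProperty -Path $regPath -Name 'LagCounterShowUnknown'    -Value 1 -Type DWord

function Get-SlowSessions {
    param([int]$SampleSeconds, [int]$ThresholdMs)

    # Assumption: the counter under each instance is called "Max Input Delay".
    # One sample covers every session instance plus the "Max" and "Average" rows.
    $sample = Get-Counter -Counter '\User Input Delay per Session(*)\Max Input Delay' `
                          -SampleInterval $SampleSeconds -MaxSamples 1

    foreach ($s in $sample.CounterSamples) {
        $instance = $s.InstanceName          # "1", "2", ..., "max", "average"
        $delayMs  = [int]$s.CookedValue
        if ($instance -in @('max', 'average')) { continue }   # aggregate rows
        if ($delayMs -ge $ThresholdMs) {
            [pscustomobject]@{ SessionId = $instance; DelayMs = $delayMs }
        }
    }
}

Get-SlowSessions -SampleSeconds $SampleSeconds -ThresholdMs $ThresholdMs |
    Sort-Object DelayMs -Descending | Format-Table -AutoSize
```

Per-process instances can be polled the same way by swapping in the User Input Delay per Process counter set.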

The following image shows what it looks like with both keys on:

Use the new counters with non-Microsoft tools

Monitoring tools can consume this counter through the Windows performance counter
APIs; see Using Performance Counters.

Share your feedback


You can submit feedback for this feature through the Feedback Hub. Select Apps > All
other apps and include "RDS performance counters—performance monitor" in your
post's title.

Optimizing Windows configuration for VDI
desktops
Article • 07/03/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10

Although the Windows operating system is well tuned out of the box, there are opportunities for you to refine it
further, specifically for the corporate Microsoft Virtual Desktop Infrastructure (VDI) environment. In the VDI
environment, many background services and tasks are disabled by default.

This article is a guide or starting point for how you might optimize your configuration. Some recommendations
disable functionality that you might prefer to use, so you must weigh the cost against the benefit of adjusting a
particular setting in your scenario.

Note

Any settings not specifically mentioned in this topic can be left at their default values (or set per your
requirements and policies) without appreciable impact on VDI functionality.

VDI optimization principles


A "full" virtual desktop environment can present a complete desktop session, including applications, to a
computer user over a network. The network delivery vehicle can be an on-premises network, the Internet, or
both. Some implementations of virtual desktop environments use a "base" operating system image, which then
becomes the basis for the desktops then presented to the users for work. There are variations of virtual desktop
implementations such as persistent, non-persistent, and desktop session.

The persistent type preserves changes to the virtual desktop operating system from one session to the next.
The non-persistent type doesn't preserve changes to the virtual desktop operating system from one session
to the next.
The desktop session is like sessions on other virtual or physical devices, and accessed over a network.

The optimization settings could be applied on a reference machine. A virtual machine (VM) is an ideal place to
build the reference image, because state is saved, there are checkpoints, and backups are made. A default OS
installation is performed to the base VM. That base VM is then optimized by doing things like removing unneeded
apps, installing updates, deleting temporary files, and applying settings.

Security and stability are among the highest priorities for Microsoft when it comes to products and services. In
the virtual desktop realm, security isn't handled much differently than on physical devices. Enterprise customers
may choose to use the services built into Windows Security, a suite of services that works whether or not the
device is connected to the Internet. For those virtual desktop environments not connected to the Internet,
security signatures can be downloaded proactively several times per day, because Microsoft may release more
than one signature update per day. Those signatures can then be provided to the virtual desktop devices and
scheduled to be installed during production, whether the desktops are persistent or non-persistent. That way the
VM protection is as current as possible.

There are some security settings not applicable to virtual desktop environments not connected to the internet
and unable to participate in cloud-enabled security. There are other settings that "normal" Windows devices may
utilize such as Cloud Experience, or The Windows Store. Removing access to unused features reduces footprint,
network bandwidth, and attack surface.

Windows utilizes a monthly update rhythm. In some cases, virtual desktop administrators control the update
process by shutting down VMs based on a "master" or "gold" image, unsealing that read-only image, patching
the image, then resealing it and bringing it back into production. Therefore, there's no need to have virtual
desktop devices checking Windows Update. However, there are cases where normal patching procedures take
place, like the case of persistent "personal" virtual desktop devices. In some cases, Windows Update can be
utilized. In some cases, Intune could be utilized. In some cases, Microsoft Endpoint Configuration Manager
(formerly SCCM) is utilized to handle update and other package delivery. It's up to each organization to
determine the best approach to updating virtual desktop devices, while reducing overhead cycles.

The local policy settings, and many other settings in this guide, can be overridden with domain-based policy. We
recommend that you go through the policy settings thoroughly and remove or not use any that aren't desired
or applicable to your environment. The settings listed in this document try to achieve the best balance of
performance optimization in virtual desktop environments, while maintaining a quality user experience.

Note

There's a set of scripts available on GitHub that'll do all the work items documented in this paper. The
scripts are designed to be easily customizable for your environment and requirements. The main code is
PowerShell, and the work is done by calling input files, which are plain text (now .JSON), along with Local
Group Policy Object (LGPO) tool export files. These text files contain lists of the apps to be removed, services
to be disabled, and so on. If you don't want to remove a particular app or disable a particular service, you
can edit the corresponding text file and remove the item you don't want acted upon. Finally, there's an
export of local policy settings that can be imported into your environment machines. It's better to have
some of the settings within the base image than to have the settings applied through group policy, as some
of the settings take effect on the next restart or when a component is first used.

Non-persistent virtual desktop environments


When a non-persistent virtual desktop implementation is based on a base or "gold" image, the optimizations are
mostly performed in the base image, and then through local settings and local policies.

With image-based non-persistent (NP) virtual desktop environments, the base image is read-only. When an NP
virtual desktop device (VM) is started, a copy of the base image is streamed to the VM. Activity that occurs during
startup and thereafter until the next reboot is redirected to a temporary location. Users are provided network
locations to store their data. In some cases, the user’s profile is merged with the standard VM to provide the user
with their settings.

One important aspect of NP virtual desktop that is based on a single image is servicing. Updates to the
operating system (OS) and components of the OS are delivered once per month. With an image-based virtual
desktop environment, there's a set of processes that must be performed to get updates to the image:

On a given host, all the VMs on that host that are based on the base image must be shut down or turned off.
This means the users are redirected to other VMs.
In some implementations, this is referred to as "draining." The virtual machine or session host, when set to
draining mode, stops accepting new requests, but continues servicing users currently connected to the
device.
In draining mode, when the last user logs off the device, that device is then ready for servicing operations.
The base image is then opened and started up. All maintenance activities are then performed, such as OS
updates, .NET updates, app updates, and so on.
Any new settings that need to be applied are applied at this time.
Any other maintenance is performed at this time.
The base image is then shut down.
The base image is sealed and set to go back into production.
Users are allowed to log back on.
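The draining step above, as an added example that is not part of the article: the built-in change logon and quser tools (not mentioned on this page) put a Remote Desktop Session Host into drain mode and wait until its last session is gone before the host is taken down for servicing.

```powershell
# Added example: drain a session host and block until no sessions remain.
# Assumes a Remote Desktop Session Host; run elevated.
function Wait-SessionHostDrained {
    param(
        [int]$PollSeconds    = 60,   # how often to re-check for sessions
        [int]$TimeoutMinutes = 240   # give up (but stay drained) after this long
    )

    # Stop accepting new logons; sessions already connected keep running.
    & change.exe logon /drain | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "change logon /drain failed ($LASTEXITCODE)" }

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # quser prints a header plus one line per session (active or
        # disconnected). With nobody logged on it writes to stderr and
        # returns nothing on stdout, so the count below becomes 0.
        $lines  = & quser.exe 2>$null
        $active = @($lines | Select-Object -Skip 1).Count
        if ($active -eq 0) { return $true }

        Write-Host ("{0} session(s) remaining; waiting {1}s" -f $active, $PollSeconds)
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    return $false   # still occupied at the deadline; drain mode stays on
}

if (Wait-SessionHostDrained) {
    Write-Host 'Host drained; safe to shut down and service the base image.'
} else {
    Write-Warning 'Timed out waiting for sessions; host remains in drain mode.'
}
# After the resealed image is back in production: change logon /enable
```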

Note

Windows performs a set of maintenance tasks, automatically, on a periodic basis. There's a scheduled task
that is set to run at 3:00 AM every day by default. This scheduled task performs a list of tasks, including
Windows Update cleanup. You can view all the categories of maintenance that take place automatically with
this PowerShell command:

PowerShell

Get-ScheduledTask | Where-Object {$_.Settings.MaintenanceSettings}

One of the challenges with non-persistent virtual desktop is that when a user logs off, nearly all the OS activity is
discarded. The user’s profile and/or state may be saved to a centralized location, but the virtual machine itself
discards nearly all changes that were made since last boot. Therefore, optimizations intended for a Windows
computer that saves state from one session to the next aren't applicable.

Depending on the architecture of virtual desktop device, things like PreFetch and SuperFetch aren't going to help
from one session to the next, as all the optimizations are discarded on VM restart. Indexing may be a partial
waste of resources, as would be any disk optimizations such as a traditional defragmentation.

Note

If preparing an image using virtualization, and if connected to the Internet during image creation process,
on first logon you should postpone Feature Updates by going to Settings > Windows Update.

To sysprep or not sysprep


Windows has a built-in capability called the System Preparation Tool, also known as sysprep. The sysprep tool is
used to prepare a customized Windows 10 or Windows 11 image for duplication. The sysprep process assures the
resulting OS is properly unique to run in production.

There are reasons for and against running sysprep. For virtual desktop environments, you may want the ability to
customize the default user profile, which would be used as the profile template for later users that sign in using
this image. You may have apps that you want installed, but also want to be able to control per-app settings.

The alternative is to use a standard .ISO to install from, possibly using an unattended installation answer file, and
a task sequence to install applications or remove applications. You can also use a task sequence to set local policy
settings in the image, perhaps using the Local Group Policy Object Utility (LGPO) tool.

To learn more about image preparation for Azure, see Prepare a Windows VHD or VHDX to upload to Azure

Supportability
Anytime that Windows defaults are changed, questions arise regarding supportability. Once a virtual desktop
image (VM or session) is customized, every change made to the image needs to be tracked in a change log. If a
time comes to troubleshoot, often an image can be isolated in a pool and configured for problem analysis. Once
a problem is tracked to the root cause, that change can then be rolled out to the test environment first, and
ultimately to the production workload.

This document intentionally avoids touching system services, policies, or tasks that affect security. Next
comes Windows servicing. The ability to service virtual desktop images outside of maintenance windows is
removed, as maintenance windows are when most servicing events take place in virtual desktop environments,
except for security software updates. Microsoft's guidance for Windows Security in virtual desktop environments
is documented in the Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI)
environment.

Consider supportability when altering default Windows settings. Occasionally, difficult to solve problems arise
when altering system services, policies, or scheduled tasks, in the name of hardening, "lightening," and so on.
Consult the Microsoft Knowledge Base for current known issues regarding altered default settings. The guidance
in this document, and the associated script on GitHub are maintained with respect to known issues, if any arise. In
addition, you can report issues in many ways to Microsoft.

You can use your favorite search engine with the terms "start value" site:support.microsoft.com to bring up
known issues regarding default start values for services.

This document and the associated scripts on GitHub don't modify any default permissions. If you're interested in
increasing your security settings, start with the project known as AaronLocker. For more information, see the
"AaronLocker" overview.

Virtual desktop optimization categories

The following categories are ways in which the virtual desktop can be optimized:

Universal Windows Platform (UWP) app cleanup
Optional features cleanup
Local policy settings
System services
Scheduled tasks
Apply Windows (and other) updates
Automatic Windows traces
Windows Defender optimization with VDI
Client network performance tuning by registry settings
Other settings from the "Windows Restricted Traffic Limited Functionality Baseline" guidance
Disk cleanup

The following sections explain each category in more detail.

Universal Windows Platform (UWP) application cleanup


One of the goals of a virtual desktop image is to be as light as possible with respect to persistent storage. One
way to reduce the size of the image is to remove unused UWP applications (apps). With UWP apps, there are the
main application files, also known as the payload. There's a small amount of data stored in each user’s profile for
application-specific settings. There's also a small amount of data in the "All Users" profile.
In addition, all UWP apps are registered at either the user or machine level at some point after startup for the
device, and login for the user. The UWP apps, which include the Start Menu and the Windows Shell, perform
various tasks at or after installation, and again when a user logs in for the first time, and to a lesser extent at
subsequent logins. For all UWP apps, there are occasional evaluations that take place, such as:

Do you need to update the app to the latest version?
The app, if pinned to the Start Menu, might have live tile data to download.
Does the app have a cache of data that needs to be updated, such as maps or weather?
Does the app have persistent data from the user's profile that needs to be presented at login (for example,
Sticky Notes)?

With a default installation of Windows, it's unlikely that all UWP apps are used by an organization. Therefore, if
those apps are removed, there are fewer evaluations that need to take place, less caching, and so on. The second
method is to direct Windows to disable "consumer experiences." This reduces Store activity, which otherwise has
to check for every user what apps are installed and what apps are available, and then start downloading some
UWP apps. The performance savings can be significant when there are hundreds or thousands of users who all
start work at approximately the same time, or even start work at rolling times across time zones.

Connectivity and timing are important factors when it comes to UWP app cleanup. If you deploy your base image
to a device with no network connectivity, Windows can't connect to the Microsoft Store and download apps and
try to install them while you're trying to uninstall them. This might be a good strategy to allow you time to
customize your image, and then update what remains at a later stage of the image creation process.

If you modify your base .WIM that you use to install Windows and remove unneeded UWP apps from the .WIM
before you install, the apps don't install and your subsequent profile creation times are shorter. There's a link
later in this section with information on how to remove UWP apps from your installation .WIM file.

A good strategy for the virtual desktop environment is to provision the apps you want in the base image, then
limit or block access to the Microsoft Store afterward. Store apps are updated periodically in the background on
normal computers. The UWP apps can be updated during the maintenance window when other updates are
applied.

Delete the payload of UWP apps


UWP apps that aren't needed are still in the file system consuming a small amount of disk space. For apps that
aren't needed, the payload of unwanted UWP apps can be removed from the base image using PowerShell
commands. If you delete UWP app payloads out of the installation .WIM file using the links provided later in this
section, you can start from the beginning with a slim list of UWP apps.

Run the following PowerShell command to enumerate provisioned UWP apps currently running on the local
computer:

PowerShell

Get-AppxProvisionedPackage -Online

UWP apps that are provisioned to a system can be removed during OS installation as part of a task sequence, or
later after the OS is installed. This may be the preferred method because it makes the overall process of creating
or maintaining an image modular. Once you develop the scripts, if something changes in a subsequent build you
edit an existing script rather than repeat the process from scratch.

Then run the following PowerShell command to remove UWP app payloads:

PowerShell

Remove-AppxProvisionedPackage -Online -PackageName MyAppxPackage

As a final note on this topic, each UWP app should be evaluated for applicability in each unique environment.
Install a default installation of Windows 10 or Windows 11, and then note which apps are running and consuming
memory. For example, you might remove apps that start automatically, or apps that automatically display
information on the Start Menu, such as Weather and News.

Note

If you're using the scripts from GitHub, you can easily control which apps are removed before running the
script. After downloading the script files, locate the AppxPackage.json file, edit that file, and remove entries
for apps that you want to keep, such as Calculator, Sticky Notes, and so on.
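As an added example (not the GitHub project's script, whose AppxPackage.json layout is not shown on this page), the following PowerShell function reads a constructed JSON list of apps, previews the removals with -WhatIf, and then removes the provisioned payloads plus any per-user copies already present on the reference machine.

```powershell
# Added example: remove provisioned UWP apps named in a JSON list.
# The JSON below is constructed for this example; its fields are hypothetical.
$removeListJson = @'
[
  { "AppxPackage": "Microsoft.BingWeather",       "Remove": true  },
  { "AppxPackage": "Microsoft.BingNews",          "Remove": true  },
  { "AppxPackage": "Microsoft.WindowsCalculator", "Remove": false }
]
'@

function Remove-ProvisionedAppsFromList {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Json)

    $wanted      = ($Json | ConvertFrom-Json) | Where-Object Remove
    # Per-machine (provisioned) packages; DisplayName carries no version suffix.
    $provisioned = Get-AppxProvisionedPackage -Online

    foreach ($entry in $wanted) {
        $match = $provisioned | Where-Object DisplayName -eq $entry.AppxPackage
        if (-not $match) {
            Write-Verbose "$($entry.AppxPackage) is not provisioned; skipping"
            continue
        }
        foreach ($pkg in $match) {
            if ($PSCmdlet.ShouldProcess($pkg.PackageName, 'Remove-AppxProvisionedPackage')) {
                # Remove the payload so profiles created later never register the app.
                Remove-AppxProvisionedPackage -Online -PackageName $pkg.PackageName | Out-Null

                # Also remove copies already installed for users on this reference
                # machine; a per-user install with no provisioned counterpart is a
                # common cause of sysprep failures.
                Get-AppxPackage -AllUsers -Name $pkg.DisplayName |
                    Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue
            }
        }
    }
}

# Preview first, then apply.
Remove-ProvisionedAppsFromList -Json $removeListJson -WhatIf
Remove-ProvisionedAppsFromList -Json $removeListJson -Verbose
```

Run Get-AppxProvisionedPackage -Online afterwards to confirm the list no longer contains the removed apps.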

Optional features cleanup


This section describes optional features that can be optimized.

Managing optional features with PowerShell


You can manage Windows Optional Features using PowerShell. To enumerate currently installed Windows
Features, run the following PowerShell command:

PowerShell

Get-WindowsOptionalFeature -Online

Using PowerShell, an enumerated Windows Optional Feature can be configured as enabled or disabled, as in the
following example:

PowerShell

Enable-WindowsOptionalFeature -Online -FeatureName "DirectPlay" -All

Here's an example command that disables the Windows Media Player feature in the virtual desktop image:

PowerShell

Disable-WindowsOptionalFeature -Online -FeatureName "WindowsMediaPlayer"

Next, you may want to remove the Windows Media Player package. This example command shows you how to
find the package name:

PowerShell

Get-WindowsPackage -Online -PackageName *media*

The output of that command shows something like the following information:

Output

PackageName : Microsoft-Windows-MediaPlayer-Package~31bf3856ad364e35~amd64~~10.0.19041.153
Applicable : True
Copyright : Copyright (c) Microsoft Corporation. All Rights Reserved
...

If you want to remove the Windows Media Player package (to free up about 60 MB disk space), you can run this
command:

PowerShell

Remove-WindowsPackage -PackageName Microsoft-Windows-MediaPlayer-Package~31bf3856ad364e35~amd64~~10.0.19041.153 -Online
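As an added example (not from the article), the following function disables the Windows Media Player feature and removes its package without hard-coding the build-specific package name shown in the output above, so the same script works across image versions.

```powershell
# Added example: remove Windows Media Player in a build-independent way.
function Remove-MediaPlayerPackage {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # The package name prefix is stable; the ~version suffix changes per build.
    $pattern = 'Microsoft-Windows-MediaPlayer-Package~*'

    # Disable the optional feature first if it is still enabled.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'WindowsMediaPlayer'
    if ($feature -and $feature.State -eq 'Enabled') {
        if ($PSCmdlet.ShouldProcess('WindowsMediaPlayer', 'Disable-WindowsOptionalFeature')) {
            Disable-WindowsOptionalFeature -Online -FeatureName 'WindowsMediaPlayer' -NoRestart | Out-Null
        }
    }

    # Then remove every matching package (normally exactly one).
    $packages = Get-WindowsPackage -Online | Where-Object PackageName -like $pattern
    foreach ($pkg in $packages) {
        if ($PSCmdlet.ShouldProcess($pkg.PackageName, 'Remove-WindowsPackage')) {
            Remove-WindowsPackage -Online -PackageName $pkg.PackageName -NoRestart | Out-Null
        }
    }

    # Return whatever still matches so the caller can verify; empty means success.
    Get-WindowsPackage -Online | Where-Object PackageName -like $pattern
}

Remove-MediaPlayerPackage -WhatIf      # preview
$left = Remove-MediaPlayerPackage      # apply
if (-not $left) { Write-Host 'Windows Media Player package removed.' }
```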

Enabling or disabling Windows features using DISM


You can use the built-in Dism.exe tool to enumerate and control Windows Optional Features. A Dism.exe script
could be developed and run during an operating system installation task sequence with Features on Demand.

Default user settings


You can customize the Windows registry file at C:\Users\Default\NTUSER.DAT. Any setting changes you make to
this file are applied to any subsequent user profiles created from a machine running this image. You can control
which settings you wish to apply to the default user profile by editing the DefaultUserSettings.txt file.

To reduce transmission of graphical data over the virtual desktop infrastructure, you can set the default
background to a solid color instead of the default Windows image. You can also set the sign-in screen to be a
solid color, and turn off the opaque blurring effect on sign-in.

The following settings are applied to the default user profile registry hive, mainly to reduce animations. If some
or all of these settings aren't desired, delete the settings that you don't wish to apply to new user profiles
based on this image. The goal with these settings is to enable the following equivalent settings:

Show shadows under mouse pointer
Show shadows under windows
Smooth edges of screen fonts

And there's a method to disable the following two privacy settings for any user profile created after you run the
optimization:

Let websites provide locally relevant content by accessing my language list
Show me suggested content in the Settings app

The following are the optimization settings applied to the default user profile registry hive to optimize
performance. This operation is performed by first loading the default user profile registry hive NTUser.dat, as the
ephemeral key name Temp, and then making the following modifications:

regedit

Load HKLM\Temp C:\Users\Default\NTUSER.DAT
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer" /v ShellState /t REG_BINARY /d 240000003C2800000000000000000000 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v IconsOnly /t REG_DWORD /d 1 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ListviewAlphaSelect /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ListviewShadow /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowCompColor /t REG_DWORD /d 1 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowInfoTip /t REG_DWORD /d 1 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarAnimations /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v VisualFXSetting /t REG_DWORD /d 3 /f
add "HKLM\Temp\Software\Microsoft\Windows\DWM" /v EnableAeroPeek /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\DWM" /v AlwaysHiberNateThumbnails /t REG_DWORD /d 0 /f
add "HKLM\Temp\Control Panel\Desktop" /v DragFullWindows /t REG_SZ /d 0 /f
add "HKLM\Temp\Control Panel\Desktop" /v FontSmoothing /t REG_SZ /d 2 /f
add "HKLM\Temp\Control Panel\Desktop" /v UserPreferencesMask /t REG_BINARY /d 9032078010000000 /f
add "HKLM\Temp\Control Panel\Desktop\WindowMetrics" /v MinAnimate /t REG_SZ /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v 01 /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338393Enabled /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-353694Enabled /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-353696Enabled /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338388Enabled /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338389Enabled /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
add "HKLM\Temp\Control Panel\International\User Profile" /v HttpAcceptLanguageOptOut /t REG_DWORD /d 1 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.Windows.Photos_8wekyb3d8bbwe" /v Disabled /t REG_DWORD /d 1 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.Windows.Photos_8wekyb3d8bbwe" /v DisabledByUser /t REG_DWORD /d 1 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.YourPhone_8wekyb3d8bbwe" /v Disabled /t REG_DWORD /d 1 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.YourPhone_8wekyb3d8bbwe" /v DisabledByUser /t REG_DWORD /d 1 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /v Disabled /t REG_DWORD /d 1 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /v DisabledByUser /t REG_DWORD /d 1 /f
add "HKLM\Temp\Software\Microsoft\InputPersonalization" /v RestrictImplicitInkCollection /t REG_DWORD /d 1 /f
add "HKLM\Temp\Software\Microsoft\InputPersonalization" /v RestrictImplicitTextCollection /t REG_DWORD /d 1 /f
add "HKLM\Temp\Software\Microsoft\Personalization\Settings" /v AcceptedPrivacyPolicy /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\InputPersonalization\TrainedDataStore" /v HarvestContacts /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v ScoobeSystemSettingEnabled /t REG_DWORD /d 0 /f
Unload HKLM\Temp

The BackgroundAccessApplications entries above stop Windows apps from starting and running in the
background. While not significant on a single device, Windows starts multiple processes for each user session on
a given device, or session host. If this functionality is desired as-is, delete the lines in the
DefaultUserSettings.txt file that include the app names like Windows.Photos and/or MicrosoftEdge.
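The load, modify, unload procedure above as an added PowerShell example (not the project's script): a subset of the settings listed above is written to the default hive, with the unload in a finally block so that a failed run does not leave NTUSER.DAT mounted, which would break creation of new user profiles.

```powershell
# Added example: apply default-profile settings to NTUSER.DAT and always unload.
$hivePath = 'C:\Users\Default\NTUSER.DAT'
$mount    = 'HKLM\Temp'   # ephemeral key name, as in the article

# Constructed subset of the settings above: key (under the hive), name, type, data.
$settings = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'TaskbarAnimations';   Type = 'REG_DWORD';  Data = '0' },
    @{ Key = 'Software\Microsoft\Windows\DWM';                               Name = 'EnableAeroPeek';      Type = 'REG_DWORD';  Data = '0' },
    @{ Key = 'Control Panel\Desktop';                                        Name = 'DragFullWindows';     Type = 'REG_SZ';     Data = '0' },
    @{ Key = 'Control Panel\Desktop';                                        Name = 'UserPreferencesMask'; Type = 'REG_BINARY'; Data = '9032078010000000' }
)

# Mount the default user's hive. Fails if it is already loaded or in use
# (for example, while a profile is being created from it).
& reg.exe load $mount $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load $hivePath failed ($LASTEXITCODE)" }

try {
    foreach ($s in $settings) {
        & reg.exe add "$mount\$($s.Key)" /v $s.Name /t $s.Type /d $s.Data /f | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "failed: $($s.Key)\$($s.Name)" }
    }
}
finally {
    # Release any handles this session may hold on HKLM:\Temp (for example from
    # Get-ItemProperty), then unload; a still-mounted hive blocks new profiles.
    [GC]::Collect()
    & reg.exe unload $mount | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg unload $mount failed; close anything browsing the hive and unload it manually"
    }
}
```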

Local policy settings


Many optimizations for Windows in a virtual desktop environment can be made using Windows policy. The
settings listed in the table in this section can be applied locally to the base/gold image. If the equivalent settings
aren't specified in any other way, such as group policy, the settings still apply.

Some decisions may be based on the specifics of the environment.

Is the virtual desktop environment allowed to access the Internet?
Is the virtual desktop solution persistent or non-persistent?

The following settings were chosen to not counter or conflict with any setting that has anything to do with
security. These settings were chosen to remove settings or disable functionality that may not be applicable to
virtual desktop environments.

Policy setting: Local Computer Policy \ Computer Configuration \ Windows Settings \ Security Settings
  Item: N/A
  Sub-item: N/A
  Possible setting and comments: N/A

Policy setting: Network List Manager policies
  Item: All networks properties
  Sub-item: Network location
  Possible setting and comments: User can't change location (This setting is set to prevent the right-hand side pop-up when a new network is detected)

Policy setting: Local Computer Policy \ Computer Configuration \ Administrative Templates \ Control Panel
  Item: N/A
  Sub-item: N/A
  Possible setting and comments: N/A

Policy setting: Control Panel
  Item: Allow Online Tips
  Sub-item: N/A
  Possible setting and comments: Disabled (Settings can't contact Microsoft content services to retrieve tips and help content)

Policy setting: Control Panel \ Personalization
  Item: Force a specific default lock screen and logon image
  Sub-item: N/A
  Possible setting and comments: Enabled (This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image is used for both the lock and logon screens. The reason for this recommendation is to reduce bytes transmitted over the network for virtual desktop environments. This setting can be removed or customized for each environment.)

Policy setting: Control Panel \ Regional and Language Options \ Handwriting personalization
  Item: Turn off automatic learning
  Sub-item: N/A
  Possible setting and comments: Enabled (With this policy setting enabled, automatic learning stops, and any stored data is deleted. Users can't configure this setting in Control Panel)

Policy setting: Local Computer Policy \ Computer Configuration \ Administrative Templates \ Network
  Item: N/A
  Sub-item: N/A
  Possible setting and comments: N/A

Policy setting: Background Intelligent Transfer Service (BITS)
  Item: Allow BITS Peer caching
  Sub-item: N/A
  Possible setting and comments: Disabled (This policy setting determines if the Background Intelligent Transfer Service (BITS) peer caching feature is enabled on a specific computer.)

Policy setting: Background Intelligent Transfer Service (BITS)
  Item: Don't allow the BITS client to use Windows Branch Cache
  Sub-item: N/A
  Possible setting and comments: Enabled (With this policy setting enabled, the BITS client doesn't use Windows Branch Cache.) The reason for this recommendation is so that virtual desktop devices aren't used for content caching, and the devices aren't allowed to use the network bandwidth.

Policy setting: Background Intelligent Transfer Service (BITS)
  Item: Don't allow the computer to act as a BITS Peer caching client
  Sub-item: N/A
  Possible setting and comments: Enabled (With this policy setting enabled, the computer doesn't use the BITS peer caching feature to download files; files are downloaded only from the origin server.)

Policy setting: Background Intelligent Transfer Service (BITS)
  Item: Don't allow the computer to act as a BITS Peer caching server
  Sub-item: N/A
  Possible setting and comments: Enabled (With this policy setting enabled, the computer can't cache downloaded files and offer them to its peers.)

Policy setting: BranchCache
  Item: Turn on BranchCache
  Sub-item: N/A
  Possible setting and comments: Disabled (With this selection disabled, BranchCache is turned off for all client computers where the policy is applied.)

Policy setting: *Fonts
  Item: Enabled Font Providers
  Sub-item: N/A
  Possible setting and comments: Disabled (With this setting disabled, Windows doesn't connect to an online font provider and only enumerates locally installed fonts)

Policy setting: Hotspot Authentication
  Item: Enable hotspot Authentication
  Sub-item: N/A
  Possible setting and comments: Disabled (This policy setting defines whether WLAN hotspots are probed for Wireless Internet Service Provider roaming (WISPr) protocol support. With this policy setting disabled, WLAN hotspots aren't probed for WISPr protocol support, and users can only authenticate with WLAN hotspots using a web browser.)

Policy setting: Microsoft Peer-to-Peer Networking Services
  Item: Turn off Microsoft Peer-to-Peer Networking Services
  Sub-item: N/A
  Possible setting and comments: Enabled (This setting turns off Microsoft Peer-to-Peer Networking Services in its entirety and causes all dependent applications to stop working. If you enable this setting, peer-to-peer protocols are turned off.)

Policy setting: Network Connectivity Status Indicator (There are other settings in this section that can be used in isolated networks)
  Item: Specify passive polling
  Sub-item: Disable passive polling (checkbox)
  Possible setting and comments: Enabled (This policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity is lost. Use the options to control the passive polling behavior.) Disabling NCSI passive polling can improve CPU workload on servers or other machines whose network connectivity is static.

Policy setting: Offline Files
  Item: Allow or Disallow use of the Offline Files feature
  Sub-item: N/A
  Possible setting and comments: Disabled (This policy setting determines whether the Offline Files feature is enabled. Offline Files saves a copy of network files on the user's computer for use when the computer isn't connected to the network. With this policy setting disabled, the Offline Files feature is disabled and users can't enable it.)

Policy setting: *TCPIP Settings \ IPv6 Transition Technologies
  Item: Set Teredo State
  Sub-item: Disabled State
  Possible setting and comments: Enabled (With this setting enabled, and set to "Disabled State", no Teredo interfaces are present on the host)

Policy setting: *WLAN Service \ WLAN Settings
  Item: Allow Windows to automatically connect to suggested open hot spots, to networks shared by contacts, and to hot spots offering paid services
  Sub-item: N/A
  Possible setting and comments: Disabled (This policy setting determines whether users can enable the following WLAN settings: "Connect to suggested open hotspots," "Connect to networks shared by my contacts," and "Enable paid services." With this policy setting disabled, "Connect to suggested open hotspots," "Connect to networks shared by my contacts," and "Enable paid services" are turned off and users on this device are prevented from enabling them.)

Policy setting: WWAN Service \ Cellular Data Access
  Item: Let Windows apps access cellular data
  Sub-item: Default for all apps: Force Deny
  Possible setting and comments: Enabled (If you choose the "Force Deny" option, Windows apps aren't allowed to access cellular data and users can't change it.)

Policy setting: Local Computer Policy \ Computer Configuration \ Administrative
  Item: N/A
  Sub-item: N/A
Templates \ Start Menu
and Taskbar

*Notifications Turn off notifications N/A Enabled (With this policy setting
network usage enabled, applications and system
features aren't able to receive
notifications from the network from
WNS or via notification polling APIs)

Local Computer Policy \ N/A N/A N/A


Computer
Configuration \
Administrative
Templates \ System

Device Installation Don't send a N/A Enabled (With this policy setting
Windows error report enabled, an error report isn't sent when
when a generic driver a generic driver is installed.)
is installed on a
device

Device Installation Prevent creation of a N/A Enabled (With this policy setting
system restore point enabled, Windows doesn't create a
during device activity system restore point when one would
that would normally normally be created.)
prompt creation of a
restore point

Device Installation Prevent device N/A Enabled (This policy setting allows you
metadata retrieval to prevent Windows from retrieving
from the Internet device metadata from the Internet.
With this policy setting enabled,
Windows doesn't retrieve device
metadata for installed devices from the
Internet. This policy setting overrides
the setting in the Device Installation
Settings dialog box (Control Panel >
System and Security > System >
Advanced System Settings > Hardware
tab).)
Policy setting Item Sub-item Possible setting and comments

Device Installation Turn off "Found New N/A Enabled (This policy setting allows you
Hardware" balloons to turn off "Found New Hardware"
during device balloons during device installation.
installation With this policy setting enabled,
"Found New Hardware" balloons don't
appear while a device is being
installed.)

Filesystem\NTFS Short name creation Short name creation options: Enabled (These settings provide
options Disabled on all volumes control over whether or not short
names are generated during file
creation. Some applications require
short names for compatibility, but
short names have a negative
performance impact on the system.
With short names disabled on all
volumes, then they aren't generated.)

*Group Policy Continue experiences N/A Disabled (This policy setting


on this device determines whether the Windows
device is allowed to participate in
cross-device experiences (continue
experiences). Disabling this policy
prevents this device from being
discoverable by other devices, and thus
can't participate in cross-device
experiences.)

Internet Turn off Event Viewer N/A Enabled (This policy setting specifies
Communication "Events.asp" links whether "Events.asp" hyperlinks are
Management\ Internet available for events within the Event
Communication Viewer application.)
settings

Internet Turn off handwriting N/A Enabled (Turns off data sharing from
Communication personalization data the handwriting recognition
Management\ Internet sharing personalization tool.)
Communication
settings

Internet Turn off handwriting N/A Enabled (Turns off the handwriting
Communication recognition error recognition error reporting tool.)
Management\ Internet reporting
Communication
settings

Internet Turn off Help and N/A Enabled (This policy setting specifies
Communication Support Center whether users can perform a Microsoft
Management\ Internet Microsoft Knowledge Knowledge Base search from the Help
Communication Base search and Support Center.)
settings

Internet Turn off Internet N/A Enabled (This policy setting specifies
Communication Connection Wizard if whether the Internet Connection
Management\ Internet URL connection is Wizard can connect to Microsoft to
Communication referring to download a list of Internet Service
settings Microsoft.com Providers (ISPs).)

Internet Turn off Internet N/A Enabled (This policy setting specifies
Communication download for Web whether Windows should download a
Management\ Internet
Policy setting Item Sub-item Possible setting and comments

Communication publishing and online list of providers for the web publishing
settings ordering wizards and online ordering wizards.)

Internet Turn off Internet File N/A Enabled (This policy setting specifies
Communication Association service whether to use the Microsoft Web
Management\ Internet service for finding an application to
Communication open a file with an unhandled file
settings association.)

Internet Turn off Registration if N/A Enabled (This policy setting specifies
Communication URL connection is whether the Windows Registration
Management\ Internet referring to Wizard connects to Microsoft.com for
Communication Microsoft.com online registration.)
settings

Internet Turn off Search N/A Enabled (This policy setting specifies
Communication Companion content whether Search Companion should
Management\ Internet file updates automatically download content
Communication updates during local and Internet
settings searches.)

Internet Turn off the "Order N/A Enabled (If you enable this policy
Communication Prints" picture task setting, the task "Order Prints Online"
Management\ Internet is removed from Picture Tasks in File
Communication Explorer folders.)
settings

Internet Turn off the "Publish N/A *Enabled (This policy setting specifies
Communication to Web" task for files whether the tasks "Publish this file to
Management\ Internet and folders the Web," "Publish this folder to the
Communication Web," and "Publish the selected items
settings to the Web" are available from File and
Folder Tasks in Windows folders.)

Internet Turn off Windows N/A Enabled (The Windows Customer


Communication Customer Experience Experience Improvement Program
Management\ Internet Improvement (CEIP) collects information about your
Communication Program hardware configuration and how you
settings use our software and services to
identify trends and usage patterns. If
you enable this policy setting, all users
are opted out of the Windows CEIP.)

Internet Turn off Windows N/A Enabled (This policy setting controls
Communication Error Reporting whether or not errors are reported to
Management\ Internet Microsoft. If you enable this policy
Communication setting, users aren't given the option to
settings report errors.)

Internet Turn off Windows N/A Enabled (This policy setting specifies
Communication Update device driver whether Windows searches Windows
Management\ Internet searching Update for device drivers when no
Communication local drivers for a device are present. If
settings you enable this policy setting,
Windows Update isn't searched when a
new device is installed.)

Logon Don't display the N/A Enabled (With this setting enabled, the
Getting Started welcome screen is hidden from the
welcome screen at user logging on to a Windows device.)
logon
Policy setting Item Sub-item Possible setting and comments

Logon Don't enumerate N/A Enabled (With this setting enabled, the
connected users on Logon UI doesn't enumerate any
domain-joined connected users on domain-joined
computers computers.)

Logon Enumerate local users N/A Disabled (With this setting disabled,
on domain-joined the Logon UI doesn't enumerate local
computers users on domain-joined computers.)

Logon Show clear logon N/A Enabled (This policy setting disables
background the acrylic blur effect on logon
background image. With this setting
enabled, the logon background image
shows without blur.)

Logon Show first sign-in N/A Disabled (This policy setting allows you
animation to control whether users see the first
sign-in animation when signing in to
the computer for the first time. This
applies to both the first user of the
computer who completes the initial
setup and users who are added to the
computer later. It also controls if
Microsoft account users are offered the
opt-in prompt for services during their
first sign-in.

With this setting disabled, users don't


see the first logon animation and
Microsoft account users don't see the
opt-in prompt for services.)

Logon Turn off app N/A Enabled (This policy setting allows you
notifications on the to prevent app notifications from
lock screen appearing on the lock screen. With this
setting enabled, no app notifications
are displayed on the lock screen.)

Power Management Select an active power Active Power Plan: High Enabled (If you enable this policy
plan Performance setting, specify a power plan from the
Active Power Plan list.)

With the "Power" service disabled, the


Powercfg.cpl UI isn't able to display
these power options, and instead
returns an RPC error.

Power Management \ Turn on desktop N/A Disabled (This policy setting allows you
Video and Display background slideshow to specify if Windows should enable
Settings (plugged-in) the desktop background slideshow.)
With this setting disabled, the desktop
background slideshow is disabled. This
setting likely has no effect on a VM.

Recovery Allow restore of N/A Disabled (With this setting disabled,


system to default the items "Use a system image you
state created earlier to recover your
computer" and "Reinstall Windows" (or
"Return your computer to factory
condition") in Recovery (in Control
Panel) are unavailable.)
Policy setting Item Sub-item Possible setting and comments

*Storage Health Allow downloading N/A Disabled (Updates wouldn't be


updates to the Disk downloaded for the Disk Failure
Failure Prediction Prediction Failure Model)
Model

System Restore Turn off System N/A Enabled (With this setting enabled,
Restore System Restore is turned off, and the
System Restore Wizard can't be
accessed. The option to configure
System Restore or create a restore
point through System Protection is also
disabled.)

Troubleshooting and Configure Scheduled N/A Disabled (Determines whether


Diagnostics\ Scheduled Maintenance Behavior scheduled diagnostics run to
Maintenance proactively detect and resolve system
problems. With this policy setting
disabled, Windows can't detect,
troubleshoot, or resolve problems on a
scheduled basis.)

Troubleshooting and Troubleshooting: N/A Disabled (With this setting disabled,


Diagnostics\ Scripted Allow users to access users can't access or run the
Diagnostics and run troubleshooting tools from the Control
Troubleshooting Panel.)
wizards

Troubleshooting and Troubleshooting: N/A Disabled With this setting disabled,


Diagnostics\ Scripted Allow users to access users can only access and search
Diagnostics online troubleshooting content that is
troubleshooting available locally on their computers,
content on Microsoft even if they're connected to the
servers from the Internet. They're prevented from
Troubleshooting connecting to the Microsoft servers
Control Panel (via the that host the Windows Online
Windows Online Troubleshooting Service.
Troubleshooting
Service – WOTS)

Troubleshooting and Configure Scenario N/A Disabled (Determines the execution


Diagnostics\ Windows Execution Level level for Windows Boot Performance
Boot Performance Diagnostics. If you disable this policy
Diagnostics setting, Windows can't detect,
troubleshoot or resolve any Windows
Boot Performance problems that are
handled by the DPS.)

This setting can be useful during


design, test, development, or
maintenance phases. This setting could
be enabled on an isolated VM or
session host, measurements taken, and
results noted in event logs under
"Microsoft-Windows-Diagnostics-
Performance/Operational" Source:
Diagnostics-Performance, Task
Category "Boot Performance
Monitoring."

ALSO: With the DPS service disabled,


this setting has no effect, as Windows
Policy setting Item Sub-item Possible setting and comments

doesn't log performance data.

Troubleshooting and Configure Scenario N/A Disabled (This policy setting


Diagnostics\ Windows Execution Level determines whether Diagnostic Policy
Memory Leak Service (DPS) diagnoses memory leak
Diagnostics problems. With this setting disabled,
the DPS isn't able to diagnose memory
leak problems.)

Many diagnostics modes can be


enabled, and tools used such as WPT,
though these are done in
dev/test/maintenance scenarios and
not enabled and used on production
VMs or sessions

Troubleshooting and Enable/Disable N/A Disabled (This policy setting specifies


Diagnostics\ Windows PerfTrack whether to enable or disable tracking
Performance PerfTrack of responsiveness events. With this
setting disabled, responsiveness events
aren't processed.)

Troubleshooting and Configure Scenario N/A Disabled (Determines the execution


Diagnostics\ Windows Execution Level level for Windows Resource Exhaustion
Resource Exhaustion Detection and Resolution. With this
Detection and setting disabled, Windows can't detect,
Resolution troubleshoot or resolve any Windows
Resource Exhaustion problems that are
handled by the DPS.)

Troubleshooting and Configure Scenario N/A Disabled (Determines the execution


Diagnostics\ Windows Execution Level level for Windows Shutdown
Shutdown Performance Performance Diagnostics. With this
Diagnostics setting disabled, Windows can't detect,
troubleshoot or resolve any Windows
Shutdown Performance problems that
are handled by the DPS.)

Troubleshooting and Configure Scenario N/A Disabled (Determines the execution


Diagnostics\ Windows Execution Level level for Windows Standby/Resume
Standby/Resume Performance Diagnostics. With this
Performance setting disabled, Windows can't detect,
Diagnostics troubleshoot or resolve any Windows
Standby/Resume Performance
problems that are handled by the DPS.)

Troubleshooting and Configure Scenario N/A Disabled (Determines the execution


Diagnostics\ Windows Execution Level level for Windows System
System Responsiveness Responsiveness Diagnostics. With this
Performance setting disabled, Windows can't detect,
Diagnostics troubleshoot or resolve any Windows
System Responsiveness problems that
are handled by the DPS.)

*User Profiles Turn off the N/A Enabled (With this setting enabled, the
advertising ID advertising ID is turned off. Apps can't
use the ID for experiences across apps)

Local Computer Policy \ N/A N/A N/A


Computer
Configuration \
Administrative
Policy setting Item Sub-item Possible setting and comments

Templates \ Windows
Components

*App Privacy Let Windows apps Default for all apps: Force Deny Enabled (With this setting enabled, and
access diagnostic using the "Force Deny" option,
information about Windows apps aren't allowed to get
other apps diagnostic information about other
apps and employees in your
organization can't change it.)

*App Privacy Let Windows apps Default for all apps: Force Deny Enabled With this setting enabled, and
access location using the "Force Deny" option,
Windows apps aren't allowed to access
location and users can't change the
setting.

*App Privacy Let Windows apps Default for all apps: Force Deny Enabled (With this setting enabled, and
access motion using the "Force Deny" option,
Windows apps aren't allowed to access
motion data and users can't change
the setting.)

*App Privacy Let Windows apps Default for all apps: Force Deny Enabled (With this setting enabled, and
access notifications using the "Force Deny" option,
Windows apps aren't allowed to access
notifications and users can't change
the setting)

*App Privacy Let Windows apps Default for all apps: Force Deny Enabled (This policy setting specifies
activate with voice whether Windows apps can be
activated by voice.)

*App Privacy Let Windows apps Default for all apps: Force Deny Enabled (This policy setting specifies
activate with voice whether Windows apps can be
while the system is activated by voice while the system is
locked locked.)

*App Privacy Let Windows apps Default for all apps: Force Deny Enabled (If you choose the "Force
control radios Deny" option, Windows apps don't
have access to control radios and
employees in your organization can't
change it)

Application Turn off Inventory N/A Enabled (This policy setting controls
Compatibility Collector the state of the Inventory Collector.
The Inventory Collector inventories
applications, files, devices, and drivers
on the system and sends the
information to Microsoft. With this
policy setting enabled, the Inventory
Collector is turned off and data isn't
sent to Microsoft. Collection of
installation data through the Program
Compatibility Assistant is also
disabled.)

AutoPlay Policies Set the default Don't execute any autorun Enabled (This policy setting sets the
behavior for AutoRun commands default behavior for Autorun
commands.)

*AutoPlay Policies Turn off Autoplay All drives Enabled (If you enable this policy
setting, Autoplay is disabled on all
Policy setting Item Sub-item Possible setting and comments

drives.)

*Cloud Content Don't show Windows N/A Enabled (This policy setting prevents
tips Windows tips from being shown to
users)

*Cloud Content Turn off Microsoft N/A Enabled (With this policy setting
consumer experiences enabled, users don't see personalized
recommendations from Microsoft and
notifications about their Microsoft
account)

*Data Collection and Allow Telemetry 0 – Security [Enterprise Only] Enabled (Setting a value of 0 applies to
Preview Builds devices running Enterprise, Education,
IoT, or Windows Server editions only,
and reduces telemetry sent to the most
basic level supported)

Data Collection and Configure collection Configure telemetry collection: Enabled (You can configure Microsoft
Preview Builds of browsing data for Don't allow sending intranet or Edge to send intranet history only,
Desktop Analytics internet history internet history only, or both to
Desktop Analytics for enterprise
devices with a configured Commercial
ID. If disabled or not configured,
Microsoft Edge doesn't send browsing
history data to Desktop Analytics.)

*Data Collection and Don't show feedback N/A Enabled (This policy setting allows an
Preview Builds notifications organization to prevent its devices
from showing feedback questions from
Microsoft.)

Delivery Optimization Download Mode Download Mode: Simple (99) Enabled (99 = Simple download mode
with no peering. Delivery Optimization
downloads using HTTP only and
doesn't attempt to contact the Delivery
Optimization cloud services.)

Desktop Window Don't allow window N/A Enabled (This policy setting controls
Manager animations the appearance of window animations
such as those found when restoring,
minimizing, and maximizing windows.
With this policy setting enabled,
window animations are turned off.)

Desktop Window Use solid color for N/A Enabled (This policy setting controls
Manager Start background the Start background visuals. With this
policy setting enabled, the Start
background uses a solid color.)

Edge UI Allow edge swipe N/A Disabled (If you disable this policy
setting, users can't invoke any system
UI by swiping in from any screen edge.)

Edge UI Disable help tips N/A Enabled (If this setting is enabled,
Windows doesn't show any help tips to
the user.)

File Explorer Don't show the "new N/A Enabled (This policy removes the end-
application installed" user notification for new application
notification associations. These associations are
based on file types (for example, TXT
Policy setting Item Sub-item Possible setting and comments

files) or protocols (for example, HTTP).


If this policy is enabled, no notifications
are shown to the end-user)

File History Turn off File History N/A Enabled (With this policy setting
enabled, File History can't be activated
to create regular, automatic backups.)

*Find My Device Turn On/Off Find My N/A Disabled (When Find My Device is off,
Device the device and its location aren't
registered, and the "Find My Device"
feature doesn't work. The user can't
view the location of the last use of their
active digitizer on their device.)

Homegroup Prevent the computer N/A Enabled (If you enable this policy
from joining a setting, users can't add computers to a
homegroup homegroup. This policy setting doesn't
affect other network sharing features.)

Internet Information Prevent IIS installation N/A Enabled (With this policy setting
Services enabled, IIS can't be installed, and you
can't install Windows components or
applications that require IIS.)

*Location and Sensors Turn off location N/A Enabled (With this setting enabled, the
location feature is turned off, and all
programs on this device are prevented
from using location information from
the location feature)

Location and Sensors Turn off sensors N/A Enabled (This policy setting turns off
the sensor feature for this device. With
this policy setting enabled, the sensor
feature is turned off, and all programs
on this computer can't use the sensor
feature.)

Locations and Sensors / Turn off Windows N/A Enabled (This policy setting turns off
Windows Location Location Provider the Windows Location Provider feature
Provider for this device.)

*Maps Turn off Automatic N/A Enabled (With this setting enabled, the
Download and automatic download and update of
Update of Map Data map data is turned off.)

*Maps Turn off unsolicited N/A Enabled (With this setting enabled,
network traffic on the features that generate network traffic
Offline Maps settings on the Offline Maps settings page are
page turned off. Note: This may turn off the
entire settings page)

*Messaging Allow Message N/A Disabled (This policy setting allows


Service Cloud Sync backup and restore of cellular text
messages to Microsoft's cloud
services.)

*Microsoft Edge Allow configuration N/A Disabled (With this setting disabled,
updates for the Books Microsoft Edge doesn't automatically
Library download updated configuration data
for the Books Library.)
Policy setting Item Sub-item Possible setting and comments

*Microsoft Edge Allow extended N/A Disabled (With this setting disabled,
telemetry for the Microsoft Edge only sends basic
Books tab telemetry data, depending on your
device configuration.)

Microsoft Edge Allow Microsoft Edge Configure pre-launch: Prevent Enabled (With this setting enabled and
to pre-launch at pre-launching configured to prevent pre-launch,
Windows startup, Microsoft Edge won’t pre-launch
when the system is during Windows sign in, when the
idle, and each time system is idle, or each time Microsoft
Microsoft Edge is Edge is closed.)
closed

Microsoft Edge Allow Microsoft Edge Configure tab preloading: Enabled (This policy setting lets you
to start and load the Prevent tab-preloading decide whether Microsoft Edge can
Start and New Tab load the Start and New Tab page
page at Windows during Windows sign in and each time
startup and each time Microsoft Edge is closed. By default
Microsoft Edge is this setting is to allow preloading. With
closed preloading disabled, Microsoft Edge
won’t load the Start or New Tab page
during Windows sign in and each time
Microsoft Edge is closed.)

Microsoft Edge Allow web content on N/A Disabled (With this setting disabled,
New Tab page Edge opens a new tab with a blank
page. If this setting is configured, users
can't change the setting.)

*Microsoft Edge Prevent the First Run N/A Enabled (users won’t see the First Run
webpage from page when opening Microsoft Edge for
opening on Microsoft the first time)
Edge

OneDrive Prevent OneDrive N/A Enabled (Enable this setting to prevent


from generating the OneDrive sync client
network traffic until (OneDrive.exe) from generating
the user signs in to network traffic (checking for updates,
OneDrive and so on.) until the user signs in to
OneDrive or starts syncing files to the
local computer)

Online Assistance Turn off Active Help N/A Enabled (With this policy setting
enabled, active content links aren't
rendered. The text is displayed, but
there are no clickable links for these
elements.)

OOBE Don’t launch privacy N/A Enabled (When logging into a new
settings experience on user account for the first time or after
user logon an upgrade in some scenarios, that
user may be presented with a screen or
series of screens that prompts the user
to choose privacy settings for their
account. Enable this policy to prevent
this experience from launching.)

RSS Feeds Prevent automatic N/A Enabled (This policy setting prevents
discovery of feeds and users from having Microsoft Edge
Web Slices automatically discover whether a feed
Policy setting Item Sub-item Possible setting and comments

or Web Slice is available for an


associated webpage.)

*RSS Feeds Turn off background N/A Enabled (With this policy setting
synchronization for enabled, the ability to synchronize
feeds and Web Slices feeds and Web Slices in the
background is turned off.)

*Search Allow Cortana N/A Disabled (This policy setting specifies


whether Cortana is allowed on the
device. When Cortana is off, users are
able to use search to find things on the
device.)

Search Allow Cortana above N/A Disabled (This policy setting


lock screen determines whether or not the user
can interact with Cortana using speech
while the system is locked.)

*Search Allow search and N/A Disabled (This policy setting specifies
Cortana to use whether search and Cortana can
location provide location aware search and
Cortana results.)

Search Control rich previews Control Rich Previews for Enabled (Enabling this policy defines a
for attachments Attachments:.docx;.xlsx;.txt;.xls semicolon-delimited list of file
extensions which are allowed to have
rich attachment previews.)

NOTE: This setting can be used to limit


what types of attachments are
previewed, which can also help prevent
automatically previewing some
potentially dangerous contents types.

Search Don't allow web N/A Enabled (Enabling this policy removes
search the option of searching the Web from
Windows Desktop Search.)

*Search Don’t search the web N/A Enabled (With this policy setting
or display web results enabled, queries aren't performed on
in Search the web and web results aren't
displayed when a user performs a
query in Search.)

Search Enable indexing N/A Disabled (Enabling this policy allows


uncached Exchange indexing of mail items on a Microsoft
folders Exchange server when Microsoft
Outlook isn't running in cached mode.
The default behavior for search is to
not index uncached Exchange folders.
Disabling this policy blocks any
indexing of uncached Exchange
folders.)

Search Prevent indexing files N/A Enabled (If enabled, files on network
in offline files cache shares made available offline aren't
indexed. Otherwise they're indexed.
Disabled by default.)

*Search Set what information Anonymous info Enabled (Anonymous info: Share usage
is shared in Search information but don't share search
Policy setting Item Sub-item Possible setting and comments

history, Microsoft account info, or


specific location)

Search Stop indexing if MB Limit: 5000 Enabled (Enabling this policy prevents
there's limited hard indexing from continuing after less
drive space than the specified amount of hard
drive space is left on the same drive as
the index location. Select between 0
and 2147483647 MB.)

Software Protection Turn off KMS Client N/A Enabled (With this setting enabled, the
Platform Online AVS Validation device doesn't send data to Microsoft
regarding its activation state)

*Speech Allow Automatic N/A Disabled (Specifies whether the device


Update of Speech receives updates to the speech
Data recognition and speech synthesis
models.)

Store Turn off the offer to N/A Enabled (Enables or disables the Store
update to the latest offer to update to the latest version of
version of Windows Windows. If you enable this setting, the
Store application doesn't offer updates
to the latest version of Windows.)

Text Input Improve inking and N/A Disabled (This policy setting controls
typing recognition the ability to send inking and typing
data to Microsoft to improve the
language recognition and suggestion
capabilities of apps and services
running on Windows.)

Windows Error Disable Windows N/A Enabled (With this policy setting
Reporting Error Reporting enabled, Windows Error Reporting
doesn't send any problem information
to Microsoft. And solution information
isn't available in Security and
Maintenance in Control Panel.)

| Policy setting | Item | Sub-item | Possible setting and comments |
|---|---|---|---|
| Windows Game Recording and Broadcasting | Enables or disables Windows Game Recording and Broadcasting | N/A | Disabled (With this setting disabled, Windows Game Recording and Broadcasting aren't allowed.) |
| Windows Ink Workspace | Allow Windows Ink Workspace | Choose one of the following actions: Disabled | Enabled (With this setting enabled and the sub-setting set to Disabled, Windows Ink Workspace functionality is unavailable.) |
| Windows Installer | Control maximum size of baseline file cache | 5 | Enabled (This policy controls the percentage of disk space available to the Windows Installer baseline file cache. With this policy setting enabled, you can modify the maximum size of the Windows Installer baseline file cache.) |
| Windows Installer | Turn off creation of System Restore checkpoints | N/A | Enabled (With this policy setting enabled, the Windows Installer doesn't generate System Restore checkpoints when installing applications.) |
| Windows Mobility Center | Turn off Windows Mobility Center | N/A | Enabled (With this policy setting enabled, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file doesn't launch it.) |
| Windows Reliability Analysis | Configure Reliability WMI Providers | N/A | Disabled (With this policy setting disabled, Reliability Monitor doesn't display system reliability information, and WMI-capable applications are unable to access reliability information from the listed providers.) |
| Windows Security \ Notifications | Hide noncritical notifications | N/A | Enabled (With this setting enabled, local users only see critical notifications from Windows Security. They don't see other types of notifications, such as regular PC or device health information.) |
| Windows Update | Turn on Software Notifications | N/A | Disabled (This policy setting controls whether users see detailed enhanced notification messages about featured software from the Microsoft Update service. Enhanced notification messages convey the value and promote the installation and use of optional software. This policy setting is intended for use in loosely managed environments in which you allow the end user access to the Microsoft Update service.) |
| *Windows Update \ Windows Update for Business | Manage preview builds | Set the behavior for receiving preview builds: Disable preview builds | Enabled (Selecting "Disable preview builds" prevents preview builds from installing on the device. This prevents users from opting into the Windows Insider Program through Settings -> Update and Security.) |
| *Windows Update \ Windows Update for Business | Select when Preview Builds and Feature Updates are received | Select the Windows readiness level for the updates you want to receive: Semi-Annual Channel. After a Preview Build or Feature Update is released, defer receiving it for this many days: 365. Pause Preview Builds or Feature Updates starting: yyyy-mm-dd | Enabled (Enable this policy to specify the level of Preview Build or Feature Updates to receive, and when. Semi-Annual Channel: receive feature updates when they're released to the general public. When selecting Semi-Annual Channel: you can defer receiving Feature Updates for up to 365 days; to prevent Feature Updates from being received on their scheduled time, you can temporarily pause them, and the pause remains in effect for 35 days from the start time provided; to resume receiving Feature Updates that are paused, clear the start date field.) |
| Windows Update \ Windows Update for Business | Select when Quality Updates are received | After a quality update is released, defer receiving it for this many days: 30. Pause Quality Updates starting: yyyy-mm-dd | Enabled (Enable this policy to specify when to receive quality updates. You can defer receiving quality updates for up to 30 days. To prevent quality updates from being received on their scheduled time, you can temporarily pause quality updates; the pause remains in effect for 35 days or until you clear the start date field. To resume receiving Quality Updates that are paused, clear the start date field.) This recommendation helps control when updates are applied, and ensures updates don't get offered and installed unexpectedly. |
| Local Computer Policy \ User Configuration \ Administrative Templates | N/A | N/A | N/A |
| Control Panel \ Regional and Language Options | Turn off offer text predictions as I type | N/A | Enabled (This policy turns off the "offer text predictions as I type" option. This doesn't, however, prevent the user or an application from changing the setting programmatically. With this policy setting enabled, the option is locked to not offer text predictions.) |
| Desktop | Don't add shares of recently opened documents to Network Locations | N/A | Enabled (With this setting enabled, shared folders aren't added to Network Locations automatically when you open a document in the shared folder.) |
| Desktop | Turn off Aero Shake window minimizing mouse gesture | N/A | Enabled (With this policy enabled, application windows aren't minimized or restored when the active window is shaken back and forth with the mouse.) |
| Desktop / Active Directory | Maximum size of Active Directory searches | Number of objects returned: 1500 | Enabled (Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory.) |
| Start Menu and Taskbar | Don't display or track items in Jump Lists from remote locations | N/A | Enabled (With this policy setting enabled, items from remote locations aren't displayed or tracked in Jump Lists.) |
| Start Menu and Taskbar | Don't search Internet | N/A | Enabled (With this policy setting enabled, the Start Menu search box doesn't search for internet history or favorites.) |
| Start Menu and Taskbar | Don't use the search-based method when resolving shell shortcuts | N/A | Enabled (This policy setting prevents the system from conducting a comprehensive search of the target drive to resolve a shortcut.) |
| Start Menu and Taskbar | Turn off all balloon notifications | N/A | Enabled (With this policy setting enabled, no notification balloons are shown to the user.) |
| Start Menu and Taskbar | Turn off feature advertisement balloon notifications | N/A | Enabled (With this policy setting enabled, certain notification balloons that are marked as feature advertisements aren't shown.) |
| Start Menu and Taskbar | Turn off user tracking | N/A | Enabled (With this policy setting enabled, the system doesn't track the programs that the user runs and doesn't display frequently used programs in the Start Menu.) |
| Start Menu and Taskbar / Notifications | Turn off toast notifications | N/A | Enabled (With this policy setting enabled, applications can't raise toast notifications.) |
| *Start Menu and Taskbar / Notifications | Turn off toast notifications on the lock screen | N/A | Enabled (With this policy setting enabled, applications can't raise toast notifications on the lock screen.) |
| Local Computer Policy / User Configuration | N/A | N/A | N/A |
| Windows Components / Cloud Content | Configure Windows spotlight on lock screen | N/A | Disabled (With this policy disabled, Windows spotlight is turned off and users can't select it as their lock screen. Users see the default lock screen image and are able to select another image, unless you have enabled the "Prevent changing lock screen image" policy.) |
| *Windows Components / Cloud Content | Don't suggest third-party content in Windows spotlight | N/A | Enabled (With this policy enabled, Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, or Windows tips don't suggest apps and content from third-party software publishers. Users may still see suggestions and tips to make them more productive with Microsoft features and apps.) |
| Windows Components / Cloud Content | Don't use diagnostic data for tailored experiences | N/A | Enabled (With this policy setting enabled, Windows doesn't use diagnostic data from this device (this data may include browser, app and feature usage, depending on the "diagnostic data" setting value) to customize content shown on the lock screen, Windows tips, Microsoft consumer features, and other related features.) |
| Windows Components / Cloud Content | Turn off all Windows spotlight features | N/A | Enabled (Windows spotlight on lock screen, Windows tips, Microsoft consumer features, and other related features are turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices.) |
| Edge UI | Turn off tracking of app usage | N/A | Enabled (This policy setting prevents Windows from keeping track of the apps that are used and searched most frequently. If you enable this policy setting, apps are sorted alphabetically in search results, in the Search and Share panes, and in the drop-down app list in the Picker.) |
| File Explorer | Turn off caching of thumbnail pictures | N/A | Enabled (With this policy setting enabled, thumbnail views aren't cached.) |
| File Explorer | Turn off common control and window animations | N/A | Enabled (Disabling animations can improve usability for users with some visual disabilities and improve performance and battery life in some scenarios.) |
| File Explorer | Turn off display of recent search entries in the File Explorer search box | N/A | Enabled (Disables suggesting recent queries for the Search Box and prevents entries into the Search Box from being stored in the registry for future reference.) |
| File Explorer | Turn off the caching of thumbnails in hidden thumbs.db files | N/A | Enabled (With this policy setting enabled, File Explorer doesn't create, read from, or write to thumbs.db files.) |

* Comes from the Windows Restricted Traffic Limited Functionality Baseline.

System services
If you're considering disabling system services to conserve resources, make sure the service isn't a component of some other service. In this paper and in the available GitHub scripts, some services aren't in the list because they can't be disabled in a supported manner.

Most of these recommendations mirror recommendations for Windows Server 2016, installed with the Desktop Experience, based on the instructions in Guidance on disabling system services on Windows Server 2016 with Desktop Experience.

Many services that may seem like good candidates to disable are already set to the Manual service start type. This means that the service doesn't start automatically, and starts only if an event triggers a request to the service. Services that are already set to the Manual start type aren't listed here.

Note: You can enumerate running services with this PowerShell sample code, outputting only the service short name:

PowerShell

Get-Service | Where-Object {$_.Status -eq 'Running'} | Select-Object -ExpandProperty Name

The following table lists services that you may consider disabling in virtual desktop environments:

| Windows Service | Service Name | Item | Comment |
|---|---|---|---|
| Cellular Time | autotimesvc | This service sets time based on NITZ messages from a Mobile Network | Virtual desktop environments may not have such devices available. To learn more, see the MB NITZ support article. |
| GameDVR and Broadcast user service | BcastDVRUserService | This (per-user) service is used for Game Recordings and Live Broadcasts | This is a "per-user service", and as such, the template service must be disabled. |
| CaptureService | CaptureService | Enables optional screen capture functionality for applications that call the Windows.Graphics.Capture API. | OneCore capture service. For more information, see the Windows.Graphics.Capture Namespace API docs. |
| Connected Devices Platform Service | CDPSvc | This service is used for Connected Devices Platform scenarios | Connected Devices Platform Service. To learn more, see the Connected Devices Platform overview article. |
| CDP User Service | CDPUserSvc | N/A | Connected Devices Platform User Service. To learn more, see the Connected Devices Platform Protocol Version 3 article. This user service is used for Connected Devices Platform scenarios. This is a "per-user service", and as such, the template service must be disabled (CDPUserSvc). |
| Optimize drives | defragsvc | Helps the computer run more efficiently by optimizing files on storage drives. | Virtual desktop solutions don't normally benefit from disk optimization. The "drives" are often not traditional drives and often just a temporary storage allocation. |
| Diagnostic Execution Service | DiagSvc | Executes diagnostic actions for troubleshooting support | Disabling this service disables the ability to run Windows diagnostics. |
| Connected User Experiences and Telemetry | DiagTrack | This service enables features that support in-application and connected user experiences. This service manages the event-driven collection and transmission of diagnostic and usage information (used to improve the experience and quality of the Windows Platform) when the diagnostics and usage privacy option settings are enabled under Feedback and Diagnostics. | Consider disabling if on a disconnected network. To learn more, see how to configure Windows diagnostic data in your organization. |
| Diagnostic Policy Service | DPS | The Diagnostic Policy Service enables problem detection, troubleshooting, and resolution for Windows components. If this service is stopped, diagnostics don't work. | Disabling this service disables the ability to run Windows diagnostics. For more information, see the Windows.System.Diagnostics Namespace reference. |
| Device Setup Manager | DsmSvc | Enables the detection, download, and installation of device-related software. | If this service is disabled, devices may be configured with outdated software, and may not work correctly. Virtual desktop environments closely control what software is installed and maintain that consistency across the environment. |
| Data Usage service | DusmSvc | Network data usage, data limit, restrict background data, metered networks. | For more information, see the DUSM schema. |
| Windows Mobile Hotspot Service | icssvc | Provides the ability to share a cellular data connection with another device. | To learn more, see the NetworkOperatorTetheringAccessPointConfiguration Class reference. |
| Microsoft Store Install Service | InstallService | Provides infrastructure support for the Microsoft Store. | This service is started on demand, and if it's disabled then installations don't work properly. Consider disabling this service on non-persistent virtual desktops; leave it as-is for persistent virtual desktop solutions. |
| Geolocation Service | Lfsvc | Monitors the current location of the system and manages geofences (a geographical location with associated events). | If you turn off this service, applications are unable to use or receive notifications for geolocation or geofences. To learn more, see the Windows.Devices.Geolocation Namespace reference. |
| Downloaded Maps Manager | MapsBroker | Windows service for application access to downloaded maps. This service is started on demand by applications accessing downloaded maps. | Disabling this service prevents apps from accessing maps. To learn more, see the Windows.Services.Maps Namespace API docs. |
| MessagingService | MessagingService | Service supporting text messaging and related functionality. | This is a "per-user service", and as such, the template service must be disabled. |
| Sync Host | OneSyncSvc | This service synchronizes mail, contacts, calendar, and various other user data. | (UWP) Mail and other applications dependent on this functionality don't work properly when this service isn't running. This is a "per-user service", and as such, the template service must be disabled. |
| Contact Data | PimIndexMaintenanceSvc | Indexes contact data for fast contact searching. If you stop or disable this service, contacts might be missing from your search results. | This is a "per-user service", and as such, the template service must be disabled. |
| Power | Power | Manages power policy and power policy notification delivery. | Virtual machines have virtually no influence on power properties. If this service is disabled, power management and reporting aren't available. To learn more, see the User-Mode Power Service article. |
| Payments and NFC/SE Manager | SEMgrSvc | Manages payments and Near Field Communication (NFC) based secure elements. | May not be needed for payments in the enterprise environment. |
| Microsoft Windows SMS Router Service | SmsRouter | Routes messages based on rules to appropriate clients. | May not be needed if other tools are used for messaging, such as Teams. To learn more, see this routing service article. |
| Superfetch (SysMain) | SysMain | Maintains and improves system performance over time. | Superfetch generally doesn't improve performance in virtual desktop environments for various reasons. The underlying storage is often virtualized and possibly striped across multiple drives. In some virtual desktop solutions, the accumulated user state is discarded when the user logs off. The SysMain feature should be evaluated in each environment. |
| Update Orchestrator Service | UsoSvc | Manages Windows Updates. If stopped, your devices can't download and install the latest updates. | Virtual desktop devices are often carefully managed with respect to updates. Servicing is performed during maintenance windows. In some cases, an update client may be utilized, such as SCCM. The exception is security signature updates, which are applied at any time and to any virtual desktop device in order to maintain up-to-date signatures. If you disable this service, test to ensure that security signatures can still be installed. |
| Volume Shadow Copy | VSS | Manages and implements Volume Shadow Copies used for backup and other purposes. | If this service is stopped, shadow copies are unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it fail to start. To learn more, see this volume shadow copy service article. |
| Diagnostic System Host | WdiSystemHost | The Diagnostic System Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local System context. If this service is stopped, any diagnostics that depend on it don't function. | Disabling this service disables the ability to run Windows diagnostics. |
| Windows Error Reporting | WerSvc | Allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered. Also allows logs to be generated for diagnostic and repair services. If this service is stopped, error reporting might not work correctly, and results of diagnostic services and repairs might not be displayed. | With virtual desktop environments, diagnostics are often performed in an "offline" scenario, and not in mainstream production. In addition, some customers disable WER anyway. WER incurs a tiny amount of resources for many different things, including failure to install a device, or failure to install an update. To learn more, see Windows Error Reporting. |
| Windows Search | WSearch | Provides content indexing, property caching, and search results for files, e-mail, and other content. | Disabling this service prevents indexing of e-mail and other things. Test before disabling this service. To learn more, see Windows search service overview. |
| Xbox Live Auth Manager | XblAuthManager | Provides authentication and authorization services for interacting with Xbox Live. | If this service is stopped, some applications may not operate correctly. |
| Xbox Live Game Save | XblGameSave | This service syncs save data for Xbox Live save enabled games. | If this service is stopped, game save data doesn't upload to or download from Xbox Live. |
| Xbox Accessory Management Service | XboxGipSvc | This service manages connected Xbox Accessories. | N/A |
| Xbox Live Networking Service | XboxNetApiSvc | This service supports the Windows.Networking.XboxLive application programming interface. | N/A |
Per-user services in Windows

Per-user services are services created when a user signs into Windows or Windows Server, and stopped and deleted when that user signs out. These services run in the security context of the user account. This provides better resource management than the previous approach of running these kinds of services in Explorer, associated with a preconfigured account, or as tasks. For more information, see Per-user services in Windows.
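The following PowerShell is added here as a worked example; it isn't part of the original guidance or of the GitHub optimization scripts. It disables the services from the table above on a reference image and applies the two checks the text calls for: a service that still has running dependents outside the list is skipped rather than disabled, and the per-user services are disabled by setting the template's Start value in the registry, because Set-Service doesn't operate on a per-user template. UsoSvc, VSS and InstallService are left out because the table attaches conditions to them; the list itself is an assumption and should be trimmed to what you've tested.

```powershell
# Added example (not from the original guidance): disable the listed services
# on a reference image, skipping any service with running dependents and
# handling per-user template services through the registry.
# Run from an elevated PowerShell session on the gold image, not on a live host.

$servicesToDisable = @(
    'autotimesvc', 'CaptureService', 'CDPSvc', 'defragsvc', 'DiagSvc',
    'DiagTrack', 'DPS', 'DsmSvc', 'DusmSvc', 'icssvc', 'lfsvc', 'MapsBroker',
    'Power', 'SEMgrSvc', 'SmsRouter', 'SysMain', 'WdiSystemHost', 'WerSvc',
    'WSearch', 'XblAuthManager', 'XblGameSave', 'XboxGipSvc', 'XboxNetApiSvc'
)

# Per-user services: Set-Service fails on the template, so the template's
# Start value is set to 4 (Disabled). Running instances such as CDPUserSvc_1a2b3
# go away at the next sign-in.
$perUserTemplates = @(
    'BcastDVRUserService', 'CDPUserSvc', 'MessagingService',
    'OneSyncSvc', 'PimIndexMaintenanceSvc'
)

foreach ($name in $servicesToDisable) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host "Skip $name (not present on this build)"; continue }

    # The guidance warns not to disable a service that another service depends on.
    $runningDependents = $svc.DependentServices |
        Where-Object { $_.Status -eq 'Running' -and $_.Name -notin $servicesToDisable }
    if ($runningDependents) {
        Write-Warning "Skip $name; running dependents: $($runningDependents.Name -join ', ')"
        continue
    }

    if ($svc.Status -eq 'Running') {
        # Some services (Power, for example) refuse to stop; that's fine, the
        # Disabled start type still takes effect at the next boot.
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
    }
    Set-Service -Name $name -StartupType Disabled
    Write-Host "Disabled $name"
}

foreach ($template in $perUserTemplates) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$template"
    if (Test-Path $key) {
        Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord
        Write-Host "Disabled per-user template $template"
    }
}

# Verify: report anything from the list that is still not disabled.
Get-Service -Name $servicesToDisable -ErrorAction SilentlyContinue |
    Where-Object { $_.StartType -ne 'Disabled' } |
    Select-Object Name, Status, StartType
```

The dependency check is the part worth keeping even if you change the list: it's what stops a bulk "disable everything in the table" run from silently breaking a service you didn't intend to touch.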

Scheduled tasks
Like other items in Windows, ensure an item isn't needed before disabling a scheduled task. Some tasks in virtual
desktop environments, such as StartComponentCleanup, may not be desirable to run in production, but may be
good to run during a maintenance window on the "gold image" (reference image).

The following list of tasks includes tasks that perform optimizations or data collections on computers that
maintain their state across reboots. When a virtual desktop device reboots and discards all changes since last
boot, optimizations intended for physical computers aren't helpful.

You can get all the current scheduled tasks, including descriptions, with the following PowerShell code:

PowerShell
Get-ScheduledTask | Select-Object -Property TaskPath,TaskName,State,Description

Note: Several tasks can't be disabled with a script, even from an elevated prompt. The recommendations here, and the GitHub scripts, don't attempt to disable tasks that can't be disabled with a script.

| Scheduled Task Name | Description |
|---|---|
| MNO | Mobile broadband account experience metadata parser |
| AnalyzeSystem | This task analyzes the system looking for conditions that may cause high energy use |
| Cellular | Related to cellular devices |
| Compatibility | Collects program telemetry information if opted-in to the Microsoft Customer Experience Improvement Program. |
| Consolidator | If the user consents to participate in the Windows Customer Experience Improvement Program, this job collects and sends usage data to Microsoft |
| Diagnostics (DiskFootprint in task path) | 'DiskFootprint' is the combined contribution of all processes that issue storage I/O in the form of storage reads, writes, and flushes. |
| FamilySafetyMonitor | Initializes Family Safety monitoring and enforcement. |
| FamilySafetyRefreshTask | Synchronizes the latest settings with the Microsoft family features service. |
| MapsToastTask | This task shows various Map-related toasts |
| Microsoft-Windows-DiskDiagnosticDataCollector | The Windows Disk Diagnostic reports general disk and system information to Microsoft for users participating in the Customer Experience Program. |
| NotificationTask | Background task for performing per user and web interactions |
| ProcessMemoryDiagnosticEvents | Schedules a memory diagnostic in response to system events |
| Proxy | This task collects and uploads autochk SQM data if opted-in to the Microsoft Customer Experience Improvement Program. |
| QueueReporting | Windows Error Reporting task to process queued reports. |
| RecommendedTroubleshootingScanner | Check for recommended troubleshooting from Microsoft |
| RegIdleBackup | Registry Idle Backup Task |
| RunFullMemoryDiagnostic | Detects and mitigates problems in physical memory (RAM). |
| Scheduled | The Windows Scheduled Maintenance Task performs periodic maintenance of the computer system by fixing problems automatically or reporting them through Security and Maintenance. |
| ScheduledDefrag | This task optimizes local storage drives. |
| SilentCleanup | Maintenance task used by the system to launch a silent auto disk cleanup when running low on free disk space. |
| SpeechModelDownloadTask | |
| Sqm-Tasks | This task gathers information about the Trusted Platform Module (TPM), Secure Boot, and Measured Boot. |
| SR | This task creates regular system protection points. |
| StartComponentCleanup | Servicing task that may be better performed during maintenance windows |
| StartupAppTask | Scans startup entries and raises a notification to the user if there are too many startup entries. |
| SyspartRepair | |
| WindowsActionDialog | Location Notification |
| WinSAT | Measures a system's performance and capabilities |
| XblGameSaveTask | Xbox Live GameSave standby task |
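As an added example (not from the original page or its scripts), the PowerShell below disables the tasks in the table above and reports the ones the scheduler refuses to disable, instead of stopping at the first failure. It assumes the tasks of interest live under \Microsoft\Windows\; a name that exists under more than one path there (Diagnostics, for instance) is disabled at each path, and names absent from a given build are reported as not found.

```powershell
# Added example (not from the original guidance): disable the scheduled tasks
# named in the table, matching on task name under \Microsoft\Windows\ only so
# third-party tasks with the same name are never touched. Run elevated on the
# reference image.

$tasksToDisable = @(
    'MNO', 'AnalyzeSystem', 'Cellular', 'Compatibility', 'Consolidator',
    'Diagnostics', 'FamilySafetyMonitor', 'FamilySafetyRefreshTask',
    'MapsToastTask', 'Microsoft-Windows-DiskDiagnosticDataCollector',
    'NotificationTask', 'ProcessMemoryDiagnosticEvents', 'Proxy',
    'QueueReporting', 'RecommendedTroubleshootingScanner', 'RegIdleBackup',
    'RunFullMemoryDiagnostic', 'Scheduled', 'ScheduledDefrag', 'SilentCleanup',
    'SpeechModelDownloadTask', 'Sqm-Tasks', 'SR', 'StartComponentCleanup',
    'StartupAppTask', 'SyspartRepair', 'WindowsActionDialog', 'WinSAT',
    'XblGameSaveTask'
)

$result = foreach ($name in $tasksToDisable) {
    $tasks = Get-ScheduledTask -TaskName $name -TaskPath '\Microsoft\Windows\*' -ErrorAction SilentlyContinue
    if (-not $tasks) {
        [pscustomobject]@{ Task = $name; Path = '-'; Outcome = 'not found' }
        continue
    }
    foreach ($task in $tasks) {
        try {
            $null = $task | Disable-ScheduledTask -ErrorAction Stop
            [pscustomobject]@{ Task = $name; Path = $task.TaskPath; Outcome = 'disabled' }
        } catch {
            # Protected tasks can't be disabled even from an elevated prompt;
            # record the reason and carry on with the rest of the list.
            [pscustomobject]@{ Task = $name; Path = $task.TaskPath; Outcome = "failed: $($_.Exception.Message)" }
        }
    }
}

# One line per task and path, so the 'failed' rows can be reviewed by hand.
$result | Format-Table -AutoSize
```

Keep the output of a run with the image build notes: the 'failed' rows are exactly the tasks the note above says can't be disabled by script, and a row that changes from 'disabled' to 'failed' between builds is worth a look.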

Apply Windows (and other) updates

Whether from Microsoft Update or from your internal resources, apply available updates, including Windows Defender signatures. This is a good time to apply other available updates, including Microsoft Office if installed, and other software updates. If PowerShell remains in the image, you can download the latest available help for PowerShell by running the command Update-Help.

Servicing OS and apps

At some point during the image optimization process, available Windows updates should be applied. There's a setting in Windows Update settings that can provide more updates. You can find it at Settings > Advanced options. Once there, set Give me updates for other Microsoft products when I update Windows to On.

This is a good setting to use if you're going to install Microsoft applications such as Microsoft Office in the base image. That way Office is up to date when the image is put in service. There are also .NET updates and certain third-party components such as Adobe that have updates available through Windows Update.

One important consideration for non-persistent virtual desktop devices is security updates, including security
software definition files. These updates may be released once or more times per day.

For Windows Defender it may be best to allow the updates to occur, even on non-persistent virtual desktop
environments. The updates are going to apply nearly every time you sign in, but the updates are small and
shouldn't be a problem. Plus, the device won’t be behind on updates because only the latest available applies.
The same may be true for third-party definition files.

Note: Store apps (UWP apps) update through the Windows Store. Modern versions of Office such as Office 365 update through their own mechanisms when directly connected to the Internet, or through management technologies when not.

Windows system startup event traces (AutoLoggers)

Windows is configured by default to collect and save diagnostic data. The purpose is to enable diagnostics, or to record data if further troubleshooting is necessary. Automatic system traces can be found by opening Computer Management and navigating to System Tools > Performance > Data Collector Sets.

Some of the traces displayed under Event Trace Sessions and Startup Event Trace Sessions can't and shouldn't be stopped. Others, such as the WiFiSession trace, can be stopped. To stop a running trace under Event Trace Sessions, right-click the trace and then select Stop. Use the following procedure to prevent the traces from starting automatically on startup:

1. Select the Startup Event Trace Sessions folder.

2. Find and select the trace file you want to look at to open it.

3. Select the Trace Session tab.

4. Uncheck the box labeled Enabled.

5. Select Ok.

The following table lists some system traces that you should consider disabling in your virtual desktop environments:

| Name | Comment |
|---|---|
| Cellcore | Cellular Architecture documentation |
| CloudExperienceHostOOBE | Plan a Windows Hello for Business deployment. |
| DiagLog | A log generated by the Diagnostic Policy Service, which is documented in Guidance on disabling system services with Desktop Experience |
| RadioMgr | Near-field communication (NFC) device drivers |
| ReadyBoot | ReadyBoot Analysis. |
| WDIContextLog | WDI Miniport Driver Design Guide. |
| WiFiDriverIHVSession | User-initiated feedback - normal mode. |
| WiFiSession | Diagnostic log for WLAN technology. If Wi-Fi isn't implemented, there's no need for this logger |
| WinPhoneCritical | Diagnostic log for phone (Windows?). If not using phones, there's no need for this logger |
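As an added example (not from the original page), the PowerShell below does for every trace in the table what the five-step procedure above does for one: it sets the session's Start value to 0 under HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger, which is the value the Enabled checkbox writes, and then stops the session for the current boot with logman. The session names are taken from the table and are assumed to exist on your build; a name with no Autologger key is reported and skipped.

```powershell
# Added example (not from the original guidance): disable the startup event
# trace sessions (AutoLoggers) named in the table by clearing each session's
# Start value, then stop any that are still running this boot.
# Run elevated on the reference image; the registry change applies at next boot.

$autologgersToDisable = @(
    'Cellcore', 'CloudExperienceHostOOBE', 'DiagLog', 'RadioMgr',
    'ReadyBoot', 'WDIContextLog', 'WiFiDriverIHVSession', 'WiFiSession',
    'WinPhoneCritical'
)
$autologgerRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger'

foreach ($name in $autologgersToDisable) {
    $key = Join-Path $autologgerRoot $name
    if (-not (Test-Path $key)) {
        Write-Host "Skip $name (no Autologger key on this build)"
        continue
    }
    $current = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($current -eq 0) {
        Write-Host "$name already disabled"
        continue
    }
    # Start = 1 means the session is started at boot; 0 disables it.
    Set-ItemProperty -Path $key -Name Start -Value 0 -Type DWord
    Write-Host "Disabled $name (Start was $current)"
}

# Stop the sessions for the current boot. Sessions that can't be stopped
# just produce an error from logman, which is discarded here.
foreach ($name in $autologgersToDisable) {
    & logman.exe stop $name -ets 2>$null | Out-Null
}

# Verify: list any session from the table that is still enabled at boot.
Get-ChildItem $autologgerRoot |
    ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{ Session = $_.PSChildName; Start = $p.Start }
    } |
    Where-Object { $_.Session -in $autologgersToDisable -and $_.Start -ne 0 }
```

Stick to the names in the table. The Autologger key also holds sessions such as the EventLog-* ones that the text says shouldn't be stopped, and the script deliberately never enumerates the key to decide what to disable.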

Windows Defender optimization in the virtual desktop environment

For more details about how to optimize Windows Defender in a virtual desktop environment, check out the Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment.

The deployment guide contains procedures to service the "gold" virtual desktop image, and how to maintain the
virtual desktop clients as they're running. To reduce network bandwidth when virtual desktop devices need to
update their Windows Defender signatures, stagger reboots, and schedule reboots during off hours where
possible. The Windows Defender signature updates can be contained internally on file shares, and where
practical, have those files shares on the same or close networking segments as the virtual desktop devices.

Client network performance tuning by registry settings

There are some registry settings that can increase network performance. This is especially important in environments where the virtual desktop device or physical computer has a workload that is primarily network-based. The settings in this section tune performance for the networking workload profile by setting up extra buffering and caching of things like directory entries.

Note: Some settings in this section are registry-based only and should be incorporated in the base image before the image is deployed for production use.

The following settings are documented in Performance tuning guidelines for Windows Server.

DisableBandwidthThrottling
HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\DisableBandwidthThrottling

Applies to Windows 10 and Windows 11. The default is 0. By default, the SMB redirector throttles throughput
across high-latency network connections, in some cases to avoid network-related timeouts. Setting this registry
value to 1 disables this throttling, enabling higher file transfer throughput over high-latency network connections.
Consider setting this value to 1.

FileInfoCacheEntriesMax
HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\FileInfoCacheEntriesMax

Applies to Windows 10 and Windows 11. The default is 64, with a valid range of 1 to 65536. This value is used to
determine the amount of file metadata that can be cached by the client. Increasing the value can reduce network
traffic and increase performance when many files are accessed. Try increasing this value to 1024.

DirectoryCacheEntriesMax
HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\DirectoryCacheEntriesMax

Applies to Windows 10 and Windows 11. The default is 16, with a valid range of 1 to 4096. This value is used to
determine the amount of directory information that can be cached by the client. Increasing the value can reduce
network traffic and increase performance when large directories are accessed. Consider increasing this value to
1024.

FileNotFoundCacheEntriesMax
HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\FileNotFoundCacheEntriesMax

Applies to Windows 10 and Windows 11. The default is 128, with a valid range of 1 to 65536. This value is used to
determine the amount of file name information that can be cached by the client. Increasing the value can reduce
network traffic and increase performance when many file names are accessed. Consider increasing this value to
2048.

DormantFileLimit
HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\DormantFileLimit

Applies to Windows 10 and Windows 11. The default is 1023. This parameter specifies the maximum number of files that should be left open on a shared resource after the application has closed the file. Where many thousands of clients are connecting to SMB servers, consider reducing this value to 256.

You can configure many of these SMB settings by using the Set-SmbClientConfiguration and Set-SmbServerConfiguration Windows PowerShell cmdlets. Registry-only settings can be configured by using Windows PowerShell as well, as in the following example, which applies the DisableBandwidthThrottling value described above:

PowerShell

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name DisableBandwidthThrottling -Value 1 -Type DWord -Force

Don't use the same mechanism to relax SMB security settings. Setting RequireSecuritySignature under this key to 0 turns off SMB signing for the client, and none of the tuning values in this section depend on it.
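The block below is an added example, not code from the original page. It applies all five values from this section in one pass, records the previous value of each so the change can be reviewed or reverted, and cross-checks the result through Get-SmbClientConfiguration, which also exposes these limits and lets you confirm in the same output that RequireSecuritySignature wasn't changed along the way. The numbers are the ones suggested above and are assumed to have been validated for your workload.

```powershell
# Added example (not from the original guidance): apply the LanmanWorkstation
# tuning values from this section, keeping a before/after record.
# Run elevated on the reference image; the redirector reads them at next boot.

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# Values suggested in the text above (assumed validated for your environment).
$tuning = [ordered]@{
    DisableBandwidthThrottling  = 1
    FileInfoCacheEntriesMax     = 1024
    DirectoryCacheEntriesMax    = 1024
    FileNotFoundCacheEntriesMax = 2048
    DormantFileLimit            = 256
}

$changes = foreach ($name in $tuning.Keys) {
    # A missing value means the built-in default was in effect.
    $before = (Get-ItemProperty -Path $params -Name $name -ErrorAction SilentlyContinue).$name
    Set-ItemProperty -Path $params -Name $name -Value $tuning[$name] -Type DWord
    [pscustomobject]@{
        Setting  = $name
        Previous = if ($null -eq $before) { '(default)' } else { $before }
        New      = $tuning[$name]
    }
}
$changes | Format-Table -AutoSize

# Cross-check through the SMB client cmdlet. RequireSecuritySignature is
# included so the same output confirms SMB signing was left as it was.
Get-SmbClientConfiguration |
    Select-Object FileInfoCacheEntriesMax, DirectoryCacheEntriesMax,
                  FileNotFoundCacheEntriesMax, DormantFileLimit,
                  EnableBandwidthThrottling, RequireSecuritySignature
```

Keep the before/after table with the image's change record; it's the quickest way to answer "what did we change on the redirector" when a file-share problem is reported against the image later.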

More settings from the Windows Restricted Traffic Limited Functionality Baseline guidance
Microsoft has released a baseline, created using the same procedures as the Windows Security Baselines, for
environments that are either not connected directly to the Internet, or wish to reduce data sent to Microsoft and
other services.

The Windows Restricted Traffic Limited Functionality Baseline settings are called out in the group policy table
with an asterisk.

Disk cleanup
Disk cleanup can be especially helpful with gold/master image virtual desktop implementations. After the gold/master image is prepared, updated, and configured, one of the last tasks to perform is disk cleanup. The optimization scripts on GitHub.com have PowerShell code to perform common disk cleanup tasks.

Note: Disk cleanup settings are in the Settings app under System > Storage. By default, Storage Sense runs when a low disk free space threshold is reached.

To learn more about how to use Storage Sense with Azure custom VHD images, see Prepare and customize a master VHD image.

For Azure Virtual Desktop session hosts that use Windows Enterprise or Windows Enterprise multi-session, we recommend disabling Storage Sense. You can disable Storage Sense in the Settings menu under Storage.

Here are suggestions for various disk cleanup tasks. These should all be tested before implementing:

1. Storage Sense may be utilized manually or automatically. For more information on Storage Sense, see Manage drive space with Storage Sense.

2. Manually cleanup temporary files and logs. From an elevated command prompt, run these commands:
a. Del C:\*.tmp /s
b. C:\*.etl /s
c. C:\*.evtx /s

PowerShell
Get-ChildItem -Path c:\ -Include *.tmp, *.dmp, *.etl, *.evtx, thumbcache*.db, *.log -File -
Recurse -Force -ErrorAction SilentlyContinue | Remove-Item -ErrorAction SilentlyContinue

Remove-Item -Path $env:ProgramData\Microsoft\Windows\WER\Temp\* -Recurse -Force -ErrorAction


SilentlyContinue

Remove-Item -Path $env:ProgramData\Microsoft\Windows\WER\ReportArchive\* -Recurse -Force -


ErrorAction SilentlyContinue

Remove-Item -Path $env:ProgramData\Microsoft\Windows\WER\ReportQueue\* -Recurse -Force -


ErrorAction SilentlyContinue

Clear-RecycleBin -Force -ErrorAction SilentlyContinue

Clear-BCCache -Force -ErrorAction SilentlyContinue

3. Delete any unused profiles on the system by running the following command:

wmic path win32_UserProfile where LocalPath="C:\\users\\<users>" Delete
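The wmic command above removes one profile by path. As an added example of my own (not from the page or from the GitHub optimization scripts it mentions), the following PowerShell finds every profile that is unloaded, non-system and unused for a given number of days, previews the removal with -WhatIf before anything is deleted, and reports the files the page's Get-ChildItem pattern would remove together with their sizes. The function names are assumptions; Win32_UserProfile and its LocalPath, Loaded, Special and LastUseTime properties are real.

```powershell
# Added example, not part of the page: image-preparation cleanup that previews
# what it would delete before touching anything. Assumes an elevated Windows
# PowerShell 5.1 session on the gold/master image. Function names are mine.

function Get-StaleUserProfile {
    # Unloaded, non-system profiles not used for $Days days. Win32_UserProfile
    # exposes LocalPath, Loaded, Special and LastUseTime; Get-CimInstance
    # returns LastUseTime as a DateTime.
    param([int]$Days = 30)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Loaded -and -not $_.Special -and $_.LastUseTime -lt $cutoff }
}

function Remove-StaleUserProfile {
    # Same effect as the page's wmic command, but for every matching profile
    # and without hard-coding a path. Run with -WhatIf first to see the list.
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$Days = 30)
    foreach ($userProfile in Get-StaleUserProfile -Days $Days) {
        if ($PSCmdlet.ShouldProcess($userProfile.LocalPath, 'Remove user profile')) {
            # Deleting the CIM instance removes the profile directory and its
            # registry entry, as the wmic Delete verb does.
            Remove-CimInstance -InputObject $userProfile
        }
    }
}

function Get-CleanupCandidate {
    # The same file types as the page's Get-ChildItem command, reported with
    # size and last write time so the impact can be reviewed before deletion.
    param([string]$Root = 'C:\')
    Get-ChildItem -Path $Root -Include *.tmp, *.dmp, *.etl, *.evtx, thumbcache*.db, *.log -File -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

# Usage: total the bytes that would be reclaimed, preview the profile removal,
# then run the removal for real once the list looks right.
Get-CleanupCandidate | Measure-Object -Property Length -Sum
Remove-StaleUserProfile -Days 30 -WhatIf
# Remove-StaleUserProfile -Days 30
```

The -WhatIf pass is the useful part on a master image: a profile that is still loaded (for example the account running the script) is skipped by the Loaded filter, and Special excludes the built-in service profiles that the wmic form would also refuse to delete.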

For any questions or concerns about the information in this paper, contact your Microsoft account team, read the Microsoft virtual desktop IT Pro blog, or post a message to the Microsoft Virtual Desktop forums.

Re-enable Windows Update

If you'd like to enable the use of Windows Update after disabling it, follow these steps:

1. Re-enable group policy settings:

Go to Local Computer Policy > Computer Configuration > Administrative Templates > System >
Internet Communication Management > Internet Communication settings.
Turn off access to all Windows Update features by changing the setting from enabled to not
configured.
Go to Local Computer Policy > Computer Configuration > Administrative Templates > Windows
Components > Windows Update.
Remove access to all Windows Update features by changing the setting from enabled to not
configured.
Don't connect to any Windows Update Internet locations by changing the setting from enabled to
not configured.
Go to Local Computer Policy > Computer Configuration > Administrative Templates > Windows
Components > Windows Update > Windows Update for Business.
Select when Quality Updates are received (change from enabled to not configured)
Go to Local Computer Policy > Computer Configuration > Administrative Templates > Windows
Components > Windows Update > Windows Update for Business.
Select when Preview Builds and Feature Updates are received (change from enabled to not
configured)

2. Re-enable services:

Change Update Orchestrator service from disabled to Automatic (Delayed Start).

3. Edit the Windows registry (warning, be careful when editing the registry).

Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState.
Change DeferQualityUpdates from '1' to '0'.
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings.
Delete any existing value for PausedQualityDate.
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\WAU.
Set to Disabled.

4. Re-enable scheduled tasks:

Go to Task Scheduler Library > Microsoft > Windows > InstallService > ScanForUpdates.
Go to Task Scheduler Library > Microsoft > Windows > InstallService > ScanForUpdatesAsUser.

5. Restart your device to make all these settings take effect.

6. If you don't want this device offered Feature Updates, go to Settings > Windows Update > Advanced
options > Choose when updates are installed and manually set the option A feature update includes new
capabilities and improvements. It can be deferred for this many days to any nonzero value, such as 180,
365, and so on.
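Steps 2 to 4 of this procedure can be scripted. As an added example that is not part of the page, the following PowerShell sets the registry values, service start type and scheduled tasks those steps name, with -WhatIf support so the changes can be previewed; the Group Policy changes in step 1 are left to the policy editor, and the WAU key in step 3 is left out because the page does not give a value name for it. The function names are mine, and the service name UsoSvc (the Update Orchestrator Service) is an identifier not stated on the page.

```powershell
# Added example, not part of the page: the registry, service and scheduled-task
# parts of the "Re-enable Windows Update" procedure, with -WhatIf support.
# Step 1 (Group Policy) is still done in gpedit; the WAU key in step 3 is
# omitted because the page does not state a value name. Assumes an elevated
# Windows PowerShell 5.1 session. UsoSvc is the Update Orchestrator Service
# (service name not given on the page). Function names are mine.

$policyStateKey = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState'
$settingsKey    = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings'
$installSvcPath = '\Microsoft\Windows\InstallService\'

function Restore-WindowsUpdateState {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Step 3: DeferQualityUpdates 1 -> 0, and drop any PausedQualityDate value.
    if ((Test-Path $policyStateKey) -and $PSCmdlet.ShouldProcess($policyStateKey, 'Set DeferQualityUpdates = 0')) {
        Set-ItemProperty -Path $policyStateKey -Name DeferQualityUpdates -Value 0 -Type DWord
    }
    $paused = Get-ItemProperty -Path $settingsKey -Name PausedQualityDate -ErrorAction SilentlyContinue
    if ($paused -and $PSCmdlet.ShouldProcess($settingsKey, 'Remove PausedQualityDate')) {
        Remove-ItemProperty -Path $settingsKey -Name PausedQualityDate
    }

    # Step 2: Update Orchestrator service back to Automatic (Delayed Start).
    # Set-Service in Windows PowerShell 5.1 has no delayed-start option, so sc.exe
    # is used; "start=" and "delayed-auto" are passed as two tokens.
    if ($PSCmdlet.ShouldProcess('UsoSvc', 'Set start type to delayed-auto')) {
        sc.exe config UsoSvc start= delayed-auto | Out-Null
    }

    # Step 4: re-enable the two InstallService scan tasks named on the page.
    foreach ($task in 'ScanForUpdates', 'ScanForUpdatesAsUser') {
        if ($PSCmdlet.ShouldProcess("$installSvcPath$task", 'Enable scheduled task')) {
            Enable-ScheduledTask -TaskPath $installSvcPath -TaskName $task | Out-Null
        }
    }
}

function Test-WindowsUpdateState {
    # Report the same items so the result can be checked before and after the
    # restart that step 5 calls for.
    [pscustomobject]@{
        DeferQualityUpdates = (Get-ItemProperty -Path $policyStateKey -Name DeferQualityUpdates -ErrorAction SilentlyContinue).DeferQualityUpdates
        PausedQualityDate   = (Get-ItemProperty -Path $settingsKey -Name PausedQualityDate -ErrorAction SilentlyContinue).PausedQualityDate
        UsoSvcStartMode     = (Get-CimInstance -ClassName Win32_Service -Filter "Name='UsoSvc'").StartMode
        ScanTasks           = Get-ScheduledTask -TaskPath $installSvcPath -TaskName 'ScanForUpdates*' | Select-Object TaskName, State
    }
}

# Usage: preview, apply, verify, then restart the device (step 5).
Restore-WindowsUpdateState -WhatIf
# Restore-WindowsUpdateState
Test-WindowsUpdateState
```

Test-WindowsUpdateState is the check to keep: DeferQualityUpdates should read 0, PausedQualityDate should be empty, and both scan tasks should show a state other than Disabled before you restart.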

More information
Learn more about Microsoft's VDI architecture at our Azure Virtual Desktop documentation.

If you need more help with troubleshooting sysprep, check out Sysprep fails after you remove or update Microsoft Store apps that include built-in Windows images.

Remote Desktop clients for Remote Desktop Services and remote PCs
Article • 07/03/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016

With Microsoft Remote Desktop clients, you can connect to Remote Desktop Services
from Windows Server and remote PCs, and use and control desktops and apps that your
admin has made available to you. There are clients available for many different types of
devices on different platforms and form factors, such as desktops and laptops, tablets,
smartphones, and through a web browser. Using your web browser on desktops and
laptops, you can connect without having to download and install any software.

There are many features you can use to enhance your remote experience, such as:

Multiple monitor support.
Custom display resolutions.
Dynamic display resolutions and scaling.
Device redirection, such as webcams, storage devices, and printers.
Use apps installed on the remote PC.
Access files and network resources on the remote PC.
Leave the apps open when you turn off the client.

Some features are only available with certain clients, so it's important to check Compare the features of the Remote Desktop clients to understand the differences when connecting to Remote Desktop Services or remote PCs.

 Tip

You can also use most versions of the Remote Desktop client to also connect to
Azure Virtual Desktop, as well as to Remote Desktop Services in Windows Server or
to a remote PC. If you want information on Azure Virtual Desktop instead, see
Remote Desktop clients for Azure Virtual Desktop.

Here's a list of the Remote Desktop client apps and our documentation for connecting
to Remote Desktop Services or remote PCs, where you can find download links, what's
new, and learn how to install and use each client.

Remote Desktop client | Documentation and download links | Version information
Web | Connect to Remote Desktop Services and remote PCs with the Remote Desktop client for Web | What's new
macOS | Connect to Remote Desktop Services and remote PCs with the Remote Desktop client for macOS | What's new
iOS/iPadOS | Connect to Remote Desktop Services and remote PCs with the Remote Desktop client for iOS and iPadOS | What's new
Android/Chrome OS | Connect to Remote Desktop Services and remote PCs with the Remote Desktop client for Android and Chrome OS | What's new
Windows Store Remote Desktop app | Connect to Remote Desktop Services and remote PCs with the Windows Store Remote Desktop app for Windows | What's new

Connecting to your remote PC

Before you can connect to your remote PC, you'll need to enable Remote Desktop on it. For more information, see Enable Remote Desktop on your PC.

Get started with the Remote Desktop app for Windows
Article • 07/03/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

You can use the Remote Desktop app for Windows to work with Windows apps and PCs
remotely from a different Windows device.

Use the following information to get started. Be sure to check out the FAQ if you have
any questions.

 Tip

If you want to connect to Azure Virtual Desktop instead of Remote Desktop Services or a remote PC, see Connect to Azure Virtual Desktop with the Remote Desktop app for Windows.

) Important

We're no longer updating the Remote Desktop app for Windows with new features
and support for Azure Virtual Desktop will be removed in the future.

For the best Azure Virtual Desktop experience that includes the latest features and
updates, we recommend you download the Windows Desktop client instead.

Get the Remote Desktop app and start using it

Follow these steps to get started with Remote Desktop on your Windows 10 device:

1. Download the Remote Desktop app from the Microsoft Store.
2. Set up your PC to accept remote connections.
3. Add a Remote PC connection or a workspace. You use a connection to connect directly to a Windows PC and a workspace to use a RemoteApp program, session-based desktop, or virtual desktop published by your admin.
4. Pin items so you can get to Remote Desktop quickly.

Add a Remote PC connection

To create a Remote PC connection:

1. In the Connection Center, tap + Add, and then tap PCs.

2. Enter the following information for the computer you want to connect to:

PC name – the name of the computer. The PC name can be a Windows computer name, an Internet domain name, or an IP address. You can also append port information to the PC name (for example, MyDesktop:3389 or 10.0.0.1:3389).
User account – The user account to use to access the remote PC. Tap + to add a new account or select an existing account. You can use the following formats for the username: user_name, domain\user_name, or [email protected]. You can also specify whether to prompt for credentials during the connection by selecting Ask me every time.

3. You can also set additional options by tapping on Show more:

Display name – An easy-to-remember name for the PC you're connecting to. You can use any string, but if you don't specify a friendly name, the PC name is displayed.
Group – Specify a group to make it easier to find your connections later. You
can add a new group by tapping + or select one from the list.
Gateway – The Remote PC gateway that you want to use to connect to virtual
PCs, RemoteApp programs, and session-based PCs on an internal corporate
network. Get the information about the gateway from your system
administrator.
Connect to admin session - Use this option to connect to a console session
to administrate a Windows server.
Swap mouse buttons – Use this option to swap the left mouse button
functions for the right mouse button. Swapping mouse buttons is necessary
when you use a PC configured for a left-handed user but you only have a
right-handed mouse.
Set my remote session resolution to: – Select the resolution you want to use
in the session. Choose for me will set the resolution based on the size of the
client.
Change the size of the display: – When selecting a high static resolution for
the session, you can use this setting to make items on the screen appear
larger to improve readability. This setting only applies when connecting to
Windows 8.1 or later.
Update the remote session resolution on resize – When enabled, the client
will dynamically update the session resolution based on the size of the client.
This setting only applies when connecting to Windows 8.1 or later.
Clipboard – When enabled, allows you to copy text and images to/from the
remote PC.
Audio Playback – Select the device to use for audio during your remote
session. You can choose to play sound on the local devices, the remote PC, or
not at all.
Audio Recording – When enabled, allows you to use a local microphone with
applications on the remote PC.
4. Tap Save.

Need to edit these settings? Tap the overflow menu (...) next to the name of the PC, and
then tap Edit.

Want to delete the connection? Again, tap the overflow menu (...), and then tap
Remove.

Add a workspace
Workspaces are RemoteApp programs, session-based desktops, and virtual desktops
published by your admin using Remote Desktop Services.

To add a workspace:

1. On the Connection Center screen, tap + Add, and then tap Workspaces.
2. Enter the Feed URL provided by your admin and tap Find feeds.
3. When prompted, provide the credentials to subscribe to the feed.

The workspaces will be displayed in the Connection Center.

To delete workspaces:

1. In the Connection Center, tap the overflow menu (...) next to the workspace.
2. Tap Remove.

Pin a saved PC to your Start menu

To pin a connection to your Start menu, tap the overflow menu (...) next to the name of the PC, and then tap Pin to Start.

Now you can start the PC connection directly from your Start menu by tapping it.

Connect to an RD Gateway to access internal assets

A Remote Desktop Gateway (RD Gateway) lets you connect to a remote computer on a corporate network from anywhere on the Internet. You can create and manage your connections to gateways using the Remote Desktop app.

To set up a new Remote Desktop Gateway:

1. In the Connection Center, tap Settings.

2. Next to Gateway, tap + to add a new Gateway.

7 Note

You can also add a gateway when you add a new connection.

3. Enter the following information:

Server name – The name of the computer you want to use as a gateway. The
server name can be a Windows computer name, an Internet domain name, or
an IP address. You can also add port information to the server name (for
example: RDGateway:443 or 10.0.0.1:443).
User account - Select or add a user account to use with the Remote PC
Gateway you're connecting to. You can also select Use desktop user account
to use the same credentials that you used for the remote PC connection.

4. Tap Save.

Global app settings

You can set the following global settings in your client by tapping Settings:

Managed items
User account - Allows you to add, edit, and delete user accounts saved in the
client. You can also update the password for an account after it's changed.
Gateway - Allows you to add, edit, and delete gateway servers saved in the client.
Group - Allows you to add, edit, and delete groups saved in the client. You can
also group connections here.

Session settings
Start connections in full screen - When enabled, anytime a connection is
launched, the client will use the entire screen of the current monitor.
Start each connection in a new window - When enabled, each connection is
launched in a separate window, allowing you to place them on different monitors
and switch between them using the taskbar.
When resizing the app: - Allows you control over what happens when the client
window is resized. Defaults to Stretch the content, preserving aspect ratio.
Use keyboard commands with: - Lets you specify where keyboard commands like
WIN or ALT+TAB are used. The default is to only send them to the session when
the connection is in full screen.
Prevent the screen from timing out - Allows you to keep the screen from timing
out when a session is active. Preventing timeout is helpful when the connection
doesn't need interaction for long periods of time.

App settings
Show PC Previews - Lets you see a preview of a PC in the Connection Center
before you connect to it. This setting is on by default.
Help improve Remote Desktop - Sends anonymous data to Microsoft. We use this
data to improve the client. To learn more about how we treat this anonymous and
private data, see the Microsoft Privacy Statement . This setting is on by default.

Manage your user accounts

When you connect to a PC or workspace, you can save the account's information to connect to it later. You can also define user accounts within the client instead of saving the user data when you connect to a PC.

To create a new user account:

1. In the Connection Center, tap Settings.
2. Next to User account, tap + to add a new user account.
3. Enter the following information:

Username - The name of the user to save for use with a remote connection.
You can enter the user name in any of the following formats: user_name,
domain\user_name, or [email protected].
Password - The password for the user you specified. This field can be left
blank to be prompted for a password during the connection.

4. Tap Save.

To delete a user account:

1. In the Connection Center, tap Settings.
2. Select the account to delete from the list under User account.
3. Next to User account, tap the edit icon.
4. Tap Remove this account at the bottom to delete the user account.
5. You can also edit the user account and tap Save.

Navigate your remote session

This section describes the tools available to help you navigate your remote session once you've connected to the service.

Start a remote session

1. Tap the name of the connection you want to use to start the session.
2. If you haven't saved credentials for the connection, you'll be prompted to provide
a Username and Password.
3. If you're asked to verify the certificate for your workspace or PC, review the
information and ensure you trust this PC before tapping Connect. You can also
select Don't ask about this certificate again to always accept this certificate.

Connection bar
The connection bar gives you access to additional navigation controls. By default, the
connection bar is placed in the middle of the top of the screen. Tap and drag the bar to
the left or right to move it.

Pan Control - The pan control enables the screen to be enlarged and moved
around. Pan control is only available on touch-enabled devices and using the direct
touch mode.
To enable or disable the pan control, tap the pan icon in the connection bar to
display the pan control. The screen will zoom in while the pan control is active.
Tap the pan icon in the connection bar again to hide the control and return the
screen to its original resolution.
To use the pan control, tap and hold the pan control and then drag in the
direction you want to move the screen.
To move the pan control, double-tap and hold the pan control to move the
control on the screen.
Additional options - Tap the additional options icon to display the session selection bar and command bar.
Keyboard - Tap the keyboard icon to display or hide the on-screen keyboard. The pan control is displayed automatically when the keyboard is displayed.

Command bar
Tap the ... on the connection bar to display the command bar on the right side of the screen.

Home - Use the Home button to return to the connection center from the
command bar.
You can also use the back button for the same action. If you use the back
button, your active session won't be disconnected, allowing you to launch
additional connections.
Disconnect - Use the Disconnect button to disconnect from the session. Your apps
will remain active as long as the session is still active on the remote PC.
Full-screen - Enters or exits full screen mode.
Touch or Mouse - You can switch between the mouse modes (Direct Touch and
Mouse Pointer).

Use direct touch gestures and mouse modes

You can interact with your session with two available mouse modes:

Direct touch: Passes all of the touch contacts to the session to be interpreted
remotely.
Used in the same way you would use Windows with a touch screen.
Mouse pointer: Transforms your local touch screen into a large touchpad, letting
you move a mouse pointer in the session.
Used in the same way you would use Windows with a touchpad.

7 Note

In Windows 8 or later, the native touch gestures are supported in Direct Touch
mode.

Mouse mode | Mouse operation | Gesture
Direct touch | Left-click | Tap with one finger
Direct touch | Right-click | Tap and hold with one finger
Mouse pointer | Left-click | Tap with one finger
Mouse pointer | Left-click and drag | Double-tap and hold with one finger, then drag
Mouse pointer | Right-click | Tap with two fingers
Mouse pointer | Right-click and drag | Double-tap and hold with two fingers, then drag
Mouse pointer | Mouse wheel | Tap and hold with two fingers, then drag up or down
Mouse pointer | Zoom | With two fingers, pinch to zoom out and move fingers apart to zoom in

Give us feedback
Have a feature suggestion or want to report a problem? Tell us with the Feedback
Hub .

You can also give us feedback by selecting the ellipsis button (...) in the client app, then
selecting Feedback, as shown in the following image.

7 Note

To best help you, we need you to give us as detailed information about the issue as
possible. For example, you can include screenshots or a recording of the actions
you took leading up to the issue. For more tips about how to provide helpful
feedback, see Feedback.
What's new in the Remote Desktop app
for Windows
Article • 07/03/2024

In this article you'll learn about the latest updates for the Remote Desktop app for
Windows. To learn more about using the Remote Desktop app for Windows with
Remote Desktop Services, see Get started with the Microsoft Store Client.

) Important

We're no longer updating the Remote Desktop app for Windows with new features.

Latest client versions

The following table lists the current version available for the public release:

Release | Latest version | Download
Public | 10.2.3012 | Microsoft Store

Updates for version 10.2.3012

Published: June 12, 2023

In this release, we've made the following change:

Updated Store description to mention the end of Azure Virtual Desktop support.
Fixed the vulnerability known as CVE-2023-28290 .

Updates for version 10.2.3000

Published: March 6, 2023

There are no changes to the client in this release.

Updates for version 10.2.1810

Published: March 29, 2021

In this release, we've made the following changes:

Fixed an issue that caused crashes during clipboard scenarios.
Fixed an issue that happened when using the client with HoloLens.
Fixed an issue where the lock screen wasn't appearing in the remote session.
Fixed issues that happened when the client tried to connect to devices with the
“Always prompt for password upon connection” group policy set.
Added several stability improvements to the client.

Updates for version 10.2.1534

Published: August 26, 2020

In this release, we've made the following changes:

Rewrote the client to use the same underlying RDP core engine as the iOS, macOS,
and Android clients.
Added support for the Azure Resource Manager-integrated version of Azure
Virtual Desktop.
Added support for x64 and ARM64.
Updated the side panel design to full screen.
Added support for light and dark modes.
Added functionality to subscribe and connect to sovereign cloud deployments.
Added functionality to enable backup and restore of workspaces (bookmarks) in
release to manufacturing (RTM).
Updated functionality to use existing Azure Active Directory (Azure AD) tokens
during the subscription process to reduce the number of times users must sign in.
Updated subscription can now detect whether you're using Azure Virtual Desktop
or Azure Virtual Desktop (classic).
Fixed issue with copying files to remote PCs.
Fixed commonly reported accessibility issues with buttons.
A limit of up to 20 credentials per app is allowed.

Updates for version 10.1.1215

Published: April 20, 2020

In this release, we've made the following change:

Updated the user agent string for Azure Virtual Desktop.

Updates for version 10.1.1195

Published: March 6, 2020

In this release, we've made the following changes:

Audio from the session now continues to play even when the app is minimized or
in the background.
Fixed an issue where the toggle keys (caps lock, num lock, and so on) went out of
sync between the local and remote PCs.
Performance improvements on 64-bit devices.
Fixed a crash that occurred whenever the app was suspended.

Updates for version 10.1.1107

Published: September 4, 2019

In this release, we've made the following changes:

You can now copy files between local and remote PCs.
You can now use your email address to access remote resources (if enabled by
your admin).
You can now change user account assignments for remote resource feeds.
The app now shows the proper icon for .rdp files assigned to this app in File
Explorer instead of a blank default icon.

Updates for version 10.1.1098

Published: March 15, 2019

In this release, we've made the following changes:

You can now set a display name for user accounts so you can save the same
username with different passwords.
It's now possible to select an existing user account when adding Remote
Resources.
Fixed an issue where the client wasn't terminating correctly.
The client now properly handles being suspended when secondary windows are
open.
Additional bug fixes.

Updates for version 10.1.1088

Published: November 6, 2018

In this release, we've made the following changes:

Connection display name is now more discoverable.
Fixed a crash when closing the client window while a connection is still active.
Fixed a hang when reconnecting after the client is minimized.
Allow desktops to be dragged anywhere in a group.
Ensure launching a connection from the jump list results in a separate window
when needed.
Additional bug fixes.

Updates for version 10.1.1060

Published: September 14, 2018

In this release, we've made the following changes:

Addressed an issue where double-clicking a desktop connection caused two sessions to be launched.
Fixed a crash when switching between virtual desktops locally.
Moving a session to a different monitor now also updates the session scale factor.
Handle additional system keys like AltGr.
Additional bug fixes.

Updates for version 10.1.1046

Published: June 20, 2018

In this release, we've made the following changes:

Bug fixes.

Updates for version 10.1.1042

Published: April 2, 2018

In this release, we've made the following changes:

Updates to address CredSSP encryption oracle remediation described in CVE-2018-0886.
Additional bug fixes.

Get started with the Android client
Article • 07/03/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

You can use the Remote Desktop client for Android to work with Windows apps and
desktops directly from your Android device or a Chromebook that supports the Google
Play Store.

This article will show you how to get started using the client. If you have any additional
questions, make sure to check our FAQ.

 Tip

If you want to connect to Azure Virtual Desktop instead of Remote Desktop Services or a remote PC, see Connect to Azure Virtual Desktop with the Remote Desktop client for Android and Chrome OS.

7 Note

Curious about the new releases for the Android client? Check out What's new
for the Android client.
The Android client supports devices running Android 9 and later, as well as
Chromebooks with ChromeOS 53 and later. Learn more about Android
applications on Chrome at Chrome OS Systems Supporting Android Apps .

Download the Remote Desktop client

Here's how to set up the Remote Desktop client on your Android device:

1. Download the Microsoft Remote Desktop client from Google Play.
2. Launch RD client from your list of apps.
3. Add a Remote Desktop connection or remote resources. Remote Desktop
connections let you connect directly to a Windows PC and remote resources to
access apps and desktops published to you by an admin.

Add a Remote Desktop connection

Now that you have the client on your device, you can add Remote Desktop connections
to access your remote resources.

Before you add a connection, if you haven't done so already, set up your PC to accept
remote connections.

To add a Remote Desktop connection:

1. In the Connection Center, tap +, and then tap Desktop.

2. Enter the name of the remote PC into PC name. This name can be a Windows
computer name, an Internet domain name, or an IP address. You can also append
port information to the PC name (for example, MyDesktop:3389 or 10.0.0.1:3389).
This field is the only required field.

3. Select the User name you use to access the Remote PC.

Select Enter every time for the client to ask for your credentials every time
you connect to the remote PC.
Select Add user account to save an account that you use frequently so you
don't have to enter credentials every time you sign in. To learn more about
user accounts, see Manage your user accounts.

4. You can also tap on Show additional options to set the following optional parameters:

In Friendly name, you can enter an easy-to-remember name for the PC you're connecting to. If you don't specify a friendly name, the PC name is displayed instead.
The Gateway is the Remote Desktop gateway you'll use to connect to a
computer from an external network. Contact your system administrator for
more information.
Sound selects the device your remote session uses for audio. You can choose
to play sound on your local device, the remote device, or not at all.
Customize display resolution sets the resolution for the remote session.
When turned off, the resolution specified in global settings is used.
Swap mouse buttons switches the commands sent by right and left mouse
gestures. Ideal for left-handed users.
Connect to admin session lets you connect to an admin session on the
remote PC.
Redirect local storage enables local storage redirection. This setting is
disabled by default.

5. When you're done, tap Save.

Need to edit these settings? Tap the More options menu (...) next to the name of the
desktop, and then tap Edit.

Want to remove the connection? Again, tap the More options menu (...), and then tap
Remove.

 Tip

If you get an error named "0xf07" that says something like "We couldn't connect to the remote PC because the password associated with the user account has expired," try again with a new password.

Add remote resources

Remote resources are RemoteApp programs, session-based desktops, and virtual
desktops published by your admin.

To add remote resources:

1. In the Connection Center, tap +, and then tap Remote Resource Feed.
2. In the Feed URL field, enter the URL for the feed you want to add. This URL can be
either a URL or an email address.

If you use a URL, use the one your admin gave you.
If you use an email address, enter your email address. Entering your email
address tells the client to search for a URL associated with your email address
if your admin configured the server that way.

3. Tap Next.
4. Provide your sign-in information when prompted. The credentials you should use
can vary based on the deployment and can include:

The User name that has permission to access the resources.
The Password associated with the user name.
An additional factor, which you may be prompted for if authentication was configured that way by your admin.

5. When you're done, tap Save.

The remote resources will be displayed in the Connection Center.

Remove remote resources

To remove remote resources:

1. In the Connection Center, tap the overflow menu (...) next to the remote resource.
2. Tap Remove.
3. Confirm you've removed the resource.

Pin a connection to your home screen

The Remote Desktop client supports using the Android widget feature to pin
connections to your home screen. The widget adding process depends on which type of
Android device and Android OS version you're using.

To add a widget:

1. Tap Apps to launch the apps menu.
2. Tap Widgets.
3. Swipe through the widgets and look for the Remote Desktop icon with the
description: Pin Remote Desktop.
4. Tap and hold that Remote Desktop widget and move it to the home screen.
5. When you release the icon, you'll see the saved remote desktops. Choose the
connection that you want to save to your home screen.

Now you can start the remote desktop connection directly from your home screen by
tapping it.

7 Note

If you rename the desktop connection in the Remote Desktop client, its pinned
label won't update.

Manage general app settings

To change the general app settings, go to the Connection Center, tap Settings, and then
tap General.

You can set the following general settings:

- Show desktop previews lets you see a preview of a desktop in the Connection
  Center before you connect to it. This setting is enabled by default.
- Pinch to zoom remote session lets you use pinch-to-zoom gestures. If the app
  you're using through Remote Desktop supports multi-touch (introduced in
  Windows 8), disable this feature.
- Use scancode input when available: enable this if your remote app doesn't respond
  properly to keyboard input sent as scancode. Input is sent as unicode when
  disabled.
- Help improve Remote Desktop sends anonymous data about how you use
  Remote Desktop for Android to Microsoft. We use this data to improve the client.
  To learn more about our privacy policy and what kinds of data we collect, see the
  Microsoft Privacy Statement. This setting is enabled by default.

Manage display settings


To change the display settings tap Settings, and then tap Display from the Connection
Center.

You can set the following display settings:

- Orientation sets the preferred orientation (landscape or portrait) for your session.

  Note

  If you connect to a PC running Windows 8 or earlier, the session won't scale
  correctly if the orientation of the device changes. To make the client scale
  correctly, disconnect from the PC, then reconnect in the orientation you want
  to use. You can also ensure correct scaling by using a PC with Windows 10
  instead.

- Resolution sets the remote resolution you want to use for desktop connections
  globally. If you have already set a custom resolution for an individual connection,
  this setting won't change that.

Note

When you change the display settings, the changes only apply to new
connections you make after you changed the setting. To apply your
changes to the session you're currently connected to, refresh your session by
disconnecting and reconnecting.

Manage your RD Gateways


A Remote Desktop Gateway (RD Gateway) lets you connect to a remote computer on a
private network from anywhere on the Internet. You can create and manage your
gateways using the Remote Desktop client.

To set up a new RD Gateway:

1. In the Connection Center, tap Settings, and then tap Gateways.
2. Tap + to add a new gateway.
3. Enter the following information:

   - Enter the name of the computer you want to use as a gateway into Server
     name. This name can be a Windows computer name, an Internet domain
     name, or an IP address. You can also add port information to the server name
     (for example: RDGateway:443 or 10.0.0.1:443).
   - Select the User account you'll use to access the RD Gateway.
     - Select Use desktop user account to use the same credentials that you
       specified for the remote PC.
     - Select Add user account to save an account that you use frequently so
       you don't have to enter credentials every time you sign in. For more
       information, see Manage your user accounts.

To delete an RD Gateway:

1. In the Connection Center, tap Settings, and then tap Gateways.
2. Tap and hold a gateway in the list to select it. You can select multiple gateways at
   once.
3. Tap the trash can to delete the selected gateway.

Manage your user accounts


You can save user accounts to use whenever you connect to a remote desktop or
remote resources.

To save a user account:

1. In the Connection Center, tap Settings, and then tap User accounts.
2. Tap + to add a new user account.
3. Enter the following information:

   - The User Name to save for use with a remote connection. You can enter the
     user name in any of the following formats: user_name, domain\user_name, or
     user_name@domain.com.
   - The Password for the user you specified. Every user account that you want to
     save to use for remote connections needs to have a password associated with
     it.
4. When you're done, tap Save.

To delete a saved user account:

1. In the Connection Center, tap Settings, and then tap User accounts.
2. Tap and hold a user account in the list to select it. You can select multiple users at
the same time.
3. Tap the trash can to delete the selected user.

Start a Remote Desktop connection


Now that you've set up your Remote Desktop Android client, let's learn how to start a
Remote Desktop session.

To start a session:

1. Tap the name of your Remote Desktop connection to start the session.
2. If you're asked to verify the certificate for the remote desktop, tap Connect. You
can also select Don't ask me again for connections to this computer to always
accept the certificate by default.

Use the connection bar


The connection bar gives you access to additional navigation controls. By default, the
connection bar is placed in the middle at the top of the screen. Drag the bar to the left
or right to move it.

- Pan Control: The pan control enables the screen to be enlarged and moved
  around. Pan control is only available for direct touch.
  - To show the pan control, tap the pan icon in the connection bar to display the
    pan control and zoom the screen. Tap the pan icon again to hide the control
    and return the screen to its original size.
  - To use the pan control, tap and hold it, then drag it in the direction you want to
    move the screen.
  - To move the pan control, double-tap and hold it to move the control around on
    the screen.
- Additional options: Tap the additional options icon to display the session selection
  bar and command bar.
- Keyboard: Tap the keyboard icon to display or hide the keyboard. The pan control
  is displayed automatically when the keyboard is displayed.

Use the session selection bar


You can have multiple connections open to different PCs at the same time. Tap the
connection bar to display the session selection bar on the left side of the screen. The
session selection bar lets you view your open connections and switch between them.

When you're connected to remote resources, you can switch between apps within that
session by tapping the expander menu ( > ) and choosing from the list of available
items.

To start a new session within your current connection, tap Start New, then choose from
the list of available items.

To disconnect a session, tap X in the left side of the session tile.

Use the command bar


Tap the connection bar to display the command bar on the right side of the screen. On
the command bar, you can switch between mouse modes (direct touch and mouse
pointer) or tap the Home button to return to the Connection Center. You can also tap
the Back button to return to the Connection Center. Returning to the Connection Center
won't disconnect your active session.

Touch gestures and mouse modes


The Remote Desktop for Android client uses standard touch gestures. You can also use
touch gestures to replicate mouse actions on the remote desktop. The following table
explains which gestures match which mouse actions in each mouse mode.

Note

Native touch gestures are supported in Direct Touch mode in Windows 8 or later.

Mouse mode      Mouse action          Gesture
Direct touch    Left-click            Tap with one finger
Direct touch    Right-click           Tap with one finger and hold, then release
Mouse pointer   Zoom                  Use two fingers and pinch to zoom out or move fingers apart to zoom in
Mouse pointer   Left-click            Tap with one finger
Mouse pointer   Left-click and drag   Double-tap and hold with one finger, then drag
Mouse pointer   Right-click           Tap with two fingers
Mouse pointer   Right-click and drag  Double-tap and hold with two fingers, then drag
Mouse pointer   Mouse wheel           Tap and hold with two fingers, then drag up or down

Join the Beta channel


If you want to help us test new builds or find issues in upcoming version updates before
they're released, you should join our Beta channel. Enterprise admins can use the Beta
channel to validate new versions of the Android client for their users.

To join the Beta, download our Beta client and give consent to access preview versions
and download the client. You'll receive preview versions directly through the Google
Play Store.

What's new in the Remote Desktop
client for Android and Chrome OS
Article • 07/03/2024

In this article you'll learn about the latest updates for the Remote Desktop client for
Android and Chrome OS. To learn more about using the Remote Desktop client for
Android and Chrome OS with Remote Desktop Services, see Get started with the
Android client.

Latest client versions


The following table lists the current versions available for the public and beta releases:

Release   Latest version   Download
Public    10.0.19.1279     Google Play
Beta      10.0.19.1279     Google Play

Updates for version 10.0.19.1279


Published: May 29, 2024

In this release, we made the following changes:

Added Microsoft Intune MAM support for configuring redirection settings. It
includes MAM SDK version 9.7.1.

Updates for version 10.0.18.1251


Published: December 14, 2023

In this release, we made the following changes:

Bug fixes and improvements.

Updates for version 10.0.16.1237


Published: August 14, 2023

In this release, we made the following changes:

Added support for pen redirection.
Azure Virtual Desktop desktop previews are now available.
Display now auto-locks during remote session when setting is enabled.
RDS connections now support Azure Active Directory authentication.
Private Link is now supported.
Reconnect dialog now available for RDS sessions when they're locked.
Search is now supported in PCs and Workspaces tabs.
Bug fixes and improvements.

Updates for version 10.0.15.1207


Published: October 31, 2022

In this release, we made the following changes:

Added support for camera redirection.
Bug fixes and improvements.

Updates for version 10.0.14.1182


Published: June 13, 2022

In this release, we made the following changes:

Bug fixes and improvements.
App localized into 16 languages.

Updates for version 10.0.13.1174


Published: February 22, 2022

In this release, we made the following changes:

Client-side time zone redirection.
HTTP proxy support.
Fixed an issue where input from the ENTER key was sent twice when using IME on
Samsung devices.
Updates to improve Azure Virtual Desktop connection reliability and performance.
UI fixes and fine-tuning.
Enhanced Chromebook experience:
  Windowed mode support.
  Support for launching connections in separate windows.
  High DPI support.
  Addressed Chromebook compatibility bugs.
Minimum required version of Android is now Android 9.

Updates for version 10.0.12.1148


Published: December 15, 2021

In this release, we made the following changes:

We made an in-session UI that switches between workspaces and PCs.
Updated language support for Input Method Editors (IME) and external keyboards.
Added support for Azure Virtual Desktop workspace subscriptions that use
multiple identities for the same URL.
We added a warning message that says you shouldn't use the RD Gateway for local
addresses.
Added support for the NumLock and ScrLock keys on external keyboards.
Fixed bugs that appeared in dark mode.
The minimum required version of Android is now Android 8.

Updates for version 10.0.11


Published: July 13, 2021

In this release, we made the following changes:

Bug fixes and performance improvements.

Updates for version 10.0.10


Published: 3/24/2021

In this release, we made the following changes:

Added support for client-side IMEs when using built-in and onscreen keyboards.
Added a prompt for credentials when subscribing to a workflow.
Improved Azure Virtual Desktop workspace download performance to prevent
throttling.
Fixed an issue where incorrect command icons would appear in the UI.

Updates for version 10.0.9


Published: 2/2/2021

In this release, we made the following changes:

Support for dark mode on Android 10 and later.
Fixed clipboard redirection synchronization issues.
Added clipboard redirection to the Add/Edit PC UI.
The Android client now supports the DEL key on external keyboards.
Fixed a bug that caused workspace URL auto-complete to stop responding.
Addressed keyboard and screen reader-related accessibility bugs.
Addressed reliability issues identified by user reports.

Updates for version 10.0.8


Published: 12/04/2020

In this release, we made the following changes:

Client now supports microphone redirection.
New UI for subscribing to and editing workspaces.
Cleaned up existing UI throughout the client.
Fixed Samsung DeX keyboard input.
Addressed an issue where clients would report a 0x5000007 error when connecting
using an RD Gateway server.
Addressed several reliability issues identified by users through crash reporting.
Minimum required version of Android is now Android 6.
Fixed an issue where the client stopped responding while saving a file to redirected
storage.

Updates for version 10.0.7


Date Published: 07/24/2020

In this release, we made the following changes:

Implemented full support for Azure Virtual Desktop.
Rewrote the client to use the same underlying RDP core engine as the iOS and
macOS clients.
New Connection Center experience.
New Connection Progress UI.
New in-session Connection Bar.
Added support for Android TV devices.
Integration with Microsoft Authenticator to enable conditional access when
subscribing to Azure Virtual Desktop feeds.
Enabled the transfer of connections and settings from Remote Desktop 8.

Updates for version 8.1.80


Date Published: 05/26/2020

In this release, we made the following changes:

Changed the client icon to distinguish it from the new client currently in preview.
Prepared the client to support settings and connections transfer to the new client.

Updates for version 8.1.79


Published: 03/24/2020

In this release, we made the following change:

Fixed an issue where barcode scanners didn't work.

Updates for version 8.1.77


Published: 02/11/2020

In this release, we made the following change:

Improved accessibility for users of keyboard-only navigation.

Get started with the iOS client
Article • 08/09/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019,
✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10

You can use the Remote Desktop client for iOS to work with Windows apps, resources,
and desktops from your iOS device (iPhones and iPads).

Use the following information to get started. Be sure to check out the FAQ if you have
any questions.

Tip

If you want to connect to Azure Virtual Desktop instead of Remote Desktop
Services or a remote PC, see Connect to Azure Virtual Desktop with the Remote
Desktop client for iOS and iPadOS.

Note

Curious about the new releases for the iOS client? Check out What's new for
Remote Desktop on iOS?.

The iOS client supports devices running iOS 14.x and newer.

Get the Remote Desktop client and start using it


This section will tell you how to download and set up the Remote Desktop client for iOS.

Download the Remote Desktop client from the iOS store


First you'll need to download the client and configure your PC to connect to remote
resources.

To download the client:

1. Download the Microsoft Remote Desktop client from the iOS App Store or
   iTunes.
2. Set up your PC to accept remote connections.

Beta client


If you want to help us test new builds before they're released, you should download our
beta client. Organizations can use the beta client to validate new versions for their users
before they're generally available. You can download the beta client for iOS and iPadOS
from TestFlight. The beta client shouldn't be used in production. To get started, see
Microsoft Remote Desktop for iOS.

Important

The Remote Desktop app is changing to Windows App. To ensure you can validate
the upcoming Windows App update before it's released into the store, the
Windows App preview is now available in the Remote Desktop Beta channels where
you can test the experience of updating from Remote Desktop to Windows App. To
learn more about Windows App, see Get started with Windows App to connect to
devices and apps.

Add a PC


After you've downloaded the client and configured your PC to accept remote
connections, it's time to actually add a PC.

To add a PC:

1. In the Connection Center, tap +, then tap Add PC.
2. Enter the following information:

   - PC name – the name of the computer. The PC name can be a Windows
     computer name, an Internet domain name, or an IP address. You can also
     append port information to the PC name (for example, MyDesktop:3389 or
     10.0.0.1:3389).
   - User name – The user name you'll use to access the remote PC. You can use
     the following formats: user_name, domain\user_name, or
     user_name@domain.com. You can also select Ask when required to be
     prompted for a user name and password when necessary.

3. You can also set the following additional options:

   - Friendly name (optional) – An easy-to-remember name for the PC you're
     connecting to. You can use any string, but if you don't specify a friendly
     name, the PC name is displayed instead.
   - Gateway (optional) – The Remote Desktop gateway that you want to use to
     connect to virtual desktops, RemoteApp programs, and session-based
     desktops on an internal corporate network. Get the information about the
     gateway from your system administrator.
   - Sound – Select the device to use for audio during your remote session. You
     can choose to play sound on the local devices, the remote device, or not at
     all.
   - Swap mouse buttons – Whenever a mouse gesture would send a command
     with the left mouse button, it sends the same command with the right mouse
     button instead. Swapping mouse buttons is necessary if the remote PC is
     configured for left-handed mouse mode.
   - Admin Mode – Connect to an administration session on a server running
     Windows Server 2003 or later.
   - Clipboard – Choose whether to redirect text and images in your clipboard to
     your PC.
   - Storage – Choose whether to redirect storage to your PC.

4. Tap Save.

Need to edit these settings? Press and hold the desktop you want to edit, then tap the
settings icon.

Add a workspace


To get a list of managed resources you can access on your iOS device, add a workspace by
subscribing to the feed provided by your admin.

To add a workspace:

1. On the Connection Center screen, tap +, and then tap Add workspace.
2. In the Feed URL field, enter the URL for the feed you want to add. This URL can be
   either a URL or an email address.

   - If you use a URL, use the one your admin gave you.
   - If you use an email address, enter your email address. Entering your email
     address tells the client to search for a URL associated with your email address
     if your admin configured the server that way.

3. Tap Next.
4. Provide your credentials when prompted.

   - For User name, give the user name of an account with permission to access
     resources.
   - For Password, give the password for the account.
   - You may also be prompted to give additional information depending on how
     your admin configured authentication.
5. Tap Save.

After you've finished, the Connection Center should display the remote resources.

Once subscribed to a feed, the feed content will update automatically on a regular basis.
Resources may be added, changed, or removed based on changes made by your
administrator.

Manage your user accounts


When you connect to a PC or workspace, you can save the user accounts to select from
again.

To create a new user account:

1. In the Connection Center, tap Settings, and then tap User Accounts.
2. Tap Add User Account.
3. Enter the following information:

   - User Name – The name of the user to save for use with a remote connection.
     You can enter the user name in any of the following formats: user_name,
     domain\user_name, or user_name@domain.com.
   - Password – The password for the user you specified.

4. Tap Save.

To delete a user account:

1. In the Connection Center, tap Settings, and then tap User Accounts.
2. Select the account you would like to delete.
3. Tap Delete.

Connect to an RD Gateway to access internal assets


A Remote Desktop Gateway (RD Gateway) lets you connect to a remote computer on a
corporate network from anywhere on the Internet. You can create and manage your
gateways using the Remote Desktop client.

To set up a new gateway:

1. In the Connection Center, tap Settings > Gateways.
2. Tap Add gateway.
3. Enter the following information:

   - Gateway name – The name of the computer you want to use as a gateway.
     The gateway name can be a Windows computer name, an Internet domain
     name, or an IP address. You can also add port information to the server name
     (for example, RDGateway:443 or 10.0.0.1:443).
   - User name – The user name and password to be used for the Remote
     Desktop gateway you're connecting to. You can also select Use connection
     credentials to use the same user name and password that you used for the
     remote desktop connection.
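The server-name and user-name formats listed for the Android client (Manage your RD Gateways, Manage your user accounts) and again for the iOS client above are simple enough to validate before a connection entry is saved. The following Python is an added example, not code from the Remote Desktop client: it parses a PC or gateway name in the page's name, name:port and IP:port forms (plus a bracketed IPv6 literal, which the page's examples don't show) and a user name in its user_name, domain\user_name and user_name@domain.com forms. The fallback ports 3389 and 443 are the standard RDP and RD Gateway ports, assumed here because the page shows them only as examples.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Fallback ports when none is appended. The page shows these only in its
# examples (MyDesktop:3389, RDGateway:443); using them as defaults is an
# assumption of this example, matching the usual RDP and RD Gateway ports.
DEFAULT_PC_PORT = 3389
DEFAULT_GATEWAY_PORT = 443

# One DNS-style host label: letters, digits and hyphens, no leading or
# trailing hyphen. A single-label Windows computer name passes as well.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    kind: str  # "ipv4", "ipv6" or "name"


@dataclass(frozen=True)
class Account:
    user: str
    domain: Optional[str]
    form: str  # "bare", "down-level" or "upn"


def _parse_port(text: str) -> int:
    if not text.isdigit():
        raise ValueError(f"port is not numeric: {text!r}")
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_endpoint(text: str, default_port: int) -> Endpoint:
    """Parse a PC or gateway name: name, name:port, v4:port or [v6]:port."""
    text = text.strip()
    if not text:
        raise ValueError("server name is empty")
    host, port = text, default_port
    if text.startswith("["):
        # Bracketed IPv6 literal, optionally followed by :port.
        close = text.find("]")
        if close < 0:
            raise ValueError("unterminated IPv6 literal")
        host, rest = text[1:close], text[close + 1:]
        if rest:
            if not rest.startswith(":"):
                raise ValueError(f"unexpected text after address: {rest!r}")
            port = _parse_port(rest[1:])
    elif text.count(":") == 1:
        # name:port or IPv4:port, as in the page's examples.
        host, port_text = text.split(":", 1)
        port = _parse_port(port_text)
    # A bare IPv6 literal (several colons, no brackets) keeps the default port.
    try:
        addr = ipaddress.ip_address(host)
        kind = "ipv4" if addr.version == 4 else "ipv6"
    except ValueError:
        labels = host.split(".")
        if len(host) > 253 or not all(_LABEL_RE.match(lab) for lab in labels):
            raise ValueError(f"invalid host name: {host!r}") from None
        kind = "name"
    return Endpoint(host, port, kind)


def parse_pc(text: str) -> Endpoint:
    return parse_endpoint(text, DEFAULT_PC_PORT)


def parse_gateway(text: str) -> Endpoint:
    return parse_endpoint(text, DEFAULT_GATEWAY_PORT)


def parse_account(text: str) -> Account:
    """Parse user_name, domain\\user_name or user_name@domain.com."""
    text = text.strip()
    if not text or any(ch.isspace() for ch in text):
        raise ValueError(f"malformed user name: {text!r}")
    if "\\" in text:
        domain, _, user = text.partition("\\")
        if not domain or not user or "@" in user or "\\" in user:
            raise ValueError(f"malformed down-level name: {text!r}")
        return Account(user, domain, "down-level")
    if "@" in text:
        user, _, domain = text.partition("@")
        if not user or not domain or "@" in domain:
            raise ValueError(f"malformed UPN: {text!r}")
        return Account(user, domain, "upn")
    return Account(text, None, "bare")


if __name__ == "__main__":
    # Constructed sample inputs taken from the forms the page lists.
    for name in ("MyDesktop:3389", "10.0.0.1:3389", "[fe80::1]:3390", "RDGateway"):
        print(name, "->", parse_pc(name))
    for acct in ("user_name", "CONTOSO\\user_name", "user_name@domain.com"):
        print(acct, "->", parse_account(acct))
```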

Navigate the Remote Desktop session


This section describes tools you can use to help navigate your Remote Desktop session.

Start a Remote Desktop connection


1. Tap the remote desktop connection to start the remote desktop session.
2. If you're asked to verify the certificate for the remote desktop, tap Accept. To
accept by default, set Don't ask me again for connections to this computer to On.

Connection bar


The connection bar gives you access to additional navigation controls.

- Pan Control: The pan control enables the screen to be enlarged and moved
  around. Pan control is only available using direct touch.
  - To enable or disable the pan control, tap the pan icon in the connection bar to
    display the pan control. The screen will zoom in while the pan control is active.
    Tap the pan icon in the connection bar again to hide the control and return the
    screen to its original resolution.
  - To use the pan control, tap and hold the pan control. While holding, drag your
    fingers in the direction you want to move the screen.
  - To move the pan control, double-tap and hold the pan control to move the
    control on the screen.
- Connection name: The current connection name is displayed. Tap the connection
  name to display the session selection bar.
- Keyboard: Tap the keyboard icon to display or hide the keyboard. The pan control
  is displayed automatically when the keyboard is displayed.
- Move the connection bar: Tap and hold the connection bar. While holding the bar,
  drag it over to its new location. Let go of the bar to place it at the new location.

Session selection


You can have multiple connections open to different PCs at the same time. Tap the
connection bar to display the session selection bar on the left-hand side of the screen.
The session selection bar enables you to view your open connections and switch
between them.

Here's what you can do with the session selection bar:

To switch between apps in an open remote resource session, tap the expander
menu and choose an app from the list.
Tap Start New to start a new session, then choose a session from the list of
available sessions.
Tap the X icon on the left side of the session tile to disconnect from your session.

Command bar


The command bar replaced the Utility bar starting in version 8.0.1. You can use the
command bar to switch between mouse modes and return to the connection center.

Use touch gestures and mouse modes in a remote session


The client uses standard touch gestures. You can also use touch gestures to replicate
mouse actions on the remote desktop. The mouse modes available are defined in the
table below.

Note

In Windows 8 or later, the native touch gestures are supported in Direct Touch
mode. For more information on Windows 8 gestures, see Touch: Swipe, tap, and
beyond.

Mouse mode      Mouse operation       Gesture
Direct touch    Left-click            Tap with one finger
Direct touch    Right-click           Tap and hold with one finger
Mouse pointer   Left-click            Tap with one finger
Mouse pointer   Left-click and drag   Tap and hold with one finger, then drag
Mouse pointer   Right-click           Tap with two fingers
Mouse pointer   Right-click and drag  Double-tap and hold with two fingers, then drag
Mouse pointer   Mouse wheel           Double-tap and hold with two fingers, then drag up or down
Mouse pointer   Zoom                  With two fingers, pinch to zoom out and spread fingers apart to zoom in

Supported input devices and redirection

Mouse input


The client has Bluetooth mouse support for iOS 13 and iPadOS as an accessibility
feature. You can use Swiftpoint GT or ProPoint mice for deeper mouse integration. The
client also supports external keyboards that are compatible with iOS and iPadOS.

For more information about device support, see What's new in the iOS client and the
iOS App Store.

Camera redirection


The camera redirection protocol (MS-RDPECAM) doesn't support dynamically changing the
camera resolution while the camera is in use, such as when rotating the device. You
need to stop and restart the camera instead. For example, in the camera app, assuming
you're using the front camera, change to the rear camera, then back to the front camera.

Use a keyboard in a remote session


You can use either an on-screen keyboard or physical keyboard in your remote session.

For on-screen keyboards, use the button on the right edge of the bar above the
keyboard to switch between the standard and additional keyboard.

If Bluetooth is enabled on your iOS device, the client automatically detects the Bluetooth
keyboard.

While certain key combinations might not work as expected in a remote session, many
of the common Windows key combinations, such as CTRL+C, CTRL+V, and ALT+TAB will
work.

Tip

Questions and comments are always welcome. However, if you post support
requests or product feedback in this article's comments section, we won't be able
to respond to your feedback. If you need help or want to troubleshoot your client,
we highly recommend you go to the Remote Desktop client forum and start a new
thread.

What's new in the Remote Desktop
client for iOS and iPadOS
Article • 07/03/2024

In this article you'll learn about the latest updates for the Remote Desktop client for iOS
and iPadOS. To learn more about using the Remote Desktop client for iOS and iPadOS
with Remote Desktop Services, see Get started with the iOS client.

Latest client versions


The following table lists the current versions available for the public and beta releases:

Release   Latest version   Download
Public    10.5.8           App Store
Beta      10.5.8           TestFlight

Updates for version 10.5.8


Published: May 29, 2024

In this release, we made the following changes:

Added Microsoft Intune MAM support for configuring redirection settings. It
includes MAM SDK version 19.3.1.
Added watermarking support for Windows 365.
Bug fixes.

Updates for version 10.5.7


Published: May 22, 2024

In this release, we made the following changes:

Added support for the new iPad models released in May 2024.

Updates for version 10.5.6


Published: March 25, 2024

In this release, we made the following changes:

Bug fixes.

Updates for version 10.5.5


Published: February 24, 2024

In this release, we made the following changes:

Fixed accessibility issues.
Bug fixes.

7 Note

As of this release, only iOS 16 and iPadOS 16 and later are supported.

Updates for version 10.5.4


Published: December 18, 2023

In this release, we made the following changes:

Fixed theming update issues on iOS 17.
Addressed pop-up sheet layout bugs on iOS 17.
Sorted out daylight savings time issues for time zone redirection scenarios.
Repositioned the search box so that it's no longer clipped by the Dynamic Island
on iPhone.
Added support for camera redirection on an iPhone or iPad in portrait orientation.
Resolved an issue where when you go to Settings > Display to view the resolution
list, the list didn't update when you changed the orientation.
Added support for USB-C on iPhone 15 to enable native resolutions when you
connect the device to an external display.
Added watermarking support for Azure Virtual Desktop.

7 Note

There is no version 10.5.3.

Updates for version 10.5.2


Published: October 24, 2023

In this release, we made the following changes:

Added support for dual monitors when using iPads with Stage Manager.
Addressed reported accessibility bugs.
Fixed some keyboard mappings that stopped working after the iOS 17 update.

Updates for version 10.5.1


Published: September 5th, 2023

In this release, we made the following changes:

Added support for displaying sessions on an external monitor. You can use this
new feature with iPad and iPhone using AirPlay or a physical cable.
Added support for location redirection. To use this feature, you need access to
your device location, and your session hosts must be running Windows 11 or later.

Updates for version 10.5.0


Published: July 10, 2023

In this release, we made the following changes:

Fixed an issue with IPv6 address resolution that was blocking connectivity.
Addressed a deadlock that could occur in server redirection scenarios.

Updates for version 10.4.8


Published: June 20, 2023

In this release, we made the following changes:

We changed the connection bar to always start expanded by default. You can
minimize the connection bar by dragging it to a corner of the screen. To return the
connection bar to its regular size, drag it to the center of the screen.
You can now dismiss all in-app messages by swiping downwards.
Fixed an issue that caused graphics to look distorted in Lock to Landscape mode.

Updates for version 10.4.7


Published: May 17, 2023

In this release we made some tweaks around the behavior of the connection bar on
iPads and fixed some bugs to keep things running smoothly.

We made the following changes to the iPad connection bar:

We fixed an issue that caused the connection bar to get stuck under the Stage
Manager ellipsis menu.
The connection bar will now be docked on the right side of the screen when you
turn your iPad on. The iOS client will also save the position you dock your screen in
across all your iPad and iPhone devices.
We moved the Add a PC or Workspace button to the center of the toolbar at the
bottom of the screen.

We also made the following other changes:

Fixed an issue where session rotation wasn't working on iOS 16.
Resolved an issue where the search box in the Connection Center went out of
focus when the user tried entering characters.
Improved audio rendering for low-bandwidth scenarios.

Updates for version 10.4.6


Published: March 7, 2023

In this release, we removed the global prompt for camera and microphone access when
you first open and run the iOS client. Instead, whenever a connection bookmark or
published resource requests access, you'll receive a prompt asking whether you want to
give permission.

We also fixed some bugs and added some small additional features:

Integrated privacy statement compliance flows for select geographical regions.
Added functionality to delete all Azure Virtual Desktop workspaces and associated
keychain items.
Worked around an iOS 16 change that broke Korean language input.
Addressed a bug that stopped the Apple Pencil from working when connected to
Windows 8.1 and Windows Server 2012 R2 and earlier.

Note

As of this release, only iOS 15 and iPadOS 15 and later are supported.

Updates for version 10.4.5


Published: November 2, 2022

In this release, we made the following changes:

Fixed a WebSocket transport bug that affected some Azure Virtual Desktop
deployments.
Addressed accessibility compliance issues.

Updates for version 10.4.4


Published: October 4, 2022

In this release, we made targeted bug fixes and performance improvements, and also
added new features. Here's what we included:

You can now use Apple Pencil to draw, write, and interact with remote sessions.
You can now see a live preview of the current active session when switching to the
Connection Center from a remote session.
Gather logs for troubleshooting by going to Settings > Troubleshooting.
Review app highlights from previous versions by going to Settings > About >
Version Highlights.
We made some small appearance changes to the connection bar user interface.
We fixed issues that affected locking to landscape or portrait on iOS 16.

Updates for version 10.4.3


Published: August 11, 2022

In this release, we resolved a customer bug that impacted authentication when
connecting to Azure Virtual Desktop deployments.

Updates for version 10.4.2


Published: July 11, 2022

In this release, we resolved some bugs that impacted Azure Virtual Desktop deployment
connectivity. We also fixed an issue that caused external keyboard input to stop working
when you press Command+Tab to switch out of and return to the app.

Updates for version 10.4.1


Published: June 27, 2022

In this release, we added thumbnail snapshots for published PC resources to the
Workspaces tab of the Connection Center. We also created an in-app highlights user
interface (UI) to advertise new features. The UI automatically appears when you first turn
your machine on after an update. You can also access it by going to Settings > About >
Version Highlights. Finally, we fixed an issue where the mouse cursor would temporarily
get stuck at the bottom of the screen.

Updates for version 10.4.0 (5155)

Published: May 17, 2022

This is a significant update with some new feature additions and lots of bug fixes and
improvements.

The biggest change in this release is that you can now dynamically change the
orientation of the remote session to either landscape or portrait mode while connected
to a machine running Windows 8.1, Windows Server 2012 R2 or later. You can set your
orientation preferences in Settings > Display.

To work seamlessly with dynamic orientation, we made updates to the following
experiences:

The in-session immersive switcher has a revamped look and feel, and can
accommodate both landscape and portrait orientation.
The on-screen keyboard has been redesigned to support portrait orientation.
The connecting UI now supports both landscape and portrait orientation.
The PC tab of the connection center now supports high-resolution thumbnails and
portrait snapshots.

In addition, we’ve made the following improvements:

Reworked the connection center to apply a consistent set of margins throughout
the UI.
Added the Shift-Command-Space key combo to toggle the visibility of the
connection bar.
Added the Command-Plus sign (+) and Command-Minus sign (-) key combos to
zoom in and out respectively.
Fixed RemoteApp resource launch and reconnect scenarios.
Updated the client to send the correct physical dimensions for the iPad Mini 6.
Added the username to PC bookmark thumbnails.
Updated the in-session connection bar to fade back after three seconds if you
minimize it.
Added support for smooth scrolling in the connection center on ProMotion-
compatible iPhones and iPads.

We also made some updates to enhance Azure Virtual Desktop scenarios:

Integrated the Microsoft Authentication Library (MSAL) or OneAuth component to
improve current and future authentication scenarios.
Added eTag support to speed up Azure Virtual Desktop workspace refresh.

Note

This release removes support for iOS 13 and is only compatible with iOS 14 and 15.

Updates for version 10.3.6 (5090)

Published: November 11, 2021

In this release we added support for the iPad Mini 6 and addressed an issue with Slide
Over windows and keyboard interaction. Thanks for all the feedback. We're working
hard to make this app great!

Updates for version 10.3.5

Published: October 28, 2021

In this release, we added support for time zone redirection. This new feature fixes an
issue in Windows 11 remote sessions that caused the screen to flicker, making the
session unusable.

Updates for version 10.3.1

Published: June 28, 2021

In this release, we worked around a 0x907 (mismatched certificate) error code that was
caused by third-party infrastructure returning an incorrect certificate in redirection
scenarios. We also made some updates to improve compatibility and performance
metrics when connecting to Azure Virtual Desktop (formerly known as Windows Virtual
Desktop).

Updates for version 10.3.0

Published: May 27, 2021

In this release, we made some significant updates to the shared underlying code that
powers the Remote Desktop experience across all our clients. We also added some new
features and addressed bugs and crashes that were showing up in error reporting.

You can now drag the IME candidate window in the client.
Integrated Kerberos support in the CredSSP security protocol sequence.
Added support for HTTP proxies in Azure Virtual Desktop and on-premises
scenarios.
Made updates to improve interoperability with current and upcoming features in
the Azure Virtual Desktop service.

Updates for version 10.2.5

Published: March 29, 2021

In this release, we made the following updates:

Fixed NETBIOS name resolution on iOS 14.
Updated the app to proactively request local network access to enable connections
to PCs around you.
Fixed an issue where an RD Gateway connection would fail with a 0x3000064 error
code.
Fixed a bug where workspace discovery and download would fail if the port
number was included in HTTP GET requests.
Added examples of PC host names to the PC Name page in the Add/Edit PC UX.
Addressed some VoiceOver accessibility issues.

Updates for version 10.2.4

Published: February 1, 2021

In this release, we made the following changes to the connection bar and in-session
user experience:

You can now collapse the connection bar by moving it into one of the four corners
of the screen.
On iPads and large iPhones you can dock the connection bar to the left or right
edge of the screen.
You can now see the zoom slider panel by pressing and holding the connection
bar magnification button. The new zoom slider controls the magnification level of
the session in both touch and mouse pointer mode.

We also addressed some accessibility bugs and the following two issues:

The client now validates the PC name in the Add/Edit PC UI to make sure the name
doesn't contain illegal characters.
Addressed an issue where the UI would stop resolving a workspace name during
subscription.

Updates for version 10.2.3

Published: December 15, 2020

In this release, we fixed issues that caused crashes and interfered with the "Display
Zoom View" setting. We also tweaked the "Use Full Display" setting to only appear on
applicable iPads and adjusted the available resolutions for iPhones and iPads.

Updates for version 10.2.2

Published: November 23, 2020

In this release, we addressed some bugs affecting users running iOS 14 and iPadOS 14.

Updates for version 10.2.1

Published: November 11, 2020

In this release, we made the following fixes:

Added support for newly released iPhone and iPad devices.
Addressed an issue where the client would return a 0x30000066 error when
connecting using an RD Gateway server.

Updates for version 10.2.0

Published: November 6, 2020

In this release, we addressed some compatibility issues with iOS and iPadOS 14. In
addition, we made the following fixes and feature updates:

Addressed crashes on iOS and iPadOS 14 that happened when entering input on
keyboard.
Added the Cmd+S and Cmd+N shortcuts to access the "Add Workspace" and
"Add PC" processes, respectively.
Added the Cmd+F shortcut to invoke Search UI in the Connection Center.
Added the "Expand All" and "Collapse All" commands to the Workspaces tab.
Resolved a bug that caused a 0xD06 protocol error to happen while running
Outlook as a RemoteApp.
The on-screen keyboard will now disappear when you scroll through search results
in the Connection Center.
Updated the animation used when hovering over workspace icons with a mouse or
trackpad pointer on iPadOS 14.

Updates for version 10.1.4

Published: November 6, 2020

We put together some bug fixes and small feature updates for this release. Here's what's
new:

Addressed an issue where the client would report a 0x5000007 error message
when trying to connect to an RD Gateway server.
User account passwords updated in the credential UI are now saved after
successfully signing in.
Addressed an issue where range and multi-select with the mouse or trackpad
(Shift+click and Ctrl+click) didn't work consistently.
Addressed a bug where apps displayed in the in-session switcher UI were out of
sync with the remote session.
Made some cosmetic changes to the layout of Connection Center workspace
headers.
Improved visibility of the on-screen keyboard buttons for dark backdrops.
Fixed a localization bug in the disconnect dialog.

Updates for version 10.1.3

Published: November 6, 2020

We put together some bug fixes and feature updates for this release. Here's what's new:

The input mode (Mouse Pointer or Touch mode) is now global across all active PC
and RemoteApp connections.
Fixed an issue that prevented microphone redirection from working consistently.
Fixed a bug that caused audio output to play from the iPhone earpiece instead of
the internal speaker.
The client now supports automatically switching audio output between the iPhone
or iPad internal speakers, bluetooth speakers, and AirPods.
Audio now continues to play in the background when switching away from the
client or locking the device.
The input mode automatically switches to Touch mode when using a SwiftPoint
mouse on iPhones, or on iPads that aren't running iPadOS 13.4 or later.
Addressed graphics output issues that occurred when the server was configured to
use AVC444 full screen mode.
Fixed some VoiceOver bugs.
Panning around a zoomed-in session with an external mouse or trackpad now works
differently. To pan in a zoomed-in session with an external mouse or trackpad, select
the pan knob, then drag your mouse cursor away while still holding the mouse button.
To pan around in Touch mode, press on the pan knob, then move your finger; the
session sticks to your finger and follows it around. In Mouse Pointer mode, push the
virtual mouse cursor against the sides of the screen.

Updates for version 10.1.2

Published: August 17, 2020

In this update, we addressed issues reported since the previous release.

Fixed a crash that occurred for some users when subscribing to an Azure Virtual
Desktop feed using non-brokered authentication.
Fixed the layout of workspace icons on the iPhone X, iPhone XS, and iPhone 11
Pro.

Updates for version 10.1.1

Published: November 6, 2020

Here’s what we included in this release:


Fixed a bug that prevented typing in Korean.
Added support for F1 through F12, Home, End, PgUp and PgDn keys on hardware
keyboards.
Resolved a bug that made it difficult to move the mouse cursor to the top of the
screen in letterboxed mode on iPadOS devices.
Addressed an issue where pressing backspace after space deleted two characters.
Fixed a bug that caused the iPadOS mouse cursor to appear on top of the Remote
Desktop client mouse cursor in "Tap to Click" mode.
Resolved an issue that prevented connections to some RD Gateway servers (error
code 0x30000064).
Fixed a bug that caused the mouse cursor to be shown in the in-session switcher
UI on iOS devices when using a SwiftPoint mouse.
Resized the RD client mouse cursor to be consistent with the current client scale
factor.
The client now checks for network connectivity before launching a workspace
resource or PC connection.
Hitting the remapped Escape button or Cmd+. now cancels out of any credential
prompt.
We added some animations and polish that appear when you move the mouse
cursor around on iPads running iPadOS 13.4 or later.

Updates for version 10.1.0

Published: November 6, 2020

In this release, we made the following changes:

If you're using iPadOS 13.4 or later, you can now control the remote session with a
mouse or trackpad.
The client now supports the following Apple Magic Mouse 2 and Apple Magic
Trackpad 2 gestures: left-click, left-drag, right-click, right-drag, horizontal and
vertical scrolling, and local zooming.
For external mice, the client now supports left-click, left-drag, right-click, right-
drag, middle-click, and vertical scrolling.
The client now supports keyboard shortcuts that use Ctrl, Alt, or Shift keys with the
mouse or trackpad, including multi-select and range-select.
The client now supports the "Tap-to-Click" feature for the trackpad.
We updated the Mouse Pointer mode's right-click gesture to press-and-hold (not
press-and-hold-and-release). On the iPhone client we added taptic feedback when
we detect the right-click gesture.
Added an option to disable NLA enforcement under iOS Settings > RD Client.
Mapped Control+Shift+Escape to Ctrl+Shift+Esc, where Escape is generated using
a remapped key on iPadOS or Command+.
Mapped Command+F to Ctrl+F.
Fixed an issue where the SwiftPoint middle mouse button didn't work in iPadOS
version 13.3.1 or earlier and iOS.
Fixed some bugs that prevented the client from recognizing the "rdp:" URI.
Addressed an issue where the in-session Immersive Switcher UI showed outdated
app entries if a disconnect was server-initiated.
The client now supports the Azure Resource Manager-integrated version of Azure
Virtual Desktop.

Updates for version 10.0.7

Published: April 29, 2020

In this update we added the ability to sort the PC list view (available on iPhone) by name
or time last connected.

Updates for version 10.0.6

Published: March 31, 2020

In this release, we made the following changes:

Fixed a number of VoiceOver accessibility issues.
Fixed an issue where users couldn't connect with Turkish credentials.
Sessions displayed in the switcher UI are now ordered by when they were
launched.
Selecting the Back button in the Connection Center now takes you back to the last
active session.
Swiftpoint mice are now released when switching away from the client to another
app.
Improved interoperability with the Azure Virtual Desktop service.
Fixed crashes that were showing up in error reporting.

Updates for version 10.0.5

Published: March 9, 2020

We put together some bug fixes and feature updates for this release. Here's what's new:

Launched RDP files are now automatically imported (look for the toggle in General
settings).
You can now launch iCloud-based RDP files that haven't been downloaded in the
Files app yet.
The remote session can now extend underneath the Home indicator on iPhones
(look for the toggle in Display settings).
Added support for typing composite characters with multiple keystrokes, such as é.
Added support for the iPad on-screen floating keyboard.
Added support for adjusting properties of redirected cameras from a remote
session.
Fixed a bug in the gesture recognizer that caused the client to become
unresponsive when connected to a remote session.
You can now enter App Switching mode with a single swipe up (except when
you're in Touch mode with the session extended into the Home indicator area).
The Home indicator will now automatically hide when connected to a remote
session, and will reappear when you tap the screen.
Added a keyboard shortcut to get to app settings in the Connection Center
(Command + ,).
Added a keyboard shortcut to refresh all workspaces in the Connection Center
(Command + R).
Hooked up the system keyboard shortcut for Escape when connected to a remote
session (Command + .).
Fixed scenarios where the Windows on-screen keyboard in the remote session was
too small.
Implemented auto-keyboard focus throughout the Connection Center to make
data entry more seamless.
Pressing Enter at a credential prompt now results in the prompt being dismissed
and the current flow resuming.
Fixed a scenario where the client would crash when pressing Shift + Option + Left,
Up, or Down arrow key.
Fixed a crash that occurred when removing a SwiftPoint device.
Fixed other crashes reported to us by users since the last release.

Updates for version 10.0.4

Published: February 3, 2020

In this release, we made the following changes:

Confirmation UI is now shown when deleting user accounts and gateways.
The search UI in the Connection Center has been slightly reworked.
The username hint, if it exists, is now shown in the credential prompt UI when
launching from an RDP file or URI.
Fixed an issue where the extended on-screen keyboard would extend underneath
the iPhone notch.
Fixed a bug where external keyboards would stop working after being
disconnected and reconnected.
Added support for the Esc key on external keyboards.
Fixed a bug where English characters appeared when entering Chinese characters.
Fixed a bug where some Chinese input would remain in the remote session after
deletion.
Fixed other crashes reported to us by users since the last release.

Updates for version 10.0.3

Published: January 16, 2020

In this release, we made the following changes:

Support for launching connections from RDP files and RDP URIs.
Workspace headers are now collapsible.
Zooming and panning at the same time is now supported in Mouse Pointer mode.
A press-and-hold gesture in Mouse Pointer mode will now trigger a right-click in
the remote session.
Removed force-touch gesture for right-click in Mouse Pointer mode.
The in-session switcher screen now supports disconnecting, even if no apps are
connected.
Light dismiss is now supported in the in-session switcher screen.
PCs and apps are no longer automatically reordered in the in-session switcher
screen.
Enlarged the hit test area for the PC thumbnail view ellipses menu.
The Input Devices settings page now contains a link to supported devices.
Fixed a bug that caused the Bluetooth permissions UI to repeatedly appear at
launch for some users.
Fixed other crashes reported to us by users since the last release.

Updates for version 10.0.2

Published: December 20, 2019

In this release, we made the following changes:

Support for Japanese and Chinese input on hardware keyboards.
The PC list view now shows the friendly name of the associated user account, if
one exists.
The permissions UI in the first-run experience is now rendered correctly in Light
mode.
Fixed a crash that happened whenever someone pressed the Option and Up or
Down arrow keys at the same time on a hardware keyboard.
Updated the on-screen keyboard layout used in the password prompt UI to make
finding the Backslash key easier.
Fixed other crashes reported to us by users since the last release.

Updates for version 10.0.1

Published: December 15, 2019

Here's what's new in this release:

Support for the Azure Virtual Desktop service.
Updated Connection Center UI.
Updated in-session UI.

Updates for version 10.0.0

Published: December 13, 2019

In this release, we made the following changes:

Support for the Azure Virtual Desktop service.
A new Connection Center UI.
A new in-session UI that can switch between connected PCs and apps.
New layout for the auxiliary on-screen keyboard.
Improved external keyboard support.
SwiftPoint Bluetooth mouse support.
Microphone redirection support.
Local storage redirection support.
Camera redirection support (only available for Windows 10, version 1809 or later).
Support for new iPhone and iPad devices.
Dark and light theme support.
Control whether your phone can lock when connected to a remote PC or app.
You can now collapse the in-session connection bar by pressing and holding the
Remote Desktop logo button.

Updates for version 8.1.42

Published: June 20, 2018

In this release, we made the following changes:

Bug fixes and performance improvements.

Updates for version 8.1.41

Published: March 28, 2018

In this release, we made the following changes:

Updates to address the CredSSP encryption oracle remediation described in
CVE-2018-0886.

Get started with the macOS client
Article • 08/09/2024
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019,
✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10

You can use the Remote Desktop client for Mac to work with Windows apps, resources,
and desktops from your Mac computer. Use the following information to get started -
and check out the FAQ if you have questions.

Tip

If you want to connect to Azure Virtual Desktop instead of Remote Desktop
Services or a remote PC, see Connect to Azure Virtual Desktop with the Remote
Desktop client for macOS.

Note

Curious about the new releases for the macOS client? Check out What's new
for Remote Desktop on Mac?
Older releases of the Mac client run on macOS 10.10 and newer; version 10.9.6 and
later require macOS 12 or later (see What's new for Remote Desktop on Mac).
The information in this article applies primarily to the full version of the Mac
client - the version available in the Mac App Store. Test-drive new features by
downloading our preview app here: beta client release notes .

Get the Remote Desktop client

Follow these steps to get started with Remote Desktop on your Mac:

1. Download the Microsoft Remote Desktop client from the Mac App Store .
2. Set up your PC to accept remote connections. (If you skip this step, you can't
connect to your PC.)
3. Add a Remote Desktop connection or a remote resource. You use a connection to
connect directly to a Windows PC and a remote resource to use a RemoteApp
program, session-based desktop, or a virtual desktop published on-premises using
RemoteApp and Desktop Connections. This feature is typically available in
corporate environments.

What about the Mac beta client?

We're testing new features on our preview channel on AppCenter. Want to check it out?
Go to Microsoft Remote Desktop for Mac and select Download. You don't need to
create an account or sign into AppCenter to download the beta client. The beta client
shouldn't be used in production.

If you already have the client, you can check for updates to ensure you have the latest
version. In the beta client, select Microsoft Remote Desktop Beta at the top, and then
select Check for updates.

Important

The Remote Desktop app is changing to Windows App. To ensure you can validate
the upcoming Windows App update before it's released into the store, the
Windows App preview is now available in the Remote Desktop Beta channels where
you can test the experience of updating from Remote Desktop to Windows App. To
learn more about Windows App, see Get started with Windows App to connect to
devices and apps.

Add a workspace

Subscribe to the feed your admin gave you to get the list of managed resources
available to you on your macOS device.

To subscribe to a feed:

1. Select Add feed on the main page to connect to the service and retrieve your
resources.
2. In the Feed URL field, enter the feed you want to add. This can be either a URL or
an email address.

If you use a URL, use the one your admin gave you.
If you use an email address, enter your email address. This tells the client to
look up the feed URL associated with your email domain, which only works if your
admin has set up email discovery on the server.

3. Select Subscribe.
4. Sign in with your user account when prompted.

After you've signed in, you should see a list of available resources.
Once you've subscribed to a feed, its content updates automatically at regular
intervals. Resources may be added, changed, or removed based on changes made by
your administrator.
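
The email-address option works because the client looks up a DNS TXT record named
`_msradc` under the email's domain and reads the feed URL from it. The following added
example (not code from this article or from the Remote Desktop client) performs that
lookup against a constructed in-memory answer table so it runs offline, and validates
the result before it would be used for subscription: whoever can answer TXT queries for
a domain can point its users at a rogue feed, so the URL must be https, must carry no
embedded credentials, and must sit under a domain you trust. The domain names, URLs
and the `discover_feed` / `validate_feed_url` function names are illustrative.

```python
from __future__ import annotations

from typing import Optional
from urllib.parse import urlsplit

# Constructed TXT answers standing in for real DNS (not data from the article).
# Each key is the _msradc record name the client would query for an email domain.
FAKE_TXT: dict[str, list[str]] = {
    "_msradc.corp.example.com": ["https://rdweb.corp.example.com/RDWeb/Feed/webfeed.aspx"],
    # Unrelated TXT strings (here an SPF policy) can share the name and must be ignored.
    "_msradc.multi.example": ["v=spf1 -all", "https://apps.multi.example/RDWeb/Feed/webfeed.aspx"],
    # Two ways a record can be wrong or hostile: plain http, or a host outside the domain.
    "_msradc.plain.example": ["http://rdweb.plain.example/RDWeb/Feed/webfeed.aspx"],
    "_msradc.hijacked.example": ["https://rdweb.attacker.example/RDWeb/Feed/webfeed.aspx"],
}


def txt_record_name(email: str) -> str:
    """Map alice@Corp.Example.com. to _msradc.corp.example.com."""
    local, at, domain = email.strip().rpartition("@")
    if not at or not local or not domain or any(c in domain for c in " /\\:"):
        raise ValueError(f"not an email address: {email!r}")
    return "_msradc." + domain.lower().rstrip(".")


def validate_feed_url(url: str, trusted_suffixes: tuple[str, ...]) -> str:
    """Accept only https URLs with no embedded credentials whose host is under a trusted suffix."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        raise ValueError(f"feed URL must use https: {url!r}")
    if parts.username or parts.password:
        raise ValueError(f"feed URL must not embed credentials: {url!r}")
    host = (parts.hostname or "").lower()
    trusted = any(host == s or host.endswith("." + s) for s in trusted_suffixes)
    if not host or not trusted:
        raise ValueError(f"feed host {host!r} is outside the trusted domains {trusted_suffixes}")
    return parts.geturl()


def discover_feed(email: str, trusted_suffixes: Optional[tuple[str, ...]] = None,
                  resolver: dict[str, list[str]] = FAKE_TXT) -> str:
    """Return the validated feed URL for an email address, or raise.

    By default the feed host must be under the email's own domain; pass
    trusted_suffixes to also allow, for example, a hosting provider's domain.
    """
    name = txt_record_name(email)
    if trusted_suffixes is None:
        trusted_suffixes = (name[len("_msradc."):],)
    # Keep only URL-shaped strings and insist on exactly one candidate feed.
    urls = [t.strip() for t in resolver.get(name, []) if "://" in t]
    if len(urls) != 1:
        raise LookupError(f"{name}: expected exactly one feed URL, found {len(urls)}")
    return validate_feed_url(urls[0], trusted_suffixes)


if __name__ == "__main__":
    for addr in ("alice@corp.example.com", "bob@multi.example", "carol@plain.example",
                 "dave@hijacked.example", "erin@nowhere.example"):
        try:
            print(addr, "->", discover_feed(addr))
        except (LookupError, ValueError) as err:
            print(addr, "-> rejected:", err)
```

Running the block prints one accepted URL for the first two addresses and a rejection
reason for the rest. The client still has to validate the TLS certificate when it
contacts the feed; the checks here only decide whether a discovered URL is worth
contacting at all.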

Export and import connections

You can export a remote desktop connection definition and use it on a different device.
Remote desktops are saved in separate RDP files.

To export an RDP file:

1. In the Connection Center, right-click the remote desktop.
2. Select Export.
3. Browse to the location where you want to save the remote desktop RDP file.
4. Select OK.

To import an RDP file:

1. In the menu bar, select File > Import.
2. Browse to the RDP file.
3. Select Open.

Add a remote resource

Remote resources are RemoteApp programs, session-based desktops, and virtual
desktops published using RemoteApp and Desktop Connections.

The URL displays the link to the RD Web Access server that gives you access to
RemoteApp and Desktop Connections.
The configured RemoteApp and Desktop Connections are listed.

To add a remote resource:

1. In the Connection Center select +, and then select Add Remote Resources.
2. Enter information for the remote resource:

Feed URL - The URL of the RD Web Access server. You can also enter your
corporate email account in this field – this tells the client to search for the RD
Web Access Server associated with your email address.
User name - The user name to use for the RD Web Access server you are
connecting to.
Password - The password to use for the RD Web Access server you are
connecting to.
3. Select Save.

The remote resources will be displayed in the Connection Center.

Connect to an RD Gateway to access internal assets

A Remote Desktop Gateway (RD Gateway) lets you connect to a remote computer on a
corporate network from anywhere on the Internet. You can create and manage your
gateways in the preferences of the app or while setting up a new desktop connection.

To set up a new gateway in preferences:

1. In the Connection Center, select Preferences > Gateways.
2. Select the + button at the bottom of the table. Enter the following information:

Server name – The name of the computer you want to use as a gateway. This
can be a Windows computer name, an Internet domain name, or an IP
address. You can also add port information to the server name (for example:
RDGateway:443 or 10.0.0.1:443).
User name - The user name and password to be used for the Remote
Desktop gateway you are connecting to. You can also select Use connection
credentials to use the same user name and password as those used for the
remote desktop connection.
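
An exported connection (Export and import connections, above) and the gateway you
configure here both end up as plain `name:type:value` lines in an .rdp file, which is
what travels to the other device. The following added example (not code from this
article or from the Remote Desktop client) parses such a file, flags the settings a
reviewer should question before importing it, and writes back a hardened copy with any
embedded credential removed. The setting names are the standard RDP file settings;
the sample file contents, host names, the approved-gateway list and the function names
are constructed for illustration. Not every client honours every setting, so the audit
reports what the file asks for, not what a particular client will do with it.

```python
from __future__ import annotations

from typing import Union

RdpValue = Union[str, int, bytes]

# Constructed sample of an exported .rdp file (illustrative values, not from the
# article). Windows writes these files as UTF-16 with a BOM; once decoded the
# syntax is the same: name:type:value with type i (int), s (string) or b (hex bytes).
SAMPLE_RDP = """\
full address:s:desktop01.corp.example.com:3389
username:s:CORP\\alice
gatewayhostname:s:rdgw.corp.example.com:443
gatewayusagemethod:i:1
authentication level:i:0
enablecredsspsupport:i:0
drivestoredirect:s:*
redirectclipboard:i:1
password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB
"""


def parse_rdp(text: str) -> dict[str, RdpValue]:
    """Parse .rdp lines into a dict; 'i' values become int, 'b' values bytes, 's' stay str."""
    settings: dict[str, RdpValue] = {}
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # tolerate blank and comment lines
            continue
        name, sep1, rest = line.partition(":")
        kind, sep2, value = rest.partition(":")
        if not (sep1 and sep2) or kind not in ("i", "s", "b"):
            raise ValueError(f"malformed .rdp line: {raw!r}")
        key = name.strip()
        if kind == "i":
            settings[key] = int(value)
        elif kind == "b":
            settings[key] = bytes.fromhex(value)
        else:
            settings[key] = value
    return settings


def serialize_rdp(settings: dict[str, RdpValue]) -> str:
    """Inverse of parse_rdp, for writing a cleaned file back out."""
    lines = []
    for name, value in settings.items():
        if isinstance(value, bytes):
            lines.append(f"{name}:b:{value.hex().upper()}")
        elif isinstance(value, int):
            lines.append(f"{name}:i:{value}")
        else:
            lines.append(f"{name}:s:{value}")
    return "\n".join(lines) + "\n"


def audit_rdp(settings: dict[str, RdpValue], allowed_gateways: frozenset[str] = frozenset()) -> list[str]:
    """Return the findings a reviewer would raise before importing the file; empty means clean."""
    findings: list[str] = []
    # authentication level: 0 = connect even if server authentication fails, 1 = warn,
    # 2 = refuse, 3 = no requirement stated (the default). Only 2 stops an interposed
    # host that presents the wrong certificate.
    if settings.get("authentication level", 3) != 2:
        findings.append("server authentication not enforced (authentication level != 2)")
    # enablecredsspsupport: 0 turns CredSSP off, so Network Level Authentication is unavailable.
    if settings.get("enablecredsspsupport", 1) == 0:
        findings.append("CredSSP disabled: NLA unavailable, logon happens inside an unauthenticated session")
    drives = settings.get("drivestoredirect", "")
    if drives:
        findings.append(f"drive redirection exposes local drives to the remote host: {drives!r}")
    if settings.get("redirectclipboard", 1) == 1:
        findings.append("clipboard redirection is on in both directions")
    # gatewayusagemethod: 0 = none, 1 = always, 2 = only if direct fails, 3 = default, 4 = bypass locally.
    if settings.get("gatewayusagemethod", 0) in (1, 2, 3):
        host = str(settings.get("gatewayhostname", "")).split(":")[0].lower()
        if not host:
            findings.append("gateway usage requested but no gatewayhostname set")
        elif allowed_gateways and host not in allowed_gateways:
            findings.append(f"gateway {host!r} is not an approved RD Gateway")
    # Any 'password ...' key means credential material travels with the file.
    for key in settings:
        if key.startswith("password"):
            findings.append(f"embedded credential in {key!r}; strip it before sharing the file")
    return findings


def harden_for_sharing(settings: dict[str, RdpValue]) -> dict[str, RdpValue]:
    """Copy safe to hand to another device: no credentials, server authentication
    required, CredSSP on, no drive redirection. Address and gateway are kept."""
    clean = {k: v for k, v in settings.items() if not k.startswith("password")}
    clean["authentication level"] = 2
    clean["enablecredsspsupport"] = 1
    clean["drivestoredirect"] = ""
    return clean


if __name__ == "__main__":
    parsed = parse_rdp(SAMPLE_RDP)
    for finding in audit_rdp(parsed, frozenset({"rdgw.corp.example.com"})):
        print("FINDING:", finding)
    print(serialize_rdp(harden_for_sharing(parsed)))
```

Run against the sample, the audit reports five findings; the hardened copy leaves only
the clipboard note, because whether bidirectional clipboard is acceptable is a policy
decision rather than a defect in the file.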

Manage your user accounts

When you connect to a desktop or remote resources, you can save the user accounts to
select from again. You can manage your user accounts by using the Remote Desktop
client.

To create a new user account:

1. In the Connection Center, select Settings > Accounts.
2. Select Add User Account.
3. Enter the following information:

User Name - The name of the user to save for use with a remote connection.
You can enter the user name in any of the following formats: user_name,
domain\user_name, or user_name@domain.com.
Password - The password for the user you specified. Every user account that
you want to save to use for remote connections needs to have a password
associated with it.
Friendly Name - If you are using the same user account with different
passwords, set a friendly name to distinguish those user accounts.
4. Select Save, then select Settings.

Customize your display resolution

You can specify the display resolution for the remote desktop session.

1. In the Connection Center, select Preferences.
2. Select Resolution.
3. Select +.
4. Enter a resolution height and width, and then select OK.

To delete the resolution, select it, and then select -.

Displays have separate spaces

If you're running OS X 10.9 (Mavericks) and have disabled Displays have separate
spaces (System Preferences > Mission Control), you need to configure the same
setting in the Remote Desktop client.

Drive redirection for remote resources

Drive redirection is supported for remote resources, so that you can save files created
with a remote application locally to your Mac. The redirected folder is always your home
directory displayed as a network drive in the remote session.

Note

In order to use this feature, the administrator needs to set the appropriate settings
on the server.

Use a keyboard in a remote session

Mac keyboard layouts differ from the Windows keyboard layouts.

The Command key on the Mac keyboard equals the Windows key.
To perform actions that use the Command button on the Mac, you will need to use
the control button in Windows (for example Copy = Ctrl+C).
The function keys can be activated in the session by additionally pressing the FN
key (for example, FN+F1).
The Alt key to the right of the space bar on the Mac keyboard equals the Alt
Gr/right Alt key in Windows.

By default, the remote session will use the same keyboard locale as the OS you're
running the client on. (If your Mac is running an en-us OS, it will be used for the remote
sessions as well.) If the OS keyboard locale is not used, check the keyboard setting on
the remote PC and change it manually. See the Remote Desktop Client FAQ for more
information about keyboards and locales.

Support for Remote Desktop gateway pluggable authentication and authorization

Remote Desktop Gateway pluggable authentication and authorization provides more
flexibility for custom authentication routines. You can now try this authentication model
with the Mac client.

Important

Custom authentication and authorization models before Windows 8.1 aren't
supported, although the article above discusses them.

To learn more about this feature, check out Remote Desktop Gateway Pluggable
Authentication and Authorization Sample .

What's new in the Remote Desktop client for macOS
Article • 07/03/2024

In this article you'll learn about the latest updates for the Remote Desktop client for
macOS. To learn more about using the Remote Desktop client for macOS with Remote
Desktop Services, see Get started with the macOS client.

Latest client versions

The following table lists the current versions available for the public and beta releases:

Release   Latest version   Download

Public    10.9.8           Mac App Store
Beta      10.9.8           Microsoft AppCenter

Updates for version 10.9.8

Published: June 18, 2024

In this release, we made the following changes:

Updated the client connection path to fall back to TLS when NTLM isn't available in
the context of Network Level Authentication (NLA).
Applied a workaround to address a black screen when screen sharing via Microsoft
Teams redirection.

Updates for version 10.9.7

Published: May 21, 2024

In this release, we made the following changes:

Resolved issues with connections that were routed via a Remote Desktop Services
gateway behind an F5 web app filter.
Fixed bugs in the single sign-on protocol connection sequence that were breaking
connectivity.
Improved diagnostics sent during connections to Azure Virtual Desktop.

Updates for version 10.9.6

Published: February 26, 2024

In this release, we made the following changes:

Bug fixes for issues reported by users and internal telemetry.

Important

Starting with version 10.9.6, the macOS client only supports macOS 12 and later.

Updates for version 10.9.5

Published: December 12, 2023

In this release, we made the following changes:

Resolved some of the top crashes reported by customers from our telemetry.
Fixed microphone redirection on macOS 14.
Sorted out daylight savings time issues for time zone redirection scenarios.
Added watermarking support for Azure Virtual Desktop scenarios.
Resolved an issue that caused workspace resource icons to be partially obscured
by a white or black rectangle. If you encounter this issue, you can force a
workspace refresh by selecting Help > Troubleshooting > Force Refresh All
Workspaces.

Updates for version 10.9.4

Published: October 20, 2023

In this release, we made the following changes:

Fixed an issue that caused printer redirection to not work for connections between
macOS Sonoma and Windows 10 or later.

Updates for version 10.9.3

Published: October 2, 2023

In this release, we made the following changes:

Fixed an issue where using workspace refresh deleted the workspace.
Resolved a RemoteApp issue where drag operations sometimes didn't work on
certain apps.
Fixed an incorrect error message displayed for expired passwords.
Addressed a number of accessibility bugs.

Updates for version 10.9.2

Published: September 11, 2023

In this release, we made the following changes:

Addressed the "Proof Key for Code Exchange is required" message users received when
refreshing Azure Virtual Desktop workspaces after upgrading from versions 10.9.0
and 10.9.1.

Updates for version 10.9.1

Published: September 5, 2023

In this release, we made the following changes:

Addressed clipboard redirection issue for macOS 11.

Updates for version 10.9.0

Published: August 16, 2023

In this release, we added two new features for Azure Virtual Desktop and addressed a
number of reported bugs and incidents.

Added support for RDP Shortpath for public networks for Azure Virtual Desktop
connections.
Integrated an Azure Virtual Desktop account profile switcher into the Connection
Center.
Improved diagnostics sent during Azure Virtual Desktop connections.
Added support for video mirroring in Teams redirection.

Note

This release isn't compatible with macOS 10.14 and macOS 10.15.

Updates for version 10.8.4

Published: June 16, 2023

In this release, we made the following changes:

Updated time zone redirection to accommodate certain daylight savings scenarios.


Resolved an issue that incorrectly toggled Caps Lock in RemoteApp connections.
Changed gesture recognition to make small mouse-scrolling movements
smoother.
Fixed an issue that caused the client to stop responding when resuming a
connection after entering sleep mode.
Updated Azure Virtual Desktop diagnostics to align with service expectations.
Created a workaround for a service-side simulcast regression that affected Teams
redirection.

Updates for Version 10.8.3


Published: May 20, 2023

In this release, we made the following changes:

Fixed connectivity issue that affected connections with Windows XP and Windows
Vista.
Addressed an issue that caused diagnostics reporting for Azure Virtual Desktop
connections to be inaccurate.

Updates for Version 10.8.2


Published: April 25, 2023

In this release, we made the following changes:

Integrated support for the new Remote Desktop Services (RDS) Azure Active
Directory (Azure AD) Auth Protocol for authentication and session security.
Added deterministic progress UI for Azure Virtual Desktop workspace refresh.
Resolved some of the most common crashes reported by debug telemetry.
Fixed a bug that caused vertical lines to appear in the remote session rendering.
Addressed a scenario where the app would stop responding when running Slack.
Addressed issue with full-screen scenarios that happened when users disabled the
Displays have separate Spaces setting.
Fixed an issue that resulted in the caps lock state syncing incorrectly between
client and server.
Performance and reliability updates to Teams redirection.
Updates to improve Azure Virtual Desktop connectivity and diagnostics.

Updates for Version 10.8.1


Published: January 25, 2023

In this release, we made the following changes:

Bug fixes and feature updates.
Teams redirection for Azure Virtual Desktop now supports Noise Cancellation and
Give/Take Control.
Fixed connection blocking issues that affected a small number of users.
Updated Azure Virtual Desktop diagnostics to address a reporting error.
New clipboard redirection options including bidirectional clipboard syncing, local
to remote, or remote to local.

Updates for Version 10.8.0


Published: December 14, 2022

In this release, we made the following changes:

Fixed a few bugs, cleaned up some underlying code, and made changes to prepare
for future updates.
Added a button to the General Preferences dialog that allows you to clear stored
PC thumbnails.

Updates for Version 10.7.10


Published: October 24, 2022

In this release, we've added some new features to Teams redirection for Azure Virtual
Desktop and Windows 365 scenarios:

Give/Take Control support.
Background blur support.
Background replacement support.

We've also made some additional fixes and performance improvements, including the
following:

We resolved some customer-reported time zone redirection mismatches.
We've improved smart card redirection performance.
We addressed overactive Azure Virtual Desktop diagnostics reporting.
We fixed a crash that happened when users moved hidden windows in RemoteApp
scenarios.

Updates for version 10.7.9


Published: August 11, 2022

In this release, we fixed some customer-reported bugs and issues reported by telemetry.
Two of the impacted feature areas include Teams redirection and multi-monitor support.

Updates for version 10.7.8


Published: July 25, 2022

In this release, we made the following changes:

Added thumbnail snapshots for published PC resources to the Workspaces tab of
the Connection Center.
Integrated logging support that you could previously only access with user
defaults to the UI. To access the logs, go to Help > Troubleshooting > Logging.
You can now reset all subscribed Azure Virtual Desktop workspaces.
Fixed a deadlock in the client logging infrastructure.
Improved diagnostic error reporting for Azure Active Directory authentication
failures in Azure Virtual Desktop scenarios.

Updates for version 10.7.7


Published: June 23, 2022

In this release we added the following new features:

A custom app switcher which spans multiple sessions for RemoteApp scenarios
(triggered by the Option+Tab keyboard combination).
Support for the in-session redirection of PIV smart cards (such as Yubikey).

We've also:

Added support for audio and video stream optimizations when connecting to
Azure Virtual Desktop session hosts that support Teams redirection. Learn more at
Use Microsoft Teams on Azure Virtual Desktop.
Made updates to improve connectivity, performance and diagnostic metrics when
connecting to Azure Virtual Desktop deployments.

With respect to bugs and smaller features, the following list summarizes some
highlights:

Added support for eTags in Azure Virtual Desktop workspace refresh scenarios to
improve sync times.
The read-only column in the folder redirection selection UI has been resized to
show the full column header.
Fixed an issue that resulted in the Outlook client showing the incorrect time or
time zone for certain calendar entries.
Resolved discrepancies with the reporting of device physical width and height
across Retina and non-Retina scenarios.
Updated the client to trigger an auto-reconnect in Azure Virtual Desktop scenarios
when a 0x3 error is generated by the Gateway.
Resolved an issue where the mouse cursor on a high DPI monitor is larger than a
regular monitor.
Updated the client to terminate auto-reconnect if the session window is closed
after waking from sleep.
Addressed an issue where the mapped hotkeys CMD+C , CMD+V , and CMD+F didn't
work in nested sessions.
Hid the Import from Remote Desktop 8 option if there is no data to import.

Updates for version 10.7.6


Published: February 3, 2022

In this release, we made some changes to improve connection reliability for Azure
Virtual Desktop scenarios.

Updates for version 10.7.5

Published: January 25, 2022

In this release, we made the following changes:

Fixed an issue that caused display configuration to not work properly when using
the client on 2021 MacBook Pro 14" and 16" devices with multiple monitors. This
issue mainly affected devices with external monitors positioned above the
MacBook display.
Fixed an issue that caused the client to crash when used on earlier versions of
macOS 12.
Fixed customer-reported smart card and folder redirection issues.

Updates for version 10.7.4


Published: January 13, 2022

In this release, we made the following changes:

Addressed full screen display issues with 2021 MacBook Pro 14" and 16" models.
Better handle load-balanced Remote Desktop Gateway configurations.

Updates for version 10.7.3


Published: December 17, 2021

Unfortunately, the 10.7.2 update disabled smart card redirection for some users when
they'd try to reconnect to their sessions. As a result, we've released this update to
address the issue.

Updates for version 10.7.2


Published: December 13, 2021

In this release, we made the following changes:

Added support for the Touch Bar on MacBook Pro devices.
Refreshed the look and feel of the PCs and Apps tabs in the Connection Center.
Added a new SHIFT+COMMAND+K hotkey that opens the Connection Center.
Improved compatibility with third-party network devices and load balancers for
workspace download and Remote Desktop Gateway-based connections.
Support for the ms-rd URI scheme.
Improved support for invertible mouse cursors that straddle the image boundary.
Support for .RDPW files produced by the Azure Virtual Desktop web client.
Fixed an issue that caused the workspace subfolder to remain expanded even if
you've collapsed the root folder.
Updates and enhancements to Teams redirection (only available in Azure Virtual
Desktop scenarios).
Addressed reliability issues identified through crash reporting and feedback.

Updates for version 10.7.1


Published: November 4, 2021

In this release, we made the following changes:

Addressed issues that caused the app to crash.

Updates for version 10.7.0


Published: October 21, 2021

In this release, we made the following changes:

Addressed issues brought up by users in crash reports and general feedback.
Invertible cursors, such as the text cursor, are now outlined to make them visible
on dark backgrounds.
Made improvements to the code for the Connection Center for both PCs and
workspaces.
Added support for moving the local window while using a RemoteApp.
By default, local window movement in RemoteApp scenarios is disabled. To
enable local window movement, set the EnableRemoteAppLocalMove policy to
True.
Updated the Connection Information prompt that appears when you go to
Connections > Show Connection Information.
Added screen capture protection for Azure Virtual Desktop scenarios.
Addressed an issue that allowed folders to be redirected multiple times.
Added a link to the new support forum at Help > Submit feedback.
Updates improving security, connectivity and performance while connecting to
Azure Virtual Desktop.

Updates for version 10.6.8


Published: August 16, 2021

In this release, we made the following changes:

Added background refresh for subscribed workspaces.
Addressed issues where the session window may switch to another monitor when
auto-reconnecting.
auto-reconnecting.
Addressed issues where the session window would intermittently enlarge after
connecting.
Addressed issues where the name of a redirected folder would be incorrect in the
remote session.
Addressed issues when resizing remote app windows.
Improved error messages that are displayed when user accounts fail to update.
Addressed issues where window titles in the list of connected remote apps were
blank.
Addressed multi-monitor issue where the mouse cursor shape would not update
correctly when dragging between monitors.
Added a checkbox to General Preferences to enable/disable Microsoft Teams
optimizations.
Added a UI to report if a remote app could not be launched on the server due to
not being on the system allowlist.
Addressed issues where the session window could not expand when placed at the
top or bottom of the screen.
Addressed scenarios where the mouse cursor would disappear while connected to
a remote PC.
Deletion of an Azure Virtual Desktop workspace now correctly removes all
associated workspaces.
Addressed issues where adding a folder to redirect to a bookmark would enable
the Add button with an empty PC name.
Addressed issues where double-clicking the title bar incorrectly stretches the
session window.
Updated the mouse to change to a hand glyph when hovering over a red input
error indicator.
Addressed issues where the session window would flash rapidly in the Mission
Control or Application windows view.
Improved connectivity and performance metrics when connecting to Azure Virtual
Desktop.
Subscribed workspaces are refreshed every six hours by default. The interval can be
changed with the ClientSettings.WorkspaceAutoRefreshInterval user default; the
minimum is 30 minutes and the maximum is 24 hours.

Updates for version 10.6.7

Published: June 21, 2021

In this release, we made the following changes:

Addressed three connectivity errors that users reported to us:

Worked around a 0x907 (mismatched certificate) error code that was caused by
third-party infrastructure returning an incorrect certificate in redirection
scenarios.

Fixed the root cause of a 0x207 (handshake failure) error code that appeared
when users accidentally tried to connect with an incorrect password to a
pre-Windows 8 server with Network Level Authentication (NLA) enabled.

Resolved a 0x1107 (invalid workstation) error code that appeared when Active
Directory workstation logon restrictions were set.

Updated the default icon for published desktops and worked around an issue that
caused smart card redirection to stop working with recently patched versions of
Windows.

Made some updates to improve compatibility and performance metrics when
connecting to Azure Virtual Desktop.

Updates for version 10.6.6


Published: May 4, 2021

In this release, we made the following changes:

Enabled connections to Windows Server 2003 servers that have Transport Layer
Security (TLS) enabled for Remote Desktop connections.
Addressed a 0x3000066 error message that appeared in Remote Desktop Gateway
scenarios, and aligned TLS version usage with the Windows Remote Desktop client.

Updates for version 10.6.5


Published: April 29, 2021

In this release, we made the following changes:


Fixed an issue that made the client return a 0x907 error code when connecting to a
server endpoint with a certificate that had a Remote Desktop Authentication EKU
property of 1.3.6.1.4.1.311.54.1.2 .
Updated the client to address a 0x2407 error code that prevented the client from
authorizing users for remote access.

Updates for version 10.6.4


Published: April 22, 2021

In this release, we made the following changes:

Fixed an issue that caused the client to return a 0x907 error code when processing
a server authentication certificate with a validity lifetime of over 825 days.

Updates for version 10.6.3


Published: April 20, 2021

In this release, we made the following changes:

Fixed an issue that caused the client to return a 0x507 error code.
Enabled support for the AVC420 codec on Apple Silicon.
Enabled Smart card redirection (requires macOS 11.2 or later) on Apple Silicon.

Updates for version 10.6.2


Published: April 20, 2021

In this release, we made the following changes:

Removed a double prompt for credentials that occurred in some scenarios when
users tried to connect with a Remote Desktop Gateway.

Updates for version 10.6.1


Published: April 20, 2021

In this update, we fixed an issue that caused the client to stop responding when
connecting to a Remote Desktop Gateway.

Updates for version 10.6.0

Published: April 19, 2021

In this release we made some significant updates to the shared underlying code that
powers the Remote Desktop experience across all our clients. We've also added some
new features and addressed bugs and crashes that were showing up in error reports.

Added native support for Apple Silicon.
Added client-side IME support when using Unicode keyboard mode.
Integrated Kerberos support in the CredSSP security protocol sequence.
Addressed macOS 11 compatibility issues.
Made updates to improve interoperability with current and upcoming features in
the Azure Virtual Desktop service.
Fixed issues that caused mis-paints when decoding AVC data generated by a
server-side hardware encoder.
Addressed an issue that made remote Office app windows invisible even though
they appeared in the app switcher.

Important

As of this update, the macOS client requires macOS version 10.14 or later to run.

Updates for version 10.5.2


Published: February 15, 2021

In this release, we made the following changes:

Added HTTP proxy support for Remote Desktop Gateway connections.
Fixed an issue where a Remote Desktop Gateway connection would disconnect and
a message with error code 0x3000064 would appear.
Addressed a bug where workspace discovery and download wouldn't work if you
included the port number in HTTP GET requests.
Refreshed the application icon.

Note

This release is the last release that will be compatible with macOS version 10.13.

Updates for version 10.5.1

Published: January 29, 2021

In this release, we made the following changes:

Addressed an issue where the UI would stop resolving a workspace name during
subscription.
Fixed an in-session bug where graphics updates would stall while the client
continued to send input.
Resolved reliability issues identified through crash reporting.

Updates for version 10.5.0


Published: December 2, 2020

In this release, we made the following changes:

You can now edit the display, device, and folder redirection settings of published
PC connections.
RemoteApp windows now shrink to the dock when minimized.
Added a Connection Information dialog that displays the current bandwidth and
round-trip time.
Added support for Remote Desktop Gateway consent and admin messages.
Fixed an issue where an RDP file specifying a gatewayusagemethod value of 0 or 4
was incorrectly imported.
The Edit Workspace sheet now shows the exact time at which the workspace was
last updated.
Removed trace spew that was output when using the --script parameter.
Addressed an issue where the client would return a 0x30000066 error when
connecting using a Remote Desktop Gateway server.
Fixed an issue that caused the client to repeatedly prompt users for credentials if
Extended Protection for Authentication was set on the server.
Addressed reliability issues that users identified through crash reporting.
Addressed keyboard and VoiceOver-related accessibility bugs.

Updates for version 10.4.1


Published: November 6, 2020

In this release, we made the following changes:

Addressed several reliability issues identified through crash reporting.
Addressed keyboard and VoiceOver-related accessibility bugs.
Fixed an issue where the client would hang on reconnect when resuming from
sleep.
Fixed an audio artifact heard when playing back the first chunk of a redirected
audio stream.
Addressed an issue where the client would report a 0x5000007 error message
when connecting using a Remote Desktop Gateway server.
Corrected the aspect ratio of PC thumbnails displayed in the Connection Center.
Improved smart card redirection heuristics to better handle nested transactions.
Fixed a bug that prevented bookmark export if the bookmark's display name
contained the / character.
Resolved a bug that caused a 0xD06 protocol error when running Outlook as a
RemoteApp.
Added support for a new integer RDP file property (ForceHiDpiOptimizations) to
enable Retina display optimization.

Updates for version 10.4.0


Published: August 20, 2020

In this release, we made substantial updates to the underlying code for the Remote
Desktop experience across all our clients. We've also added some new features and
addressed bugs and crashes that were showing up in error reporting. Here are some
changes you may notice:

PC Quick Connect (Cmd+K) allows you to connect to a PC without creating a
bookmark.
Auto-reconnect now recovers from transient network glitches for PC connections.
When resuming a suspended MacBook, you can use auto-reconnect to reconnect
to any disconnected PC connections.
Added support for HTTP proxies when subscribing and connecting to Azure Virtual
Desktop resources.
Implemented support for HTTP proxy automatic configuration with PAC files.
Integrated support for NETBIOS name resolution so you can connect to PCs on
your local network more easily.
Fixed an issue where the system menu bar wouldn't respond while the app was in
focus.
Fixed a client-side race condition that could cause decryption errors on the server.
Made improvements to monitor layout and geometry heuristics for multimon
scenarios involving Retina-class monitors.
Multimon layout configurations are now maintained across session redirection
scenarios.
Addressed an issue that prevented the menu bar from dropping in multimon
scenarios.
User account UI that interacts with the macOS keychain will now surface keychain
access errors.
Hitting cancel during workspace subscription will now result in nothing being
added to the Connection Center.
Added key mappings for Cmd+Z and Cmd+F to map to Ctrl+Z and Ctrl+F
respectively.
Fixed a bug that caused a RemoteApp to open behind the Connection Center
when launched.
Worked around an issue in macOS 10.15 where AAC audio playback caused the
client to stall.
Shift+left-click now works in Unicode mode.
Fixed a bug where using the Shift key triggered the Sticky Keys alert in Unicode
mode.
Added a check for network availability before connection initiation.
Addressed pulsing of PC thumbnails that sometimes happened during the
connection sequence.
Fixed a bug where the password field in the Add/Edit User Account sheet become
multiline.
The Collapse All option is now greyed out if all workspaces are collapsed.
The Expand All option is now greyed out if all workspaces are expanded.
The first-run permissions UI is no longer shown on High Sierra.
Fixed an issue where users were unable to connect to Azure Virtual Desktop
endpoints using saved credentials in the DOMAIN\USERNAME format.
The username field in the credential prompt is now always prepopulated for Azure
Virtual Desktop connections.
Fixed a bug that clipped the Edit, Delete, and Refresh buttons for workspaces if the
Connection Center wasn't wide enough.
The email or workspace URL field in the Add Workspace sheet is no longer case-
sensitive.
Fixed accessibility issues that impacted VoiceOver and keyboard navigation
scenarios.
Lots of updates to improve interoperability with current and upcoming features in
the Azure Virtual Desktop service.
You can now configure the AVC support level advertised by the client from a
terminal prompt. Here are the support levels you can configure:
Don't advertise AVC support to the server:
defaults write com.microsoft.rdc.macos AvcSupportLevel disabled
Advertise AVC420 support to the server:
defaults write com.microsoft.rdc.macos AvcSupportLevel avc420
Advertise AVC444 support to the server:
defaults write com.microsoft.rdc.macos AvcSupportLevel avc444

Updates for version 10.3.9


Published: April 6, 2020

In this release, we made some changes to improve interoperability with the Azure Virtual
Desktop service. In addition, we've included the following updates:

Control+Option+Delete now triggers the Ctrl+Alt+Del sequence (previously
required pressing the Fn key).
Fixed the keyboard mode notification color scheme for Light mode.
Addressed scenarios where connections initiated using the GatewayAccessToken
RDP file property didn't work.

Note

This is the last release that will be compatible with macOS 10.12.

Updates for version 10.3.8


Published: February 12, 2020

With this update, you can switch between Scancode (Ctrl+Command+K) and Unicode
(Ctrl+Command+U) modes when entering keyboard input. Unicode mode allows
extended characters to be typed using the Option key on a Mac keyboard. For example,
on a US Mac keyboard, Option+2 enters the trademark (™) symbol. You can also
enter accented characters in Unicode mode. For example, on a US Mac keyboard,
pressing Option+E followed by the A key enters the character á in your
remote session.

Other updates in this release include:

Cleaned up the workspace refresh experience and UI.
Addressed a smart card redirection issue that caused the remote session to stop
responding at the sign-in screen when the Checking Status message appeared.
Reduced time to create temporary files used for clipboard-based file copy and
paste.
Temporary files used for clipboard file copy and paste are now deleted
automatically when you exit the app, instead of relying on macOS to delete them.
PC bookmark actions are now rendered at the top-right corner of thumbnails.
Made fixes to address issues reported through crash telemetry.

Updates for version 10.3.7


Published: January 6, 2020

In this release, we made the following changes:

Copying things from the remote session to a network share or USB drive no longer
creates empty files.
Specifying an empty password in a user account no longer causes a double
certificate prompt.

Updates for version 10.3.6


Published: January 6, 2020

In this release, we made the following changes:

Addressed an issue that created zero-length files whenever you copied a folder
from the remote session to the local machine using file copy and paste.

Updates for version 10.3.5


Published: January 6, 2020

In this release, we made the following changes:

Redirected folders can now be marked as read-only to prevent their contents from
being changed in the remote session.
We addressed a 0x607 error that appeared when connecting using RPC over
HTTPS Remote Desktop Gateway scenarios.
Fixed cases where users were double-prompted for credentials.
Fixed cases where users received the certificate warning prompt twice.
Added heuristics to improve trackpad-based scrolling.
The client no longer shows the Saved Desktops group if there are no user-created
groups.
Updated UI for the tiles in PC view.
Fixes to address crashes sent to us via application telemetry.

Updates for version 10.3.4


Published: November 18, 2019

In this release, we made the following changes:

When connecting via a Remote Desktop Gateway with multifactor authentication,
the gateway connection will be held open to avoid multiple MFA prompts.
All the client UI is now fully keyboard-accessible with Voiceover support.
Files copied to the clipboard in the remote session are now only transferred when
pasting to the local computer.
URLs copied to the clipboard in the remote session now paste correctly to the local
computer.
Scale factor remoting to support Retina displays is now available for multimonitor
scenarios.
Addressed a compatibility issue with FreeRDP-based RD servers that was causing
connectivity issues in redirection scenarios.
Addressed smart card redirection compatibility with future releases of Windows 10.
Addressed an issue specific to macOS 10.15 where the incorrect available space
was reported for redirected folders.
Published PC connections are represented with a new icon in the Workspaces tab.
Feeds are now called Workspaces, and Desktops are now called PCs.
Fixed inconsistencies and bugs in user account handling in the preferences UI.
Lots of bug fixes to make things run smoother and more reliably.

Updates for version 10.3.3


Published: November 18, 2019

In this release, we made the following changes:

Added user defaults to disable smart card, clipboard, microphone, camera, and
folder redirection:
ClientSettings.DisableSmartcardRedirection
ClientSettings.DisableClipboardRedirection
ClientSettings.DisableMicrophoneRedirection
ClientSettings.DisableCameraRedirection
ClientSettings.DisableFolderRedirection
Resolved an issue that was causing programmatic session window resizes to not be
detected.
Fixed an issue where the session window contents appeared small when
connecting in windowed mode (with dynamic display enabled).
Addressed initial flicker that occurred when connecting to a session in windowed
mode with dynamic display enabled.
Fixed graphics mis-paints that occurred when connected to Windows 7 after
toggling fit-to-window with dynamic display enabled.
Fixed a bug that caused an incorrect device name to be sent to the remote session
(breaking licensing in some third-party apps).
Resolved an issue where RemoteApp windows would occupy an entire monitor
when maximized.
Addressed an issue where the access permissions UI appeared underneath local
windows.
Cleaned up some shutdown code to ensure the client closes more reliably.
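The five ClientSettings.Disable*Redirection user defaults listed above, together with
ClientSettings.WorkspaceAutoRefreshInterval (version 10.6.8) and AvcSupportLevel
(version 10.4.0), are the settings an administrator uses to lock the client down, and
they drift as users run defaults write themselves. The following is an added example,
not code from this page or from Microsoft: it reads an exported copy of the
com.microsoft.rdc.macos preference domain with Python's plistlib and reports what
deviates from a baseline that disables clipboard and folder redirection, then prints
the defaults write commands that restore it. The two sample property lists are
constructed; the assumption that the refresh interval is stored in minutes is this
example's (the page states only the 30-minute minimum and 24-hour maximum).

```python
import plistlib

DOMAIN = "com.microsoft.rdc.macos"

# Keys named on the page. The five redirection switches are booleans; the
# refresh interval is assumed (this example's assumption) to be stored in
# minutes; AvcSupportLevel takes the three documented values.
REDIRECTION_KEYS = {
    "smartcard": "ClientSettings.DisableSmartcardRedirection",
    "clipboard": "ClientSettings.DisableClipboardRedirection",
    "microphone": "ClientSettings.DisableMicrophoneRedirection",
    "camera": "ClientSettings.DisableCameraRedirection",
    "folder": "ClientSettings.DisableFolderRedirection",
}
REFRESH_KEY = "ClientSettings.WorkspaceAutoRefreshInterval"
REFRESH_MIN, REFRESH_MAX, REFRESH_DEFAULT = 30, 24 * 60, 6 * 60
AVC_KEY, AVC_LEVELS = "AvcSupportLevel", ("disabled", "avc420", "avc444")

# Constructed sample exports, shaped like the XML that
# `defaults export com.microsoft.rdc.macos -` prints on a Mac:
# one profile that has drifted and one that meets the baseline.
DRIFTED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>ClientSettings.DisableClipboardRedirection</key><true/>
  <key>ClientSettings.DisableFolderRedirection</key><false/>
  <key>ClientSettings.WorkspaceAutoRefreshInterval</key><integer>10</integer>
  <key>AvcSupportLevel</key><string>avc444</string>
</dict></plist>"""
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>ClientSettings.DisableClipboardRedirection</key><true/>
  <key>ClientSettings.DisableFolderRedirection</key><true/>
  <key>ClientSettings.WorkspaceAutoRefreshInterval</key><integer>60</integer>
</dict></plist>"""


def audit(plist_bytes, required_off=("clipboard", "folder")):
    """Return {key: problem} for each setting that deviates from the baseline."""
    prefs = plistlib.loads(plist_bytes)
    findings = {}
    for kind in required_off:
        key = REDIRECTION_KEYS[kind]
        # A missing key means the client default (redirection allowed) applies.
        if prefs.get(key) is not True:
            findings[key] = "redirection not disabled (key missing or not true)"
    interval = prefs.get(REFRESH_KEY, REFRESH_DEFAULT)
    if not isinstance(interval, int) or not REFRESH_MIN <= interval <= REFRESH_MAX:
        findings[REFRESH_KEY] = (f"{interval!r} is outside {REFRESH_MIN}-{REFRESH_MAX} "
                                 "minutes; the client clamps it to that range")
    level = prefs.get(AVC_KEY)
    if level is not None and level not in AVC_LEVELS:
        findings[AVC_KEY] = f"{level!r} is not one of {AVC_LEVELS}"
    return findings


def lockdown_commands(required_off=("clipboard", "folder"), interval=REFRESH_DEFAULT):
    """`defaults write` commands that apply the baseline, with the interval clamped."""
    interval = max(REFRESH_MIN, min(REFRESH_MAX, int(interval)))
    cmds = [f"defaults write {DOMAIN} {REDIRECTION_KEYS[k]} -bool true" for k in required_off]
    cmds.append(f"defaults write {DOMAIN} {REFRESH_KEY} -int {interval}")
    return cmds


if __name__ == "__main__":
    for key, problem in audit(DRIFTED_PLIST).items():
        print(f"{key}: {problem}")
    print("\n".join(lockdown_commands(interval=10)))
```

To run it against a real machine, feed the output of defaults export for the domain to
audit() instead of the embedded sample; the two extra defaults (smartcard, microphone,
camera) are opted into by extending required_off.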

Updates for version 10.3.2


Published: November 18, 2019

In this release, we fixed a bug that made the display low resolution while connecting to
a session.

Updates for version 10.3.1


Published: November 18, 2019

In this release, we made the following changes:

Addressed connectivity issues with Remote Desktop Gateway servers that were
using 4096-bit asymmetric keys.
Fixed a bug that caused the client to randomly stop responding when
downloading feed resources.
Fixed a bug that caused the client to crash while opening.
Fixed a bug that caused the client to crash while importing connections from
Remote Desktop, version 8.

Updates for version 10.3.0

Published: August 27, 2019

In this release, we made the following changes:

Camera redirection is now possible when connecting to Windows 10 1809,
Windows Server 2019 and later.
On Mojave and Catalina we've added a new dialog that requests your permission
to use the microphone and camera for device redirection.
The feed subscription flow has been rewritten to be simpler and faster.
Clipboard redirection now includes the Rich Text Format (RTF).
When entering your password, you can now choose to reveal it by selecting the
Show password checkbox.
Addressed scenarios where the session window was jumping between monitors.
The Connection Center displays high-resolution RemoteApp icons when available.
Cmd+A maps to Ctrl+A when Mac clipboard shortcuts are being used.
Cmd+R now refreshes all of your subscribed feeds.
Added new secondary click options to expand or collapse all groups or feeds in the
Connection Center.
Added a new secondary click option to change the icon size in the Feeds tab of the
Connection Center.
A new, simplified, and clean app icon.

Updates for version 10.2.13


Published: May 8, 2019

In this release, we made the following changes:

Fixed a hang that occurred when connecting via a Remote Desktop Gateway.
Added a privacy notice to the Add Feed dialog.

Updates for version 10.2.12


Published: April 16, 2019

In this release, we made the following changes:

Resolved random disconnects (with error code 0x904) that took place when
connecting via a Remote Desktop Gateway.
Fixed a bug that caused the resolutions list in application preferences to be empty
after installation.
Fixed a bug that caused the client to crash if certain resolutions were added to the
resolutions list.
Addressed an ADAL authentication prompt loop when connecting to Azure Virtual
Desktop deployments.

Updates for version 10.2.10


Published: March 30, 2019

In this release, we made the following changes:

Addressed instability caused by the recent macOS 10.14.4 update.
Fixed mis-paints that appeared when decoding AVC codec data encoded by a
server using NVIDIA hardware.

Updates for version 10.2.9


Published: March 6, 2019

In this release, we made the following changes:

Fixed a Remote Desktop Gateway connectivity issue that can occur when server
redirection takes place.
We also addressed a Remote Desktop Gateway regression caused by the 10.2.8
update.

Updates for version 10.2.8


Published: March 1, 2019

In this release, we made the following changes:

Resolved connectivity issues that surfaced when using a Remote Desktop Gateway.
Fixed incorrect certificate warnings that were displayed when connecting.
Addressed some cases where the menu bar and dock would needlessly hide when
launching a RemoteApp.
Reworked the clipboard redirection code to address crashes and hangs that have
been plaguing some users.
Fixed a bug that caused the Connection Center to needlessly scroll when launching
a connection.

Updates for version 10.2.7

Published: February 6, 2019

In this release, we addressed graphics mis-paints (caused by a server encoding bug) that
appeared when using AVC444 mode.

Updates for version 10.2.6


Published: January 28, 2019

In this release, we made the following changes:

Added support for the AVC (420 and 444) codec, available when connecting to
current versions of Windows 10.
In Fit to Window mode, a window refresh now occurs immediately after a resize to
ensure that content is rendered at the correct interpolation level.
Fixed a layout bug that caused feed headers to overlap for some users.
Cleaned up the Application Preferences UI.
Polished the Add/Edit Desktop UI.
Made lots of fit and finish adjustments to the Connection Center tile and list views
for desktops and feeds.

Note

There is a bug in macOS 10.14.0 and 10.14.1 that can cause the
.com.microsoft.rdc.application-data_SUPPORT/_EXTERNAL_DATA folder (nested deep
inside the ~/Library folder) to consume a large amount of disk space. To resolve
this issue, delete the folder content and upgrade to macOS 10.14.2. Note that a
side-effect of deleting the folder contents is that snapshot images assigned to
bookmarks will be deleted. These images will be regenerated when reconnecting to
the remote PC.

Updates for version 10.2.4


Published: December 18, 2018

In this release, we made the following changes:

Added dark mode support for macOS Mojave 10.14.
An option to import from Microsoft Remote Desktop 8 now appears in the
Connection Center if it is empty.
Addressed folder redirection compatibility with some third-party enterprise
applications.
Resolved issues where users were getting a 0x30000069 Remote Desktop Gateway
error due to security protocol fallback issues.
Fixed progressive rendering issues some users were experiencing with fit to
window mode.
Fixed a bug that prevented file copy and paste from copying the latest version of a
file.
Improved mouse-based scrolling for small scroll deltas.

Updates for version 10.2.3


Published: November 6, 2018

In this release, we made the following changes:

Added support for the remoteapplicationcmdline RDP file setting for RemoteApp
scenarios.
The title of the session window now includes the name of the RDP file (and server
name) when launched from an RDP file.
Fixed reported Remote Desktop Gateway performance issues.
Fixed reported Remote Desktop Gateway crashes.
Fixed issues where the connection would hang when connecting through a Remote
Desktop Gateway.
Better handling of a RemoteApp in full-screen by intelligently hiding the menu bar
and dock.
Fixed scenarios where a RemoteApp remained hidden after being launched.
Addressed slow rendering updates when using Fit to Window with hardware
acceleration disabled.
Handled database creation errors caused by incorrect permissions when the client
starts up.
Fixed an issue where the client was consistently crashing at launch and not starting
for some users.
Fixed a scenario where connections were incorrectly imported as full-screen from
Remote Desktop 8.

Updates for version 10.2.2


Published: October 9, 2018
In this release, we made the following changes:

A brand new Connection Center that supports drag and drop, manual arrangement
of desktops, resizable columns in list view mode, column-based sorting, and
simpler group management.
The Connection Center now remembers the last active pivot (Desktops or Feeds)
when closing the app.
The credential prompting UI and flows have been overhauled.
Remote Desktop Gateway feedback is now part of the connecting status UI.
Settings import from the version 8 client has been improved.
RDP files pointing to RemoteApp endpoints can now be imported into the
Connection Center.
Retina display optimizations for single monitor Remote Desktop scenarios.
Support for specifying the graphics interpolation level (which affects blurriness)
when not using Retina optimizations.
256-color support to enable connectivity to Windows 2000.
Fixed clipping of the right and bottom edges of the screen when connecting to
Windows 7, Windows Server 2008 R2 and earlier.
Copying a local file into Outlook (running in a remote session) now adds the file as
an attachment.
Fixed an issue that was slowing down pasteboard-based file transfers if the files
originated from a network share.
Addressed a bug that was causing Excel (running in a remote session) to hang
when saving to a file on a redirected folder.
Fixed an issue that was causing no free space to be reported for redirected folders.
Fixed a bug that caused thumbnails to consume too much disk storage on macOS
10.14.
Added support for enforcing Remote Desktop Gateway device redirection policies.
Fixed an issue that prevented session windows from closing when disconnecting
from a connection using Remote Desktop Gateway.
If Network Level Authentication (NLA) is not enforced by the server, you will now
be routed to the sign-in screen if your password has expired.
Fixed performance issues that surfaced when lots of data was being transferred
over the network.
Smart card redirection fixes.
Support for all possible values of the EnableCredSspSupport and Authentication
Level RDP file settings if the ClientSettings.EnforceCredSSPSupport user default
key (in the com.microsoft.rdc.macos domain) is set to 0.
Support for the Prompt for Credentials on Client RDP file setting when NLA is not
negotiated.
Support for smart card-based sign-in using smart card redirection at the Winlogon
prompt when NLA is not negotiated.
Fixed an issue that prevented downloading feed resources that have spaces in the
URL.

Updates for version 10.2.1


Published: August 6, 2018

In this release, we made the following changes:

Enabled connectivity to Azure Active Directory (Azure AD) joined PCs. To connect
to an Azure AD joined PC, your username must be in one of the following formats:
AzureAD\user or AzureAD\user@domain .

Addressed some bugs affecting the usage of smart cards in a remote session.

Updates for version 10.2.0


Published: July 24, 2018

In this release, we made the following changes:

Incorporated updates for GDPR compliance.


MicrosoftAccount\username@domain is now accepted as a valid username.
Clipboard sharing has been rewritten to be faster and support more formats.
Copy and pasting text, images, or files between sessions now bypasses the local
machine's clipboard.
You can now connect via a Remote Desktop Gateway server with an untrusted
certificate if you accept the warning prompts. Accepting the prompt skips
verification of the gateway's identity, so only do so when you already trust
the network path to it.
Metal hardware acceleration is now used (where supported) to speed up rendering
and optimize battery usage.
When using Metal hardware acceleration, we try to work some magic to make the
session graphics appear sharper.
Got rid of some instances where windows would hang around after being closed.
Fixed bugs that were preventing the launch of RemoteApp programs in some
scenarios.
Fixed a Remote Desktop Gateway channel synchronization error that was resulting
in 0x204 errors.
The mouse cursor shape now updates correctly when moving out of a session or
RemoteApp window.
Fixed a folder redirection bug that was causing data loss when copy and pasting
folders.
Fixed a folder redirection issue that caused incorrect reporting of folder sizes.
Fixed a regression that was preventing logging into an Azure AD-joined machine
using a local account.
Fixed bugs that were causing the session window contents to be clipped.
Added support for RD endpoint certificates that contain elliptic-curve asymmetric
keys.
Fixed a bug that was preventing the download of managed resources in some
scenarios.
Addressed a clipping issue with the pinned connection center.
Fixed the checkboxes in the Display tab of the Add a Desktop window to work
better together.
Aspect ratio locking is now disabled when dynamic display change is in effect.
Addressed compatibility issues with F5 infrastructure.
Updated handling of blank passwords to ensure the correct messages are shown
at connect-time.
Fixed mouse scrolling compatibility issues with MapInfra Pro.
Fixed some alignment issues in the Connection Center when running on Mojave.

Updates for version 10.1.8


Published: May 4, 2018

In this release, we made the following changes:

Added support for changing the remote resolution by resizing the session window!
Fixed scenarios where remote resource feed download would take an excessively
long time.
Resolved the 0x207 error that could occur when connecting to servers not patched
with the CredSSP encryption oracle remediation update (CVE-2018-0886).

Updates for version 10.1.7


Published: April 5, 2018

In this release, we made the following changes:

Made security fixes to incorporate CredSSP encryption oracle remediation updates
as described in CVE-2018-0886.
Improved RemoteApp icon and mouse cursor rendering to address reported
mispaints.
Addressed issues where RemoteApp windows appeared behind the Connection
Center.
Fixed a problem that occurred when you edit local resources after importing from
Remote Desktop 8.
You can now start a connection by pressing ENTER on a desktop tile.
When you're in full screen view, Cmd+M now correctly maps to WIN+M.
The Connection Center, Preferences, and About windows now respond to Cmd+M.
You can now start discovering feeds by pressing ENTER on the Adding Remote
Resources page.
Fixed an issue where a new remote resources feed showed up empty in the
Connection Center until after you refreshed.

Updates for version 10.1.6


Published: March 26, 2018

In this release, we made the following changes:

Fixed an issue where RemoteApp windows would reorder themselves.


Resolved a bug that caused some RemoteApp windows to get stuck behind their
parent window.
Addressed a mouse pointer offset issue that affected some RemoteApp programs.
Fixed an issue where starting a new connection gave focus to an existing session,
instead of opening a new session window.
Fixed an incorrect error message: you'll now see the correct message when the
client can't find your gateway.
The Quit shortcut (⌘ + Q) is now consistently shown in the UI.
Improved the image quality when stretching in fit to window mode.
Fixed a regression that caused multiple instances of the home folder to show up in
the remote session.
Updated the default icon for desktop tiles.

Get started with the web client
Article • 07/03/2024

The Remote Desktop web client lets you use a compatible web browser to access your
organization's remote resources (apps and desktops) published to you by your admin.
You'll be able to interact with the remote apps and desktops like you would with a local
PC no matter where you are, without having to switch to a different desktop PC. Once
your admin sets up your remote resources, all you need are your domain, user name,
password, the URL your admin sent you, and a supported web browser, and you're good
to go.

Tip

If you want to connect to Azure Virtual Desktop instead of Remote Desktop
Services, see Connect to Azure Virtual Desktop with the Remote Desktop Web
client.

What you'll need to use the web client


For the web client, you'll need a PC running Windows, macOS, ChromeOS, or Linux.
Mobile devices aren't supported at this time.
A modern browser like Microsoft Edge, Google Chrome, Apple Safari, or Mozilla
Firefox (v55.0 and later).
The URL your admin sent you.

Start using the Remote Desktop client


To sign in to the client, go to the URL your admin sent you. At the sign-in page, enter
your domain and user name in the format DOMAIN\username , enter your password, and
then select Sign in.

Note

By signing in to the web client, you agree that your PC complies with your
organization's security policy.

After you sign in, the client will take you to the All Resources tab, which contains all
items published to you under one or more collapsible groups, such as the "Work
Resources" group. You'll see several icons representing the apps, desktops, or folders
containing more apps or desktops that the admin has made available to the work
group. You can come back to this tab at any time to launch additional resources.

To start using an app or desktop, select the item you want to use, enter the same user
name and password you used to sign in to the web client if prompted, and then select
Submit. You might also be shown a consent dialog to access local resources, like
clipboard and printer. You can choose to not redirect either of these, or select Allow to
use the default settings. Wait for the web client to establish the connection, and then
start using the resource as you would normally.

When you're finished, you can end your session by either selecting the Sign Out button
in the toolbar at the top of your screen or closing the browser window.

Web client keyboard shortcuts


The following table describes alternate key combinations to inject standard Windows
shortcut keys in the remote session.

Shortcut key                        Description
(Windows) Ctrl+Alt+End              Injects Ctrl+Alt+Del in the remote session.
(macOS) fn+control+option+delete
Alt+F3                              Injects the Windows key in the remote session.
Alt+Page Up                         Switches between programs from left to right in the remote session (Windows shortcut: Alt+Tab).
Alt+Page Down                       Switches between programs from right to left in the remote session (Windows shortcut: Alt+Shift+Tab).

Printing from the Remote Desktop web client


Follow these steps to print from the web client:

1. Start the printing process as you would normally for the app you want to print
from.
2. When prompted to choose a printer, select Remote Desktop Virtual Printer.
3. After choosing your preferences, select Print.
4. Your browser will generate a PDF file of your print job.
5. You can choose to either open the PDF and print its contents to your local printer
or save it to your PC for later use.

Transfer files with the web client


To learn how to enable web client file transfer, check out Configure device redirections.

Follow these steps to transfer files from your local computer to the remote session:

1. Connect to the remote session.


2. Select the file upload icon in the web client menu.
3. When prompted, select the files you want to upload using the local file explorer.
4. Open the file explorer in your remote session. Your files will be uploaded to
Remote Desktop Virtual Drive > Uploads.

To download files from the remote session to your local computer:

1. Connect to the remote session.


2. Open the file explorer in your remote session.
3. Copy the file or files you want to download to Remote Desktop Virtual Drive >
Downloads. There is a file size limit of 255MB.
4. A prompt will ask if you want to download the file or files you selected. At this
point, you can confirm the download by selecting Confirm or cancel it by selecting
Cancel. If you don't want to see this prompt every time you download files from
the current browser, select the check box labeled Don’t ask me again on this
browser before confirming.
5. Your files will be downloaded to your local default downloads folder.

Copy and paste from the Remote Desktop web


client
The web client currently supports copying and pasting text only. Files can't be copied or
pasted to and from the web client. Additionally, you can only use Ctrl+C and Ctrl+V to
copy and paste text.

Keyboard settings in the remote session


The web client supports using an Input Method Editor (IME) in the remote session in
version 1.0.21.16 or later. Before you can use the IME, you must install the language
pack for the keyboard you want to use in the remote session on the host virtual
machine. To learn more about setting up language packs in the remote session, see Add
language packs to a Windows 10 multi-session image.

To select alternative keyboard layout or language:

1. Before you connect to the remote session, go to the web client Settings panel.
2. In Select Remote Keyboard Layout section, expand the drop-down menu and
select the keyboard you want to use in the remote session. Azure Virtual Desktop
web client settings options:

Auto: This configuration will send KeyCodes on key press, which means the
local key is directly sent to the remote machine. For this option, the local
machine keyboard layout is important and should match the layout on all the
hops taken to the remote machine.

Remote: This configuration will send Scan Codes to the remote machine. For
this option, the local machine keyboard layout is not as important, but the
keyboard layout on all other hops taken to the remote machine should match
the selected layout.

Language specific: If you select a specific language and the language pack is
installed on the remote machine, that language will automatically be selected
on new Windows sessions only. For example, if you use English UK, you can
select it from the drop down. Make sure to sign out of ALL the Windows user
sessions you're trying to connect to. When opening a new session, all the
hops should automatically default to using the English UK layout.

Note: There's a known issue when using KeyCodes (the Auto setting) with
PowerShell. Selecting a mode on the Azure Virtual Desktop web client that
uses scan codes (Remote, or a specific language such as English UK) makes
PowerShell work as expected.

3. If you are using either an IME-based keyboard or a keyboard with alternate layout,
select either Remote OR pick any of the languages from the list.
4. Connect to the remote session.

The web client will suppress the local IME window when you're focused on the remote
session. If you change the IME settings after you've already connected to the remote
session, the setting changes won't have any effect. The web client doesn't support IME
input while using a private browsing window. Additionally, IMEs do not work with the
Auto setting.

Note
If the language pack isn't installed on the host virtual machine, the remote session
will default to the English (United States) keyboard.

Enable native display resolution in remote


sessions
The web client supports using native display resolution during remote sessions. In
sessions running on a high-DPI display, native resolution can provide higher-fidelity
graphics and improved text clarity.

Note

Enabling native display resolution with a high-DPI display may cause increased CPU
or network usage.

Native resolution is set to off by default. To turn native resolution on:

1. In your session, go to the upper-right corner of the taskbar and select Settings.
2. Set Enable native display resolution to On.

Open resources in your installed Azure Virtual


Desktop client
The web client supports opening resources in your installed Azure Virtual Desktop client
instead of the browser by downloading the Remote Desktop Protocol (RDP) file. To learn
how to install a Remote Desktop client, check out Remote Desktop clients.

Note

RDP files have a limited lifespan. We recommend you download the RDP file every
time you need to use a resource

To download the RDP file:

1. In the web client, go to the upper-right corner of the taskbar and select the
settings (gear) icon.
2. Under Resource Launch method, select Download the RDP file.
3. Select the resource you want to open (for example, Excel) to download the RDP
file.
4. Once the download is finished, select the downloaded RDP file to open the
resource.

Get help with the web client


If you've encountered an issue that can't be solved by the information in this article, you
can get help with the web client by raising feedback on the web client's Feedback page.

What's new in the web client
Article • 07/03/2024

We regularly update the Remote Desktop web client, adding new features and fixing
issues. Here's where you can find the latest updates.

Note

We've changed the versioning system for the web client. Starting with version
1.0.18.0, all web client release versions contain four numbers (in the format
"W.X.Y.Z"). Release numbers for the Remote Desktop web client always end
with a 0 (for example, W.X.Y.0). Each Azure Virtual Desktop web client release
changes the last digit until the next Remote Desktop web client release (for
example, 1.0.18.1).

Updates for version 2.1.0.0


Date published: March 21, 2024

New client now generally available.


UX improvements added.
New key features added to this client version.
Now available for on-prem download.

Updates for version 1.0.28.0


Date published: December 19, 2022

You can now redirect cameras.


Updated third-party libraries.
Accessibility improvements.
Bug fixes.

Updates for version 1.0.27.0


Date published: March 24, 2022

Added Web client keyboard shortcuts for switching between programs. For more
information, see Keyboard shortcuts.
The client now supports native resolution on high-DPI devices. For more
information, see Enable native display resolution in remote sessions.
Updated full screen mode icon behavior to disable the icon when you press the
F11 key to enter full screen mode.
Removed support for Internet Explorer and other deprecated browsers.
Fixed an issue where some keys weren’t working correctly on the Japanese
keyboard layout.
Bug fixes and security improvements for file transfer.

Updates for version 1.0.26.0


Date published: December 12, 2021

Bug fixes.
Version 1.0.26.0 is the final version of the client that supports Internet Explorer 11
and WinXP.

Updates for version 1.0.25.0


Date published: 7/22/2021

Client now has web assembly on supported browsers.


Added file transfer support.
Bug fixes.

Updates for 1.0.24.0


Date published: 1/6/2021

Important

Version 1.0.24.0 includes an important security fix. We have removed earlier
versions of the web client containing this bug.

Added support for redirecting local microphone input to the remote session.
Fixed issues with AltGr and several other keyboard bugs.
Accessibility improvements.

Updates for 1.0.22.0


Date published: 9/2/2020

Important

In version 1.0.22.0, we introduced a regression that impacts some Chromebook
operating systems. Users on impacted operating systems won't be able to connect
to a remote session using the web client. We're currently investigating this issue
and will release a new version of the web client as soon as we fix this regression.

Users can now move the minimized menu.


Improved support for 4K and ultra-wide monitors and fixed an issue where
copying large amounts of data caused sessions to crash.
Improved support for using an Input Method Editor in the remote session. To learn
more about using an Input Method Editor with the web client, check out Connect
to Azure Virtual Desktop with the web client.
Changed the All Resources page UI.
Fixed several connection sequence failures where web client returned a General
Protocol Error.
Fixed keyboard input issues where specific key sequences weren't handled
appropriately.
Accessibility improvements.

Updates for version 1.0.21.0


Date published: 11/15/2019

Added support for using an Input Method Editor (IME) in the remote session to
input complex characters.
Fixed a regression where users couldn't copy and paste into the remote session on
macOS devices.
Fixed a regression where local Windows Key was sent to the remote session on
Firefox.
Added link to RDWeb password change when enabled by your administrator.

Updates for version 1.0.20.0


Date published: 10/18/2019

Added support for connections to Windows 7 and Windows Server 2008 R2 hosts.
Fixed an issue where certain app icons were shown as transparent tiles.
Fixed connection issues for Internet Explorer browser on Windows 7.
Fixed unexpected disconnects that happened when the browser was resized.
Accessibility improvements.
Updated third-party libraries.

Updates for version 1.0.18.0


Date published: 5/14/2019

Added Resource Launch Method configuration in the Settings tab, enabling users
to either open resources in the browser or download an .rdp file to handle with
another client. This setting may be configured by your admin. Details regarding
admin configurations for this feature can be found in the web client setup
documentation.
Fixed color rendering issues, enabling more vivid colors in your remote session.
Revised error messages related to remote resource feed errors.
Added support for more office shortcuts, such as paste special (Ctrl+Alt+V).
Added keyboard shortcut for users to invoke the Windows Key in the remote
session (Alt+F3)
Updated error message for users attempting to authenticate using an expired
password.
Refreshed feed UI on the All Resources page.
Resolved overlapping dialogues that occurred during session reconnect.
Fixed remote resource icon sizing in the resource taskbar.

Updates for version 1.0.11


Date published: 2/22/2019

Enabled connection to RD Broker without an RD Gateway in Windows Server 2019.


Sorted feeds alphabetically (i.e., RemoteApps first, Desktops second).
Fixed multiple accessibility bugs improving screen reader compatibility.
Updated our build tools.
Various bug fixes.

Updates for version 1.0.7


Date published: 1/24/2019

Offline use on internal networks is now supported.


Improved rendering on non-Microsoft Edge browsers.
Implemented limit for feed retrieval retry attempts to prevent DoS.
Fixed accessibility bugs, enabling users with visual disabilities to use the web client.
Improved error messages displayed to the user for feed errors.
Added Ctrl + Alt + End (Windows) and fn + control + option + delete (Mac)
shortcuts to invoke Ctrl + Alt + Del in remote machine.
Improved telemetry for crash events.
Improved our build pipeline and build tools.
Various bug fixes.

Updates for version 1.0.1


Date published: 10/29/2018

Added an option to Capture support information on the About page to diagnose
issues.
InPrivate mode is now supported.
Improved support for non-English keyboards.
Fixed an issue where tooltips with non-English characters showed incorrectly.
Fixed graphics rendering issue that affected Chrome users.
Updated time zone redirection with full DST support.
Improved the error message for out-of-memory error.
Various bug fixes.

Updates for version 1.0.0


Date published: 07/16/2018

Remote Desktop web client is now generally available.


Admins can globally turn off telemetry for the web client.
Various bug fixes.

Updates for version 0.9.0


Date published: 07/05/2018

New sign in experience within the web client.


No longer prompted for credentials when launching a desktop or app connection
(Single sign on).
Added time zone redirection.
Various bug fixes.
Updates for version 0.8.1
Date published: 05/17/2018

Updates to address CredSSP encryption oracle remediation described in
CVE-2018-0886.
Fixed connection failures for some languages when printing is enabled.
Improved error message when a gateway isn't part of the deployment.
Help and Feedback options were added.

Updates for version 0.8.0


Date published: 03/28/2018

Initial public preview release of the web client.


Copy/paste text through the clipboard with CTRL+C and CTRL+V.
Print to a PDF file.
Localized in 18 languages.

Use the Remote Desktop Connection
app to connect to a remote PC using
single sign-on with Microsoft Entra
authentication
Article • 07/03/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019,
Windows Server 2016

You can use the Remote Desktop Connection app (MSTSC) in Windows to connect to a
remote PC using single sign-on with Microsoft Entra authentication. When you're
signed-in to your local device with your Microsoft Entra account and you connect to a
remote PC, your credentials pass through and automatically sign you in.

Prerequisites
To connect to a remote PC using single sign-on with Microsoft Entra authentication, you
need:

The remote PC and your local device must be running one of the following
operating systems:
Windows 11 with 2022-10 Cumulative Updates for Windows 11 (KB5018418)
or later installed.
Windows 10, version 20H2 or later with 2022-10 Cumulative Updates for
Windows 10 (KB5018410) or later installed.
Windows Server 2022 with 2022-10 Cumulative Update for Microsoft server
operating system (KB5018421) or later installed.

Remote Desktop needs to be enabled in your remote PC. You can follow the steps
in Enable Remote Desktop on your PC to enable Remote Desktop.

The remote PC must be Microsoft Entra joined or Microsoft Entra hybrid joined.
There's no requirement for the local device to be joined to a domain or Microsoft
Entra. As a result, this method allows you to connect to the remote PC from:
Microsoft Entra joined or Microsoft Entra hybrid joined devices.
Active Directory domain joined devices.
Workgroup devices.

If you're accessing an Azure VM, ensure the Microsoft Entra account has been
assigned the Virtual Machine Administrator Login or Virtual Machine User Login
role. For more information, see Steps to assign an Azure role.

If your organization has configured and is using Microsoft Entra Conditional
Access, your local device must satisfy the Conditional Access requirements to allow
connection to the remote computer. Conditional Access policies may be applied to
the application Microsoft Remote Desktop with ID a4a365df-50f1-4397-bc59-
1a1564b8bb9c to control access to the remote PC when single sign-on is enabled.

Note

We recommend that you enforce multi-factor authentication Conditional
Access and configure a periodic reauthentication policy using Sign-in
frequency control for added security.

Connect to a remote PC using single sign-on


with Microsoft Entra authentication
Here's how to connect to a remote PC using single sign-on with Microsoft Entra
authentication

1. Launch the Remote Desktop Connection app on your local device from Windows
Search , or by running mstsc.exe from a command prompt.

2. Select Show Options to expand the Remote Desktop Connection client, then select
the Advanced tab.

3. Check the box Use a web account to sign in to the remote computer. This option
is equivalent to the enablerdsaadauth RDP property. For more information, see
Supported RDP properties with Remote Desktop Services.

4. Select the General tab and enter the name of the remote PC (its NetBIOS
computer name or fully qualified domain name (FQDN)) in the Computer field. The
name must match the hostname of the remote PC in Microsoft Entra ID and be
network addressable, resolving to the IP address of the remote PC. You can't use
an IP address.

5. Select Connect.

6. If prompted for credentials, your user account in Microsoft Entra ID may be
automatically selected. If your account is not automatically selected, specify the
user name for your account in the format [email protected] (the User Principal
Name (UPN)).
7. Select OK to connect. You're prompted to allow the remote desktop connection
when connecting to a new remote PC. Microsoft Entra remembers up to 15 hosts
for 30 days before prompting again. If you see this dialogue, select Yes to connect.

Disconnection when the session is locked


The Windows lock screen in the remote session doesn't support Microsoft Entra
authentication tokens or passwordless authentication methods like FIDO keys. The lack
of support for these authentication methods means that users can't unlock their screens
in a remote session. When you try to lock a remote session, either through user action
or system policy, the session is instead disconnected and the service sends a message to
the user explaining they've been disconnected.

Disconnecting the session also ensures that when the connection is relaunched after a
period of inactivity, Microsoft Entra ID reevaluates the applicable conditional access
policies.

Next steps
Learn about how client features compare to each other when connecting to
remote PCs.

Uninstall and reinstall Remote Desktop
Connection
Article • 07/03/2024

You can now uninstall the built-in Remote Desktop Connection app from the Windows
operating system. This article shows not only how to uninstall the app, but also how to
reinstall it should you change your mind about removing it later.

Important

When you uninstall Remote Desktop Connection, you also become unable to use
the RemoteApp and Desktop Connections control panel.

Prerequisites
In order to uninstall and reinstall Remote Desktop Connection, you must use Windows
11 23H2 or later.

Uninstall Remote Desktop Connection


To uninstall Remote Desktop Connection:

GUI

1. From the Start menu, search for the Settings app and open it.

2. Select Apps, then select Installed apps.

3. Find or search for Remote Desktop Connection, select the three dots to the
right-hand side, then select Uninstall.

4. Confirm you want to uninstall the app by selecting Uninstall.

5. Restart your machine if prompted in order to complete the removal.

Reinstall Remote Desktop Connection


After you uninstall the Remote Desktop Connection app, you can reinstall it by following
these instructions:

1. Download the Remote Desktop Connection installer file for your platform:
   Windows 64-bit (most common), Windows 32-bit, or Windows ARM64.

2. Open the file to run the installer, then follow all instructions in the workflow until
setup is complete.

Remote Desktop client - supported
configuration
Article • 07/03/2024

Learn which PCs you can access by using supported configurations for Remote Desktop
clients.

Supported operating systems for Remote


Desktop client connections
You can connect to PCs that run the following Windows operating systems:

Windows 11 Pro
Windows 11 Enterprise
Windows 10 Pro
Windows 10 Enterprise
Windows Server 2022
Windows Server 2019
Windows Server 2016

Note

Windows SKUs that aren't listed in this section, such as Windows 10 Home, can't
accept incoming Remote Desktop connections.

Supported operating systems for Remote


Desktop Gateway, Web Access and RemoteApp
The following operating systems can serve as Remote Desktop Gateway, Web Access,
and RemoteApp:

Windows Server 2022


Windows Server 2019
Windows Server 2016

RD Gateway messaging isn't supported
Remote Desktop Client doesn't support RD Gateway messaging. Verify that the Remote
Desktop Resource Access Policy (RD RAP) for your RD Gateway server doesn't specify
Only allow computers with support for RD Gateway Messaging, or you aren't able to
connect.

Enable Remote Desktop on your PC
Article • 11/01/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

You can use Remote Desktop to connect to and control your PC from a remote device
by using a Microsoft Remote Desktop client (available for Windows, iOS, macOS, and
Android). When you allow remote connections to your PC, you can use another device
to connect to your PC and have access to all of your apps, files, and network resources
as if you were sitting at your desk.

Note

You can use Remote Desktop to connect to Professional and Enterprise SKUs of
Windows. You can't connect to computers running a Home edition, such as
Windows 10 Home.

To connect to a remote PC, that computer must be turned on, it must have a network
connection, Remote Desktop must be enabled, you must have network access to the
remote computer (this could be through the Internet), and you must have permission to
connect. For permission to connect, you must be on the list of users. Before you start a
connection, it's a good idea to look up the name of the computer you're connecting to
and to make sure Remote Desktop connections are allowed through its firewall.

If you need to connect to your PC from outside of the network your PC is running on,
you can use port forwarding or set up a VPN. For more information, see Allow access to
your PC from outside your PC's network.

How to enable Remote Desktop

The simplest way to allow access to your PC from a remote device is by using the
Remote Desktop options under Settings. This functionality was added in the Windows 10
Fall Creators Update (1709); for earlier versions of Windows, a separate downloadable
app provides similar functionality.

Windows 10 Fall Creators Update (1709) or later
You can configure your PC for remote access with a few easy steps.
1. On the device you want to connect to, select Start and then choose the Settings
icon on the left.
2. Select the System group followed by the Remote Desktop item.
3. Use the slider to enable Remote Desktop.
4. It's also recommended to keep the PC awake and discoverable to facilitate
connections. Select Show settings to enable.
5. As needed, add users who can connect remotely by clicking Select users that can
remotely access this PC. Members of the Administrators group automatically have
access.
6. Make note of the name of this PC under How to connect to this PC. You'll need
this to configure the clients.

Windows 7 and earlier versions of Windows 10
To configure your PC for remote access, download and run the Microsoft Remote
Desktop Assistant . This assistant updates your system settings to enable remote
access, ensures your computer is awake for connections, and checks that your firewall
allows Remote Desktop connections.

Connect from a client device
To use Remote Desktop to connect to the remote PC you set up, type Remote Desktop
Connection on your local PC, and then select Remote Desktop Connection. Enter the
name of the remote PC, then select Connect.

On your Mac, iOS, or Android device, open the Remote Desktop app (available for free
from the app stores). Add the name of the remote PC, and then wait for the connection
to complete.

Should I enable Remote Desktop?
If you only want to access your PC when you are physically using it, you don't need to
enable Remote Desktop. Enabling Remote Desktop opens a port on your PC that is
visible to your local network. You should only enable Remote Desktop in trusted
networks, such as your home. You also don't want to enable Remote Desktop on any PC
where access is tightly controlled.

Be aware that when you enable access to Remote Desktop, you're granting anyone in
the Administrators group, as well as any additional users you select, the ability to
remotely access their accounts on the computer.
You should ensure that every account that has access to your PC is configured with a
strong password.

Why allow connections only with Network Level Authentication?
If you want to restrict who can access your PC, choose to allow access only with Network
Level Authentication (NLA). When you enable this option, the connecting user must
authenticate before a remote session is created on your PC, instead of at a sign-in
screen inside an already established session. Allowing connections only from computers
running Remote Desktop with NLA is a more secure authentication method that can help
protect your computer from malicious users and software, because unauthenticated clients
never get as far as the sign-in screen. To learn more about NLA and Remote Desktop,
check out Configure NLA for RDS Connections.

If you're remotely connecting to a PC on your home network from outside of that
network, don't select this option.
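The same configuration done from an elevated PowerShell prompt, as an added example that is not part of the original article: it turns on Remote Desktop, requires NLA and the TLS security layer on the RDP-Tcp listener, keeps the firewall exception off the Public profile, adds one allowed user, and reports the resulting state. The account name CONTOSO\alice and the English firewall rule group name 'Remote Desktop' are assumptions; the CIM classes used are the ones Windows exposes under root/cimv2/TerminalServices.

```powershell
# Added example, not from the original article. Assumes an elevated PowerShell
# session on the PC you want to reach, an English-language Windows install (for
# the firewall rule group name), and a hypothetical account CONTOSO\alice that
# should be allowed to connect.
$ns = 'root/cimv2/TerminalServices'

# 1. Allow inbound Remote Desktop connections (same effect as the Settings slider).
#    ModifyFirewallException=1 also turns on the built-in "Remote Desktop" rule group.
$tsSetting = Get-CimInstance -Namespace $ns -ClassName Win32_TerminalServiceSetting
Invoke-CimMethod -InputObject $tsSetting -MethodName SetAllowTSConnections `
    -Arguments @{ AllowTSConnections = 1; ModifyFirewallException = 1 } | Out-Null

# 2. Require Network Level Authentication and the TLS security layer on the
#    RDP-Tcp listener: the client must authenticate before a session is created.
$listener = Get-CimInstance -Namespace $ns -ClassName Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'"
Invoke-CimMethod -InputObject $listener -MethodName SetUserAuthenticationRequired `
    -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
Invoke-CimMethod -InputObject $listener -MethodName SetSecurityLayer `
    -Arguments @{ SecurityLayer = 2 } | Out-Null

# 3. Keep the firewall exception off the Public profile; the article recommends
#    enabling Remote Desktop only on trusted networks.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Profile Domain, Private

# 4. Grant a specific non-administrator account (assumed name) the right to
#    connect. Members of the local Administrators group can connect without
#    being listed here.
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member 'CONTOSO\alice'

# 5. Re-read the settings and report the effective state.
$tsSetting = Get-CimInstance -Namespace $ns -ClassName Win32_TerminalServiceSetting
$listener  = Get-CimInstance -Namespace $ns -ClassName Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'"
[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME            # the name clients connect to
    ConnectionsAllowed = [bool]$tsSetting.AllowTSConnections
    NlaRequired        = [bool]$listener.UserAuthenticationRequired
    SecurityLayer      = $listener.SecurityLayer      # 2 = TLS, 1 = negotiate, 0 = RDP
    AllowedUsers       = (Get-LocalGroupMember -Group 'Remote Desktop Users').Name -join ', '
    FirewallProfiles   = (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                            Select-Object -First 1).Profile
}
```

Run it once on the PC that will accept connections; the reported ComputerName is the name to enter in the client. If you later need to accept connections from a network the PC classifies as Public, add that profile deliberately rather than opening all three.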

Remote Desktop - Allow access to your PC from outside your PC's network
Article • 11/01/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

When you connect to your PC by using a Remote Desktop client, you're creating a peer-
to-peer connection. This means you need direct access to the PC (sometimes called "the
host"). If you need to connect to your PC from outside of the network your PC is running
on, you need to enable that access. You have a couple of options: use port forwarding or
set up a VPN.

Enable port forwarding on your router
Port forwarding simply maps the port on your router's IP address (your public IP) to the
port and IP address of the PC you want to access.

Specific steps for enabling port forwarding depend on the router you're using, so you'll
need to search online for your router's instructions. For a general discussion of the
steps, check out wikiHow to Set Up Port Forwarding on a Router .

Before you map the port you'll need the following:

PC internal IP address: Look in Settings > Network & Internet > Status > View
your network properties. Find the network configuration with an "Operational"
status and then get the IPv4 address.

Your public IP address (the router's IP). There are many ways to find this - you can
search (in Bing or Google) for "my IP" or view the Wi-Fi network properties (for
Windows 10).
Port number being mapped. In most cases this is 3389 - that's the default port
used by Remote Desktop connections.

Admin access to your router.

Warning

You're opening your PC up to the internet, which is not recommended. If you
must, make sure you have a strong password set for your PC. It is preferable
to use a VPN.

After you map the port, you'll be able to connect to your host PC from outside the local
network by connecting to the public IP address of your router (the second bullet above).

The router's IP address can change - your internet service provider (ISP) can assign you a
new IP at any time. To avoid running into this issue, consider using Dynamic DNS - this
lets you connect to the PC using an easy to remember domain name, instead of the IP
address. Your router automatically updates the DDNS service with your new IP address,
should it change.

With most routers you can define which source IP or source network can use port
mapping. So, if you know you're only going to connect from work, you can add the IP
address for your work network - that lets you avoid opening the port to the entire
public internet. If the host you're using to connect uses dynamic IP address, set the
source restriction to allow access from the whole range of that particular ISP.

You might also consider setting up a static IP address on your PC so the internal IP
address doesn't change. If you do that, then the router's port forwarding will always
point to the correct IP address.

Use a VPN
If you connect to your local area network by using a virtual private network (VPN), you
don't have to open your PC to the public internet. Instead, when you connect to the
VPN, your RD client acts as if it's part of the same network and can access your PC.
There are a number of VPN services available - you can find and use whichever works
best for you.

Change the listening port for Remote Desktop on your computer
Article • 11/01/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10

When you connect to a computer (either a Windows client or Windows Server) through
the Remote Desktop client, the Remote Desktop feature on your computer "hears" the
connection request through a defined listening port (3389 by default). You can change
that listening port on Windows computers by modifying the registry.

1. Start the registry editor. (Type regedit in the Search box.)
2. Navigate to the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal
Server\WinStations\RDP-Tcp
3. Find PortNumber
4. Click Edit > Modify, and then click Decimal.
5. Type the new port number, and then click OK.
6. Close the registry editor, and restart your computer.

The next time you connect to this computer by using the Remote Desktop connection,
you must type the new port. If you're using a firewall, make sure to configure your
firewall to permit connections to the new port number.

You can check the current port by running the following PowerShell command:

PowerShell

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "PortNumber"

For example:

PowerShell

PortNumber : 3389
PSPath :
Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl
Set\Control\Terminal Server\WinStations\RDP-Tcp
PSParentPath :
Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl
Set\Control\Terminal Server\WinStations
PSChildName : RDP-Tcp
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry

You can also change the RDP port by running the following PowerShell command. In
this command, we'll specify the new RDP port as 3390.

To add a new RDP Port to the registry:

PowerShell

$portvalue = 3390

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "PortNumber" -Value $portvalue

New-NetFirewallRule -DisplayName 'RDPPORTLatest-TCP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol TCP -LocalPort $portvalue
New-NetFirewallRule -DisplayName 'RDPPORTLatest-UDP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol UDP -LocalPort $portvalue
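A fuller version of the port change, as an added example that is not part of the original article: it checks that the new port is free before touching the registry, creates the firewall rules on the Domain and Private profiles (the commands above cover only the Public profile), disables the built-in rules that still allow 3389, restarts the Remote Desktop service so the listener picks up the new value, and verifies the result. The port number 3390 is an example value. Moving the port only hides the service from scanners that probe 3389; it does not replace NLA, strong credentials, or keeping the port off the public internet.

```powershell
# Added example, not from the original article. Assumes an elevated PowerShell
# session on the target computer and that 3390 (an example value) is free.
$NewPort = 3390
$rdpTcp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Refuse to proceed if another service already listens on the requested port.
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    throw "TCP port $NewPort is already in use on this host."
}

$oldPort = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber
Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value $NewPort

# Inbound rules for the new port. The article's rules cover only the Public
# profile; a PC on a domain or private network needs those profiles instead.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "Remote Desktop (port $NewPort) - $proto-In" `
        -Direction Inbound -Action Allow -Protocol $proto -LocalPort $NewPort `
        -Profile Domain, Private | Out-Null
}

# The built-in "Remote Desktop" rules still allow 3389 even though nothing will
# listen there; disable them so the firewall matches what is actually exposed.
if ($NewPort -ne 3389) {
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

# The listener reads PortNumber only when it starts. Restarting TermService
# drops every active RDP session, so run this from the console or plan a reboot.
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 3

# Verify: the new port must be listening, the old one must not.
$listening = (Get-NetTCPConnection -State Listen).LocalPort
if ($listening -notcontains $NewPort) {
    throw "Remote Desktop is not listening on $NewPort."
}
if ($oldPort -ne $NewPort -and $listening -contains $oldPort) {
    Write-Warning "Port $oldPort is still open on this host."
}
Get-NetTCPConnection -LocalPort $NewPort -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Clients then connect with the port appended to the name (for example, hostname:3390 in the Remote Desktop Connection Computer field). Keep the verification step: if the listener did not restart cleanly, the registry already points at the new port while the firewall still only admits the old one, and the next remote connection fails.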

Compare Remote Desktop app features across platforms and devices
Article • 01/15/2025

Tip

This article is shared for services and products that use the Remote Desktop
Protocol (RDP) to provide remote access to Windows desktops and apps.

The Remote Desktop app is available on Windows, macOS, iOS and iPadOS, Android and
Chrome OS, and in a web browser. However, support for some features differs across
these platforms. This article details which features are supported on which platforms.

There are two versions of the Remote Desktop app for Windows, which are both
supported for connecting to Remote Desktop Services and remote PCs:

Remote Desktop Connection. This is provided in Windows and is referred to in this
article as Windows (MSTSC), after the name of the executable file. It also includes
the RemoteApp and Desktop Connections Control Panel applet.

Remote Desktop app from the Microsoft Store. This version is no longer being
developed and is referred to in this article as Windows (RD Store).

Experience
The following table compares which Remote Desktop app experience features are
supported on which platforms:

Feature | Windows (MSTSC) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Appearance (dark or light) | ❌ | ✅ | ✅ | ✅ | ✅ | ✅
Integrated apps | ✅¹ | ❌ | ❌ | ❌ | ❌ | ❌
Localization | ✅ | ✅ | ❌ | ✅ | ❌ | ✅
Pin to Start Menu | ✅¹ | ✅ | ❌ | ❌ | ❌ | ❌
Search | ❌ | ❌ | ✅ | ✅ | ✅ | ✅
URI schemes | ❌ | ❌ | ✅² | ✅² | ✅² | ❌

1. When subscribed to Remote Desktop Services using the RemoteApp and Desktop Connections Control Panel applet.
2. Legacy RDP URI scheme only.

The following table provides a description for each of the experience features:

Feature | Description
Appearance (dark or light) | Change the appearance of the Remote Desktop app to be light or dark.
Integrated apps | Individual apps using RemoteApp are integrated with the local device as if they're running locally.
Localization | User interface available in languages other than English (United States).
Pin to Start Menu | Pin your favorite devices and apps to the Windows Start Menu for quick access.
Search | Quickly search for devices or apps.
Uniform Resource Identifier (URI) schemes | Start the Remote Desktop app or connect to a remote session with specific parameters and values with a URI.

Display
The following table compares which display features are supported on which platforms:

Feature | Windows (MSTSC) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Dynamic resolution | ❌ | ✅ | ✅ | ✅ | ✅ | ✅
External monitor | ✅ | ❌ | ✅ | ✅ | ❌ | ❌
Multiple monitors¹ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌
Selected monitors | ✅ | ❌ | ❌ | ✅ | ❌ | ❌
Smart sizing | ✅ | ✅ | ✅ | ❌ | ❌ | ❌

1. Up to 16 monitors.

The following table provides a description for each of the display features:

Feature | Description
Dynamic resolution | The resolution and orientation of local displays is dynamically reflected in the remote session for desktops. If the session is running in windowed mode, the desktop is dynamically resized to the size of the window.
External display | Enables the use of an external display for a remote session.
Multiple displays | Enables the remote session to use all local displays. Each display can have a maximum resolution of 8K, with the total combined resolution limited to 32K. These limits depend on factors such as session host specification and network connectivity.
Selected displays | Specifies which local displays to use for the remote session.
Smart sizing | A desktop in windowed mode is dynamically scaled to the window's size.

Redirection
The following sections detail the redirection support available on each platform.

Tip

Redirection of some peripheral and resource types needs to be enabled by an
administrator before they can be used in a remote session. For more information,
see Redirection over the Remote Desktop Protocol, where you can also find links
in the Related content section to articles that explain how to configure redirection
for specific peripheral and resource types.

Device redirection
The following table shows which local devices you can redirect to a remote session on
each platform:

Feature | Windows (MSTSC) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Cameras | ✅ | ❌ | ✅ | ✅ | ✅ | ✅¹
Local drive/storage | ✅ | ❌ | ✅ | ✅ | ✅ | ✅²
Microphones | ✅ | ✅ | ✅ | ✅ | ✅ | ✅
Printers | ✅ | ❌ | ✅³ | ❌ | ❌ | ✅⁴
Scanners⁵ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌
Smart cards | ✅ | ❌ | ✅ | ❌ | ❌ | ❌
Speakers | ✅ | ✅ | ✅ | ✅ | ✅ | ✅

1. Camera redirection in a web browser is in preview.
2. Limited to uploading and downloading files through a web browser.
3. The Remote Desktop app on macOS supports the Publisher Imagesetter printer driver by default (Common UNIX Printing System (CUPS) only). Native printer drivers aren't supported.
4. PDF printing only.
5. High-level redirection of TWAIN scanners isn't supported. You can only redirect USB scanners using opaque low-level redirection. For more information, see Peripheral and resource redirection over the Remote Desktop Protocol.

The following table provides a description for each type of device you can redirect:

Device type | Description
Cameras | Redirect a local camera to use with apps like Microsoft Teams.
Local drive/storage | Access local disk drives in a remote session.
Microphones | Redirect a local microphone to use with apps like Microsoft Teams.
Printers | Print from a remote session to a local printer.
Scanners | Access a local scanner in a remote session.
Smart cards | Use smart cards in a remote session.
Speakers | Play audio in the remote session or on the local device.

Input redirection
The following table shows which input methods you can redirect:

Feature | Windows (MSTSC) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Keyboard | ✅ | ✅ | ✅ | ✅ | ✅ | ✅
Keyboard input language | ✅ | ✅ | ✅ | ❌ | ❌ | ✅¹
Keyboard shortcuts | ✅ | ✅ | ✅ | ✅ | ✅ | ✅
Mouse/trackpad | ✅ | ✅ | ✅ | ✅ | ✅ | ✅
Multi-touch | ✅ | ✅ | ❌ | ✅ | ✅ | ❌
Pen | ✅ | ❌ | ❌ | ✅ | ✅ | ✅
Touch | ✅ | ✅ | ❌ | ✅ | ✅ | ✅

1. Enabled by alternative keyboard layout.

The following table provides a description for each type of input you can redirect:

Input type | Description
Keyboard | Redirect keyboard inputs to the remote session.
Mouse/trackpad | Redirect mouse or trackpad inputs to the remote session.
Multi-touch | Redirect multiple touches simultaneously to the remote session.
Pen | Redirect pen inputs, including pressure, to the remote session.
Touch | Redirect touch inputs to the remote session.

Port redirection
The following table shows which ports you can redirect:

Feature | Windows (MSTSC) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Serial | ✅ | ❌ | ❌ | ❌ | ❌ | ❌
USB | ✅ | ❌ | ❌ | ❌ | ❌ | ❌

The following table provides a description for each port you can redirect:

Port type | Description
Serial | Redirect serial (COM) ports on the local device to the remote session.
USB | Redirect supported USB devices on the local device to the remote session.

Other redirection
The following table shows which other features you can redirect:

Feature | Windows (MSTSC) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Clipboard - bidirectional | ✅ | ✅ | ✅ | ✅¹ | ✅² | ✅²
Clipboard - unidirectional³ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅
Location | ✅⁴ | ❌ | ❌ | ✅ | ❌ | ✅
Third-party virtual channel plugins | ✅ | ❌ | ❌ | ❌ | ❌ | ❌
Time zone | ✅ | ✅ | ✅ | ✅ | ✅ | ✅
WebAuthn | ✅ | ❌ | ❌ | ❌ | ❌ | ❌

1. Text and images only.
2. Text only.
3. macOS support is native in the Remote Desktop app. All other platforms require remote session configuration. For more information, see Configure the clipboard transfer direction and types of data that can be copied.
4. From a local device running Windows 11 only.

The following table provides a description for each other redirection feature you can
redirect:

Feature | Description
Clipboard - bidirectional | Redirect the clipboard on the local device to the remote session and from the remote session to the local device.
Clipboard - unidirectional | Control the direction in which the clipboard can be used and restrict the types of data that can be copied.
Location | The location of the local device can be available in the remote session.
Third-party virtual channel plugins | Enables third-party virtual channel plugins to extend Remote Desktop Protocol (RDP) capabilities.
Time zone | The time zone of the local device can be available in the remote session.
WebAuthn | Authentication requests in the remote session can be redirected to the local device, allowing the use of security devices such as Windows Hello for Business or a security key.

Network
The following table shows which network features are available on each platform:

Feature | Windows (MSTSC) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Connection information ✅ ❌ ✅ ❌ ✅

The following table provides a description for each network feature:

Feature | Description
Connection information | See the connection information of the remote session.


Supported RDP properties
Article • 09/27/2024

Tip

This article is shared for services and products that use the Remote Desktop
Protocol (RDP) to provide remote access to Windows desktops and apps.

The Remote Desktop Protocol (RDP) has a number of properties you can set to
customize the behavior of a remote session, such as for device redirection, display
settings, session behavior, and more.

The following sections list each available RDP property with its syntax, description,
supported values, default value, and the services and products whose connections you
can use it with.

How you use these RDP properties depends on the service or product you're using:

Product | Configuration point
Azure Virtual Desktop | Host pool RDP properties. To learn more, see Customize RDP properties for a host pool.
Remote Desktop Services | Session collection RDP properties
Remote PC connections | The .rdp file you use to connect to a remote PC.

Note

For each RDP property, replace <value> with an allowed value for that property.

Connections
Here are the RDP properties that you can use to configure connections.

alternate full address

Syntax: alternate full address:s:<value>
Description: Specifies an alternate name or IP address of the remote computer.
Supported values:
A valid hostname, IPv4 address, or IPv6 address.
Default value: None.
Applies to:
Remote Desktop Services
Remote PC connections

alternate shell

Syntax: alternate shell:s:<value>
Description: Specifies a program to be started automatically in a remote session as
the shell instead of explorer.
Supported values:
A valid path to an executable file, such as C:\Program Files\MyApp\myapp.exe .
Default value: None.
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

authentication level

Syntax: authentication level:i:<value>
Description: Defines the server authentication level settings.
Supported values:
0 : If server authentication fails, connect to the computer without warning.
1 : If server authentication fails, don't establish a connection.
2 : If server authentication fails, show a warning, and choose to connect or
refuse the connection.
3 : No authentication requirement specified.
Default value: 3
Applies to:
Remote Desktop Services
Remote PC connections

disableconnectionsharing
Syntax: disableconnectionsharing:i:<value>
Description: Determines whether the client reconnects to any existing
disconnected session or initiates a new connection when a new connection is
launched.
Supported values:
0 : Reconnect to any existing session.
1 : Initiate new connection.

Default value: 0
Applies to:
Remote Desktop Services

domain

Syntax: domain:s:<value>
Description: Specifies the name of the Active Directory domain in which the user
account that will be used to sign in to the remote computer is located.
Supported values:
A valid domain name, such as CONTOSO .
Default value: None.
Applies to:
Remote Desktop Services
Remote PC connections

enablecredsspsupport

Syntax: enablecredsspsupport:i:<value>
Description: Determines whether the client will use the Credential Security Support
Provider (CredSSP) for authentication if it's available.
Supported values:
0 : RDP won't use CredSSP, even if the operating system supports CredSSP.
1 : RDP will use CredSSP if the operating system supports CredSSP.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

enablerdsaadauth
Syntax: enablerdsaadauth:i:<value>
Description: Determines whether the client will use Microsoft Entra ID to
authenticate to the remote PC. When used with Azure Virtual Desktop, this
provides a single sign-on experience. This property replaces the property
targetisaadjoined.
Supported values:
0 : Connections won't use Microsoft Entra authentication, even if the remote PC
supports it.
1 : Connections will use Microsoft Entra authentication if the remote PC
supports it.
Default value: 0
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

full address

Syntax: full address:s:<value>
Description: Specifies the hostname or IP address of the remote computer that
you want to connect to. This is the only mandatory property in a .rdp file.
Supported values:
A valid hostname, IPv4 address, or IPv6 address.
Default value: None.
Applies to:
Remote Desktop Services
Remote PC connections

gatewaycredentialssource

Syntax: gatewaycredentialssource:i:<value>
Description: Specifies the authentication method used for Remote Desktop
gateway connections.
Supported values:
0 : Ask for password (NTLM).
1 : Use smart card.

2 : Use the credentials for the currently signed in user.

3 : Prompt the user for their credentials and use basic authentication.
4 : Allow user to select later.
5 : Use cookie-based authentication.

Default value: 0
Applies to:
Remote Desktop Services

gatewayhostname

Syntax: gatewayhostname:s:<value>
Description: Specifies the host name of a Remote Desktop gateway.
Supported values:
A valid hostname, IPv4 address, or IPv6 address.
Default value: None.
Applies to:
Remote Desktop Services

gatewayprofileusagemethod

Syntax: gatewayprofileusagemethod:i:<value>
Description: Specifies whether to use the default Remote Desktop gateway
settings.
Supported values:
0 : Use the default profile mode, as specified by the administrator.
1 : Use explicit settings, as specified by the user.

Default value: 0
Applies to:
Remote Desktop Services

gatewayusagemethod

Syntax: gatewayusagemethod:i:<value>
Description: Specifies whether to use a Remote Desktop gateway for the
connection.
Supported values:
0 : Don't use a Remote Desktop gateway.
1 : Always use a Remote Desktop gateway.
2 : Use a Remote Desktop gateway if a direct connection can't be made to the
RD Session Host.
3 : Use the default Remote Desktop gateway settings.
4 : Don't use a Remote Desktop gateway, bypass gateway for local addresses.
Setting this property value to 0 or 4 is effectively equivalent, but 4 enables
the option to bypass local addresses.
Default value: 0
Applies to:
Remote Desktop Services

kdcproxyname

Syntax: kdcproxyname:s:<value>
Description: Specifies the fully qualified domain name of a KDC proxy.
Supported values:
A valid path to a KDC proxy server, such as kdc.contoso.com .
Default value: None.
Applies to:
Azure Virtual Desktop. For more information, see Configure a Kerberos Key
Distribution Center proxy.

promptcredentialonce

Syntax: promptcredentialonce:i:<value>
Description: Determines whether a user's credentials are saved and used for both
the Remote Desktop gateway and the remote computer.
Supported values:
0 : Remote session doesn't use the same credentials.
1 : Remote session does use the same credentials.

Default value: 1
Applies to:
Remote Desktop Services

targetisaadjoined

Syntax: targetisaadjoined:i:<value>
Description: Allows connections to Microsoft Entra joined session hosts using a
username and password. This property is only applicable to non-Windows clients
and local Windows devices that aren't joined to Microsoft Entra. It is being
replaced by the property enablerdsaadauth.
Supported values:
0 : Connections to Microsoft Entra joined session hosts will succeed for
Windows devices that meet the requirements, but other connections will fail.
1 : Connections to Microsoft Entra joined hosts will succeed but are restricted to
entering user name and password credentials when connecting to session hosts.
Default value: 0
Applies to:
Azure Virtual Desktop. For more information, see Microsoft Entra joined session
hosts in Azure Virtual Desktop.

username

Syntax: username:s:<value>
Description: Specifies the name of the user account that will be used to sign in to
the remote computer.
Supported values:
Any valid username.
Default value: None.
Applies to:
Remote Desktop Services

Session behavior
Here are the RDP properties that you can use to configure session behavior.

autoreconnection enabled

Syntax: autoreconnection enabled:i:<value>
Description: Determines whether the local device will automatically try to
reconnect to the remote computer if the connection is dropped, such as when
there's a network connectivity interruption.
Supported values:
0 : The local device doesn't automatically try to reconnect.
1 : The local device automatically tries to reconnect.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
bandwidthautodetect

Syntax: bandwidthautodetect:i:<value>
Description: Determines whether or not to use automatic network bandwidth
detection.
Supported values:
0 : Don't use automatic network bandwidth detection.
1 : Use automatic network bandwidth detection.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

compression

Syntax: compression:i:<value>
Description: Determines whether bulk compression is enabled when transmitting
data to the local device.
Supported values:
0 : Disable bulk compression.
1 : Enable RDP bulk compression.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

networkautodetect

Syntax: networkautodetect:i:<value>
Description: Determines whether automatic network type detection is enabled.
Supported values:
0 : Disable automatic network type detection.
1 : Enable automatic network type detection.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

videoplaybackmode

Syntax: videoplaybackmode:i:<value>
Description: Determines whether the connection will use RDP-efficient multimedia
streaming for video playback.
Supported values:
0 : Don't use RDP-efficient multimedia streaming for video playback.
1 : Use RDP-efficient multimedia streaming for video playback when possible.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

Device redirection
Here are the RDP properties that you can use to configure device redirection. To learn
more, see Redirection over the Remote Desktop Protocol.

audiocapturemode

Syntax: audiocapturemode:i:<value>
Description: Indicates whether audio input redirection is enabled.
Supported values:
0 : Disable audio capture from a local device.
1 : Enable audio capture from a local device and redirect it to a remote session.

Default value: 0
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure audio and video redirection over the
Remote Desktop Protocol.

audiomode

Syntax: audiomode:i:<value>
Description: Determines whether the local or remote machine plays audio.
Supported values:
0 : Play sounds on the local device.
1 : Play sounds in a remote session.

2 : Don't play sounds.

Default value: 0
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure audio and video redirection over the
Remote Desktop Protocol.

camerastoredirect

Syntax: camerastoredirect:s:<value>
Description: Configures which cameras to redirect. This setting uses a semicolon-
delimited list of KSCATEGORY_VIDEO_CAMERA interfaces of cameras enabled for
redirection.
Supported values:
* : Redirect all cameras.
\\?\usb#vid_0bda&pid_58b0&mi : Specifies a list of cameras by device instance
path, such as this example.
- : Exclude a specific camera by prepending the symbolic link string.
Default value: None.


Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure camera, webcam, and video capture
redirection over the Remote Desktop Protocol.

devicestoredirect

Syntax: devicestoredirect:s:<value>
Description: Determines which peripherals that use the Media Transfer Protocol
(MTP) or Picture Transfer Protocol (PTP), such as a digital camera, are redirected
from a local Windows device to a remote session.
Supported values:
* : Redirect all supported devices, including ones that are connected later.
\\?\usb#vid_0bda&pid_58b0&mi : Specifies a list of MTP or PTP peripherals by
device instance path, such as this example.
DynamicDevices : Redirect all supported devices that are connected later.

Default value: *
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure Media Transfer Protocol and Picture
Transfer Protocol redirection on Windows over the Remote Desktop Protocol.

drivestoredirect

Syntax: drivestoredirect:s:<value>
Description: Determines which fixed, removable, and network drives on the local
device will be redirected and available in a remote session.
Supported values:
Empty: Don't redirect any drives.
* : Redirect all drives, including drives that are connected later.
DynamicDrives : Redirect any drives that are connected later.
drivestoredirect:s:C:\;E:\; : Redirect the specified drive letters for one or
more drives, such as this example.

Default value: *
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure fixed, removable, and network drive
redirection over the Remote Desktop Protocol.

encode redirected video capture

Syntax: encode redirected video capture:i:<value>
Description: Enables or disables encoding of redirected video.
Supported values:
0 : Disable encoding of redirected video.
1 : Enable encoding of redirected video.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure camera, webcam, and video capture
redirection over the Remote Desktop Protocol.

keyboardhook

Syntax: keyboardhook:i:<value>
Description: Determines whether Windows key combinations (Windows, Alt+Tab)
are applied to a remote session.
Supported values:
0 : Windows key combinations are applied on the local device.
1 : (Desktop sessions only) Windows key combinations are applied on the
remote computer when in focus.
2 : (Desktop sessions only) Windows key combinations are applied on the
remote computer in full screen mode only.
3 : (RemoteApp sessions only) Windows key combinations are applied on the
RemoteApp when in focus. We recommend you use this value only when
publishing the Remote Desktop Connection app ( mstsc.exe ) from the host pool
on Azure Virtual Desktop. This value is only supported when using the Windows
client.

Default value: 2
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

redirectclipboard

Syntax: redirectclipboard:i:<value>
Description: Determines whether to redirect the clipboard.
Supported values:
0 : Clipboard on local device isn't available in remote session.
1 : Clipboard on local device is available in remote session.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure clipboard redirection over the Remote
Desktop Protocol.

redirectcomports

Syntax: redirectcomports:i:<value>
Description: Determines whether serial or COM ports on the local device are
redirected to a remote session.
Supported values:
0 : Serial or COM ports on the local device aren't available in a remote session.
1 : Serial or COM ports on the local device are available in a remote session.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure serial or COM port redirection over the
Remote Desktop Protocol.

redirected video capture encoding quality

Syntax: redirected video capture encoding quality:i:<value>
Description: Controls the quality of encoded video.
Supported values:
0 : High compression video. Quality may suffer when there's a lot of motion.
1 : Medium compression.
2 : Low compression video with high picture quality.

Default value: 0
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure camera, webcam, and video capture
redirection over the Remote Desktop Protocol.

redirectlocation

Syntax: redirectlocation:i:<value>
Description: Determines whether the location of the local device is redirected to a
remote session.
Supported values:
0 : A remote session uses the location of the remote computer or virtual
machine.
1 : A remote session uses the location of the local device.

Default value: 0
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure location redirection over the Remote
Desktop Protocol.

redirectprinters

Syntax: redirectprinters:i:<value>
Description: Determines whether printers available on the local device are
redirected to a remote session.
Supported values:
0 : The printers on the local device aren't redirected to a remote session.
1 : The printers on the local device are redirected to a remote session.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure printer redirection over the Remote
Desktop Protocol.

redirectsmartcards

Syntax: redirectsmartcards:i:<value>
Description: Determines whether smart card devices on the local device will be
redirected and available in a remote session.
Supported values:
0 : Smart cards on the local device aren't redirected to a remote session.
1 : Smart cards on the local device are redirected to a remote session.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure smart card redirection over the Remote
Desktop Protocol.

redirectwebauthn

Syntax: redirectwebauthn:i:<value>
Description: Determines whether WebAuthn requests from a remote session are
redirected to the local device allowing the use of local authenticators (such as
Windows Hello for Business and security keys).
Supported values:
0 : WebAuthn requests from a remote session aren't sent to the local device for
authentication and must be completed in the remote session.
1 : WebAuthn requests from a remote session are sent to the local device for
authentication.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure WebAuthn redirection over the Remote
Desktop Protocol.

usbdevicestoredirect

Syntax: usbdevicestoredirect:s:<value>
Description: Determines which supported USB devices on the client computer are
redirected using opaque low-level redirection to a remote session.
Supported values:
* : Redirect all USB devices that aren't already redirected by high-level
redirection.
{*Device Setup Class GUID*} : Redirect all devices that are members of the
specified device setup class.
*USBInstanceID* : Redirect a specific USB device identified by the instance ID.

Default value: *
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

To learn how to use this property, see Configure USB redirection on Windows over the
Remote Desktop Protocol.
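
Most of the redirection properties above default to on, which matters when reviewing a connection file: an .rdp file that says nothing about drives, the clipboard, printers or USB still redirects all of them. The following Python example is added here and is not code from Microsoft's documentation or clients. It parses `name:type:value` lines, applies the documented defaults to report which redirection channels a file effectively enables, and writes a hardened copy in which every channel outside an allow-list is explicitly switched off. The sample file and the allow-list are constructed for the example; treating an empty list as "redirect nothing" is documented for drivestoredirect and is an assumption for the other list-valued properties.

```python
"""Review the device-redirection channels an .rdp connection file enables.

Added example, not code from Microsoft's documentation or clients. Property
names, i/s type tags and defaults are those documented above; the sample file
and allow-list are constructed. Treating an empty list as "redirect nothing"
is documented for drivestoredirect and assumed for the other list properties.
"""
from __future__ import annotations

from typing import NamedTuple


class Prop(NamedTuple):
    typ: str    # documented type tag: "i" (integer) or "s" (string)
    value: str  # kept verbatim; may contain ':' or '\' (paths, drive lists)


# Documented defaults. A property absent from the file takes its default, so a
# minimal .rdp file still redirects drives, clipboard, COM ports, printers,
# smart cards, WebAuthn, MTP/PTP devices and USB devices.
REDIRECTION_DEFAULTS: dict[str, Prop] = {
    "audiocapturemode": Prop("i", "0"),
    "camerastoredirect": Prop("s", ""),  # documented default: None
    "devicestoredirect": Prop("s", "*"),
    "drivestoredirect": Prop("s", "*"),
    "redirectclipboard": Prop("i", "1"),
    "redirectcomports": Prop("i", "1"),
    "redirectlocation": Prop("i", "0"),
    "redirectprinters": Prop("i", "1"),
    "redirectsmartcards": Prop("i", "1"),
    "redirectwebauthn": Prop("i", "1"),
    "usbdevicestoredirect": Prop("s", "*"),
}


def parse_rdp(text: str) -> dict[str, Prop]:
    """Parse `name:type:value` lines into {name: Prop}.

    Names may contain spaces (`use multimon`) and string values may contain
    colons (`full address:s:mypc:3389`), so each line is split on at most two
    colons. Only the documented tags `i` and `s` are accepted, and an `i`
    value must be an integer; anything else is an error rather than a guess.
    """
    props: dict[str, Prop] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("i", "s"):
            raise ValueError(f"line {lineno}: expected name:type:value, got {raw!r}")
        name, typ, value = parts
        if typ == "i" and not value.isdigit():
            raise ValueError(f"line {lineno}: {name!r} is tagged i but value is {value!r}")
        props[name.strip().lower()] = Prop(typ, value)
    return props


def enabled_redirections(props: dict[str, Prop]) -> dict[str, str]:
    """Channels the file effectively turns on, defaults applied: {name: value}.

    List-valued (s) properties are on when non-empty; flag (i) properties are
    on when set to 1.
    """
    enabled: dict[str, str] = {}
    for name, default in REDIRECTION_DEFAULTS.items():
        value = props.get(name, default).value
        on = value != "" if default.typ == "s" else value == "1"
        if on:
            enabled[name] = value
    return enabled


def harden(props: dict[str, Prop], allow: frozenset[str] = frozenset()) -> dict[str, Prop]:
    """Copy of `props` with every redirection channel not in `allow` switched off.

    Each channel is written explicitly, even where the default is already off,
    so the file no longer depends on client defaults.
    """
    hardened = dict(props)
    for name, default in REDIRECTION_DEFAULTS.items():
        if name not in allow:
            hardened[name] = Prop("s", "") if default.typ == "s" else Prop("i", "0")
    return hardened


def to_rdp(props: dict[str, Prop]) -> str:
    """Serialise back to .rdp syntax, keeping each property's type tag."""
    return "".join(f"{name}:{p.typ}:{p.value}\n" for name, p in props.items())


# Constructed sample: sets a few properties and inherits the rest as defaults.
SAMPLE_RDP = r"""full address:s:mypc:3389
username:s:CONTOSO\alice
redirectclipboard:i:1
drivestoredirect:s:C:\;E:\;
audiomode:i:2
"""

if __name__ == "__main__":
    props = parse_rdp(SAMPLE_RDP)
    print("enabled as written:", sorted(enabled_redirections(props)))
    locked = harden(props, allow=frozenset({"redirectclipboard", "redirectsmartcards"}))
    print("enabled after harden:", sorted(enabled_redirections(locked)))
    print(to_rdp(locked), end="")
```

Run as a script, it first lists the eight channels the sample file enables (only two of which the file mentions) and then the two left on after hardening. Writing every channel explicitly, rather than leaving it to defaults, also keeps the file's behaviour stable across clients whose defaults differ.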

Display settings
Here are the RDP properties that you can use to configure display settings.

desktop size id

Syntax: desktop size id:i:<value>
Description: Specifies the dimensions of a remote session desktop from a set of
predefined options. This setting is overridden if desktopheight and desktopwidth
are specified.
Supported values:
0 : 640×480
1 : 800×600
2 : 1024×768
3 : 1280×1024
4 : 1600×1200

Default value: None. Match the local device.
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

desktopheight

Syntax: desktopheight:i:<value>
Description: Specifies the resolution height (in pixels) of a remote session.
Supported values:
Numerical value between 200 and 8192 .
Default value: None. Match the local device.
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

desktopscalefactor

Syntax: desktopscalefactor:i:<value>
Description: Specifies the scale factor of the remote session to make the content
appear larger.
Supported values:
Numerical value from the following list: 100 , 125 , 150 , 175 , 200 , 250 , 300 , 400 ,
500

Default value: None. Match the local device.
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

Note

The desktopscalefactor property is being deprecated and will soon be unavailable.

desktopwidth

Syntax: desktopwidth:i:<value>
Description: Specifies the resolution width (in pixels) of a remote session.
Supported values:
Numerical value between 200 and 8192 .
Default value: None. Match the local device.
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

dynamic resolution

Syntax: dynamic resolution:i:<value>
Description: Determines whether the resolution of a remote session is
automatically updated when the local window is resized.
Supported values:
0 : Session resolution remains static during the session.
1 : Session resolution updates as the local window resizes.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

maximizetocurrentdisplays

Syntax: maximizetocurrentdisplays:i:<value>
Description: Determines which display a remote session uses for full screen on
when maximizing. Requires use multimon set to 1 . Only available on Windows
App for Windows and the Remote Desktop app for Windows.
Supported values:
0 : Session is full screen on the displays initially selected when maximizing.
1 : Session is dynamically full screen on the displays the session window spans
when maximizing.

Default value: 0
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

screen mode id

Syntax: screen mode id:i:<value>
Description: Determines whether a remote session window appears full screen
when you launch the connection.
Supported values:
1 : A remote session appears in a window.
2 : A remote session appears full screen.

Default value: 2
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

selectedmonitors

Syntax: selectedmonitors:s:<value>
Description: Specifies which local displays to use in a remote session. The selected
displays must be contiguous. Requires use multimon set to 1 . Only available on
Windows App for Windows, the Remote Desktop app for Windows, and the inbox
Remote Desktop Connection app on Windows.
Supported values:
A comma separated list of machine-specific display IDs. You can retrieve
available IDs by running mstsc.exe /l from the command line. The first ID listed
is set as the primary display in a remote session.
Default value: None. All displays are used.
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

singlemoninwindowedmode

Syntax: singlemoninwindowedmode:i:<value>
Description: Determines whether a multi display remote session automatically
switches to single display when exiting full screen. Requires use multimon set to 1.
Only available on Windows App for Windows and the Remote Desktop app for
Windows.
Supported values:
0 : A remote session retains all displays when exiting full screen.
1 : A remote session switches to a single display when exiting full screen.

Default value: 0
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

smart sizing

Syntax: smart sizing:i:<value>
Description: Determines whether the local device scales the content of the remote
session to fit the window size.
Supported values:
0 : The local window content doesn't scale when resized.
1 : The local window content does scale when resized.

Default value: 0
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

use multimon

Syntax: use multimon:i:<value>
Description: Determines whether the remote session will use one or multiple
displays from the local device.
Supported values:
0 : A remote session uses a single display.
1 : A remote session uses multiple displays.

Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections

RemoteApp
Here are the RDP properties that you can use to configure RemoteApp behavior for
Remote Desktop Services.

remoteapplicationcmdline

Syntax: remoteapplicationcmdline:s:<value>
Description: Optional command line parameters for the RemoteApp.
Supported values:
Valid command-line parameters for the application.
Default value: None.
Applies to:
Remote Desktop Services

remoteapplicationexpandcmdline

Syntax: remoteapplicationexpandcmdline:i:<value>
Description: Determines whether environment variables contained in the
RemoteApp command line parameters should be expanded locally or remotely.
Supported values:
0 : Environment variables should be expanded to the values of the local device.
1 : Environment variables should be expanded to the values of the remote
session.

Default value: 1
Applies to:
Remote Desktop Services

remoteapplicationexpandworkingdir

Syntax: remoteapplicationexpandworkingdir:i:<value>
Description: Determines whether environment variables contained in the
RemoteApp working directory parameter should be expanded locally or remotely.
Supported values:
0 : Environment variables should be expanded to the values of the local device.
1 : Environment variables should be expanded to the values of the remote
session.
The RemoteApp working directory is specified through the shell working
directory parameter.

Default value: 1
Applies to:
Remote Desktop Services

remoteapplicationfile

Syntax: remoteapplicationfile:s:<value>
Description: Specifies a file to be opened in the remote session by the RemoteApp.
For local files to be opened, you must also enable drive redirection for the source
drive.
Supported values:
A valid file path in the remote session.
Default value: None.
Applies to:
Remote Desktop Services

remoteapplicationicon

Syntax: remoteapplicationicon:s:<value>
Description: Specifies the icon file to be displayed in Windows App or the Remote
Desktop app while launching a RemoteApp. If no file name is specified, the client
will use the standard Remote Desktop icon. Only .ico files are supported.
Supported values:
A valid file path to an .ico file.
Default value: None.
Applies to:
Remote Desktop Services

remoteapplicationmode

Syntax: remoteapplicationmode:i:<value>
Description: Determines whether a connection is started as a RemoteApp session.
Supported values:
0 : Don't launch a RemoteApp session.
1 : Launch a RemoteApp session.

Default value: 1
Applies to:
Remote Desktop Services

remoteapplicationname

Syntax: remoteapplicationname:s:<value>
Description: Specifies the name of the RemoteApp in Windows App or the Remote
Desktop app while starting the RemoteApp.
Supported values:
A valid application display name, for example Microsoft Excel .
Default value: None.
Applies to:
Remote Desktop Services

remoteapplicationprogram

Syntax: remoteapplicationprogram:s:<value>
Description: Specifies the alias or executable name of the RemoteApp.
Supported values:
A valid application name or alias, for example EXCEL .
Default value: None.
Applies to:
Remote Desktop Services

Remote Desktop URI scheme
Article • 11/01/2024
Applies to: Windows Server 2025, Windows Server 2022, Windows Server 2019,
Windows Server 2016, Windows 11, Windows 10

This document defines the format of Uniform Resource Identifiers (URIs) for Remote
Desktop. These URI schemes allow for Remote Desktop clients to be invoked with
various commands.

ms-rd URI scheme

Note

The ms-rd URI scheme is currently only supported with the Windows Desktop client
(MSRDC).

The ms-rd URI provides the option to specify a command for the client and a set of
parameters specific to the command using the following format:

ms-rd:command?parameters

Parameters uses the query string format of key=value pair separated by & to provide
additional information for the given command:

param1=value1&param2=value2&…

Commands and parameters

Here is the list of currently supported commands and their corresponding parameters.

Using ms-rd: without any commands launches the client.

Subscribe

This command launches the client and starts the subscription process.
Command name: subscribe

Command parameters:

Parameter   Description                    Values
url         Specifies the Workspace URL.   A valid URL, such as https://contoso.com

Example: ms-rd:subscribe?url=https://contoso.com

Legacy rdp URI scheme

Note

The following URI scheme is only supported with the clients for macOS, iOS, and
Android devices. It is being replaced by the new ms-rd URI above.

Microsoft Remote Desktop uses the URI scheme rdp://query_string to store
preconfigured attribute settings that are used when launching the client. The query
strings represent a single or set of RDP attributes provided in the URL.

The RDP attributes are separated by the ampersand symbol (&). For example, when
connecting to a PC, the string is:

rdp://full%20address=s:mypc:3389&audiomode=i:2&disable%20themes=i:1

This table gives a complete list of supported attributes that may be used with the iOS,
Mac, and Android Remote Desktop clients. (An "x" in the platform column indicates the
attribute is supported. The values denoted by chevrons (<>) represent the values that
are supported by the Remote Desktop clients.)

RDP attribute Android Mac iOS

allow desktop composition=i:<0 or 1> x x x

allow font smoothing=i:<0 or 1> x x x

alternate shell=s:<string> x x x

audiomode=i:<0, 1, or 2> x x x

authentication level=i:<0 or 1> x x x

connect to console=i:<0 or 1> x x x

disable cursor settings=i:<0 or 1> x x x

disable full window drag=i:<0 or 1> x x x

disable menu anims=i:<0 or 1> x x x

disable themes=i:<0 or 1> x x x

disable wallpaper=i:<0 or 1> x x x

drivestoredirect=s:* (this is the only supported value) x x

desktopheight=i:<value in pixels> x

desktopwidth=i:<value in pixels> x

domain=s:<string> x x x

full address=s:<string> x x x

gatewayhostname=s:<string> x x x

gatewayusagemethod=i:<1 or 2> x x x

prompt for credentials on client=i:<0 or 1> x

loadbalanceinfo=s:<string> x x x

redirectprinters=i:<0 or 1> x

remoteapplicationcmdline=s:<string> x x x

remoteapplicationmode=i:<0 or 1> x x x

remoteapplicationprogram=s:<string> x x x

shell working directory=s:<string> x x x

Use redirection server name=i:<0 or 1> x x x

username=s:<string> x x x

screen mode id=i:<1 or 2> x

session bpp=i:<8, 15, 16, 24, or 32> x

use multimon=i:<0 or 1> x
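
To make the two URI formats concrete, here is an added Python example; it is not code from Microsoft's documentation or clients. It splits an ms-rd: URI into its command and query parameters, parses the legacy rdp:// query string into typed attributes, validates those attributes against the names and value ranges in the table above (the per-platform columns are left out), and rebuilds the URI with the same percent-encoding as the page's example. The sample URIs are constructed for the example.

```python
"""Parse, validate and rebuild the ms-rd: and legacy rdp:// URIs described above.

Added example, not code from Microsoft's documentation or clients. The two URI
formats, the attribute names and the accepted values follow the page; the
per-platform columns of the table are omitted and the sample URIs are
constructed for this example.
"""
from __future__ import annotations

from urllib.parse import parse_qsl, quote, unquote

# Legacy rdp:// attributes from the table above: (type tag, accepted values).
# None means any string, or any integer for an "i" attribute.
FLAG = {"0", "1"}
LEGACY_ATTRIBUTES: dict[str, tuple[str, set[str] | None]] = {
    "allow desktop composition": ("i", FLAG), "allow font smoothing": ("i", FLAG),
    "alternate shell": ("s", None), "audiomode": ("i", {"0", "1", "2"}),
    "authentication level": ("i", FLAG), "connect to console": ("i", FLAG),
    "disable cursor settings": ("i", FLAG), "disable full window drag": ("i", FLAG),
    "disable menu anims": ("i", FLAG), "disable themes": ("i", FLAG),
    "disable wallpaper": ("i", FLAG), "drivestoredirect": ("s", {"*"}),
    "desktopheight": ("i", None), "desktopwidth": ("i", None),
    "domain": ("s", None), "full address": ("s", None),
    "gatewayhostname": ("s", None), "gatewayusagemethod": ("i", {"1", "2"}),
    "prompt for credentials on client": ("i", FLAG), "loadbalanceinfo": ("s", None),
    "redirectprinters": ("i", FLAG), "remoteapplicationcmdline": ("s", None),
    "remoteapplicationmode": ("i", FLAG), "remoteapplicationprogram": ("s", None),
    "shell working directory": ("s", None), "use redirection server name": ("i", FLAG),
    "username": ("s", None), "screen mode id": ("i", {"1", "2"}),
    "session bpp": ("i", {"8", "15", "16", "24", "32"}), "use multimon": ("i", FLAG),
}


def parse_ms_rd(uri: str) -> tuple[str, dict[str, str]]:
    """Split `ms-rd:command?k=v&k2=v2` into (command, params).

    `ms-rd:` with no command yields an empty command, which per the page just
    launches the client.
    """
    if not uri.lower().startswith("ms-rd:"):
        raise ValueError(f"not an ms-rd: URI: {uri!r}")
    command, _, query = uri[len("ms-rd:"):].partition("?")
    return command.lower(), dict(parse_qsl(query, keep_blank_values=True))


def parse_legacy_rdp(uri: str) -> dict[str, tuple[str, str]]:
    """Split `rdp://name=type:value&...` into {name: (type, value)}.

    Names are percent-decoded (spaces arrive as %20); values are decoded too
    and may contain further colons (`full address=s:mypc:3389`).
    """
    if not uri.lower().startswith("rdp://"):
        raise ValueError(f"not an rdp:// URI: {uri!r}")
    attrs: dict[str, tuple[str, str]] = {}
    for item in uri[len("rdp://"):].split("&"):
        if not item:
            continue
        name, eq, typed = item.partition("=")
        typ, colon, value = typed.partition(":")
        if not (eq and colon):
            raise ValueError(f"malformed attribute {item!r}: expected name=type:value")
        attrs[unquote(name).lower()] = (typ, unquote(value))
    return attrs


def validate_legacy(attrs: dict[str, tuple[str, str]]) -> list[str]:
    """Return one message per attribute the table above does not allow."""
    issues: list[str] = []
    for name, (typ, value) in attrs.items():
        spec = LEGACY_ATTRIBUTES.get(name)
        if spec is None:
            issues.append(f"{name}: not a supported rdp:// attribute")
            continue
        want_typ, allowed = spec
        if typ != want_typ:
            issues.append(f"{name}: type tag {typ!r}, expected {want_typ!r}")
        elif allowed is not None and value not in allowed:
            issues.append(f"{name}: value {value!r} not in {sorted(allowed)}")
        elif want_typ == "i" and not value.isdigit():
            issues.append(f"{name}: value {value!r} is not an integer")
    return issues


def build_legacy_rdp(attrs: dict[str, tuple[str, str]]) -> str:
    """Inverse of parse_legacy_rdp: percent-encode names and values, leaving
    ':' in values unencoded as in the page's `mypc:3389` example."""
    parts = [f"{quote(name, safe='')}={typ}:{quote(value, safe=':')}"
             for name, (typ, value) in attrs.items()]
    return "rdp://" + "&".join(parts)


if __name__ == "__main__":
    # Constructed sample URIs, the second deliberately out of range.
    print(parse_ms_rd("ms-rd:subscribe?url=https://contoso.com"))
    good = parse_legacy_rdp("rdp://full%20address=s:mypc:3389&audiomode=i:2&disable%20themes=i:1")
    print(good, validate_legacy(good), build_legacy_rdp(good))
    bad = parse_legacy_rdp("rdp://audiomode=i:7&drivestoredirect=s:C:%5C&bogus=i:1")
    print(validate_legacy(bad))
```

Building the URI from a dictionary rather than by string concatenation keeps the percent-encoding of attribute names with spaces consistent, and validating before use catches a value outside the documented range (for example audiomode=i:7, or any drivestoredirect value other than *) before the link is handed to a client.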

Frequently asked questions about the Remote Desktop clients
FAQ

Now that you've set up the Remote Desktop client on your device (Android, Mac, iOS, or
Windows), you may have questions. Here are answers to the most commonly asked
questions about the Remote Desktop clients.

Setting up
Connections, gateway, and networks
Web client
Monitors, audio, and mouse
Mac hardware
Specific error messages

The majority of these questions apply to all of the clients, but there are a few client
specific items.

If you have additional questions that you'd like us to answer, leave them as feedback on
this article.

Setting up
Which PCs can I connect to?
Check out the supported configuration article for information about what PCs you can
connect to.

How do I set up a PC for Remote Desktop?

I have my device set up, but I don't think the PC's ready. Help?

First, have you seen the Remote Desktop Setup Wizard? It walks you through getting
your PC ready for remote access. Download and run that tool on your PC to get
everything set.

Otherwise, if you prefer to do things manually, read on.

For Windows 10, do the following:


1. On the device you want to connect to, open Settings.
2. Select System and then Remote Desktop.
3. Use the slider to enable Remote Desktop.
4. In general, it's best to keep the PC awake and discoverable to facilitate
connections. Click Show settings to go to the power settings for your PC, where
you can change this setting.

Note

You can't connect to a PC that's asleep or hibernating, so make sure the
settings for sleep and hibernation on the remote PC are set to Never.
(Hibernation isn't available on all PCs.)

Make note of the name of this PC under How to connect to this PC. You'll need this to
configure the clients.

You can grant permission for specific users to access this PC - to do that, click Select
users that can remotely access this PC. Members of the Administrators group
automatically have access.

For Windows 8.1, follow the instructions to allow remote connections in Connect to
another desktop using Remote Desktop Connections .

Connection, gateway, and networks

Why can't I connect using Remote Desktop?
Here are some possible solutions to common problems you might encounter when
trying to connect to a remote PC. If these solutions don't work, you can find more help
on the Microsoft Community website .

The remote PC can't be found. Make sure you have the right PC name, and then
check to see if you entered that name correctly. If you still can't connect, try using
the IP address of the remote PC instead of the PC name.

There's a problem with the network. Make sure you have an internet connection.

The Remote Desktop port might be blocked by a firewall. If you're using
Windows Firewall, follow these steps:

1. Open Windows Firewall.
2. Click Allow an app or feature through Windows Firewall.
3. Click Change settings. You might be asked for an admin password or to
confirm your choice.
4. Under Allowed apps and features, select Remote Desktop, and then tap or
click OK.

If you're using a different firewall, make sure the port for Remote Desktop
(usually 3389) is open.

Remote connections might not be set up on the remote PC. To fix this, scroll back
up to How do I set up a PC for Remote Desktop? question in this topic.

The remote PC might only allow PCs to connect that have Network Level
Authentication set up.

The remote PC might be turned off. You can't connect to a PC that's turned off,
asleep, or hibernating, so make sure the settings for sleep and hibernation on the
remote PC are set to Never (hibernation isn't available on all PCs.).

Why can't I find or connect to my PC?

Check the following:

Is the PC on and awake?

Did you enter the right name or IP address?

Important

Using the PC name requires your network to resolve the name correctly
through DNS. In many home networks, you have to use the IP address instead
of the host name to connect.

Is the PC on a different network? Did you configure the PC to let outside
connections through? Check out Allow access to your PC from outside your
network for help.

Are you connecting to a supported Windows version?

Note

Windows XP Home, Windows Media Center Edition, Windows Vista Home and
Windows 7 Home or Starter aren't supported without 3rd party software.

Why can't I sign in to a remote PC?

If you can see the sign-in screen of the remote PC but you can't sign in, you might not
have been added to the Remote Desktop Users Group or to any group with
administrator rights on the remote PC. Ask your system admin to do this for you.

Which connection methods are supported for company networks?

If you want to access your office desktop from outside your company network, your
company must provide you with a means of remote access. The RD Client currently
supports the following:

Terminal Server Gateway or Remote Desktop Gateway
Remote Desktop Web Access
VPN (through iOS built-in VPN options)

VPN doesn't work

VPN issues can have several causes. The first step is to verify that the VPN works on the
same network as your PC or Mac computer. If you can't test with a PC or Mac, you can
try to access a company intranet web page with your device's browser.

Other things to check:

The 3G network blocks or corrupts VPN. There are several 3G providers in the
world who seem to block or corrupt 3G traffic. Verify VPN connectivity works
correctly for over a minute.
L2TP or PPTP VPNs. If you're using L2TP or PPTP in your VPN, please set Send All
Traffic to ON in the VPN configuration.
VPN is misconfigured. A misconfigured VPN server can be the reason why the
VPN connections never worked or stopped working after some time. Ensure
testing with the iOS device's web browser or a PC or Mac on the same network if
this happens.

How can I test if VPN is working properly?

Verify that VPN is enabled on your device. You can test your VPN connection by going
to a webpage on your internal network or using a web service which is only available via
the VPN.

How do I configure L2TP or PPTP VPN connections?

If you're using L2TP or PPTP in your VPN, make sure to set Send all traffic to ON in the
VPN configuration.

Web client
Which browsers can I use?
The web client supports Microsoft Edge, Mozilla Firefox (v55.0 and later), Safari, and
Google Chrome.

What PCs can I use to access the web client?

The web client supports Windows, macOS, Linux, and ChromeOS. Mobile devices aren't
supported at this time.

Can I use the web client in a Remote Desktop deployment without a gateway?

No. The client requires a Remote Desktop Gateway to connect. Don't know what that
means? Ask your admin about it.

Does the Remote Desktop web client replace the Remote Desktop Web Access page?

No. The Remote Desktop web client is hosted at a different URL than the Remote
Desktop Web Access page. You can use either the web client or the Web Access page to
view the remote resources in a browser.

Can I embed the web client in another web page?

This feature isn't supported at the moment.

Monitors, audio, and mouse

How do I use all of my monitors?
To use two or more screens, do the following:

1. Right-click the remote desktop that you want to enable multiple screens for, and
then click Edit.
2. Enable Use all monitors and Full screen.

Is bi-directional sound supported?

Bi-directional sound can be configured in the Windows client on a per-connection basis.
The relevant settings can be accessed in the Remote audio section of the Local
Resources options tab.

What can I do if the sound won't play?

Sign out of the session (don't just disconnect, sign all the way out), and then sign in
again.

Mac client - hardware questions

Is retina resolution supported?
Yes, the remote desktop client supports retina resolution.

How do I enable secondary right-click?

In order to make use of the right-click inside an open session you have three options:

Standard PC two button USB mouse
Apple Magic Mouse: To enable right-click, click System Preferences in the dock,
click Mouse, and then enable Secondary click.
Apple Magic Trackpad or MacBook Trackpad: To enable right-click, click System
Preferences in the dock, click Trackpad, and then enable Secondary click.

Is AirPrint supported?
No, the Remote Desktop client doesn't support AirPrint. (This is true for both Mac and
iOS clients.)

Why do incorrect characters appear in the session?

If you're using an international keyboard, you might see an issue where the characters
that appear in the session don't match the characters you typed on the Mac keyboard.

This can occur in the following scenarios:

You're using a keyboard that the remote session doesn't recognize. When Remote
Desktop doesn't recognize the keyboard, it defaults to the language last used with
the remote PC.
You're connecting to a previously disconnected session on a remote PC and that
remote PC uses a different keyboard language than the language you're currently
trying to use.

You can fix this issue by manually setting the keyboard language for the remote session.
See the steps in the next section.

How do language settings affect keyboards in a remote session?

There are many types of Mac keyboard layouts. Some of these are Mac specific layouts
or custom layouts for which an exact match may not be available on the version of
Windows you're remoting into. The remote session maps your keyboard to the best
matching keyboard language available on the remote PC.

If your Mac keyboard layout is set to the PC version of the language keyboard (for
example, French – PC) all your keys should be mapped correctly and your keyboard
should just work.

If your Mac keyboard layout is set to the Mac version of a keyboard (for example,
French) the remote session will map you to the PC version of the French language. Some
of the Mac keyboard shortcuts you're used to using on OSX won't work in the remote
Windows session.

If your keyboard layout is set to a variation of a language (for example,
Canadian-French) and if the remote session cannot map you to that exact
variation, the remote
session will map you to the closest language (for example, French). Some of the Mac
keyboard shortcuts you're used to using on OSX won't work in the remote Windows
session.

If your keyboard layout is set to a layout the remote session cannot match at all, your
remote session will default to give you the language you last used with that PC. In this
case, or in cases where you need to change the language of your remote session to
match your Mac keyboard, you can manually set the keyboard language in the remote
session to the language that is the closest match to the one you wish to use as follows.

Use the following instructions to change the keyboard layout inside the remote desktop
session:

On Windows 10 or Windows 8:

1. From inside the remote session, open Region and Language. Click Start > Settings
> Time and Language. Open Region and Language.
2. Add the language you want to use. Then close the Region and Language window.
3. Now, in the remote session, you'll see the ability to switch between languages. (In
the right side of the remote session, near the clock.) Click the language you want
to switch to (such as Eng).

You might need to close and restart the application you're currently using for the
keyboard changes to take effect.

Specific errors
Why do I get an "Insufficient privileges" error?
You aren't allowed to access the session you want to connect to. The most likely cause is
that you're trying to connect to an admin session. Only administrators are allowed to
connect to the console. Verify that the console switch is off in the advanced settings of
the remote desktop. If this isn't the source of the problem, please contact your system
administrator for further assistance.

Why does the client say that there's no CAL?

When a remote desktop client connects to a Remote Desktop server, the server issues a
Remote Desktop Services Client Access License (RDS CAL) stored by the client.
Whenever the client connects again it will use its RDS CAL and the server won't issue
another license. The server will issue another license if the RDS CAL on the device is
missing or corrupt. When the maximum number of licensed devices is reached the
server won't issue new RDS CALs. Contact your network administrator for assistance.

Why did I get an "Access Denied" error?

The "Access Denied" error is generated by the Remote Desktop Gateway and is the
result of incorrect credentials during the connection attempt. Verify your username and
password. If the connection worked before and the error occurred recently, you possibly
changed your Windows user account password and haven't updated it yet in the remote
desktop settings.

What does the "Failed to parse NTLM challenge" error mean?

This error is caused by a misconfiguration on the remote PC. Make sure the RDP security
level setting on the remote PC is set to "Client Compatible." (Talk to your system admin
if you need help doing this.)

What does "TS_RAP You are not allowed to connect to the given host" mean?
This error happens when a Resource Authorization Policy on the gateway server stops
your user name from connecting to the remote PC. This can happen in the following
instances:

The remote PC name is the same as the name of the gateway. Then, when you try
to connect to the remote PC, the connection goes to the gateway instead, which
you probably don't have permission to access. If you need to connect to the
gateway, don't use the external gateway name as PC name. Instead use "localhost"
or the IP address (127.0.0.1), or the internal server name.
Your user account isn't a member of the user group for remote access.

Privacy settings for managed apps and
desktops
Article • 11/01/2024 •
Applies to: ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019,
✅ Windows Server 2016, ✅ Windows 11, ✅ Windows 10

When accessing managed resources (apps or desktops) provided by your IT
administrator, the privacy settings for the remote system have been preconfigured by
your IT administrator. These settings may be different than the privacy settings on your
local system. If you have questions, contact your IT administrator.

Note

Using managed resources in regions other than the United States may result in
data transfer to the United States.

These are some of the Windows 10 privacy settings you can configure in your managed
desktop:

Speech recognition
Find my device
Inking & typing
Advertising ID
Location
Diagnostic data
Tailored experiences

You can always review the information collected and sent to Microsoft by accessing your
Privacy Dashboard .

Learn more about privacy settings

If your IT administrator has provided you with a managed desktop, you can follow the
instructions in the next section to learn more about these settings and change any
settings not locked by your IT Administrator.

How to change privacy settings in Windows 10 remote desktops
To change privacy settings in a Windows 10 remote desktop:

1. From the remote desktop, select the Windows button on the taskbar or press the
Windows key on your keyboard to open the Start menu.
2. Select the gear icon to open Settings.
3. Search for the names of the configurable privacy settings listed earlier in this topic
to learn more about it.

Note

If your IT Administrator has configured the managed desktop to not retain user
configuration settings between connections, any changes you make to these
settings won't be saved.

Remote Desktop Web Access FAQ
FAQ

This article provides answers to some of the most common questions about Remote
Desktop Web Access (RD Web Access). The RD Web Access website enables you to use a
Web browser to access RemoteApp and Desktop Connections.

What should I do if I can't sign in?

If you enter an invalid user name or password, you see a message saying: "The user
name or password that you entered is not valid. Try typing it again." If your account is
locked because of too many incorrect sign in attempts, you see the same message.

Contact your Active Directory administrator to reset your password, and if needed,
unlock your account.

How do I reset my expired password?

If an administrator didn't enable password reset, you see a message saying: "Your
password is expired. Please contact your administrator for assistance." You need to
contact your Active Directory administrator to reset your password.

If an administrator enabled password reset, follow the link to change your expired
password. You need to enter your old password, then your new password, and confirm
the new password.

How does an administrator enable password reset?
Administrators can enable remote users to change their own password from within the
RD Web access interface if it's expired.

Important

This option isn't helpful for users who forgot their password since the old password
still needs to be entered before selecting a new password. For forgotten passwords,
you must contact your Active Directory administrator.

To set up password reset for Remote Desktop Web Access:

1. Open Server Manager on the server running RD Web Access.
2. In the menu under Tools, navigate to Internet Information Services (IIS) Manager.
3. Next, locate your server and navigate to Sites > Default Web Site > RDWeb >
Pages.
4. Select Application Settings from the menu. Then, select the setting
PasswordChangeEnabled and change the value to true.

Now, when users open the RD Web Access page and try to sign in using an expired
password, a link appears to reset the password.

When you open the password reset page there's a user interface where you enter your
current password, new password, and confirm the new password.

Note

If the remote server is running in Azure, you need to create an endpoint for public
port 443 in the Azure management portal so that users can access the RD Web
Access portal.

How do I change my password?

First, connect to your server using RemoteApp and Desktop Connections. To change
your password:

1. Enter Ctrl+Alt+Del.
2. Select Change a password.
3. Enter in the old password, then the new password, and confirm the new password.

Contact your administrator if you can't change your password, don't know the password
requirements, or you can't sign in.

What is RemoteApp and Desktop Connections?
RemoteApp and Desktop Connections gives you a customized view of RemoteApp
programs and virtual desktops that are available to you.

What is RemoteApp?
Using RemoteApp, you can access programs on a remote computer through Remote
Desktop Services. Although the programs are running on a remote computer,
RemoteApp programs behave as if they're running on your local computer. For example,
a RemoteApp program has its own entry in the taskbar, and you can resize, minimize, or
maximize the program window.

How do I start a RemoteApp program?

To start a RemoteApp program or Remote Desktop session, click the program icon in RD
Web Access. When you're prompted for user credentials, log on with your network user
name and password.

What are the public vs. private computer settings?
If you connect to the RD Web Access website from a public computer, such as a kiosk
computer in a public establishment, or from a computer that you share with other users,
click This is a public or shared computer. You need to provide both your user name and
password each time you sign in to the RD Web Access website.

If you're using a work computer assigned to you and that you don't share with other
people, click This is a private computer.

To protect against unauthorized access, RD Web Access sessions automatically end after
a period of inactivity. If your RD Web Access session ends, you need to sign in again.
The administrator sets how long a session lasts.

Cannot connect to RDS because no RD
Licensing servers are available
Article • 01/20/2025

This article helps you troubleshoot the "No licenses available" error in a deployment that
includes a Remote Desktop Session Host (RDSH) server and a Remote Desktop Licensing
server.

Symptoms
Clients cannot connect to Remote Desktop Services, and they display messages that
resemble the following:

Output

The remote session was disconnected because there are no Remote Desktop
License Servers available to provide a license.

Output

Access was denied because of a security error.

Sign in to the RD Session Host as a domain administrator and open the RD License
Diagnoser. Look for messages like the following:

Output

The grace period for the Remote Desktop Session Host server has expired, but
the RD Session Host server hasn't been configured with any license servers.
Connections to the RD Session Host server will be denied unless a license
server is configured for the RD Session Host server.

Output

License server <computer name> is not available. This could be caused by
network connectivity problems, the Remote Desktop Licensing service is
stopped on the license server, or RD Licensing isn't available.

Cause
These issues can be accompanied by the following user messages:

The remote session was disconnected because there are no Remote Desktop client
access licenses available for this computer.
The remote session was disconnected because there are no Remote Desktop
License Servers available to provide a license.

In this case, check the RD Licensing configuration.

If the RD License Diagnoser lists other problems, such as "The RDP protocol component
X.224 detected an error in the protocol stream and has disconnected the client," there
might be a problem that affects the license certificates. Such problems tend to be
associated with user messages, such as the following:

Because of a security error, the client could not connect to the Terminal server. After
making sure that you are signed in to the network, try connecting to the server again.

In this case, refresh the X509 Certificate registry keys.

Check the RD Licensing configuration

You can check the RD Licensing configuration by using Server Manager and RD
Licensing Manager. Verify the following:

The RD Licensing role is installed and the license server is activated.

Note

For more information about this configuration, see Activate the Remote
Desktop Services license server.

The license server has a client access license (CAL) for each user and device that
can connect to RDS.

Note

For more information about this configuration, see Install RDS client access
licenses on the Remote Desktop license server.

The configuration of the licenses should resemble the following screenshot. There
should be a green check mark beside the license server name, and the numbers in
the columns should reflect the numbers of total and available licenses.

The RDS deployment uses the correct license server, licensing mode, and policy
settings. The details of the configuration depend on the type of deployment that
you have:

    Configure licensing for an RDS deployment that includes the Remote Desktop
    Connection Broker (RD Connection Broker) role.

    Configure licensing for an RDS deployment that includes only the Remote
    Desktop Session Host (RD Session Host) role and the RD Licensing role.

Configure licensing for an RDS deployment that includes the RD Connection Broker role
1. On the RD Connection Broker computer, open Server Manager.

2. In Server Manager, select Remote Desktop Services > Overview > Edit
Deployment Properties > RD Licensing.

3. Select the Remote Desktop licensing mode (either Per User or Per Device, as
appropriate for your deployment).

Note

If you use domain-joined servers for your RDS deployment, you can use both
Per User and Per Device CALs. If you use workgroup servers for your RDS
deployment, you have to use Per Device CALs. In that case, Per User CALs are
not permitted.

4. Specify a license server, and then select Add.

Configure licensing for an RDS deployment that includes only the RD Session Host role and the RD Licensing role
1. On the RD Session Host computer, select Start, and then enter gpedit.msc to open
Local Group Policy Editor.

2. Go to Computer Configuration > Administrative Templates > Windows
Components > Remote Desktop Services > Remote Desktop Session Host >
Licensing.

3. In the policy list, right-click Use the specified Remote Desktop license servers, and
then select Properties.
4. Select Enabled, and then enter the name of the license server under License
servers to use. If you have more than one license server, use commas to separate
their names.

5. Select OK.

6. In the policy list, right-click Set the Remote Desktop licensing mode, and then
select Properties.

7. Select Enabled.

8. Under Specify the licensing mode for the Remote Desktop Session Host server,
select Per Device or Per User, as appropriate for your deployment.
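As an added example (not part of the Microsoft article), the following PowerShell applies the same two Local Group Policy settings by writing the registry values those policies control, then reads the effective licensing configuration back from the Terminal Services WMI provider. The license server name LICSRV01.contoso.local is a placeholder; run the script elevated on the RD Session Host.

```powershell
# Added example, not from the original article. Writes the values behind
# "Use the specified Remote Desktop license servers" and "Set the Remote Desktop
# licensing mode", then reads back what the RD Session Host is actually using.
# Assumption: LICSRV01.contoso.local is a placeholder; replace it with your license server.
#Requires -RunAsAdministrator

$PolicyKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$LicenseServers = 'LICSRV01.contoso.local'   # comma-separate several servers, as in step 4
$LicensingMode  = 'PerUser'                  # or 'PerDevice'; workgroup hosts must use PerDevice

# The policy stores the mode as a DWORD: 2 = Per Device, 4 = Per User.
$ModeValue = @{ PerDevice = 2; PerUser = 4 }[$LicensingMode]
if ($null -eq $ModeValue) { throw "Unknown licensing mode '$LicensingMode'" }

if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
Set-ItemProperty -Path $PolicyKey -Name 'LicenseServers' -Value $LicenseServers -Type String
Set-ItemProperty -Path $PolicyKey -Name 'LicensingMode'  -Value $ModeValue      -Type DWord

# Read the effective configuration back. A domain GPO that sets the same policies
# overrides these local values, so this read-back is what the host really uses.
$ts = Get-CimInstance -Namespace 'root\CIMV2\TerminalServices' `
                      -ClassName Win32_TerminalServiceSetting
$modeNames = @{ 2 = 'Per Device'; 4 = 'Per User'; 5 = 'Not configured' }
"Licensing mode : $($modeNames[[int]$ts.LicensingType])"
$list = Invoke-CimMethod -InputObject $ts -MethodName GetSpecifiedLicenseServerList
"License servers: $($list.SpecifiedLicenseServerList -join ', ')"
```

Unlike gpedit.msc, this does not record the setting in the local registry.pol, so use the console (or a domain GPO) if you want the setting managed as policy rather than as a direct registry write.
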

Check for blocked ports between the Remote Desktop Services servers
Make sure that the required ports are open on the firewalls between the RD Session
Host and the RD Licensing server.

For lists of the ports that have to be open between the different RDS components, see:

Ports that are used by Remote Desktop Services

Service overview and network port requirements for Windows

For more information, see "Your session will be disconnected in 60 minutes" message
when you connect to RDS.

Check security policy setting - Access this computer from the network
Check the Access this computer from the network security policy setting under
Computer Configuration\Windows Settings\Security Settings\Local Policies\User
Rights Assignment in the Local Group Policy Editor.

Assign this right to Authenticated Users, Domain Computers, or the Session Host computer
account if Everyone isn't assigned.

For more information, see Access this computer from the network - security policy
setting.

Refresh the X509 Certificate registry keys

Important

Follow this section's instructions carefully. Serious problems can occur if the
registry is modified incorrectly. Before you start modifying the registry, back up the
registry so that you can restore it in case something goes wrong.

To resolve this problem, back up and then remove the X509 Certificate registry keys,
restart the computer, and then reactivate the RD Licensing server. Follow these steps.

Note

Perform the following procedure on each of the RDSH servers.

Here's how to reactivate the RD Licensing server:

1. Open the Registry Editor and navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM.
2. On the Registry menu, select Export Registry File.
3. Enter exported-Certificate into the File name box, and then select Save.
4. Right-click each of the following values, select Delete, and then select Yes to verify
the deletion:

Certificate
X509 Certificate
X509 Certificate ID
X509 Certificate2
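The backup-then-delete procedure above, as an added PowerShell example (not from the Microsoft article) for running on each RDSH server: it exports the RCM key to a .reg file and refuses to delete anything if the export fails, then removes only the four values that are present. The backup location under $env:TEMP is a placeholder; run it elevated.

```powershell
# Added example, not part of the original article. Backs up the RCM key to a .reg file,
# then removes the four X509 certificate values listed above so that they are regenerated
# when the RD Session Host restarts. Assumption: the backup path is a placeholder.
#Requires -RunAsAdministrator

$RcmKey     = 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM'
$RcmPsPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM'
$BackupFile = Join-Path $env:TEMP 'exported-Certificate.reg'   # placeholder location
$Values     = 'Certificate', 'X509 Certificate', 'X509 Certificate ID', 'X509 Certificate2'

# Steps 2-3: export the whole key before touching it; reg.exe writes a restorable .reg file.
reg.exe export $RcmKey $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
    throw "Backup of $RcmKey failed; nothing was deleted."
}

# Step 4: delete each value only if it exists, and report what was removed.
$present = (Get-ItemProperty -Path $RcmPsPath).PSObject.Properties.Name
foreach ($name in $Values) {
    if ($present -contains $name) {
        Remove-ItemProperty -Path $RcmPsPath -Name $name
        "Removed '$name'"
    } else {
        "'$name' not present, skipped"
    }
}
"Backup saved to $BackupFile. Restart the server, then reactivate the RD Licensing server."
```

To roll back, run reg.exe import with the saved .reg file before restarting.
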

Additional troubleshooting methods
If you verify that the licensing configuration is correct, but the system still isn't correctly
issuing CALs, follow these steps:

1. Use RD Licensing Diagnoser to check for issues
2. Make sure that the versions of your RDS CALs, RD Session Hosts, and RD License
Servers are compatible
3. Make sure that you're using the appropriate type of RDS CAL for your RDS
environment

Step 1: Use RD Licensing Diagnoser to check for issues

To open RD Licensing Diagnoser, open Server Manager, and select Tools > Terminal
Services > RD Licensing Diagnoser.

The top window of the RD Licensing Diagnoser lists problems that the diagnoser has
detected. For example, you might see a message that resembles the following:

Licenses are not available for this Remote Desktop Session Host server, and RD
Licensing Diagnoser has identified licensing problems for the RD Session Host
Server

The RD Licensing Diagnoser Information section shows more information about the
problem, including its possible causes and the steps to follow to remediate it.

Step 2: Make sure that the versions of your RDS CALs, RD Session Hosts, and RD License Servers are compatible
The following table shows which RDS CAL and RD Session Host versions are compatible
with one another.

| Session host               | RDS 2008 R2 and earlier CAL | RDS 2012 CAL | RDS 2016 CAL | RDS 2019 CAL |
|----------------------------|-----------------------------|--------------|--------------|--------------|
| 2008, 2008 R2 session host | Yes                         | Yes          | Yes          | Yes          |
| 2012 session host          | No                          | Yes          | Yes          | Yes          |
| 2012 R2 session host       | No                          | Yes          | Yes          | Yes          |
| 2016 session host          | No                          | No           | Yes          | Yes          |
| 2019 session host          | No                          | No           | No           | Yes          |

The following table shows which RDS CAL and license server versions are compatible
with one another.

| License server               | RDS 2008 R2 and earlier CAL | RDS 2012 CAL | RDS 2016 CAL | RDS 2019 CAL |
|------------------------------|-----------------------------|--------------|--------------|--------------|
| 2008, 2008 R2 license server | Yes                         | No           | No           | No           |
| 2012 license server          | Yes                         | Yes          | No           | No           |
| 2012 R2 license server       | Yes                         | Yes          | No           | No           |
| 2016 license server          | Yes                         | Yes          | Yes          | No           |
| 2019 license server          | Yes                         | Yes          | Yes          | Yes          |

For more information, see RDS CAL version compatibility.

Step 3: Make sure that you're using the appropriate type of RDS CAL for your RDS environment
If you use domain-joined servers for your RDS deployment, you can use both Per User
and Per Device CALs. If you use workgroup servers for your RDS deployment, you have
to use Per Device CALs. In that case, Per User CALs aren't permitted.
