RDS Services Remoto Dektop

Download as pdf or txt
Download as pdf or txt
You are on page 1of 399
At a glance
Powered by AI
The document covers topics related to planning, building, deploying, running and managing Remote Desktop Services environments.

Some of the main topics covered include deployment guidance, licensing, integrating with Azure services, high availability, disaster recovery, managing users and optimizing Windows 10 for VDI.

Some ways to optimize Windows 10 for VDI mentioned are configuring recommended settings for VDI desktops and optimizing specific Windows 10 versions like 1803, 1909 and 2004 for the VDI role.

Contents

Remote Desktop Services


Get started
What's new in RDS?
Supported configurations for RDS
Supported security configurations for Windows 10 VDI
Planning poster for Remote Desktop Services
Remote Desktop Services hosting partners
Plan and design
Build anywhere
Remote Desktop workloads
Network guidelines
Virtual machine sizing guidelines
Access from anywhere
High availability
Multifactor Authentication
Secure data storage
GPU acceleration
Connect from any device
Choose how you pay
Office 2016 in RDS and VDI deployments
Dealing with Outlook search in non-persistent environments
OneDrive for Business and VDI environments
Desktop Hosting Reference Architecture
Remote Desktop Services architecture
Desktop hosting service
Remote Desktop Services roles
Azure services and considerations for desktop hosting
Build and deploy
Deploy a proof-of-concept RDS environment with ARM and Azure Marketplace
Migrate your Remote Desktop Services deployments to Windows Server 2016
Migrate your Remote Desktop Services Client Access Licenses (RDS CALs)
Upgrade your Remote Desktop Services deployments to Windows Server 2016
Upgrade Remote Desktop Session Host servers
Upgrade Remote Desktop Virtualization Host servers
Deploy a Remote Desktop Services infrastructure
Create and deploy a Remote Desktop Services collection
Set up the Remote Desktop web client for your users
Set up email discovery for your users
License your Remote Desktop deployment
Activate the license server
Install RDS CALs on the license server
Track the CALs used in your deployment
Integrate Azure services
Learn how to use Multi-factor Authentication with RDS
Integrate Azure AD Domain Services with your RDS deployment
Publish Remote Desktop with Azure AD Application Proxy
Extend your RDS environment for high availability
Scale out an existing RDS collection with an RD Session Host farm
Add high availability to the RD Connection Broker infrastructure
Add high availability to the RD Web and RD Gateway web front
Deploy a two-node Storage Spaces Direct file system for UPD storage
Deploy and manage a personal session desktops environment
Create VMs for RDS
Set up disaster recovery for your RDS environment
Create a geo-redundant RDS deployment
Set up Azure Site Recovery for RDS
Enable disaster recovery for RDS components
Create your disaster recovery plan
Run and tune
Manage personal desktop session collections
Recommended configuration for VDI desktops
Optimizing Windows 10, version 2004 for a Virtual Desktop Infrastructure (VDI) role
Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role
Optimizing Windows 10, version 1803, for a Virtual Desktop Infrastructure (VDI) role
Manage users in your RDS collection
Customize the RDS title "Work Resources" using PowerShell on Windows Server
Diagnose app performance issues with performance counters
Access your Remote Desktop resources
Available Remote Desktop clients
Windows Desktop client
Get started with the Windows Desktop client
Windows Desktop client for admins
What's new in the Windows Desktop client
Shortcut keys
Microsoft Store client
Get started with the Microsoft Store client
What's new in the Microsoft Store client
Android client
Get started with the Android client
What's new in the Android client
iOS client
Get started with the iOS client
What's new in the iOS client
macOS client
Get started with the macOS client
What's new in the macOS client
Web client
Get started with the web client
What's new in the web client
Setting up your PC for Remote Desktop
Supported PCs
Grant Remote Desktop access to your PC
Grant access to your PC from outside your network
Change the RD listening port on your PC
Configure the RD Gateway role
Advanced information
Compare the clients: features
Compare the clients: redirections
Supported Remote Desktop RDP file settings
Remote Desktop URI scheme
Remote Desktop client FAQ
Privacy settings for managed apps and desktops
Known issues
General Remote Desktop connection troubleshooting
Credential limit per app
Clients can't connect and get the "Class not registered" error
Clients can't connect and see "No licenses available" error
User can't authenticate or must authenticate twice
"Remote Desktop Service is currently busy" error on connecting
Remote Desktop client disconnects and can't reconnect to the same session
Remote laptop disconnects from wireless network
Poor performance or application problems during remote desktop connection
Input method editor issue in RemoteApp scenarios
Additional resources
Welcome to Remote Desktop Services
11/2/2020 • 2 minutes to read • Edit Online

Remote Desktop Services (RDS) is the platform of choice for building virtualization solutions for every end
customer need, including delivering individual virtualized applications, providing secure mobile and remote
desktop access, and providing end users the ability to run their applications and desktops from the cloud.

RDS offers deployment flexibility, cost efficiency, and extensibility—all delivered through a variety of
deployment options, including Windows Server 2016 for on-premises deployments, Microsoft Azure for cloud
deployments, and a robust array of partner solutions.
Depending on your environment and preferences, you can set up the RDS solution for session-based
virtualization, as a virtual desktop infrastructure (VDI), or as a combination of the two:
Session-based vir tualization : Leverage the compute power of Windows Server to provide a cost-effective
multi-session environment to drive your users' everyday workloads.
VDI : Leverage Windows client to provide the high performance, app compatibility, and familiarity that your
users have come to expect of their Windows desktop experience.
Within these virtualization environments, you have additional flexibility in what you publish to your users:
Desktops : Give your users a full desktop experience with a variety of applications that you install and
manage. Ideal for users that rely on these computers as their primary workstations or that are coming from
thin clients, such as with MultiPoint Services.
RemoteApps : Specify individual applications that are hosted/run on the virtualized machine but appear as if
they're running on the user's desktop like local applications. The apps have their own taskbar entry and can
be resized and moved across monitors. Ideal for deploying and managing key applications in the secure,
remote environment while allowing users to work from and customize their own desktops.
For environments where cost-effectiveness is crucial and you want to extend the benefits of deploying full
desktops in a session-based virtualization environment, you can use MultiPoint Services to deliver the best
value.
With these options and configurations, you have the flexibility to deploy the desktops and applications your
users need in a remote, secure, and cost-effective fashion.

Next steps
Here are some next steps to help you get a better understanding of RDS and even start deploying your own
environment:
Understand the supported configurations for RDS with the various Windows and Windows Server versions
Plan and design an RDS environment to accommodate various requirements, such as high availability and
multi-factor authentication.
Review the Remote Desktop Services architecture models that work best for your desired environment.
Start to deploy your RDS environment with ARM and Azure Marketplace.
Get started with Remote Desktop Services in
Windows Server 2016
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

Use the following information to begin exploring and using Remote Desktop Services in Windows Server 2016.
What's new in Remote Desktop Services? - Check out the new features added in Windows Server 2016, as
well as improvements to existing features and scenarios.
Remote Desktop Services planning poster - We've created a poster that walks you through all the
considerations for planning your Remote Desktop Deployment.
Host Windows desktops and applications - learning path - Need to create a desktop hosting solution on
virtual machines? Learn about the new Remote Desktop Services learning path, as well as identify partners
that can help you build your environment.
Once you've reviewed the information about, take the next step and start planning your deployment.
What's new in Remote Desktop Services
11/2/2020 • 2 minutes to read • Edit Online

Remote Desktop Services (RDS) built on Windows Server 2016 is a virtualization platform enabling a wide
range of customer scenarios. Improvements in the overall RDS solution incorporates the work done by both the
Remote Desktop team and other technology partners at Microsoft. The following scenarios and technologies are
new or improved in Windows Server 2016.
Also be sure to check out our session from Ignite 2016: Harness RDS improvements in Windows Server 2016. In
this video, the product team reviews all of the new and improved features in Remote Desktop Services,
including vGPU support.

App Compatibility - Windows Server 2016 and Windows 10


Built on the same foundation of Windows 10, Windows Server 2016 not only has the same look and feel you
expect out of a desktop but can also run many of the same applications. Pairing Windows Server 2016 with the
graphics capabilities (below) gives you an environment for all users to be productive.

Azure SQL Database - the new database for your highly available
environment
The RD Connection Broker is able to store all of the deployment information (like connection states and
user/host mappings) in a shared SQL database, such as an Azure SQL database. Ditch the SQL Server Always On
Availability Group deployment manual, grab the connection string to the Azure SQL database, and start using
your highly available environment.
Additional information: Use Azure SQL DB for your Remote Desktop Connection Broker high availability
environment

Graphics - solving graphics needs across various scenarios


Thanks to Hyper-V's Discrete Device Assignment, you can now map GPUs on a host machine directly to a VM to
be consumed by its GPU-requiring applications. Improvements have also been made in RemoteFX vGPU,
including support for OpenGL 4.4, OpenCL 1.1, 4k resolution, and Windows Server virtual machines.
Additional information: Discrete Device Assignment

RD Connection Broker - improved connection handling during logon


storms
With improved connection handling, the RD Connection Broker is now able to handle over 10,000 concurrent
logon requests, sometimes seen during "logon storms". The improved RD Connection Broker also makes
maintenance of the deployment simpler by being able to more quickly add servers back into the environment.
Additional information: Improved Remote Desktop Connection Broker Performance

RDP 10 - new capabilities built into the protocol


RDP 10 now uses the H.264/AVC 444 codec, appropriately optimizing across both video and text. With this
release, pen remoting is also supported. With these capabilities, your remote sessions start to feel even more
like a local session.
Additional information: RDP 10 AVC/H.264 improvements in Windows 10 and Windows Server 2016

Personal session desktops - providing individual desktops to any end-


user
Personal session desktops is a new way to have your own personal desktop hosted for you in the cloud.
Administrative privileges and dedicated session hosts removes the complexity of hosting environments where
users want to manage the desktop like it's their own.
Additional information: Personal Session Desktops
Supported configurations for Remote Desktop
Services
7/29/2021 • 6 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2016, Windows Server 2019

When it comes to supported configurations for Remote Desktop Services environments, the largest concern
tends to be version interoperability. Most environments include multiple versions of Windows Server - for
example, you may have an existing Windows Server 2012 R2 RDS deployment but want to upgrade to Windows
Server 2016 to take advantage of the new features (like support for OpenGL\OpenCL, Discrete Device
Assignment, or Storage Spaces Direct). The question then becomes, which RDS components can work with
different versions and which need to be the same?
So with that in mind, here are basic guidelines for supported configurations of Remote Desktop Services in
Windows Server.

NOTE
Make sure to review the system requirements for Windows Server 2016 and system requirements for Windows Server
2019.

Best practices
Use Windows Server 2019 for your Remote Desktop infrastructure (the Web Access, Gateway,
Connection Broker, and license server). Windows Server 2019 is backward-compatible with these
components, which means a Windows Server 2016 or Windows Server 2012 R2 RD Session Host can
connect to a 2019 RD Connection Broker, but not the other way around.
For RD Session Hosts - all Session Hosts in a collection need to be at the same level, but you can have
multiple collections. You can have a collection with Windows Server 2016 Session Hosts and one with
Windows Server 2019 Session Hosts.
If you upgrade your RD Session Host to Windows Server 2019, also upgrade the license server.
Remember that a 2019 license server can process CALs from all previous versions of Windows Server,
down to Windows Server 2003.
Follow the upgrade order recommended in Upgrading your Remote Desktop Services environment.
If you are creating a highly available environment, all of your Connection Brokers need to be at the same
OS level.

RD Connection Brokers
Windows Server 2016 removes the restriction for the number of Connection Brokers you can have in a
deployment when using Remote Desktop Session Hosts (RDSH) and Remote Desktop Virtualization Hosts
(RDVH) that also run Windows Server 2016. The following table shows which versions of RDS components
work with the 2016 and 2012 R2 versions of the Connection Broker in a highly available deployment with three
or more Connection Brokers.
3+ C O N N EC T IO N B RO K ERS
IN H A RDSH O R RDVH 2019 RDSH O R RDVH 2016 RDSH O R RDVH 2012 R2

Windows Server 2019 Supported Supported Supported


Connection Broker

Windows Server 2016 N/A Supported Supported


Connection Broker

Windows Server 2012 R2 N/A N/A Not Supported


Connection Broker

Support for graphics processing unit (GPU) acceleration


Remote Desktop Services support systems equipped with GPUs. Applications that require a GPU can be used
over the remote connection. Additionally, GPU-accelerated rendering and encoding can be enabled for improved
app performance and scalability.
Remote Desktop Services Session Hosts and single-session client operating systems can take advantage of the
physical or virtual GPUs presented to the operating system in many ways, including the Azure GPU optimized
virtual machine sizes, GPUs available to the physical RDSH server, and GPUs presented to the VMs by supported
hypervisors.
See Which graphics virtualization technology is right for you? for help figuring out what you need. For specific
information about DDA, check out Plan for deploying Discrete Device Assignment.
GPU vendors may have a separate licensing scheme for RDSH scenarios or restrict GPU use on the server OS,
verify the requirements with your favorite vendor.
GPUs presented by a non-Microsoft hypervisor or Cloud Platform must have drivers digitally-signed by WHQL
and supplied by the GPU vendor.
Remote Desktop Session Host support for GPUs
The following table shows the scenarios supported by different versions of RDSH hosts.

W IN DO W S SERVER W IN DO W S SERVER W IN DO W S SERVER W IN DO W S SERVER


F EAT URE 2008 R2 2012 R2 2016 2019

Use of hardware GPU No Yes Yes Yes


for all RDP sessions

H.264/AVC hardware No No Yes Yes


encoding (if
suppported by the
GPU)

Load balancing No No No Yes


between multiple
GPUs presented to
the OS

H.264/AVC encoding No No No Yes


optimizations for
minimizing
bandwidth usage
W IN DO W S SERVER W IN DO W S SERVER W IN DO W S SERVER W IN DO W S SERVER
F EAT URE 2008 R2 2012 R2 2016 2019

H.264/AVC support No No No Yes


for 4K resolution

VDI support for GPUs


The following table shows support for GPU scenarios in the client OS.

F EAT URE W IN DO W S 7 SP 1 W IN DO W S 8. 1 W IN DO W S 10

Use of hardware GPU for all No Yes Yes


RDP sessions

H.264/AVC hardware No No Windows 10 1703 and later


encoding (if suppported by
the GPU)

Load balancing between No No Windows 10 1803 and later


multiple GPUs presented to
the OS

H.264/AVC encoding No No Windows 10 1803 and later


optimizations for
minimizing bandwidth
usage

H.264/AVC support for 4K No No Windows 10 1803 and later


resolution

RemoteFX 3D Video Adapter (vGPU ) support

NOTE
Because of security concerns, RemoteFX vGPU is disabled by default on all versions of Windows starting with the July 14,
2020 Security Update and removed starting with the April 13, 2021 Security Update. To learn more, see KB 4570006.

Remote Desktop Services supports RemoteFX vGPUs when VM is running as a Hyper-V guest on Windows
Server 2012 R2 or Windows Server 2016. The following guest operating systems have RemoteFX vGPU
support:
Windows 7 SP1
Windows 8.1
Windows 10 1703 or later
Windows Server 2016 in a single-session deployment only
Discrete Device Assignment support
Remote Desktop Services supports Physical GPUs presented with Discrete Device Assignment from Windows
Server 2016 or Windows Server 2019 Hyper-V hosts. See Plan for deploying Discrete Device Assignment for
more details.

VDI deployment – supported guest OSes


Windows Server 2016 and Windows Server 2019 RD Virtualization Host servers support the following guest
OSes:
Windows 10 Enterprise
Windows 8.1 Enterprise
Windows 7 SP1 Enterprise

NOTE
Remote Desktop Services doesn't support heterogeneous session collections. The OSes of all VMs in a collection must
be the same version.
You can have separate homogeneous collections with different guest OS versions on the same host.
The Hyper-V host used to run VMs must be the same version as the Hyper-V host used to create the original VM
templates.

Single sign-on
Windows Server 2016 and Windows Server 2019 RDS supports two main SSO experiences:
In-app (Remote Desktop application on Windows, iOS, Android, and Mac)
Web SSO
Using the Remote Desktop application, you can store credentials either as part of the connection info (Mac) or as
part of managed accounts (iOS, Android, Windows) securely through the mechanisms unique to each OS.
To connect to desktops and RemoteApps with SSO through the inbox Remote Desktop Connection client on
Windows, you must connect to the RD Web page through Internet Explorer. The following configuration options
are required on the server side. No other configurations are supported for Web SSO:
RD Web set to Forms-Based Authentication (Default)
RD Gateway set to Password Authentication (Default)
RDS Deployment set to "Use RD Gateway credentials for remote computers" (Default) in the RD Gateway
properties

NOTE
Due to the required configuration options, Web SSO is not supported with smartcards. Users who login via smartcards
might face multiple prompts to login.

For more information about creating VDI deployment of Remote Desktop Services, check out Supported
Windows 10 security configurations for Remote Desktop Services VDI.

Using Remote Desktop Services with application proxy services


You can use Remote Desktop Services with Azure AD Application Proxy. Remote Desktop Services does not
support using Web Application Proxy, which is included in Windows Server 2016 and earlier versions.
Supported Windows 10 security configurations for
Remote Desktop Services VDI
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

Windows 10 and Windows Server 2016 have new layers of protection built into the operating system to further
safeguard against security breaches, help block malicious attacks and enhance the security of virtual machines,
applications, and data.

NOTE
Make sure to review the Remote Desktop Services supported configuration information.

The following table outlines which of these new features are supported in a VDI deployment using RDS.

VDI C O L L EC T IO N M A N A GED UN M A N A GED UN M A N A GED


TYPE M A N A GED P O O L ED P ERSO N A L P O O L ED P ERSO N A L

Credential Guard Yes Yes Yes Yes

Device Guard Yes Yes Yes Yes

Remote Credential No No No No
Guard

Shielded & No No Encryption Encryption


Encryption supported VMs with supported VMs with
Supported VMs additional additional
configuration configuration

Remote Credential Guard:


Remote Credential Guard is only supported for direct connections to the target machines and not for the ones
via Remote Desktop Connection Broker and Remote Desktop Gateway.

NOTE
If you have a Connection Broker in a single-instance environment, and the DNS name matches the computer name, you
may be able to use Remote Credential Guard, although this is not supported.

Shielded VMs and Encryption Supported VMs:


Shielded VMs are not supported in Remote Desktop Services VDI
For leveraging Encryption Supported VMs:
Use an unmanaged collection and a provisioning technology outside of the Remote Desktop Services
collection creation process to provision the virtual machines.
User Profile Disks are not supported as they rely on differential disks
Remote Desktop Services - planning poster
7/2/2021 • 2 minutes to read • Edit Online

Azure Virtual Desktop


You may have heard us talk about a new "modern infrastructure" for Remote Desktop. Maybe you've heard us
use the phrase "RDmi." The phrase you need to know is "Azure Virtual Desktop." Learn more at our Azure
Virtual Desktop documentation page.
The Remote Desktop Services team have created a poster to help you plan, build, and run your Azure Virtual
Desktop environment.

You can get a copy of the poster by right-clicking the image and saving it to your local system.

Remote Desktop Services in Windows Server


The Remote Desktop Services team have created a poster to help you plan, build, and run your RDS
environment.
You can get a copy of the poster by right-clicking the image and saving it to your local system.
Check out the following topics to learn more about planning:
Plan and design your RDS deployment
Build and deploy RDS
Run and tune your RDS environment
Remote Desktop Services hosting partners and
assessment
11/2/2020 • 2 minutes to read • Edit Online

Recently, Microsoft delivered a new learning path within the Microsoft Partner Network: "Hosting Windows
Desktop and Applications using Remote Desktop Services in Azure."
If you are a Microsoft partner and want to be included in the list of partners who have passed the assessment,
here are the steps you can take to complete the learning path:
1. Become a Microsoft Partner, if you're not already.
2. Watch the Hosting Windows and Applications using Remote Desktop Services in Azure training session.
3. Take the technical assessment.
4. Make sure you meet the requirements for the Cloud Platform competency.
Already a Microsoft Partner and have questions? Contact the Remote Desktop team at
[email protected].

Partners who have passed the learning path assessment


If you are a customer looking for a partner to help you host Windows desktops and applications in Azure for
your users, we have compiled a list of partners who have passed the assessment. Here is a list of those partners,
as of 03/28/2017, that you can download.
You can find more information on each partner using these steps:
1. Open Find a partner.
2. Clear the Location field.
3. Enter the name of the partner in the I'm looking for help with field.
Plan and design your Remote Desktop Services
environment
11/2/2020 • 2 minutes to read • Edit Online

A highly scalable Remote Desktop deployment requires the use of specific patterns and practices. Designing for
optimal performance and scale-out is key. Use the scenarios below to help you envision, architect, and
continually refine your deployment.
Use the following information to plan and design your deployment:
Build anywhere
Network guidance
Access from anywhere
High availability
MultiFactor Authentication
Secure data storage
GPU acceleration
Connect from any device
Choose how you pay
Be sure to also review the Desktop Hosting Reference Architecture, which provides an overview of the Remote
Desktop architecture and helps you plan a hybrid RDS environment that includes Azure infrastructure.
Remote Desktop Services - Build anywhere
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

Deploy on-premises, in the cloud, or a hybrid of the two. Modify your deployment as your business needs
change.
Regardless of where you are, the underlying architecture of the Remote Desktop Services environment remains
the same:
You still must have an internet-facing server to utilize RD Web Access and RD Gateway for external users
You still must have an Active Directory and--for highly available environments--a SQL database to house
user and Remote Desktop properties
You still must have communication access between the RD infrastructure roles (RD Connection Broker, RD
Gateway, RD Licensing, and RD Web Access) and the end RDSH or RDVH hosts to be able to connect end-
users to their desktops or applications.
This flexibility allows you to get the best of both worlds:
The simplicity and pay-as-you-go methods associated with the cloud and the online world.
The familiarity and hassle-free way of leveraging heavy resources that already exist on-premises.
For additional information, look at how to build and deploy your Remote Desktop Services deployment.
Remote Desktop workloads
7/2/2021 • 2 minutes to read • Edit Online

Users can run different types of workloads on the virtual machines managed by Remote Desktop Services or
Azure Virtual Desktop. Scale your deployment depending on the expected need of each type of user. The
following table provides examples of a range of workload types to help you estimate what size your virtual
machines need to be. After you set up your virtual machines, you should continually monitor their actual usage
and adjust their size accordingly. If you end up needing a bigger or smaller virtual machine, you can easily scale
your existing deployment up or down in Azure.
The following table describes each workload. "Example users" are the types of users that might find each
workload most helpful. "Example apps" are the kinds of apps that work best for each workload.

W O RK LO A D T Y P E EXA M P L E USERS EXA M P L E A P P S

Light Users doing basic data entry tasks Database entry applications,
command-line interfaces

Medium Consultants and market researchers Database entry applications,


command-line interfaces, Microsoft
Word, static web pages

Heavy Software engineers, content creators Database entry applications,


command-line interfaces,
Microsoft Word, static web pages,
Microsoft Outlook,
Microsoft PowerPoint, dynamic web
pages

Power Graphic designers, 3D model makers, Database entry applications,


machine learning researchers command-line interfaces, Microsoft
Word, static web pages,
Microsoft Outlook,
Microsoft PowerPoint, dynamic web
pages, Adobe Photoshop,
Adobe Illustrator, computer-aided
design (CAD), computer-aided
manufacturing (CAM)

For information about sizing recommendations, see Virtual machine sizing guidance.
Network guidelines
7/2/2021 • 2 minutes to read • Edit Online

When using a remote Windows session, your network's available bandwidth greatly impacts the quality of your
experience. Different applications and display resolutions require different network configurations, so it's
important to make sure your network is configured to meet your needs.

NOTE
The following recommendations apply to networks with less than 0.1% loss. These recommendations apply regardless of
how many sessions you're hosting on your virtual machines (VMs).

Applications
The following table lists the minimum recommended bandwidths for a smooth user experience. These
recommendations are based on the guidelines in Remote Desktop workloads.

W O RK LO A D T Y P E REC O M M EN DED B A N DW IDT H

Light 1.5 Mbps

Medium 3 Mbps

Heavy 5 Mbps

Power 15 Mbps

Keep in mind that the stress put on your network depends on both your app workload's output frame rate and
your display resolution. If either the frame rate or display resolution increases, the bandwidth requirement will
also rise. For example, a light workload with a high-resolution display requires more available bandwidth than a
light workload with regular or low resolution.
Other scenarios can have their bandwidth requirements change depending on how you use them, such as:
Voice or video conferencing
Real-time communication
Streaming 4K video
Make sure to load test these scenarios in your deployment using simulation tools like Login VSI. Vary the load
size, run stress tests, and test common user scenarios in remote sessions to better understand your network's
requirements.

Display resolutions
Different display resolutions require different available bandwidths. The following table lists the bandwidths we
recommend for a smooth user experience at typical display resolutions with a frame rate of 30 frames per
second (fps). These recommendations apply to single and multiple user scenarios. Keep in mind that scenarios
involving a frame rate under 30 fps, such as reading static text, require less available bandwidth.
T Y P IC A L DISP L AY RESO L UT IO N S AT 30 F P S REC O M M EN DED B A N DW IDT H

About 1024 × 768 px 1.5 Mbps

About 1280 × 720 px 3 Mbps

About 1920 × 1080 px 5 Mbps

About 3840 × 2160 px (4K) 15 Mbps

Azure Virtual Desktop experience estimator


The Azure region you're in can affect user experience as much as network conditions. Check out the Azure
Virtual Desktop experience estimator to learn more.

Assistive technologies
Assistive technology workloads, like using Narrator in the remote session, require connections with a
connection round trip time (RTT) of 20 milliseconds (ms) or better for the best user experience.
Virtual machine sizing guidelines
7/2/2021 • 4 minutes to read • Edit Online

Whether you're running your virtual machine on Remote Desktop Services or Azure Virtual Desktop, different
types of workloads require different session host virtual machine (VM) configurations. For the best possible
experience, scale your deployment depending on your users' needs.

Multi-session recommendations
The examples in this section are generic guidelines and you should only use them for initial performance
estimates. The following tables list the maximum suggested number of users per virtual central processing unit
(vCPU) and the minimum VM configuration for each workload. These recommendations are based on Remote
Desktop workloads.
The following table shows an example of a smaller, proof-of-concept scenario with a user workload of less than
20 users:

M A XIM UM USERS VC P U/ RA M / O S EXA M P L E A Z URE P RO F IL E C O N TA IN ER


W O RK LO A D T Y P E P ER VC P U STO RA GE M IN IM UM IN STA N C ES STO RA GE M IN IM UM

Light 4 4 vCPUs, 16 GB D4s_v4, F4s_v2, 30 GB


RAM, 32 GB storage D4as_v4

Medium 4 4 vCPUs, 16 GB D4s_v4, F4s_v2, 30 GB


RAM, 32 GB storage D4as_v4

Heavy 2 4 vCPUs, 16 GB D8s_v4, F8s_v2, 30 GB


RAM, 32 GB storage D8as_v4, D16s_v4,
F16s_v2, D16as_v4

Power 1 6 vCPUs, 56 GB D4s_v4, F4s_v2, 30 GB


RAM, 340 GB D4as_v4, NV12,
storage NVv4

This table shows examples of standard or larger user workloads with 20 or more users:

M A XIM UM USERS VC P U/ RA M / O S EXA M P L E A Z URE P RO F IL E C O N TA IN ER


W O RK LO A D T Y P E P ER VC P U STO RA GE M IN IM UM IN STA N C ES STO RA GE M IN IM UM

Light 6 8 vCPUs, 16 GB D8s_v4, F8s_v2, 30 GB


RAM, 16 GB storage D8as_v4, D16s_v4,
F16s_v2, D16as_v4

Medium 4 8 vCPUs, 16 GB D8s_v4, F8s_v2, 30 GB


RAM, 32 GB storage D8as_v4, D16s_v4,
F16s_v2, D16as_v4

Heavy 2 8 vCPUs, 16 GB D8s_v4, F8s_v2, 30 GB


RAM, 32 GB storage D8as_v4, D16s_v4,
F16s_v2, D16as_v4
M A XIM UM USERS VC P U/ RA M / O S EXA M P L E A Z URE P RO F IL E C O N TA IN ER
W O RK LO A D T Y P E P ER VC P U STO RA GE M IN IM UM IN STA N C ES STO RA GE M IN IM UM

Power 1 6 vCPUs, 56 GB D8s_v4, F8s_v2, 30 GB


RAM, 340 GB D8as_v4, D16s_v4,
storage F16s_v2, D16as_v4,
NV12, NVv4

Recommended VM sizes for standard or larger environments


We recommend limiting VM size to between 4 vCPUs and 24 vCPUs. We don't recommend using 2 cores or 32
or more cores for standard and larger environments. Why is that?
All VMs should have more than two cores
Windows 10 and its UI components rely on using at least two parallel threads for some of the heavier rendering
operations. Having multiple users on a two-core VM will lead to the UI and apps becoming unstable, which
lowers the quality of user experience. Four cores is the lowest possible number of cores that a stable multi-user
VM can have.
VMs should not have more than 32 cores
As the number of cores increase, the system's synchronization overhead also increases. For most workloads, at
around 16 cores the return on investment gets lower, with most of the extra capacity being offset by
synchronization overhead. It is likely to get more capacity from two 16 core VMs as opposed to one 32 core one.
The recommended range between 4 and 24 cores will generally provide better capacity returns for your users as
you increase the number of cores. For example, let’s say you have 12 users sign in at the same time to a VM with
four cores. The ratio is three users per core. Meanwhile, on a VM with eight cores and 14 users, the ratio is 1.75
users per core. The 1.75 ratio scenario offers greater burst capacity for your applications have short-term CPU
demand.
For scenarios with 20 or more connections on a single VM, several smaller VMs would perform better than one
or two large VMs. For example, if you're expecting 30 or more users to simultaneously sign in on the same
session host within 10 minutes, two eight-core VMs will handle the workload better than one 16-core VM. You
can also use breadth-first load balancing to evenly distribute users across different VMs.
It's better to use a large number of smaller VMs instead of a few large VMs because it's easier to shut down VMs
that need to be updated or aren't currently in use. With larger VMs, you're guaranteed to always have at least
one user signed in at any time, which prevents you from shutting down the VM. When you have many smaller
VMs, it's more likely you'll have some that don't have any users signed in. You can safely shut these unused VMs
to conserve resources, making your deployment more resilient, easier to maintain, and less expensive.

Single-session recommendations
For VM sizing recommendations for single-session scenarios, we recommend at least two physical CPU cores
per VM (typically four vCPUs with hyperthreading). If you need more specific VM sizing recommendations for
single-session scenarios, ask the software vendors specific to your workload. VM sizing for single-session VMs
will likely align with physical device guidelines.

General virtual machine recommendations


For VM requirements to run the operating system, see Windows 10 computer specifications and system
requirements.
We recommend you use Premium SSD storage in your OS disk for production workloads that require a service
level agreement (SLA). For more details, see the SLA for virtual machines.
Graphics processing units (GPUs) are a good choice for users who regularly use graphics-intensive programs
for video rendering, 3D design, and simulations. To learn more about graphics acceleration, see Choose your
graphics rendering technology. Azure has several graphics acceleration deployment options and multiple
available GPU VM sizes. Learn more at GPU optimized virtual machine sizes.
B-series burstable VMs are a good choice for users who don't always need maximum CPU performance. For
more information about VM types and sizes, see Sizes for Windows virtual machines in Azure and the pricing
information on our Virtual Machine series page.

Test your workload


Finally, we recommend you use simulation tools to test your deployment with both stress tests and real-life
usage simulations. Make sure your system is responsive and resilient enough to meet user needs, and
remember to vary the load size to avoid surprises.
Remote Desktop Services - Access from anywhere
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

End users can connect to internal network resources securely from outside the corporate firewall through RD
Gateway.
Regardless of how you configure the desktops for your end-users, you can easily plug the RD Gateway into the
connection flow for a fast, secure connection. For end-users connecting through published feeds, you can
configure the RD Gateway property as you configure the overall deployment properties. For end-users
connecting through to their desktops without a feed, they can easily add the name of the organization's RD
Gateway as a connection property no matter which Remote Desktop client application they use.
The three primary purposes of the RD Gateway, in the order of the connection sequence, are:
1. Establish an encr ypted SSL tunnel between the end-user's device and the RD Gateway Ser ver : In
order to connect through any RD Gateway server, the RD Gateway server must have a certificate installed
that the end-user's device recognizes. In testing and proofs of concepts, self-signed certificates can be used,
but only publicly trusted certificates from a certificate authority should be used in any production
environment.
2. Authenticate the user into the environment : The RD Gateway uses the inbox IIS service to perform
authentication, and can even utilize the RADIUS protocol to leverage multi-factor authentication solutions
such as Azure MFA. Aside from the default policies created, you can create additional RD Resource
Authorization Policies (RD RAPs) and RD Connection Authorization Policies (RD CAPs) to more specifically
define which users should have access to which resources within the secure environment.
3. Pass traffic back and for th between the end-user's device and the specified resource : The RD
Gateway continues to perform this task for as long as the connection is established. You can specify different
timeout properties on the RD Gateway servers to maintain the security of the environment in case the user
walks away from the device.
You can find additional details on the overall architecture of a Remote Desktop Services deployment in the
desktop hosting reference architecture.
Remote Desktop Services - High availability
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

Failures and throttling are unavoidable in large-scale systems. It's simple to set up Remote Desktop
infrastructure roles to support high availability and allow end users to connect seamlessly, every time.
In Remote Desktop Services, the following items represent the Remote Desktop infrastructure roles, with their
respective guidance to establish high availability:
Remote Desktop Connection Broker
Remote Desktop Gateway
Remote Desktop Licensing
Remote Desktop Web Access
High availability is established by duplicating each of the roles services on a second machines. In Azure, you can
receive a guaranteed uptime by placing the set of the two virtual machines (hosting the same role) in an
availability sets.
Along with availability sets, you can now leverage the power of Azure SQL Database and its Azure-backed SLA
to ensure that you always have connection information and can redirect users to their desktops and
applications.
For best practices on creating your RDS environment, please see the desktop hosting architecture.
Remote Desktop Services - Multi-Factor
Authentication
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

Leverage the power of Active Directory with Multi-Factor Authentication to enforce high security protection of
your business resources.
For your end-users connecting to their desktops and applications, the experience is similar to what they already
face as they perform a second authentication measure to connect to the desired resource:
Launch a desktop or RemoteApp from an RDP file or through a Remote Desktop client application
Upon connecting to the RD Gateway for secure, remote access, receive an SMS or mobile application MFA
challenge
Correctly authenticate and get connected to their resource!
For more details on the configuration process, check out Integrate your Remote Desktop Gateway infrastructure
using the Network Policy Server (NPS) extension and Azure AD.
Remote Desktop Services - Secure data storage
with UPDs
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

Store business resources, user personalization data, and settings securely on-premises or in Azure. RD Session
Hosts use AD authentication and empower users with the resources they need in a personalized environment,
securely.
Ensuring users have a consistent experience, regardless of the endpoint from which they access their remote
resources, is an important aspect of managing an RDS deployment. User Profile Disks (UPDs) allow user data,
customizations, and application settings to follow a user within a single collection. A UPD is a per-user, per-
collection VHD file saved in a central share that is mounted to a user's session when they sign in - the UPD is
treated as a local drive for the duration of that session.
From the user's perspective, the UPD provides a famililar experience - they save their documents to their
Documents folder (on what appears to be a local drive), change their app settings as usual, and make any
customizations to their Windows environment. All this data, including the registry hive, is stored on the UPD and
persists in a central network share. UPDs are only available to the user when the user is actively connected to a
desktop or RemoteApp. UPDs can only roam within a collection because the user's entire C:\Users\<username\>
directory (including AppData\Local) is stored on the UPD.
You can use PowerShell cmdlets to designate the path to the central share, the size of each UPD, and which
folders should be included or excluded from the user profile saved to the UPD. Alternatively, you can enable
UPDs through Server Manager by going to Remote Desktop Ser vices > Collections > Desktop Collection
> Desktop Collection Proper ties > User Profile Disks . Note that you enable or disable UPDs for all users
of an entire collection, not for specific users in that collection. UPDs must be stored on a central file share where
the servers in the collection have full control permissions.
You can achieve high availability for your UPDs by storing them in Azure with Storage Spaces Direct.
Remote Desktop Services - GPU acceleration
11/2/2020 • 2 minutes to read • Edit Online

Remote Desktop Services works with native graphics acceleration as well as the graphics virtualization
technologies supported by Windows Server. For information on those technologies, their differences, and how
to deploy them, see Plan for GPU acceleration in Windows Server.
When planning for graphics acceleration in your RDS environment, your choice of user scale and user
workloads will drive your choice of graphics rendering technology:
Remote Desktop Services - Connect from any
device
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

Access corporate resources from any Windows, Apple, or Android computer, tablet, or phone. Enable users to
easily see their available desktops and applications from any device through RD Web Feed.
Learn more about Microsoft Remote Desktop clients.
Remote Desktop Services - Choose how you pay
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

Choose your licensing based on what makes sense for your company. License per user to enable users to
remote on any of their devices in a BYOD scenario. License per device if users share the same devices. If you are
a service provider (HSP or MSP) or ISV, choose the per user SALs license for a flexible, pay-as-you-go model.
For more information, check out License your RDS deployment with client access licenses (CALs).
Desktop Hosting Reference Architecture
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

This article defines a set of architectural blocks for using Remote Desktop Services (RDS) and Microsoft Azure
virtual machines to create multitenant, hosted Windows desktop and application services, which we call
"desktop hosting." You can use this architecture reference to create highly secure, scalable, and reliable desktop
hosting solutions for small- and medium-sized organizations with 5 to 5000 users.
The primary audience for this reference architecture are hosting providers who want to leverage Microsoft
Azure Infrastructure Services to deliver desktop hosting services and Subscriber Access Licenses (SALs) to
multiple tenants via the Microsoft Service Provider Licensing Agreement (SPLA) program. A second audience
for this reference architecture are end customers who want to create and manage desktop hosting solutions in
Microsoft Azure Infrastructure Services for their own employees using RDS User CALs extended rights through
Software Assurance (SA).
To deliver a desktop hosting solutions, hosting partners and SA customers leverage Windows Server to deliver
Windows users an application experience that is familiar to business users and consumers. Built on the
foundations of Windows 10, Windows Server 2016 provides familiar application support and user experience.
The scope of this document is limited to:
Architectural design guidance for a desktop hosting service. Detailed information, such as deployment
procedures, performance, and capacity planning is explained in separate documents. For more general
information about Azure Infrastructure Services, see Microsoft Azure Virtual Machines.
Session-based desktops, RemoteApp applications, and server-based personal desktops that use Windows
Server 2016 Remote Desktop Session Host (RD Session Host). Windows client-based virtual desktop
infrastructures are not covered because there is no Service Provider License Agreement (SPLA) for
Windows client operating systems. Windows Server-based virtual desktop infrastructures are allowed
under the SPLA, and Windows client-based virtual desktop infrastructures are allowed on dedicated
hardware with end-customer licenses in certain scenarios. However, client-based virtual desktop
infrastructures are out-of-scope for this document.
Microsoft products and features, primarily Windows Server 2016 and Microsoft Azure Infrastructure
Services.
Desktop hosting services for tenants ranging in size from 5 to 5000 users. For larger tenants, you may
need to modify this architecture to provide adequate performance. The Server Manager RDS graphical
user interface (GUI) is not recommended for deployments over 500 users. PowerShell is recommended
for managing RDS deployments between 500 and 5000 users.
The minimum set of components and services required for a desktop hosting service. There are many
optional components and services that can be added to enhance a desktop hosting service, but these are
out-of-scope for this document.
After reading this document, the reader should understand:
The building blocks that are necessary to provide a secure, reliable, multitenant desktop hosting solution
based in Microsoft Azure Services.
The purpose of each building block and how they fit together.
There are multiple ways to build a desktop hosting solution based on this architecture. This architecture outlines
integration and improvements in Azure with Windows Server 2016. Other deployment options are available
with the Desktop Hosting Reference Architecture Guide for Windows Server 2012 R2.
The following topics are covered:
Desktop hosting logical architecture
Understand the RDS Roles
Understand the desktop hosting environment
Azure services and considerations for desktop hosting
Remote Desktop Services architecture
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

Below are various configurations for deploying Remote Desktop Services to host Windows apps and desktops
for end-users.

NOTE
The architecture diagrams below show using RDS in Azure. However, you can deploy Remote Desktop Services on-
premises and on other clouds. These diagrams are primarily intended to illustrate how the RDS roles are colocated and
use other services.

Standard RDS deployment architectures


Remote Desktop Services has two standard architectures:
Basic deployment – This contains the minimum number of servers to create a fully effective RDS
environment
Highly available deployment – This contains all necessary components to have the highest guaranteed
uptime for your RDS environment
Basic deployment

Highly available deployment


RDS architectures with unique Azure PaaS roles
Though the standard RDS deployment architectures fit most scenarios, Azure continues to invest in first-party
PaaS solutions that drive customer value. Below are some architectures showing how they incorporate with
RDS.
RDS deployment with Azure AD Domain Services
The two standard architecture diagrams above are based on a traditional Active Directory (AD) deployed on a
Windows Server VM. However, if you don't have a traditional AD and only have an Azure AD tenant—through
services like Office365—but still want to leverage RDS, you can use Azure AD Domain Services to create a fully
managed domain in your Azure IaaS environment that uses the same users that exist in your Azure AD tenant.
This removes the complexity of manually syncing users and managing more virtual machines. Azure AD
Domain Services can work in either deployment: basic or highly available.
RDS deployment with Azure AD Application Proxy
The two standard architecture diagrams above use the RD Web/Gateway servers as the Internet-facing entry
point into the RDS system. For some environments, administrators would prefer to remove their own servers
from the perimeter and instead use technologies that also provide additional security through reverse proxy
technologies. The Azure AD Application Proxy PaaS role fits nicely with this scenario.
For supported configurations and how to create this setup, see how to publish Remote Desktop with Azure AD
Application Proxy.
Desktop hosting service
7/29/2021 • 3 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

This article will tell you more about the desktop hosting service's components.

Tenant environment
As described in Remote Desktop service roles, each role plays a distinct part in the tenant envrionment.
The provider's desktop hosting service is implemented as a set of isolated tenant environments. Each tenant's
environment consists of a storage container, a set of virtual machines, and a combination of Azure services, all
communicating over an isolated virtual network. Each virtual machine contains one or more of the components
that make up the tenant's hosted desktop environment. The following subsections describe the components that
make up each tenant's hosted desktop environment.

Active Directory Domain Services


Active Directory Domain Services (AD DS) provides the domain and forest information, such that the tenant's
users can sign in to the desktops and applications to carry out their workloads. This also enables you to set up
or connect to required file shares and databases that may be required for Windows applications.
The tenant's forest does not require any trust relationship with the provider's management forest. A domain
administrator account may be set up in the tenant's domain to allow the provider's technical personnel to
perform administrative tasks in the tenant's environment (such as monitoring system status and applying
software updates) and to assist with troubleshooting and configuration.
There are multiple ways to deploy AD DS:
1. Enable Azure Active Directory Domain Services in the tenant's virtual networking environment. This will
create a managed AD DS instance for the tenant based on the users and groups that exist in Azure AD.
2. Set up a stand-alone AD DS server in the tenant's virtual networking environment. This gives you all of the
full control of the AD DS instance running on virtual machines.
3. Create a site-to-site VPN connection to an AD DS server located on the tenant's premises. This allows the
tenant to connect to their existing AD DS instance and reduce duplication of users, groups, organizational
units, and so on.
For more information, see the following articles:
Azure Active Directory Domain Services documentation
Desktop Hosting Reference Architecture Guide for Windows Server 2012 R2
Create a site-to-site connection in the Azure portal

SQL database
A highly-available SQL database is used by the Remote Desktop Connection Broker to store deployment
information, such as the mapping of current users' connections to the host servers.
There are multiple ways to deploy an SQL database:
1. Create an Azure SQL Database in the tenant's environment. This provides you with the functionality of a
redundant SQL database without you having to manage the servers themselves. This also allows you to pay
for what you consume instead of investing in infrastructure.
2. Create an SQL Server AlwaysOn cluster. This allows you to leverage existing SQL Server infrastructure and
gives you complete control over the SQL Server instances.
For more information about how to set up a highly-available SQL database infrastructure, see the following
articles:
What is the Azure SQL Database service?
Creation and configuration of availability groups (SQL Server).
Add the RD Connection Broker server to the deployment and configure high availability.

File server
The file server uses the Server Message Block (SMB) 3.0 protocol to provide shared folders. These shared
folders are used to create and store user profile disk files (.vhdx) to back up data and let users share data with
each other within the tenant's cloud service.
The virtual machine that deploys the file server must have an Azure data disk attached and configured with
shared folders. Azure data disks use write-through caching, guaranteeing that writes to the disk will not be
erased whenever the virtual machine is restarted.
Small tenants can reduce costs by combining the file server and RD Licensing role on a single virtual machine in
the tenant's environment.
For more information, see the following articles:
Storage in Windows Server
How to attach a managed data disk to a Windows VM in the Azure portal
User profile disks
User profile disks allow users to save personal settings and files when they are signed in to a session on an RD
Session Host server in one collection, then access the same settings and files when signing in to a different RD
Session Host server in the collection. When the user first signs in, the tenant's file server creates a user profile
disk that gets mounted to the RD Session Host server that the user is currently connected to. For each
subsequent sign-in, the user profile disk is mounted to the appropriate RD Session host server, and it is
unmounted with each sign-out. Only the user can access the profile disk's contents.
Remote Desktop Services roles
7/29/2021 • 7 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

This article describes the roles within a Remote Desktop Services environment.

Remote Desktop Session Host


The Remote Desktop Session Host (RD Session Host) holds the session-based apps and desktops you share with
users. Users get to these desktops and apps through one of the Remote Desktop clients that run on Windows,
MacOS, iOS, and Android. Users can also connect through a supported browser by using the web client.
You can organize desktops and apps into one or more RD Session Host servers, called "collections." You can
customize these collections for specific groups of users within each tenant. For example, you can create a
collection where a specific user group can access specific apps, but anyone outside of the group you designated
won't be able to access those apps.
For small deployments, you can install applications directly onto the RD Session Host servers. For larger
deployments, we recommend building a base image and provisioning virtual machines from that image.
You can expand collections by adding RD Session Host server virtual machines to a collection farm with each
RDSH virtual machine within a collection assigned to same availability set. This provides higher collection
availability and increases scale to support more users or resource-heavy applications.
In most cases, multiple users share the same RD Session Host server, which most efficiently utilizes Azure
resources for a desktop hosting solution. In this configuration, users must sign in to collections with non-
administrative accounts. You can also give some users full administrative access to their remote desktop by
creating personal session desktop collections.
You can customize desktops even more by creating and uploading a virtual hard disk with the Windows Server
OS that you can use as a template for creating new RD Session Host virtual machines.
For more information, see the following articles:
Remote Desktop Services - Secure data storage
Upload a generalized VHD and use it to create new VMs in Azure
Update RDSH collection (ARM template)

Remote Desktop Connection Broker


Remote Desktop Connection Broker (RD Connection Broker) manages incoming remote desktop connections to
RD Session Host server farms. RD Connection Broker handles connections to both collections of full desktops
and collections of remote apps. RD Connection Broker can balance the load across the collection's servers when
making new connections. If RD Connection Broker is enabled, using DNS round robin to RD Session Hosts for
balacing servers is not supported. If a session disconnects, RD Connection Broker will reconnect the user to the
correct RD Session Host server and their interrupted session, which still exists in the RD Session Host farm.
You'll need to install matching digital certificates on both the RD Connection Broker server and the client to
support single sign-on and application publishing. When developing or testing a network, you can use a self-
generated and self-signed certificate. However, released services require a digital certificate from a trusted
certification authority. The name you give the certificate must be the same as the internal Fully Qualified
Domain Name (FQDN) of the RD Connection Broker virtual machine.
You can install the Windows Server 2016 RD Connection Broker on the same virtual machine as AD DS to
reduce cost. If you need to scale out to more users, you can also add additional RD Connection Broker virtual
machines in the same availability set to create an RD Connection Broker cluster.
Before you can create an RD Connection Broker cluster, you must either deploy an Azure SQL Database in the
tenant's environment or create an SQL Server AlwaysOn Availability Group.
For more information, see the following articles:
Add the RD Connection Broker server to the deployment and configure high availability
SQL database in Desktop hosting service.

Remote Desktop Gateway


Remote Desktop Gateway (RD Gateway) grants users on public networks access to Windows desktops and
applications hosted in Microsoft Azure's cloud services.
The RD Gateway component uses Secure Sockets Layer (SSL) to encrypt the communications channel between
clients and the server. The RD Gateway virtual machine must be accessible through a public IP address that
allows inbound TCP connections to port 443 and inbound UDP connections to port 3391. This lets users connect
through the internet using the HTTPS communications transport protocol and the UDP protocol, respectively.
The digital certificates installed on the server and client have to match for this to work. When you're developing
or testing a network, you can use a self-generated and self-signed certificate. However, a released service
requires a certificate from a trusted certification authority. The name of the certificate must match the FQDN
used to access RD Gateway, whether the FQDN is the public IP address' externally facing DNS name or the
CNAME DNS record pointing to the public IP address.
For tenants with fewer users, the RD Web Access and RD Gateway roles can be combined on a single virtual
machine to reduce cost. You can also add more RD Gateway virtual machines to an RD Gateway farm to increase
service availability and scale out to more users. Virtual machines in larger RD Gateway farms should be
configured in a load-balanced set. IP affinity isn't required when you're using RD Gateway on a Windows Server
2016 virtual machine, but it is when you're running it on a Windows Server 2012 R2 virtual machine.
For more information, see the following articles:
Add high availability to the RD Web and Gateway web front
Remote Desktop Services - Access from anywhere
Remote Desktop Services - Multi-factor authentication
Set up the RD Gateway role

Remote Desktop Web Access


Remote Desktop Web Access (RD Web Access) lets users access desktops and applications through a web portal
and launches them through the device's native Microsoft Remote Desktop client application. You can use the
web portal to publish Windows desktops and applications to Windows and non-Windows client devices, and
you can also selectively publish desktops or apps to specific users or groups.
RD Web Access needs Internet Information Services (IIS) to work properly. A Hypertext Transfer Protocol Secure
(HTTPS) connection provides an encrypted communications channel between the clients and the RD Web server.
The RD Web Access virtual machine must be accessible through a public IP address that allows inbound TCP
connections to port 443 to allow the tenant's users to connect from the internet using the HTTPS
communications transport protocol.
Matching digital certificates must be installed on the server and clients. For development and testing purposes,
this can be a self-generated and self-signed certificate. For a released service, the digital certificate must be
obtained from a trusted certification authority. The name of the certificate must match the Fully Qualified
Domain Name (FQDN) used to access RD Web Access. Possible FQDNs include the externally facing DNS name
for the public IP address and the CNAME DNS record pointing to the public IP address.
For tenants with fewer users, you can reduce costs by combining the RD Web Access and Remote Desktop
Gateway workloads into a single virtual machine. You can also add additional RD Web virtual machines to an RD
Web Access farm to increase service availability and scale out to more users. In an RD Web Access farm with
multiple virtual machines, you'll have to configure the virtual machines in a load-balanced set.
For more information about how to configure RD Web Access, see the following articles:
Set up the Remote Desktop web client for your users
Create and deploy a Remote Desktop Services collection
Create a Remote Desktop Services collection for desktops and apps to run

Remote Desktop Licensing


Activated Remote Desktop Licensing (RD Licensing) servers let users connect to the RD Session Host servers
hosting the tenant's desktops and apps. Tenant environments usually come with the RD Licensing server already
installed, but for hosted environments you'll have to configure the server in per-user mode.
The service provider needs enough RDS Subscriber Access Licenses (SALs) to cover all authorized unique (not
concurrent) users that sign in to the service each month. Service providers can purchase Microsoft Azure
Infrastructure Services directly, and can purchase SALs through the Microsoft Service Provider Licensing
Agreement (SPLA) program. Customers looking for a hosted desktop solution must purchase the complete
hosted solution (Azure and RDS) from the service provider.
Small tenants can reduce costs by combining the file server and RD Licensing components onto a single virtual
machine. To provide higher service availability, tenants can deploy two RD License server virtual machines in the
same availability set. All RD servers in the tenant's environment are associated with both RD License servers to
keep users able to connect to new sessions even if one of the servers goes down.
For more information, see the following articles:
License your RDS deployment with client access licenses (CALs)
Activate the Remote Desktop Services license server
Track your Remote Desktop Services client access licenses (RDS CALs)
Microsoft Volume Licensing: licensing options for service providers
Azure services and considerations for desktop
hosting
7/29/2021 • 4 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

The following sections describe Azure Infrastructure Services.

Azure portal
After the provider creates an Azure subscription, the Azure portal can be used to manually create each tenant's
environment. This process can also be automated using PowerShell scripts.
For more information, visit the Microsoft Azure website.

Azure Load Balancer


The tenant's components run on virtual machines that communicate with each other on an isolated network.
During the deployment process, you can externally access these virtual machines through the Azure Load
Balancer using Remote Desktop Protocol endpoints or a Remote PowerShell endpoint. Once a deployment is
complete, these endpoints will typically be deleted to reduce the attack surface area. The only endpoints will be
the HTTPS and UDP endpoints created for the virtual machine running the RD Web and RD Gateway
components. This allows clients on the internet to connect to sessions running in the tenant's desktop hosting
service. If a user opens an application that connects to the internet, such as a web browser, the connections will
be passed through the Azure Load Balancer.
For more information, see What is Azure Load Balancer?

Security considerations
This Azure Desktop Hosting Reference Architecture Guide is designed to provide a highly secure and isolated
environment for each tenant. System security also depends on safeguards taken by the provider during
deployment and operation of the hosted service. The following list describes some considerations the provider
should take to keep their desktop hosting solution based on this reference architecture secure.
All administrative passwords must be strong, ideally randomly generated, changed frequently, and saved in a
secure central location only accessible to a select few provider administrators.
When replicating the tenant environment for new tenants, avoid using the same or weak administrative
passwords.
The RD Web Access site URL, name, and certificates must be unique and recognizable to each tenant to
prevent spoofing attacks.
During the normal operation of the desktop hosting service, all public IP addresses should be deleted for all
virtual machines except the RD Web and RD Gateway virtual machine that lets users securely connect to the
tenant's desktop hosting cloud service. Public IP addresses may be temporarily added when necessary for
management tasks, but they should always be deleted afterwards.
For more information, see the following articles:
Security and protection
Security best practices for IIS 8
Secure Windows Server 2012 R2

Design considerations
It's important to consider the constraints of Microsoft Azure Infrastructure Services when designing a
multitenant desktop hosting service. The following list describes considerations the provider must take to
achieve a functional and cost-effective desktop hosting solution based on this reference architecture.
An Azure subscription has a maximum number of virtual networks, VM cores, and Cloud Services that can be
used. If a provider needs more resources than this, they may need to create multiple subscriptions.
An Azure Cloud Service has a maximum number of virtual machines that can be used. The provider may
need to create multiple Cloud Services for larger tenants that exceed the maximum.
Azure deployment costs are based partially on the number and size of virtual machines. The provider should
optimize the number and size of the virtual machines for each tenant to provide a functional and highly
secure Desktop Hosting environment at the lowest cost.
The physical computer resources in the Azure data center are virtualized by using Hyper-V. Hyper-V hosts are
not configured in host clusters, so the availability of the virtual machines is dependent on the availability of
the individual servers used in the Azure infrastructure. To provide higher availability, multiple instances of
each role service virtual machine can be created in an availability set, then guest clustering can be
implemented within the virtual machines.
In a typical storage configuration, a service provider will have a single storage account with multiple
containers (for example, one for each tenant), and multiple disks within each container. However, there is a
limit to the total storage and performance that can be achieved for a single storage account. For service
providers that support large numbers of tenants or tenants with high storage capacity or performance
requirements, the service provider may need to create multiple storage accounts.
For more information, see the following articles:
Sizes for Cloud Services
Microsoft Azure virtual machine pricing details
Hyper-V overview
Azure Storage scalability and performance targets

Azure Active Directory Application Proxy


Azure Active Directory (AD) Application Proxy is a service provided in paid SKUs of Azure AD that allow users to
connect to internal applications through Azure's own reverse-proxy service. This allows the RD Web and RD
Gateway endpoints to be hidden inside of the virtual network, eliminating the need to be exposed to the internet
by a public IP address. Hosters can use Azure AD Application Proxy to condense the number of virtual machines
in the tenant's environment while still maintaining a full deployment. Azure AD Application Proxy also enables
many of the benefits that Azure AD provides, such as conditional access and multi-factor authentication.
For more information, see Get started with Application Proxy and install the connector.
Build and deploy your Remote Desktop Services
deployment
11/2/2020 • 2 minutes to read • Edit Online

A Remote Desktop Services deployment is the infrastructure used to share apps and resources with your users.
Depending on the experience you want to provide, you can make it as small or complex as you need. Remote
Desktop deployments are easily scaled. You can increase and decrease Remote Desktop Web Access, Gateway,
Connection Broker and Session Host servers at will. You can use Remote Desktop Connection Broker to
distribute workloads. Active Directory based authentication provides a highly secure environment.
Remote Desktop clients enable access from any Windows, Apple, or Android computer, tablet, or phone.
See Remote Desktop Services architecture for a detailed discussion of the different pieces that work together to
make up your Remote Desktop Services deployment.
Have an existing Remote Desktop deployment built on a previous version of Windows Server? Check out your
options for moving to WIndows Server 2016, where you can take advantage of new and better functionality
around performance and scale:
Migrate your RDS deployment to Windows Server 2016
Upgrade your RDS deployment to Windows Server 2016
Want to create a new Remote Desktop deployment? Use the following information to deploy Remote Desktop in
Windows Server 2016:
Deploy the Remote Desktop Services infrastructure
Create a session collection to hold the apps and resources you want to share
License your RDS deployment
Have your users install a Remote Desktop client so they can access the apps and resources.
Enable high availability by adding additional Connection Brokers and Session Hosts:
Scale out an existing RDS collection with an RD Session Host farm
Add high availability to the RD Connection Broker infrastructure
Add high availability to the RD Web and RD Gateway web front
Deploy a two-node Storage Spaces Direct file system for UPD storage
If you're a hosting partner interested in using Remote Desktop to provide apps and resources to customers or a
customer looking for someone to host your apps, check out Remote Desktop Services hosting partners for
information about an assessment you can take about using RDS in Azure as a hosting environment, as well as a
list of partners who've passed it.
Seamlessly deploy RDS with ARM and Azure
Marketplace
7/29/2021 • 4 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2

Remote Desktop Services (RDS) is the platform of choice to cost-effectively host Windows desktops and
applications. You can use an Azure Marketplace offering or a quickstart template to quickly create an RDS on
Azure IaaS deployment. Azure marketplace creates a test domain for you, making it a simple and easy
mechanism for testing and proof-of-concepts. The quickstart templates, on the other hand, allow you to use an
existing domain, making them a great tool to build out a production environment. Once set up, you can connect
to the published desktops and applications from various platforms and devices, using the Microsoft Remote
Desktop apps for Windows, Mac, iOS, and Android.

Basic RDS through the Azure Marketplace


Creating your deployment through the Azure Marketplace is the quickest way to get up and running. When
everything is completed, your environment will look like the basic RDS architecture. The offering creates all the
RDS components that you need - all you need to do is supply some information.
You'll need to supply the following information when you deploy the Marketplace offering:
Administrator user name and password. This is a new user that will manage the deployment.
DNS name and AD domain name. These are NEW resources that are created. Make sure the names are
meaningful.
VM size. You get to choose the size of VMs to use for the RDSH endpoints. You can also manually change the
sizes after the initial deployment to help you optimize the VMs for your workloads and for cost.
Use these steps to create your small-footprint RDS deployment from the Azure Marketplace:
1. Launch the Azure Marketplace RDS deployment:
a. Sign into the Azure portal.
b. Click New to add your deployment.
c. Type "RDS" in the search field and press Enter.
d. Click Remote Desktop Ser vices (RDS) - Basic - Dev/Test , and then click Create .
e. Follow the steps in the portal to create and deploy RDS. You'll add key configuration details, like the
information listed above.
2. Connect to your deployment. When the deployment finishes, check the outputs section for final steps to
complete and connect to your deployment.
a. Download and run this PowerShell script on your test device to install any certificates needed to
connect to the RDS deployment.
This step is only necessary during the testing phase. When you deploy RDS in Azure in production,
make sure to follow best practices like purchasing and using a publicly trusted SSL certificate on
your web servers.
b. When prompted, sign into your Azure account. Select the Azure subscription, resource group, and
public IP address created for this new deployment.
c. When the script is finished, the RD Web page launches in your default browser. You can double-
check the RD Web page by comparing the URL for the page to the DNS address you provided
during deployment.
Sign in with the admin credentials you created during deployment to see the default desktop
published for you. You can also send users the RD Web site to test their desktops and applications.

TIP
Forget the domain name or admin user? You can go back to the new Resource Group in the portal, click
Deployments , and then view the parameters you entered.

Now that you have an RDS deployment, you can add and manage users.

Customized RDS using Quickstart templates


You can use Azure Resource Manager templates to deploy RDS in Azure. This is especially useful if you want a
basic RDS deployment but have existing components (like AD) that you want to use. Unlike the Marketplace
offering, you can make further customizations, such as using an existing AD on a virtual network, using a
custom OS image for the RDSH VMs, and layering on high availability for RDS components. After adding on
high availability to each component, your environment will look like the highly availabile RDS architecture.
Use these steps to create your small-footprint RDS deployment with an Azure RDS template:
1. Pick your Azure Quickstart template:
a. Go to the RDS Azure Quickstart Templates site.
b. Choose the template that matches what you are trying to do. Make sure you meet any prerequisites
for that specific template. (For example, if you are want to use a custom image for your VMs, make
sure you have already uploaded that image to an Azure storage account.)
c. Click Deploy to Azure .
d. You'll need to provide some details (like admin user name, AD domain name) in the Azure portal. This
varies based on the template you choose.
e. Click Purchase .
2. Connect to your deployment.
a. Download and run this PowerShell script on your test device to install any certificates needed to
connect to the RDS deployment.
This step is only necessary during the testing phase. When you deploy RDS in Azure in production,
make sure to follow best practices like purchasing and using a publicly trusted SSL certificate on
your web servers.
b. When prompted, sign into your Azure account. Select the Azure subscription, resource group, and
public IP address created for this new deployment.
c. When the script is finished, the RD Web page launches in your default browser. You can double-
check the RD Web page by comparing the URL for the page to the DNS address you provided
during deployment.
Sign in with the admin credentials you created during deployment to see the default desktop
published for you. You can also send users the RD Web site to test their desktops and applications.
TIP
Forget the domain name or admin user? You can go back to the new Resource Group in the portal, click
Deployments , and then view the parameters you entered.

Now that you have an RDS deployment, you can add and manage users.
Migrate your Remote Desktop Services deployment
to Windows Server 2016
11/2/2020 • 5 minutes to read • Edit Online

If you are currently running Remote Desktop Services in Windows Server 2012 R2, you can move to Windows
Server 2016 to take advantage of new features like support for Azure SQL and Storage Spaces Direct.
Migration for a Remote Desktop Services deployment is supported from source servers running Windows
Server 2016 to destination servers running Windows Server 2016. In other words, there is no direct in-place
migration from RDS in Windows Server 2012 R2 to Windows Server 2016. Instead, for most of the RDS
components, you first upgrade to Windows Server 2016 and then migrate data and licenses. The only
components with a direct migration are RD Web, RD Gateway, and the licensing server.
For more information on the upgrade process and requirements, see upgrading your Remote Desktop Services
deployments to Windows Server 2016.
Use the following steps to migrate your Remote Desktop Services deployment:
Migrate RD Connection Broker servers
Migrate session collections
Migrate virtual desktop collections
Migrate RD Web Access servers
Migrate RD Gateway servers
Migrate RD Licensing servers
Migrate certificates

Migrate RD Connection Broker servers


This is the first and most important step for migrating: migrating your RD Connection Brokers to destination
servers running Windows Server 2016.

IMPORTANT
The Remote Desktop Connection Broker (RD Connection Broker) source servers must be configured for high availability to
support migration. For more information, see Deploy a Remote Desktop Connection Broker cluster.

1. If you have more than one RD Connection Broker server in the high availability setup, remove all the
RD Connection Broker servers except the one that is currently active.
2. Upgrade the remaining RD Connection Broker server in the deployment to Windows Server 2016.
3. Add Windows Server 2016 RD Connection Broker servers into the high availability deployment.
NOTE
A mixed high availability configuration with Windows Server 2016 and Windows Server 2012 R2 is not supported for
RD Connection Broker servers. An RD Connection Broker running Windows Server 2016 can serve session collections
with RD Session Host servers running Windows Server 2012 R2, and it can serve virtual desktop collections with
RD Virtualization Host servers running Windows Server 2012 R2.

Migrate session collections


Follow these steps to migrate a session collection in Windows Server 2012 R2 to a session collection in
Windows Server 2016.

IMPORTANT
Migrate session collections only after successfully completing the previous step, Migrate RD Connection Broker servers.

1. Upgrade the session collection from Windows Server 2012 R2 to Windows Server 2016.
2. Add the new RD Session Host server running Windows Server 2016 to the session collection.
3. Sign out of all sessions in the RD Session Host servers, and remove the servers that require migration
from the session collection.

NOTE
If the UVHD template (UVHD-template.vhdx) is enabled in the session collection and the file server has been
migrated to a new server, update the User Profile Disks: Location collection property with the new path. The User
Profile Disks must be available at the same relative path in the new location as they were on the source server.
A session collection of RD Session Host servers with a mix of servers running Windows Server 2012 R2 and
Windows Server 2016 is not supported.

Migrate virtual desktop collections


Follow these steps to migrate a virtual desktop collection from a source server running Windows Server 2012
R2 to a destination server running Windows Server 2016.

IMPORTANT
Migrate virtual desktop collections only after successfully completing the previous step, Migrate RD Connection Broker
servers.

1. Upgrade the virtual desktop collection from the server running Windows Server 2012 R2 to Windows
Server 2016.
2. Add the new Windows Server 2016 RD Virtualization Host servers to the virtual desktop collection.
3. Migrate all virtual machines in the current virtual desktop collection that are running on RD Virtualization
Host servers to the new servers.
4. Remove all RD Virtualization Host servers that required migration from the virtual desktop collection in
the source server.
NOTE
If the UVHD template (UVHD-template.vhdx) is enabled in the session collection and the file server has been migrated to
a new server, update the User Profile Disks: Location collection property with the new path. The User Profile Disks must
be available at the same relative path in the new location as they were on the source server.
A virtual desktop collection of RD Virtualization Host servers with a mix of servers running Windows Server 2012 R2 and
Windows Server 2016 is not supported.

Migrate RD Web Access servers


Follow these steps to migrate RD Web Access servers:
Join the destination servers running Windows Server 2016 to the Remote Desktop Services deployment
and install the RD Web role
Use IIS Web Deploy tool to migrate the RD Web website settings from the current RD Web Access
servers to the destination servers running Windows Server 2016.
Migrate certificates to the destination servers running Windows Server 2016.
Remove the source servers from the Remote Desktop Services deployment.

Migrate RD Gateway servers


Follow these steps to migrate RD Gateway servers:
Join the destination servers running Windows Server 2016 to the Remote Desktop Services deployment
and install the RD Gateway role
Use IIS Web Deploy tool to migrate the RD Gateway endpoint settings from the current RD Gateway
servers to the destination servers running Windows Server 2016.
Migrate certificates to the destination servers running Windows Server 2016.
Remove the source servers from the Remote Desktop Services deployment.

Migrate RD Licensing servers


Follow these steps to migrate an RD Licensing server from a source server running Windows Server 2012 or
Windows Server 2012 R2 to a destination server running Windows Server 2016.
1. Migrate the Remote Desktop Services client access licenses (RDS CALs) from the source server to the
destination server.
2. Edit the Deployment Proper ties in Ser ver Manager on the Remote Desktop management server
(which is typically being run on the first RD Connection Broker server) to include only the new RD
Licensing servers running Windows Server 2016.
3. Deactivate the source RD Licensing server: In Remote Desktop Licensing Manager , right-click the
appropriate server, hover over Advanced to select Deactivate Ser ver , and then follow the steps in the
wizard.
4. Remove the source RD Licensing servers from the deployment in Ser ver Manager on the Remote
Desktop management server.

Migrate certificates
Successful certificate migration requires both the actual process of migrating certificates and updating
certificate information in the Remote Desktop Services Deployment Properties.
Typical certificate migration includes the following steps:
Export the certificate to a PFX file with the private key.
Import the certificate from a PFX file.
After migrating the appropriate certificates, update the following required certificates for the Remote Desktop
Services deployment in server manager or PowerShell:
RD Connection Broker - single sign-on
RD Connection Broker - RDP file publishing
RD Gateway - HTTPS connection
RD Web Access - HTTPS connection and RemoteApp/desktop connection subscription
Migrate your Remote Desktop Services Client
Access Licenses (RDS CALs)
11/2/2020 • 6 minutes to read • Edit Online

You have three options to migrate your RDS CALs:


1. Automatic connection method: This recommended method communicates via internet directly to the
Microsoft Clearinghouse outbound over TCP port 443.
2. Using a web browser: This method allows migration when the server running the Remote Desktop Licensing
Manager tool does not have internet connectivity, but the administrator has internet connectivity on a
separate device. The URL for the Web migration method is displayed in the Manage RDS CALs Wizard.
3. Using a telephone: This method allows the administrator to complete the migration process over the phone
with a Microsoft representative. The appropriate telephone number is determined by the country/region that
you chose in the Activate Server Wizard and is displayed in the Manage RDS CALs Wizard.
In this article, the Establish RDS CAL migration method highlights the general steps common across any RDS
CAL migration method, while Migrate RDS CALs highlights the steps specific to each migration method.
Regardless of migration method, you must, at a minimum, be a member of the local Administrators group to
perform the migration steps.

Establish RDS CAL migration method


1. On the license server, open Remote Desktop Licensing Manager . (Click Star t > Administrative Tools .
Enter the Remote Desktop Ser vices directory, and launch Remote Desktop Licensing Manager .)
2. Verify the connection method for the Remote Desktop license server: right-click the license server to which
you want to migrate the RDS CALs, and then click Proper ties . On the Connection Method tab, verify the
Connection method - you can change it in the dropdown menu. Click OK .
3. Right-click the license server to which you want to migrate the RDS CALs, and then click Manage RDS
CALs .
4. Follow the steps in the wizard to the Action Selection page. Click Migrate RDS CALs from another
license ser ver to this license ser ver .
5. Choose the reason for migrating the RDS CALs, and then click Next . You have the following choices:
The source license server is being replaced by this license server.
The source license server is no longer functioning.
6. The next page in the wizard depends on the migration reason that you chose.
If you chose The source license ser ver is being replaced by this license ser ver as the
reason for migrating the RDS CALs, the Source License Ser ver Information page is displayed.
On the Source License Server Information page, enter the name or IP address of the source license
server.
If the source license server is available on the network, click Next . The wizard contacts the source
license server. If the source license server is running an operating system earlier than Windows
Server 2008 R2 or the source license server is deactivated, you are reminded that you must
remove the RDS CALs manually from the source license server after the wizard has completed.
After you confirm that you understand this requirement, the Obtain Client License Key Pack
page appears.
If the source license server is not available on the network, select The specified source license
ser ver is not available on the network . Specify the operating system that the source license
server is running, and then provide the license server ID for the source license server. After you
click Next , you are reminded that you must remove the RDS CALs manually from the source
license server after the wizard has completed. After you confirm that you understand this
requirement, the Obtain Client License Key Pack page appears.
If you chose The source license ser ver is no longer functioning as the reason for migrating
the RDS CALs, you are reminded that you must remove the RDS CALs manually from the source
license server after the wizard has completed. After you confirm that you understand this
requirement, the Obtain Client License Key Pack page appears.
The next step is to migrate the CALs - use the information below to complete the wizard. Note that what you see
in the wizard depends on the connection method you identified in Step 2 above.

Migrate RDS CALs


There are three mechanisms to migrate licenses to the destination license server; continue the steps
corresponding to the Connection method verified in Step 2:
Automatic connection method
Using a web browser
Using a telephone
Automatic connection method
1. On the License Program page, select the appropriate program through which you purchased your
RDS CALs, then click Next .
2. Enter the required information (typically a license code or an agreement number, depending on the License
program ), and then click Next . Consult the documentation provided when you purchased your RDS CALs.
3. Select the appropriate product version, license type, and quantity of RDS CALs for your environment based
on your RDS CAL purchase agreement, and then click Next .
4. The Microsoft Clearinghouse is automatically contacted and processes your request. The RDS CALs are then
migrated onto the license server.
5. Click Finish to complete the RDS CAL migration process.
Using a web browser
1. On the Obtain Client License Key Pack page, click the hyperlink to connect to the Remote Desktop
Services Licensing Web site. If you are running Remote Desktop Licensing Manager on a computer that
does not have Internet connectivity, note the address for the Remote Desktop Services Licensing Web
site, and then connect to the Web site from a computer that has Internet connectivity.
2. On the Remote Desktop Services Licensing Web page, under Select Option , select Manage CALs , and
then click Next .
3. Provide the following required information, then click Next :
Target License Ser ver ID : A 35-digit number, in groups of 5 numerals, which is displayed on the
Obtain Client License Key Pack page in the Manage RDS CALs Wizard.
Reason for recover y : Choose the reason for migrating the RDS CALs.
License Program : Choose the program through which you purchased your RDS CALs.
4. Provide the following required information, then click Next :
Last name or surname
First name or given name
Company name
Country/region
You can also provide the optional information requested, such as company address, e-mail
address, and phone number. In the organizational unit field, you can describe the unit within your
organization that this license server serves.
5. The License Program that you selected on the previous page determines what information you need to
provide on the next page. In most cases, you must provide either a license code or an agreement number.
Consult the documentation provided when you purchased your RDS CALs. In addition, you need to
specify which type of RDS CAL and the quantity that you want to migrate to the license server.
6. After you have entered the required information, click Next .
7. Verify that all of the information that you have entered is correct, then click Next to submit your request
to the Microsoft Clearinghouse. The web page then displays a license key pack ID generated by the
Microsoft Clearinghouse.

IMPORTANT
Keep a copy of the license key pack ID. Having this information with you facilitates communications with the
Microsoft Clearinghouse, should you need assistance with recovering RDS CALs.

8. On the same Obtain Client License Key Pack page, enter the license key pack ID, and then click Next
to migrate the RDS CALs to your license server.
9. Click Finish to complete the RDS CAL migration process.
Using a telephone
1. On the Obtain Client License Key Pack page, use the displayed telephone number to call the
Microsoft Clearinghouse. Give the representative your Remote Desktop license server ID and the required
information for the licensing program through which you purchased your RDS CALs. The representative
then processes your request to migrate the RDS CALs, and gives you a unique ID for the RDS CALs. This
unique ID is referred to as the license key pack ID .

IMPORTANT
Keep a copy of the license key pack ID. Having this information with you facilitates communications with the
Microsoft Clearinghouse should you need assistance with recovering RDS CALs.

2. On the same Obtain Client License Key Pack page, enter the license key pack ID, and then click Next
to migrate the RDS CALs to your license server.
3. Click Finish to complete the RDS CAL migration process.
Upgrading your Remote Desktop Services
deployments to Windows Server 2016
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

Supported OS upgrades with RDS role installed


Upgrades to Windows Server 2016 are supported only from Windows Server 2012 R2 and Windows Server
2016.

Flow for deployment upgrades


In order to keep the down-time to a minimum, it is best to follow the steps below:
1. RD Connection Broker ser vers should be the first to be upgraded. If there is active/active setup in the
deployment, remove all but one server from the deployment and perform an in-place upgrade. Perform
upgrades on the remaining RD Connection Broker servers offline and then re-add them to the
deployment. The deployment will not be available during RD Connection Broker servers upgrade.

NOTE
It is mandatory to upgrade RD Connection Broker servers. We do not support Windows Server 2012 R2 RD
Connection Broker servers in a mixed deployment with Windows Server 2016 servers. Once the RD Connection
Broker server(s) are running Windows Server 2016 the deployment will be functional, even if the rest of the
servers in the deployment are still running Windows Server 2012 R2.

2. RD License ser vers should be upgraded before you upgrade your RD Session Host servers.

NOTE
Windows Server 2012 and 2012 R2 RD license servers will work with Windows Server 2016 deployments, but
they can only process CALs from Windows Server 2012 R2 and older. They cannot use Windows Server 2016
CALs. See License your RDS deployment with client access licenses (CALs) for more information about RD license
servers.

3. RD Session Host ser vers can be upgraded next. To avoid down time during upgrade the admin can
split the servers to be upgraded in 2 steps as detailed below. All will be functional after the upgrade. To
upgrade, use the steps described in Upgrading Remote Desktop Session Host servers to Windows Server
2016.
4. RD Vir tualization Host ser vers can be upgraded next. To upgrade, use the steps described in
Upgrading Remote Desktop Virtualization Host servers to Windows Server 2016.
5. RD Web Access ser vers can be upgraded anytime.
NOTE
Upgrading RD Web may reset IIS properties (such as any configuration files). To not lose your changes, make
notes or copies of customizations done to the RD Web site in IIS.

NOTE
Windows Server 2012 and 2012 R2 RD Web Access servers will work with Windows Server 2016 deployments.

6. RD Gateway ser vers can be upgraded anytime.

NOTE
Windows Server 2016 does not include Network Access Protection (NAP) policies - they will have to be removed.
The easiest way to remove the correct policies is by running the upgrade wizard. If there are any NAP policies you
must delete, the upgrade will block and create a text file on the desktop that includes the specific policies. To
manage NAP policies, open the Network Policy Server tool. After deleting them, click Refresh in the Setup tool to
continue with the upgrade process.

NOTE
Windows Server 2012 and 2012 R2 RD Gateway servers will work with Windows Server 2016 deployments.

VDI deployment – supported guest OS upgrade


Administrators will have the following options to upgrade of VM collections:
Upgrade Managed Shared VM collections
Administrators will need to create VM templates with the desired OS version and use it to patch all the VMs in
the pool.
We support the following patching scenarios:
Windows 7 SP1 can be patched to Windows 8 or Windows 8.1
Windows 8 can be patched to Windows 8.1
Windows 8.1 can be patched to Windows 10
Upgrade unmanaged shared VM collections
End users cannot upgrade their personal desktops. Administrators should perform the upgrade. The exact steps
are still to be determined.
Upgrading your Remote Desktop Session Host to
Windows Server 2016
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

IMPORTANT
All applications must be uninstalled before the upgrade and reinstalled after the upgrade to avoid any app compatibility
issues that may rise because of the upgrade.

Supported OS upgrades with RDS role installed


Upgrades to Windows Server 2016 are supported only from Windows Server 2012 R2 and Windows Server
2016 TP5.

Upgrading a RDS session-based collection


In order to keep the down-time to a minimum, it is best to follow the steps below while upgrading a RDS
session-based collection:
1. Identify the servers to be upgraded, say, half the servers in the collection.
2. Prevent new connections to these servers by setting Allow New Connections to false.
3. Log off all sessions on these servers.
4. Remove these servers from the collection.
5. Upgrade the servers to Windows Server 2016.
6. Set Allow New Connections to "false" on the remaining servers in the collection.
7. Add the upgraded servers back to their corresponding collections.
8. Remove the remaining set of servers to be upgraded from the collection.
9. Set Allow New Connections to "true" on the upgraded servers in the collection.
10. Now upgrade the remaining servers in the deployment by following steps 3 through 9 above.

Upgrading a standalone RD Session Host server


A standalone RD Session Host server can be upgraded anytime.
Upgrading your Remote Desktop Virtualization
Host to Windows Server 2016
7/29/2021 • 3 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

Supported OS upgrades with RDS role installed


Upgrades to Windows Server 2016 are supported only from Windows Server 2012 R2 and Windows Server
2016 TP5.

RD Virtualization Host servers in the deployment where VMs are


stored locally
These servers should be upgraded all at once. Follow the following steps to upgrade:
1. Log off all users.
2. Turn off or save all virtual machines on each host.
3. Upgrade the servers to Windows Server 2016.
4. All collections should be available and functional after the upgrades are complete.

RD Virtualization Host servers in the deployment where VMs are


stored in Cluster Shared Volumes (CSV)
1. Determine an upgrade strategy where some of the RDVH servers will be upgraded and some will continue to
host VMs on Windows Server 2012 R2.
2. Isolate one or more of the RDVH servers, targeted for the initial round of upgrading, by migrating all VMs to
other 'not to be upgraded yet' RDVH servers that will remain part of the original 2012 R2 cluster.
a. Open Failover Cluster Manager.
b. Click Roles .
c. Select one or more VMs. Right-click to open the context menu.
d. Click Move and choose either Live or Quick Migration to move the VMs to one or more of the RD
Virtualization Host Servers that are not part of the initial upgrade. Use Live or Quick Migration
depending on factors such as hardware compatibility or online requirements.
3. Evict the RDVH servers, prepared for upgrading, from the original cluster.
4. Upgrade the isolated RDVH servers.
5. After the targeted RDVH servers have been successfully upgraded, create a new cluster and CSV, which needs
to be on an entirely different SAN volume.
6. Join all upgraded RDVH servers to the new cluster.
7. Create a folder structure in the new CSV that mimics the existing folder structure in the existing CSV. This will
include the collection folders and each VM's top level sub-folders.
8. From the various VM Collection folders on the original CSV, copy over the /IMGS folder and contents to the
new collection folders in the same locations on the new CSV.
9. On the source RDVH machine, use Cluster Manager to remove the VM's configuration for high availability:
a. Launch Cluster Manager.
b. Click Roles .
c. Right-click the VM objects, and then click Remove .
10. On one of the non-upgraded RDVH servers, use Hyper-V Manager to move all VMs to one of the upgraded
RDVH servers and new Cluster CSV:
a. Open Hyper-V Manager.
b. Select one of the non-upgraded RDVH servers.
c. Right-click one of the VMs to be moved, and then click Move .
d. Choose Move the vir tual machine , and then click Next .
e. Provide the targeted upgraded RDVH server's name on the Specify Destination Computer
page, and then click Next .
f. Choose Move the vir tual machine's data to a single location , and then click Next .
g. Browse to the destination location.

IMPORTANT
Ensure this path is to an empty folder for the specific VM.

NOTE
As mentioned, you will need to have already created a new destination sub folder prior to this step. The
Select Folder dialog will not allow you to create a sub folder in this step.

Click Next , and then click Finished .


11. Once the VMs are relocated, add them as cluster High Availability objects:
a. Open Failover Cluster Manager on an upgraded RD Virtualization Host Server.
b. Right-click the Roles node, and then click Configure Role . Click Next on the Star t page of the High
Availability wizard.
c. Choose Vir tual Machine from the list of available roles, and then click Next . A list of VMs that are
not configured will be shown.
d. Select all the VMs. Click Next and then click Next again on the confirmation page to start the
configuration task.
12. Once you have relocated all VMs, upgrade the remaining RDVH servers. Use the above steps for balancing
VM locations as appropriate.

NOTE
Heterogeneous Hyper-V servers in a cluster are not supported.
Deploy your Remote Desktop environment
7/29/2021 • 5 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

Use the following steps to deploy the Remote Desktop servers in your environment. You can install the server
roles on physical machines or virtual machines, depending on whether you are creating an on-premises, cloud-
based, or hybrid environment.
If you are using virtual machines for any of the Remote Desktop Services servers, make sure you have prepared
those virtual machines.
1. Add all the servers you're going to use for Remote Desktop Services to Server Manager:
a. In Server Manager, click Manage > Add Ser vers .
b. Click Find Now .
c. Click each server in the deployment (for example, Contoso-Cb1, Contoso-WebGw1, and Contoso-Sh1)
and click OK .
2. Create a session-based deployment to deploy the Remote Desktop Services components:
a. In Server Manager, click Manage > Add Roles and Features .
b. Click Remote Desktop Ser vices installation , Standard Deployment , and Session-based
desktop deployment .
c. Select the appropriate servers for the RD Connection Broker server, RD Web Access server, and RD
Session Host server (for example, Contoso-Cb1, Contoso-WebGw1, and Contoso-SH1, respectively).
d. Select Restar t the destination ser ver automatically if required , and then click Deploy .
e. Wait for the deployment to complete successfully
3. Add RD License Server:
a. In Server Manager, click Remote Desktop Ser vices > Over view > +RD Licensing .
b. Select the virtual machine where the RD license server will be installed (for example, Contoso-Cb1).
c. Click Next , and then click Add .
4. Activate the RD License Server and add it to the License Servers group:
a. In Server Manager, click Tools > Terminal Ser vices > Remote Desktop Licensing Manager .
b. In RD Licensing Manager, select the server, and then click Action > Activate Ser ver .
c. Accept the default values in the Activate Server Wizard. Continue accepting default values until you
reach the Company information page. Then, enter your company information.
d. Accept the defaults for the remaining pages until the final page. Clear Star t Install Licenses Wizard
now , and then click Finish .
e. Click Action > Review Configuration > Add to Group > OK . Enter credentials for a user in the
AAD DC Administrators group, and register as SCP. This step might not work if you are using Azure AD
Domain Services, but you can ignore any warnings or errors.
5. Add the RD Gateway server and certificate name:
a. In Server Manager, click Remote Desktop Ser vices > Over view > + RD Gateway .
b. In the Add RD Gateway Servers wizard, select the virtual machine where you want to install the RD
Gateway server (for example, Contoso-WebGw1).
c. Enter the SSL certificate name for the RD Gateway server using the external fully qualified DNS Name
(FQDN) of the RD Gateway server. In Azure, this is the DNS name label and uses the format
servicename.location.cloudapp.azure.com. For example, contoso.westus.cloudapp.azure.com.
d. Click Next , and then click Add .
6. Create and install self-signed certificates for the RD Gateway and RD Connection Broker servers.

NOTE
If you are providing and installing certificates from a trusted certificate authority, perform the procedures from
step h to step k for each role. You will need to have the .pfx file available for each of these certificates.

a. In Server Manager, click Remote Desktop Ser vices > Over view > Tasks > Edit Deployment
Proper ties .
b. Expand Cer tificates , and then scroll down to the table. Click RD Gateway > Create new
cer tificate .
c. Enter the certificate name, using the external FQDN of the RD Gateway server (for example,
contoso.westus.cloudapp.azure.com) and then enter the password.
d. Select Store this cer tificate and then browse to the shared folder you created for certificates in a
previous step. (For example,\Contoso-Cb1\Certificates.)
e. Enter a file name for the certificate (for example, ContosoRdGwCert), and then click Save .
f. Select Allow the cer tificate to be added to the Trusted Root Cer tificate Authorities
cer tificate store on the destination computers , and then click OK .
g. Click Apply , and then wait for the certificate to be successfully applied to the RD Gateway server.
h. Click RD Web Access > Select existing cer tificate .
i. Browse to the certificate created for the RD Gateway server (for example, ContosoRdGwCert), and
then click Open .
j. Enter the password for the certificate, select Allow the cer tificate to be added to the Trusted
Root Cer tificate store on the destination computers , and then click OK .
k. Click Apply , and then wait for the certificate to be successfully applied to the RD Web Access server.
l. Repeat substeps 1-11 for the RD Connection Broker - Enable Single Sign On and RD
Connection Broker - Publishing ser vices , using the internal FQDN of the RD Connection Broker
server for the new certificate's name (for example, Contoso-Cb1.Contoso.com).
7. Export self-signed public certificates and copy them to a client computer. If you are using certificates from
a trusted certificate authority, you can skip this step.
a. Launch certlm.msc.
b. Expand Personal , and then click Cer tificates .
c. In the right-hand pane right-click the RD Connection Broker certificate intended for client
authentication, for example Contoso-Cb1.Contoso.com .
d. Click All Tasks > Expor t .
e. Accept the default options in the Certificate Export Wizard accept defaults until you reach the File to
Expor t page.
f. Browse to the shared folder you created for certificates, for example \Contoso-Cb1\Certificates.
g. Enter a File name, for example ContosoCbClientCert, and then click Save .
h. Click Next , and then click Finish .
i. Repeat substeps 1-8 for the RD Gateway and Web certificate, (for example
contoso.westus.cloudapp.azure.com), giving the exported certificate an appropriate file name, for
example ContosoWebGwClientCer t .
j. In File Explorer, navigate to the folder where the certificates are stored, for example \Contoso-
Cb1\Certificates.
k. Select the two exported client certificates, then right-click them, and click Copy .
l. Paste the certifcates on the local client computer.
8. Configure the RD Gateway and RD Licensing deployment properties:
a. In Server Manager, click Remote Desktop Ser vices > Over view > Tasks > Edit Deployment
Proper ties .
b. Expand RD Gateway and clear the Bypass RD Gateway ser ver for local addresses option.
c. Expand RD licensing and select Per User
d. Click OK .
9. Create a session collection. These steps create a basic collection. Check out Create a Remote Desktop
Services collection for desktops and apps to run for more information about collections.
a. In Server Manager, click Remote Desktop Ser vices > Collections > Tasks > Create Session
Collection .
b. Enter a collection Name (for example, ContosoDesktop).
c. Select an RD Session Host Server (Contoso-Sh1), accept the default user groups (Contoso\Domain
Users), and enter the Universal Naming Convention (UNC) Path to the user profile disks created above
(\Contoso-Cb1\UserDisks).
d. Set a Maximum size, and then click Create .
You've now created a basic Remote Desktop Services infrastructure. If you need to create a highly-available
deployment, you can add a connection broker cluster or a second RD Session Host server.
Create a Remote Desktop Services collection for
desktops and apps to run
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

Use the following steps to create a Remote Desktop Services session collection. A session collection holds the
apps and desktops you want to make available to users. After you create the collection, publish it so users can
access it.
Before you create a collection, you need to decide what kind of collection you need: pooled desktop sessions or
personal desktop sessions.
Use pooled desktop sessions for session-based vir tualization : Leverage the compute power of
Windows Server to provide a cost-effective multi-session environment to drive your users' everyday
workloads
Use personal desktop sessions for to create a vir tual desktop infrastructure (VDI) : Leverage
Windows client to provide the high performance, app compatibility, and familiarity that your users have
come to expect of their Windows desktop experience.
With a pooled session, multiple users access a shared pool of resources, while with a personal desktop session,
users are assigned their own desktop from within the pool. The pooled session provides lower overall cost,
while personal sessions enable users to customize their desktop experience.
If you need to share graphics-intensive hosted applications, you can combine personal session desktops with
the new Discrete Device Assignment (DDA) capability to also provide support for hosted applications that
require accelerated graphics. Check out Which graphics virtualization technology is right for you for more
information.
Regardless of the type of collection you choose, you'll populate those collections with RemoteApps - programs
and resources that users can access from any supported device and work with as though the program was
running locally.

Create a pooled desktop session collection


1. In Server Manager, click Remote Desktop Ser vices > Collections > Tasks > Create Session
Collections .
2. Enter a name for the collection, for example ContosoAps .
3. Select the RD Session Host server you created (for example, Contoso-Shr1).
4. Accept the default User Groups .
5. Enter the location of the file share you created for the user profile disks for this collection (for example,
\Contoso-Cb1\UserDisksr ).
6. Click Create . When the collection is created, click Close .

Create a personal desktop session collection


Use the New-RDSessionCollection cmdlet to create a personal session desktop collection. The following three
parameters provide the configuration information required for personal session desktops:
-PersonalUnmanaged - Specifies the type of session collection that lets you assign users to a personal
session host server. If you don't specify this parameter, then the collection is created as a traditional RD
Session Host collection, where users are assigned to the next available session host when they sign in.
-GrantAdministrativePrivilege - If you use -PersonalUnmanaged , specifies that the user assigned to
the session host be given administrative privileges. If you don't use this parameter, users are granted only
standard user privileges.
-AutoAssignUser - If you use -PersonalUnmanaged , specifies that new users connecting through the RD
Connection Broker are automatically assigned to an unassigned session host. If there are no unassigned
session hosts in the collection, the user will see an error message. If you don't use this parameter, you have to
manually assign users to a session host before they sign in.
You can use PowerShell cmdlets to manage your personal desktop session collections. See Manage your
personal desktop session collections for more information.

Publish RemoteApp programs


Use the following steps to publish the apps and resources in your collection:
1. In Server Manager, select the new collection (ContosoApps ).
2. Under RemoteApp Programs, click Publish RemoteApp programs .
3. Select the programs you want to publish, and then click Publish .
Set up the Remote Desktop web client for your
users
7/2/2021 • 12 minutes to read • Edit Online

The Remote Desktop web client lets users access your organization's Remote Desktop infrastructure through a
compatible web browser. They'll be able to interact with remote apps or desktops like they would with a local PC
no matter where they are. Once you set up your Remote Desktop web client, all your users need to get started is
the URL where they can access the client, their credentials, and a supported web browser.

IMPORTANT
The web client does support using Azure AD Application Proxy but does not support Web Application Proxy at all. See
Using RDS with application proxy services for details.

What you'll need to set up the web client


Before getting started, keep the following things in mind:
Make sure your Remote Desktop deployment has an RD Gateway, an RD Connection Broker, and RD Web
Access running on Windows Server 2016 or 2019.
Make sure your deployment is configured for per-user client access licenses (CALs) instead of per-device,
otherwise all licenses will be consumed.
Install the Windows 10 KB4025334 update on the RD Gateway. Later cumulative updates may already
contains this KB.
Make sure public trusted certificates are configured for the RD Gateway and RD Web Access roles.
Make sure that any computers your users will connect to are running one of the following OS versions:
Windows 10
Windows Server 2008R2 or later
Your users will see better performance connecting to Windows Server 2016 (or later) and Windows 10 (version
1611 or later).

IMPORTANT
If you used the web client during the preview period and installed a version prior to 1.0.0, you must first uninstall the old
client before moving to the new version. If you receive an error that says "The web client was installed using an older
version of RDWebClientManagement and must first be removed before deploying the new version," follow these steps:
1. Open an elevated PowerShell prompt.
2. Run Uninstall-Module RDWebClientManagement to uninstall the new module.
3. Close and reopen the elevated PowerShell prompt.
4. Run Install-Module RDWebClientManagement -RequiredVersion <old version> to install the old
module.
5. Run Uninstall-RDWebClient to uninstall the old web client.
6. Run Uninstall-Module RDWebClientManagement to uninstall the old module.
7. Close and reopen the elevated PowerShell prompt.
8. Proceed with the normal installation steps as follows.
How to publish the Remote Desktop web client
To install the web client for the first time, follow these steps:
1. On the RD Connection Broker server, obtain the certificate used for Remote Desktop connections and
export it as a .cer file. Copy the .cer file from the RD Connection Broker to the server running the RD Web
role.
2. On the RD Web Access server, open an elevated PowerShell prompt.
3. On Windows Server 2016, update the PowerShellGet module since the inbox version doesn't support
installing the web client management module. To update PowerShellGet, run the following cmdlet:

Install-Module -Name PowerShellGet -Force

IMPORTANT
You'll need to restart PowerShell before the update can take effect, otherwise the module may not work.

4. Install the Remote Desktop web client management PowerShell module from the PowerShell gallery with
this cmdlet:

Install-Module -Name RDWebClientManagement

5. After that, run the following cmdlet to download the latest version of the Remote Desktop web client:

Install-RDWebClientPackage

6. Next, run this cmdlet with the bracketed value replaced with the path of the .cer file that you copied from
the RD Broker:

Import-RDWebClientBrokerCert <.cer file path>

7. Finally, run this cmdlet to publish the Remote Desktop web client:

Publish-RDWebClientPackage -Type Production -Latest

Make sure you can access the web client at the web client URL with your server name, formatted as
https://server_FQDN/RDWeb/webclient/index.html . It's important to use the server name that matches the
RD Web Access public certificate in the URL (typically the server FQDN).

NOTE
When running the Publish-RDWebClientPackage cmdlet, you may see a warning that says per-device CALs
are not supported, even if your deployment is configured for per-user CALs. If your deployment uses per-user
CALs, you can ignore this warning. We display it to make sure you're aware of the configuration limitation.

8. When you're ready for users to access the web client, just send them the web client URL you created.
NOTE
To see a list of all supported cmdlets for the RDWebClientManagement module, run the following cmdlet in PowerShell:

Get-Command -Module RDWebClientManagement

How to update the Remote Desktop web client


When a new version of the Remote Desktop web client is available, follow these steps to update the deployment
with the new client:
1. Open an elevated PowerShell prompt on the RD Web Access server and run the following cmdlet to
download the latest available version of the web client:

Install-RDWebClientPackage

2. Optionally, you can publish the client for testing before official release by running this cmdlet:

Publish-RDWebClientPackage -Type Test -Latest

The client should appear on the test URL that corresponds to your web client URL (for example,
https://server_FQDN/RDWeb/webclient-test/index.html).
3. Publish the client for users by running the following cmdlet:

Publish-RDWebClientPackage -Type Production -Latest

This will replace the client for all users when they relaunch the web page.

How to uninstall the Remote Desktop web client


To remove all traces of the web client, follow these steps:
1. On the RD Web Access server, open an elevated PowerShell prompt.
2. Unpublish the Test and Production clients, uninstall all local packages and remove the web client settings:

Uninstall-RDWebClient

3. Uninstall the Remote Desktop web client management PowerShell module:

Uninstall-Module -Name RDWebClientManagement

How to install the Remote Desktop web client without an internet


connection
Follow these steps to deploy the web client to an RD Web Access server that doesn't have an internet
connection.
NOTE
Installing without an internet connection is available in version 1.0.1 and above of the RDWebClientManagement
PowerShell module.

NOTE
You still need an admin PC with internet access to download the necessary files before transferring them to the offline
server.

NOTE
The end-user PC needs an internet connection for now. This will be addressed in a future release of the client to provide a
complete offline scenario.

From a device with internet access


1. Open a PowerShell prompt.
2. Import the Remote Desktop web client management PowerShell module from the PowerShell gallery:

Import-Module -Name RDWebClientManagement

3. Download the latest version of the Remote Desktop web client for installation on a different device:

Save-RDWebClientPackage "C:\WebClient\"

4. Download the latest version of the RDWebClientManagement PowerShell module:

Find-Module -Name "RDWebClientManagement" -Repository "PSGallery" | Save-Module -Path "C:\WebClient\"

5. Copy the content of "C:\WebClient" to the RD Web Access server.


From the RD Web Access server
Follow the instructions under How to publish the Remote Desktop web client, replacing steps 4 and 5 with the
following.
4. You have two options to retrieve the latest web client management PowerShell module:
Import the Remote Desktop web client management PowerShell module:

Import-Module -Name RDWebClientManagement

Copy the downloaded RDWebClientManagement folder to one of the local PowerShell module folders
listed under $env:psmodulePath , or add the path to the folder with the downloaded files to the
$env:psmodulePath .
5. Deploy the latest version of the Remote Desktop web client from the local folder (replace with the
appropriate zip file):

Install-RDWebClientPackage -Source "C:\WebClient\rdwebclient-1.0.1.zip"


Connecting to RD Broker without RD Gateway in Windows Server
2019
This section describes how to enable a web client connection to an RD Broker without an RD Gateway in
Windows Server 2019.
Setting up the RD Broker server
Follow these steps if there is no certificate bound to the RD Broker server
1. Open Ser ver Manager > Remote Desktop Ser vices .
2. In Deployment Over view section, select the Tasks dropdown menu.
3. Select Edit Deployment Proper ties , a new window titled Deployment Proper ties will open.
4. In the Deployment Proper ties window, select Cer tificates in the left menu.
5. In the list of Certificate Levels, select RD Connection Broker - Enable Single Sign On . You have two
options: (1) create a new certificate or (2) an existing certificate.
Follow these steps if there is a certificate previously bound to the RD Broker server
1. Open the certificate bound to the Broker and copy the Thumbprint value.
2. To bind this certificate to the secure port 3392, open an elevated PowerShell window and run the
following command, replacing "< thumbprint >" with the value copied from the previous step:

netsh http add sslcert ipport=0.0.0.0:3392 certhash="<thumbprint>" certstorename="Remote Desktop"


appid="{00000000-0000-0000-0000-000000000000}"

NOTE
To check if the certificate has been bound correctly, run the following command:

netsh http show sslcert

In the list of SSL Certificate bindings, ensure that the correct certificate is bound to port 3392.

3. Open the Windows Registry (regedit), go to


HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp and locate the key
WebSocketURI . Next, set the value to https://+:3392/rdp/ .
Setting up the RD Session Host
Follow these steps if the RD Session Host server is different from the RD Broker server:
1. Create a certificate for the RD Session Host machine, open it and copy the Thumbprint value.
2. To bind this certificate to the secure port 3392, open an elevated PowerShell window and run the
following command, replacing "< thumbprint >" with the value copied from the previous step:

netsh http add sslcert ipport=0.0.0.0:3392 certhash="<thumbprint>" appid="{00000000-0000-0000-0000-


000000000000}"
NOTE
To check if the certificate has been bound correctly, run the following command:

netsh http show sslcert

In the list of SSL Certificate bindings, ensure that the correct certificate is bound to port 3392.

3. Open the Windows Registry (regedit) and navigate to


HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp and locate the key
WebSocketURI . The value must be set to https://+:3392/rdp/ .
General Observations
Ensure that both the RD Session Host and RD Broker server are running Windows Server 2019.
Ensure that public trusted certificates are configured for both the RD Session Host and RD Broker server.

NOTE
If both the RD Session Host and the RD Broker server share the same machine, set the RD Broker server
certificate only. If the RD Session Host and RD Broker server use different machines, both must be configured with
unique certificates.

The Subject Alternative Name (SAN) for each certificate must be set to the machine's Fully
Qualified Domain Name (FQDN) . The Common Name (CN) must match the SAN for each
certificate.

How to pre-configure settings for Remote Desktop web client users


This section will tell you how to use PowerShell to configure settings for your Remote Desktop web client
deployment. These PowerShell cmdlets control a user's ability to change settings based on your organization's
security concerns or intended workflow. The following settings are all located in the Settings side panel of the
web client.
Suppress telemetry
By default, users may choose to enable or disable collection of telemetry data that is sent to Microsoft. For
information about the telemetry data Microsoft collects, please refer to our Privacy Statement via the link in the
About side panel.
As an administrator, you can choose to suppress telemetry collection for your deployment using the following
PowerShell cmdlet:

Set-RDWebClientDeploymentSetting -Name "SuppressTelemetry" $true

By default, the user may select to enable or disable telemetry. A boolean value $false will match the default
client behavior. A boolean value $true disables telemetry and restricts the user from enabling telemetry.
Remote resource launch method

NOTE
This setting currently only works with the RDS web client, not the Azure Virtual Desktop web client.
By default, users may choose to launch remote resources (1) in the browser or (2) by downloading an .rdp file to
handle with another client installed on their machine. As an administrator, you can choose to restrict the remote
resource launch method for your deployment with the following PowerShell command:

Set-RDWebClientDeploymentSetting -Name "LaunchResourceInBrowser" ($true|$false)

By default, the user may select either launch method. A boolean value $true will force the user to launch
resources in the browser. A boolean value $false will force the user to launch resources by downloading an .rdp
file to handle with a locally installed RDP client.
Reset RDWebClientDeploymentSetting configurations to default
To reset a deployment-level web client setting to the default configuration, run the following PowerShell cmdlet
and use the -name parameter to specify the setting you want to reset:

Reset-RDWebClientDeploymentSetting -Name "LaunchResourceInBrowser"


Reset-RDWebClientDeploymentSetting -Name "SuppressTelemetry"

Troubleshooting
If a user reports any of the following issues when opening the web client for the first time, the following sections
will tell you what to do to fix them.
What to do if the user's browser shows a security warning when they try to access the web client
The RD Web Access role might not be using a trusted certificate. Make sure the RD Web Access role is
configured with a publicly trusted certificate.
If that doesn't work, your server name in the web client URL might not match the name provided by the RD
Web certificate. Make sure your URL uses the FQDN of the server hosting the RD Web role.
What to do if the user can't connect to a resource with the web client even though they can see the items
under All Resources
If the user reports that they can't connect with the web client even though they can see the resources listed,
check the following things:
Is the RD Gateway role properly configured to use a trusted public certificate?
Does the RD Gateway server have the required updates installed? Make sure that your server has the
KB4025334 update installed.
If the user gets an "unexpected server authentication certificate was received" error message when they try to
connect, then the message will show the certificate's thumbprint. Search the RD Broker server's certificate
manager using that thumbprint to find the right certificate. Verify that the certificate is configured to be used for
the RD Broker role in the Remote Desktop deployment properties page. After making sure the certificate hasn't
expired, copy the certificate in .cer file format to the RD Web Access server and run the following command on
the RD Web Access server with the bracketed value replaced by the certificate's file path:

Import-RDWebClientBrokerCert <certificate file path>

Diagnose issues with the console log


If you can't solve the issue based on the troubleshooting instructions in this article, you can try to diagnose the
source of the problem yourself by watching the console log in the browser. The web client provides a method
for recording the browser console log activity while using the web client to help diagnose issues.
Select the ellipsis in the upper-right corner and navigate to the About page in the dropdown menu.
Under Capture suppor t information select the Star t recording button.
Perform the operation(s) in the web client that produced the issue you are trying to diagnose.
Navigate to the About page and select Stop recording .
Your browser will automatically download a .txt file titled RD Console Logs.txt . This file will contain the full
console log activity generated while reproducing the target issue.
The console may also be accessed directly through your browser. The console is generally located under the
developer tools. For example, you can access the log in Microsoft Edge by pressing the F12 key, or by selecting
the ellipsis, then navigating to More tools > Developer Tools .

Get help with the web client


If you've encountered an issue that can't be solved by the information in this article, you can report it on Tech
Community. You can also request or vote for new features at our suggestion box.
Set up email discovery to subscribe to your RDS
feed
7/2/2021 • 2 minutes to read • Edit Online

Have you ever had trouble getting your end users connected to their published RDS feed, either because of a
single missing character in the feed URL or because they lost the email with the URL? Nearly all Remote Desktop
client applications support finding your subscription by entering your email address, making it easier than ever
to get your users connected to their RemoteApps and desktops.
Before you set up email discovery, do the following:
Make sure you have permission to add a TXT record to the domain associated with your email (for example,
if your users have @contoso.com email addresses, you would need permissions for the contoso.com
domain)
Create an RD Web feed URL (https://<rdweb-dns-name>.domain/RDWeb/Feed/webfeed.aspx, such as
https://rdweb.contoso.com/RDWeb/Feed/webfeed.aspx)

NOTE
If you're using Azure Virtual Desktop instead of Remote Desktop, you'll want to use these URLs instead:
If you're using Azure Virtual Desktop (classic):
https://rdweb.wvd.microsoft.com/api/feeddiscovery/webfeeddiscovery.aspx
If you're using Azure Virtual Desktop: https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery

Now, follow these steps to set up email discovery:


1. In your browser, connect to the website of the domain name registrar where your domain is registered.
2. Navigate to the appropriate page for your registered domain where you can view, add, and edit DNS
records.
3. Enter a new DNS record with the following properties:
Host: _msradc
Text: <RD Web Feed URL>
TTL: 300 seconds
The names of the DNS records fields vary by domain name registrar, but this process will result in a TXT
record named _msradc.<domain_name> (such as _msradc.contoso.com) that has a value of the full RD
Web feed.
That's it! Now, launch the Remote Desktop application on your device and subscribe yourself!
License your RDS deployment with client access
licenses (CALs)
7/29/2021 • 4 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

Each user and device that connects to a Remote Desktop Session host needs a client access license (CAL). You
use RD Licensing to install, issue, and track RDS CALs.
When a user or a device connects to an RD Session Host server, the RD Session Host server determines if an
RDS CAL is needed. The RD Session Host server then requests an RDS CAL from the Remote Desktop license
server. If an appropriate RDS CAL is available from a license server, the RDS CAL is issued to the client, and the
client is able to connect to the RD Session Host server and from there to the desktop or apps they're trying to
use.
There is a licensing grace period of 120 Days during which no license server is required. Once the grace period
ends, clients must have a valid RDS CAL issued by a license server before they can log on to an RD Session Host
server.
Use the following information to learn about how client access licensing works in Remote Desktop Services and
to deploy and manage your licenses:
License your RDS deployment with client access licenses (CALs)
Understanding the RDS CAL model
RDS CAL version compatibility

Understanding the RDS CAL model


There are two types of RDS CALs:
RDS Per Device CALs
RDS Per User CALs
The following table outlines the differences between the two types of CALs:

P ER DEVIC E P ER USER

RDS CALs are physically assigned to each device. RDS CALs are assigned to a user in Active Directory.

RDS CALs are tracked by the license server. RDS CALs are tracked by the license server.

RDS CALs can be tracked regardless of Active Directory RDS CALs cannot be tracked within a workgroup.
membership.

You can revoke up to 20% of RDS CALs. You cannot revoke any RDS CALs.

Temporary RDS CALs are valid for 52–89 days. Temporary RDS CALs are not available.

RDS CALs cannot be overallocated. RDS CALs can be overallocated (in breach of the Remote
Desktop licensing agreement).
When you use the Per Device model, a temporary license is issued the first time a device connects to the RD
Session Host. The second time that device connects, as long as the license server is activated and there are
available RDS CALs, the license server issues a permanent RDS Per Device CAL.
When you use the Per User model, licensing is not enforced and each user is granted a license to connect to an
RD Session Host from any number of devices. The license server issues licenses from the available RDS CAL
pool or the Over-Used RDS CAL pool. It's your responsibility to ensure that all of your users have a valid license
and zero Over-Used CALs—otherwise, you're in violation of the Remote Desktop Services license terms.
An example of where one would use the Per Device model would be in an environment where there are two or
more shifts using the same computers to access the RD Session Host(s). The Per User model would be best for
environments where users have their own dedicated Windows device to access the RD Session Host(s).
To ensure you are in compliance with the Remote Desktop Services license terms, track the number of RDS Per
User CALs used in your organization and be sure to have enough RDS Per User CALs installed on the license
server for all of your users.
You can use the Remote Desktop Licensing Manager to track and generate reports on RDS Per User CALs.

RDS CAL version compatibility


The RDS CAL for your users or devices must be compatible with the version of Windows Server that the user or
device is connecting to. You can't use RDS CALs for earlier versions to access later versions of Windows Server,
but you can use later versions of RDS CALs to access earlier versions of Windows Server. For example, an RDS
2016 CAL or higher is required to connect to a Windows Server 2016 RD Session Host, while an RDS 2012 CAL
or higher is required to connect to a Windows Server 2012 R2 RD Session Host.
The following table shows which RDS CAL and RD Session Host versions are compatible with each other.

RDS 2008 R2 A N D
EA RL IER C A L RDS 2012 C A L RDS 2016 C A L RDS 2019 C A L

2008, 2008 R2 Yes Yes Yes Yes


session host

2012 session host No Yes Yes Yes

2012 R2 session No Yes Yes Yes


host

2016 session host No No Yes Yes

2019 session host No No No Yes

You must install your RDS CAL on a compatible RD license server. Any RDS license server can host licenses from
all previous versions of Remote Desktop Services and the current version of Remote Desktop Services. For
example, a Windows Server 2016 RDS license server can host licenses from all previous versions of RDS, while
a Windows Server 2012 R2 RDS license server can only host licenses up to Windows Server 2012 R2.
The following table shows which RDS CAL and license server versions are compatible with each other.

RDS 2008 R2 A N D
EA RL IER C A L RDS 2012 C A L RDS 2016 C A L RDS 2019 C A L

2008, 2008 R2 Yes No No No


license ser ver
RDS 2008 R2 A N D
EA RL IER C A L RDS 2012 C A L RDS 2016 C A L RDS 2019 C A L

2012 license Yes Yes No No


ser ver

2012 R2 license Yes Yes No No


ser ver

2016 license Yes Yes Yes No


ser ver

2019 license Yes Yes Yes Yes


ser ver
Activate the Remote Desktop Services license server
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

The Remote Desktop Services license server issues client access licenses (CALs) to users and devices when they
access the RD Session Host. You can activate the license server by using the Remote Desktop Licensing Manager.

Install the RD Licensing role


1. Sign into the server you want to use as the license server using an administrator account.
2. In Server Manager, click Roles Summar y , and then click Add Roles . Click Next on the first page of the
roles wizard.
3. Select Remote Desktop Ser vices , and then click Next , and then Next on the Remote Desktop Services
page.
4. Select Remote Desktop Licensing , and then click Next .
5. Configure the domain - select Configure a discover y scope for this license ser ver , click This domain ,
and then click Next .
6. Click Install .

Activate the license server


1. Open the Remote Desktop Licensing Manager: click Star t > Administrative Tools > Remote Desktop
Ser vices > Remote Desktop Licensing Manager .
2. Right-click the license server, and then click Activate Ser ver .
3. Click Next on the welcome page.
4. For the connection method, select Automatic connection (recommended) , and then click Next .
5. Enter your company information (your name, the company name, your geographic region), and then click
Next .
6. Optionally enter any other company information (for example, email and company addresses), and then click
Next .
7. Make sure that Star t Install Licenses Wizard now is not selected (we'll install the licenses in a later step),
and then click Next .
Your license server is now ready to start issuing and managing licenses.
Install RDS client access licenses on the Remote
Desktop license server
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

Use the following information to install Remote Desktop Services client access licenses (CALs) on the license
server. Once the CALs are installed, the license server will issue them to users as appropriate.
Note you need Internet connectivity on the computer running Remote Desktop Licensing Manager but not on
the computer running the license server.
1. On the license server (usually the first RD Connection Broker), open the Remote Desktop Licensing Manager.
2. Right-click the license server, and then click Install licenses .
3. Click Next on the welcome page.
4. Select the program you purchased your RDS CALs from, and then click Next . If you are a service provider,
select Ser vice Provider License Agreement .
5. Enter the information for your license program. In most cases, this will be the license code or an agreement
number, but this varies depending on the license program you're using.
6. Click Next .
7. Select the product version, license type, and number of licenses for your environment, and then click Next .
The license manager contacts the Microsoft Clearinghouse to validate and retrieve your licenses.
8. Click Finish to complete the process.
Track your Remote Desktop Services client access
licenses (RDS CALs)
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

You can use the Remote Desktop Licensing Manager tool to create reports to track the RDS Per User CALs that
have been issued by a Remote Desktop license server.

NOTE
If you are using Azure AD Domain Services in your environment, the Remote Desktop Licensing Manager tool won't work
to obtain Per User CALs. Instead, you need to track licensing manually, either through logon events, polling active Remote
Desktop connections through the Connection Broker, or another mechanism that works for you.

Use the following steps to generate a per User CALs report:


1. In Remote Desktop Licensing Manager right-click the license server, click Create Repor t , and then click
CAL Usage .
2. The report is created and a message appears to confirm that the report was successfully created. Click
OK to close the message.
The report that you created appears in the Reports section under the node for the license server. The report
provides the following information:
Date and time the report was created
The scope of the report (e.g., Domain, OU=Sales, or All trusted domains)
The number of RDS Per User CALs that are installed on the license server
The number of RDS Per User CALs that have been issued by the license server specific to the scope of the
report
You can also save the report as a CSV file to a folder location on the computer. To save the report, right-click the
report that you want to save, click Save As, and then specify the file name and location to save the report.
Reports that you create are listed in the Reports node under the node for the license server in Remote Desktop
Licensing Manager. If you no longer need a report, you can delete it.
Remote Desktop Services - Integrating with Azure
services
11/2/2020 • 2 minutes to read • Edit Online

Windows Server 2016 combines the powerful secure delivery of desktops and apps through Remote Desktop
Services with the flexible, scalable services provided by Microsoft Azure. You can deploy RDS with Azure
services to help reduce infrastructure maintenance cost for on-premises servers, increase stability by using
Azure services to ensure high availability, improve security by using Multi-factor Authentication, and improve
your users' experience by using existing identities to access resources in RDS.
Use the following information to integrate Azure into your Remote Desktop deployment:
Learn how to use Multi-factor Authentication with RDS
Integrate Azure AD Domain Services with your RDS deployment
Publish Remote Desktop with Azure AD Application Proxy
To see how these services simplify the architecture of your Remote Desktop deployment, check out RDS
architectures with unique Azure PaaS roles.
Integrate Azure AD Domain Services with your RDS
deployment
11/2/2020 • 2 minutes to read • Edit Online

You can use Azure AD Domain Services (Azure AD DS) in your Remote Desktop Services deployment in the
place of Windows Server Active Directory. Azure AD DS lets you use your existing Azure AD identities in with
classic Windows workloads.
With Azure AD DS you can:
Create an Azure environment with a local domain for born-in-the-cloud organizations.
Create an isolated Azure environment with the same identities used for your on-premises and online
environment, without needing to create a site-to-site VPN or ExpressRoute.
When you finish integrating Azure AD DS into your Remote Desktop deployment, your architecture will look
something like this:

To see how this architecture compares with other RDS deployment scenarios, check out Remote Desktop
Services architectures.
To get a better understanding of Azure AD DS, check out the Azure AD DS overview and How to decide if Azure
AD DS is right for your use-case.
Use the following information to deploy Azure AD DS with RDS.

Prerequisites
Before you can bring your identities from Azure AD to use in an RDS deployment, configure Azure AD to save
the hashed passwords for your users' identities. Born-in-the-cloud organizations don't need to make any
additional changes in their directory; however, on-premises organizations need to allow password hashes to be
synchronized and stored in Azure AD, which may not be permissible to some organizations. Users will have to
reset their passwords after making this configuration change.

Deploy Azure AD DS and RDS


Use the following steps to deploy Azure AD DS and RDS.
1. Enable Azure AD DS. Note that the linked article does the following:
Walk through creating the appropriate Azure AD groups for domain administration.
Highlight when you might have to force users to change their password so their accounts can work
with Azure AD DS.
2. Set up RDS. You can either use an Azure template or deploy RDS manually.
Use the Existing AD template. Make sure to customize the following:
Settings
Resource group : Use the resource group where you want to create the RDS
resources.

NOTE
Right now this has to be the same resource group where the Azure resource manager
virtual network exists.

Dns Label Prefix : Enter the URL that you want users to use to access RD Web.
Ad Domain Name : Enter the full name of your Azure AD instance, for example,
"contoso.onmicrosoft.com" or "contoso.com".
Ad Vnet Name and Ad Subnet Name : Enter the same values that you used when
you created the Azure resource manager virtual network. This is the subnet to which
the RDS resources will connect.
Admin Username and Admin Password : Enter the credentials for an admin user
that's a member of the AAD DC Administrators group in Azure AD.
Template
Remove all properties of dnsSer vers : after selecting Edit template from the Azure
quickstart template page, search for "dnsServers" and remove the property.
For example, before removing the dnsSer vers property:
And here's the same file after removing the property:

Deploy RDS manually.


Scale out your Remote Desktop Services
deployment by adding an RD Session Host farm
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

You can improve the availability and scale of your RDS deployment by adding a Remote Desktop Session Host
(RDSH) farm.
Use the following steps to add another RD Sesssion Host to your deployment:
1. Create a server to host the second RD Session Host. If you are using Azure virtual machines, make sure to
include the new VM in the same availability set that holds your first RD Session Host.
2. Enable remote management on the new server or virtual machine:
a. In Server Manager, click Local Ser ver > Remote management current setting (disabled) .
b. Select Enable remote management for this ser ver , and then click OK .
c. Optional: You can temporarily set Windows Update to not automatically download and install updates.
This helps prevent changes and system restarts while you deploy the RDSH server. In Server Manager,
click Local Ser ver > Windows Update current setting . Click Advanced options > Defer
upgrades .
3. Add the server or vm to the domain:
a. In Server Manager, click Local Ser ver > Workgroup current setting .
b. Click Change > Domain , and then enter the domain name (for example, Contoso.com).
c. Enter the domain administrator credentials.
d. Restart the server or vm.
4. Add the new RD Session Host to the farm:

NOTE
Step 1, creating a public IP address for the RDMS virtual machine, is only necessary if you are using a vm for the
RDMS and if it does not already have an IP address assigned.

a. Create a public IP address for the virtual machine running Remote Desktop Management Services
(RDMS). The RDMS virtual machine will typically be the virtual machine running the first instance of
the RD Connection Broker role.
a. In the Azure portal, click Browse > Resource groups , click the resource group for the
deployment and then click the RDMS virtual machine (for example, Contoso-Cb1).
b. Click Settings > Network interfaces , and then click the corresponding network interface.
c. Click Settings > IP address .
d. For Public IP address , select Enabled , and then click IP address .
e. If you have an existing public IP address you want to use, select it from the list. Otherwise, click
Create new , enter a name, and then click OK and then Save .
b. Sign into the RDMS.
c. Add the new RDSH server to Server Manager:
a. Launch Server Manager, click Manage > Add Ser vers .
b. In the Add Servers dialog, click Find Now .
c. Select the server you want to use for the RD Session Host or the newly created virtual machine
(for example, Contoso-Sh2) and click OK .
d. Add the RDSH server to the deployment
a. Launch Server Manager .
b. Click Remote Desktop Ser vices > Over view > Deployment Ser vers > Tasks > Add RD
Session Host Ser vers .
c. Select the new server (for example, Contoso-Sh2), and then click Next .
d. On the Confirmation page, select Restar t remote computers as needed , and then click
Add .
e. Add RDSH server to the collection farm:
a. Launch Server Manager.
b. Click Remote Desktop Ser vices and then click the collection to which you want to add the
newly created RDSH server (for example, ContosoDesktop).
c. Under Host Ser vers , click Tasks > Add RD Session Host Ser vers .
d. Select the newly created server (for example, Contoso-Sh2), and then click Next .
e. On the Confirmation page, click Add .
Add the RD Connection Broker server to the
deployment and configure high availability
7/29/2021 • 6 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

You can deploy a Remote Desktop Connection Broker (RD Connection Broker) cluster to improve the availability
and scale of your Remote Desktop Services infrastructure.

Pre-requisites
Set up a server to act as a second RD Connection Broker—this can be either a physical server or a VM.
Set up a database for the Connection Broker. You can use Azure SQL Database instance or SQL Server in your
local environment. We talk about using Azure SQL below, but the steps still apply to SQL Server. You'll need to
find the connection string for the database and make sure you have the correct ODBC driver.

Step 1: Configure the database for the Connection Broker


1. Find the connection string for the database you created - you need it both to identify the version of ODBC
driver you need and later, when you're configuring the Connection Broker itself (step 3), so save the string
someplace where you can reference it easily. Here's how you find the connection string for Azure SQL:
a. In the Azure portal, click Browse > Resource groups and click the resource group for the
deployment.
b. Select the SQL database you just created (for example, CB-DB1).
c. Click Settings > Proper ties > Show database connection strings .
d. Copy the connection string for ODBC (includes Node.js) , which should look like this:

Driver={ODBC Driver 13 for SQL Server};Server=tcp:cb-


sqls1.database.windows.net,1433;Database=CB-DB1;Uid=sqladmin@contoso;Pwd=
{your_password_here};Encrypt=yes;TrustServerCertificate=no;Connection Timeout=30;

e. Replace "your_password_here" with the actual password. You'll use this entire string, with your
included password, when connecting to the database.
2. Install the ODBC driver on the new Connection Broker:
a. If you are using a VM for the Connection Broker, create a public IP address for the first RD Connection
Broker. (You only have to do this if the RDMS virtual machine does not already have a public IP
address to allow RDP connections.)
a. In the Azure portal, click Browse > Resource groups , click the resource group for the
deployment, and then click the first RD Connection Broker virtual machine (for example,
Contoso-Cb1).
b. Click Settings > Network interfaces , and then click the corresponding network interface.
c. Click Settings > IP address .
d. For Public IP address , select Enabled , and then click IP address .
e. If you have an existing public IP address you want to use, select it from the list. Otherwise, click
Create new , enter a name, and then click OK and then Save .
b. Connect to the first RD Connection Broker:
a. In the Azure portal, click Browse > Resource groups , click the resource group for the
deployment, and then click the first RD Connection Broker virtual machine (for example,
Contoso-Cb1).
b. Click Connect > Open to open the Remote Desktop client.
c. In the client, click Connect , and then click Use another user account . Enter the user name
and password for a domain administrator account.
d. Click Yes when warned about the certificate.
c. Download the ODBC driver for SQL Server that matches the version in the ODBC connection string.
For the example string above, we need to install the version 13 ODBC driver.
d. Copy the sqlincli.msi file to the first RD Connection Broker server.
e. Open the sqlincli.msi file and install the native client.
f. Repeat steps 1-5 for each additional RD Connection Brokers (for example, Contoso-Cb2).
g. Install the ODBC driver on each server that will run the connection broker.

Step 2: Configure load balancing on the RD Connection Brokers


If you are using Azure infrastructure, you can create an Azure load balancer; if not, you can set up DNS round-
robin.
Create a load balancer
1. Create an Azure Load Balancer
a. In the Azure portal click Browse > Load balancers > Add .
b. Enter a name for the new load balancer (for example, hacb).
c. Select Internal for the Scheme , Vir tual Network for your deployment (for example, Contoso-VNet),
and the Subnet with all of your resources (for example, default).
d. Select Static for the IP address assignment and enter a Private IP address that is not currently in
use (for example, 10.0.0.32).
e. Select the appropriate Subscription , the Resource group with all of your resources, and the
appropriate Location .
f. Select Create .
2. Create a probe to monitor which servers are active:
a. In Azure portal, click Browse > Load Balancers , and then click the load balancer you just created,
(for example, CBLB). Click Settings .
b. Click Probes > Add .
c. Enter a name for the probe (for example, RDP ), select TCP as the Protocol , enter 3389 for the Por t ,
and then click OK .
3. Create the backend pool of the Connection Brokers:
a. In Settings , Click Backend address pools > Add .
b. Enter a name (for example, CBBackendPool), then click Add a vir tual machine .
c. Choose an availability set (for example, CbAvSet), and then click OK .
d. Click Choose the vir tual machines , select each virtual machine, and then click Select > OK > OK .
4. Create the RDP load balancing rule:
a. In Settings , click Load balancing rules , and then click Add .
b. Enter a name (for example, RDP), select TCP for the Protocol , enter 3389 for both Por t and Backend
por t , and click OK .
5. Add a DNS record for the Load Balancer:
a. Connect to the RDMS server virtual machine (for example, Contoso-CB1). Check out the Prepare the
RD Connection Broker VM article for steps on how you connect to the VM.
b. In Server Manager, click Tools > DNS .
c. In the left-hand pane, expand DNS , click the DNS machine, click For ward Lookup Zones , and then
click your domain name (for example, Contoso.com). (It might take a few seconds to process the query
to the DNS server for the information.)
d. Click Action > New Host (A or AAAA) .
e. Enter the name (for example, hacb) and the IP address specified earlier (for example, 10.0.0.32).
Configure DNS round-robin
The following steps are an alternative to creating an Azure Internal Load Balancer.
1. Connect to the RDMS server in the Azure portal. using Remote Desktop Connection client
2. Create DNS records:
a. In Server Manager, click Tools > DNS .
b. In the left-hand pane, expand DNS , click the DNS machine, click For ward Lookup Zones , and then
click your domain name (for example, Contoso.com). (It might take a few seconds to process the query
to the DNS server for the information.)
c. Click Action and New Host (A or AAAA) .
d. Enter the DNS Name for the RD Connection Broker cluster (for example, hacb), and then enter the IP
address of the first RD Connection Broker.
e. Repeat steps 3-4 for each additional RD Connection Broker, providing each unique IP address for each
additional record.
For example, if the IP addresses for the two RD Connection Broker virtual machines are 10.0.0.8 and 10.0.0.9,
you would create two DNS host records:
Host name: hacb.contoso.com , IP address: 10.0.0.8
Host name: hacb.contoso.com , IP address: 10.0.0.9

Step 3: Configure the Connection Brokers for high availability


1. Add the new RD Connection Broker server to Server Manager:
a. In Server Manager, click Manage > Add Ser vers .
b. Click Find Now .
c. Click the newly created RD Connection Broker server (for example, Contoso-Cb2) and click OK .
2. Configure high availability for the RD Connection Broker:
a. In Server Manager, click Remote Desktop Ser vices > Over view .
b. Right-click RD Connection Broker , and then click Configure High Availability .
c. Page through the wizard until you get to the Configuration type section. Select Shared database
ser ver , and then click Next .
d. Enter the DNS name for the RD Connection Broker cluster.
e. Enter the connection string for the SQL DB, and then page through the wizard to establish high
availability.
3. Add the new RD Connection Broker to the deployment
a. In Server Manager, click Remote Desktop Ser vices > Over view .
b. Right-click the RD Connection Broker, and then click Add RD Connection Broker Ser ver .
c. Page through wizard until you get to Server Selection, then select the newly created RD Connection
Broker server (for example, Contoso-CB2).
d. Complete the wizard, accepting the default values.
4. Configure trusted certificates on RD Connection Broker servers and clients.
Add high availability to the RD Web and Gateway
web front
7/29/2021 • 6 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

You can deploy a Remote Desktop Web Access (RD Web Access) and Remote Desktop Gateway (RD Gateway)
farm to improve the availability and scale of a Windows Server Remote Desktop Services (RDS) deployment
Use the following steps to add an RD Web and Gateway server to an existing Remote Desktop Services basic
deployment.

Pre-requisites
Set up a server to act as an additional RD Web and RD Gateway - this can be either a physical server or VM. This
includes joining the server to the domain and enabling remote management.

Step 1: Configure the new server to be part of the RDS environment


1. Connect to the RDMS server in the Azure portal, using Remote Desktop Connection client.
2. Add the new RD Web and Gateway server to Server Manager:
a. Launch Server Manager, click Manage > Add Ser vers .
b. In the Add Servers dialog, click Find Now .
c. Select the newly created RD Web and Gateway server (for example, Contoso-WebGw2) and click OK .
3. Add RD Web and Gateway servers to the deployment
a. Launch Server Manager .
b. Click Remote Desktop Ser vices > Over view > Deployment Ser vers > Tasks > Add RD Web
Access Ser vers .
c. Select the newly created server (for example, Contoso-WebGw2), and then click Next .
d. On the Confirmation page, select Restar t remote computers as needed , and then click Add .
e. Repeat these steps to add the RD Gateway server, but choose RD Gateway Ser vers in step b.
4. Re-install certificates for the RD Gateway servers:
a. In Server Manager on the RDMS server, click Remote Desktop Ser vices > Over view > Tasks >
Edit Deployment Proper ties .
b. Expand Cer tificates .
c. Scroll down to the table. Click RD Gateway Role Ser vice > Select existing cer tificate.
d. Click Choose a different cer tificate and then browse to the certificate location. For example,
\Contoso-CB1\Certificates). Select the certificate file for the RD Web and Gateway server created
during the prerequisites (e.g. ContosoRdGwCert), and then click Open .
e. Enter the password for the certificate, select Allow the cer tificate to be added to the Trusted
Root Cer tificate Authorities cer tificate store on the destination computers , and then click
OK .
f. Click Apply .
NOTE
You may need to manually restart the TSGateway service running on each RD Gateway server, either
through Server Manager or Task Manager.

g. Repeat steps a through f for the RD Web Access Role Service.

Step 2: Configure RD Web and RD Gateway properties on the new


server
1. Configure the server to be part of an RD Gateway farm:
a. In Server Manager on the RDMS server, click All Ser vers . Right-click one of the RD Gateway servers,
and then click Remote Desktop Connection .
b. Sign into to the RD Gateway server using a domain admin account.
c. In Server Manager on the RD Gateway server, click Tools > Remote Desktop Ser vices > RD
Gateway Manager .
d. In the navigation pane, click the local computer (e.g. Contoso-WebGw1).
e. Click Add RD Gateway Ser ver Farm members .
f. On the Ser ver Farm tab, enter the name of each RD Gateway server, then click Add and Apply .
g. Repeat steps a through f on each RD Gateway server so that they recognize each other as RD Gateway
servers in a farm. Do not be alarmed if there are warnings, as it might take time for DNS settings to
propagate.
2. Configure the server to be part of an RD Web Access farm. The steps below configure the Validation and
Decryption Machine Keys to be the same on both RDWeb sites.
a. In Server Manager on the RDMS server, click All Ser vers . Right-click the first RD Web Access server
(e.g. Contoso-WebGw1) and then click Remote Desktop Connection .
b. Sign into the RD Web Access server using a domain admin account.
c. In Server Manager on the RD Web Access server, click Tools > Internet Information Ser vices (IIS)
Manager .
d. In the left pane of IIS Manager, expand the Ser ver (e.g. Contoso-WebGw1) > Sites > Default
Web Site , and then click RDWeb .
e. Right-click Machine Key , and then click Open Feature .
f. On the Machine Key page, in the Actions pane, select Generate Keys , and then click Apply .
g. Copy the validation key (you can right-click the key and then click Copy .)
h. In IIS Manager, under Default Web Site , select Feed , FeedLogon and Pages in turn.
i. For each:
a. Right-click Machine Key , and then click Open Feature .
b. For the Validation Key, clear Automatically generate at runtime , and then paste the key you
copied in step g.
j. Minimize the RD Connection window to this RD Web server.
k. Repeat steps b through e for the second RD Web Access server, ending on the feature view of
Machine Key .
l. For the Validation Key, clear Automatically generate at runtime , and then paste the key you copied
in step g.
m. Click Apply .
n. Complete this process for the RDWeb , Feed , FeedLogon and Pages pages.
o. Minimize the RD Connection window to the second RD Web Access server, and then maximize the RD
Connection window to the first RD Web Access server.
p. Repeat steps g through n to copy over the Decryption Key.
q. When validation keys and decryption keys are identical on both RD Web Access servers for the
RDWeb , Feed , FeedLogon and Pages pages, sign out of all RD Connection windows.

Step 3: Configure load balancing for the RD Web and RD Gateway


servers
If you are using Azure infrastructure, you can create an external Azure load balancer; if not, you can set up a
separate hardware or software load balancer. Load balancing is key so that traffic will be evenly distributed the
long-lived connections from Remote Desktop clients, through the RD Gateway, to the servers that users will be
running their workloads.

NOTE
If your previous server running RD Web and RD Gateway was already set up behind an external load balancer, skip ahead
to step 4, select the existing backend pool, and add the new server to the pool.

1. Create an Azure Load Balancer:


a. In the Azure portal click Browse > Load balancers > Add .
b. Enter a name, for example WebGwLB .
c. Select Public for the Scheme .
d. Under Public IP address , select Choose a public IP address , and then pick an existing public IP
address or create a new one.
e. Select the appropriate Subscription , Resource Group , and Location .
f. Click Create .
2. Create a probe to monitor which servers are alive:
a. In the Azure portal, select Browse > Load Balancers , and then choose the load balancer that you
created in the previous step.
b. Select All settings > Probes > Add .
c. Enter a name, for example, HTTPS , for the probe. Select TCP as the Protocol , and enter 443 for the
Por t , then click OK .
3. Create the HTTPS and UDP load balancing rules:
a. In Settings , click Load balancing rules .
b. Select Add for the HTTPS rule .
c. Enter a name for the rule, for example, HTTPS, and select TCP for the Protocol . Enter 443 for both
Por t and Backend por t , and click OK .
d. In Load balancing rules , click Add for the UDP rule .
e. Enter a name for the rule, for example, UDP , and select UDP for the Protocol . Enter 3391 for both
Por t and Backend por t , and click OK .
4. Create the backend pool for the RD Web and RD Gateway servers:
a. In Settings , click Backend address pools > Add .
b. Enter a name (for example, WebGwBackendPool ), then click Add a vir tual machine .
c. Choose an availability set (for example, WebGwAvSet), and then click OK .
d. Click Choose the vir tual machines , select each virtual machine, and then click Select > OK > OK .
Deploy a two-node Storage Spaces Direct scale-out
file server for UPD storage in Azure
7/29/2021 • 5 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

Remote Desktop Services (RDS) requires a domain-joined file server for user profile disks (UPDs). To deploy a
high availability domain-joined scale-out file server (SOFS) in Azure, use Storage Spaces Direct with Windows
Server 2016. If you're not familiar with UPDs or Remote Desktop Services, check out Welcome to Remote
Desktop Services.

NOTE
Microsoft just published an Azure template to deploy a Storage Spaces Direct scale-out file server! You can use the
template to create your deployment, or use the steps in this article.

We recommend deploying your SOFS with DS-series VMs and premium storage data disks, where there are the
same number and size of data disks on each VM. You will need a minimum of two storage accounts.
For small deployments, we recommend a 2-node cluster with a cloud witness, where the volume is mirrored
with 2 copies. Grow small deployments by adding data disks. Grow larger deployments by adding nodes (VMs).
These instructions are for a 2-node deployment. The following table shows the VM and disk sizes you'll need to
store UPDs for the number of users in your business.

DISK SIZ E C O N F IGURAT I


USERS TOTA L ( GB ) VM # DISK S DISK T Y P E ( GB ) ON

10 50 DS1 2 P10 128 2x(DS1 + 2


P10)

25 125 DS1 2 P10 128 2x(DS1 + 2


P10)

50 250 DS1 2 P10 128 2x(DS1 + 2


P10)

100 500 DS1 2 P20 512 2x(DS1 + 2


P20)

250 1250 DS1 2 P30 1024 2x(DS1 + 2


P30)

500 2500 DS2 3 P30 1024 2x(DS2 + 3


P30)

1000 5000 DS3 5 P30 1024 2x(DS3 + 5


P30)
DISK SIZ E C O N F IGURAT I
USERS TOTA L ( GB ) VM # DISK S DISK T Y P E ( GB ) ON

2500 12500 DS4 13 P30 1024 2x(DS4 + 13


P30)

5000 25000 DS5 25 P30 1024 2x(DS5 + 25


P30)

Use the following steps to create a domain controller (we called ours "my-dc" below) and two node VMs ("my-
fsn1" and "my-fsn2") and configure the VMs to be a 2-node Storage Spaces Direct SOFS.
1. Create a Microsoft Azure subscription.
2. Sign into the Azure portal.
3. Create an Azure storage account in Azure Resource Manager. Create it in a new resource group and use the
following configurations:
Deployment model: Resource Manager
Type of storage account: General purpose
Performance tier: Premium
Replication option: LRS
4. Set up an Active Directory forest by either using a quickstart template or deploying the forest manually.
Deploy using an Azure quickstart template:
Create an Azure VM with a new AD forest
Create a new AD domain with 2 domain controllers (for high availability)
Manually deploy the forest with the following configurations:
Create the virtual network in the same resource group as the storage account.
Recommended size: DS2 (increase the size if the domain controller will host more domain
objects)
Use an automatically generated VNet.
Follow the steps to install AD DS.
5. Set up the file server cluster nodes. You can do this by deploying the Windows Server 2016 Storage Spaces
Direct SOFS cluster Azure template or by following steps 6-11 to deploy manually.
6. To manually set up the file server cluster nodes:
a. Create the first node:
a. Create a new virtual machine using the Windows Server 2016 image. (Click New > Vir tual
Machines > Windows Ser ver 2016. Select Resource Manager , and then click Create .)
b. Set the basic configuration as follows:
Name: my-fsn1
VM disk type SSD
Use an existing resource group, the one that you created in step 3.
c. Size: DS1, DS2, DS3, DS4, or DS5 depending on your user needs (see table at beginning of
these instructions). Ensure premium disk support is selected.
d. Settings:
Storage account: Choose the storage account you created in step 3.
High Availability - create a new availability set. (Click High Availability > Create new ,
and then enter a name (for example, s2d-cluster). Use the default values for Update
domains and Fault domains .)
b. Create the second node. Repeat the step above with the following changes:
Name: my-fsn2
High Availability - select the availability set you created above.
7. Attach data disks to the cluster node VMs according to your user needs (as seen in the table above). After the
data disks are created and attached to the VM, set host caching to None .
8. Set IP addresses for all VMs to static .
a. In the resource group, select a VM, and then click Network interfaces (under settings ). Select the
listed network interface, and then click IP Configurations . Select the listed IP configuration, select
static , and then click Save .
b. Note the domain controller (my-dc for our example) private IP address (10.x.x.x).
9. Set primary DNS server address on NICs of the cluster node VMs to the my-dc server. Select the VM, and
then click Network Interfaces > DNS ser vers > Custom DNS . Enter the private IP address you noted
above, and then click Save .
10. Create an Azure storage account to be your cloud witness. (If you use the linked instructions, stop when you
get to "Configuring Cloud Witness with Failover Cluster Manager GUI" - we'll do that step below.)
11. Set up the Storage Spaces Direct file server. Connect to a node VM, and then run the following Windows
PowerShell cmdlets.
a. Install Failover Clustering Feature and File Server Feature on the two file server cluster node VMs:

$nodes = ("my-fsn1", "my-fsn2")


icm $nodes {Install-WindowsFeature Failover-Clustering -IncludeAllSubFeature -
IncludeManagementTools}
icm $nodes {Install-WindowsFeature FS-FileServer}

b. Validate cluster node VMs and create 2-node SOFS cluster:

Test-Cluster -node $nodes


New-Cluster -Name MY-CL1 -Node $nodes –NoStorage –StaticAddress [new address within your addr
space]

c. Configure the cloud witness. Use your cloud witness storage account name and access key.

Set-ClusterQuorum –CloudWitness –AccountName <StorageAccountName> -AccessKey


<StorageAccountAccessKey>

d. Enable Storage Spaces Direct.

Enable-ClusterS2D

e. Create a virtual disk volume.

New-Volume -StoragePoolFriendlyName S2D* -FriendlyName VDisk01 -FileSystem CSVFS_REFS -Size


120GB

To view information about the cluster shared volume on the SOFS cluster, run the following
cmdlet:

Get-ClusterSharedVolume

f. Create the scale-out file server (SOFS):


Add-ClusterScaleOutFileServerRole -Name my-sofs1 -Cluster MY-CL1

g. Create a new SMB file share on the SOFS cluster.

New-Item -Path C:\ClusterStorage\VDisk01\Data -ItemType Directory


New-SmbShare -Name UpdStorage -Path C:\ClusterStorage\VDisk01\Data

You now have a share at \\my-sofs1\UpdStorage , which you can use for UPD storage when you enable UPD for
your users.
Use personal session desktops with Remote Desktop
Services
7/29/2021 • 3 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

You can deploy server-based personal desktops in a cloud-computing environment by using personal session
desktops. (A cloud-computing environment has a separation between the fabric Hyper-V servers and the guest
virtual machines, such as Microsoft Azure Cloud or the Microsoft Cloud Platform.) The personal session desktop
capability extends the session-based desktop deployment scenario in Remote Desktop Services to create a new
type of session collection where each user is assigned to their own personal session host with administrative
rights.
Use the following information to create and manage a personal session desktop collection.

Create a personal session desktop collection


Use the New-RDSessionCollection cmdlet to create a personal session desktop collection. The following three
parameters provide the configuration information required for personal session desktops:
-PersonalUnmanaged - Specifies the type of session collection that lets you assign users to a personal
session host server. If you don't specify this parameter, then the collection is created as a traditional RD
Session Host collection, where users are assigned to the next available session host when they sign in.
-GrantAdministrativePrivilege - If you use -PersonalUnmanaged , specifies that the user assigned to
the session host be given administrative privileges. If you don't use this parameter, users are granted only
standard user privileges.
-AutoAssignUser - If you use -PersonalUnmanaged , specifies that new users connecting through the RD
Connection Broker are automatically assigned to an unassigned session host. If there are no unassigned
session hosts in the collection, the user will see an error message. If you don't use this parameter, you have to
manually assign users to a session host before they sign in.

Manually assign a user to a personal session host


Use the Set-RDPersonalSessionDesktopAssignment cmdlet to manually assign a user to a personal session
host server in the collection. The cmdlet supports the following parameters:
-CollectionName <string>
-ConnectionBroker <string>
-User <string>
-Name <string>
–CollectionName - specifies the name of the personal session desktop collection. This parameter is
required.
–ConnectionBroker - specifies the Remote Desktop Connection Broker (RD Connection Broker) server for
your Remote Desktop deployment. If you don't supply a value, the cmdlet uses the fully qualified domain
name (FQDN) of the local computer.
–User - specifies the user account to associate with the personal session desktop, in DOMAIN\User format.
This parameter is required.
–Name - specifies the name of the session host server. This parameter is required. The session host
identified here must be a member of the collection that the -CollectionName parameter specifies.
The Impor t-RDPersonalSessionDesktopAssignment cmdlet imports associations between user accounts
and personal session desktops from a text file. The cmdlet supports the following parameters:
-CollectionName <string>
-ConnectionBroker <string>
-Path <string>
–Path specifies the path and file name of a file to import.

Removing a User Assignment from a Personal Session Host


Use the Remove-RDPersonalSessionDesktopAssignment cmdlet to remove the association between a
personal session desktop and a user. The cmdlet supports the following parameters:
-CollectionName <string>
-ConnectionBroker <string>
-Force
-Name <string>
-User <string>
–Force forces the command to run without asking for user confirmation.

Query user assignments


Use the Get-RDPersonalSessionDesktopAssignment cmdlet to get a list of personal session desktops and
associated user accounts. The cmdlet supports the following parameters:
-CollectionName <string>
-ConnectionBroker <string>
-User <string>
-Name <string>
You can run the cmdlet to query by collection name, user name, or by session desktop name. If you specify only
the –CollectionName parameter, the cmdlet returns a list of session hosts and associated users. If you also
specify the –User parameter, the session host associated with that user is returned. If you provide the –Name
parameter, the user associated with that session host is returned.
The Expor t-RDPersonalPersonalDesktopAssignment cmdlet exports the current associations between
users and personal virtual desktops to a text file. The cmdlet supports the following parameters:
-CollectionName <string>
-ConnectionBroker <string>
-Path <string>
All new cmdlets support the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer,
and -OutVariable. For more information, see about_CommonParameters.
Prepare your virtual machines for Remote Desktop
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

You can install Remote Desktop Services components on physical servers or on virtual machines.
The first step is to create Windows Server virtual machines in Azure. You'll want to create three VMs: one for the
RD Session Host, one for the Connection Broker, and one for the RD Web and RD Gateway. To ensure the
availability of your RDS deployment, create an availability set (under High availablility in the VM creation
process) and group multiple VMs in that availability set.
After you create your VMs, use the following steps to prepare them for RDS.
1. Connect to the virtual machine using the Remote Desktop Connection (RDC) client:
a. In the Azure portal open the Resource groups view, and then click the resource group to use for the
deployment.
b. Select the new RDSH virtual machine (for example, Contoso-Sh1).
c. Click Connect > Open to open the Remote Desktop client.
d. In the client, click Connect , and then click Use another user account . Enter the user name and
password for the local administrator account.
e. Click Yes when warned about the certificate.
2. Enable remote management:
a. In Server Manager, click Local Ser ver > Remote management current setting (disabled) .
b. Select Enable remote management for this ser ver .
c. Click OK .
3. Optional: You can temporarily set Windows Update to not automatically download and install updates. This
helps prevent changes and system restarts while you deploy the RDSH server.
a. In Server Manager, click Local Ser ver > Windows Update current setting .
b. Select Advanced options > Defer upgrades .
4. Add the server to the domain:
a. In Server Manager, click Local Ser ver > Workgroup current setting .
b. Click Change > Domain , and then enter the domain name (for example, Contoso.com).
c. Enter the domain administrator credentials.
d. Restart the virtual machine.
5. Repeat steps 1 through 4 for the RD Web and GW virtual machine.
6. Repeat steps 1 through 4 for the RD Connection Broker virtual machine.
7. Initialize and format the attached disk on the RD Connection Broker virtual machine:
a. Connect to the RD Connection Broker virtual machine (step 1 above).
b. In Server Manager, click Tools > Computer Management .
c. Click Disk Management .
d. Select the attached disk, then MBR (Master Boot Record) , and then click OK .
e. Right-click the new disk (marked as Unallocated ) and click New Simple Volume .
f. In the New Simple Volume wizard, accept the default values but provide a applicable name for the
Volume label (like Shares).
8. On the RD Connection Broker virtual machine create file shares for the user profile disks and certificates:
a. Open File Explorer, click This PC , and open the disk that you added for file shares.
b. Click Home and New Folder .
c. Enter a name for the user disks folder, for example, UserDisks .
d. Right-click the new folder and click Proper ties > Sharing > Advanced Sharing .
e. Select Share this folder and click Permissions .
f. Select Ever yone , and then click Remove . Now click Add , enter Domain Admins , and click OK .
g. Select Allow Full Control , and then click OK > OK > Close .
h. Repeat steps c. to g. to create a shared folder for certificates.
Configure disaster recovery for Remote Desktop
Services
11/2/2020 • 2 minutes to read • Edit Online

When you deploy Remote Desktop Services into your environment, it becomes a critical part of your
infrastructure, particularly the apps and resources that you share with users. If the RDS deployment goes down
due to anything from a network failure to a natural disaster, users can't access those apps and resources, and
your business is negatively impacted. To avoid this, you can configure a disaster recovery solution that allows
you to failover your deployment - if your RDS deployment is unavailable, for whatever reason, there is a backup
available to automatically take over.
To keep your RDS deployment running in the case of a single component or machine going down, we
recommend configuring your RDS deployment for high availability. You can do this by setting up an RDSH farm
and ensuring your Connection Brokers are clustered for high availability.
The disaster recovery solutions we recommend here are to protect your deployment from catastrophic disaster
- something that takes down your entire RDS deployment (including redundant roles configured for high
availability). If such a disaster hits, having a disaster recovery solution built into your deployment will allow you
to failover the entire deployment and quickly get apps and resources up and running for your users.
Use the following information to deploy disaster recovery solutions in RDS:
Leverage multiple Azure data centers to ensure users can access your RDS deployment, even if one Azure
data center goes down (geo-redundancy)
Deploy Azure Site Recovery to provide failover for RDS components in site-to-site or site-to-Azure failovers
Create a geo-redundant, multi-data center RDS
deployment for disaster recovery
7/29/2021 • 11 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

You can enable disaster recovery for your Remote Desktop Services deployment by leveraging multiple data
centers in Azure. Unlike a standard highly available RDS deployment (as outlined in the Remote Desktop
Services architecture), which uses data centers in a single Azure region (for example, Western Europe), a multi-
data center deployment uses data centers in multiple geographic locations, increasing the availability of your
deployment - one Azure data center might be unavailable, but it is unlikely that multiple regions would go down
at the same time. By deploying a geo-redundant RDS architecture, you can enable failover in the case of
catastrophic failure of an entire region.
You can use the instructions below to leverage Microsoft Azure infrastructure services and RDS to deliver geo-
redundant desktop hosting services and Subscriber Access Licenses (SALs) to multiple tenants through the
Microsoft Service Provider License Agreement (SPLA) program. You can also use the steps below to create a
geo-redundant hosting service for your own employees using RDS User CALs extended rights through Software
Assurance.

Logical architecture for high availability - single and multiple regions


The following image shows the architecture for a highly available deployment in a single Azure region:
The deployment consists of three layers:
Azure services - the Azure Management interfaces, including the Azure portal and APIs, and public
networking services, such as DNS and public IP addressing.
Desktop hosting service - Virtual machines, networks, storage, Azure services, and Windows Server role
services
Azure Fabric - Windows Server operating systems running the Hyper-V role, used to virtualize physical
servers, storage units, network switches, and routers. Using Azure Fabric lets you create VMs, networks,
storage, and applications independent from underlying hardware.
In comparison, here is the architecture for a deployment that uses multiple Azure data centers:
The entire RDS deployment is replicated in a second Azure region to create a geo-redundant deployment. This
architecture uses an active-passive model, where only one RDS deployment is running at a time. A VNet-to-
VNet connection lets the two environments communicate with each other. The RDS deployments are based on a
single Active Directory forest/domain, and the AD servers replicate across the two deployments, meaning users
can sign into either deployment using the same credentials. User settings and data stored in User Profile Disks
(UPD) are stored on a two-node cluster Storage Spaces Direct scale-out file server (SOFS). A second identical
Storage Spaces Direct cluster is deployed in the second (passive) region, and Storage Replica is used to replicate
the user profiles from the active to passive deployment. Azure Traffic Manager is used to automatically direct
end users to whichever deployment is currently active - from the end user perspective, they access the
deployment using a single URL and are not aware of which region they end up using.
You could create a non-highly available RDS deployment in each region, but if even a single VM is restarted in
one region, a failover would occur, increasing the likelihood of failovers occurring with associated performance
impacts.

Deployment steps
Create the following resources in Azure to create a geo-redundant multi-data center RDS deployment:
1. Two resource groups in two separate Azure regions. For example RG A (the active deployment, RG stands
for "resource group") and RG B (the passive deployment).
2. A highly-available Active Directory deployment in RG A. You can use the New AD Domain with 2 Domain
Controllers template to create the deployment.
3. A highly-available RDS deployment in RG A. Use the RDS farm deployment using existing active directory
template to create the basic RDS deployment, and then follow the information in Remote Desktop
Services - High availability to configure the other RDS components for high availability.
4. A VNet in RG B - make sure to use an address space that does not overlap the deployment in RG A.
5. A VNet-to-VNet connection between the two resource groups.
6. Two AD virtual machines in an availability set in RG B - make sure the VM names are different from the
AD VMs in RG A. Deploy two Windows Server 2016 VMs in a single availability set, install the Active
Directory Domain Services role, and then promote them to the domain controller in the domain you
created in step 1.
7. A second highly-available RDS deployment in RG B.
a. Use the RDS farm deployment using existing active directory template again, but this time make the
following changes. (To customize the template, select it in the gallery, click Deploy to Azure and then
Edit template .)
a. Adjust the address space of the DNS server private IP to correspond to the VNet in RG B.
Search for "dnsServerPrivateIp" in variables. Edit the default IP (10.0.0.4) to correspond to
the address space you defined in the VNet in RG B.
b. Edit the computer names so that they don't collide with those in the deployment in RG A.
Locate the VMs in the Resources section of the template. Change the computerName
field under osProfile . For example, "gateway" can become"gateway-b "; "[concat('rdsh-',
copyIndex())]" can become "[concat('rdsh-b-', copyIndex())]", and "broker" can become
"broker-b ".
(You can also change the names of the VMs manually after you run the template.)
b. As in step 3 above, use the information in Remote Desktop Services - High availability to configure the
other RDS components for high availability.
8. A Storage Spaces Direct scale-out file server with Storage Replica across the two deployments. Use the
PowerShell script to deploy the template across the resource groups.

NOTE
You can provision storage manually (instead of using the PowerShell script and template):
1. Deploy a two-node Storage Spaces Direct SOFS in RG A to store your user profile disks (UPDs).
2. Deploy a second, identical Storage Spaces Direct SOFS in RG B - make sure to use the same amount of storage
in each cluster.
3. Set up Storage Replica with asynchronous replication between the two.

Enable UPDs
Storage Replica replicates data from a source volume (associated with the primary/active deployment) to a
destination volume (associated with the secondary/passive deployment). By design, the destination cluster
appears as Online (No Access) - Storage Replica dismounts the destination volumes and their drive letters or
mount points. This means that enabling UPDs for the secondary deployment by providing the file share path
will fail, because the volume is not mounted.
Want to learn more about managing replication? Check out Cluster to cluster Storage Replication.
To enable UPDs on both deployments, do the following:
1. Run the Set-RDSessionCollectionConfiguration cmdlet to enable the user profile disks for the primary
(active) deployment - provide a path to the file share on the source volume (which you created in Step 7
in the deployment steps).
2. Reverse the Storage Replica direction so that the destination volume becomes the source volume (this
mounts the volume and makes it accessible by the secondary deployment). You can run Set-
SRPar tnership cmdlet to do this. For example:

Set-SRPartnership -NewSourceComputerName "cluster-b-s2d-c" -SourceRGName "cluster-b-s2d-c" -


DestinationComputerName "cluster-a-s2d-c" -DestinationRGName "cluster-a-s2d-c"

3. Enable the user profile disks in the secondary (passive) deployment. Use the same steps as you did for
the primary deployment, in step 1.
4. Reverse the Storage Replica direction again, so the original source volume is again the source volume in
the SR Partnership, and the primary deployment can access the file share. For example:

Set-SRPartnership -NewSourceComputerName "cluster-a-s2d-c" -SourceRGName "cluster-a-s2d-c" -


DestinationComputerName "cluster-b-s2d-c" -DestinationRGName "cluster-b-s2d-c"

Azure Traffic Manager


Create an Azure Traffic Manager profile, and make sure to select the Priority routing method. Set the two
endpoints to the public IP addresses of each deployment. Under Configuration , change the protocol to HTTPS
(instead of HTTP) and the port to 443 (instead of 80). Take note of the DNS time to live , and set it
appropriately for your failover needs.
Note that Traffic Manager requires endpoints to return 200 OK in response to a GET request in order to be
marked as "healthy." The publicIP object created from the RDS templates will function, but do not add a path
addendum. Instead, you can give end users the Traffic Manager URL with "/RDWeb" appended, for example:
http://deployment.trafficmanager.net/RDWeb

By deploying Azure Traffic Manager with the Priority routing method, you prevent end users from accessing the
passive deployment while the active deployment is functional. If end users access the passive deployment and
the Storage Replica direction hasn't been switched for failover, the user sign-in hangs as the deployment tries
and fails to access the file share on the passive Storage Spaces Direct cluster - eventually the deployment will
give up and give the user a temporary profile.
Deallocate VMs to save resources
After you configure both deployments, you can optionally shut down and deallocate the secondary RDS
infrastructure and RDSH VMs to save cost on these VMs. The Storage Spaces Direct SOFS and AD server VMs
must always stay running in the secondary/passive deployment to enable user account and profile
synchronization.
When a failover occurs, you'll need to start the deallocated VMs. This deployment configuration has the
advantage of being lower cost, but at the expense of fail-over time. If a catastrophic failure occurs in the active
deployment, you'll have to manually start the passive deployment, or you'll need an automation script to detect
the failure and start the passive deployment automatically. In either case, it may take several minutes to get the
passive deployment running and available for users to sign in, resulting in some downtime for the service. This
downtime depends on the amount of time it takes to start the RDS infrastructure and RDSH VMs (typically 2-4
minutes, if the VMs are started in parallel rather than serially), and the time to bring the passive cluster online
(which depends on the size of the cluster, typically 2-4 minutes for a 2-node cluster with 2 disks per node).
Active Directory
The Active Directory servers in each deployment are replicas within the same Forest/Domain. Active Directory
has a built-in synchronization protocol to keep the four domain controllers in sync. However, there may be some
lag so that if a new user is added to one AD server, it may take some time to replicate across all the AD servers
in the two deployments. Consequently, be sure to warn users to not try to sign in immediately after being added
to the domain.
RD License Server
Provide a per-user RD CAL for each named user that is authorized to access the geo-redundant deployment.
Distribute the per user CALs evenly across the two RD License Servers in the active deployment. Then, duplicate
these CALs to the two RD License Servers in the passive deployment. Because the CALs are duplicated between
the active and passive deployment, at any given time only one deployment can be active with users connecting;
otherwise, you violate the license agreement.
Image Management
As you update your RDSH images to provide software updates or new applications, you'll need to separately
update the RDSH collections in each deployment to maintain a common user experience across both
deployments. You can use the Update RDSH collection template, but note that the passive deployment's RDS
infrastructure and RDSH VMs must be running to run the template.

Failover
In the case of the Active-Passive deployment, failover requires you to start the VMs of the secondary
deployment. You can do this manually or with an automation script. In the case of a catastrophic failover of the
Storage Spaces Direct SOFS, change the Storage Replica partnership direction, so that the destination volume
becomes the source volume. For example:

Set-SRPartnership -NewSourceComputerName "cluster-b-s2d-c" -SourceRGName "cluster-b-s2d-c" -


DestinationComputerName "cluster-a-s2d-c" -DestinationRGName "cluster-a-s2d-c"

You can learn more in Cluster to cluster Storage Replication.


Azure Traffic Manager automatically recognizes that the primary deployment failed and that the secondary
deployment is healthy (in the RD Gateway VMs have been started in RG B) and directs user traffic to the
secondary deployment. Users can use the same Traffic Manager URL to continue working on their remote
resources, enjoying a consistent experience. Note that the client DNS cache will not update the record for the
duration of the TTL set in Azure Traffic Manager configuration.
Test failover
In a Storage Replica partnership, only one volume (the source) can be active at a time. This means when you
switch the SR Partnership direction, the volume in the primary deployment (RG A) becomes the destination of
replication and is therefore hidden. Thus, any users connecting to RG A will no longer have access to their UPDs
stored on the SOFS in RG A.
To test the failover while allowing users to continue logging in:
1. Start the infrastructure VMs and RDSH VMs in RG B.
2. Switch the SR Partnership direction (cluster-b-s2d-c becomes the source volume).
3. Disable the endpoint of RG A in the Azure Traffic Manager profile to force the ATM to direct traffic to RG
B. Alternatively, use a PowerShell script:

Disable-AzureRmTrafficManagerEndpoint -Name publicIpA -Type AzureEndpoints -ProfileName


MyTrafficManagerProfile -ResourceGroupName RGA -Force

RG B is now the active primary deployment. To switch back to RG A as the primary deployment:
1. Switch the SR Partnership direction (cluster-a-s2d-c becomes the source volume):

Set-SRPartnership -NewSourceComputerName "cluster-a-s2d-c" -SourceRGName "cluster-a-s2d-c" -


DestinationComputerName "cluster-b-s2d-c" -DestinationRGName "cluster-b-s2d-c"

2. Re-enable the endpoint of RG A in the Azure Traffic Manager profile:

Enable-AzureRmTrafficManagerEndpoint -Name publicIpA -Type AzureEndpoints -ProfileName


MyTrafficManagerProfile -ResourceGroupName RGA

Considerations for on-premises deployments


While an on-premises deployment couldn't use the Azure Quickstart Templates referenced in this article, you
can implement all the infrastructure roles manually. In an on-premises deployment where cost is not driven by
Azure consumption, consider using an active-active model for quicker failover.
You can use Azure Traffic Manager with on-premises endpoints, but it requires an Azure subscription.
Alternatively, for the DNS provided to end users, give them a CNAME record that simply directs users to the
primary deployment. In the case of failover, modify the DNS CNAME record to redirect to the secondary
deployment. In this way, the end user uses a single URL, just like with Azure Traffic Manager, that directs the user
to the appropriate deployment.
If you are interested in creating an on-premises-to-Azure-site model, consider using Azure Site Recovery.
Set up disaster recovery for RDS using Azure Site
Recovery
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

You can use Azure Site Recovery to create a disaster recovery solution for your Remote Desktop Services
deployment.
Azure Site Recovery is an Azure-based service that provides disaster recovery capabilities by orchestrating
replication, failover, and recovery of virtual machines. Azure Site Recovery supports a number of replication
technologies to consistently replicate, protect, and seamlessly failover virtual machines and applications to
private/public or hoster's clouds.
Use the following information to create and validate the disaster recovery solution.

Disaster recovery deployment options


You can deploy RDS on either physical servers or virtual machines running Hyper-V or VMWare. Azure Site
Recovery can protect both on-premises and virtual deployments to either a secondary site or to Azure. The
following table shows the different supported RDS deployments in site-to-site and site-to-Azure disaster
recvoery scenarios.

H Y P ER- V SIT E- TO - H Y P ER- V SIT E- TO - VM WA RE SIT E- TO - P H Y SIC A L SIT E- TO -


DEP LO Y M EN T T Y P E SIT E A Z URE A Z URE A Z URE

Pooled virtual Yes No No No


desktop
(unmanaged)

Pooled virtual Yes No No No


desktop (managed,
no UPD)

RemoteApps and Yes Yes Yes Yes


desktop sessions (no
UPD)

Prerequisites
Before you can configure Azure Site Recovery for your deployment, make sure you meet the following
requirements:
Create an on-premises RDS deployment.
Add Azure Site Recovery Services vault to your Microsoft Azure subscription.
If you are going to use Azure as your recovery site, run the Azure Virtual Machine Readiness Assessment tool
on your VMs to ensure they are compatible with Azure VMs and Azure Site Recovery Services.

Implementation checklist
We'll cover the various steps to enable Azure Site Recovery Services for your RDS deployment in more detail,
but here are the high-level implementation steps.

ST EP 1 - C O N F IGURE VM S F O R DISA ST ER REC O VERY

Hyper-V - Download the Microsoft Azure Site Recovery Provider. Install it on your VMM server or Hyper-V host. See
Prerequisites for replication to Azure by using Azure Site Recovery for information.

VMWare - Configure protection server, configuration server, and target servers

Step 2 - Prepare your resources

Add an Azure Storage account.

Hyper-V - Download the Microsoft Azure Recovery Services agent and install it on Hyper-V host servers.

VMWare - Make sure the mobility service is installed on all VMs.

Enable protection for VMs in VMM cloud, Hyper-V sites, or VMWare sites.

Step 3 - Design your recover y plan.

Map your resources - map on-premises networks to Azure VNETs.

Create the recovery plan.

Test the recovery plan by creating a test failover. Ensure all VMs can access required resources, like Active Directory. Ensure
network redirections are configured and working for RDS. For detailed steps on testing your recovery plan, see Run a test
failover

Step 4 - Run a disaster recover y drill.

Run a disaster recovery drill using planned and unplanned failovers. Ensure that all VMs have access to required resources,
such as Active Directory. Ensure that all VMs have access to required resources, such as Active Directory. For detailed steps on
failovers and how to run drills, see Failover in Site Recovery.
Enable disaster recovery of RDS using Azure Site
Recovery
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

To ensure that your RDS deployment is adequately configured for disaster recovery, you need to protect all of
the components that make up your RDS deployment:
Active Directory
SQL Server tier
RDS components
Network components

Configure Active Directory and DNS replication


You need Active Directory on the disaster recovery site for your RDS deployment to work. You have two choices
based on how complex your RDS deployment is:
Option 1 - If you have a small number of applications and a single domain controller for your entire on-
premises site, and you will be failing over the entire site together, use ASR-Replication to replicate the
domain controller to the secondary site (true for both site-to-site and site-to-Azure scenarios).
Option 2 - If you have a large number of applications and you're running an Active Directory forest, and
you'll failover a few applications at a time, set up an additional domain controller on the disaster recovery
site (either a secondary site or in Azure).
See Protect Active Directory and DNS with Azure Site Recovery for details on making a domain controller
available on the disaster recovery site. For the rest of this guidance, we assume that you've followed those steps
and have the domain controller available.

Set up SQL Server replication


See Protect SQL Server using SQL Server disaster recovery and Azure Site Recovery for the steps to set up SQL
Server replication.

Enable protection for the RDS application components


Depending on your RDS deployment type you can enable protection for different component VMs (as listed in
the table below) in Azure Site Recovery. Configure the relevant Azure Site Recovery elements based on whether
your VMs are deployed on Hyper-V or VMWare.

DEP LO Y M EN T T Y P E P ROT EC T IO N ST EP S

Personal virtual desktop (unmanaged) 1. Make sure all virtualization hosts are ready with the RDVH
role installed.
2. Connection Broker.
3. Personal desktops.
4. Gold template VM.
5. Web Access, License server, and Gateway server
DEP LO Y M EN T T Y P E P ROT EC T IO N ST EP S

Pooled virtual desktop (managed with no UPD) 1. All virtualization hosts are ready with the RDVH role
installed.
2. Connection Broker.
3. Gold template VM.
4. Web Access, License server, and Gateway server.

RemoteApps and Desktop Sessions (no UPD) 1. Session Hosts.


2. Connection Broker.
3. Web Access, License server, and Gateway server.
Create your disaster recovery plan for RDS
7/29/2021 • 5 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

You can create a disaster recovery plan in Azure Site Recovery to automate the failover process. Add all RDS
component VMs to the recovery plan.
Use the following steps in Azure to create your recovery plan:
1. Open Azure Site Recovery Vault in the Azure portal, and then click Recover y Plans .
2. Click Create and enter a name for the plan.
3. Select your Source and Target . The target is either a secondary RDS site or Azure.
4. Select the VMs that host your RDS components, and then click OK .
The following sections provide additional information about creating recovery plans for the different types of
RDS deployment.

Sessions-based RDS deployment


For an RDS sessions-based deployment, group the VMs so they come up in sequence:
1. Failover group 1 - Session Host VM
2. Failover group 2 - Connection Broker VM
3. Failover group 3 - Web Access VM
Your plan will look something like this:
Pooled desktops RDS deployment
For an RDS deployment with pooled desktops, group the VMs so they come up in sequence, adding manual
steps and scripts.
1. Failover group 1 - RDS Connection Broker VM
2. Group 1 manual action - Update DNS
Run PowerShell in an elevated mode on the Connection Broker VM. Run the following command and
wait for a couple of minutes to ensure the DNS is updated with the new value:

ipconfig /registerdns

3. Group 1 script - add Virtualization hosts


Modify the script below to run for each virtualization host in the cloud. Typically after you add a
virtualization host to a Connection Broker, you need to restart the host. Ensure that the host doesn't have
a reboot pending before the script runs, or else it will fail.

Broker - broker.contoso.com
Virtualization host - VH1.contoso.com

ipmo RemoteDesktop;
add-rdserver –ConnectionBroker broker.contoso.com –Role RDS-VIRTUALIZATION –Server VH1.contoso.com

4. Failover group 2 - Template VM


5. Group 2 script 1 - Turn off Template VM
The template VM when recovered to the secondary site will start, but it is a sysprepped VM and cannot
start completely. Also RDS requires that the VM be shutdown to create a pooled VM configuration from
it. So, we need to turn it off. If you have a single VMM server, the template VM name is the same on the
primary and the secondary. Because of that, we use the VM ID as specified by the Context variable in the
script below. If you have multiple templates, turn them all off.

ipmo virtualmachinemanager;
Foreach($vm in $VMsAsTemplate)
{
Get-SCVirtualMachine -ID $vm | Stop-SCVirtualMachine –Force
}

6. Group 2 script 2 - Remove existing pooled VMs


You need to remove the pooled VMs on the primary site from the Connection Broker so new VMs can be
created on the secondary site. In this case you need to specify the exact host on which to create the
pooled VM. Note that this will delete the VMs from only the collection.

ipmo RemoteDesktop
$desktops = Get-RDVirtualDesktop -CollectionName Win8Desktops;
Foreach($vm in $desktops){
Remove-RDVirtualDesktopFromCollection -CollectionName Win8Desktops -VirtualDesktopName
$vm.VirtualDesktopName –Force
}

7. Group 2 manual action - Assign new template


You need to assign the new template to the Connection Broker for the collection so you can create new
pooled VMs on the recovery site. Go to the RDS Connection Broker and identify the collection. Edit the
properties and specify a new VM image as its template.
8. Group 2 script 3 - Recreate all pooled VMs
Recreate the pooled VMs on the recovery site through the Connection Broker. In this case, you need to
specify the exact host on which to create the pooled VM.
The pooled VM name needs to be unique, using the prefix and suffix. If the VM name already exists, the
script will fail. Also, if the primary side VMs are numbered from 1-5, the recovery site numbering will
continue from 6.

ipmo RemoteDesktop;
Add-RDVirtualDesktopToCollection -CollectionName Win8Desktops -VirtualDesktopAllocation
@{"RDVH1.contoso.com" = 1}

9. Failover group 3 - Web Access and Gateway server VM


The recovery plan will look like this:

Personal desktops RDS deployment


For an RDS deployment with personal desktops, group the VMs so they come up in sequence, adding manual
steps and scripts.
1. Failover group 1 - RDS Connection Broker VM
2. Group 1 manual action - Update DNS
Run PowerShell in an elevated mode on the Connection Broker VM. Run the following command and
wait for a couple of minutes to ensure the DNS is updated with the new value:

ipconfig /registerdns

3. Group 1 script - Add Virtualization hosts


Modify the script below to run for each virtualization host in the cloud. Typically after you add a
virtualization host to a Connection Broker, you need to restart the host. Ensure that the host doesn't have
a reboot pending before the script runs, or else it will fail.

Broker - broker.contoso.com
Virtualization host - VH1.contoso.com

ipmo RemoteDesktop;
add-rdserver –ConnectionBroker broker.contoso.com –Role RDS-VIRTUALIZATION –Server VH1.contoso.com

4. Failover group 2 - Template VM


5. Group 2 script 1 - Turn off template VM
The template VM when recovered to the secondary site will start, but it is a sysprepped VM and cannot
start completely. Also RDS requires that the VM be shutdown to create a pooled VM configuration from
it. So, we need to turn it off. If you have a single VMM server, the template VM name is the same on the
primary and the secondary. Because of that, we use the VM ID as specified by the Context variable in the
script below. If you have multiple templates, turn them all off.

ipmo virtualmachinemanager;
Foreach($vm in $VMsAsTemplate)
{
Get-SCVirtualMachine -ID $vm | Stop-SCVirtualMachine –Force
}

6. Failover group 3 - Personal VMs


7. Group 3 script 1 - Remove existing personal VMs and add them
Remove the personal VMs on the primary site from the Connection Broker so new VMs can be created on
the secondary site. You need to extract the VMs' assignments and re-add the virtual machines to the
Connection Broker with the hash of assignments. This will only remove the personal VMs from the
collection and re-add them. The personal desktop allocation will be exported and imported back into the
collection.

ipmo RemoteDesktop
$desktops = Get-RDVirtualDesktop -CollectionName CEODesktops;
Export-RDPersonalVirtualDesktopAssignment -CollectionName CEODesktops -Path ./Desktopallocations.txt
-ConnectionBroker broker.contoso.com

Foreach($vm in $desktops){
Remove-RDVirtualDesktopFromCollection -CollectionName CEODesktops -VirtualDesktopName
$vm.VirtualDesktopName –Force
}

Import-RDPersonalVirtualDesktopAssignment -CollectionName CEODesktops -Path ./Desktopallocations.txt


-ConnectionBroker broker.contoso.com

8. Failover group 3 - Web Access and Gateway server VM


Your plan will look something like this:
Run and tune your Remote Desktop Services
environment
3/5/2021 • 2 minutes to read • Edit Online

Tuning your deployment takes time and requires instrumentation and monitoring. Use the processes below to
refine your Remote Desktop deployment, keep it running and enable scaling out (and in) as needed.
It's a good practice to continually assess the metrics and balance against running costs.

Management and monitoring


Check out Manage users in your RDS collection for information about how to manage access to your desktops
and remote resources.
Use Microsoft Operations Management Suite (OMS) to monitor Remote Desktop deployments for
potential bottlenecks and manage them using one of the following ways:
Ser ver Manager : Use the RD management tool that is built in to Windows Server to manage deployments
with up to 500 concurrent remote end-users.
PowerShell : Use the RD PowerShell module, also built into Windows Server, to manage deployments with
up to 5000 concurrent remote end-users.

Scale: Bigger, better, faster


With visibility into the deployment, you can control scale with more precision. Easily add or remove Remote
Desktop host servers based on scale needs.
Remote Desktop deployments that are built on Azure can make use of Azure services, like Azure SQL, to scale
automatically on demand.

Automation: Script for success


Maintaining a running, highly scaled application involves repeating operations on a regular basis. Use Remote
Desktop Services PowerShell cmdlets and WMI providers to develop scripts that can be run on multiple
deployments when needed. Run Best Practice Analyzer (BPA) rules for Remote Desktop Services on your
deployments to tune your deployments.

Load testing: Avoid surprises


Load test the deployment with both stress tests and simulation of real-life usage. Vary the load size to avoid
surprises! Ensure that responsiveness meets user requirements, and that the entire system is resilient. Create
load tests with simulation tools, like LoginVSI, that check your deployment's ability to meet the users' needs.
Manage your personal desktop session collections
6/17/2021 • 2 minutes to read • Edit Online

Use the following information to manage a personal desktop session collection in Remote Desktop Services.

Manually assign a user to a personal session host


Use the Set-RDPersonalSessionDesktopAssignment cmdlet to manually assign a user to a personal session
host server in the collection. The cmdlet supports the following parameters:
-CollectionName <string>
-ConnectionBroker <string>
-User <string>
-Name <string>
–CollectionName - specifies the name of the personal session desktop collection. This parameter is
required.
–ConnectionBroker - specifies the Remote Desktop Connection Broker (RD Connection Broker) server for
your Remote Desktop deployment. If you don't supply a value, the cmdlet uses the fully qualified domain
name (FQDN) of the local computer.
–User - specifies the user account to associate with the personal session desktop, in DOMAIN\User format.
This parameter is required.
–Name - specifies the name of the session host server. This parameter is required. The session host
identified here must be a member of the collection that the -CollectionName parameter specifies.
The Impor t-RDPersonalSessionDesktopAssignment cmdlet imports associations between user accounts
and personal session desktops from a text file. The cmdlet supports the following parameters:
-CollectionName <string>
-ConnectionBroker <string>
-Path <string>
–Path specifies the path and file name of a file to import.

Removing a User Assignment from a Personal Session Host


Use the Remove-RDPersonalSessionDesktopAssignment cmdlet to remove the association between a
personal session desktop and a user. The cmdlet supports the following parameters:
-CollectionName <string>
-ConnectionBroker <string>
-Force
-Name <string>
-User <string>
–Force forces the command to run without asking for user confirmation.
Query user assignments
Use the Get-RDPersonalSessionDesktopAssignment cmdlet to get a list of personal session desktops and
associated user accounts. The cmdlet supports the following parameters:
-CollectionName <string>
-ConnectionBroker <string>
-User <string>
-Name <string>
You can run the cmdlet to query by collection name, user name, or by session desktop name. If you specify only
the –CollectionName parameter, the cmdlet returns a list of session hosts and associated users. If you also
specify the –User parameter, the session host associated with that user is returned. If you provide the –Name
parameter, the user associated with that session host is returned.
The Expor t-RDPersonalPersonalDesktopAssignment cmdlet exports the current associations between
users and personal virtual desktops to a text file. The cmdlet supports the following parameters:
-CollectionName <string>
-ConnectionBroker <string>
-Path <string>
All new cmdlets support the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer,
and -OutVariable. For more information, see about_CommonParameters.
Recommended settings for VDI desktops
7/29/2021 • 24 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 10

Microsoft Desktop Virtualization automatically detects device configurations and network conditions to get
users up and running sooner by enabling the instant setup of corporate applications and desktops, and it equips
IT to provide access to legacy applications during migration to Windows 10.
Although the Windows 10 operating system is very well tuned out of the box, there are opportunities for you to
refine it further specifically for the corporate Microsoft Virtual Desktop Infrastructure (VDI) environment. In the
VDI environment, many background services and tasks are disabled from the beginning.
This topic is not a blueprint, but rather a guide or starting point. Some recommendations might disable
functionality that you would prefer to use, so you should consider the cost versus the benefit of adjusting any
particular setting in your scenario.
These instructions and recommended settings are relevant to Windows 10 1607 (version 10.0.1393).

NOTE
Any settings not specifically mentioned in this topic can be left at their default values (or set per your requirements and
policies) without appreciable impact on VDI functionality.

When you create an image to base the VDI deployment, be sure to use the Current Branch . For more
information about Current Branch, see Windows 10 release information.

Creating the Windows 10 image


The first step is to install a reference image of Windows 10 1607 (version 10.0.1393) on either a physical or
virtual machine. Installing to a virtual machine is easy and allows you to save versions of the virtual hard-disk
(VHD) file, in case you want to roll back to an earlier version.
During installation, you can choose either Express Settings or Customize . The settings offered during the
Customize option are adjustable by using Group Policy, so the method of installing the base OS is not that
important.
If you chose Customize , you can adjust these settings during installation:

In "Customize settings"
You can also adjust these after installation with Group Policy Editor; see the "Group Policy settings" section of
this topic.

SET T IN G DEFA ULT VA L UE REC O M M EN DED VA L UE F O R VDI USE

Personalization

Personalize your speech, typing, and On Off


inking input by sending your input
data to Microsoft.
SET T IN G DEFA ULT VA L UE REC O M M EN DED VA L UE F O R VDI USE

Send typing and inking data to On Off


Microsoft to improve the recognition
and suggestion platform.

Let apps use your advertising ID for On Off


experience across apps.

Let Skype (if installed) help you On Off


connect with friends in your address
book and verify your mobile number.
SMS and data charges may apply.

Location

Turn on Find My Device and let On Off


Windows and apps request your
location, including location history

Connectivity and error reporting

Automatically connect to suggested On Off


open hotspots. Not all networks are
secure.

Automatically connect to open On Off


hotspots temporarily to see if paid
network services are available.

Send full diagnostic and usage data to On Off


Microsoft. Turning this off sends only
basic data.

Browser, protection, and update

Use SmartScreen online services to On On (If there is no Internet access, then


help protect against malicious content set to Off.)
and downloads in sites loaded by
Windows browsers and Store apps

Use page prediction to improve On Off


reading, speed up browsing, and make
your overall experience better in
Windows browsers. Your browsing
data will be sent to Microsoft.

Get updates from and send updates to On Off


other PCs on the Internet to speed up
app and Windows Update downloads

Once installation is complete, you can continue adjusting settings starting with Windows Settings .

In Windows Settings
To access Windows Settings, click Star t (the Windows icon on the taskbar), and then click the Settings icon
(shaped like a gear).
In the "System" area of Windows Settings
In Windows Settings area, clicking the System icon gives you access to a number of system-related settings.
Not all of them need adjustment for optimum VDI use--these settings are the most important:
Apps and features
To remove an app, thereby excluding it from your VDI image, click the app, and then click Uninstall . If Uninstall
is grayed out, you cannot remove it by this method; you might be able to remove it with Windows PowerShell,
or try these steps:
1. Click Manage optional features (immediately below the Apps and features heading on the same page).
2. Click the optional feature, and then click Uninstall .
Features to consider removing (if present) include the following:
Contact suppor t
English (United States) Retail Demo Content
Neutral Retail Demo Content
Quick Assist
Default apps
This area defines the app to be used by default for certain generic functions such as e-mail, web browsing, and
maps. If you want a different app to be used for a particular function, click the current entry, and then click the
app you prefer to be used in the VDI image. For a non-Microsoft app to be an available choice, you must install
the app prior to adjusting this setting.
Notifications and actions
These recommended values will reduce notifications and background network activity in a VDI environment:

SET T IN G DEFA ULT VA L UE REC O M M EN DED VA L UE F O R VDI USE

Get notifications from apps and other On Off


senders

Show notifications on the lock screen. On Off

Show alarms, reminders, and incoming On Off


VoIP calls on the lock screen.

Show tips, tricks, and suggestions as On Off


you use Windows.

Offline maps
This setting is only applicable if the Maps app is installed. Its default value is On ; for VDI use the recommended
value is Off .
Tablet mode

SET T IN G DEFA ULT VA L UE REC O M M EN DED VA L UE F O R VDI USE

When I sign in Use the appropriate mode for my Use desktop mode
hardware

When this device automatically Always ask me before switching Don't ask me and don't switch
switches mode on or off
SET T IN G DEFA ULT VA L UE REC O M M EN DED VA L UE F O R VDI USE

Hide app icons on the taskbar in tablet On Off


mode

In the "Devices" area of Windows Settings


In Windows Settings area, clicking the Devices icon gives you access to a number of system-related settings.
Not all of them need adjustment for optimum VDI use--these settings are the most important:
Autoplay

SET T IN G DEFA ULT VA L UE REC O M M EN DED VA L UE F O R VDI USE

Use Autoplay for all media and devices On Off

Removable drive: Choose a default Take no action

Memory card Choose a default Take no action

In the "Personalization" area of Windows Settings


In Windows Settings area, clicking the Personalization icon gives you access to a number of system-related
settings. Not all of them need adjustment for optimum VDI use--these settings are the most important:
Background
Sometimes the default black background can cause users to think the computer is not responding. Changing the
background color can help make it clearer. To do this, follow these steps:
1. In the Background area, click the pull-down menu.
2. To change the background color, click Solid color , and then click any of the colors other than black.
Alternately, you could click Picture and then select an image to use as the background.
Start

SET T IN G DEFA ULT VA L UE REC O M M EN DED VA L UE F O R VDI USE

Occasionally show suggestions in Start On Off

Show most used apps On Off

Show recently added apps On Off

Show recently opened items in Jump On Off


Lists on Start or the Taskbar

Taskbar
The default setting is to use large taskbar buttons (that is, a value of "Off" for Use small taskbar buttons ). This
setting causes the Cortana item to use a lot of taskbar area. To avoid this, set Use small taskbar buttons to
"On." If you prefer that the taskbar items stay larger, but prefer not to have Cortana taking up so much space,
right-click the taskbar, point to Cor tana , and in the menu that flies out, select Hidden .
In the "Privacy" area of Windows Settings
In Windows Settings area, clicking the Privacy icon gives you access to a number of system-related settings.
Not all of them need adjustment for optimum VDI use--these settings are the most important:
General
Some of these settings are also set from the "Customize settings" window, discussed at the beginning of this
topic.

SET T IN G DEFA ULT VA L UE REC O M M EN DED VA L UE F O R VDI USE

Let apps use my advertising ID for On Off


experiences across apps (turning this
off will reset your ID)

Let websites provide locally relevant On Off


content by accessing my language list

Let apps on my other devices open On Off


apps and continue experiences on this
device

Camera
The default value for "Let apps use my camera" is On ; for VDI use the recommended value is Off .
Microphone
The default value for "Let apps use my microphone" is On ; for VDI use the recommended value is Off .
Notifications
The default value for "Let apps access my notifications" is On ; for VDI use the recommended value is Off .
Contacts
The default value for "Let apps access my contacts" is On ; for VDI use the recommended value is Off .
Calendar
The default value for "Let apps access my calendar" is On ; for VDI use the recommended value is Off .
Call history
The default value for "Let apps access my call history" is On ; for VDI use the recommended value is Off .
Email
The default value for "Let apps access and send email" is On ; for VDI use the recommended value is Off .
Messaging
The default value for "Let apps read or send messages (text or MMS)" is On ; for VDI use the recommended
value is Off .
Radios
The default value for "Let apps control radios" is On ; for VDI use the recommended value is Off .
Other devices
The default value for "Let your apps automatically share and sync info with wireless devices that don't explicitly
pair with your PC, tablet, or phone" is On ; for VDI use the recommended value is Off .
Feedback and diagnostics
The default value for "Windows should ask for my feedback" is Automatically ; for VDI use, the recommended
value is Never .
Background apps
Listed apps have a default value of On , which allows them to receive information, send notifications, and update
themselves whether they are being used or not. You should disable (set to Off ) any apps you don't want running
in the background in the VDI image.
Update and security
Windows Update
In the Update settings area, click Advanced options to adjust these settings:
SET T IN G DEFA ULT VA L UE REC O M M EN DED VA L UE F O R VDI USE

Give me updates for other Microsoft cleared selected


products when I update Windows

Defer feature updates cleared selected

Use my sign in info to automatically cleared Depends on specific VDI configuration


finish setting up my device after an
update

On the Advanced options page, click Choose how updates are delivered to access the setting for "Updates
from more than one place." The default value is On ; for VDI use the recommended value is Off .

In Control Panel and other system utilities


The settings in this section are adjustable either by navigating through Control Panel or opening the utility
directly.

NOTE
Any settings not specifically mentioned in this topic can be left at their default values (or set per your requirements and
policies) without appreciable impact on VDI functionality.

Task Scheduler
The fastest way to open Task Scheduler is to push the Windows button and type task scheduler or taskschd.msc.
In the results that return, click Task Scheduler to open the utility. In Task Scheduler, expand Task Scheduler
Librar y , expand Microsoft , and then expand Windows . You now have access to the list of task collections. To
change the state of each scheduled task, right-click it, and then click the desired state (typically, Disabled for VDI
use).

REC O M M EN DED STAT E F O R


TA SK C O L L EC T IO N TA SK N A M E DEFA ULT STAT E VDI USE

Customer Experience
Improvement Program

Consolidator Enabled Disabled

KernelCeipTask Enabled Disabled

UsbCeip Enabled Disabled

Defrag

ScheduledDefrag Enabled Disabled

Location

Notifications Enabled Disabled

WindowsActionDialog Enabled Disabled


REC O M M EN DED STAT E F O R
TA SK C O L L EC T IO N TA SK N A M E DEFA ULT STAT E VDI USE

Maintenance

WinSAT Enabled Disabled

Maps

MapsToastTask Enabled Disabled

MapsUpdateTask Enabled Disabled

Mobile Broadband
Accounts

MNO Metadata Parser Enabled Disabled

Power Efficiency Diagnostics

Analyze System Enabled Disabled

Recovery Environment

VerifyWinRE Enabled Disabled

Retail Demo

CleanupOfflineContent Enabled Disabled

Shell

FamilySafetyMonitor Enabled Disabled

FamilySafetyRefreshTask Enabled Disabled

Windows Error Reporting

QueueReporting Enabled Disabled

Windows Media Sharing

UpdateLibrary Enabled Disabled

Click Windows again to collapse it, then click XblGameSave . This gives you access to the tasks
XBLGameSaveTask and XBLGameSaveTaskLogon ; both of these can be set to Disabled .
Performance Monitor
The fastest way to open Performance Monitor is to push the Windows button and type performance monitor or
perfmon.msc. In the results that return, click Performance Monitor . In Performance Monitor, click Data
Collector Sets and then double-click Event Trace Sessions . Right-click WiFiSession ; if it is in the default
state of Running , then click Stop .
Click Star tupEventTraceSessions , then right-click ReadyBoot ; if it is running, click Stop . Click Event Trace
Sessions , right-click ReadyBoot , and then click Proper ties . In the dialog that opens, click the Trace Session
tab. Clear the Enabled check box.
Services
The fastest way to manage Services is to push the Windows button and type services. In the results that return,
click Ser vices . The following services are good candidates to disable for use in VDI scenarios; however, you
might need to do some testing to verify that they aren't needed for your purposes. To disable a service, in the
Ser vices snap-in, right-click the service name, and then click Proper ties . On the General tab, click the
Star tup type pull-down menu, and then click Disabled . Click OK .
BranchCache
Delivery Optimization
Diagnostic Service Host
Windows Mobile Hotspot Service
Xbox Live Auth Manager
Xbox Live Game Save
Xbox Live Networking Service
File Explorer Options
Push the Windows button and type control panel. In the results that return, click Control Panel . In Control
Panel, click File Explorer Options . In the dialog that opens, click the Search tab, and then in the When
searching non-indexed locations area, clear the check box for Include system directories . Click OK to
save.
Flash settings
Push the Windows button and type control panel. In the results that return, click Control Panel . In Control
Panel, click Flash Player to open the Flash Player Settings Manager. On the Storage tab, select the radio button
for Block all sites from storing information on this computer . In the dialog that opens, click OK .
On the Camera and Mic tab, in the Camera and Microphone Settings area, select the radio button for
Block all sites from using the camera and microphone .
On the Playback tab, in the Peer-assisted Networking area, select the radio button for Block all sites from
using peer-assisted networking . Close the Flash Player Settings Manager.
Internet Options
Push the Windows button and type control panel. In the results that return, click Control Panel . In Control
Panel, click Internet Options to open Internet Properties. In the Home page area, enter the URL for the web
site you want users to see as the home page in browsers. This could be a web site for your company or you can
set it to a blank home page by entering about:blank.
In the Browsing histor y area, select the check box for Delete browsing histor y on exit .
Power Options
Push the Windows button and type control panel. In the results that return, click Control Panel . In Control
Panel, click Power Options to open the Power Options control panel. In the Choose or customize a power
plan area, click the down arrow for Show additional plans , and then select the radio button for High
performance . This setting will have very little impact on the VDI host.
System
Push the Windows button and type control panel. In the results that return, click Control Panel . In Control
Panel, click System to open the System control panel. In the right pane, click Advanced system settings . In
the dialog that opens, click the Advanced tab. In the Performance area, click the Settings button, then on
Visual Effects tab in the dialog that opens, select the Adjust for best performance radio button. Click OK to
save and exit.

Group Policy settings


To edit Group Policy settings, press the Windows button and type group policy or gpedit.msc. In the results that
return, click Edit group policy to open Local Group Policy Editor.

NOTE
Any settings not specifically mentioned in this topic can be left at their default values (or set per your requirements and
policies) without appreciable impact on VDI functionality.

Under Computer Configuration , expand Windows Settings , and then expand Security Settings . Click
Network List Manager Policies , and then double-click All Networks . In the dialog that opens, in the
Network location area, select the radio button for User cannot change location . Click the OK button to
save.
Collapse Windows Settings , and then expand Administrative Templates . Click or expand Network , and
then adjust each setting as follows by double-clicking it, then selecting the radio button for the indicated value
and clicking the OK button:

SET T IN G A REA SET T IN G REC O M M EN DED VA L UE F O R VDI USE

Background Intelligent Transfer Service


(BITS)

Do not allow the BITS client to use Enabled


Windows Branch Cache

Do not allow the computer to act as a Enabled


BITS Peercaching client

Do not allow the computer to act as a Enabled


BITS Peercaching server

Allow BITS Peercaching Disabled

BranchCache

Turn on BranchCache Disabled

Hotspot Authentication

Enable Hotspot Authentication Disabled

Microsoft Peer-to-Peer Networking


Services

Turn off Microsoft Peer-to-Peer Enabled


Networking Services

Offline Files
SET T IN G A REA SET T IN G REC O M M EN DED VA L UE F O R VDI USE

Allow or Disallow use of the Offline Disabled


Files feature

Collapse Network , and then expand System . Adjust each setting as follows double-clicking it, then selecting
the radio button for the indicated value and clicking the OK button:

SET T IN G A REA SET T IN G REC O M M EN DED VA L UE F O R VDI USE

Device Installation

Do not send a Windows error report Enabled


when a generic driver is installed on a
device

Prevent creation of a system restore Enabled


point during device activity that would
normally prompt creation of a restore
point

Prevent device metadata retrieval from Enabled


the Internet

Prevent Windows from sending an Enabled


error report when a device driver
requests additional software during
installation

Turn off "Found New Hardware" Enabled


balloons during device installation

Expand Filesystem , double-click NTFS , double-click Shor t name creation options , select the radio button
for Enabled , and then use the Options pull-down menu to select Disable on all volumes . Click the OK
button to save.
Collapse Filesystem , and then expand Internet Communication Management . Click Internet
Communication settings . Adjust each setting as follows by double-clicking it, then selecting the radio button
for Enabled , and then clicking the OK button:
Turn off Event Viewer "Events.asp" links
Turn off handwriting personalization data sharing
Turn off handwriting recognition error reporting
Turn off Help and Support Center "Did you know?" content
Turn off Help and Support Center Microsoft Knowledge Base search
Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com
Turn off Internet download for Web publishing and online ordering wizards
Turn off Internet File Association service
Turn off Registration if URL connection is referring to Microsoft.com
Turn off the "Order Prints" picture task
Turn off the "Publish to Web" task for files and folders
Turn off the Windows Messenger Customer Experience Improvement Program
Turn off Windows Customer Experience Improvement Program
Turn off Windows Error Reporting
Turn off Windows Update device driver searching
Click Power Management and then double-click Select an active power plan . Select the radio button for
Enabled , and then use the Options pull-down menu to select High Performance . Click the OK button to save.
Click Recover y , and then double-click Allow restore of system to default state . Select the radio button for
Enabled , and then click the OK button to save.
Expand Troubleshooting and Diagnostics . Click Scheduled Maintenance , double-click Configure
Scheduled Maintenance Behavior , and then select the radio button for Disabled . Click the OK button to
save.
For each of the following settings areas, click it, then double-click Configure Scenario Execution Level , select
the radio button for Disabled , and then click the OK button to save:
Windows Boot Performance Diagnostics
Windows Memory Leak Diagnostics
Windows Resource Exhaustion Detection and Resolution
Windows Shutdown Performance Diagnostics
Windows Standby/Resume Performance Diagnostics
Windows System Responsiveness Performance Diagnostics
Collapse System , and then expand Windows Components . Adjust each setting as follows by double-clicking
it, then selecting the radio button for the indicated value and clicking the OK button:

SET T IN G A REA SET T IN G REC O M M EN DED VA L UE F O R VDI USE

Add features to Windows 10

Prevent the wizard from running Enabled

Autoplay Policies

Set the default behavior for AutoRun Enabled, then use the Options pull-
down menu to select Do not execute
any autorun commands

Cloud Content

Do not show Windows tips Enabled

Turn off Microsoft consumer Enabled


experiences

Data Collection and Preview Builds

Allow Telemetry Enabled, then use the Options pull-


down menu to select 1- Basic

Disable pre-release features or settings Disabled

Do not show feedback notifications Enabled

Toggle user control over Insider builds Disabled


SET T IN G A REA SET T IN G REC O M M EN DED VA L UE F O R VDI USE

Desktop Window Manager

Do not allow Flip3D invocation Enabled

Do not allow window animations Enabled

Use solid color for Start background Enabled

Edge UI

Allow edge swipe Disabled

Disable help tips Enabled

File Explorer

Do not show the ‘new application Enabled


installed' notification

Game Explorer

Turn off downloading of game Enabled


information

Turn off game updates Enabled

Turn off tracking of last play time of Enabled


games in the Games folder

Homegroup

Prevent the computer from joining a Enabled


homegroup

Internet Explorer

Allow Microsoft services to provide Disabled


enhanced suggestions as the user
types in the Address bar

Disable Periodic Check for Internet Enabled


Explorer software updates

Disable showing the splash screen Enabled

Install new versions of Internet Disabled


Explorer automatically

Prevent participation in the Customer Enabled


Experience Improvement Program
SET T IN G A REA SET T IN G REC O M M EN DED VA L UE F O R VDI USE

Prevent running First Run wizard Go Enabled, then use the Options pull-
directly to home page down menu to select Go directly to
home page

Set tab process growth Enabled, then type the following in the
Tab Process Growth box: Low.

Specify default behavior for a new tab Enabled, then use the Options pull-
down menu to select New tab page

Turn off add-on performance Enabled


notifications

Turn off browser geolocation Enabled

Turn off Reopen Last Browsing Session Enabled

Turn off suggestions for all user- Enabled


installed providers

Turn on Suggested Site Disabled

At the same level as the Internet Explorer settings you just adjusted in the preceding table, note another level
of folders ranging from Accelerators to Toolbars . In other words, you are now at Local Computer Policy >
Computer Configuration > Administrative Templates > Windows Components > Internet Explorer.
Open the Delete Browsing Histor y folder, double-click Allow deleting browsing histor y on exit , select
Enable , and then click OK to save and exit.
Use the back arrow in the upper left of Local Group Policy Editor to go back to the Internet Explorer level.
Double-click Internet Settings , double-click Advanced Settings , and then adjust the settings in the
subfolders as follows:

SET T IN G F O L DER UN DER A DVA N C ED


SET T IN GS SET T IN G REC O M M EN DED VA L UE F O R VDI USE

Browsing

Turn off phone number detection Enabled

Multimedia

Allow Internet Explorer to play media Disabled


files that use alternative codecs

Go back up to the level of Internet Explorer , then double-click Internet Settings . In this folder, set these two
settings under AutoComplete to Enabled :
Turn off URL Suggestions
Turn off Windows Search AutoComplete
Go back up four levels to Windows Components , double-click Location and Sensors , and then set these
three settings to Enabled (for each, click OK to save and exit):
Turn off location
Turn off location scripting
Turn off sensors
While at the level of Location and Sensors , double-click Windows Location Provider and set Turn off
Windows Location Provider to Enabled . Click OK to save and exit.
In the left pane, click Maps , set these settings to Enabled ; for each, then click OK to save and exit:
Turn off Automatic Download and Update of Map Data
Turn off unsolicited network traffic on the Offline Maps settings page
Using the left pane, enter each of the following settings subfolders and adjust the individual settings as follows:

SET T IN GS F O L DER UN DER W IN DO W S


C O M P O N EN T S SET T IN G REC O M M EN DED VA L UE F O R VDI USE

OneDrive

Prevent the usage of OneDrive for file Enabled


storage

Save documents to OneDrive by Disabled


default

RSS Feeds

Prevent automatic discovery of feeds Enabled


and Web Slices

Search

Allow Cortana Disabled

Allow Cortana above lock screen Disabled

Allow search and Cortana to use Disabled


location

Do not allow web search Enabled

Don't search the web or display web Enabled


results in Search

Prevent adding UNC locations to index Enabled


from Control Panel

Prevent indexing files in offline files Enabled


cache

Store

Turn off the offer to update to the Enabled


latest version of Windows
SET T IN GS F O L DER UN DER W IN DO W S
C O M P O N EN T S SET T IN G REC O M M EN DED VA L UE F O R VDI USE

Windows Error Repor ting

Automatically send memory dumps for Disabled


OS-generated error reports

Disable Windows Error Reporting Enabled

Windows Installer

Control maximum size of baseline file Enabled, then use the spin box in the
cache Options area to set Baseline file
cache maximum size to 5.

Turn off creation of System Restore Enabled


checkpoints

Windows Mail

Turn off the communities feature Enabled

Windows Media Player

Do Not Show First Use Dialog Boxes Enabled

Prevent Media Sharing Enabled

Windows Mobility Center

Turn off Windows Mobility Center Enabled

Windows Reliability Analysis

Configure Reliability WMI Providers Disabled

Windows Update

Allow Automatic Updates immediate Enabled


installation

Remove access to all Windows Update Enabled


features

In the Windows Update folder, open


Defer Windows Update
SET T IN GS F O L DER UN DER W IN DO W S
C O M P O N EN T S SET T IN G REC O M M EN DED VA L UE F O R VDI USE

Select when feature updates are Enabled, then in the Options area,
received use the Select the branch
readiness level for the feature
updates you want to receive pull-
down menu to select Current Branch
for Business . Set the After a
feature update is released, defer
receiving it for this many days
spin box to 180 days.

Select when Quality Updates are Enabled, then in the Options area, Set
received the After a quality update is
released, defer receiving it for
this many days spin box to 30 days
and select the check box for Pause
quality updates .

In the left pane of Local Group Policy Editor, click User Configuration . Using the left pane, click
Administrative Templates and then enter each of the following settings subfolders and adjust the individual
settings as follows:

SET T IN GS F O L DER UN DER


A DM IN IST RAT IVE T EM P L AT ES SET T IN G REC O M M EN DED VA L UE F O R VDI USE

Desktop

Do not add shares of recently opened Enabled


documents to Network Locations

In the Desktop folder, open Active


Director y

Maximum size of Active Directory Enabled, then in the Options area,


searches use the spin box to set Number of
objects returned to 5000.

Star t Menu and Taskbar

Clear the recent programs list for new Enabled


users

Do not display or track items in Jump Enabled


Lists from remote locations

Turn off feature advertisement balloon Enabled


notifications

Turn off user tracking Enabled

In the Star t Menu and Taskbar


folder, open Notifications

Turn off toast notifications Enabled


SET T IN GS F O L DER UN DER
A DM IN IST RAT IVE T EM P L AT ES SET T IN G REC O M M EN DED VA L UE F O R VDI USE

In the Windows Components folder,


open:

Cloud Content

Turn off all Windows spotlight features Enabled

File Explorer

Turn off caching of thumbnail pictures Enabled

Turn off display of recent search entries Enabled


in the File Explorer search box

Turn off the caching of thumbnails in Enabled


hidden thumbs.db file

Microsoft Store apps


There are a number of Microsoft Store apps that you might want to remove from the VDI image; removing them
will decrease CPU usage and conserve disk space. Good candidates for removal include:
Get Office
Skype (preview)
Get Started (especially if there is no Internet connection)
Feedback Hub
Microsoft Solitaire Collection
Paid Wi-Fi and Cellular
To customize the default user profile used for creating VDI images, use the built-in Administrator account. If it is
not already enabled, do so by using Local Users and Groups in Computer Management. Then log in to the
Administrator account to complete the following steps.

NOTE
Don't remove system apps such as the Store app. They are difficult to reinstall. Other apps are easily reinstallable from the
Store.

Delete unwanted apps from the Administrator user profile


1. In Windows PowerShell, run Get-AppxPackage | ft PackageFamilyName to see the list of installed apps.
2. For each app packager you want to uninstall run cmdlets of this example format:
Get-AppxPackage *messaging* | Remove-AppxPackage

Get-AppxPackage *WindowsMaps* | Remove-AppxPackage

Get-AppxPackage *ZuneMusic* | Remove-AppxPackage

Delete the payload of unwanted Store apps


This will prevent the apps from being reinstalled.
1. List Store apps and other items that have provisioned data in storage with this cmdlet:
Get-AppxProvisionedPackage -Online .
2. Remove a given package with Remove-AppxProvisionedPackage -Online -PackageName MyAppPackage , using the
appropriate MyAppPackage returned from Step 1. For example, to remove the Zune-related package, you
would run
Remove-AppxProvisionedPackage -Online -PackageName
Microsoft.ZuneMusic_2019.17012.10311.0_neutral_~_8wekyb3d8bbwe
.

Removing other items


You can remove the OneDrive icon and app, turn off system icons, and delete downloaded updates.
Remove OneDrive icon and app
1. Click Star t and scroll to the OneDrive icon.
2. Right-click the OneDrive icon, point to More , and then click Open file location .
3. Right-click the OneDrive icon in its file location, and click Delete .
To remove the OneDrive app:
1. Click Star t and scroll to the OneDrive icon.
2. Right-click the OneDrive icon, and then click Uninstall . Programs and Features opens.
3. In Programs and Features, right-click Microsoft OneDrive and click Uninstall .
Programs and Features (from previous versions of Control Panel)
1. Push the Star t button, type Control, and then press ENTER.
2. Tap or double-click Programs and Features .
3. On the far left, under Control Panel Home , tap or click Turn Windows features on or off . A new user
interface will open.
4. Clear the check boxes for any items that you do not want or need in the base image, for example: SMB
1.0/CIFS File Sharing Suppor t .
Turn system icons off
1. Push or click Star t , and then click Settings (the gear icon).
2. In the Find a Setting text area, type Taskbar, and then click Taskbar Settings .
3. Under the Taskbar section, scroll or swipe down to the Notification area section.
4. Click or tap Turn system icons on or off , and then turn each system icon on or off as you prefer for the
image.
Delete downloaded updates
1. Using File Explorer, navigate to C:\Windows\SoftwareDistribution\Download .
2. Delete all files and folders in that directory.
Optimizing Windows 10, version 2004 for a Virtual
Desktop Infrastructure (VDI) role
7/29/2021 • 77 minutes to read • Edit Online

This article is intended to provide suggestions for configurations for Windows 10, build 2004, for optimal
performance in Virtualized Desktop environments, including Virtual Desktop Infrastructure (VDI) and Azure
Virtual Desktop. All settings in this guide are suggested optimization settings only and are in no way
requirements.
The information in this guide is pertinent to Windows 10, version 2004, operating system (OS) build 19041.
The guiding principles to optimize performance of Windows 10 in a virtual desktop environment are to
minimize graphic redraws and effects, background activities that have no major benefit to the virtual desktop
environment, and generally reduce running processes to the bare minimum. A secondary goal is to reduce disk
space usage in the base image to the bare minimum. With virtual desktop implementations, the smallest
possible base, or "gold" image size, can slightly reduce memory utilization on the host system, as well as a small
reduction in overall network operations required to deliver the desktop environment to the consumer.
No optimizations should reduce the user experience. Each optimization setting has been carefully reviewed to
ensure that there is no appreciable degradation to the user experience.

NOTE
The settings in this article can be applied to other Windows 10 installations, such as version 1909, physical devices, or
other virtual machines. There are no recommendations in this article that should affect supportability of Windows 10 in a
virtual desktop environment.

VDI optimization principles


A "full" virtual desktop environment can present a complete desktop session, including applications, to a
computer user over a network. The network delivery vehicle can be an on-premises network, the Internet, or
both. Some implementations of virtual desktop environments use a "base" operating system image, which then
becomes the basis for the desktops subsequently presented to the users for work. There are variations of virtual
desktop implementations such as "persistent", "non-persistent", and "desktop session." The persistent type
preserves changes to the virtual desktop operating system from one session to the next. The non-persistent
type does not preserve changes to the virtual desktop operating system from one session to the next. To the
user this desktop is little different than other virtual or physical device, other than it is accessed over a network.
The optimization settings could take place on a reference machine. A virtual machine (VM) would be an ideal
place to build the VM, because state can be saved, checkpoints can be made, backups can be made, and so on. A
default OS installation is performed to the base VM. That base VM is then optimized by removing unneeded
apps, installing Windows updates, installing other updates, deleting temporary files, applying settings, and so
on.
There are other types of virtual desktop technology such as Remote Desktop Session (RDS) and the recently
released Microsoft Azure Azure Virtual Desktop. An in-depth discussion regarding these technologies is outside
the scope of this article. This article focuses on the Windows base image settings, without reference to other
factors in the environment such as host hardware optimization.
Security and stability are among the highest priorities for Microsoft when it comes to products and services. In
the virtual desktop realm, security is not handled much differently than physical devices. Enterprise customers
may choose to utilize the built-in to Windows services of Windows Security, which comprises a suite of services
that work well connected or not connected to the Internet. For those virtual desktop environments not
connected to the Internet, security signatures can be downloaded proactively several times per day, because
Microsoft may release more than one signature update per day. Those signatures can then be provided to the
virtual desktop devices and scheduled to be installed during production, regardless of persistent or non-
persistent. That way the VM protection is as current as possible.
There are some security settings that are not applicable to virtual desktop environments that are not connected
to the Internet, and thus not able to participate in cloud-enabled security. There are other settings that "normal"
Windows devices may utilize such as Cloud Experience, The Windows Store, and so on. Removing access to
unused features reduces footprint, network bandwidth, and attack surface.
Regarding updates, Windows 10 utilizes a monthly update rhythm. In some cases virtual desktop administrators
control the process of updating through a process of shutting down VMs based on a "master" or "gold" image,
unseal that image which is read-only, patch the image, then reseal it and bring it back into production. Therefore,
there is no need to have virtual desktop devices checking Windows Update. However, there are cases where
normal patching procedures take place, like the case of persistent "personal" virtual desktop devices. In some
cases, Windows Update can be utilized. In some cases, Intune could be utilized. In some cases Microsoft
Endpoint Configuration Manager (formerly SCCM) is utilized to handle update and other package delivery. It is
up to each organization to determine the best approach to updating virtual desktop devices, while reducing
overhead cycles.
The local policy settings, as well as many other settings in this guide, can be overridden with domain-based
policy. It is recommended to go through the policy settings thoroughly and remove or not use any that are not
desired or applicable to your environment. The settings listed in this document try to achieve the best balance of
performance optimization in virtual desktop environments, while maintaining a quality user experience.

NOTE
There is a set of scripts available at GitHub.com, that will do all the work items documented in this paper. The Internet URL
for the optimization scripts can be found at https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-
Tool. This script was designed to be easily customizable for your environment and requirements. The main code is
PowerShell, and the work is done by calling input files, which are plain text (now .JSON), with also Local Group Policy
Object (LGPO) tool export files. These text files contain lists of the apps to be removed, services to be disabled, and so on.
If you don't want to remove a particular app or disable a particular service, you can edit the corresponding text file and
remove the item you do not want acted upon. Finally, there is an export of local policy settings that can be imported into
your environment machines. It's better to have some of the settings within the base image, than to have the settings
applied through group policy, as some of the settings take effect on the next restart or when a component is first used.

Persistent virtual desktop environments


Persistent virtual desktop is at the basic level, a device that saves operating system state in between reboots.
Other software layers of the virtual desktop solution provide the users easy and seamless access to their
assigned VMs, often with a single sign-on solution.
There are several different implementations of persistent virtual desktop.
Traditional VMs, where the VM has its own virtual disk file, starts up normally, and saves changes from one
session to the next. The difference is how the user accesses this VM. There may be a web portal the user
signs in to that automatically directs the user to one or more virtual desktop devices (VMs) assigned to them.
Image-based persistent VMs, optionally with personal virtual disks (PVD). In this type of implementation
there is a base/gold image on one or more host servers. A VM is created, and one or more virtual disks are
created and assigned to this disk for persistent storage.
When the VM is started, a copy of the base image is read into the memory space of that VM. At the
same time, a persistent virtual disk assigned to that VM, with any previous OS deltas is merged
through a complex process.
Changes such as event log writes, log writes, and so on. are redirected to the read/write virtual disk
assigned to that VM.
In this circumstance, OS and app servicing may operate normally, using traditional servicing software
such as Windows Server Update Services, or other management technologies.
The difference between a persistent virtual desktop device and a "normal" virtual desktop device is the
relationship to the master/gold image. At some point updates must be applied to the master. It is at this point
where organizations decide how the user persistent changes are handled. In some cases, the disk with the
user changes is discarded or reset. It may also be that the changes the user makes to the machine are kept
through monthly Quality Updates, and the base is reset following a Feature Update.
Non-persistent virtual desktop environments
When a non-persistent virtual desktop implementation is based on a base or "gold" image, the optimizations
are mostly performed in the base image, and then through local settings and local policies.
With image-based non-persistent (NP) virtual desktop environments, the base image is read-only. When an NP
virtual desktop device (VM) is started, a copy of the base image is streamed to the VM. Activity that occurs
during startup and thereafter until the next reboot is redirected to a temporary location. Usually the users are
provided network locations to store their data. In some cases, the user’s profile is merged with the standard VM
to provide the user their settings.
One important aspect of NP virtual desktop that is based on a single image, is servicing. Updates to the
operating system (OS) and components of the OS are delivered usually once per month. With image based
virtual desktop environment, there is a set of processes that must be performed to get updates to the image:
On a given host, all the VMs on that host, based from the base image must be shut down or turned off.
This means the users are redirected to other VMs.
In some implementations, this is referred to as "draining." The virtual machine or session host, when set
to draining mode, stops accepting new requests, but continues servicing users currently connected to the
device.
In draining mode, when the last user logs off the device, that device is then ready for servicing
operations.
The base image is then opened and started up. All maintenance activities are then performed, such as OS
updates, .NET updates, app updates, and so on.
Any new settings that need to be applied are applied at this time.
Any other maintenance is performed at this time.
The base image is then shut down.
The base image is sealed and set to go back into production.
Users are allowed to log back on.

NOTE
Windows 10 performs a set of maintenance tasks, automatically, on a periodic basis. There is a scheduled task that is set
to run at 3:00 AM every day by default. This scheduled task performs a list of tasks, including Windows Update cleanup.
You can view all the categories of maintenance that take place automatically with this PowerShell command:

Get-ScheduledTask | Where-Object {$_.Settings.MaintenanceSettings}


One of the challenges with non-persistent virtual desktop is that when a user logs off, nearly all the OS activity is
discarded. The user’s profile and/or state may be saved to a centralized location, but the virtual machine itself
discards nearly all changes that were made since last boot. Therefore, optimizations intended for a Windows
computer that saves state from one session to the next are not applicable.
Depending on the architecture of virtual desktop device, things like PreFetch and SuperFetch are not going to
help from one session to the next, as all the optimizations are discarded on VM restart. Indexing may be a partial
waste of resources, as would be any disk optimizations such as a traditional defragmentation.

NOTE
If preparing an image using virtualization, and if connected to the Internet during image creation process, on first logon
you should postpone Feature Updates by going to Settings > Windows Update .

To sysprep or not sysprep


Windows 10 has a built-in capability called the System Preparation Tool, also known as sysprep. The sysprep
tool is used to prepare a customized Windows 10 image for duplication. The sysprep process assures the
resulting OS is properly unique to run in production.
There are reasons for and against running sysprep. In the case of virtual desktop environments, you may want
the ability to customize the default user profile which would be used as the profile template for subsequent
users that sign in using this image. You may have apps that you want installed, but also able to control per-app
settings.
The alternative is to use a standard .ISO to install from, possibly using an unattended installation answer file, and
a task sequence to install applications or remove applications. You can also use a task sequence to set local
policy settings in the image, perhaps using the Local Group Policy Object Utility (LGPO) tool.
To learn more about image preparation for Azure, see Prepare a Windows VHD or VHDX to upload to Azure
Supportability
Anytime that Windows defaults are changed, questions arise regarding supportability. Once a virtual desktop
image (VM or session) is customized, every change made to the image needs to be tracked in a change log. If a
time comes to troubleshoot, often an image can be isolated in a pool and configured for problem analysis. Once
a problem has been tracked to root cause, that change can then be rolled out to the test environment first, and
ultimately to the production workload.
This document intentionally avoids touching system services, policies, or tasks that affect security. After that
comes Windows servicing. The ability to service virtual desktop images outside of maintenance windows is
removed, as maintenance windows are when most servicing events take place in virtual desktop environments,
except for security software updates. Microsoft has published guidance for Windows Security in virtual desktop
environments, here:
Microsoft : Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI)
environment
Please consider supportability when altering default Windows settings. Occasionally difficult to solve problems
arise when altering system services, policies, or scheduled tasks, in the name of hardening, "lightening," and so
on. Consult the Microsoft Knowledge Base for current known issues regarding altered default settings. The
guidance in this document, and the associated script on GitHub will be maintained with respect to known issues,
if any arise. In addition you can report issues in a number of ways to Microsoft.
You can use your favorite search engine with the terms "start value" site:support.microsoft.com to bring up
known issues regarding default start values for services.
You might note that this document and the associated scripts on GitHub do not modify any default permissions.
If you are interested in increasing your security settings, start with the project known as AaronLocker . For
more information, see "AaronLocker" overview.
Virtual desktop optimization categories
Universal Windows Platform (UWP) app cleanup
Optional Features cleanup
Local policy settings
System services
Scheduled tasks
Apply Windows (and other) updates
Automatic Windows traces
Windows Defender optimization with VDI
Client network performance tuning by registry settings
Additional settings from the "Windows Restricted Traffic Limited Functionality Baseline" guidance.
Disk cleanup
Universal Windows Platform (UWP) application cleanup
One of the goals of a virtual desktop image is to be as light as possible with respect to persistent storage. One
way to reduce the size of the image is to remove UWP applications (apps) that won't be used in the
environment. With UWP apps, there are the main application files, also known as the payload. There is a small
amount of data stored in each user’s profile for application-specific settings. There is also a small amount of
data in the "All Users" profile.
In addition, all UWP apps are registered at either the user or machine level at some point after startup for the
device, and login for the user. The UWP apps, which include the Start Menu and the Windows Shell, perform
various tasks at or after installation, and again when a user logs in for the first time, and to a lesser extent at
subsequent logins. For all UWP apps, there are occasional evaluations that take place, such as:
Do you need to update the app to the latest version?
The app, if pinned to the Start Menu, might have live tile data to download
Does the app have a cache of data that needs to be updated, such as maps or weather?
Does the app have persistent data from the user's profile that needs to be presented at login (for example,
Sticky Notes)
With a default installation of Windows 10, not all UWP apps may be used by an organization. Therefore, if those
apps are removed, there are fewer evaluations that need to take place, less caching, and so on. The second
method here is to direct Windows to disable "consumer experiences." This reduces Store activity by having to
check for every user what apps are installed, what apps are available, and then to start downloading some UWP
apps. The performance savings can be significant when there are hundreds or thousands of users, all start work
at approximately the same time, or even starting work at rolling times across time zones.
Connectivity and timing are important factors when it comes to UWP app cleanup. If you deploy your base
image to a device with no network connectivity, Windows 10 cannot connect to the Microsoft Store and
download apps and try to install them while you are trying to uninstall them. This might be a good strategy to
allow you time to customize your image, and then update what remains at a later stage of the image creation
process.
If you modify your base .WIM that you use to install Windows 10 and remove unneeded UWP apps from the
.WIM before you install, the apps will not be installed from the beginning and your subsequent profile creation
times will be shorter. There is a link later in this section with information on how to remove UWP apps from
your installation .WIM file.
A good strategy for the virtual desktop environment is to provision the apps you want in the base image, then
limit or block access to the Microsoft Store afterward. Store apps are updated periodically in the background on
normal computers. The UWP apps can be updated during the maintenance window when other updates are
applied.
Delete the payload of UWP apps
UWP apps that are not needed are still in the file system consuming a small amount of disk space. For apps that
will never be needed, the payload of unwanted UWP apps can be removed from the base image using
PowerShell commands. If you delete UWP app payloads out of the installation .WIM file using the links provided
later in this section, you can start from the beginning with a very slim list of UWP apps.
Run the following command to enumerate provisioned UWP apps from a running OS, as in this truncated
example output from PowerShell:

Get-AppxProvisionedPackage -Online

DisplayName : Microsoft.3DBuilder
Version : 13.0.10349.0
Architecture : neutral
ResourceId : \~
PackageName : Microsoft.3DBuilder_13.0.10349.0_neutral_\~_8wekyb3d8bbwe
Regions :

DisplayName : Microsoft.Appconnector
Version : 2015.707.550
Architecture : neutral
ResourceId : \~
PackageName : Microsoft.Appconnector_2015.707.550.0_neutral_\~_8wekyb3d8bbwe
Regions :
...

UWP apps that are provisioned to a system can be removed during OS installation as part of a task sequence, or
later after the OS is installed. This may be the preferred method because it makes the overall process of creating
or maintaining an image modular. Once you develop the scripts, if something changes in a subsequent build you
edit an existing script rather than repeat the process from scratch.
If you want to learn more, here are some resources that can help you:
Removing Windows 10 in-box apps during a task sequence
Removing Built-in apps from Windows 10 WIM-File with PowerShell - Version 1.3
Windows 10 1607: Keeping apps from coming back when deploying the feature update
Removing Windows 10 in-box apps during a task sequence
Then run the following PowerShell command to remove UWP app payloads:

Remove-AppxProvisionedPackage -Online - PackageName MyAppxPackage

As a final note on this topic, each UWP app should be evaluated for applicability in each unique environment.
You will want to install a default installation of Windows 10, version 2004, then note which apps are running and
consuming memory. For example, you may want to consider removing apps that start automatically, or apps
that automatically display information on the Start Menu, such as Weather and News, and that may not be of
use in your environment.
NOTE
If you're using the scripts from GitHub, you can easily control which apps are removed before running the script. After
downloading the script files, locate the AppxPackage.json file, edit that file, and remove entries for apps that you want to
keep, such as Calculator, Sticky Notes, and so on.

Windows Optional Features cleanup


Managing Optional Features with PowerShell
Microsoft: Windows 10: Managing Optional Features with PowerShell
You can manage Windows Optional Features using PowerShell. To enumerate currently installed Windows
Features, run the following PowerShell command:

Get-WindowsOptionalFeature -Online

Using PowerShell, an enumerated Windows Optional Feature can be configured as enabled or disabled, as in the
following example:

Enabled-WindowsOptionalFeature -Online -FeatureName "DirectPlay" -All

Here's an example command that disables the Windows Media Player feature in the virtual desktop image:

Disable-WindowsOptionalFeature -Online -FeatureName "WindowsMediaPlayer"

Next, you may want to remove the Windows Media Player package. This example command will show you how
to do that:

PS C:\> Get-WindowsPackage -Online -PackageName *media*

PackageName : Microsoft-Windows-MediaPlayer-Package~31bf3856ad364e35~amd64~~10.0.19041.153
Applicable : True
Copyright : Copyright (c) Microsoft Corporation. All Rights Reserved
Company :
CreationTime :
Description : Play audio and video files on your local machine and on the Internet.
InstallClient : DISM Package Manager Provider
InstallPackageName : Microsoft-Windows-MediaPlayer-Package~31bf3856ad364e35~amd64~~10.0.19041.153.mum
InstallTime : 5/11/2020 5:43:37 AM
LastUpdateTime :
DisplayName : Windows Media Player
ProductName : Microsoft-Windows-MediaPlayer-Package
ProductVersion :
ReleaseType : OnDemandPack
RestartRequired : Possible
SupportInformation : http://support.microsoft.com/?kbid=777777
PackageState : Installed
CompletelyOfflineCapable : Undetermined
CapabilityId : Media.WindowsMediaPlayer~~~~0.0.12.0
Custom Properties :

Features : {}

If you want to remove the Windows Media Player package (to free up about 60 MB disk space), you can run this
command:
PS C:\Windows\system32> Remove-WindowsPackage -PackageName Microsoft-Windows-MediaPlayer-
Package~31bf3856ad364e35~amd64~~10.0.19041.153 -Online

Path :
Online : True
RestartNeeded : False

Enable of disabling Windows features using DISM


You can use the built-in Dism.exe tool to enumerate and control Windows Optional Features. A Dism.exe script
could be developed and run during an operating system installation task sequence. The Windows technology
involved is called Features on Demand. See the following article for more about Features on Demand in
Windows:
Microsoft: Features on Demand
Default user settings
You can customize the Windows registry file at C:\Users\Default\NTUSER.DAT . Any setting changes you make to
this file will be applied to any subsequent user profiles created from a machine running this image. You can
control which settings you wish to apply to the default user profile by editing the DefaultUserSettings.txt file.
To reduce transmission of graphical data over the virtual desktop infrastructure, you can set the default
background to a solid color instead of the default Windows 10 image. You can also set the sign-in screen to be a
solid color, as well as turn off the opaque blurring effect on sign-in.
The following settings are applied to the default user profile registry hive, mainly to reduce animations. If some
or all of these settings are not desired, delete out the settings that you do not wish to have applied to new user
profiles based on this image. The goal with these settings is to enable the following equivalent settings:
Show shadows under mouse pointer
Show shadows under windows
Smooth edges of screen fonts
And, new to this version of settings is a method to disable the following two privacy settings for any user profile
created after you run the optimization:
Let websites provide locally relevant content by accessing my language list
Show me suggested content in the Settings app
The following are the optimization settings applied to the default user profile registry hive to optimize
performance. Note that this operation is performed by first loading the default user profile registry hive
NTUser.dat , as the ephemeral key name Temp , and then making the below listed modifications:

Load HKLM\Temp C:\Users\Default\NTUSER.DAT


add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer" /v ShellState /t REG_BINARY /d
240000003C2800000000000000000000 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v IconsOnly /t REG_DWORD /d 1
/f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ListviewAlphaSelect /t
REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ListviewShadow /t REG_DWORD
/d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowCompColor /t REG_DWORD /d
1 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowInfoTip /t REG_DWORD /d 1
/f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarAnimations /t
REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v VisualFXSetting /t
REG_DWORD /d 3 /f
add "HKLM\Temp\Software\Microsoft\Windows\DWM" /v EnableAeroPeek /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\DWM" /v AlwaysHiberNateThumbnails /t REG_DWORD /d 0 /f
add "HKLM\Temp\Control Panel\Desktop" /v DragFullWindows /t REG_SZ /d 0 /f
add "HKLM\Temp\Control Panel\Desktop" /v FontSmoothing /t REG_SZ /d 2 /f
add "HKLM\Temp\Control Panel\Desktop" /v UserPreferencesMask /t REG_BINARY /d 9032078010000000 /f
add "HKLM\Temp\Control Panel\Desktop\WindowMetrics" /v MinAnimate /t REG_SZ /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v 01 /t
REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-
338393Enabled /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-
353694Enabled /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-
353696Enabled /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-
338388Enabled /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-
338389Enabled /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v
SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
add "HKLM\Temp\Control Panel\International\User Profile" /v HttpAcceptLanguageOptOut /t REG_DWORD /d 1 /f
add
"HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.Windows.Photos_8
wekyb3d8bbwe" /v Disabled /t REG_DWORD /d 1 /f
add
"HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.Windows.Photos_8
wekyb3d8bbwe" /v DisabledByUser /t REG_DWORD /d 1 /f
add
"HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.SkypeApp_kzf8qxf
38zg5c" /v Disabled /t REG_DWORD /d 1 /f
add
"HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.SkypeApp_kzf8qxf
38zg5c" /v DisabledByUser /t REG_DWORD /d 1 /f
add
"HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.YourPhone_8wekyb
3d8bbwe" /v Disabled /t REG_DWORD /d 1 /f
add
"HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.YourPhone_8wekyb
3d8bbwe" /v DisabledByUser /t REG_DWORD /d 1 /f
add
"HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.MicrosoftEdge_8w
ekyb3d8bbwe" /v Disabled /t REG_DWORD /d 1 /f
add
"HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.MicrosoftEdge_8w
ekyb3d8bbwe" /v DisabledByUser /t REG_DWORD /d 1 /f
add "HKLM\Temp\Software\Microsoft\InputPersonalization" /v RestrictImplicitInkCollection /t REG_DWORD /d 1
/f
add "HKLM\Temp\Software\Microsoft\InputPersonalization" /v RestrictImplicitTextCollection /t REG_DWORD /d 1
/f
add "HKLM\Temp\Software\Microsoft\Personalization\Settings" /v AcceptedPrivacyPolicy /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\InputPersonalization\TrainedDataStore" /v HarvestContacts /t REG_DWORD /d
0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v
ScoobeSystemSettingEnabled /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v
ScoobeSystemSettingEnabled /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v
ScoobeSystemSettingEnabled /t REG_DWORD /d 0 /f
Unload HKLM\Temp

Another series of default user settings recently added is to disable several Windows apps from starting and
running in the background. While not significant on a single device, Windows 10 starts up a number of
processes for each user session on a given device (host). The Skype app is one example, and Microsoft Edge is
another. The settings included turn off several apps from being able to run in the background. If this
functionality is desired as it is, just delete out the lines in the "DefaultUserSettings.txt" file that include the app
names "Windows.Photos ," "SkypeApp ," "YourPhone ," and/or "MicrosoftEdge ."
Local policy settings
Many optimizations for Windows 10 in a virtual desktop environment can be made using Windows policy. The
settings listed in the table in this section can be applied locally to the base/gold image. Then if the equivalent
settings are not specified in any other way, such as group policy, the settings would still apply.
Note that some decisions may be based on the specifics of the environment.
Is the virtual desktop environment allowed to access the Internet?
Is the virtual desktop solution persistent or non-persistent?
The following settings were chosen to not counter or conflict with any setting that has anything to do with
security. These settings were chosen to remove settings or disable functionality that may not be applicable to
virtual desktop environments.

P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Local Computer Policy \ N/A N/A N/A


Computer Configuration \
Windows Settings \ Security
Settings

Network List Manager All networks properties Network location User cannot change
policies location (This is set to
prevent the right-hand side
pop-up when a new
network is detected)

Local Computer Policy \ N/A N/A


Computer Configuration \
Administrative Templates \
Control Panel

Control Panel Allow Online Tips N/A Disabled (Settings will not
contact Microsoft content
services to retrieve tips and
help content)

Control Panel \ Force a specific default lock N/A Enabled (This setting allows
Personalization screen and logon image) you to force a specific
default lock screen and
logon image by entering
the path (location) of the
image file. The same image
will be used for both the
lock and logon screens.
The reason for this
recommendation is to
reduce bytes
transmitted over the
network for virtual
desktop environments.
This setting can be
removed or customized
for each environment.)

Control Panel\ Regional and Turn off automatic learning N/A Enabled (With this policy
Language setting enabled, automatic
Options\Handwriting learning stops, and any
personalization stored data is deleted.
Users cannot configure this
setting in Control Panel)

Local Computer Policy \ N/A N/A N/A


Computer Configuration \
Administrative Templates \
Network
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Background Intelligent Allow BITS Peercaching N/A Disabled (This policy


Transfer Service (BITS) setting determines if the
Background Intelligent
Transfer Service (BITS) peer
caching feature is enabled
on a specific computer.)

Background Intelligent Do not allow the BITS client N/A Enabled (With this policy
Transfer Service (BITS) to use Windows Branch setting enabled, the BITS
Cache client does not use
Windows Branch Cache.)
The reason for this
recommendation is so
that virtual desktop
devices are not used for
content caching, and
the devices will not be
allowed to use the
network bandwidth to
do so.

Background Intelligent Do not allow the computer N/A Enabled (With this policy
Transfer Service (BITS) to act as a BITS Peercaching setting enabled, the
client computer will no longer use
the BITS peer caching
feature to download files;
files will be downloaded
only from the origin server.)

Background Intelligent Do not allow the computer N/A Enabled (With this policy
Transfer Service (BITS) to act as a BITS Peercaching setting enabled, the
server computer will no longer
cache downloaded files and
offer them to its peers.)

BranchCache Turn on BranchCache N/A Disabled (With this


selection disabled,
BranchCache is turned off
for all client computers
where the policy is applied.)

*Fonts Enabled Font Providers N/A Disabled (With this setting


disabled, Windows does not
connect to an online font
provider and only
enumerates locally installed
fonts)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Hotspot Authentication Enable hotspot N/A Disabled (This policy


Authentication setting defines whether
WLAN hotspots are probed
for Wireless Internet Service
Provider roaming (WISPr)
protocol support. With this
policy setting disabled,
WLAN hotspots are not
probed for WISPr protocol
support, and users can only
authenticate with WLAN
hotspots using a web
browser.)

Microsoft Peer-to-Peer Turn off Microsoft Peer-to- N/A Enabled (This setting turns
Networking Services Peer Networking Services off Microsoft Peer-to-Peer
Networking Services in its
entirety and will cause all
dependent applications to
stop working. If you enable
this setting, peer-to-peer
protocols will be turned off.)

Network Connectivity Specify passive polling Disable passive poling Enabled (This Policy setting
Status Indicator (checkbox) enables you to specify
(There are other passive polling behavior.
settings in this section NCSI polls various
that can be used in measurements throughout
isolated networks) the network stack on a
frequent interval to
determine if network
connectivity has been lost.
Use the options to control
the passive polling
behavior.)
Disabling NCIS passive
polling can improve
CPU workload on
servers or other
machines whose
network connectivity is
static.

Offline Files Allow or Disallow use of the N/A Disabled (This policy
Offline Files feature setting determines whether
the Offline Files feature is
enabled. Offline Files saves
a copy of network files on
the user's computer for use
when the computer is not
connected to the
network.With this policy
setting disabled, Offline
Files feature is disabled and
users cannot enable it.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*TCPIP Settings\ IPv6 Set Teredo State Disabled State Enabled (With this setting
Transition Technologies enabled, and set to
"Disabled State", no Teredo
interfaces are present on
the host)

*WLAN Service\ WLAN Allow Windows to N/A Disabled (This policy


Settings automatically connect to setting determines whether
suggested open hot spots, users can enable the
to networks shared by following WLAN settings:
contacts, and to hot spots "Connect to suggested
offering paid services open hotspots," "Connect
to networks shared by my
contacts," and "Enable paid
services." With this policy
setting disabled, "Connect
to suggested open
hotspots," "Connect to
networks shared by my
contacts," and "Enable paid
services" will be turned off
and users on this device will
be prevented from enabling
them.)

WWAN Service\ Cellular Let Windows apps access Default for all apps: Force Enabled (If you choose the
Data Access cellular data Deny "Force Deny" option,
Windows apps are not
allowed to access cellular
data and users cannot
change it.)

Local Computer Policy \ N/A N/A


Computer Configuration \
Administrative Templates \
Start Menu and Taskbar

*Notifications Turn off notifications N/A Enabled (With this policy


network usage setting enabled,
applications and system
features will not be able
receive notifications from
the network from WNS or
via notification polling APIs)

Local Computer Policy \ N/A N/A N/A


Computer Configuration \
Administrative Templates \
System

Device Installation Do not send a Windows N/A Enabled (With this policy
error report when a generic setting enabled, an error
driver is installed on a report is not sent when a
device generic driver is installed.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Device Installation Prevent creation of a N/A Enabled (With this policy


system restore point during setting enabled, Windows
device activity that would does not create a system
normally prompt creation of restore point when one
a restore point would normally be created.)

Device Installation Prevent device metadata N/A Enabled (This policy setting
retrieval from the Internet allows you to prevent
Windows from retrieving
device metadata from the
Internet. With this policy
setting enabled, Windows
does not retrieve device
metadata for installed
devices from the Internet.
This policy setting overrides
the setting in the Device
Installation Settings dialog
box (Control Panel >
System and Security >
System > Advanced System
Settings > Hardware tab).)

Device Installation Turn off "Found New N/A Enabled (This policy setting
Hardware" balloons during allows you to turn off
device installation "Found New Hardware"
balloons during device
installation. With this policy
setting enabled, "Found
New Hardware" balloons do
not appear while a device is
being installed.)

Filesystem\NTFS Short name creation Short name creation Enabled (These settings
options options: Disabled on all provide control over
volumes whether or not short
names are generated
during file creation. Some
applications require short
names for compatibility, but
short names have a
negative performance
impact on the system. With
short names disabled on all
volumes then they will
never be generated.)

*Group Policy Continue experiences on N/A Disabled (This policy


this device setting determines whether
the Windows device is
allowed to participate in
cross-device experiences
(continue experiences).
Disabling this policy
prevents this device from
being discoverable by other
devices, and thus cannot
participate in cross-device
experiences.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Internet Communication Turn off Event Viewer N/A Enabled (This policy setting
Management\ Internet "Events.asp" links specifies whether
Communication settings "Events.asp" hyperlinks are
available for events within
the Event Viewer
application.)

Internet Communication Turn off handwriting N/A Enabled (Turns off data
Management\ Internet personalization data sharing sharing from the
Communication settings handwriting recognition
personalization tool.)

Internet Communication Turn off handwriting N/A Enabled (Turns off the
Management\ Internet recognition error reporting handwriting recognition
Communication settings error reporting tool.)

Internet Communication Turn off Help and Support N/A Enabled (This policy setting
Management\ Internet Center Microsoft specifies whether users can
Communication settings Knowledge Base search perform a Microsoft
Knowledge Base search
from the Help and Support
Center.)

Internet Communication Turn off Internet N/A Enabled (This policy setting
Management\ Internet Connection Wizard if URL specifies whether the
Communication settings connection is referring to Internet Connection Wizard
Microsoft.com can connect to Microsoft to
download a list of Internet
Service Providers (ISPs).)

Internet Communication Turn off Internet download N/A Enabled (This policy setting
Management\ Internet for Web publishing and specifies whether Windows
Communication settings online ordering wizards should download a list of
providers for the web
publishing and online
ordering wizards.)

Internet Communication Turn off Internet File N/A Enabled (This policy setting
Management\ Internet Association service specifies whether to use the
Communication settings Microsoft Web service for
finding an application to
open a file with an
unhandled file association.)

Internet Communication Turn off Registration if URL N/A Enabled (This policy setting
Management\ Internet connection is referring to specifies whether the
Communication settings Microsoft.com Windows Registration
Wizard connects to
Microsoft.com for online
registration.)

Internet Communication Turn off Search Companion N/A Enabled (This policy setting
Management\ Internet content file updates specifies whether Search
Communication settings Companion should
automatically download
content updates during
local and Internet searches.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Internet Communication Turn off the "Order Prints" N/A Enabled (If you enable this
Management\ Internet picture task policy setting, the task
Communication settings "Order Prints Online" is
removed from Picture Tasks
in File Explorer folders.)

Internet Communication Turn off the "Publish to N/A *Enabled (This policy setting
Management\ Internet Web" task for files and specifies whether the tasks
Communication settings folders "Publish this file to the
Web," "Publish this folder to
the Web," and "Publish the
selected items to the Web"
are available from File and
Folder Tasks in Windows
folders.)

Internet Communication Turn off Windows Customer N/A Enabled (The Windows
Management\ Internet Experience Improvement Customer Experience
Communication settings Program Improvement Program
(CEIP) collects information
about your hardware
configuration and how you
use our software and
services to identify trends
and usage patterns. If you
enable this policy setting, all
users are opted out of the
Windows CEIP.)

Internet Communication Turn off Windows Error N/A Enabled (This policy setting
Management\ Internet Reporting controls whether or not
Communication settings errors are reported to
Microsoft. If you enable this
policy setting, users are not
given the option to report
errors.)

Internet Communication Turn off Windows Update N/A Enabled (This policy setting
Management\ Internet device driver searching specifies whether Windows
Communication settings searches Windows Update
for device drivers when no
local drivers for a device are
present. If you enable this
policy setting, Windows
Update is not searched
when a new device is
installed.)

Logon Do not display the Getting N/A Enabled (With this setting
Started welcome screen at enabled, the welcome
logon screen is hidden from the
user logging on to a
Windows device.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Logon Do not enumerate N/A Enabled (With this setting


connected users on enabled, the Logon UI will
domain-joined computers not enumerate any
connected users on
domain-joined computers.)

Logon Enumerate local users on N/A Disabled (With this setting


domain-joined computers disabled, the Logon UI will
not enumerate local users
on domain-joined
computers.)

Logon Show clear logon N/A Enabled (This policy setting


background disables the acrylic blur
effect on logon background
image. With this setting
enabled, the logon
background image shows
without blur.)

Logon Show first sign-in animation N/A Disabled (This policy


setting allows you to
control whether users see
the first sign-in animation
when signing in to the
computer for the first time.
This applies to both the first
user of the computer who
completes the initial setup
and users who are added to
the computer later. It also
controls if Microsoft
account users will be
offered the opt-in prompt
for services during their first
sign-in.
With this setting
disabled, users will not
see the first logon
animation and
Microsoft account users
will not see the opt-in
prompt for services.)

Logon Turn off app notifications on N/A Enabled (This policy setting
the lock screen allows you to prevent app
notifications from appearing
on the lock screen. With
this setting enabled, no app
notifications are displayed
on the lock screen.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Power Management Select an active power plan Active Power Plan: High Enabled (If you enable this
Performance policy setting, specify a
power plan from the Active
Power Plan list.)
With the "Power"
service disabled, the
Powercfg.cpl UI is not
able to display these
power options, and
instead returns an RPC
error.

Power Management \ Video Turn on desktop N/A Disabled (This policy


and Display Settings background slideshow setting allows you to specify
(plugged-in) if Windows should enable
the desktop background
slideshow.) With this setting
disabled, the desktop
background slideshow is
disabled. This setting likely
has no effect on a VM.

Recovery Allow restore of system to N/A Disabled (With this setting


default state disabled, the items "Use a
system image you created
earlier to recover your
computer" and "Reinstall
Windows" (or "Return your
computer to factory
condition") in Recovery (in
Control Panel) will be
unavailable.)

*Storage Health Allow downloading updates N/A Disabled (Updates would


to the Disk Failure not be downloaded for the
Prediction Model Disk Failure Prediction
Failure Model)

System Restore Turn off System Restore N/A Enabled (With this setting
enabled, System Restore is
turned off, and the System
Restore Wizard cannot be
accessed. The option to
configure System Restore or
create a restore point
through System Protection
is also disabled.).)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Troubleshooting and Configure Scheduled N/A Disabled (Determines


Diagnostics\ Scheduled Maintenance Behavior whether scheduled
Maintenance diagnostics will run to
proactively detect and
resolve system problems.
With this policy setting
disabled, Windows will not
be able to detect,
troubleshoot or resolve
problems on a scheduled
basis.)

Troubleshooting and Troubleshooting: Allow N/A Disabled (With this setting


Diagnostics\ Scripted users to access and run disabled, users cannot
Diagnostics Troubleshooting wizards access or run the
troubleshooting tools from
the Control Panel.)

Troubleshooting and Troubleshooting: Allow N/A Disabled (With this setting


Diagnostics\ Scripted users to access online disabled, users can only
Diagnostics troubleshooting content on access and search
Microsoft servers from the troubleshooting content
Troubleshooting Control that is available locally on
Panel (via the Windows their computers, even if
Online Troubleshooting they are connected to the
Service – WOTS) Internet. They are
prevented from connecting
to the Microsoft servers
that host the Windows
Online Troubleshooting
Service.
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Troubleshooting and Configure Scenario N/A Disabled (Determines the


Diagnostics\ Windows Boot Execution Level execution level for Windows
Performance Diagnostics Boot Performance
Diagnostics. If you disable
this policy setting, Windows
will not be able to detect,
troubleshoot or resolve any
Windows Boot Performance
problems that are handled
by the DPS.)
This setting can be very
useful during design,
test, development, or
maintenance phases.
This setting could be
enabled on an isolated
VM or session host,
measurements taken,
and results noted in
event logs under
"Microsoft-Windows-
Diagnostics-
Performance/Operation
al" Source: Diagnostics-
Performance, Task
Category "Boot
Performance
Monitoring."
ALSO : With the DPS
service disabled, this
setting has no effect, as
Windows will not be
logging performance
data.

Troubleshooting and Configure Scenario N/A Disabled (This policy


Diagnostics\ Windows Execution Level setting determines whether
Memory Leak Diagnostics Diagnostic Policy Service
(DPS) diagnoses memory
leak problems. With this
setting disabled, the DPS is
not able to diagnose
memory leak problems.)
Many diagnostics
modes can be enabled,
and tools used such as
WPT, though these are
usually done in
dev/test/maintenance
scenarios and not
enabled and used on
production VMs or
sessions
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Troubleshooting and Enable/Disable PerfTrack N/A Disabled (This policy


Diagnostics\ Windows setting specifies whether to
Performance PerfTrack enable or disable tracking of
responsiveness events. With
this setting disabled,
responsiveness events are
not processed.)

Troubleshooting and Configure Scenario N/A Disabled (Determines the


Diagnostics\ Windows Execution Level execution level for Windows
Resource Exhaustion Resource Exhaustion
Detection and Resolution Detection and Resolution.
With this setting disabled,
Windows will not be able to
detect, troubleshoot or
resolve any Windows
Resource Exhaustion
problems that are handled
by the DPS.)

Troubleshooting and Configure Scenario N/A Disabled (Determines the


Diagnostics\ Windows Execution Level execution level for Windows
Shutdown Performance Shutdown Performance
Diagnostics Diagnostics. With this
setting disabled, Windows
will not be able to detect,
troubleshoot or resolve any
Windows Shutdown
Performance problems that
are handled by the DPS.)

Troubleshooting and Configure Scenario N/A Disabled (Determines the


Diagnostics\ Windows Execution Level execution level for Windows
Standby/Resume Standby/Resume
Performance Diagnostics Performance Diagnostics.
With this setting disabled,
Windows will not be able to
detect, troubleshoot or
resolve any Windows
Standby/Resume
Performance problems that
are handled by the DPS.)

Troubleshooting and Configure Scenario N/A Disabled (Determines the


Diagnostics\ Windows Execution Level execution level for Windows
System Responsiveness System Responsiveness
Performance Diagnostics Diagnostics. With this
setting disabled, Windows
will not be able to detect,
troubleshoot or resolve any
Windows System
Responsiveness problems
that are handled by the
DPS.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*User Profiles Turn off the advertising ID N/A Enabled (With this setting
enabled, the advertising ID
is turned off. Apps can't use
the ID for experiences
across apps)

Local Computer Policy \ N/A N/A N/A


Computer Configuration \
Administrative Templates \
Windows Components

*App Privacy Let Windows apps access Default for all apps: Force Enabled (With this setting
diagnostic information Deny enabled, and using the
about other apps "Force Deny" option,
Windows apps are not
allowed to get diagnostic
information about other
apps and employees in your
organization cannot change
it.)

*App Privacy Let Windows apps access Default for all apps: Force Enabled (With this setting
location Deny enabled, and using the
"Force Deny" option,
Windows apps are not
allowed to access location
and users cannot change
the setting.

*App Privacy Let Windows apps access Default for all apps: Force Enabled (With this setting
motion Deny enabled, and using the
"Force Deny" option,
Windows apps are not
allowed to access motion
data and users cannot
change the setting.)

*App Privacy Let Windows apps access Default for all apps: Force Enabled (With this setting
notifications Deny enabled, and using the
"Force Deny" option,
Windows apps are not
allowed to access
notifications and users
cannot change the setting)

*App Privacy Let Windows apps activate Default for all apps: Force Enabled (This policy setting
with voice Deny specifies whether Windows
apps can be activated by
voice.)

*App Privacy Let Windows apps activate Default for all apps: Force Enabled (This policy setting
with voice while the system Deny specifies whether Windows
is locked apps can be activated by
voice while the system is
locked.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*App Privacy Let Windows apps control Default for all apps: Force Enabled (If you choose the
radios Deny "Force Deny" option,
Windows apps will not have
access to control radios and
employees in your
organization cannot change
it)

Application Compatibility Turn off Inventory Collector N/A Enabled (This policy setting
controls the state of the
Inventory Collector. The
Inventory Collector
inventories applications,
files, devices, and drivers on
the system and sends the
information to Microsoft.
With this policy setting
enabled, the Inventory
Collector will be turned off
and data will not be sent to
Microsoft. Collection of
installation data through
the Program Compatibility
Assistant is also disabled.)

AutoPlay Policies Set the default behavior for Do not execute any autorun Enabled (This policy setting
AutoRun commands sets the default behavior for
Autorun commands.)

*AutoPlay Policies Turn off Autoplay All drives Enabled (If you enable this
policy setting, Autoplay is
disabled on all drives.)

*Cloud Content Do not show Windows tips N/A Enabled (This policy setting
prevents Windows tips from
being shown to users)

*Cloud Content Turn off Microsoft consumer N/A Enabled (With this policy
experiences setting enabled, users will
no longer see personalized
recommendations from
Microsoft and notifications
about their Microsoft
account)

*Data Collection and Allow Telemetry 0 – Security [Enterprise Enabled (Setting a value of
Preview Builds Only] 0 applies to devices running
Enterprise, Education, IoT,
or Windows Server editions
only, and reduces telemetry
sent to the most basic level
supported)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Data Collection and Preview Configure collection of Configure telemetry Enabled (You can configure
Builds browsing data for Desktop collection: Do not allow Microsoft Edge to send
Analytics sending intranet or internet intranet history only,
history internet history only, or
both to Desktop Analytics
for enterprise devices with a
configured Commercial ID.
If disabled or not
configured, Microsoft Edge
does not send browsing
history data to Desktop
Analytics.)

*Data Collection and Do not show feedback N/A Enabled (This policy setting
Preview Builds notifications allows an organization to
prevent its devices from
showing feedback questions
from Microsoft.)

Delivery Optimization Download Mode Download Mode: Simple Enabled (99 = Simple
(99) download mode with no
peering. Delivery
Optimization downloads
using HTTP only and does
not attempt to contact the
Delivery Optimization cloud
services.)

Desktop Window Manager Do not allow window N/A Enabled (This policy setting
animations controls the appearance of
window animations such as
those found when
restoring, minimizing, and
maximizing windows. With
this policy setting enabled,
window animations are
turned off.)

Desktop Window Manager Use solid color for Start N/A Enabled ((This policy
background setting controls the Start
background visuals. With
this policy setting enabled,
the Start background will
use a solid color.)

Edge UI Allow edge swipe N/A Disabled (If you disable


this policy setting, users will
not be able to invoke any
system UI by swiping in
from any screen edge.)

Edge UI Disable help tips N/A Enabled (If this setting is


enabled, Windows will not
show any help tips to the
user.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

File Explorer Do not show the "new N/A Enabled (This policy
application installed" removes the end-user
notification notification for new
application associations.
These associations are
based on file types (for
example, TXT files) or
protocols (for example,
HTTP). If this policy is
enabled, no notifications will
be shown to the end-user)

File History Turn off File History N/A Enabled (With this policy
setting enabled, File History
cannot be activated to
create regular, automatic
backups.)

*Find My Device Turn On/Off Find My Device N/A Disabled (When Find My
Device is off, the device and
its location are not
registered, and the "Find
My Device" feature will not
work. The user will also not
be able to view the location
of the last use of their
active digitizer on their
device.)

Homegroup Prevent the computer from N/A Enabled (If you enable this
joining a homegroup policy setting, users cannot
add computers to a
homegroup. This policy
setting does not affect
other network sharing
features.)

*Internet Explorer Allow Microsoft services to N/A Disabled (users won't


provide enhanced receive enhanced
suggestions as the user suggestions while typing in
types in the Address bar the Address bar. In addition,
users won't be able to
change the Suggestions
setting)

Internet Explorer Disable Periodic Check for N/A Enabled (Prevents Internet
Internet Explorer software Explorer from checking
updates whether a new version of
the browser is available.)

Internet Explorer Disable showing the splash N/A Enabled (Prevents the
screen Internet Explorer splash
screen from appearing
when users start the
browser.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Internet Explorer Install new versions of N/A Disabled (This policy


Internet Explorer setting configures Internet
automatically Explorer to automatically
install new versions of
Internet Explorer when they
are available.)

Internet Explorer Prevent participation in the N/A Enabled (This policy setting
Customer Experience prevents the user from
Improvement Program participating in the
Customer Experience
Improvement Program
(CEIP).)

Internet Explorer Prevent running First Run Go directly to home page Enabled (This policy setting
wizard prevents Internet Explorer
from running the First Run
wizard the first time a user
starts the browser after
installing Internet Explorer
or Windows.)

Internet Explorer Set tab process growth Low Enabled (This policy setting
allows you to set the rate at
which Internet Explorer
creates new tab processes.)

Internet Explorer Turn off add-on N/A Enabled (This policy setting
performance notifications prevents Internet Explorer
from displaying a
notification when the
average time to load all the
user's enabled add-ons
exceeds the threshold.)

Internet Explorer Turn off Automatic Crash N/A Enabled (This policy setting
Recovery turns off Automatic Crash
Recovery. With this policy
setting enabled, Automatic
Crash Recovery does not
prompt the user to recover
his or her data after a
program stops responding.)

*Internet Explorer Turn off browser N/A Enabled (With this policy
geolocation setting enabled, browser
geolocation support is
turned off)

*Internet Explorer Turn on Suggested Sites N/A Disabled (With this policy
setting disabled, the entry
points and functionality
associated with this feature
are turned off.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Internet Explorer\ Internet Play animations in web N/A Disabled (This policy
Control Panel\ Advanced pages setting allows you to
Page manage whether Internet
Explorer will display
animated pictures found in
Web content. Generally
only animated GIF files are
affected by this setting;
active Web content such as
java applets are not.)

Internet Explorer\ Internet Play sounds in web pages N/A Disabled (With this policy
Control Panel\ Advanced setting disabled, Internet
Page Explorer will not play or
download sounds in Web
content, helping pages
display more quickly.)

Internet Explorer\ Internet Play videos in web pages N/A Disabled (If you disable
Control Panel\ Advanced this policy setting, Internet
Page Explorer will not play or
download videos, helping
pages display more quickly.)

Internet Explorer\ Internet Turn off loading websites N/A Enabled (With this policy
Control Panel\ Advanced and content in the setting enabled, IE doesn’t
Page background to optimize load any websites or
performance content in the background.)

*Internet Explorer\ Internet Turn off the flip ahead with N/A Enabled (Microsoft collects
Control Panel\ Advanced page prediction features your browsing history to
Page improve how flip ahead
with page prediction works.
If you enable this policy
setting, flip ahead with page
prediction is turned off and
the next webpage isn't
loaded into the
background.)

Internet Explorer\ Internet Turn off phone number N/A Enabled (This policy setting
Settings\ Advanced detection determines whether phone
Settings\ Browsing numbers are recognized
and turned into hyperlinks,
which can be used to
invoke the default phone
application on the system. If
you disable this policy
setting, phone number
detection is turned on.
Users won't be able to
modify this setting.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Internet Information Prevent IIS installation N/A Enabled (With this policy
Services setting enabled, IIS cannot
be installed, and you will
not be able to install
Windows components or
applications that require
IIS.)

*Location and Sensors Turn off location N/A Enabled (With this setting
enabled, the location
feature is turned off, and all
programs on this device are
prevented from using
location information from
the location feature)

Location and Sensors Turn off sensors N/A Enabled (This policy setting
turns off the sensor feature
for this device. With this
policy setting enabled, the
sensor feature is turned off,
and all programs on this
computer cannot use the
sensor feature.)

Locations and Sensors / Turn off Windows Location N/A Enabled (This policy setting
Windows Location Provider Provider turns off the Windows
Location Provider feature
for this device.)

*Maps Turn off Automatic N/A Enabled (With this setting


Download and Update of enabled, the automatic
Map Data download and update of
map data is turned off.)

*Maps Turn off unsolicited network N/A Enabled (With this setting
traffic on the Offline Maps enabled, features that
settings page generate network traffic on
the Offline Maps settings
page are turned off. Note:
This may turn off the entire
settings page)

*Messaging Allow Message Service N/A Disabled (This policy


Cloud Sync setting allows backup and
restore of cellular text
messages to Microsoft's
cloud services.)

*Microsoft Edge Allow configuration updates N/A Disabled (With this setting
for the Books Library disabled, Microsoft Edge
won't automatically
download updated
configuration data for the
Books Library.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*Microsoft Edge Allow extended telemetry N/A Disabled (With this setting
for the Books tab disabled, Microsoft Edge
only sends basic telemetry
data, depending on your
device configuration.)

Microsoft Edge Allow Microsoft Edge to Configure pre-launch: Enabled (With this setting
pre-launch at Windows Prevent pre-launching enabled and configured to
startup, when the system is prevent pre-launch,
idle, and each time Microsoft Edge won’t pre-
Microsoft Edge is closed launch during Windows
sign in, when the system is
idle, or each time Microsoft
Edge is closed.)

Microsoft Edge Allow Microsoft Edge to Configure tab preloading: Enabled (This policy setting
start and load the Start and Prevent tab-preloading lets you decide whether
New Tab page at Windows Microsoft Edge can load the
startup and each time Start and New Tab page
Microsoft Edge is closed during Windows sign in and
each time Microsoft Edge is
closed. By default this
setting is to allow
preloading. With preloading
disabled, Microsoft Edge
won’t load the Start or New
Tab page during Windows
sign in and each time
Microsoft Edge is closed.)

Microsoft Edge Allow web content on New N/A Disabled (With this setting
Tab page disabled, Edge opens a new
tab with a blank page. If
this setting is configured,
users cannot change the
setting.)

*Microsoft Edge Prevent the First Run N/A Enabled (users won’t see
webpage from opening on the First Run page when
Microsoft Edge opening Microsoft Edge for
the first time)

OneDrive Prevent OneDrive from N/A Enabled (Enable this


generating network traffic setting to prevent the
until the user signs in to OneDrive sync client
OneDrive (OneDrive.exe) from
generating network traffic
(checking for updates, and
so on.) until the user signs
in to OneDrive or starts
syncing files to the local
computer)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Online Assistance Turn off Active Help N/A Enabled (With this policy
setting enabled, active
content links are not
rendered. The text is
displayed, but there are no
clickable links for these
elements.)

OOBE Don’t launch privacy N/A Enabled (When logging


settings experience on user into a new user account for
logon the first time or after an
upgrade in some scenarios,
that user may be presented
with a screen or series of
screens that prompts the
user to choose privacy
settings for their account.
Enable this policy to
prevent this experience
from launching.)

RSS Feeds Prevent automatic N/A Enabled (This policy setting


discovery of feeds and Web prevents users from having
Slices Internet Explorer
automatically discover
whether a feed or Web Slice
is available for an associated
webpage.)

*RSS Feeds Turn off background N/A Enabled (With this policy
synchronization for feeds setting enabled, the ability
and Web Slices to synchronize feeds and
Web Slices in the
background is turned off.)

*Search Allow Cortana N/A Disabled (This policy


setting specifies whether
Cortana is allowed on the
device. When Cortana is off,
users will still be able to use
search to find things on the
device.)

Search Allow Cortana above lock N/A Disabled (This policy


screen setting determines whether
or not the user can interact
with Cortana using speech
while the system is locked.)

*Search Allow search and Cortana N/A Disabled (This policy


to use location setting specifies whether
search and Cortana can
provide location aware
search and Cortana results.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Search Control rich previews for Control Rich Previews for Enabled (Enabling this
attachments Attachments:.docx;.xlsx;.tx policy defines a semicolon-
t;.xls delimited list of file
extensions which will be
allowed to have rich
attachment previews.)
NOTE : This setting can
be used to limit what
types of attachments
are previewed, which
can also help prevent
automatically
previewing some
potentially dangerous
contents types.

Search Do not allow web search N/A Enabled (Enabling this


policy removes the option
of searching the Web from
Windows Desktop Search.)

*Search Don’t search the web or N/A Enabled (With this policy
display web results in setting enabled, queries
Search won't be performed on the
web and web results won't
be displayed when a user
performs a query in Search.)

Search Enable indexing uncached N/A Disabled (Enabling this


Exchange folders policy allows indexing of
mail items on a Microsoft
Exchange server when
Microsoft Outlook is not
running in cached mode.
The default behavior for
search is to not index
uncached Exchange folders.
Disabling this policy will
block any indexing of
uncached Exchange folders.)

Search Prevent indexing files in N/A Enabled (If enabled, files


offline files cache on network shares made
available offline are not
indexed. Otherwise they are
indexed. Disabled by
default.)

*Search Set what information is Anonymous info Enabled (Anonymous info:


shared in Search Share usage information
but don't share search
history, Microsoft account
info or specific location)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Search Stop indexing in the event MB Limit: 5000 Enabled (Enabling this
of limited hard drive space policy prevents indexing
from continuing after less
than the specified amount
of hard drive space is left on
the same drive as the index
location. Select between 0
and 2147483647 MB.)

Software Protection Turn off KMS Client Online N/A Enabled (With this setting
Platform AVS Validation enabled, the device does
not send data to Microsoft
regarding its activation
state)

*Speech Allow Automatic Update of N/A Disabled (Specifies


Speech Data whether the device will
receive updates to the
speech recognition and
speech synthesis models.)

Store Turn off the offer to update N/A Enabled (Enables or


to the latest version of disables the Store offer to
Windows update to the latest version
of Windows. If you enable
this setting, the Store
application will not offer
updates to the latest
version of Windows.)

Text Input Improve inking and typing N/A Disabled (This policy
recognition setting controls the ability
to send inking and typing
data to Microsoft to
improve the language
recognition and suggestion
capabilities of apps and
services running on
Windows.)

Windows Error Reporting Disable Windows Error N/A Enabled (With this policy
Reporting setting enabled, Windows
Error Reporting does not
send any problem
information to Microsoft.
Additionally, solution
information is not available
in Security and
Maintenance in Control
Panel.)

Windows Game Recording Enables or disables N/A Disabled (With this setting
and Broadcasting Windows Game Recording disabled, Windows Game
and Broadcasting Recording will not be
allowed.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Windows Ink Workspace Allow Windows Ink Choose one of the following Enabled (With this setting
Workspace actions: Disabled enabled and sub-setting set
to disabled, Windows Ink
Workspace functionality is
unavailable.)

Windows Installer Control maximum size of 5 Enabled (This policy


baseline file cache controls the percentage of
disk space available to the
Windows Installer baseline
file cache. With this policy
setting enabled you can
modify the maximum size of
the Windows Installer
baseline file cache.)

Windows Installer Turn off creation of System N/A Enabled (With this policy
Restore checkpoints setting enabled, the
Windows Installer does not
generate System Restore
checkpoints when installing
applications.)

Windows Mobility Center Turn off Windows Mobility N/A Enabled (With this policy
Center setting enabled, the user is
unable to invoke Windows
Mobility Center. The
Windows Mobility Center
UI is removed from all shell
entry points and the .exe
file does not launch it.)

Windows Reliability Analysis Configure Reliability WMI N/A Disabled (With this policy
Providers setting disabled, Reliability
Monitor will not display
system reliability
information, and WMI-
capable applications will be
unable to access reliability
information from the listed
providers.)

Windows Security \ Hide non-critical N/A Enabled (With this setting


Notifications notifications enabled, local users will only
see critical notifications
from Windows Security.
They will not see other
types of notifications, such
as regular PC or device
health information.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Windows Update Turn on Software N/A Disabled (This policy


Notifications setting allows you to
control whether users see
detailed enhanced
notification messages about
featured software from the
Microsoft Update service.
Enhanced notification
messages convey the value
and promote the
installation and use of
optional software. This
policy setting is intended
for use in loosely managed
environments in which you
allow the end user access to
the Microsoft Update
service.)

*Windows Update\ Manage preview builds Set the behavior for Enabled (Selecting "Disable
Windows Update for receiving preview builds: preview builds" will prevent
Business Disable preview builds preview builds from
installing on the device. This
will prevent users from
opting into the Windows
Insider Program, through
Settings -> Update and
Security)

*Windows Update\ Select when Preview Builds Select the Windows Enabled (Enable this policy
Windows Update for and Feature Updates are readiness level for the to specify the level of
Business received updates you want to Preview Build or Feature
receive: Updates to receive, and
Semi-Annual when. Semi-Annual
Channel Channel: Receive feature
updates when they are
After a Preview Build or released to the general
Feature Update is public.
released, defer receiving When Selecting Semi-
it for this many days: Annual Channel:
365
- You can defer
Pause Preview Builds or receiving Feature
Feature Updates Updates for up to 365
starting: yyyy-mm-dd days.
- To prevent Feature
Updates from being
received on their
scheduled time, you can
temporarily pause
them. The pause will
remain in effect for 35
days from the start
time provided.
- To resume receiving
Feature Updates which
are paused, clear the
start date field.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Windows Update\ Windows Select when Quality After a quality update is Enabled (Enable this policy
Update for Business Updates are received released, defer receiving it to specify when to receive
for this many days: 30 quality updates.
Pause Quality Updates You can defer receiving
starting: yyyy-mm-dd quality updates for up
to 30 days.
To prevent quality
updates from being
received on their
scheduled time, you can
temporarily pause
quality updates. The
pause will remain in
effect for 35 days or
until you clear the start
date field.
To resume receiving
Quality Updates which
are paused, clear the
start date field.)
This recommendation is
to help control when
updates are applied,
and to ensure updates
don’t get offered and
installed unexpectedly

Local Computer Policy \ N/A N/A N/A


User Configuration \
Administrative Templates

Control Panel\ Regional and Turn off offer text N/A Enabled (This policy turns
Language Options predictions as I type off the offer text predictions
as I type option. This does
not, however, prevent the
user or an application from
changing the setting
programmatically. With this
policy setting enabled, the
option will be locked to not
offer text predictions.)

Desktop Do not add shares of N/A Enabled (With this setting


recently opened documents enabled, shared folders are
to Network Locations not added to Network
Locations automatically
when you open a document
in the shared folder.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Desktop Turn off Aero Shake window N/A Enabled (Prevents


minimizing mouse gesture windows from being
minimized or restored when
the active window is shaken
back and forth with the
mouse. With this policy
enabled, application
windows will not be
minimized or restored when
the active window is shaken
back and forth with the
mouse.)

Desktop / Active Directory Maximum size of Active Number of objects Enabled (Specifies the
Directory searches returned:1500 maximum number of
objects the system displays
in response to a command
to browse or search Active
Directory. This setting
affects all browse displays
associated with Active
Directory, such as those in
Local Users and Groups,
Active Directory Users and
Computers, and dialog
boxes used to set
permissions for user or
group objects in Active
Directory.)

Start Menu and Taskbar Do not display or track N/A Enabled (This policy setting
items in Jump Lists from allows you to control
remote locations displaying or tracking items
in Jump Lists from remote
locations.)

Start Menu and Taskbar Do not search Internet N/A Enabled (With this policy
setting enabled, the Start
Menu search box will not
search for internet history
or favorites.)

Start Menu and Taskbar Do not use the search- N/A Enabled (This policy setting
based method when prevents the system from
resolving shell shortcuts conducting a
comprehensive search of
the target drive to resolve a
shortcut.)

Start Menu and Taskbar Turn off all balloon N/A Enabled (With this policy
notifications setting enabled, no
notification balloons are
shown to the user.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Start Menu and Taskbar Turn off feature N/A Enabled (With this policy
advertisement balloon setting enabled, certain
notifications notification balloons that
are marked as feature
advertisements are not
shown.)

Start Menu and Taskbar Turn off user tracking N/A Enabled (With this policy
setting enabled, the system
does not track the
programs that the user
runs and does not display
frequently used programs
in the Start Menu.)

Start Menu and Taskbar / Turn off toast notifications N/A Enabled (With this policy
Notifications setting enabled,
applications will not be able
to raise toast notifications.)

*Start Menu and Taskbar / Turn off toast notifications N/A Enabled (With this policy
Notifications on the lock screen setting enabled,
applications will not be able
to raise toast notifications
on the lock screen.)

Local Computer Policy / N/A N/A N/A


User Configuration

Windows Components / Configure Windows N/A Disabled (With this policy


Cloud Content spotlight on lock screen disabled, Windows spotlight
will be turned off and users
will no longer be able to
select it as their lock screen.
Users will see the default
lock screen image and will
be able to select another
image, unless you have
enabled the "Prevent
changing lock screen image"
policy.)

*Windows Components / Do not suggest third-party N/A Enabled (With this policy
Cloud Content content in Windows enabled, Windows spotlight
spotlight features like lock screen
spotlight, suggested apps in
Start menu or Windows tips
will no longer suggest apps
and content from third-
party software publishers.
Users may still see
suggestions and tips to
make them more
productive with Microsoft
features and apps.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Windows Components / Do not use diagnostic data N/A Enabled (With this policy
Cloud Content for tailored experiences setting enabled, Windows
will not use diagnostic data
from this device (this data
may include browser, app
and feature usage,
depending on the
"diagnostic data" setting
value) to customize content
shown on lock screen,
Windows tips, Microsoft
consumer features and
other related features.)

Windows Components / Turn off all Windows N/A Enabled (Windows


Cloud Content spotlight features spotlight on lock screen,
Windows tips, Microsoft
consumer features and
other related features will
be turned off. You should
enable this policy setting if
your goal is to minimize
network traffic from target
devices.)

Edge UI Turn off tracking of app N/A Enabled (This policy setting
usage prevents Windows from
keeping track of the apps
that are used and searched
most frequently. If you
enable this policy setting,
apps will be sorted
alphabetically in:
- search results
- the Search and Share
panes
- the drop-down app
list in the Picker)

File Explorer Turn off caching of N/A Enabled (With this policy
thumbnail pictures setting enabled, thumbnail
views are not cached.)

File Explorer Turn off common control N/A Enabled (Disabling


and window animations animations can improve
usability for users with
some visual disabilities as
well as improving
performance and battery
life in some scenarios.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

File Explorer Turn off display of recent N/A Enabled (Disables


search entries in the File suggesting recent queries
Explorer search box for the Search Box and
prevents entries into the
Search Box from being
stored in the registry for
future references.)

File Explorer Turn off the caching of N/A Enabled (With this policy
thumbnails in hidden setting enabled, File
thumbs.db files Explorer does not create,
read from, or write to
thumbs.db files.)

* Comes from the Windows Restricted Traffic Limited Functionality Baseline.


System services
If you're considering disabling system services to conserve resources, make sure the service isn't a component
of some other service. In this paper and with the available GitHub scripts, some services are not in the list
because they cannot be disabled in a supported manner.
Most of these recommendations mirror recommendations for Windows Server 2016, installed with the Desktop
Experience, based on the instructions in Guidance on disabling system services on Windows Server 2016 with
Desktop Experience.
Many services that may seem like good candidates to disable are set to manual service start type. This means
that the service will not automatically start and is not started unless process or event triggers a request to the
service being considered for disabling. Services that are already set to start type manual are usually not listed
here.

NOTE
You can enumerate running services with this PowerShell sample code, outputting only the service short name:

Get-Service | Where-Object {$_.Status -eq 'Running'} | Select-Object -ExpandProperty Name

The following table contains some services that may be considered to disable in virtual desktop environments:

W IN DO W S SERVIC E SERVIC E N A M E IT EM C O M M EN T

Cellular Time autotimesvc This service sets time based Virtual desktop
on NITZ messages from a environments may not have
Mobile Network such devices available.
To learn more, see this
article.
W IN DO W S SERVIC E SERVIC E N A M E IT EM C O M M EN T

GameDVR and Broadcast BcastDVRUserService This (per-user) service is NOTE: This is a "per-user
user service used for Game Recordings service", and as such, the
and Live Broadcasts template service must be
disabled. This user service is
used for Game Recordings
and Live Broadcasts.
To learn more, see this
article.

CaptureService CaptureService Enables optional screen OneCore capture service:


capture functionality for enables optional screen
applications that call the capture functionality for
Windows.Graphics.Capture applications that call the
API. Windows.Graphics.Capture
API
For more information,
see this article.

Connected Devices Platform CDPSvc This service is used for Connected Devices Platform
Service Connected Devices Platform Service
scenarios To learn more, see this
article

CDP User Service CDPUserSvc N/A Connected Devices Platform


User Service. To learn more,
see this article.
This user service is used
for Connected Devices
Platform scenarios

This is a "per-user
service", and as such,
the template service
must be disabled
(CDPUserSvc).

Optimize drives defragsvc Helps the computer run Virtual desktop solutions
more efficiently by do not normally benefit
optimizing files on storage from disk optimization. The
drives. "drives" are often not
traditional drives and often
just a temporary storage
allocation.

Diagnostic Execution DiagSvc Executes diagnostic actions Disabling this service


Service for troubleshooting support disables the ability to run
Windows diagnostics
Diagnostic Execution
Service.
W IN DO W S SERVIC E SERVIC E N A M E IT EM C O M M EN T

Connected User Experiences DiagTrack This service enables Consider disabling if on


and Telemetry features that support in- disconnected network. To
application and connected learn more, see this article.
user experiences.
Additionally, this service
manages the event driven
collection and transmission
of diagnostic and usage
information (used to
improve the experience and
quality of the Windows
Platform) when the
diagnostics and usage
privacy option settings are
enabled under Feedback
and Diagnostics.

Diagnostic Policy Service DPS The Diagnostic Policy Disabling this service
Service enables problem disables the ability to run
detection, troubleshooting Windows diagnostics. For
and resolution for Windows more information, see this
components. If this service article.
is stopped, diagnostics will
no longer function.

Device Setup Manager DsmSvc Enables the detection, If this service is disabled,
download and installation devices may be configured
of device-related software. with outdated software, and
may not work correctly.
Virtual desktop
environments very
closely control what
software is installed and
maintain that
consistency across the
environment.

Data Usage service DusmSvc Network data usage, data For more information, see
limit, restrict background this article.
data, metered networks.

Windows Mobile Hotspot icssvc Provides the ability to share To learn more, see this
Service a cellular data connection article.
with another device.

Microsoft Store Install InstallService Provides infrastructure This service is started on


Service support for the Microsoft demand and if disabled
Store. then installations will not
function properly.
Consider disabling this
service on non-
persistent virtual
desktop, leave as-is for
persistent virtual
desktop solutions.
W IN DO W S SERVIC E SERVIC E N A M E IT EM C O M M EN T

Geolocation Service Lfsvc Monitors the current If you turn off this service,
location of the system and applications will be unable
manages geofences (a to use or receive
geographical location with notifications for geolocation
associated events). or geofences. To learn more,
see this article.

Downloaded Maps MapsBroker Windows service for Disabling this service will
Manager application access to prevent apps from
downloaded maps. This accessing maps. TO learn
service is started on- more, see this article.
demand by application
accessing downloaded
maps.

MessagingService MessagingService Service supporting text This is a "per-user service",


messaging and related and as such, the template
functionality. service must be disabled.

Sync Host OneSyncSvc This service synchronizes (UWP) Mail and other
mail, contacts, calendar and applications dependent on
various other user data. this functionality will not
work properly when this
service is not running.
This is a "per-user
service", and as such,
the template service
must be disabled.

Contact Data PimIndexMaintenanceSvc Indexes contact data for This is a "per-user service",
fast contact searching. If and as such, the template
you stop or disable this service must be disabled.
service, contacts might be
missing from your search
results.

Power Power Manages power policy and Virtual machines have


power policy notification virtually no influence on
delivery. power properties. If this
service is disabled, power
management and reporting
are not available. To learn
more, see this article.

Payments and NFC/SE SEMgrSvc Manages payments and May not need this service
Manager Near Field Communication for payments, in the
(NFC) based secure enterprise environment.
elements.

Microsoft Windows SMS SmsRouter Routes messages based on May not need this service, if
Router Service rules to appropriate clients. other tools are used for
messaging, such as Teams,
Skype, or other. To learn
more, see this article.
W IN DO W S SERVIC E SERVIC E N A M E IT EM C O M M EN T

Superfetch (SysMain) SysMain Maintains and improves Superfetch generally does


system performance over not improve performance in
time. virtual desktop
environments for various
reasons. The underlying
storage is often virtualized
and possibly striped across
multiple drives. In some
virtual desktop solutions
the accumulated user state
is discarded when the user
logs off. The SysMain
feature should be evaluated
in each environment.

Touch Keyboard and TabletInputService Enables Touch Keyboard


Handwriting Panel Service and Handwriting Panel pen
and ink functionality

Update Orchestrator UsoSvc Manages Windows Virtual desktop devices are


Service Updates. If stopped, your often carefully managed
devices will not be able to with respect to updates.
download and install the Servicing is usually
latest updates. performed during
maintenance windows. In
some cases, an update
client may be utilized, such
as SCCM. The exception
would be security signature
updates, that would be
applied at any time, to any
virtual desktop device, so as
to maintain up-to-date
signatures. If you disable
this service, test to ensure
that security signatures are
still able to be installed.

Volume Shadow Copy VSS Manages and implements If this service is stopped,
Volume Shadow Copies shadow copies will be
used for backup and other unavailable for backup and
purposes. the backup may fail. If this
service is disabled, any
services that explicitly
depend on it will fail to
start. To learn more, see this
article.

Diagnostic System Host WdiSystemHost The Diagnostic System Host Disabling this service
is used by the Diagnostic disables the ability to run
Policy Service to host Windows diagnostics
diagnostics that need to
run in a Local System
context. If this service is
stopped, any diagnostics
that depend on it will no
longer function.
W IN DO W S SERVIC E SERVIC E N A M E IT EM C O M M EN T

Windows Error Reporting WerSvc Allows errors to be With virtual desktop


reported when programs environments, diagnostics
stop working or responding are often performed in an
and allows existing "offline" scenario, and not in
solutions to be delivered. mainstream production. In
Also allows logs to be addition, some customers
generated for diagnostic disable WER anyway. WER
and repair services. If this incurs a tiny amount of
service is stopped, error resources for many different
reporting might not work things, including failure to
correctly, and results of install a device, or failure to
diagnostic services and install an update. To learn
repairs might not be more, see this article.
displayed.

Windows Search WSearch Provides content indexing, Disabling this service


property caching, and prevents indexing of e-mail
search results for files, e- and other things. Test
mail, and other content. before disabling this service.
To learn more, see this
article.

Xbox Live Auth Manager XblAuthManager Provides authentication and If this service is stopped,
authorization services for some applications may not
interacting with Xbox Live. operate correctly.

Xbox Live Game Save XblGameSave This service syncs save data If this service is stopped,
for Xbox Live save enabled game save data will not
games. upload to or download
from Xbox Live.

Xbox Accessory XboxGipSvc This service manages N/A


Management Service connected Xbox
Accessories.

Xbox Live Networking XboxNetApiSvc This service supports the N/A


Service Windows.Networking.XboxL
ive application
programming interface.

Per-user services in Windows


Per-user services are services that are created when a user signs into Windows or Windows Server and are
stopped and deleted when that user signs out. These services run in the security context of the user account -
this provides better resource management than the previous approach of running these kinds of services in
Explorer, associated with a preconfigured account, or as tasks. For more information, see Per-user services in
Windows.
If you intend to change a service start value, the preferred method is to open an elevated .CMD prompt and run
the Service Control Manager tool SC.EXE . For more information, see SC.
Scheduled tasks
Like other items in Windows, ensure an item is not needed before disabling a scheduled task. Some tasks in
virtual desktop environments, such as Star tComponentCleanup , may not be desirable to run in production,
but may be good to run during a maintenance window on the "gold image" (reference image).
The following list of tasks includes tasks that perform optimizations or data collections on computers that
maintain their state across reboots. When a virtual desktop device reboots and discards all changes since last
boot, optimizations intended for physical computers are not helpful.
You can get all the current scheduled tasks, including descriptions, with the following PowerShell code:

Get-ScheduledTask | Select-Object -Property TaskPath,TaskName,State,Description

NOTE
There are several tasks that can't be disabled with a script, even when run on an elevated command prompt. The
recommendations here, and in the GitHub scripts do not attempt to disable tasks that cannot be disabled with a script.

SC H EDUL ED TA SK N A M E DESC RIP T IO N

MNO Mobile broadband account experience metadata parser

AnalyzeSystem This task analyzes the system looking for conditions that
may cause high energy use

Cellular Related to cellular devices

Compatibility Collects program telemetry information if opted-in to the


Microsoft Customer Experience Improvement Program.

Consolidator If the user has consented to participate in the Windows


Customer Experience Improvement Program, this job collects
and sends usage data to Microsoft

Diagnostics (DiskFootprint in task path) 'DiskFootprint' is the combined


contribution of all processes that issue storage I/O in the
form of storage reads, writes, and flushes.

FamilySafetyMonitor Initializes Family Safety monitoring and enforcement.

FamilySafetyRefreshTask Synchronizes the latest settings with the Microsoft family


features service.

MapsToastTask This task shows various Map-related toasts

Microsoft-Windows-DiskDiagnosticDataCollector The Windows Disk Diagnostic reports general disk and


system information to Microsoft for users participating in
the Customer Experience Program.

NotificationTask Background task for performing per user and web


interactions

ProcessMemoryDiagnosticEvents Schedules a memory diagnostic in response to system


events

Proxy This task collects and uploads autochk SQM data if opted-in
to the Microsoft Customer Experience Improvement
Program.

QueueReporting Windows Error Reporting task to process queued reports.


SC H EDUL ED TA SK N A M E DESC RIP T IO N

RecommendedTroubleshootingScanner Check for recommended troubleshooting from Microsoft

RegIdleBackup Registry Idle Backup Task

RunFullMemoryDiagnostic Detects and mitigates problems in physical memory (RAM).

Scheduled The Windows Scheduled Maintenance Task performs periodic


maintenance of the computer system by fixing problems
automatically or reporting them through Security and
Maintenance.

ScheduledDefrag This task optimizes local storage drives.

SilentCleanup Maintenance task used by the system to launch a silent auto


disk cleanup when running low on free disk space.

SpeechModelDownloadTask

Sqm-Tasks This task gathers information about the Trusted Platform


Module (TPM), Secure Boot, and Measured Boot.

SR This task creates regular system protection points.

StartComponentCleanup Servicing task that may be better performed during


maintenance windows

StartupAppTask Scans startup entries and raises notification to the user if


there are too many startup entries.

SyspartRepair

WindowsActionDialog Location Notification

WinSAT Measures a system's performance and capabilities

XblGameSaveTask Xbox Live GameSave standby task

Apply Windows (and other) updates


Whether from Microsoft Update, or from your internal resources, apply available updates including Windows
Defender signatures. This is a good time to apply other available updates including Microsoft Office if installed,
and other software updates. If PowerShell will remain in the image you can download the latest available help
for PowerShell by running the command Update-Help .
Servicing OS and apps
At some point during the image optimization process available Windows updates should be applied. There is a
setting in Windows 10 update settings that can provide additional updates. You can find it at Settings >
Advanced options . Once there, set Give me updates for other uMirosoft products when I update
Windows to On .
This would be a good setting in case you are going to install Microsoft applications such as Microsoft Office to
the base image. That way Office is up to date when the image is put in service. There are also .NET updates and
certain third-party components such as Adobe that have updates available through Windows Update.
One very important consideration for non-persistent virtual desktop devices is security updates, including
security software definition files. These updates may be released once or more times per day.
For Windows Defender it may be best to allow the updates to occur, even on non-persistent virtual desktop
environments. The updates are going to apply nearly every time you sign in, but the updates are small and
should not be a problem. Plus, the device won’t be behind on updates because only the latest available will
apply. The same may be true for third-party definition files.

NOTE
Store apps (UWP apps) update through the Windows Store. Modern versions of Office such as Office 365 update through
their own mechanisms when directly connected to the Internet, or through management technologies when not.

Windows system startup event traces (AutoLoggers )


Windows is configured by default to collect and save diagnostic data. The purpose is to enable diagnostics, or to
record data if further troubleshooting is necessary. Automatic system traces can be found at the location
depicted in the following illustration:
Some of the traces displayed under Event Trace Sessions and Star tup Event Trace Sessions can't and
should not be stopped. Others, such as the WiFiSession trace can be stopped. To stop a running trace under
Event Trace Sessions , right-click the trace and then select Stop . Use the following procedure to prevent the
traces from starting automatically on startup:
1. Select the Star tup Event Trace Sessions folder.
2. Find and select the trace file you want to look at to open it.
3. Select the Trace Session tab.
4. Uncheck the box labeled Enabled .
5. Select Ok .
The following table lists some system traces that you should consider disabling in your virtual desktop
environments:

NAME C O M M EN T

Cellcore https://docs.microsoft.com/windows-
hardware/drivers/network/cellular-architecture-and-driver-
model

CloudExperienceHostOOBE Documented here.

DiagLog A log generated by the Diagnostic Policy Service, which is


documented here

RadioMgr Documented here


NAME C O M M EN T

ReadyBoot Documentation here.

WDIContextLog Wireless Local Area Network (WLAN) Device Driver Interface,


and is documented here.

WiFiDriverIHVSession Documented here.

WiFiSession Diagnostic log for WLAN technology. If Wi-Fi isn't


implemented, there's no need for this logger

WinPhoneCritical Diagnostic log for phone (Windows?). If not using phones,


no need for this logger

Windows Defender optimization in the virtual desktop environment


For greater details about how to optimize Windows Defender in a virtual desktop environment, check out the
Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment.
The above article contains procedures to service the "gold" virtual desktop image, and how to maintain the
virtual desktop clients as they are running. To reduce network bandwidth when virtual desktop devices need to
update their Windows Defender signatures, stagger reboots, and schedule reboots during off hours where
possible. The Windows Defender signature updates can be contained internally on file shares, and where
practical, have those files shares on the same or close networking segments as the virtual desktop devices.
Client network performance tuning by registry settings
There are some registry settings that can increase network performance. This is especially important in
environments where the virtual desktop device or physical computer has a workload that is primarily network-
based. The settings in this section are recommended to tune performance for the networking workload profile,
by setting up additional buffering and caching of things like directory entries and so on.

NOTE
Some settings in this section are registry-based only and should be incorporated in the base image before the image is
deployed for production use.

The following settings are documented in the Performance tuning guidelines for Windows Server 2016.
DisableBandwidthThrottling
HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\DisableBandwidthThrottling

Applies to Windows 10. The default is 0 . By default, the SMB redirector throttles throughput across high-latency
network connections, in some cases to avoid network-related timeouts. Setting this registry value to 1 disables
this throttling, enabling higher file transfer throughput over high-latency network connections. Consider setting
this value to 1 .
FileInfoCacheEntriesMax
HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\FileInfoCacheEntriesMax

Applies to Windows 10. The default is 64 , with a valid range of 1 to 65536. This value is used to determine the
amount of file metadata that can be cached by the client. Increasing the value can reduce network traffic and
increase performance when many files are accessed. Try increasing this value to 1024 .
DirectoryCacheEntriesMax
HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\DirectoryCacheEntriesMax
Applies to Windows 10. The default is 16 , with a valid range of 1 to 4096. This value is used to determine the
amount of directory information that can be cached by the client. Increasing the value can reduce network traffic
and increase performance when large directories are accessed. Consider increasing this value to 1024 .
FileNotFoundCacheEntriesMax
HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\FileNotFoundCacheEntriesMax

Applies to Windows 10. The default is 128 , with a valid range of 1 to 65536. This value is used to determine the
amount of file name information that can be cached by the client. Increasing the value can reduce network traffic
and increase performance when many file names are accessed. Consider increasing this value to 2048 .
DormantFileLimit
HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\DormantFileLimit

Applies to Windows 10. The default is 1023 . This parameter specifies the maximum number of files that should
be left open on a shared resource after the application has closed the file. Where many thousands of clients are
connecting to SMB servers, consider reducing this value to 256 .: Windows Server 2022, Windows Server 2019,
You can configure many of these SMB settings by using the Set-SmbClientConfiguration and Set-
SmbServerConfiguration Windows PowerShell cmdlets. Registry-only settings can be configured by using
Windows PowerShell as well, as in the following example:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"


RequireSecuritySignature -Value 0 -Force

Additional settings from the Windows Restricted Traffic Limited Functionality Baseline guidance
Microsoft has released a baseline, created using the same procedures as the Windows Security Baselines, for
environments that are either not connected directly to the Internet, or wish to reduce data sent to Microsoft and
other services.
The Windows Restricted Traffic Limited Functionality Baseline settings are called out in the group policy table
with an asterisk.
Disk cleanup (including using the Disk Cleanup Wizard)
Disk cleanup can be especially helpful with gold/master image virtual desktop implementations. After the
gold/master image is prepared, updated, and configured, one of the last tasks to perform is disk cleanup. The
optimization scripts on Github.com have PowerShell code to perform common disk cleanup tasks

NOTE
Disk cleanup settings and are in the Settings category "System" called "Storage." By default, Storage Sense runs when a
low disk free space threshold is reached.
To learn more about how to use Storage Sense with Azure custom VHD images, see Prepare and customize a master VHD
image.
For Azure Virtual Desktop session host that use Windows 10 Enterprise or Windows 10 Enterprise multi-session, we
recommend disabling Storage Sense. You can disable Storage Sense in the Settings menu under Storage .

Here are suggestions for various disk cleanup tasks. These should all be tested before implementing:
1. Storage Sense may be utilized manually or automatically. For more information on Storage Sense, see
this article: Use OneDrive and Storage Sense in Windows 10 to manage disk space
2. Manually cleanup temporary files and logs. From an elevated command prompt, run these commands:
a. Del C:\*.tmp /s
b. C:\*.etl /s
c. C:\*.evtx /s

Get-ChildItem -Path c:\ -Include *.tmp, *.dmp, *.etl, *.evtx, thumbcache*.db, *.log -File -Recurse -
Force -ErrorAction SilentlyContinue | Remove-Item -ErrorAction SilentlyContinue

Remove-Item -Path $env:ProgramData\Microsoft\Windows\WER\Temp\* -Recurse -Force -ErrorAction


SilentlyContinue

Remove-Item -Path $env:ProgramData\Microsoft\Windows\WER\ReportArchive\* -Recurse -Force -ErrorAction


SilentlyContinue

Remove-Item -Path $env:ProgramData\Microsoft\Windows\WER\ReportQueue\* -Recurse -Force -ErrorAction


SilentlyContinue

Clear-RecycleBin -Force -ErrorAction SilentlyContinue

Clear-BCCache -Force -ErrorAction SilentlyContinue

3. Delete any unused profiles on the system by running the following command:
wmic path win32_UserProfile where LocalPath="C:\\users\\<users>" Delete

For any questions or concerns about the information in this paper, contact your Microsoft account team,
research the Microsoft virtual desktop IT Pro blog, post a message to Microsoft Virtual Desktop forums, or
contact Microsoft for questions or concerns.
Re -enable Windows Update
If you would like to enable the use of Windows Update after disabling it, as in the case of persistent virtual
desktop, follow these steps:
1. Re-enable group policy settings:
Go to Local Computer Policy > Computer Configuration > Administrative Templates >
System > Internet Communication Management > Internet Communication settings .
Turn off access to all Windows Update features by changing the setting from enabled to not
configured .
Go to Local Computer Policy > Computer Configuration > Administrative Templates >
Windows Components > Windows Update .
Remove access to all Windows Update features by changing the setting from enabled to not
configured .
Don't connect to any Windows Update Internet locations by changing the setting from enabled
to not configured .
Go to Local Computer Policy > Computer Configuration > Administrative Templates >
Windows Components > Windows Update > Windows Update for Business .
Select when Quality Updates are received (change from enabled to not configured )
Go to Local Computer Policy > Computer Configuration > Administrative Templates >
Windows Components > Windows Update > Windows Update for Business .
Select when Preview Builds and Feature Updates are received (change from enabled to not
configured )
2. Re-enable service(s):
Change Update Orchestrator ser vice from disabled to Automatic (Delayed Star t) .
3. Edit the Windows registry (warning, be careful when editing the registry).
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState .
Change DeferQualityUpdates from '1' to '0'.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings
Delete any existing value for PausedQualityDate .
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\WAU
Set to Disabled .
4. Re-enable scheduled tasks:
Go to Task Scheduler Librar y > Microsoft > Windows > InstallSer vice > ScanForUpdates .
Go to Task Scheduler Librar y > Microsoft > Windows > InstallSer vice >
ScanForUpdatesAsUser .
5. Restart your device to make all these settings take effect.
6. If you do not want this device offered Feature Updates, go to Settings > Windows Update >
Advanced options > Choose when updates are installed and manually set the option A feature
update includes new capabilities and improvements. It can be deferred for this many days to
any non-zero value, such as 180, 365, and so on.

Additional information
Learn more about Microsoft's VDI architecture at our Azure Virtual Desktop documentation.
If you need additional help with troubleshooting sysprep, check out Sysprep fails after you remove or update
Microsoft Store apps that include built-in Windows images.
Optimizing Windows 10, version 1909, for a Virtual
Desktop Infrastructure (VDI) role
7/29/2021 • 57 minutes to read • Edit Online

This article helps you choose settings for Windows 10, version 1909 (build 18363) that should result in the best
performance in a Virtualized Desktop Infrastructure (VDI) environment. All settings in this guide are
recommendations to be considered and are in no way requirements.
The key ways to optimize Windows 10 performance in a VDI environment are to minimize app graphic redraws,
background activities that have no major benefit to the VDI environment, and generally reduce running
processes to the bare minimum. A secondary goal is to reduce disk space usage in the base image to the bare
minimum. With VDI implementations, the smallest possible base, or "gold" image size, can slightly reduce
memory usage on the hypervisor, as well as a small reduction in overall network operations required to deliver
the desktop image to the consumer.

NOTE
These recommended settings can be applied to other Windows 10 1909 installations, including those on physical or other
virtual machines. No recommendations in this article should affect supportability of Windows 10 1909.

VDI Optimization Principles


A VDI environment presents a full desktop session, including applications, to a computer user over a network.
The network delivery vehicle can be an on-premises network or could be the Internet. VDI environments are a
"base" operating system image, which then becomes the basis for the desktops subsequently presented to the
users. There are variations of VDI implementations such as "persistent", "non-persistent", and "desktop session".
The persistent type preserves changes to the VDI desktop OS from one session to the next. The non-persistent
type does not preserve changes to the VDI desktop OS from one session to the next. To the user, this desktop
isn't much different to any other virtual or physical device, other than being accessed over a network.
The optimization settings would take place on a reference device. A VM would be an ideal place to build the
image, because the state can be saved, checkpoints can be made, and backups can be done. A default OS
installation is performed on the base VM. That base VM is then optimized by removing unnecessary apps,
installing Windows updates, installing other updates, deleting temporary files, and applying settings.
There are other types of VDI such as Remote Desktop Session (RDS) and the recently released Azure Virtual
Desktop. An in-depth discussion regarding these technologies is outside the scope of this article. This article
focuses on the Windows base image settings, without reference to other factors in the environment such as host
optimization.
Security and stability are top priorities for Microsoft when it comes to products and services. Enterprise
customers might choose to utilize the built-in Windows Security, a suite of services that work well with or
without Internet. For those VDI environments not connected to the Internet, security signatures can be
downloaded several times per day, as Microsoft might release more than one signature update per day. Those
signatures can then be provided to the VDI VMs and scheduled to be installed during production, regardless of
persistent or non-persistent. That way the VM protection is as current as possible.
There are some security settings that are not applicable to VDI environments that are not connected to the
Internet, and thus not able to participate in cloud-enabled security. There are other settings that "normal"
Windows devices might utilize such as Cloud Experience, The Windows Store, and so on. Removing access to
unused features reduces footprint, network bandwidth, and attack surface.
Regarding updates, Windows 10 utilizes a monthly update algorithm, so there is no need for clients to attempt
to update. In most cases VDI administrators control the process of updating through a process of shutting down
VMs based on a "master", or "gold" image, unseal that image which is read-only, patch the image, then reseal it
and bring it back into production. Therefore, there is no need to have VDI VMs checking Windows Update. In
certain instances, for example, persistent VDI VMs, normal patching procedures do take place. Windows Update
or Microsoft Intune can also be used. System Center Configuration Manager can be used to handle update and
other package delivery. It's up to each organization to determine the best approach to updating VDI.

TIP
A script that implements the optimizations discussed in this topic--as well as a GPO export file that you can import with
LGPO.exe --is available at The Virtual Desktop Team on GitHub.

This script was designed to suit your environment and requirements. The main code is PowerShell, and the work
is done by using input files (plain text), with Local Group Policy Object (LGPO) tool export files. These files
contain lists of apps to be removed, and services to be disabled. If you do not wish to remove a particular app or
disable a particular service, edit the corresponding text file and remove the item. Finally, there are local policy
settings that can be imported into your device. It is better to have some settings within the base image, than to
have the settings applied through the group policy, as some of the settings are effective on the next restart, or
when a component is first used.
Persistent VDI
Persistent VDI is, at the basic level, a VM that saves operating system states in between reboots. Other software
layers of the VDI solution provide the users easy and seamless access to their assigned VMs, often with a single
sign-on solution.
There are several different implementations of persistent VDI:
Traditional virtual machine, where the VM has its own virtual disk file, starts up normally, saves changes
from one session to the next. The difference is how the user accesses this VM. There might be a web
portal the user logs into that automatically directs the user to their one or more assigned VDI VMs.
Image-based persistent virtual machine, optionally with personal virtual disks. In this type of
implementation there is a base/gold image on one or more host servers. A VM is created, and one or
more virtual disks are created and assigned to this disk for persistent storage.
When the VM is started, a copy of the base image is read into the memory of that VM. At the same
time, a persistent virtual disk is assigned to that VM, with any previous operating system changes
merged through a complex process.
Changes such as event log writes, log writes, etc. are redirected to the read/write virtual disk
assigned to that VM.
In this circumstance, operating system and app servicing might operate normally, using traditional
servicing software such as Windows Server Update Services, or other management technologies.
The difference between a persistent VDI machine, and a "normal" virtual machine is the
relationship to the master/gold image. At some point updates must be applied to the master. This
is where implementations decide how the user persistent changes are handled. In some cases, the
disk with the changes are discarded and/or reset, thus setting a new checkpoint. It might also be
that the changes the user makes are kept through monthly quality updates, and the base is reset
following a Feature Update.
Non-Persistent VDI
When a non-persistent VDI implementation is based on a base or "gold" image, the optimizations are mostly
performed in the base image, and then through local settings and local policies.
With image-based non-persistent VDI, the base image is read-only. When a non-persistent VM is started, a copy
of the base image is streamed to the VM. Activity that occurs during startup and thereafter until the next reboot
is redirected to a temporary location. Users are usually provided network locations to store their data. In some
cases, the user's profile is merged with the standard VM to provide the user with their settings.
One important aspect of non-persistent VDI that is based on a single image is servicing. Updates to the
operating system and components are delivered usually once per month. With image-based VDI, there is a set
of processes that must be performed to get updates to the image:
On a given host, all the VMs on that host, that are derived from the base image must be shut down /
turned off. This means the users are redirected to other VMs.
The base image is then opened and started up. All maintenance activities are then performed, such as
operating system updates, .NET updates, app updates, etc.
Any new settings that need to be applied are applied at this time.
Any other maintenance is performed at this time.
The base image is then shut down.
The base image is sealed and set to go back into production.
Users can log back on.

NOTE
Windows 10 performs a set of maintenance tasks, automatically, on a periodic basis. There is a scheduled task that is set
to run at 3:00 AM every day by default. This scheduled task performs a list of tasks, including Windows Update cleanup.
You can view all the categories of maintenance that take place automatically with this PowerShell command:

Get-ScheduledTask | Where-Object {$_.Settings.MaintenanceSettings}

One of the challenges with non-persistent VDI is that when a user logs off, nearly all the operating system
activity is discarded. The user's profile and/or state might be saved to a centralized location, but the virtual
machine itself discards nearly all changes that were made since the last boot. Therefore, optimizations intended
for a Windows computer that saves state from one session to the next are not applicable.
Depending on the architecture of VDI VM, things like PreFetch and SuperFetch are not going to help from one
session to the next, as all the optimizations are discarded on VM restart. Indexing might be a partial waste of
resources, as would be any disk optimizations such as a traditional defragmentation.

NOTE
If preparing an image using virtualization, and if connected to the Internet during image creation process, on first logon
you should postpone Feature Updates by going to Settings , Windows Update .

To Sysprep or not Sysprep


Windows 10 has a built-in capability called the System Preparation Tool, (often abbreviated to "Sysprep"). The
Sysprep tool is used to prepare a customized Windows 10 image for duplication. The Sysprep process assures
the resulting operating system is properly unique to run in production.
There are reasons for and against running Sysprep. In the case of VDI, you might want the ability to customize
the default user profile which would be used as the profile template for subsequent users that log on using this
image. You might have apps that you want installed, but also able to control per-app settings.
The alternative is to use a standard .ISO to install from, possibly using an unattended installation answer file, and
a task sequence to install applications or remove applications. You can also use a task sequence to set local
policy settings in the image, perhaps using the Local Group Policy Object Utility (LGPO) tool.
Supportability
Anytime that Windows defaults are changed, questions arise regarding supportability. Once a VDI image (VM or
session) is customized, every change made to the image needs to be tracked in a change log. At
troubleshooting, often an image can be isolated in a pool and configured for problem analysis. Once a problem
has been tracked to the root cause, that change can then be rolled out to the test environment first, and
ultimately to the production workload.
This document intentionally avoids touching system services, policies, or tasks that affect security. After that
comes Windows servicing. The ability to service VDI images outside of maintenance windows is removed, as
maintenance windows are when most servicing events take place in VDI environments, except for security
software updates. Microsoft has published guidance for Windows Security in VDI environments. For more
information, see Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI)
environment.
Consider supportability when altering default Windows settings. Difficult problems can arise when altering
system services, policies, or scheduled tasks, in the name of hardening, "lightening", etc. Consult the Microsoft
Knowledge Base for current known issues regarding altered default settings. The guidance in this document, and
the associated script on GitHub will be maintained with regards to known issues, if any arise. In addition, you
can report issues in several ways to Microsoft.
You can use your favorite search engine with the terms ""start value" site:support.microsoft.com" to bring up
known issues regarding default start values for services.
You might note that this document and the associated scripts on GitHub do not modify any default permissions.
If you are interested in increasing your security settings, start with the project known as AaronLocker . For
more information, see "AaronLocker" overview.
VDI Optimization Categories
Global operating system setting categories:
UWP app cleanup
Optional Features cleanup
Local policy settings
System services
Scheduled tasks
Apply Windows (and other) updates
Automatic Windows traces
Disk cleanup prior to finalizing (sealing) image
User settings
Hypervisor / Host settings
Universal Windows Platform (UWP) application cleanup
One of the goals of a VDI image is to be as light as possible. One way to reduce the size of the image is to
remove UWP applications that won't be used in the environment. With UWP apps, there are the main
application files, also known as the payload. There is a small amount of data stored in each user's profile for
application specific settings. There is also a small amount of data in the 'All Users' profile.
Connectivity and timing are important factors when it comes to UWP app cleanup. If you deploy your base
image to a device with no network connectivity, Windows 10 can't connect to the Microsoft Store and download
apps and try to install them while you are trying to uninstall them. This might be a good strategy to allow you
time to customize your image, and then update what remains at a later stage of the image creation process.
If you modify your base .WIM that you use to install Windows 10 and remove unneeded UWP apps from the
.WIM before you install, the apps won't be installed to begin with and your profile creation times will be shorter.
Later in this section there is information on how to remove UWP apps from your installation .WIM file.
A good strategy for VDI is to provision the apps you want in the base image, then limit or block access to the
Microsoft Store afterward. Store apps are updated periodically in the background on normal computers. The
UWP apps can be updated during the maintenance window when other updates are applied. For more
information see Universal Windows Platform Apps
Delete the payload of UWP apps
UWP apps that are not needed are still in the file system consuming a small amount of disk space. For apps that
will never be needed, the payload of unwanted UWP apps can be removed from the base image using
PowerShell commands.
In fact, if you remove those from the installation .WIM file using the links provided later in this section, you
should be able to start from the beginning with a very slim list of UWP apps.
Run the following command to enumerate provisioned UWP apps from a running operating system, as in this
truncated example output from PowerShell:

Get-AppxProvisionedPackage -Online

DisplayName : Microsoft.3DBuilder
Version : 13.0.10349.0
Architecture : neutral
ResourceId : \~
PackageName : Microsoft.3DBuilder_13.0.10349.0_neutral_\~_8wekyb3d8bbwe
Regions :
...

UWP apps that are provisioned to a system can be removed during operating system installation as part of a
task sequence, or later after the operating system is installed. This might be the preferred method because it
makes the overall process of creating or maintaining an image modular. Once you develop the scripts, if
something changes in a subsequent build, you edit an existing script rather than repeat the process from
scratch. Here are some links to information on this topic:
Removing Windows 10 in-box apps during a task sequence
Removing Built-in apps from Windows 10 WIM-File with Powershell - Version 1.3
Windows 10 1607: Keeping apps from coming back when deploying the feature update
Then run the Remove-AppxProvisionedPackage PowerShell command to remove UWP app payloads:

Remove-AppxProvisionedPackage -Online -PackageName

Each UWP app should be evaluated for applicability in each unique environment. You'll want to install a default
installation of Windows 10 1909, then note which apps are running and consuming memory. For example, you
might want to consider removing apps that start automatically, or apps that automatically display information
on the Start Menu, such as Weather and News that might not be of use in your environment.

NOTE
If utilizing the scripts from GitHub, you can easily control which apps are removed before running the script. After
downloading the script files, locate the file 'AppxPackages.json', edit that file, and remove entries for apps that you want to
keep, such as Calculator, Sticky Notes, etc. See the section Customization for details.

Manage Windows Optional Features using PowerShell


You can manage Windows Optional Features using PowerShell. For more information, see the Windows Server
powershell forum. To enumerate currently installed Windows Features, run the following PowerShell command:

Get-WindowsOptionalFeature -Online

You can enable or disable a specific Windows optional feature, as shown in this example:

Enable-WindowsOptionalFeature -Online -FeatureName "DirectPlay" -All

You can disable features in the VDI image, as shown in this example:

Disable-WindowsOptionalFeature -Online -FeatureName "WindowsMediaPlayer"

Next, you might want to remove the Windows Media Player package. There are two Windows Media Player
packages in Windows 10 1909:

Get-WindowsPackage -Online -PackageName *media*

PackageName : Microsoft-Windows-MediaPlayer-Package~31bf3856ad364e35~amd64~~10.0.18362.1
Applicable : True
Copyright : Copyright (c) Microsoft Corporation. All Rights Reserved
Company :
CreationTime :
Description : Play audio and video files on your local device and on the Internet.
InstallClient : DISM Package Manager Provider
InstallPackageName : Microsoft-Windows-MediaPlayer-Package~31bf3856ad364e35~amd64~~10.0.18362.1.mum
InstallTime : 3/19/2019 6:20:22 AM
...

Features : {}

PackageName : Microsoft-Windows-MediaPlayer-Package~31bf3856ad364e35~amd64~~10.0.18362.449
Applicable : True
Copyright : Copyright (c) Microsoft Corporation. All Rights Reserved
Company :
CreationTime :
Description : Play audio and video files on your local device and on the Internet.
InstallClient : UpdateAgentLCU
InstallPackageName : Microsoft-Windows-MediaPlayer-Package~31bf3856ad364e35~amd64~~10.0.18362.449.mum
InstallTime : 10/29/2019 5:15:17 AM
...

If you want to remove the Windows Media Player package (to free up about 60 MB disk space):
Remove-WindowsPackage -PackageName Microsoft-Windows-MediaPlayer-
Package~31bf3856ad364e35~amd64~~10.0.18362.1 -Online

Remove-WindowsPackage -PackageName Microsoft-Windows-MediaPlayer-


Package~31bf3856ad364e35~amd64~~10.0.18362.449 -Online

Enable or disable Windows Features using DISM


You can use the built-in Dism.exe tool to enumerate and control Windows Optional Features. A Dism.exe script
could be developed and run during an operating system installation task sequence. The Windows technology
involved is called Features on Demand.
Default user settings
There are customizations that can be made to a Windows registry file called 'C:\Users\Default\NTUSER.DAT'.
Any settings made to this file will be applied to any subsequent user profiles created from a device running this
image. You can control which settings to apply to the default user profile, by editing the file
'DefaultUserSettings.txt'. One setting that you might want to consider carefully, new to this iteration of settings
recommendations, is a setting called TaskbarSmallIcons . You might want to check with your user base before
implementing this setting. TaskbarSmallIcons makes the Windows Task Bar smaller and consumes less screen
space, makes the icons more compact, minimizes the Search interface, and is depicted before and after in the
following illustrations:
Figure 1: Normal Windows 10, version 1909 taskbar

Figure 2: Taskbar using the small icons setting

Also, to reduce the transmitting of images over the VDI infrastructure, you can set the default background to a
solid color instead of the default Windows 10 image. You can also set the logon screen to be a solid color, as well
as turn off the opaque blurring effect on logon.
The following settings are applied to the default user profile registry hive, mainly in order to reduce animations.
If some or all of these settings are not desired, delete the settings not to be applied to the new user profiles
based on this image. The goal with these settings is to enable the following equivalent settings:
Figure 3: Optimized System Properties, Performance Options
For Windows 10, version 1909, the following are the optimization settings applied to the default user profile
registry hive to optimize performance:

add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer" /v ShellState /t REG_BINARY /d


240000003C2800000000000000000000 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v IconsOnly /t REG_DWORD /d 1
/f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ListviewAlphaSelect /t
REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ListviewShadow /t REG_DWORD
/d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowCompColor /t REG_DWORD /d
1 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowInfoTip /t REG_DWORD /d 1
/f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarAnimations /t
REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v VisualFXSetting /t
REG_DWORD /d 3 /f
add "HKLM\Temp\Software\Microsoft\Windows\DWM" /v EnableAeroPeek /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\DWM" /v AlwaysHiberNateThumbnails /t REG_DWORD /d 0 /f
add "HKLM\Temp\Control Panel\Desktop" /v DragFullWindows /t REG_SZ /d 0 /f
add "HKLM\Temp\Control Panel\Desktop" /v FontSmoothing /t REG_SZ /d 2 /f
add "HKLM\Temp\Control Panel\Desktop" /v UserPreferencesMask /t REG_BINARY /d 9032078010000000 /f
add "HKLM\Temp\Control Panel\Desktop\WindowMetrics" /v MinAnimate /t REG_SZ /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v 01 /t
REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-
338393Enabled /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-
353694Enabled /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-
353696Enabled /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-
338388Enabled /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-
338389Enabled /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v
SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
add "HKLM\Temp\Control Panel\International\User Profile" /v HttpAcceptLanguageOptOut /t REG_DWORD /d 1 /f
add
"HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.Windows.Photos_8
wekyb3d8bbwe" /v Disabled /t REG_DWORD /d 1 /f
add
"HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.Windows.Photos_8
wekyb3d8bbwe" /v DisabledByUser /t REG_DWORD /d 1 /f
add
"HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.SkypeApp_kzf8qxf
38zg5c" /v Disabled /t REG_DWORD /d 1 /f
add
"HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.SkypeApp_kzf8qxf
38zg5c" /v DisabledByUser /t REG_DWORD /d 1 /f
add
"HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.YourPhone_8wekyb
3d8bbwe" /v Disabled /t REG_DWORD /d 1 /f
add
"HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.YourPhone_8wekyb
3d8bbwe" /v DisabledByUser /t REG_DWORD /d 1 /f
add
"HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.MicrosoftEdge_8w
ekyb3d8bbwe" /v Disabled /t REG_DWORD /d 1 /f
add
"HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.MicrosoftEdge_8w
ekyb3d8bbwe" /v DisabledByUser /t REG_DWORD /d 1 /f
add
"HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.PPIProjection_cw
5n1h2txyewy" /v Disabled /t REG_DWORD /d 1 /f
add
"HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.PPIProjection_cw
5n1h2txyewy" /v DisabledByUser /t REG_DWORD /d 1 /f
add "HKLM\Temp\Software\Microsoft\InputPersonalization" /v RestrictImplicitInkCollection /t REG_DWORD /d 1
/f
add "HKLM\Temp\Software\Microsoft\InputPersonalization" /v RestrictImplicitTextCollection /t REG_DWORD /d 1
/f
add "HKLM\Temp\Software\Microsoft\Personalization\Settings" /v AcceptedPrivacyPolicy /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\InputPersonalization\TrainedDataStore" /v HarvestContacts /t REG_DWORD /d
0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v
ScoobeSystemSettingEnabled /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v
ScoobeSystemSettingEnabled /t REG_DWORD /d 0 /f
add "HKLM\Temp\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v
ScoobeSystemSettingEnabled /t REG_DWORD /d 0 /f
add "HKCU\Software\Microsoft\InputPersonalization" /v RestrictImplicitInkCollection /t REG_DWORD /d 1 /f
add "HKCU\Software\Microsoft\InputPersonalization" /v RestrictImplicitTextCollection /t REG_DWORD /d 1 /f

In the local policy settings, you might want to disable images for backgrounds in VDI. If you do want images,
you might want to create custom background images at a reduced color depth to limit network bandwidth used
for transmitting image information. If you decide to specify no background image in local policy, you might
want to set the background color before setting local policy, because once the policy is set, the user has no way
to change the background color. It might be better to specify "(null)" as the background image. There is another
policy setting in the next section on not using background over Remote Desktop Protocol sessions.
Local policy settings
Many optimizations for Windows 10 in a VDI environment can be made using Windows policy. The settings
listed in the table in this section can be applied locally to the base/gold image. If the equivalent settings are not
specified in any other way, such as group policy, the settings would still apply.
Some decisions might be based on the specifics of the environment for example:
Is the VDI environment allowed to access the Internet?
Is the VDI solution persistent or non-persistent?
The following settings were chosen to not counter or conflict with any setting that has anything to do with
security. These settings were chosen to remove settings or disable functionality that might not be applicable to
VDI environments.

P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Local Computer Policy \


Computer Configuration \
Windows Settings \ Security
Settings

Network List Manager All networks properties Network location User can't change location
policies

Local Computer Policy \


Computer Configuration \
Administrative Templates \
Control Panel

*Control Panel Allow online tips Disabled. Settings won't


contact Microsoft content
services to retrieve tips and
help content.

*Control Won't show the Lock screen Enabled. This setting


Panel\Personalization controls whether the lock
screen appears for users. If
you enable this policy
setting, users that are not
required to press CTRL +
ALT + DEL before signing in
will see their selected tile
after locking their PC.

*Control Force a specific default lock Enabled. This setting lets


Panel\Personalization screen and logon image you specify the default lock
screen and logon image
shown when no user is
signed in, and also sets the
specified image as the
default for all users--it
replaces the default image.
We recommend using a
low resolution, non-
complex image so less
data is transmitted over
the network each time
the image is rendered.

*Control Panel\Regional and Turn off automatic learning Enabled. If you enable this
Language policy setting, automatic
Options\Handwriting learning stops, and any
personalization stored data is deleted.
Users can't configure this
setting in Control Panel.
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Local Computer Policy \


Computer Configuration \
Administrative Templates \
Network

Background Intelligent Do not allow the BITS client Enabled


Transfer Service (BITS) to use Windows Branch
Cache

Background Intelligent Do not allow the computer Enabled


Transfer Service (BITS) to act as a BITS Peercaching
client

Background Intelligent Do not allow the computer Enabled


Transfer Service (BITS) to act as a BITS Peercaching
server

Background Intelligent Allow BITS Peercaching Disabled


Transfer Service (BITS)

BranchCache Turn on BranchCache Disabled

*Fonts Enable font providers Disabled. Windows doesn't


connect to an online font
provider and only
enumerates locally-installed
fonts.

Hotspot authentication Enable hotspot Disabled


authentication

Microsoft Peer-to-Peer Turn off Microsoft Peer-to- Enabled


Networking Services Peer Networking Services

Network connectivity status Specify passive polling. Disable passive polling Enabled. Use this setting if
indicator (check box) you're on an isolated
network or using a static IP
address.

Offline files Allow or disallow use of Disabled


Offline Files.

TCPIP Settings \ IPv6 Set Teredo state Disabled state Enabled. In the disabled
Transition Technologies state, no Teredo interfaces
are present on the host.
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

WLAN Service \ WLAN Allow Windows to Disabled. The Connect to


Settings automatically connect to suggested open
suggested open hotspots, hotspots , Connect to
to networks shared by networks shared by my
contacts, and to hotspots contacts , and Enable
offering paid services. paid ser vices are turned
off, but users on this device
can enable them.

Local Computer Policy \


Computer Configuration \
Administrative Templates \
Start Menu and Taskbar

*Notifications Turn off notifications Enabled. If you enable this


network usage setting, apps and system
features won't be able to
receive notifications from
the network from WNS or
by using notification-polling
APIs.

Local Computer Policy \


Computer Configuration \
Administrative Templates \
System

Device installation Do not send a Windows Enabled


error report when a generic
driver is installed on a
device

Device installation Prevent creation of a Enabled


system restore point during
device activity that would
normally prompt creation of
a restore point.

Device installation Prevent device metadata Enabled


retrieval from the Internet

Device installation Prevent Windows from Enabled


sending an error report
when a device driver
requests additional software
during installation

Device installation Turn off Found New Enabled


Hardware balloons
during device installation.

Filesystem \ NTFS Short name creation Disabled on all volumes Enabled


options
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*Group policy Configure web-to-app Disabled. Turns off web-to-


linking with app URL app linking and http(s) URIs
handlers are opened in the default
browser instead of starting
the associated app.

*Group policy Continue experiences on Disabled. The Windows


this device. device is not discoverable
by other devices, and can't
participage in cross-device
experiences.

Internet Communication Turn off access to all Enabled. If you enable this
Management \ Internet Windows Update features policy setting, all Windows
Communication settings Update features are
removed. This includes
blocking access to the
Windows Update website at
https://windowsupdate.micr
osoft.com, from the
Windows Update hyperlink
on the Start menu, and also
on the Tools menu in
Internet Explorer. Windows
automatic updating is also
disabled; you'll neither be
notified about nor will you
receive critical updates from
Windows Update. This
policy setting also prevents
Device Manager from
automatically installing
driver updates from the
Windows Update website.

Internet Communication Turn off Automatic Root Enabled. If you enable this
Management \ Internet Certificates Update policy setting, when you are
Communication settings presented with a certificate
issued by an untrusted root
authority, your computer
won't contact the Windows
Update website to see if
Microsoft has added the CA
to its list of trusted
authorities. NOTE: Only use
this policy if you have an
alternate means to the
latest certificate revocation
list.

Internet Communication Turn off Event Viewer Enabled


Management \ Internet "Events.asp" links
Communication settings

Internet Communication Turn off handwriting Enabled


Management \ Internet personalization data sharing
Communication settings
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Internet Communication Turn off handwriting Enabled


Management \ Internet recognition error reporting
Communication settings

Internet Communication Turn off Help and Support Enabled


Management \ Internet Center "Did you know?"
Communication settings content

Internet Communication Turn off Help and Support Enabled


Management \ Internet Center Microsoft
Communication settings Knowledge Base search

Internet Communication Turn off Internet Enabled


Management \ Internet Connection wizard if URL
Communication settings connection is referring to
Microsoft.com

Internet Communication Turn off Internet download Enabled


Management \ Internet for Web publishing and
Communication settings online ordering wizards

Internet Communication Turn off Internet File Enabled


Management \ Internet Association service
Communication settings

Internet Communication Turn off Registration if URL Enabled


Management \ Internet connection is referring to
Communication settings Microsoft.com

Internet Communication Turn off the "Order Prints" Enabled


Management \ Internet picture task
Communication settings

Internet Communication Turn off the "Publish to Enabled


Management \ Internet Web" task for files and
Communication settings folders

Internet Communication Turn off the Windows Enabled


Management \ Internet Messenger Customer
Communication settings Experience Improvement
Program

Internet Communication Turn off Windows Customer Enabled


Management \ Internet Experience Improvement
Communication settings Program
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Internet Communication Turn off Windows Network Enabled. This policy setting
Management \ Internet Connectivity Status turns off the active tests
Communication settings indicator active tests performed by the Windows
Network Connectivity
Status Indicator (NCSI) to
determine whether your
computer is connected to
the Internet or to a more
limited network As part of
determining the
connectivity level, NCSI
performs one of two active
tests: downloading a page
from a dedicated Web
server or making a DNS
request for a dedicated
address. If you enable this
policy setting, NCSI does
not run either of the two
active tests. This might
reduce the ability of NCSI,
and of other components
that use NCSI, to determine
Internet access) NOTE:
There are other policies that
allow you to redirect NCSI
tests to internal resources, if
this functionality is desired.

Internet Communication Turn off Windows Error Enabled


Management \ Internet Reporting
Communication settings

Internet Communication Turn off Windows Update Enabled


Management \ Internet device driver searching
Communication settings

Logon Show first sign-in animation Disabled

Logon Turn off app notifications on Enabled


the lock screen

Logon Turn off Windows Startup Enabled


sound

Power Management Select an active power plan High Performance Enabled

Recovery Allow restore of system to Disabled


default state

*Storage Health Allow downloading updates Disabled. Updates aren't


to the Disk Failure downloaded for the Disk
Prediction Model Failure Prediction Failure
Model.
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*Windows Time Services \ Enable Windows NTP Client Disabled. If you disable or
Time Providers do not configure this policy
setting, the local computer
clock doesn't synchronize
time with NTP servers.
NOTE: Consider this setting
very carefully. Windows
devices that are joined to a
domain should use NT5DS.
DC to parent domain DC
might use NTP. PDCe role
might use NTP. Virtual
machines sometimes use
"enhancements" or
"integration services".

Troubleshooting and Configure scheduled Disabled


Diagnostics \ Scheduled maintenance behavior
Maintenance

Troubleshooting and Configure Scenario Disabled


Diagnostics \ Windows Boot Execution Level
Performance Diagnostics

Troubleshooting and Configure Scenario Disabled


Diagnostics \ Windows Execution Level
Memory Leak Diagnostics

Troubleshooting and Configure Scenario Disabled


Diagnostics \ Windows Execution Level
Resource Exhaustion
Detection and Resolution

Troubleshooting and Configure Scenario Disabled


Diagnostics \ Windows Execution Level
Shutdown Performance
Diagnostics

Troubleshooting and Configure Scenario Disabled


Diagnostics \ Windows Execution Level
Standby/Resume
Performance Diagnostics

Troubleshooting and Configure Scenario Disabled


Diagnostics \ Windows Execution Level
System Responsiveness
Performance Diagnostics

*User Profiles Turn off the advertising ID Enabled. If you enable this
policy setting, the
advertising ID is turned off.
Apps can't use the ID for
experiences across apps.
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Local Computer Policy \


Computer Configuration \
Administrative Templates \
Windows Components

Add features to Windows Prevent the wizard from Enabled


10 running

*App privacy Prevent the wizard from Enabled


running

*App privacy Let Windows apps access Default for all apps: Force Enabled. If you choose the
account information Deny Force Deny option,
Windows apps are not
allowed to access account
information and employees
in your organization cannot
change it.

*App privacy Let Windows apps access Default for all apps: Force Enabled. If you choose the
call history Deny Force Deny option,
Windows apps are not
allowed to access the call
history and employees in
your organization cannot
change it.

*App privacy Let Windows apps access Default for all apps: Force Enabled. If you choose the
contacts Deny Force Deny option,
Windows apps are not
allowed to access contacts
and employees in your
organization cannot change
it.

*App privacy Let Windows apps access Default for all apps: Force Enabled. If you disable or
diagnostic information Deny do not configure this policy
about other apps setting, employees in your
organization can decide
whether Windows apps can
get diagnostic information
about other apps by using
Settings > Privacy on the
device.

*App privacy Let Windows apps access Default for all apps: Force Enabled. If you choose the
email Deny Force Allow option,
Windows apps are allowed
to access email and
employees in your
organization cannot change
it.
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*App privacy Let Windows apps access Default for all apps: Force Enabled. If you choose the
location Deny Force Deny option,
Windows apps are not
allowed to access location
and employees in your
organization cannot change
it.

*App privacy Let Windows apps access Default for all apps: Force Enabled. If you choose the
messaging Deny Force Deny option,
Windows apps are not
allowed to access
messaging and employees
in your organization cannot
change it.

*App privacy Let Windows apps access Default for all apps: Force Enabled. If you choose the
motion Deny Force Deny option,
Windows apps are not
allowed to access motion
data and employees in your
organization cannot change
it.

*App privacy Let Windows apps access Default for all apps: Force Enabled. If you choose the
notifications Deny Force Deny option,
Windows apps are not
allowed to access
notifications and employees
in your organization cannot
change it.

*App privacy Let Windows apps access Default for all apps: Force Enabled. If you choose the
Tasks Deny Force Deny option,
Windows apps are not
allowed to access tasks and
employees in your
organization cannot change
it.

*App privacy Let Windows apps access Default for all apps: Force Enabled. If you choose the
the calendar Deny Force Deny option,
Windows apps are not
allowed to access the
calendar and employees in
your organization can't
change it.

*App privacy Let Windows apps access Default for all apps: Force Enabled. If you choose the
the camera Deny Force Deny option,
Windows apps are not
allowed to access the
camera and employees in
your organization can't
change it.
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*App privacy Let Windows apps access Default for all apps: Force Enabled. If you choose the
the microphone Deny Force Deny option,
Windows apps are not
allowed to access the
microphone and employees
in your organization can't
change it.

*App privacy Let Windows apps access Default for all apps: Force Enabled. If you choose the
trusted devices Deny Force Deny option,
Windows apps are not
allowed to access trusted
devices and employees in
your organization can't
change it.

*App privacy Let Windows apps Default for all apps: Force Enabled. If you choose the
communicate with unpaired Deny Force Deny option,
devices Windows apps are not
allowed to communicate
with unpaired wireless
devices and employees in
your organization can't
change it.

*App privacy Let Windows apps access Default for all apps: Force Enabled. If you choose the
radios Deny Force Deny option,
Windows apps won't have
access to control radios and
employees in your
organization can't change it.

*App privacy Let Windows apps make Default for all apps: Force Enabled. If you choose the
phone calls Deny Force Deny option,
Windows apps are not
allowed to make phone calls
and employees in your
organization can't change it.

*App privacy Let Windows apps run in Default for all apps: Force Enabled. If you choose the
the background Deny Force Deny option,
Windows apps are not
allowed to run in the
background and employees
in your organization can't
change it.

AutoPlay policies Set the default behavior for Do not execute any autorun Enabled
AutoRun commands

*AutoPlay policies Turn off AutoPlay Enabled. If you enable this


policy setting, Autoplay is
disabled on CD-ROM and
removable media drives, or
disabled on all drives.
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*Cloud content Do not show Windows tips Enabled. This policy setting
prevents Windows tips from
being shown to users.

*Cloud content Turn off Microsoft consumer Enabled. If you enable this
experiences policy setting, users will no
longer see personalized
recommendations from
Microsoft and notifications
about their Microsoft
account.

*Data Collection and Allow telemetry 0 - Security [Enterprise Enabled. Setting a value of
Preview Builds Only] 0 applies to devices running
Enterprise, Education, IoT,
or Windows Server editions
only.

*Data Collection and Do not show feedback Enabled


Preview Builds notifications

*Data Collection and Toggle user control over Disabled


Preview Builds Insider builds

Delivery Optimization Download Mode Download mode: Simple 99 = Simple download


(99) mode with no peering.
Delivery Optimization
downloads using HTTP only
and does not attempt to
contact the Delivery
Optimization cloud services.

Desktop Window Manager Do not allow Flip3D Enabled


invocation

Desktop Window Manager Do not allow window Enabled


animations

Desktop Window Manager Use solid color for Start Enabled


background

Edge UI Allow Edge swipe Disabled

Edge UI Disable Help tips Enabled

Edge UI Turn off tracking of app Enabled


usage
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*File Explorer Configure Windows Disabled. SmartScreen will


Defender SmartScreen be turned off for all users.
Users will not be warned if
they try to run suspicious
apps from the Internet.
NOTE: If not connected to
the internet, this will
prevent the computers
from trying to contact
Microsoft for SmartScreen
information.

File Explorer Do not show the new Enabled


application installed
notification

*Find my device Turn On/Off Find My Device Disabled. When Find My


Device is off, the device and
its location are not
registered and the Find My
Device feature will not
work. The user will also not
be able to view the location
of the last use of their
active digitizer on their
device.

File Explorer Turn off caching of Enabled


thumbnail pictures

File Explorer Turn off display of recent Enabled


search entries in the File
Explorer search box

File Explorer Turn off the caching of Enabled


thumbnails in hidden
thumbs.db file

Game Explorer Turn off downloading of Enabled


game information

Game Explorer Turn off game updates Enabled

Game Explorer Turn off tracking of last play Enabled


time of games in the Games
folder

Homegroup Prevent the computer from Enabled


joining a homegroup
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*Internet Explorer Allow Microsoft services to Disabled. Users won't


provide enhanced receive enhanced
suggestions as the user suggestions while typing in
types in the Address bar the Address bar. In addition,
users won't be able to
change the Suggestions
setting.

Internet Explorer Disable Periodic Check for Enabled


Internet Explorer software
updates

Internet Explorer Disable showing the splash Enabled


screen

Internet Explorer Install new versions of Disabled


Internet Explorer
automatically

Internet Explorer Prevent participation in the Enabled


Customer Experience
Improvement Program

Internet Explorer Prevent running First Run Go directly to home page Enabled
wizard

Internet Explorer Set tab process growth Low Enabled

Internet Explorer Specify default behavior for New tab page Enabled
a new tab

Internet Explorer Turn off add-on Enabled


performance notifications

*Internet Explorer Turn off the auto-complete Enabled. If you enable this
feature for web addresses policy setting, user won't be
suggested matches when
entering Web addresses.
The user can't change the
auto-complete for setting
web addresses.

*Internet Explorer Turn off browser Enabled. If you enable this


geolocation policy setting, browser
geolocation support is
turned off.

*Internet Explorer Turn off Reopen Last Enabled


Browsing Session

Internet Explorer Turn off Reopen Last Enabled


Browsing Session
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*Internet Explorer Turn on Suggested Sites Disabled. If you disable this


policy setting, the entry
points and functionality
associated with this feature
are turned off.

*Internet Explorer \ Turn off Compatibility View Enabled. If you enable this
Compatibility View policy setting, the user
cannot use the
Compatibility View button
or manage the
Compatibility View sites list.

*Internet Explorer \ Internet Play animations in web Disabled


Control Panel \ Advanced pages
Page

*Internet Explorer \ Internet Play videos in web pages Disabled


Control Panel \ Advanced
Page

*Internet Explorer \ Internet Turn off the flip ahead with Enabled. Microsoft collects
Control Panel \ Advanced page prediction features your browsing history to
Page improve how flip ahead
with page prediction works.
This feature isn't available
for Internet Explorer for the
desktop. If you enable this
policy setting, flip ahead
with page prediction is
turned off and the next
webpage isn't loaded into
the background.

Internet Explorer \ Internet Turn off phone number Enabled


Settings \ Advanced detection
Settings \ Browsing

*Location and sensors Turn off location Enabled. If you enable this
policy setting, the location
feature is turned off, and all
programs on this computer
are prevented from using
location information from
the location feature.

Location and sensors Turn off sensors Enabled

Location and sensors \ Turn off Windows Location Enabled


Windows Location Provider Provider

*Maps Turn off Automatic Enabled. If you enable this


Download and Update of setting the automatic
Map Data download and update of
map data is turned off.
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*Maps Turn off unsolicited network Enabled. If you enable this


traffic on the Offline Maps policy setting, features that
settings page generate network traffic on
the Offline Maps settings
page are turned off. Note:
This might turn off the
entire settings page.

*Messaging Allow Message Service Disabled. This policy setting


Cloud Sync allows backup and restore
of cellular text messages to
Microsoft's cloud services.

*Microsoft Edge Allow Address bar drop- Disabled


down list suggestions

*Microsoft Edge Allow configuration updates Disabled. Turns off


for the Books Library compatibility lists in
Microsoft Edge.

*Microsoft Edge Allow Microsoft Disabled. If you disable this


Compatibility List setting, the Microsoft
Compatibility List isn't used
during browser navigation.

*Microsoft Edge Allow web content on New Disabled. Directs Edge to


Tab page open with blank content
when a new tab is opened.

*Microsoft Edge Configure Autofill Disabled. Disables autofill


on address bar.

*Microsoft Edge Configure Do Not Track Enabled. If you enable this


setting, Do Not Track
requests are always sent to
websites asking for tracking
info.

*Microsoft Edge Configure Password Disabled. If you disable this


Manager setting, employees can't use
Password Manager to save
their passwords locally.

*Microsoft Edge Configure search Disabled. Users can't see


suggestions in Address bar search suggestions in the
Address bar of Microsoft
Edge.
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*Microsoft Edge Configure Start pages Enabled. If you enable this


setting, you can configure
one or more Start pages. If
this setting is enabled, you
must also include URLs to
the pages, separating
multiple pages by using
angle brackets in this
format:
<support.contoso.com>
<support.microsoft.com>
Windows 10, version 1703
or later: If you don't want
to send traffic to Microsoft,
you can use the
about:blank value, which is
honored for devices
whether joined to a domain
or not, when it's the only
configured URL.

*Microsoft Edge Configure Windows Disabled. Windows


Defender SmartScreen Defender SmartScreen is
turned off and employees
can't turn it on. NOTE:
Consider this setting within
the environment. If not
connected to the Internet,
this will prevent the
computers from trying to
contact Microsoft for
SmartScreen information.

*Microsoft Edge Prevent the First Run web Enabled. Users won't see
page from opening on the First Run page when
Microsoft Edge opening Microsoft Edge for
the first time.

OneDrive Prevent OneDrive from Enabled. Enable this setting


generating network traffic to prevent the OneDrive
until the user signs in to sync client (OneDrive.exe)
OneDrive from generating network
traffic (checking for updates,
etc.) until the user signs in
to OneDrive or starts
syncing files to the local
computer.

*OneDrive Prevent the usage of Enabled. Unless OneDrive is


OneDrive for file storage used on- or off-premises.

OneDrive Save documents to Disabled. Unless OneDrive


OneDrive by default is used on- or off-premises.

RSS Feeds Prevent automatic Enabled


discovery of feeds and Web
Slices
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*RSS Feeds Turn off background Enabled. If you enable this


synchronization for feeds policy setting, the ability to
and Web Slices synchronize feeds and Web
Slices in the background is
turned off.

*Search Allow Cortana Disabled. When Cortana is


off, users will still be able to
use search to find things on
the device.

Search Allow Cortana above lock Disabled


screen

*Search Allow search and Cortana Disabled


to use location

Search Do not allow web search Enabled

*Search Do not search the web or Enabled. If you enable this


display web results in policy setting, queries won't
Search be performed on the web
and web results won't be
displayed when a user
performs a query in Search.

Search Prevent adding UNC Enabled


locations to index from
Control Panel

Search Prevent indexing files in Enabled


offline files cache

*Search Set what information is Enabled. Share usage


shared in Search information but don't share
Anonymous info search history, Microsoft
account info or specific
location.

*Software Protection Turn off KMS Client Online Enabled. Enabling this
Platform AVC Validation setting prevents this
computer from sending
data to Microsoft regarding
its activation state.

*Speech Allow Automatic Update of Disabled. Will not


Speech Data periodically check for
updated speech models.

*Store Turn off Automatic Enabled. If you enable this


Download and Install of setting, the automatic
updates download and installation
of app updates is turned off.
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*Store Turn off Automatic Enabled. If you enable this


Download of updates on setting, the automatic
Win8 devices download of app updates is
turned off.

Store Turn off the offer to update Enabled


to the latest version of
Windows

*Sync your settings Do not sync Allow users to turn syncing Enabled. If you enable this
on (not selected) policy setting, "sync your
settings" will be turned off,
and none of the "sync your
setting" groups will be
synced on this device.

Text Input Improve inking and typing Disabled


recognition

Windows Defender Join Microsoft MAPS Disabled. If you disable or


Antivirus \ MAPS do not configure this
setting, you will not join
Microsoft MAPS.

Windows Defender Send file samples when Never send Enabled. Only if not opted-
Antivirus \ MAPS further analysis is required in for MAPS diagnostic
data.

Windows Defender Turn off enhanced Enabled. If you enable this


Antivirus \ Reporting notifications setting, Windows Defender
Antivirus enhanced
notifications will not display
on clients.

Windows Defender Define the order of sources FileShares Enabled. If you enable this
Antivirus \ Signature for downloading definition setting, definition update
Updates updates sources will be contacted in
the order specified. Once
definition updates have
been successfully
downloaded from one
specified source, the
remaining sources in the list
will not be contacted.

Windows Error Reporting Automatically send memory Disabled


dumps for operating
system-generated error
reports

Windows Error Reporting Disable Windows Error Enabled


Reporting

Windows Game Recording Enables or disables Disabled


and Broadcasting Windows Game Recording
and Broadcasting
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Windows Installer Control maximum size of 5 Enabled


baseline file cache

Windows Installer Turn off creation of System Enabled


Restore checkpoints

Windows Mail Turn off the communities Enabled


feature

Windows Media Player Do Not Show First Use Enabled


Dialog Boxes

Windows Media Player Prevent Media Sharing Enabled

Windows Mobility Center Turn off Windows Mobility Enabled


Center

Windows Reliability Analysis Configure Reliability WMI Disabled


Providers

Windows Update Allow Automatic Updates Enabled


immediate installation

Windows Update Do not connect to any Enabled. Enabling this policy


Windows Update Internet will disable that
locations functionality, and might
cause connection to public
services such as the
Windows Store to stop
working. NOTE: This policy
applies only when this
device is configured to
connect to an intranet
update service using the
"Specify intranet Microsoft
update service location"
policy.

Windows Update Remove access to all Enabled


Windows Update features

*Windows Update \ Manage preview builds Set the behavior for Enabled. Selecting Disable
Windows Update for receiving preview builds: preview builds will prevent
Business preview builds from
installing on the device. This
will prevent users from
opting into the Windows
Insider Program, through
Settings -> Update and
Security.
Disabled. Disables preview
builds.
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*Windows Update \ Select when Preview Builds Semi-Annual Channel Enabled. Enable this policy
Windows Update for and Feature Updates are Deferment: 365 days to specify the level of
Business received Pause start: yyy-mm-dd. Preview Build or feature
updates to receive, and
when.

Windows Update \ Select when Quality 1. 30 days Enabled


Windows Update for Updates are received 2. Pause quality updates
Business starting yyyy-mm-dd

Windows Restricted Traffic Prevent OneDrive from Enabled. Enable this setting
Custom Policy Settings generating network traffic if you would like to prevent
until the user signs in to the OneDrive sync client
OneDrive (OneDrive.exe) from
generating network traffic
(checking for updates, etc.)
until the user signs in to
OneDrive or starts syncing
files to the local computer.

Windows Restricted Traffic Turn off Windows Defender Enabled. If you enable this
Custom Policy Settings Notifications policy setting, Windows
Defender will not send
notifications with critical
information about the
health and security of your
device.

Local Computer Policy \


User Configuration \
Administrative Templates

Control Panel \ Regional Turn off offer text Enabled


and Language Options predictions as I type

Desktop Do not add shares of Enabled


recently opened documents
to Network Locations

Desktop Turn off Aero Shake window Enabled


minimizing mouse gesture

Desktop \ Active Directory Maximum size of Active 2500 Enabled


Directory searches

Start Menu and Taskbar Do not allow pinning Store Enabled


app to the Taskbar

Start Menu and Taskbar Do not display or track Enabled


items in Jump Lists from
remote locations
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Start Menu and Taskbar Do not use the search- Enabled. The system does
based method when not conduct the final drive
resolving shell shortcuts search. It just displays a
message explaining that the
file is not found.

Start Menu and Taskbar Remove the People Bar Enabled. The people icon
from the taskbar will be removed from the
taskbar, the corresponding
settings toggle is removed
from the taskbar settings
page, and users will not be
able to pin people to the
taskbar.

Start Menu and Taskbar Turn off feature Enabled. Users cannot pin
advertisement balloon the Store app to the
notifications Taskbar. If the Store app is
already pinned to the
Taskbar, it will be removed
from the Taskbar on next
sign in.

Start Menu and Taskbar Turn off user tracking Enabled

Start Menu and Taskbar \ Turn off toast notifications Enabled


Notifications

Windows Components \ Turn off all Windows Enabled


Cloud Content spotlight features

Notes about Network Connectivity Status Indicator


The group policy settings above include settings to turn off checking to see if the system is connected to the
Internet. If your environment does not connect to the Internet at all, or connects indirectly, you can set a group
policy setting to remove the Network icon from the Taskbar. The reason you might want to remove the Network
icon from the Taskbar is if you turn off Internet connectivity checks, there will be a yellow flag on the Network
icon, even though the network might be functioning normally. If you would like to remove the network icon as a
group policy setting, you can find that in this location:

P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Windows Update or Select when Quality 1. 30 days Enabled


Windows Update for Updates are received 2. Pause quality updates
Business starting yyyy-mm-dd

Local Computer Policy \


User Configuration \
Administrative Templates

Start Menu and Taskbar Remove the networking Enabled. The networking
icon icon isn't displayed in the
system notification area.

For more information about the Network Connection Status Indicator (NCSI), see Manage connection endpoints
for Windows 10 Enterprise, version 1903 and Manage connections from Windows 10 operating system
components to Microsoft services.
System services
If you're considering disabling your system services to conserve resources, great care should be taken that the
service being considered isn't in some way a component of some other service. Note that some services are not
in the list because they can't be disabled in a supported manner.
Most of these recommendations mirror recommendations for Windows Server 2016, installed with the Desktop
Experience in Guidance on disabling system services on Windows Server 2016 with Desktop Experience
Many services that might seem like good candidates to disable are set to manual service start type. This means
that the service won't automatically start and isn't started unless a process or event triggers a request to the
service being considered for disabling. Services that are already set to start type Manual are usually not listed
here.

NOTE
You can enumerate running services with this PowerShell sample code, outputting only the service short name:

Get-Service | Where-Object {$_.Status -eq "Running"} | Select-Object -ExpandProperty Name

W IN DO W S SERVIC E IT EM C O M M EN T S

CDPUserService This user service is used for Connected This is a per-user service, and as such,
Devices Platform scenarios the template service must be disabled.

Connected User Experiences and Enables features that support in- Consider disabling if on disconnected
Telemetry application and connected user network.
experiences. Additionally, this service
manages the event-driven collection
and transmission of diagnostic and
usage information (used to improve
the experience and quality of the
Windows Platform) when the
diagnostics and usage privacy option
settings are enabled under Feedback
and Diagnostics.

Contact Data Indexes contact data for fast contact This is a per-user service, and as such,
searching. If you stop or disable this the template service must be disabled.
service, contacts might be missing
from your search results.

Diagnostic Policy Service Enables problem detection,


troubleshooting and resolution for
Windows components. If this service is
stopped, diagnostics will no longer
function.

Downloaded Maps Manager Windows service for application access


to downloaded maps. This service is
started on-demand by application
accessing downloaded maps. Disabling
this service will prevent apps from
accessing maps.
W IN DO W S SERVIC E IT EM C O M M EN T S

Geolocation Service Monitors the current location of the


system and manages geofences

GameDVR and Broadcast user service This user service is used for Game This is a per-user service, and as such,
Recordings and Live Broadcasts the template service must be disabled.

MessagingService Service supporting text messaging and This is a per-user service, and as such,
related functionality. the template service must be disabled.

Optimize drives Helps the computer run more VDI solutions do not normally benefit
efficiently by optimizing files on from disk optimization. These "drives"
storage drives. are not traditional drives and often just
a temporary storage allocation.

Superfetch Maintains and improves system Generally doesn't improve


performance over time. performance on VDI, especially non-
persistent, given that the operating
system state is discarded each reboot.

Touch Keyboard and Handwriting Enables Touch Keyboard and


Panel Service Handwriting Panel pen and ink
functionality

Windows Error Reporting Allows errors to be reported when With VDI, diagnostics are often
programs stop working or responding performed in an offline scenario, and
and allows existing solutions to be not in mainstream production. And in
delivered. Also allows logs to be addition, some customers disable WER
generated for diagnostic and repair anyway. WER incurs a tiny amount of
services. If this service is stopped, error resources for many different things,
reporting might not work correctly, including failure to install a device, or
and results of diagnostic services and failure to install an update.
repairs might not be displayed.

Windows Media Player Network Shares Windows Media Player libraries Not needed unless customers are
Sharing Service to other networked players and media sharing WMP libraries on the network.
devices using Universal Plug and Play

Windows Mobile Hotspot Service Provides the ability to share a cellular


data connection with another device.

Windows Search Provides content indexing, property Probably not needed especially with
caching, and search results for files, e- non-persistent VDI
mail, and other content.

Per-user services in Windows


Per-user services are services that are created when a user signs into Windows or Windows Server and are
stopped and deleted when that user signs out. These services run in the security context of the user account -
this provides better resource management than the previous approach of running these kinds of services in
Explorer, associated with a preconfigured account, or as tasks.
Per-user services in Windows 10 and Windows Server
If you intend to change a service start value, the preferred method is to open an elevated .cmd prompt and run
the Service Control Manager tool 'Sc.exe'. For more information on using 'Sc.exe' see Sc.
Scheduled tasks
Like other items in Windows, ensure an item isn't needed before you consider disabling it.
The following list of tasks are those that perform optimizations or data collections on computers that maintain
their state across reboots. When a VDI VM task reboots and discards all changes since last boot, optimizations
intended for physical computers are not helpful.
You can get all the current scheduled tasks, including descriptions, with the following PowerShell code:

Get-ScheduledTask | Select-Object -Property TaskPath,TaskName,State,Description

NOTE
There are several tasks that can't be disabled via script, even if you're running elevated. We recommend that you don't
disable tasks that can't be disabled using a script.

Scheduled Task Name:


Cellular
Consolidator
Diagnostics
FamilySafetyMonitor
FamilySafetyRefreshTask
MaintenanceTasks
MapsToastTask
Compatibility
Microsoft-Windows-DiskDiagnosticDataCollector
MNO
NotificationTask
PerformRemediation
ProactiveScan
ProcessMemoryDiagnosticEvents
ProgramDataUpdater
Proxy
QueueReporting
RecommendedTroubleshootingScanner
ReconcileFeatures
ReconcileLanguageResources
RefreshCache
RegIdleBackup
ResPriStaticDbSync
RunFullMemoryDiagnostic
ScanForUpdates
ScanForUpdatesAsUser
Scheduled
ScheduledDefrag
sihpostreboot
SilentCleanup
SmartRetry
SpaceAgentTask
SpaceManagerTask
SpeechModelDownloadTask
Sqm-Tasks
SR
StartComponentCleanup
StartupAppTask
StorageSense
SyspartRepair
Sysprep
UninstallDeviceTask
UpdateLibrary
UpdateModelTask
UsbCeip
Usb-Notifications
USO_UxBroker
WiFi
WIM-Hash-Management
WindowsActionDialog
WinSAT
Folders
WsSwapAssessmentTask
XblGameSaveTask
Apply Windows (and other) updates
Whether from Microsoft Update, or from your internal resources, apply the available updates including
Windows Defender signatures. This is a good time to apply other available updates including Microsoft Office if
installed, and other software updates. If PowerShell will remain in the image you can download the latest
available help for PowerShell by running the command Update-Help.
Servicing the operating system and apps
At some point during the image optimization process available Windows updates should be applied. There is a
setting in Windows 10 Update Settings that can provide additional updates:
This would be a good setting in case you are going to install Microsoft applications such as Microsoft Office to
the base image. That way Office is up to date when the image is put in service. There are also .NET updates and
certain third-party components such as Adobe that have updates available through Windows Update.
One very important consideration for non-persistent VDI VMs are security updates, including security software
definition files. These updates might be released once or more than once per day. There might be a way to retain
these updates, including Windows Defender and third-party components.
For Windows Defender it might be best to allow the updates to occur, even on non-persistent VDI. The updates
are going to apply nearly every logon session, but the updates are small and should not be a problem.
Additionally, the VM won't be behind on updates because only the latest available updates will apply. The same
might be true for third-party definition files.

NOTE
Store apps (UWP apps) update through the Windows Store. Modern versions of Office such as Microsoft 365 update
through their own mechanisms when directly connected to the Internet, or via management technologies when not.

Windows system startup event traces


Windows is configured, by default, to collect and save limited diagnostic data. The purpose is to enable
diagnostics, or to record data if further troubleshooting is necessary. Automatic system traces can be found at
the location shown in the following illustration:

Some of the traces displayed under Event Trace Sessions and Star tup Event Trace Sessions can't and
should not be stopped. Others, such as the 'WiFiSession' trace can be stopped. To stop a running trace under
Event Trace Sessions right-click the trace and then click 'Stop'. Use the following procedure to prevent the
traces from starting automatically on startup:
1. Click the Star tup Event Trace Sessions folder.
2. Locate the trace of interest, and then double-click that trace.
3. Click the Trace Session tab.
4. Click the box labeled Enabled to remove the check mark.
5. Click Ok .
The following are some system traces to consider disabling for VDI use:

NAME C O M M EN T

AppModel A collection of traces, one of which is phone

CloudExperienceHostOOBE

DiagLog

NtfsLog

TileStore

UBPM

WiFiDriverIHVSession If not using a WiFi device

WiFiSession

WinPhoneCritical

Windows Defender optimization with VDI


Microsoft has recently published documentation regarding Windows Defender in a VDI environment. See
Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment for
more information.
The above article contains procedures to service the 'gold' VDI image, and how to maintain the VDI clients as
they are running. To reduce network bandwidth when VDI computers need to update their Windows Defender
signatures, stagger reboots, and schedule reboots during off hours where possible. The Windows Defender
signature updates can be contained internally on file shares, and where practical, have those files shares on the
same or close networking segments as the VDI virtual machines.
Client network performance tuning by registry settings
There are some registry settings that can increase network performance. This is especially important in
environments where the VDI or computer has a workload that is primarily network-based. The settings in this
section are recommended to bias performance toward networking, by setting up additional buffering and
caching of things like directory entries.

NOTE
Some settings in this section are registry-based only and should be incorporated in the base image before the image is
deployed for production use.

The following settings are documented in the Windows Server 2016 Performance Tuning Guideline, published
on Microsoft.com by the Windows Product Group.
DisableBandwidthThrottling
HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\DisableBandwidthThrottling

Applies to Windows 10. The default is 0 . By default, the SMB redirector throttles throughput across high-latency
network connections, in some cases to avoid network-related timeouts. Setting this registry value to 1 disables
this throttling, enabling higher file transfer throughput over high-latency network connections. Consider setting
this value to 1 .
FileInfoCacheEntriesMax
HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\FileInfoCacheEntriesMax Applies to
Windows 10. The default is 64 , with a valid range of 1 to 65536. This value is used to determine the amount of
file metadata that can be cached by the client. Increasing the value can reduce network traffic and increase
performance when many files are accessed. Try increasing this value to 1024 .
DirectoryCacheEntriesMax
HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\DirectoryCacheEntriesMax

Applies to Windows 10. The default is 16 , with a valid range of 1 to 4096. This value is used to determine the
amount of directory information that can be cached by the client. Increasing the value can reduce network traffic
and increase performance when large directories are accessed. Consider increasing this value to 1024 .
FileNotFoundCacheEntriesMax
HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\FileNotFoundCacheEntriesMax

Applies to Windows 10. The default is 128 , with a valid range of 1 to 65536. This value is used to determine the
amount of file name information that can be cached by the client. Increasing the value can reduce network traffic
and increase performance when many file names are accessed. Consider increasing this value to 2048 .
DormantFileLimit
HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\DormantFileLimit

Applies to Windows 10. The default is 1023 . This parameter specifies the maximum number of files that should
be left open on a shared resource after the application has closed the file. Where many thousands of clients are
connecting to SMB servers, consider reducing this value to 256 .: Windows Server 2022, Windows Server 2019,
You can configure many of these SMB settings by using the Set-SmbClientConfiguration and Set-
SmbServerConfiguration Windows PowerShell cmdlets. Registry-only settings can be configured by using
Windows PowerShell as well, as in the following example:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"


RequireSecuritySignature -Value 0 -Force

Additional settings from the Windows Restricted Traffic Limited Functionality Baseline guidance.
Microsoft has released a baseline, created using the same procedures as the Windows Security Baselines, for
environments that are either not connected directly to the Internet, or wish to reduce data sent to Microsoft and
other services.
The Windows Restricted Traffic Limited Functionality Baseline settings are called out in the group policy table
with an asterisk.
Disk cleanup (including using the Disk Cleanup Wizard)
Disk cleanup can be especially helpful with gold/master image VDI implementations. After the image is
prepared, updated, and configured, one of the last tasks to perform is disk cleanup. There is a built-in tool called
the "Disk Cleanup Wizard" that can help clean up most potential areas of disk space savings. On a VM that has
very little installed, but was fully patched you can usually get about 4GB disk space freed up running Disk
Cleanup.
Here are suggestions for various disk cleanup tasks. These should all be tested before implementing:
1. Run (elevated) Disk Cleanup Wizard after applying all updates. Include the categories 'Delivery
Optimization' and 'Windows Update Cleanup'. This process can be automated, using command line
Cleanmgr.exe with the /SAGESET:11 option. The /SAGESET option sets registry values that can be used
later to automate disk cleanup, that uses every available option in the Disk Cleanup Wizard.
a. On a test VM, from a clean installation, running Cleanmgr.exe /SAGESET:11 reveals that there are
only two automatic disk cleanup options enabled by default:
Downloaded Program Files
Temporary Internet Files
b. If you set more options, or all options, those options are recorded in the registry, according to the
Index value provided in the previous command ( Cleanmgr.exe /SAGESET:11 ). In this case, we are
going to use the value 11 as our index, for a subsequent automated disk cleanup procedure.
c. After running Cleanmgr.exe /SAGESET:11 you'll see several categories of disk cleanup options. You
can check every option, and then click OK . The Disk Cleanup Wizard disappears and your settings
are saved in the registry.
2. Cleanup your Volume Shadow Copy storage, if any is in use.
Open an elevated command prompt and run the vssadmin list shadows command and then the
vssadmin list shadowstorage command.

If output from these commands is No items found that satisfy the quer y , then there is no VSS
storage in use.
3. Cleanup temporary files and logs. From an elevated command prompt, run the Del C:\*.tmp /s
command, the Del C:\Windows\Temp\. command, and the Del %temp%\. command.
4. Delete any unused profiles on the system by running,
wmic path win32_UserProfile where LocalPath="c:\users\<user>" Delete .
Remove OneDrive Components
Removing OneDrive involves removing the package, uninstalling, and removing *.lnk files. The following sample
PowerShell code can be used to assist in removing OneDrive from the image, and is included in the GitHub VDI
optimization scripts:
Get-Process -Name OneDrive | Stop-Process -Force -Confirm:$false
Get-Process -Name explorer | Stop-Process -Force -Confirm:$false
if (Test-Path "C:\\Windows\\System32\\OneDriveSetup.exe")`
{ Start-Process "C:\\Windows\\System32\\OneDriveSetup.exe"`
-ArgumentList "/uninstall"`
-Wait }
if (Test-Path "C:\\Windows\\SysWOW64\\OneDriveSetup.exe")`
{ Start-Process "C:\\Windows\\SysWOW64\\OneDriveSetup.exe"`
-ArgumentList "/uninstall"`
-Wait }
Remove-Item -Path "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Roaming\\Microsoft\\Windows\\Start
Menu\\Programs\\OneDrive.lnk" -Force
Remove-Item -Path "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Roaming\\Microsoft\\Windows\\Start
Menu\\Programs\\OneDrive.lnk" -Force

# Remove the automatic start item for OneDrive from the default user profile registry hive

Start-Process C:\\Windows\\System32\\Reg.exe -ArgumentList "Load HKLM\\Temp C:\\Users\\Default\\NTUSER.DAT"


-Wait
Start-Process C:\\Windows\\System32\\Reg.exe -ArgumentList "Delete
HKLM\\Temp\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v OneDriveSetup /f" -Wait
Start-Process C:\\Windows\\System32\\Reg.exe -ArgumentList "Unload HKLM\\Temp" -Wait Start-Process -FilePath
C:\\Windows\\Explorer.exe -Wait

Turn Windows Update back on


If you would like to turn Windows Update back on, as in the case of persistent VDI, follow these steps:
Re-enable these group policy settings:
Local Computer Policy \ Computer Configuration \ Administrative Templates \ System \ Internet
Communication Management \ Internet Communication settings
Turn off access to all Windows Update features (change from enabled to not configured ).
Local Computer Policy \ Computer Configuration \ Administrative Templates \ Windows
Components \ Windows Update
Remove access to all Windows Update features (change from enabled to not configured )
Do not connect to any Windows Update Internet locations (change from enabled to not
configured ).
Local Computer Policy \ Computer Configuration \ Administrative Templates \ Windows
Components \ Windows Update \ Windows Update for Business
Select when Quality Updates are received (change from 'enabled' to 'not configured')
Local Computer Policy \ Computer Configuration \ Administrative Templates \ Windows
Components \ Windows Update \ Windows Update for Business
Select when Preview Builds and Feature Updates are received (change from enabled to not
configured )
Re-enable service(s)
Update the Orchestrator service (change from disabled to Automatic (Delayed Star t) ).
Edit the following Windows registry settings:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState
DeferQualityUpdates (change from 1 to 0 )
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings
PausedQualityDate (delete any existing value)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
WAU
Disabled
Re-enable scheduled tasks
Task Scheduler Library \ Microsoft \ Windows \ InstallService\ ScanForUpdates
Task Scheduler Library \ Microsoft \ Windows \ InstallService \ ScanForUpdatesAsUser
To make all these settings take effect, restart the device. If you don't want this device offered Feature Updates, go
to Settings \ Windows Update \ Advanced options \ Choose when updates are installed, and then manually set
the option, A feature update includes new capabilities and improvements. It can be deferred for this
many days to some non-zero value, such as 180, 365, etc.
For any questions or concerns about the information in this paper, contact your Microsoft account team,
research the Microsoft VDI blog, post a message to Microsoft forums, or contact Microsoft for questions or
concerns.
References
What is VDI (virtual desktop infrastructure)
Sysprep fails after you remove or update Microsoft Store apps that include built-in Windows images.
Optimizing Windows 10, version 1803, for a Virtual
Desktop Infrastructure (VDI) role
7/29/2021 • 47 minutes to read • Edit Online

This article helps you choose settings for Windows 10, version 1803 (build 17134) that should result in the best
performance in a Virtualized Desktop Infrastructure (VDI) environment. All settings in this guide are
recommendations to be considered and are in no way requirements.
In a VDI environment the key ways to optimize Windows 10 performance are to minimize app graphic redraws,
background activities that have no major benefit to the VDI environment, and generally reduce running
processes to the bare minimum. A secondary goal is to reduce disk space usage in the base image to the bare
minimum. With VDI implementations, the smallest possible base, or “gold” image size, can slightly reduce
memory usage on the hypervisor, as well as a small reduction in overall network operations required to deliver
the desktop image to the consumer.

NOTE
Settings recommended here can be applied to other installation of Windows 10, version 1803, including those on physical
or other virtual devices. No recommendations in this topic should affect the supportability of Windows 10, version 1803.

TIP
A script that implements the optimizations discussed in this topic--as well as a GPO export file that you can import with
LGPO.exe --is available at TheVDIGuys on GitHub.

VDI optimization principles


A VDI environment presents a full desktop session, including applications, to a computer user over a network.
VDI environments usually use a base operating system image, which then becomes the basis for the desktops
subsequently presented to the users for work. There are variations of VDI implementations such as “persistent”,
“non-persistent”, and “desktop session.” The persistent type preserves changes to the VDI desktop operating
system from one session to the next. The non-persistent type does not preserve changes to the VDI desktop
operating system from one session to the next. To the user this desktop is little different than other virtual or
physical device, other than it is accessed over a network.
The optimization settings would take place on a reference device. A VM is an ideal place to build the image,
because you can save the state, make checkpoints and backups can be made, and other useful tasks. Start by
installing default operating system on the base VM, and then optimize the base VM for VDI use by removing
unneeded apps, installing Windows updates, installing other updates, deleting temporary files, applying settings,
etc.
There are other types of VDI such as persistent and Remote Desktop Services (RDS). An in-depth discussion
regarding these technologies is outside the scope of this topic, which focuses on the Windows base image
settings with reference to other factors in the environment such as host optimization.
Persistent VDI
Persistent VDI is, at the basic level, a VM that saves operating system state in between restarts. Other software
layers of the VDI solution provide the users easy and seamless access to their assigned VMs, often with a single
sign-on solution.
There are several different implementations of persistent VDI:
Traditional virtual machine, where the VM has its own virtual disk file, starts up normally, saves changes
from one session to the next, and is essentially just a normal VM. The difference is how the user accesses
this VM. There might be a web portal the user logs into that automatically directs the user to their one or
more assigned VDI VMs.
Image-based persistent virtual machine, with personal virtual disks. In this type of implementation there
is a base/gold image on one or more host servers. A VM is created, and one or more virtual disks are
created and assigned to this disk for persistent storage.
When the VM is started, a copy of the base image is read into the memory of the VM. At the same
time, a persistent virtual disk assigned to that VM, with any previous operating system changes
merged through a complex process.
Changes such as event log writes, log writes, etc. are redirected to the read/write virtual disk
assigned to that VM.
In this circumstance, operating system and app servicing might operate normally, using traditional
servicing software such as Windows Server Update Services or other management technologies.
Non-Persistent VDI
When a non-persistent VDI implementation is based on a base or “gold” image, the optimizations are mostly
performed in the base image, and then through local settings and local policies.
With image-based non-persistent VDI, the base image is read-only. When a non-persistent VDI VM is started, a
copy of the base image is streamed to the VM. Activity that occurs during startup and thereafter until the next
reboot is redirected to a temporary location. Usually the users are provided network locations to store their
data. In some cases, the user's profile is merged with the standard VM to provide the user their settings.
One important aspect of non-persistent VDI that is based on a single image is servicing. Updates to the
operating system are delivered usually once per month. With image-based VDI, there is a set of processes to
perform in order to get updates to the image:
On a given host, all the VMs on that host that are derived from the base image must be shut down or
turned off. This means the users are redirected to other VMs.
The base image is then opened and started up. All maintenance activities are then performed, such as
operating system updates, .NET updates, app updates, etc.
Any new settings that need to be applied are applied at this time.
Any other maintenance is performed at this time.
The base image is then shut down.
The base image is sealed and set to go back into production.
-Users are allowed to log back on.
NOTE
Windows 10 performs a set of maintenance tasks automatically, on a periodic basis. There is a scheduled task that is set to
run at 3:00 AM local time every day by default. This scheduled task performs a list of tasks, including Windows Update
cleanup. You can view all the categories of maintenance that take place automatically with this PowerShell command:

Get-ScheduledTask | ? {$_.Settings.MaintenanceSettings}

One of the challenges with non-persistent VDI is that when a user logs off, nearly all the operating system
activity is discarded. The user's profile and or state might be saved, but the virtual machine itself discards nearly
all changes that were made since the last boot. Therefore, optimizations intended for a Windows computer that
saves state from one session to the next are not applicable.
Depending on the architecture of VDI VM, things like PreFetch and SuperFetch are not going to help from one
session to the next, as all the optimizations are discarded on VM restart. Indexing might be a partial waste of
resources, as would be any disk optimizations such as a traditional defragmentation.
To Sysprep or not Sysprep
Windows 10 has a built-in capability called the System Preparation Tool, (often abbreviated to "Sysprep"). The
Sysprep tool is used to prepare a customized Windows 10 image for duplication. The Sysprep process assures
the resulting operating system is properly unique to run in production. There are reasons for and against
running Sysprep. In the case of VDI, you might want the ability to customize the default user profile which would
be used as the profile template for subsequent users that log on using this image. You might have apps that you
want installed, but also able to control per-app settings.
The alternative is to use a standard .ISO to install from, possibly using an unattended installation answer file, and
a task sequence to install applications or remove applications. You can also use a task sequence to set local
policy settings in the image, perhaps using the Local Group Policy Object Utility (LGPO) tool.
VDI Optimization Categories
Global operating system settings
UWP app cleanup
Optional Features cleanup
Local policy settings
System services
Scheduled tasks
Apply Windows updates
Automatic Windows traces
Disk cleanup prior to finalizing (sealing) image
User settings
Hypervisor/Host settings
Tuning Windows 10 network performance by using registry settings
Additional settings from the Windows Restricted Traffic Limited Functionality Baseline guidance.
Disk cleanup
Universal Windows Platform app cleanup
One of the goals of a VDI image is to be as small as possible. One way to reduce the size of the image is to
remove UWP applications that will not be used in the environment. With UWP apps, there are the main
application files, also known as the payload. There is a small amount of data stored in each user's profile for
application specific settings. There is also a small amount of data in the All Users profile.
Connectivity and timing are everything when it comes to UWP app cleanup. If you deploy your base image to
either a device with no network connectivity, Windows 10 cannot connect to the Microsoft Store and download
apps and try to install them while you are trying to uninstall them.
If you modify your base .WIM that you use to install Windows 10 and remove unneeded UWP apps from the
.WIM before you install, the apps will not be installed to begin with and your profile creation times should be
shorter. Later in this section, you'll find information on how to remove UWP apps from your installation .WIM
file.
A good strategy for VDI is to provision the apps you want in the base image, then limit or block access to the
Microsoft Store afterward. Store apps are updated periodically in the background on normal computers. The
UWP apps can be updated during the maintenance window when other updates are applied.
Delete the payload of UWP apps
UWP apps that are not needed are still in the file system consuming a small amount of disk space. For apps that
will never be needed, the payload of unwanted UWP apps can be removed from the base image using
PowerShell commands.
In fact, if you remove those from the installation .WIM file using the links provided later in this section, you
should be able to start from the beginning with a very slim list of UWP apps.
Run the following command to enumerate provisioned UWP apps from a running Windows 10 operating
system, as in this truncated example output from PowerShell:

Get-AppxProvisionedPackage -Online

DisplayName : Microsoft.3DBuilder
Version : 13.0.10349.0
Architecture : neutral
ResourceId : \~
PackageName : Microsoft.3DBuilder_13.0.10349.0_neutral_\~_8wekyb3d8bbwe
Regions :

UWP apps that are provisioned to a system can be removed during operating system installation as part of a
task sequence, or later after the operating system is installed. This might be the preferred method because it
makes the overall process of creating or maintaining an image modular. Once you develop the scripts, if
something changes in a subsequent build you edit an existing script rather than repeat the process from scratch.
Here are some links to information on this topic:
Removing Windows 10 in-box apps during a task sequence
Removing Built-in apps from Windows 10 WIM-File with Powershell - Version 1.3
Windows 10 1607: Keeping apps from coming back when deploying the feature update
Then run the Remove-AppxProvisionedPackage PowerShell command to remove UWP app payloads:

Remove-AppxProvisionedPackage -Online -PackageName

Each UWP app should be evaluated for applicability in each unique environment. You will want to install a
default installation of Windows 10, version 1803, then note which apps are running and consuming memory.
For example, you might want to consider removing apps that start automatically, or apps that automatically
display information on the Start menu, such as Weather and News, and that might not be of use in your
environment.
One of the "inbox" UWP apps called Photos, has a default setting called Show a notification when new
albums are available . The Photos app can use approximately 145 MB of memory; specifically private working
set memory, even if not being used. Changing the Show a notification when new albums are available
setting for all users is not practical at this time, hence the recommendation to remove the Photos app if it is not
needed or desired.
Clean up optional features
Managing optional features with PowerShell
To enumerate currently installed Windows Features, run this PowerShell command:

Get-WindowsOptionalFeature -Online

You can enable or disable a specific Windows optional feature as in this example:

Enable-WindowsOptionalFeature -Online -FeatureName "DirectPlay"

For more about this, see the Windows a PowerShell forum.


Enable or disable Windows features by using DISM
You can use the built-in Dism.exe tool to enumerate and control Windows optional features. You can set up a
Dism.exe script to run during a task sequence that installs the operating system.
Local policy settings
Many optimizations for Windows 10 in a VDI environment can be made using Windows policy. The settings
listed here can be applied locally to the base image. Then if the equivalent settings are not specified in any other
way such as by group policy, the settings would still apply.
Some decisions might be based on the specifics of the environment, for example:
Is the VDI environment allowed to access the Internet?
Is the VDI solution persistent or non-persistent?
The following settings specifically do not counter or conflict with any setting that has anything to do with
security. These settings were chosen to remove settings that might not be applicable to VDI environments.

NOTE
In this table of group policy settings, items marked with an asterisk are from the Windows Restricted Traffic Limited
Functionality Baseline.

P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Local Computer Policy \


Computer Configuration
\ Windows Settings \
Security Settings

Network List Manager All Networks Properties Network Location User cannot change
Policies location
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Local Computer Policy \


Computer Configuration
\ Administrative
Templates \ Control
Panel

*Control Panel Allow Online Tips Disabled (Settings will not


contact Microsoft content
services to retrieve tips and
help content)

*Control Panel\ Do not display the lock Enabled (This policy setting
Personalization screen controls whether the lock
screen appears for users. If
you enable this policy
setting, users that are not
required to press CTRL +
ALT + DEL before signing in
will see their selected tile
after locking their PC.)

*Control Panel\ Force a specific default lock Enabled (This setting lets
Personalization screen and logon image you specify the default lock
screen and logon image
shown when no user is
signed in, and also sets the
specified image as the
default for all users--it
replaces the default image.)
A low resolution, non-
complex image would cause
less data transmitted over
the network each time the
image is rendered.

*Control Panel\ Regional Turn off automatic learning Enabled (If you enable this
and Language policy setting, automatic
Options\Handwriting learning stops, and any
personalization stored data is deleted.
Users cannot configure this
setting in Control Panel)

Local Computer Policy \


Computer Configuration
\ Administrative
Templates \ Network

Background Intelligent Do not allow the BITS client Enabled


Transfer Ser vice (BITS) to use Windows Branch
Cache

Background Intelligent Do not allow the computer Enabled


Transfer Ser vice (BITS) to act as a BITS Peercaching
client
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Background Intelligent Do not allow the computer Enabled


Transfer Ser vice (BITS) to act as a BITS Peercaching
server

Background Intelligent Allow BITS Peercaching Disabled


Transfer Ser vice (BITS)

BranchCache Turn on BranchCache Disabled

*Fonts Enable Font Providers Disabled (Windows does


not connect to an online
font provider and only
enumerates locally installed
fonts.)

Hotspot Authentication Enable hotspot Disabled


authentication

Microsoft Peer-to-Peer Turn off Microsoft Peer-to- Enabled


Networking Ser vices Peer Networking Services

Network Connectivity Specify passive polling Disable passive polling Enabled (Use this setting if
Status Indicator (Note (checkbox) on an isolated network, or
that there are other using static IP addresses.)
settings in this section that
can be used in isolated
networks)

Offline Files Allow or Disallow use of the Disabled


Offline Files feature

*TCPIP Settings \ IPv6 Set Teredo State Disabled State Enabled (In the disabled
Transition Technologies state no Teredo interfaces
are present on the host.)

*WL AN Ser vice \ WLAN Allow Windows to Disabled (Connect to


Settings automatically connect to suggested open
suggested open hotspots, hotspots , Connect to
to networks shared by networks shared by my
contacts, and to hotspots contacts , and Enable
offering paid services paid ser vices will be
turned off and users on this
device will be prevented
from enabling them.)

Local Computer Policy \


Computer Configuration
\ Administrative
Templates \ Star t Menu
and Taskbar
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*Notifications Turn off notifications Enabled (If you enable this


network usage policy setting, applications
and system features will not
be able to receive
notifications from the
network from WNS or by
using notification-polling
APIs.)

Local Computer Policy \


Computer Configuration
\ Administrative
Templates \ System

Device Installation Do not send a Windows Enabled


error report when a generic
driver is installed on a
device

Device Installation Prevent creation of a Enabled


system restore point during
device activity that would
normally prompt creation of
a restore point

Device Installation Prevent device metadata Enabled


retrieval from the Internet

Device Installation Prevent Windows from Enabled


sending an error report
when a device driver
requests additional software
during installation

Device Installation Turn off Found New Enabled


Hardware balloons during
device installation

Filesystem \NTFS Short name creation Disabled on all volumes Enabled


options

*Group Policy Configure web-to-app Disabled (Disables web-to-


linking with app URL app linking and http(s) URIs
handlers will be opened in the
default browser instead of
starting the associated
app.)

*Group Policy Continue experiences on Disabled (The Windows


this device device is not discoverable
by other devices, and
cannot participate in cross-
device experiences.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Internet Communication Turn off access to all Enabled (If you enable this
Management \ Internet Windows Update features policy setting, all Windows
Communication settings Update features are
removed. This includes
blocking access to the
Windows Update website at
https://windowsupdate.micr
osoft.com, from the
Windows Update hyperlink
on the Start menu, and also
on the Tools menu in
Internet Explorer. Windows
automatic updating is also
disabled; you will neither be
notified about nor will you
receive critical updates from
Windows Update. This
policy setting also prevents
Device Manager from
automatically installing
driver updates from the
Windows Update website.)

Internet Communication Turn off Automatic Root Enabled (If you enable this
Management \ Internet Certificates Update policy setting, when you are
Communication settings presented with a certificate
issued by an untrusted root
authority, your computer
will not contact the
Windows Update website to
see if Microsoft has added
the CA to its list of trusted
authorities.) NOTE: Only
use this policy if you have
an alternate means to the
latest certificate revocation
list.

Internet Communication Turn off Event Viewer Enabled


Management \ Internet "Events.asp" links
Communication settings

Internet Communication Turn off handwriting Enabled


Management \ Internet personalization data sharing
Communication settings

Internet Communication Turn off handwriting Enabled


Management \ Internet recognition error reporting
Communication settings

Internet Communication Turn off Help and Support Enabled


Management \ Internet Center "Did you know?"
Communication settings content

Internet Communication Turn off Help and Support Enabled


Management \ Internet Center Microsoft
Communication settings Knowledge Base search
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Internet Communication Turn off Internet Enabled


Management \ Internet Connection wizard if URL
Communication settings connection is referring to
Microsoft.com

Internet Communication Turn off Internet download Enabled


Management \ Internet for Web publishing and
Communication settings online ordering wizards

Internet Communication Turn off Internet File Enabled


Management \ Internet Association service
Communication settings

Internet Communication Turn off Registration if URL Enabled


Management \ Internet connection is referring to
Communication settings Microsoft.com

Internet Communication Turn off the "Order Prints" Enabled


Management \ Internet picture task
Communication settings

Internet Communication Turn off the "Publish to Enabled


Management \ Internet Web" task for files and
Communication settings folders

Internet Communication Turn off the Windows Enabled


Management \ Internet Messenger Customer
Communication settings Experience Improvement
Program

Internet Communication Turn off Windows Customer Enabled


Management \ Internet Experience Improvement
Communication settings Program
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*Internet Turn off Windows Network Enabled (This policy setting


Communication Connectivity Status turns off the active tests
Management \ Internet indicator active tests performed by the Windows
Communication settings Network Connectivity
Status Indicator (NCSI) to
determine whether your
computer is connected to
the Internet or to a more
limited network As part of
determining the
connectivity level, NCSI
performs one of two active
tests: downloading a page
from a dedicated Web
server or making a DNS
request for a dedicated
address. If you enable this
policy setting, NCSI does
not run either of the two
active tests. This might
reduce the ability of NCSI,
and of other components
that use NCSI, to determine
Internet access) NOTE:
There are other policies that
allow you to redirect NCSI
tests to internal resources, if
this functionality is desired.

Internet Communication Turn off Windows Error Enabled


Management \ Internet Reporting
Communication settings

Internet Communication Turn off Windows Update Enabled


Management \ Internet device driver searching
Communication settings

Logon Show first sign-in animation Disabled

Logon Turn off app notifications on Enabled


the lock screen

Logon Turn off Windows Startup Enabled


sound

Power Management Select an active power plan High Performance Enabled

Recover y Allow restore of system to Disabled


default state

*Storage Health Allow downloading updates Disabled (Updates would


to the Disk Failure not be downloaded for the
Prediction Model Disk Failure Prediction
Failure Model)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*Windows Time Enable Windows NTP Client Disabled (If you disable or
Ser vices \ Time Providers do not configure this policy
setting, the local computer
clock does not synchronize
time with NTP servers)
NOTE : Consider this setting
very carefully. Windows
devices that are joined to a
domain should use NT5DS.
DC to parent domain DC
might use NTP. PDCe role
might use NTP. Virtual
machines sometimes use
“enhancements” or
“integration services”.

Troubleshooting and Configure Scheduled Disabled


Diagnostics \ Scheduled Maintenance Behavior
Maintenance

Troubleshooting and Configure Scenario Disabled


Diagnostics \ Windows Execution Level
Boot Performance
Diagnostics

Troubleshooting and Configure Scenario Disabled


Diagnostics \ Windows Execution Level
Memory Leak Diagnostics

Troubleshooting and Configure Scenario Disabled


Diagnostics \ Windows Execution Level
Resource Exhaustion
Detection and Resolution

Troubleshooting and Configure Scenario Disabled


Diagnostics \ Windows Execution Level
Shutdown Performance
Diagnostics

Troubleshooting and Configure Scenario Disabled


Diagnostics \ Windows Execution Level
Standby/Resume
Performance Diagnostics

Troubleshooting and Configure Scenario Disabled


Diagnostics \ Windows Execution Level
System Responsiveness
Performance Diagnostics

*User Profiles Turn off the advertising ID Enabled (If you enable this
policy setting, the
advertising ID is turned off.
Apps can't use the ID for
experiences across apps.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Local Computer Policy \


Computer Configuration
\ Administrative
Templates \ Windows
Components

Add features to Prevent the wizard from Enabled


Windows 10 running

*App Privacy Let Windows apps access Default for all apps: Force Enabled (If you choose the
account information Deny Force Deny option,
Windows apps are not
allowed to access account
information and employees
in your organization cannot
change it)

*App Privacy Let Windows apps access Default for all apps: Force Enabled (If you choose the
call history Deny Force Deny option,
Windows apps are not
allowed to access the call
history and employees in
your organization cannot
change it.)

*App Privacy Let Windows apps access Default for all apps: Force Enabled (If you choose the
contacts Deny Force Deny option,
Windows apps are not
allowed to access contacts
and employees in your
organization cannot change
it.)

*App Privacy Let Windows apps access Default for all apps: Force Enabled (If you disable or
diagnostic information Deny do not configure this policy
about other apps setting, employees in your
organization can decide
whether Windows apps can
get diagnostic information
about other apps by using
Settings > Privacy on the
device)

*App Privacy Let Windows apps access Default for all apps: Force Enabled (If you choose the
email Deny "Force Allow" option,
Windows apps are allowed
to access email and
employees in your
organization cannot change
it)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*App Privacy Let Windows apps access Default for all apps: Force Enabled (If you choose the
location Deny Force Deny option,
Windows apps are not
allowed to access location
and employees in your
organization cannot change
it.)

*App Privacy Let Windows apps access Default for all apps: Force Enabled (If you choose the
messaging Deny Force Deny option,
Windows apps are not
allowed to access location
and employees in your
organization cannot change
it.)

*App Privacy Let Windows apps access Default for all apps: Force Enabled (If you choose the
motion Deny Force Deny option,
Windows apps are not
allowed to access motion
data and employees in your
organization cannot change
it.)

*App Privacy Let Windows apps access Default for all apps: Force Enabled (If you choose the
notifications Deny Force Deny option,
Windows apps are not
allowed to access
notifications and employees
in your organization cannot
change it)

*App Privacy Let Windows apps access Default for all apps: Force Enabled (If you choose the
Tasks Deny Force Deny option,
Windows apps are not
allowed to access tasks and
employees in your
organization cannot change
it.)

*App Privacy Let Windows apps access Default for all apps: Force Enabled (If you choose the
the calendar Deny Force Deny option,
Windows apps are not
allowed to access the
calendar and employees in
your organization cannot
change it.)

*App Privacy Let Windows apps access Default for all apps: Force Enabled (If you choose the
the camera Deny Force Deny option,
Windows apps are not
allowed to access the
camera and employees in
your organization cannot
change it.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*App Privacy Let Windows apps access Default for all apps: Force Enabled (If you choose the
the microphone Deny Force Deny option,
Windows apps are not
allowed to access the
microphone and employees
in your organization cannot
change it.)

*App Privacy Let Windows apps access Default for all apps: Force Enabled (If you choose the
trusted devices Deny Force Deny option,
Windows apps are not
allowed to access trusted
devices and employees in
your organization cannot
change it.)

*App Privacy Let Windows apps Default for all apps: Force Enabled (If you choose the
communicate with unpaired Deny Force Deny option,
devices Windows apps are not
allowed to communicate
with unpaired wireless
devices and employees in
your organization cannot
change it.)

*App Privacy Let Windows apps access Default for all apps: Force Enabled (If you choose the
radios Deny Force Deny option,
Windows apps will not have
access to control radios and
employees in your
organization cannot change
it.)

App Privacy Let Windows apps make Default for all apps: Force Enabled (Windows apps are
phone calls Deny not allowed to make phone
calls and employees in your
organization cannot change
it.)

*App Privacy Let Windows apps run in Default for all apps: Force Enabled (If you choose the
the background Deny Force Deny option,
Windows apps are not
allowed to run in the
background and employees
in your organization cannot
change it.)

AutoPlay Policies Set the default behavior for Do not execute any autorun Enabled
AutoRun commands

*AutoPlay Policies Turn off Autoplay Enabled (If you enable this
policy setting, Autoplay is
disabled on CD-ROM and
removable media drives, or
disabled on all drives.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*Cloud Content Do not show Windows tips Enabled (This policy setting
prevents Windows tips from
being shown to users.)

*Cloud Content Turn off Microsoft consumer Enabled (If you enable this
experiences policy setting, users will no
longer see personalized
recommendations from
Microsoft and notifications
about their Microsoft
account.)

*Data Collection and Allow Telemetry 0 – Security [Enterprise Enabled (Setting a value of
Preview Builds Only] 0 applies to devices running
Enterprise, Education, IoT,
or Windows Server editions
only.)

*Data Collection and Do not show feedback Enabled


Preview Builds notifications

*Data Collection and Toggle user control over Disabled


Preview Builds Insider builds

Deliver y Optimization Download Mode Download Mode: Simple 99 = Simple download


(99) mode with no peering.
Delivery Optimization
downloads using HTTP only
and does not attempt to
contact the Delivery
Optimization cloud services.

Desktop Window Do not allow Flip3D Enabled


Manager invocation

Desktop Window Do not allow window Enabled


Manager animations

Desktop Window Use solid color for Start Enabled


Manager background

Edge UI Allow edge swipe Disable

Edge UI Disable help tips Enabled

*File Explorer Configure Windows Disabled (SmartScreen will


Defender SmartScreen be turned off for all users.
Users will not be warned if
they try to run suspicious
apps from the Internet.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

NOTE : If not connected to


the internet, this will
prevent the computers
from trying to contact
Microsoft for SmartScreen
information.

File Explorer Do not show the new Enabled


application installed
notification

*Find My Device Turn On/Off Find My Device Disabled (When Find My


Device is off, the device and
its location are not
registered and the Find My
Device feature will not
work. The user will also not
be able to view the location
of the last use of their
active digitizer on their
device.)

Game Explorer Turn off downloading of Enabled


game information

Game Explorer Turn off game updates Enabled

Game Explorer Turn off tracking of last play Enabled


time of games in the Games
folder

Homegroup Prevent the computer from Enabled


joining a homegroup

*Internet Explorer Allow Microsoft services to Disabled (users won't


provide enhanced receive enhanced
suggestions as the user suggestions while typing in
types in the Address bar the Address bar. In addition,
users won't be able to
change the Suggestions
setting.)

Internet Explorer Disable Periodic Check for Enabled


Internet Explorer software
updates

Internet Explorer Disable showing the splash Enabled


screen

Internet Explorer Install new versions of Disabled


Internet Explorer
automatically

Internet Explorer Prevent participation in the Enabled


Customer Experience
Improvement Program
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Internet Explorer Prevent running First Run Go directly to home page Enabled
wizard

Internet Explorer Set tab process growth Low Enabled

Internet Explorer Specify default behavior for New tab page Enabled
a new tab

Internet Explorer Turn off add-on Enabled


performance notifications

*Internet Explorer Turn off the auto-complete Enabled (If you enable this
feature for web addresses policy setting, user will not
be suggested matches
when entering Web
addresses. The user cannot
change the auto-complete
for setting web addresses.)

*Internet Explorer Turn off browser Enabled (If you enable this
geolocation policy setting, browser
geolocation support is
turned off.)

Internet Explorer Turn off Reopen Last Enabled


Browsing Session

*Internet Explorer Turn on Suggested Sites Disabled (If you disable this
policy setting, the entry
points and functionality
associated with this feature
are turned off.)

*Internet Explorer \ Turn off Compatibility View Enabled (If you enable this
Compatibility View policy setting, the user
cannot use the
Compatibility View button
or manage the
Compatibility View sites
list.)

Internet Explorer \ Play animations in web Disabled


Internet Control Panel\ pages
Advanced Page

Internet Explorer \ Play videos in web pages Disabled


Internet Control Panel\
Advanced Page
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*Internet Explorer \ Turn off the flip ahead with Enabled (Microsoft collects
Internet Control Panel\ page prediction features your browsing history to
Advanced Page improve how flip ahead
with page prediction works.
This feature isn't available
for Internet Explorer for the
desktop. If you enable this
policy setting, flip ahead
with page prediction is
turned off and the next
webpage isn't loaded into
the background.)

Internet Explorer \ Turn off phone number Enabled


Internet Settings\ Advanced detection
Settings\ Browsing

Internet Explorer \ Allow Internet Explorer to Disabled


Internet Settings\ Advanced play media files that use
Settings\ Multimedia alternative codecs

*Location and Sensors Turn off location Enabled (f you enable this
policy setting, the location
feature is turned off, and all
programs on this computer
are prevented from using
location information from
the location feature.)

Location and Sensors Turn off sensors Enabled

Locations and Sensors / Turn off Windows Location Enabled


Windows Location Provider Provider

*Maps Turn off Automatic Enabled (If you enable this


Download and Update of setting the automatic
Map Data download and update of
map data is turned off.)

*Maps Turn off unsolicited network Enabled (If you enable this
traffic on the Offline Maps policy setting, features that
settings page generate network traffic on
the Offline Maps settings
page are turned off. Note:
This might turn off the
entire settings page.)

*Messaging Allow Message Service Disabled (This policy setting


Cloud Sync allows backup and restore
of cellular text messages to
Microsoft's cloud services.)

*Microsoft Edge Allow Address bar drop- Disabled


down list suggestions
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*Microsoft Edge Allow configuration updates Disabled (Turns off


for the Books Library compatibility lists in
Microsoft Edge.)

*Microsoft Edge Allow Microsoft Disabled (If you disable this


Compatibility List setting, the Microsoft
Compatibility List isn't used
during browser navigation.)

*Microsoft Edge Allow web content on New Disabled (Directs Edge to


Tab page open with blank content
when a new tab is opened.)

*Microsoft Edge Configure Autofill Disabled (Disables autofill


on address bar.)

*Microsoft Edge Configure Do Not Track Enabled (If you enable this
setting, Do Not Track
requests are always sent to
websites asking for tracking
info.)

*Microsoft Edge Configure Password Disabled (If you disable this


Manager setting, employees can't use
Password Manager to save
their passwords locally.)

*Microsoft Edge Configure search Disabled (Users can't see


suggestions in Address bar search suggestions in the
Address bar of Microsoft
Edge.)

*Microsoft Edge Configure Start pages Enabled (If you enable this
setting, you can configure
one or more Start pages. If
this setting is enabled, you
must also include URLs to
the pages, separating
multiple pages by using
angle brackets in this
format:
<support.contoso.com>
<support.microsoft.com>
Windows 10, version 1703
or later: If you don't want
to send traffic to Microsoft,
you can use the
<about:blank> value, which
is honored for devices
whether joined to a domain
or not, when it's the only
configured URL.

*Microsoft Edge Configure Windows Disabled (Windows


Defender SmartScreen Defender SmartScreen is
turned off and employees
can't turn it on.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

NOTE : Consider this setting


within the environment. If
not connected to the
Internet, this will prevent
the computers from trying
to contact Microsoft for
SmartScreen information.

*Microsoft Edge Prevent the First Run web Enabled (Users won't see
page from opening on the First Run page when
Microsoft Edge opening Microsoft Edge for
the first time.)

OneDrive Prevent OneDrive from Enabled (Enable this


generating network traffic setting to prevent the
until the user signs in to OneDrive sync client
OneDrive (OneDrive.exe) from
generating network traffic
(checking for updates, etc.)
until the user signs in to
OneDrive or starts syncing
files to the local computer.)

*OneDrive Prevent the usage of Enabled (unless OneDrive


OneDrive for file storage is used on- or off-premises.)

OneDrive Save documents to Disabled (unless OneDrive


OneDrive by default is used on- or off-premises.)

RSS Feeds Prevent automatic Enabled


discovery of feeds and Web
Slices

*RSS Feeds Turn off background Enabled (If you enable this
synchronization for feeds policy setting, the ability to
and Web Slices synchronize feeds and Web
Slices in the background is
turned off.)

*Search Allow Cortana Disabled (When Cortana is


off, users will still be able to
use search to find things on
the device.)

Search Allow Cortana above lock Disabled


screen

*Search Allow search and Cortana Disabled


to use location

Search Do not allow web search Enabled


P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

*Search Don't search the web or Enabled (If you enable this
display web results in policy setting, queries won't
Search be performed on the web
and web results won't be
displayed when a user
performs a query in Search.)

Search Prevent adding UNC Enabled


locations to index from
Control Panel

Search Prevent indexing files in Enabled


offline files cache

*Search Set what information is Anonymous info Enabled (Share usage


shared in Search information but don't share
search history, Microsoft
account info or specific
location.)

*Software Protection Turn off KMS Client Online Enabled (Enabling this
Platform AVC Validation setting prevents this
computer from sending
data to Microsoft regarding
its activation state.)

*Speech Allow Automatic Update of Disabled (will not


Speech Data periodically check for
updated speech models)

*Store Turn off Automatic Enabled (If you enable this


Download and Install of setting, the automatic
updates download and installation
of app updates is turned
off.)

*Store Turn off Automatic Enabled (If you enable this


Download of updates on setting, the automatic
Win8 devices download of app updates is
turned off.)

Store Turn off the offer to update Enabled


to the latest version of
Windows

*Sync your settings Do not sync Allow users to turn syncing Enabled (If you enable this
on (not selected) policy setting, "sync your
settings" will be turned off,
and none of the "sync your
setting" groups will be
synced on this device.

Text Input Improve inking and typing Disabled


recognition
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Windows Defender Join Microsoft MAPS Disabled (If you disable or


Antivirus \ MAPS do not configure this
setting, you will not join
Microsoft MAPS.)

Windows Defender Send file samples when Never send Enabled (only if not opted-
Antivirus \ MAPS further analysis is required in for MAPS diagnostic
data)

Windows Defender Turn off enhanced Enabled (If you enable this
Antivirus \ Reporting notifications setting, Windows Defender
Antivirus enhanced
notifications will not display
on clients.)

Windows Defender Define the order of sources FileShares Enabled (If you enable this
Antivirus \ Signature for downloading definition setting, definition update
Updates updates sources will be contacted in
the order specified. Once
definition updates have
been successfully
downloaded from one
specified source, the
remaining sources in the list
will not be contacted.)

Windows Error Automatically send memory Disabled


Repor ting dumps for operating
system-generated error
reports

Windows Error Disable Windows Error Enabled


Repor ting Reporting

Windows Game Enables or disables Disabled


Recording and Windows Game Recording
Broadcasting and Broadcasting

Windows Installer Control maximum size of 5 Enabled


baseline file cache

Windows Installer Turn off creation of System Enabled


Restore checkpoints

Windows Mail Turn off the communities Enabled


feature

Windows Media Player Do Not Show First Use Enabled


Dialog Boxes

Windows Media Player Prevent Media Sharing Enabled

Windows Mobility Turn off Windows Mobility Enabled


Center Center
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Windows Reliability Configure Reliability WMI Disabled


Analysis Providers

Windows Update Allow Automatic Updates Enabled


immediate installation

Windows Update Do not connect to any Enabled (Enabling this


Windows Update Internet policy will disable that
locations functionality, and might
cause connection to public
services such as the
Windows Store to stop
working. Note: This policy
applies only when this
device is configured to
connect to an intranet
update service using the
"Specify intranet Microsoft
update service location"
policy.

Windows Update Remove access to all Enabled


Windows Update features

*Windows Update \ Manage preview builds Set the behavior for Enabled (Selecting Disable
Windows Update for receiving preview builds: preview builds will
Business prevent preview builds from
installing on the device. This
will prevent users from
opting into the Windows
Insider Program, through
Settings -> Update and
Security.)

Disable preview builds

*Windows Update \ Select when Preview Builds Semi-Annual Channel Enabled (Enable this policy
Windows Update for and Feature Updates are to specify the level of
Business received Preview Build or feature
updates to receive, and
when.)

Deferment: 365 days,

Pause start: yyyy-mm-dd

Windows Update \ Select when Quality 1. 30 days 2. Pause quality Enabled


Windows Update for Updates are received updates starting yyyy-mm-
Business dd
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Windows Restricted Prevent OneDrive from Enabled (Enable this


Traffic Custom Policy generating network traffic setting if you would like to
Settings until the user signs in to prevent the OneDrive sync
OneDrive client (OneDrive.exe) from
generating network traffic
(checking for updates, etc.)
until the user signs in to
OneDrive or starts syncing
files to the local computer.)

Windows Restricted Turn off Windows Defender Enabled (If you enable this
Traffic Custom Policy Notifications policy setting, Windows
Settings Defender will not send
notifications with critical
information about the
health and security of your
device.)

Local Computer Policy \


User Configuration \
Administrative
Templates

Control Panel\ Regional Turn off offer text Enabled


and Language Options predictions as I type

Desktop Do not add shares of Enabled


recently opened documents
to Network Locations

Desktop Turn off Aero Shake window Enabled


minimizing mouse gesture

Desktop / Active Directory Maximum size of Active 2500 Enabled


Directory searches

Star t Menu and Taskbar Do not allow pinning Store Enabled


app to the Taskbar

Star t Menu and Taskbar Do not display or track Enabled


items in Jump Lists from
remote locations

Star t Menu and Taskbar Do not use the search- Enabled (The system does
based method when not conduct the final drive
resolving shell shortcuts search. It just displays a
message explaining that the
file is not found.)
P O SSIB L E SET T IN G A N D
P O L IC Y SET T IN G IT EM SUB - IT EM C O M M EN T S

Star t Menu and Taskbar Remove the People Bar Enabled (The people icon
from the taskbar will be removed from the
taskbar, the corresponding
settings toggle is removed
from the taskbar settings
page, and users will not be
able to pin people to the
taskbar.)

Star t Menu and Taskbar Turn off feature Enabled (Users cannot pin
advertisement balloon the Store app to the
notifications Taskbar. If the Store app is
already pinned to the
Taskbar, it will be removed
from the Taskbar on next
sign in.)

Star t Menu and Taskbar Turn off user tracking Enabled

Star t Menu and Taskbar Turn off toast notifications Enabled


/ Notifications

Windows Components / Turn off all Windows Enabled


Cloud Content spotlight features

Edge UI Turn off tracking of app Enabled


usage

File Explorer Turn off caching of Enabled


thumbnail pictures

File Explorer Turn off display of recent Enabled


search entries in the File
Explorer search box

File Explorer Turn off the caching of Enabled


thumbnails in hidden
thumbs.db file

Notes about Network Connectivity Status indicator


The group policy settings above include settings to turn off checking to see if the system is connected to the
Internet. If your environment does not connect to the Internet at all, or connects indirectly, you can set a group
policy setting to remove the Network icon from the Taskbar. The reason you might want to remove the Network
icon from the Taskbar is if you turn off Internet connectivity checks, there will be a yellow flag on the Network
icon, even though the network might be functioning normally. If you would like to remove the network icon as a
group policy setting, you can find that in this location:
W IN DO W S UP DAT E O R 1. 30 DAY S 2. PA USE
W IN DO W S UP DAT E F O R SEL EC T W H EN Q UA L IT Y Q UA L IT Y UP DAT ES
B USIN ESS UP DAT ES A RE REC EIVED STA RT IN G Y Y Y Y - M M - DD EN A B L ED

Local Computer Policy \


User Configuration \
Administrative
Templates

Star t Menu and Taskbar Remove the networking Enabled (the networking
icon icon is not displayed in the
system notification area.)

For more about the Network Connection Status Indicator (NCSI), see: The Network Connection Status icon
System services
If you are considering disabling system services to conserve resources, take great care that the service being
considered is not in some way a component of some other service.
Also, most of these recommendations mirror recommendations for Windows Server 2016 with Desktop
Experience; for more information, see Guidance on disabling system services in Windows Server 2016 with
Desktop Experience.
Note that a lot of services that might seem to be good candidates to disable are set to manual service start type.
This means that the service will not automatically start and is not started unless a specific application or service
triggers a request to the service being consider for disabling. Services that are already set to start type manual
are usually not listed here.

W IN DO W S SERVIC E IT EM C O M M EN T

CDPUserService This user service is used for Connected NOTE: This is a per-user service, and as
Devices Platform scenarios such, the template service must be
disabled.

Connected User Experiences and Enables features that support in- Consider disabling if on disconnected
Telemetry application and connected user network
experiences. Additionally, this service
manages the event-driven collection
and transmission of diagnostic and
usage information (used to improve
the experience and quality of the
Windows Platform) when the
diagnostics and usage privacy option
settings are enabled under Feedback
and Diagnostics.

Contact Data Indexes contact data for fast contact (PimIndexMaintenanceSvc) NOTE: This
searching. If you stop or disable this is a per-user service, and as such, the
service, contacts might be missing template service must be disabled.
from your search results.

Diagnostic Policy Service Enables problem detection,


troubleshooting and resolution for
Windows components. If this service is
stopped, diagnostics will no longer
function.
W IN DO W S SERVIC E IT EM C O M M EN T

Downloaded Maps Manager Windows service for application access


to downloaded maps. This service is
started on-demand by application
accessing downloaded maps. Disabling
this service will prevent apps from
accessing maps.

Geolocation Service Monitors the current location of the


system and manages geofences

GameDVR and Broadcast user service This user service is used for Game NOTE: This is a per-user service, and as
Recordings and Live Broadcasts such, the template service must be
disabled.

MessagingService Service supporting text messaging and NOTE: This is a per-user service, and as
related functionality. such, the template service must be
disabled.

Optimize drives Helps the computer run more VDI solutions do not normally benefit
efficiently by optimizing files on from disk optimization. These “drives”
storage drives. are not traditional drives and often just
a temporary storage allocation.

Superfetch Maintains and improves system Generally doesn't improve


performance over time. performance on VDI, especially non-
persistent, given that the operating
system state is discarded each reboot.

Touch Keyboard and Handwriting Enables Touch Keyboard and


Panel Service Handwriting Panel pen and ink
functionality

Windows Error Reporting Allows errors to be reported when With VDI, diagnostics are often
programs stop working or responding performed in an offline scenario, and
and allows existing solutions to be not in mainstream production. And in
delivered. Also allows logs to be addition, some customers disable WER
generated for diagnostic and repair anyway. WER incurs a tiny amount of
services. If this service is stopped, error resources for many different things,
reporting might not work correctly, including failure to install a device, or
and results of diagnostic services and failure to install an update.
repairs might not be displayed.

Windows Media Player Network Shares Windows Media Player libraries Not needed unless customers are
Sharing Service to other networked players and media sharing WMP libraries on the network.
devices using Universal Plug and Play

Windows Mobile Hotspot Service Provides the ability to share a cellular


data connection with another device.

Windows Search Provides content indexing, property Probably not needed especially with
caching, and search results for files, e- non-persistent VDI
mail, and other content.

Per-user services in Windows


Per-user services are services that are created when a user signs into Windows or Windows Server and are
stopped and deleted when that user signs out. These services run in the security context of the user account -
this provides better resource management than the previous approach of running these kinds of services in
Explorer, associated with a preconfigured account, or as tasks.
Scheduled tasks
Like other items in Windows, ensure that an item is not needed before you consider disabling it.
The following list of tasks are those that perform optimizations or data collections on computers that maintain
their state across reboots. When a VDI VM task reboots and discards all changes since last boot, optimizations
intended for physical computers are not helpful.
You can get all of the current scheduled tasks, including descriptions, with the following PowerShell code:
Get-ScheduledTask | Select-Object -Property TaskPath,TaskName,State,Description |Export-CSV -Path
C:\Temp\W10_1803_SchTasks.csv -NoTypeInformation

Valid Scheduled Task Name values include:


OneDrive Standalone Update Task v2
Microsoft Compatibility Appraiser
ProgramDataUpdater
StartupAppTask
CleanupTemporaryState
Proxy
UninstallDeviceTask
ProactiveScan
Consolidator
UsbCeip
Data Integrity Scan
Data Integrity Scan for Crash Recovery
ScheduledDefrag
SilentCleanup
Microsoft-Windows-DiskDiagnosticDataCollector
Diagnostics
StorageSense
DmClient
DmClientOnScenarioDownload
File History (maintenance mode)
ScanForUpdates
ScanForUpdatesAsUser
SmartRetry
Notifications
WindowsActionDialog
WinSAT Cellular
MapsToastTask
ProcessMemoryDiagnosticEvents
RunFullMemoryDiagnostic
MNO Metadata Parser
LPRemove
GatherNetworkInfo
WiFiTask
Sqm-Tasks
AnalyzeSystem
MobilityManager
VerifyWinRE
RegIdleBackup
FamilySafetyMonitor
FamilySafetyRefreshTask
IndexerAutomaticMaintenance
SpaceAgentTask
SpaceManagerTask
HeadsetButtonPress
SpeechModelDownloadTask
ResPriStaticDbSync
WsSwapAssessmentTask
SR
SynchronizeTimeZone
Usb-Notifications
QueueReporting
UpdateLibrary
Scheduled Start
sih
XblGameSaveTask
Apply Windows and other updates
Whether from Microsoft Update, or from your internal resources, apply available updates including Windows
Defender signatures. This is a good time to apply other available updates including those for Microsoft Office if
installed.
Automatic Windows traces
Windows is configured, by default, to collect and save limited diagnostic data. The purpose is to enable
diagnostics, or to record data in the event that further troubleshooting is necessary. You can find automatic
system traces by starting the Computer Management app, and then expanding System Tools , Performance ,
Data Collector Sets , and then selecting Event Trace Sessions .
Some of the traces displayed under Event Trace Sessions and Star tup Event Trace Sessions cannot and
should not be stopped. Others, such as the WiFiSession trace can be stopped. To stop a running trace under
Event Trace Sessions right-click the trace and then select Stop . To prevent the traces from starting
automatically on startup, follow these steps:
1. Select the Star tup Event Trace Sessions folder
2. Locate the trace of interest, and then double-click that trace.
3. Select the Trace Session tab.
4. Clear the box labeled Enabled .
5. Select OK .
Here are some system traces to consider disabling for VDI use:

NAME C O M M EN T

AppModel A collection of traces, one of which is phone


NAME C O M M EN T

CloudExperienceHostOOBE

DiagLog

NtfsLog

TileStore

UBPM

WiFiDriverIHVSession If not using a WiFi device

WiFiSession

Servicing the operating system and apps


At some point during the image optimization process available Windows updates should be applied. You can set
Windows Update to install updates for other Microsoft products as well as Windows. To set this, open Windows
Settings , then select Update & Security , and then select Advanced options . Select Give me updates for
other Microsoft products when I update Windows to set it to On .
This would be a good setting in case you are going to install Microsoft applications such as Microsoft Office to
the base image. That way Office is up to date when the image is put in service. There are also .NET updates and
certain non-Microsoft components such as Adobe that have updates available through Windows Update.
One very important consideration for non-persistent VDI VMs are security updates, including security software
definition files. These updates might be released once or even more than once per day. There might be a way to
retain these updates, including Windows Defender and non-Microsoft components.
For Windows Defender it might be best to allow the updates to occur, even on non-persistent VDI. The updates
are going to apply nearly every logon session, but the updates are small and should not be a problem. Plus, the
VM won't be behind on updates because only the latest available will apply. The same might be true for non-
Microsoft definition files.

NOTE
Store apps (UWP apps) update through the Windows Store. Modern versions of Office such as Microsoft 365 update
through their own mechanisms when directly connected to the Internet, or via management technologies when not.

Windows Defender optimization with VDI


Microsoft has recently published documentation regarding Windows Defender in a VDI environment. See
Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment for
details.
The above article contains procedures to service the gold VDI image, and how to maintain the VDI clients as
they are running. To reduce network bandwidth when VDI computers need to update their Windows Defender
signatures, stagger reboots, and schedule reboots during off hours where possible. The Windows Defender
signature updates can be contained internally on file shares, and where practical, have those files shares on the
same or close networking segments as the VDI virtual machines.
See the paper listed at the beginning of this section for much more information about optimizing Windows
Defender with VDI.
Tuning Windows 10 network performance by using registry settings
This is especially important in environments where the VDI or physical computer has a workload that is
primarily network based. The settings in this section bias performance to favor networking, by setting up
additional buffering and caching of things like directory entries and so on.
Note that some settings in this section are registry-based only and should be incorporated in the base image
before the image is deployed for production use.
The following settings are documented in the Windows Server 2016 Performance Tuning Guideline information,
published on Microsoft.com by the Windows Product Group.
DisableBandwidthThrottling
HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\DisableBandwidthThrottling
Applies to Windows 10. The default is 0 . By default, the SMB redirector throttles throughput across high-latency
network connections, in some cases to avoid network-related timeouts. Setting this registry value to 1 disables
this throttling, enabling higher file transfer throughput over high-latency network connections, so you should
consider this setting.
FileInfoCacheEntriesMax
HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\FileInfoCacheEntriesMax
Applies to Windows 10. The default is 64 , with a valid range of 1 to 65536. This value is used to determine the
amount of file metadata that can be cached by the client. Increasing the value can reduce network traffic and
increase performance when many files are accessed. Try increasing this value to 1024 .
DirectoryCacheEntriesMax
HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\DirectoryCacheEntriesMax
Applies to Windows 10. The default is 16 , with a valid range of 1 to 4096. This value is used to determine the
amount of directory information that can be cached by the client. Increasing the value can reduce network traffic
and increase performance when large directories are accessed. Consider increasing this value to 1024 .
FileNotFoundCacheEntriesMax
HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\FileNotFoundCacheEntriesMax
Applies to Windows 10. The default is 128 , with a valid range of 1 to 65536. This value is used to determine the
amount of file name information that can be cached by the client. Increasing the value can reduce network traffic
and increase performance when many file names are accessed. Consider increasing this value to 2048 .
DormantFileLimit
HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\DormantFileLimit
Applies to Windows 10. The default is 1023 . This parameter specifies the maximum number of files that should
be left open on a shared resource after the application has closed the file. Where many thousands of clients are
connecting to SMB servers, consider reducing this value to 256 .: Windows Server 2022, Windows Server 2019,
You can configure many of these SMB settings by using the Set-SmbClientConfiguration and Set-
SmbServerConfiguration Windows PowerShell cmdlets. You can configure registry-only settings by using
Windows PowerShell as well, as in the following example:
Set-ItemProperty -Path "HKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters"
RequireSecuritySignature -Value 0 -Force

Additional settings from the Windows Restricted Traffic Limited Functionality Baseline guidance
Microsoft has released a baseline created using the same procedures as the Windows Security Baselines, for
environments that are either not connected directly to the Internet, or want to reduce data sent to Microsoft and
other services.
The Windows Restricted Traffic Limited Functionality Baseline settings are marked in the Group Policy table with
an asterisk.
Disk cleanup (including using the Disk Cleanup wizard)
Disk cleanup can be especially helpful with master image VDI implementations. After the master image is
prepared, updated, and configured, one of the last tasks to perform is disk cleanup. The Disk Cleanup wizard
built into Windows can help clean up most potential areas of disk space savings.

NOTE
The Disk Cleanup wizard is no longer being developed. Windows will use other methods to provide disk cleanup functions.

Here are suggestions for various disk cleanup tasks. You should test these before implementing any of them:
1. Run the Disk Cleanup wizard (elevated) after applying all updates. Include the categories Deliver y
Optimization and Windows Update Cleanup . You can automate this process with Cleanmgr.exe
with the /SAGESET:11 option. This option sets registry values that can be used later to automate disk
cleanup, using every available option in the Disk Cleanup wizard.
a. On a test VM, from a clean installation, running Cleanmgr.exe /SAGESET:11 reveals that there are
only two automatic disk cleanup options enabled by default:
Downloaded Program Files
Temporary Internet Files
b. If you set more options, or all options, those options are recorded in the registry, according to the
index value provided in the previous command (Cleanmgr.exe /SAGESET:11 ). In this example,
we use the value 11 as our index, for a subsequent automated disk cleanup procedure.
c. After running Cleanmgr.exe /SAGESET:11 you will see a number of categories of disk cleanup
options. You can select every option, and then select OK . You will notice that the Disk Cleanup
wizard just disappears. However, the settings you selected are saved in the registry, and can be
invoked by running Cleanmgr.exe /SAGERUN:11 .
2. Clean up Volume Shadow Copy storage, if any is in use. To do this, run the following commands in an
elevated prompt:
vssadmin list shadows
vssadmin list shadowstorage
If the output from these commands is No items found that satisfy the query., then there is no VSS
storage in use.
3. Cleanup temporary files and logs. From an elevated command prompt, run these commands:
Del C:\*.tmp /s
Del C:\Windows\Temp\.
Del %temp%\.
4. Delete any unused profiles on the system with this command:
wmic path win32_UserProfile where LocalPath="c:\\users\\<user>" Delete
Remove OneDrive
Removing OneDrive involves removing the package, uninstalling, and removing *.lnk files. You can use following
sample PowerShell code to assist in removing OneDrive from the image:
Taskkill.exe /F /IM "OneDrive.exe"
Taskkill.exe /F /IM "Explorer.exe"`
if (Test-Path "C:\\Windows\\System32\\OneDriveSetup.exe")`
{ Start-Process "C:\\Windows\\System32\\OneDriveSetup.exe"`
-ArgumentList "/uninstall"`
-Wait }
if (Test-Path "C:\\Windows\\SysWOW64\\OneDriveSetup.exe")`
{ Start-Process "C:\\Windows\\SysWOW64\\OneDriveSetup.exe"`
-ArgumentList "/uninstall"`
-Wait }
Remove-Item -Path
"C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Roaming\\Microsoft\\Windows\\Start
Menu\\Programs\\OneDrive.lnk" -Force
Remove-Item -Path "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Roaming\\Microsoft\\Windows\\Start
Menu\\Programs\\OneDrive.lnk" -Force \# Remove the automatic start item for OneDrive from the default user
profile registry hive
Start-Process C:\\Windows\\System32\\Reg.exe -ArgumentList "Load HKLM\\Temp C:\\Users\\Default\\NTUSER.DAT"
-Wait
Start-Process C:\\Windows\\System32\\Reg.exe -ArgumentList "Delete
HKLM\\Temp\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v OneDriveSetup /f" -Wait
Start-Process C:\\Windows\\System32\\Reg.exe -ArgumentList "Unload HKLM\\Temp" -Wait Start-Process -FilePath
C:\\Windows\\Explorer.exe -Wait

For any questions or concerns about the information in this paper, contact your Microsoft account team,
research the Microsoft VDI blog, post a message to Microsoft forums, or contact Microsoft for questions or
concerns.
Manage users in your RDS collection
7/29/2021 • 4 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

As an admin, you can directly manage which users have access to specific collections. This way, you can create
one collection with standard applications for information workers, but then create a separate collection with
graphics-intensive modeling applications for engineers. There are two primary steps to managing user access in
a Remote Desktop Services (RDS) deployment:
1. Create users and groups in Active Directory
2. Assign users and groups to collections

Create your users and groups in Active Directory


In an RDS deployment, Active Directory Domain Services (AD DS) is the source of all users, groups, and other
objects in the domain. You can manage Active Directory directly with PowerShell, or you can use built in UI tools
that add ease and flexibility. The following steps will guide you to install those tools — if you do not have them
already installed — and then use those tools to manage users and groups.
Install AD DS tools
The following steps detail how to install the AD DS tools on a server already running AD DS. Once installed, you
can then create users or create groups.
1. Connect to the server running Active Directory Domain Services. For Azure deployments:
a. In the Azure portal, click Browse > Resource groups , and then click the resource group for the
deployment
b. Select the AD virtual machine.
c. Click Connect > Open to open the Remote Desktop client. If Connect is grayed out, the virtual
machine might not have a public IP address. To give it one perform the following steps, then try this
step again.
a. Click Settings > Network interfaces , and then click the corresponding network interface.
b. Click Settings > IP address .
c. For Public IP address , select Enabled , and then click IP address .
d. If you have an existing public IP address you want to use, select it from the list. Otherwise, click
Create new , enter a name, and then click OK and Save .
d. In the client, click Connect , and then click Use another account . Enter the user name and password
for a domain administrator account.
e. Click Yes when asked about the certificate.
2. Install the AD DS tools:
a. In Server Manager click Manage > Add Roles and Features .
b. Click Role-based or feature-based installation , and then click the current AD server. Follow the
steps until you get to the Features tab.
c. Expand Remote Ser ver Administration Tools > Role Administration Tools > AD DS and AD
LDS Tools , and then select AD DS Tools .
d. Select Restar t the destination ser ver automatically if required , and then click Install .
Create a group
You can use AD DS groups to grant access to a set of users that need to use the same remote resources.
1. In Server Manager on the server running AD DS, click Tools > Active Director y Users and Computers .
2. Expand the domain in the left-hand pane to view its subfolders.
3. Right-click the folder where you want to create the group, and then click New > Group .
4. Enter an appropriate group name, then select Global and Security .
Create a user and add to a group
1. In Server Manager on the server running AD DS, click Tools > Active Director y Users and Computers .
2. Expand the domain in the left-hand pane to view its subfolders.
3. Right-click Users , and then click New > User .
4. Enter, at minimum, a first name and a user logon name.
5. Enter and confirm a password for the user. Set appropriate user options, like User must change password
at next logon .
6. Add the new user to a group:
a. In the Users folder right-click the new user.
b. Click Add to a group .
c. Enter the name of the group to which you want to add the user.

Assign users and groups to collections


Now that you've created the users and groups in Active Directory, you can add some granularity regarding who
has access to the Remote Desktop collections in your deployment.
1. Connect to the server running the Remote Desktop Connection Broker (RD Connection Broker) role,
following the steps described earlier.
2. Add the other Remote Desktop servers to the RD Connection Broker's pool of managed servers:
a. In Server Manager click Manage > Add Ser vers .
b. Click Find Now .
c. Click each server in your deployment that is running a Remote Desktop Services role, and then click
OK .
3. Edit a collection to assign access to specific users or groups:
a. In Server Manager click Remote Desktop Ser vices > Over view , and then click a specific collection.
b. Under Proper ties , click Tasks > Edit proper ties .
c. Click User groups .
d. Click Add and enter the user or group that you want to have access to the collection. You can also
remove users and groups from this window by selecting the user or group you want to remove, and
then clicking Remove .

NOTE
The User groups window can never be empty. To narrow the scope of users who have access to the collection, you
must first add specific users or groups before removing broader groups.
Customize the RDS title “Work Resources” using
PowerShell on Windows Server
3/5/2021 • 2 minutes to read • Edit Online

When using Windows Server to access RemoteApps or desktops through RD WebAccess or the new Remote
Desktop app, you may have noticed that the workspace is titled “Work Resources" by default. You can easily
change the title by using PowerShell cmdlets.
To change the title, open up a new PowerShell window on the connection broker server and import the
RemoteDesktop module with the following command.

Import-Module RemoteDesktop

Next, use the Set-RDWorkspace command to change the workspace name.

Set-RDWorkspace [-Name] <string> [-ConnectionBroker <string>] [<CommonParameters>]

For example, you can use the following command to change the workpsace name to "Contoso RemoteApps":

Set-RDWorkspace -Name "Contoso RemoteApps" -ConnectionBroker broker01.contoso.com

If you are running multiple Connection Brokers in High Availability mode, you must run this against the active
broker. You can use this command:

Set-RDWorkspace -Name "Contoso RemoteApps" -ConnectionBroker (Get-


RDConnectionBrokerHighAvailability).ActiveManagementServer

For more information about the Set-RDWorkspace cmdlet, see the Set-RDSWorkspace reference.
Use performance counters to diagnose app
performance problems on Remote Desktop Session
Hosts
7/29/2021 • 5 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows 10

One of the most difficult problems to diagnose is poor application performance—the applications are running
slow or don't respond. Traditionally, you start your diagnosis by collecting CPU, memory, disk input/output, and
other metrics and then use tools like Windows Performance Analyzer to try to figure out what's causing the
problem. Unfortunately, in most situations this data doesn't help you identify the root cause because resource
consumption counters have frequent and large variations. This makes it hard to read the data and correlate it
with the reported issue.

NOTE
The User Input Delay counter is only compatible with:
Windows Server 2019 or later
Windows 10, version 1809 or later

The User Input Delay counter can help you quickly identify the root cause for bad end user RDP experiences.
This counter measures how long any user input (such as mouse or keyboard usage) stays in the queue before it
is picked up by a process, and the counter works in both local and remote sessions.
The following image shows a rough representation of user input flow from client to application.

The User Input Delay counter measures the max delta (within an interval of time) between the input being
queued and when it's picked up by the app in a traditional message loop, as shown in the following flow chart:
One important detail of this counter is that it reports the maximum user input delay within a configurable
interval. This is the longest time it takes for an input to reach the application, which can impact the speed of
important and visible actions like typing.
For example, in the following table, the user input delay would be reported as 1,000 ms within this interval. The
counter reports the slowest user input delay in the interval because the user's perception of "slow" is
determined by the slowest input time (the maximum) they experience, not the average speed of all total inputs.

N UM B ER 0 1 2

Delay 16 ms 20 ms 1,000 ms

Enable and use the new performance counters


To use these new performance counters, you must first enable a registry key by running this command:

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "EnableLagCounter" /t REG_DWORD /d 0x1 /f

NOTE
If you're using Windows 10, version 1809 or later or Windows Server 2019 or later, you won't need to enable the registry
key.

Next, restart the server. Then, open the Performance Monitor, and select the plus sign (+), as shown in the
following screen shot.
After doing that, you should see the Add Counters dialog, where you can select User Input Delay per Process
or User Input Delay per Session .
If you select User Input Delay per Process , you'll see the Instances of the selected object (in other words,
the processes) in SessionID:ProcessID <Process Image> format.
For example, if the Calculator app is running in a Session ID 1, you'll see 1:4232 <Calculator.exe> .

NOTE
Not all processes are included. You won't see any processes that are running as SYSTEM.

The counter starts reporting user input delay as soon as you add it. Note that the maximum scale is set to 100
(ms) by default.
Next, let's look at the User Input Delay per Session . There are instances for each session ID, and their
counters show the user input delay of any process within the specified session. In addition, there are two
instances called "Max" (the maximum user input delay across all sessions) and "Average" (the average acorss all
sessions).
This table shows a visual example of these instances. (You can get the same information in Perfmon by switching
to the Report graph type.)

T Y P E O F C O UN T ER IN STA N C E N A M E REP O RT ED DEL AY ( M S)

User Input Delay per process 1:4232 <Calculator.exe> 200

User Input Delay per process 2:1000 <Calculator.exe> 16

User Input Delay per process 1:2000 <Calculator.exe> 32

User Input Delay per session 1 200

User Input Delay per session 2 16

User Input Delay per session Average 108

User Input Delay per session Max 200

Counters used in an overloaded system


Now let's look at what you'll see in the report if performance for an app is degraded. The following graph shows
readings for users working remotely in Microsoft Word. In this case, the RDSH server performance degrades
over time as more users log in.
Here's how to read the graph's lines:
The pink line shows the number of sessions signed in on the server.
The red line is the CPU usage.
The green line is the maximum user input delay across all sessions.
The blue line (displayed as black in this graph) represents average user input delay across all sessions.
You'll notice that there's a correlation between CPU spikes and user input delay—as the CPU gets more usage,
the user input delay increases. Also, as more users get added to the system, CPU usage gets closer to 100%,
leading to more frequent user input delay spikes. While this counter is very useful in cases where the server
runs out of resources, you can also use it to track user input delay related to a specific application.

Configuration Options
An important thing to remember when using this performance counter is that it reports user input delay on an
interval of 1,000 ms by default. If you set the performance counter sample interval property (as shown in the
following screenshot) to anything different, the reported value will be incorrect.
To fix this, you can set the following registry key to match the interval (in milliseconds) that you want to use. For
example, if we change Sample every x seconds to 5 seconds, we need to set this key to 5000 ms.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]

"LagCounterInterval"=dword:00005000

NOTE
If you're using Windows 10, version 1809 or later or Windows Server 2019 or later, you don't need to set
LagCounterInterval to fix the performance counter.

We've also added a couple of keys you might find helpful under the same registry key:
LagCounterImageNameFirst — set this key to DWORD 1 (default value 0 or key does not exist). This changes
the counter names to "Image Name SessionID:ProcessId." For example, "explorer <1:7964>." This is useful if you
want to sort by image name.
LagCounterShowUnknown — set this key to DWORD 1 (default value 0 or key does not exist). This shows any
processes that are running as services or SYSTEM. Some processes will show up with their session set as "?."
This is what it looks like if you turn both keys on:
Using the new counters with non-Microsoft tools
Monitoring tools can consume this counter by Using Performance Counters.

Share your feedback


You can submit feedback for this feature through the Feedback Hub. Select Apps > All other apps and include
"RDS performance counters—performance monitor" in your post's title.
Remote Desktop clients
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows 10, Windows 8.1, Windows Server 2019, Windows Server
2016, Windows Server 2012 R2

Microsoft Remote Desktop clients let you use and control a remote PC. With a Remote Desktop client, you can
do all the things with a remote PC that you can do with a physical PC, such as:
Use apps installed on the remote PC.
Access files and network resources on the remote PC.
Leave the apps open when you turn off the client.
You can also use a Remote Desktop client to access your remote PC from almost any device. There are even
clients for mobile smartphones! Here's a list of the latest versions of the client apps and where you can
download them:

C L IEN T GET T H E A P P DO C UM EN TAT IO N L AT EST VERSIO N

Windows Desktop Windows Desktop client Get started, What's new 1.2.2222

Microsoft Store Windows 10 client in the Get started, What's new 1.2.1810
Microsoft Store

Android Android client in Google Get started, What's new 10.0.11


Play

iOS iOS client in the App Store Get started, What's new 10.3.1

macOS macOS client in the App Get started, What's new 10.6.7
Store

Before you start using the client of your choice, there are a few things you'll need to do first.

Configure your remote PC


Just as you would with a local computer, you'll need to configure your remote computer before you start
accessing it with the client.
To configure your remote PC:
1. Check the supported configuration article to make sure your local PC is compatible with the Remote Desktop
client.
2. Follow the instructions in Allow access to your PC to set up your remote PC and give you the necessary
permissions to access the remote PC with the client.

Remote Desktop client Uniform Resource Identifier (URI) scheme


You can also use features of Remote Desktop clients across platforms by enabling a Uniform Resource Identifier
(URI) scheme. The Supported URI attributes article will tell you about URIs you can use with the iOS, Mac, and
Android clients.
Other resources
If you have any other questions that this article didn't answer, check out the Remote Desktop client FAQ.
Get started with the Windows Desktop client
7/29/2021 • 7 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows 10, Windows 10 IoT Enterprise, and
Windows 7

You can use the Remote Desktop client for Windows Desktop to access Windows apps and desktops remotely
from a different Windows device.

NOTE
This documentation is not for the Remote Desktop Connection (MSTSC) client that ships with Windows. It's for the
new Remote Desktop (MSRDC) client.
This client currently only supports accessing remote apps and desktops from Azure Virtual Desktop and Windows 365.
Curious about the new releases for the Windows Desktop client? Check out What's new in the Windows Desktop client

Install the client


Choose the client that matches the version of Windows. The new Remote Desktop client (MSRDC) supports
Windows 10, Windows 10 IoT Enterprise, and Windows 7 client devices.
Windows 64-bit
Windows 32-bit
Windows ARM64
You can install the client for the current user, which doesn't require admin rights, or your admin can install and
configure the client so that all users on the device can access it.
Once you've installed the client, you can launch it from the Start menu by searching for Remote Desktop .

Update the client


You'll be notified whenever a new version of the client is available as long as your admin hasn't disabled
notifications. The notification will appear in either the Connection Center or the Windows Action Center. To
update your client, just select the notification.
You can also manually search for new updates for the client:
1. From the Connection Center, tap the overflow menu (...) on the command bar at the top of the client.
2. Select About from the drop-down menu.
3. The client automatically searches for updates.
4. If there's an update available, tap Install update to update the client.

Workspaces
Get the list of managed resources you can access, such as apps and desktops, by subscribing to the Workspace
your admin provided you. When you subscribe, the resources become available on your local PC. The Windows
Desktop client currently supports resources published from Azure Virtual Desktop and Windows 365.
Subscribe to a Workspace
There are two ways you can subscribe to a Workspace. The client can try to discover the resources available to
you from your work or school account or you can directly specify the URL where your resources are for cases
where the client is unable to find them. Once you've subscribed to a Workspace, you can launch resources with
one of the following methods:
Go to the Connection Center and double-click a resource to launch it.
You can also go to the Start menu and look for a folder with the Workspace name or enter the resource name
in the search bar.
Subscribe with a user account
1. From the main page of the client, tap Subscribe .
2. Sign in with your user account when prompted.
3. The resources will appear in the Connection Center grouped by Workspace.
Subscribe with URL
1. From the main page of the client, tap Subscribe with URL .
2. Enter the Workspace URL or your email address:
If you use the Workspace URL , use the one your admin gave you. If you're accessing resources from
Azure Virtual Desktop or Windows 365, you can use one of the following URLs:
Azure Virtual Desktop (classic):
https://rdweb.wvd.microsoft.com/api/feeddiscovery/webfeeddiscovery.aspx
Azure Virtual Desktop: https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery
If you're using Windows 365, use: https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery .
To use email , enter your email address. This tells the client to search for a URL associated with your
email address if your admin has setup email discovery.
3. Tap Next .
4. Sign in with your user account when prompted.
5. The resources will appear in the Connection Center grouped by Workspace.
Workspace details
After subscribing, you can view additional information about a Workspace on the Details panel:
The name of the Workspace
The URL and username used to subscribe
The number of apps and desktops
The date/time of the last refresh
The status of the last refresh
Accessing the Details panel:
1. From the Connection Center, tap the overflow menu (...) next to the Workspace.
2. Select Details from the drop-down menu.
3. The Details panel appears on the right side of the client.
After you've subscribed, the Workspace will refresh automatically on a regular basis. Resources may be added,
changed, or removed based on changes made by your admin.
You can also manually look for updates to the resources when needed by selecting Refresh from the Details
panel.
Refreshing a Workspace
You can manually refresh a Workspace by selecting Refresh from the overflow menu (...) next to the
Workspace.
Unsubscribe from a Workspace
This section will teach you how to unsubscribe from a Workspace. You can unsubscribe to either subscribe again
with a different account or remove your resources from the system.
1. From the Connection Center, tap the overflow menu (...) next to the Workspace.
2. Select Unsubscribe from the drop-down menu.
3. Review the dialog box and select Continue .

Managed desktops
Workspaces can contain multiple managed resources, including desktops. When accessing a managed desktop,
you have access to all the apps installed by your admin.
Desktop settings
You can configure some of the settings for desktop resources to ensure the experience meets your needs. To
access the list of available settings right-click on the desktop resource and select Settings .
The client will use the settings configured by your admin unless you turn off the Use default settings option.
Doing so allows you to configure the following options:
Display configuration selects which displays to use for the desktop session and impacts which additional
settings are available.
All displays ensures the session always uses all your local displays even when some of them are
added or removed later.
Single display ensures the session always uses a single display and allows you to configure its
properties.
Select displays allows you to choose which displays to use for the session and provides an option to
dynamically change the list of displays during the session.
Select the displays to use for the session specifies which local displays to use for the session. All
selected displays must be adjacent to each other. This setting is only available in Select display mode.
Maximize to current displays determines which displays the sessions will use when going full screen.
When enabled, the session goes full screen on the displays touched by the session window. This allows you
to change displays during the session. When disabled, the session goes full screen on the same displays it
was on the last time it was full screen. This setting is only available in Select display mode and is disabled
otherwise.
Single display when windowed determines which displays are available in the session when exiting full
screen. When enabled, the session switches to a single display in windowed mode. When disabled, the
session retains the same displays in windowed mode as in full screen. This setting is only available in All
displays and Select display modes and is disabled otherwise.
Star t in full screen determines whether the session will launch in full-screen or windowed mode. This
setting is only available in Single display mode and is enabled otherwise.
Fit session to window determines how the session is displayed when the resolution of the remote desktop
differs from the size of the local window. When enabled, the session content will be resized to fit inside the
window while preserving the aspect ratio of the session. When disabled, scrollbars or black areas will be
shown when the resolution and window size don't match. This setting is available in all modes.
Update the resolution on resize makes the remote desktop resolution automatically update when you
resize the session in windowed mode. When disabled, the session always remains at whichever resolution
you specify in Resolution . This setting is only available in Single display mode and is enabled otherwise.
Resolution lets you specify the resolution of the remote desktop. The session will retain this resolution for
its entire duration. This setting is only available in Single display mode and when Update the resolution
on resize is disabled.
Change the size of the text and apps specifies the size of the content of the session. This setting only
applies when connecting to Windows 8.1 and later or Windows Server 2012 R2 and later. This setting is only
available in Single display mode and when Update the resolution on resize is disabled.

Give us feedback
Have a feature suggestion or want to report a problem? Tell us with the Feedback Hub.
You can also give us feedback by selecting the button that looks like a smiley face emoticon in the client app, as
shown in the following image:

NOTE
To best help you, we need you to give us as detailed information about the issue as possible. For example, you can include
screenshots or a recording of the actions you took leading up to the issue. For more tips about how to provide helpful
feedback, see Feedback.

Access client logs


You might need the client logs when investigating a problem.
To retrieve the client logs:
1. Ensure no sessions are active and the client process isn't running in the background by right-clicking on the
Remote Desktop icon in the system tray and selecting Disconnect all sessions .
2. Open File Explorer .
3. Navigate to the %temp%\DiagOutputDir\RdClientAutoTrace folder.
Windows Desktop client for admins
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows 10 and Windows 7

This topic has additional information about the Windows Desktop client that admins will find useful. For basic
usage information, see Get started with the Windows Desktop client.

Installation options
Although your users can install the client directly after downloading it, if you're deploying to multiple devices,
you may want to also deploy the client to them through other means. Deploying using group policies or the
Microsoft Endpoint Configuration Manager lets you run the installer silently using a command line. Run the
following commands to deploy the client per-device or per-user.
Per-device installation

msiexec.exe /I <path to the MSI> /qn ALLUSERS=1

Per-user installation

msiexec.exe /i `<path to the MSI>` /qn ALLUSERS=2 MSIINSTALLPERUSER=1

Configuration options
This section describes the new configuration options for this client.
Configure update notifications
By default, the client notifies you whenever there's an update and automatically updates itself when the client is
closed and has no active connections. Even with no active connections, the msrdc.exe process runs in the
background to allow you to reconnect quickly when you reopen the client. You can stop msrdc.exe by right-
clicking on the Azure Virtual Desktop icon in the system tray area and selecting Disconnect all sessions in the
drop-down menu.
To turn notifications off, set the following registry information:
Key: HKLM\Software\Microsoft\MSRDC\Policies
Type: REG_DWORD
Name: AutomaticUpdates
Data: 0 = Disable notifications and turn off auto-update. 1 = Show notifications and turn off auto-update. 2
= Show notifications and auto-update on close.

NOTE
The client doesn't automatically update for per-machine installations.

Configure user groups


You can configure the client for one of the following types of user groups, which determines when the client
receives updates.
Insider group
The Insider group is for early validation, and consists of admins and their selected users. The Insider group
serves as a test run to detect any issues in the update that can impact performance before it's released to the
Public group.

NOTE
We recommend each organization have some users in the Insider group to test updates and catch issues early.

In the Insider group, a new version of the client is released to the users on the second Tuesday of each month for
early validation. If the update doesn't have issues, it gets released to the Public group two weeks later. Users in
the Insider group will receive update notifications automatically whenever updates are ready. You can find more
detailed information about changes to the client at What's new with the Windows Desktop client.
To configure the client for the Insider group, set the following registry information:
Key: HKLM\Software\Microsoft\MSRDC\Policies
Type: REG_SZ
Name: ReleaseRing
Data: insider
Public group
This group is for all users and is the most stable version. You don't need to do anything to configure this group.
The Public group receives the version of the client that was tested by the Insider group every fourth Tuesday of
each month. All users in the Public group will receive an update notification if that setting is enabled.
What's new in the Windows Desktop client
7/27/2021 • 13 minutes to read • Edit Online

You can find more detailed information about the Windows Desktop client at Get started with the Windows
Desktop client. You'll find the latest updates to client in this article.

Supported client versions


The client can be configured for different user groups. The following table lists the current versions available for
each user group:

USER GRO UP L AT EST VERSIO N M IN IM UM SUP P O RT ED VERSIO N

Public 1.2.2222 1.2.1672

Insider 1.2.2222 1.2.1672

Updates for version 1.2.2222


Date published: 07/27/2021
Download: Windows 64-bit, Windows 32-bit, Windows ARM64
The client also updates in the background when the auto-update feature is enabled, no remote connection is
active, and MSRDCW.exe isn't running.
Improved client logging, diagnostics, and error classification to help admins troubleshoot connection and
feed issues.
Fixed an ICE inversion parameter issue that prevented some Teams calls from connecting.

Updates for version 1.2.2130


Date published: 06/22/2021
Download: Windows 64-bit, Windows 32-bit, Windows ARM64
Azure Virtual Desktop has been renamed to Azure Virtual Desktop. Learn more about the name change at
our announcement on our blog.
Fixed an issue where the client would ask for authentication after the user ended their session and closed the
window.
Improved client logging, diagnostics, and error classification to help admins troubleshoot connection and
feed issues.
Fixed an issue with Logitech C270 cameras where Teams only showed a black screen in the camera settings
and while sharing images during calls.

Updates for version 1.2.2061


Date published: 05/25/2021
Improved client logging, diagnostics, and error classification to help admins troubleshoot connection and
feed issues.
Updates to Teams on Azure Virtual Desktop, including the following:
Resolved a black screen video issue that also fixed a mismatch in video resolutions with Teams Server.
Teams on Azure Virtual Desktop now changes resolution and bitrate in accordance with what Teams
Server expects.

Updates for version 1.2.1954


Date published: 05/13/2021
Fixed the vulnerability known as CVE-2021-31186.

Updates for version 1.2.1953


Date published: 05/06/2021
Fixed an issue that caused the client to crash when users selected "Disconnect all sessions" in the system tray.
Fixed an issue where the client wouldn't switch to full screen on a single monitor with a docking station.
Improved client logging, diagnostics, and error classification to help admins troubleshoot connection and
feed issues.
Updates to Teams on Azure Virtual Desktop, including the following:
Added hardware acceleration for video processing outgoing video streams for Windows 10-based
clients.
When joining a meeting with both a front-facing and rear-facing or external camera, the front-facing
camera will be selected by default.
Fixed an issue that made Teams on Azure Virtual Desktop crash while loading on x86-based machines.
Fixed an issue that caused striations during screen sharing.
Fixed an issue that prevented some people in meetings from seeing incoming video or screen sharing.

Updates for version 1.2.1844


Date published: 03/23/2021
Updated background installation functionality to perform silently for the client auto-update feature.
Fixed an issue where the client forwarded multiple attempts to launch a desktop to the same session.
Depending on your group policy configuration, the session host can now allow the creation of multiple
sessions for the same user on the same session host or disconnect the previous connection by default. This
behavior wasn't consistent before version 1.2.1755.
Improved client logging, diagnostics, and error classification to help admins troubleshoot connection and
feed issues.
Updates for Teams on Azure Virtual Desktop, including the following:
We've offloaded video processing (XVP) to reduce CPU utilization by 5-10% (depending on CPU
generation). Combined with the hardware decode feature from February's update, we've now reduced
the total CPU utilization by 10-20% (depending on CPU generation).
We've added XVP and hardware decode, which allows older machines to display more incoming video
streams smoothly in 2x2 mode.
We've also updated the WebRTC stack from version M74 to M88. M88 has better reliability, AV sync
performance, and fewer transient issues.
We've replaced our software H264 encoder with OpenH264. OpenH264 is an open-source codec that
increases video quality of the outgoing camera stream.
The client now has simultaneous shipping with 2x2 mode. 2x2 mode shows up to four incoming video
streams simultaneously.
Updates for version 1.2.1755
Date published: 02/23/2021
Added the Experience Monitor access point to the system tray icon.
Fixed an issue where entering an email address into the "Subscribe to a Workplace" tab caused the
application to stop responding.
Fixed an issue where the client sometimes didn't send EventHub and Diagnostics events.
Updates to Teams on Azure Virtual Desktop, including:
Improved audio and video sync performance and added hardware accelerated decode that decreases
CPU utilization on the client.
Addressed the most prevalent causes of black screen issues when a user joins a call or meeting with
their video turned on, when a user performs screen sharing, and when a user toggles their camera on
and off.
Improved quality of active speaker switching in single video view by reducing the time it takes for the
video to appear and reducing intermittent black screens when switching video streams to another
user.
Fixed an issue where hardware devices with special characters would sometimes not be available in
Teams.

Updates for version 1.2.1672


Date published: 01/26/2021
Added support for the screen capture protection feature for Windows 10 endpoints. To learn more, see
Session host security best practices.
Added support for proxies that require authentication for feed subscription.
The client now shows a notification with an option to retry if an update didn't successfully download.
Addressed some accessibility issues with keyboard focus and high-contrast mode.

Updates for version 1.2.1525


Date published: 12/01/2020
Added List view for remote resources so that longer app names are readable.
Added a notification icon that appears when an update for the client is available.

Updates for version 1.2.1446


Date published: 10/27/2020
Added the auto-update feature, which allows the client to install the latest updates automatically.
The client now distinguishes between different feeds in the Connection Center.
Fixed an issue where the subscription account doesn't match the account the user signed in with.
Fixed an issue where some users couldn't access remote apps through a downloaded file.
Fixed an issue with Smartcard redirection.

Updates for version 1.2.1364


Date published: 09/22/2020
Fixed an issue where single sign-on (SSO) didn't work on Windows 7.
Fixed the connection failure that happened when calling or joining a Teams call while another app has an
audio stream opened in exclusive mode and when media optimization for Teams is enabled.
Fixed a failure to enumerate audio or video devices in Teams when media optimization for Teams is enabled.
Added a "Need help with settings?" link to the desktop settings page.
Fixed an issue with the "Subscribe" button that happened when using high-contrast dark themes.

Updates for version 1.2.1275


Date published: 08/25/2020
Added functionality to auto-detect sovereign clouds from the user’s identity.
Added functionality to enable custom URL subscriptions for all users.
Fixed an issue with app pinning on the feed taskbar.
Fixed a crash when subscribing with URL.
Improved experience when dragging remote app windows with touch or pen.
Fixed an issue with localization.

Updates for version 1.2.1186


Date published: 07/28/2020
You can now be subscribed to Workspaces with multiple user accounts, using the overflow menu (...) option
on the command bar at the top of the client. To differentiate Workspaces, the Workspace titles now include
the username, as do all app shortcuts titles.
Added additional information to subscription error messages to improve troubleshooting.
The collapsed/expanded state of Workspaces is now preserved during a refresh.
Added a Send Diagnostics and Close button to the Connection information dialog.
Fixed an issue with the CTRL + SHIFT keys in remote sessions.

Updates for version 1.2.1104


Date published: 06/23/2020
Updated the automatic discovery logic for the Subscribe option to support the Azure Resource Manager-
integrated version of Azure Virtual Desktop. Customers with only Azure Virtual Desktop resources should no
longer need to provide consent for Azure Virtual Desktop (classic).
Improved support for high-DPI devices with scale factor up to 400%.
Fixed an issue where the disconnect dialog didn't appear.
Fixed an issue where command bar tooltips would remain visible longer than expected.
Fixed a crash when you tried to subscribe immediately after a refresh.
Fixed a crash from incorrect parsing of date and time in some languages.

Updates for version 1.2.1026


Date published: 05/27/2020
When subscribing, you can now choose your account instead of typing your email address.
Added a new Subscribe with URL option that allows you to specify the URL of the Workspace you are
subscribing to or leverage email discovery when available in cases where we can't automatically find your
resources. This is similar to the subscription process in the other Remote Desktop clients. This can be used to
subscribe directly to Azure Virtual Desktop workspaces.
Added support to subscribe to a Workspace using a new URI scheme that can be sent in an email to users or
added to a support website.
Added a new Connection information dialog that provides client, network, and server details for desktop
and app sessions. You can access the dialog from the connection bar in full screen mode or from the System
menu when windowed.
Desktop sessions launched in windowed mode now always maximize instead of going full screen when
maximizing the window. Use the Full screen option from the system menu to enter full screen.
The Unsubscribe prompt now displays a warning icon and shows the workspace names as a bulleted list.
Added the details section to additional error dialogs to help diagnose issues.
Added a timestamp to the details section of error dialogs.
Fixed an issue where the RDP file setting desktop size ID didn't work properly.
Fixed an issue where the Update the resolution on resize display setting didn't apply after launching the
session.
Fixed localization issues in the desktop settings panel.
Fixed the size of the focus box when tabbing through controls on the desktop settings panel.
Fixed an issue causing the resource names to be difficult to read in high contrast mode.
Fixed an issue causing the update notification in the action center to be shown more than once a day.

Updates for version 1.2.945


Date published: 04/28/2020
Added new display settings options for desktop connections available when right-clicking a desktop icon on
the Connection Center.
There are now three display configuration options: All displays , Single display and Select
displays .
We now only show available settings when a display configuration is selected.
In Select display mode, a new Maximize to current displays option allows you to dynamically
change the displays used for the session without reconnecting. When enabled, maximizing the session
causes it to go full screen on all displays touched by the session window.
We've added a new Single display when windowed option for all displays and select displays
modes. This option switches your session automatically to a single display when you exit full screen
mode, and automatically returns to multiple displays when you maximize the window.
We've added a new Display settings group to the system menu that appears when you right-click the title
bar of a windowed desktop session. This will let you change some settings dynamically during a session. For
example, you can change the new Single display mode when windowed and Maximize to current
displays settings.
When you exit full screen, the session window will return to its original location when you first entered full
screen.
The background refresh for Workspaces has been changed to every four hours instead of every hour. A
refresh now happens automatically when launching the client.
Resetting your user data from the About page now redirects to the Connection Center when completed
instead of closing the client.
The items in the system menu for desktop connections were reordered and the Help topic now points to the
client documentation.
Addressed some accessibility issues with tab navigation and screen readers.
Fixed an issue where the Azure Active Directory authentication dialog appeared behind the session window.
Fixed a flickering and shrinking issue when dragging a desktop session window between displays of different
scale factors.
Fixed an error that occurred when redirecting cameras.
Fixed multiple crashes to improve reliability.
Updates for version 1.2.790
Date published: 03/24/2020
Renamed the "Update" action for Workspaces to "Refresh" for consistency with other Remote Desktop clients.
You can now refresh a Workspace directly from its context menu.
Manually refreshing a Workspace now ensures all local content is updated.
You can now reset the client's user data from the About page without needing to uninstall the app.
You can also reset the client's user data using msrdcw.exe /reset with an optional /f parameter to skip the
prompt.
We now automatically look for a client update when navigating to the About page.
Updated the color of the buttons for consistency.

Updates for version 1.2.675


Date published: 02/25/2020
Connections to Azure Virtual Desktop are now blocked if the RDP file is missing the signature or one of the
signscope properties has been modified.
When a Workspace is empty or has been removed, the Connection Center no longer appears to be empty.
Added the activity ID and error code on disconnect messages to improve troubleshooting. You can copy the
dialog message with Ctrl+C .
Fixed an issue that caused the desktop connection settings to not detect displays.
Client updates no longer automatically restart the PC.
Windowless icons should no longer appear on the taskbar.

Updates for version 1.2.605


Date published: 01/29/2020
You can now select which displays to use for desktop connections. To change this setting, right-click the icon
of the desktop connection and select Settings .
Fixed an issue where the connection settings didn't display the correct available scale factors.
Fixed an issue where Narrator couldn't read the dialogue shown while the connection initiated.
Fixed an issue where the wrong user name displayed when the Azure Active Directory and Active Directory
names didn't match.
Fixed an issue that made the client stop responding when initiating a connection while not connected to a
network.
Fixed an issue that caused the client to stop responding when attaching a headset.

Updates for version 1.2.535


Date published: 12/04/2019
You can now access information about updates directly from the more options button on the command bar
at the top of the client.
You can now report feedback from the command bar of the client.
The Feedback option is now only shown if the Feedback Hub is available.
Ensured the update notification is not shown when notifications are disabled through policy.
Fixed an issue that prevented some RDP files from launching.
Fixed a crash on startup of the client caused by corruption of some persistent settings.
Updates for version 1.2.431
Date published: 11/12/2019
The 32-bit and ARM64 versions of the client are now available!
The client now saves any changes you make to the connection bar (such as its position, size, and pinned
state) and applies those changes across sessions.
Updated gateway information and connection status dialogs.
Addressed an issue that caused two credentials to prompt at the same time while trying to connect after the
Azure Active Directory token expired.
On Windows 7, users are now properly prompted for credentials if they had saved credentials when the
server disallows it.
The Azure Active Directory prompt now appears in front of the connection window when reconnecting.
Items pinned to the taskbar are now updated during a feed refresh.
Improved scrolling on the Connection Center when using touch.
Removed the empty line from the resolution drop-down menu.
Removed unnecessary entries in Windows Credential Manager.
Desktop sessions are now properly sized when exiting full screen.
The RemoteApp disconnection dialog now appears in the foreground when you resume your session after
entering sleep mode.
Addressed accessibility issues like keyboard navigation.

Updates for version 1.2.247


Date published: 09/17/2019
Improved the fallback languages for localized version. (For example, FR-CA will properly display in French
instead of English.)
When removing a subscription, the client now properly removes the saved credentials from Credential
Manager.
The client update process is now unattended once started and the client will relaunch once completed.
The client can now be used on Windows 10 in S mode.
Fixed an issue that caused the update process to fail for users with a space in their username.
Fixed a crash that happened when authenticating during a connection.
Fixed a crash that happened when closing the client.
Get started with the Microsoft Store Client
7/29/2021 • 10 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows 10

You can use the Remote Desktop client for Windows to work with Windows apps and PCs remotely from a
different Windows device.
Use the following information to get started. Be sure to check out the FAQ if you have any questions.

NOTE
Curious about the new releases for the Microsoft Store Client? Check out What's new in the Microsoft Store Client
You can run the client on any supported version of Windows 10.

Get the RD client and start using it


Follow these steps to get started with Remote Desktop on your Windows 10 device:
1. Download the Remote Desktop client from Microsoft Store.
2. Set up your PC to accept remote connections.
3. Add a Remote PC connection or a workspace. You use a connection to connect directly to a Windows PC and
a workspace to use a RemoteApp program, session-based desktop, or virtual desktop published by your
admin.
4. Pin items so you can get to Remote Desktop quickly.
Add a Remote PC connection
To create a Remote PC connection:
1. In the Connection Center, tap + Add , and then tap PCs .
2. Enter the following information for the computer you want to connect to:
PC name – the name of the computer. The PC name can be a Windows computer name, an Internet
domain name, or an IP address. You can also append port information to the PC name (for example,
MyDesktop:3389 or 10.0.0.1:3389 ).
User account – The user account to use to access the remote PC. Tap + to add a new account or
select an existing account. You can use the following formats for the username: user_name,
domain\user_name, or [email protected]. You can also specify whether to prompt for
credentials during the connection by selecting Ask me ever y time .
3. You can also set additional options by tapping on Show more :
Display name – An easy-to-remember name for the PC you're connecting to. You can use any string,
but if you don't specify a friendly name, the PC name is displayed.
Group – Specify a group to make it easier to find your connections later. You can add a new group by
tapping + or select one from the list.
Gateway – The Remote PC gateway that you want to use to connect to virtual PCs, RemoteApp
programs, and session-based PCs on an internal corporate network. Get the information about the
gateway from your system administrator.
Connect to admin session - Use this option to connect to a console session to administrate a
Windows server.
Swap mouse buttons – Use this option to swap the left mouse button functions for the right mouse
button. Swapping mouse buttons is necessary when you use a PC configured for a left-handed user
but you only have a right-handed mouse.
Set my remote session resolution to: – Select the resolution you want to use in the session.
Choose for me will set the resolution based on the size of the client.
Change the size of the display: – When selecting a high static resolution for the session, you can
use this setting to make items on the screen appear larger to improve readability. This setting only
applies when connecting to Windows 8.1 or later.
Update the remote session resolution on resize – When enabled, the client will dynamically
update the session resolution based on the size of the client. This setting only applies when connecting
to Windows 8.1 or later.
Clipboard – When enabled, allows you to copy text and images to/from the remote PC.
Audio Playback – Select the device to use for audio during your remote session. You can choose to
play sound on the local devices, the remote PC, or not at all.
Audio Recording – When enabled, allows you to use a local microphone with applications on the
remote PC.
4. Tap Save .
Need to edit these settings? Tap the overflow menu (...) next to the name of the PC, and then tap Edit .
Want to delete the connection? Again, tap the overflow menu (...), and then tap Remove .
Add a workspace
Workspaces are RemoteApp programs, session-based desktops, and virtual desktops published by your admin
using Remote Desktop Services.
To add a workspace:
1. On the Connection Center screen, tap + Add , and then tap Workspaces .
2. Enter the Feed URL provided by your admin and tap Find feeds .
3. When prompted, provide the credentials to subscribe to the feed.
The workspaces will be displayed in the Connection Center.
To delete workspaces:
1. In the Connection Center, tap the overflow menu (...) next to the workspace.
2. Tap Remove .
Pin a saved PC to your Start menu
To pin a connection to your Start menu, tap the overflow menu (...) next to the name of the PC, and then tap Pin
to Star t .
Now you can start the PC connection directly from your Start menu by tapping it.

Connect to an RD Gateway to access internal assets


A Remote Desktop Gateway (RD Gateway) lets you connect to a remote computer on a corporate network from
anywhere on the Internet. You can create and manage your gateways using the Remote Desktop client.
To set up a new gateway:
1. In the Connection Center, tap Settings .
2. Next to Gateway, tap + to add a new gateway.
NOTE
You can also add a gateway when you add a new connection.

3. Enter the following information:


Ser ver name – The name of the computer you want to use as a gateway. The server name can be a
Windows computer name, an Internet domain name, or an IP address. You can also add port
information to the server name (for example: RDGateway:443 or 10.0.0.1:443 ).
User account - Select or add a user account to use with the Remote PC Gateway you're connecting
to. You can also select Use desktop user account to use the same credentials that you used for the
remote PC connection.
4. Tap Save .

Global app settings


You can set the following global settings in your client by tapping Settings :
Managed items
User account - Allows you to add, edit, and delete user accounts saved in the client. You can also update the
password for an account after it's changed.
Gateway - Allows you to add, edit, and delete gateway servers saved in the client.
Group - Allows you to add, edit, and delete groups saved in the client. You can also group connections here.
Session settings
Star t connections in full screen - When enabled, anytime a connection is launched, the client will use the
entire screen of the current monitor.
Star t each connection in a new window - When enabled, each connection is launched in a separate
window, allowing you to place them on different monitors and switch between them using the taskbar.
When resizing the app: - Allows you control over what happens when the client window is resized.
Defaults to Stretch the content, preser ving aspect ratio .
Use keyboard commands with: - Lets you specify where keyboard commands like WIN or ALT+TAB are
used. The default is to only send them to the session when the connection is in full screen.
Prevent the screen from timing out - Allows you to keep the screen from timing out when a session is
active. Preventing timeout is helpful when the connection doesn't need interaction for long periods of time.
App settings
Show PC Previews - Lets you see a preview of a PC in the Connection Center before you connect to it. This
setting is on by default.
Help improve Remote Desktop - Sends anonymous data to Microsoft. We use this data to improve the
client. To learn more about how we treat this anonymous and private data, see the Microsoft Privacy
Statement. This setting is on by default.
Manage your user accounts
When you connect to a PC or workspace, you can save the account's information to connect to it later. You can
also define user accounts within the client instead of saving the user data when you connect to a PC.
To create a new user account:
1. In the Connection Center, tap Settings .
2. Next to User account, tap + to add a new user account.
3. Enter the following information:
Username - The name of the user to save for use with a remote connection. You can enter the user
name in any of the following formats: user_name, domain\user_name, or [email protected].
Password - The password for the user you specified. This field can be left blank to be prompted for a
password during the connection.
4. Tap Save .
To delete a user account:
1. In the Connection Center, tap Settings .
2. Select the account to delete from the list under User account.
3. Next to User account, tap the edit icon.
4. Tap Remove this account at the bottom to delete the user account.
5. You can also edit the user account and tap Save .

Navigate your remote session


This section describes the tools available to help you navigate your remote session once you've connected to the
service.
Start a remote session
1. Tap the name of the connection you want to use to start the session.
2. If you haven't saved credentials for the connection, you'll be prompted to provide a Username and
Password .
3. If you're asked to verify the certificate for your workspace or PC, review the information and ensure you trust
this PC before tapping Connect . You can also select Don't ask about this cer tificate again to always
accept this certificate.
Connection bar
The connection bar gives you access to additional navigation controls. By default, the connection bar is placed in
the middle of the top of the screen. Tap and drag the bar to the left or right to move it.
Pan Control - The pan control enables the screen to be enlarged and moved around. Pan control is only
available on touch-enabled devices and using the direct touch mode.
To enable or disable the pan control, tap the pan icon in the connection bar to display the pan control.
The screen will zoom in while the pan control is active. Tap the pan icon in the connection bar again to
hide the control and return the screen to its original resolution.
To use the pan control, tap and hold the pan control and then drag in the direction you want to move
the screen.
To move the pan control, double-tap and hold the pan control to move the control on the screen.
Additional options - Tap the additional options icon to display the session selection bar and command bar.
Keyboard - Tap the keyboard icon to display or hide the on-screen keyboard. The pan control is displayed
automatically when the keyboard is displayed.
Command bar
Tap the ... on the connection bar to display the command bar on the right side of the screen.
Home - Use the Home button to return to the connection center from the command bar.
You can also use the back button for the same action. If you use the back button, your active session
won't be disconnected, allowing you to launch additional connections.
Disconnect - Use the Disconnect button to disconnect from the session. Your apps will remain active as long
as the session is still active on the remote PC.
Full-screen - Enters or exits full screen mode.
Touch or Mouse - You can switch between the mouse modes (Direct Touch and Mouse Pointer).
Use direct touch gestures and mouse modes
You can interact with your session with two available mouse modes:
Direct touch : Passes all of the touch contacts to the session to be interpreted remotely.
Used in the same way you would use Windows with a touch screen.
Mouse pointer : Transforms your local touch screen into a large touchpad, letting you move a mouse
pointer in the session.
Used in the same way you would use Windows with a touchpad.

NOTE
In Windows 8 or later, the native touch gestures are supported in Direct Touch mode.

M O USE M O DE M O USE O P ERAT IO N GEST URE

Direct touch Left-click Tap with one finger

Direct touch Right-click Tap and hold with one finger

Mouse pointer Left-click Tap with one finger

Mouse pointer Left-click and drag Double-tap and hold with one finger,
then drag

Mouse pointer Right-click Tap with two fingers

Mouse pointer Right-click and drag Double-tap and hold with two fingers,
then drag

Mouse pointer Mouse wheel Tap and hold with two fingers, then
drag up or down

Mouse pointer Zoom With two fingers, pinch to zoom out


and move fingers apart to zoom in

Give us feedback
Have a feature suggestion or want to report a problem? Tell us with the Feedback Hub.
You can also give us feedback by selecting the ellipsis button (...) in the client app, then selecting Feedback , as
shown in the following image.
NOTE
To best help you, we need you to give us as detailed information about the issue as possible. For example, you can include
screenshots or a recording of the actions you took leading up to the issue. For more tips about how to provide helpful
feedback, see Feedback.
What's new in the Microsoft Store client
7/2/2021 • 2 minutes to read • Edit Online

We regularly update the Microsoft Store client, adding new features and fixing issues. Here's where you'll find
the latest updates.

Updates for version 10.2.1810


Date published: 03/29/2021
Fixed an issue that caused crashes during clipboard scenarios.
Fixed an issue that happened when using the client with HoloLens.
Fixed an issue where the lock screen wasn't appearing in the remote session.
Fixed issues that happened when the client tried to connect to devices with the “Always prompt for password
upon connection” group policy set.
Added several stability improvements to the client.

Updates for version 10.2.1534


Date published: 08/26/2020
Rewrote the client to use the same underlying RDP core engine as the iOS, macOS, and Android clients.
Added support for the Azure Resource Manager-integrated version of Azure Virtual Desktop.
Added support for x64 and ARM64.
Updated the side panel design to full screen.
Added support for light and dark modes.
Added functionality to subscribe and connect to sovereign cloud deployments.
Added functionality to enable backup and restore of workspaces (bookmarks) in release to manufacturing
(RTM).
Updated functionality to use existing Azure Active Directory (Azure AD) tokens during the subscription
process to reduce the number of times users must sign in.
Updated subscription can now detect whether you're using Azure Virtual Desktop or Azure Virtual Desktop
(classic).
Fixed issue with copying files to remote PCs.
Fixed commonly reported accessibility issues with buttons.
A limit of up to 20 credentials per app is allowed.

Updates for version 10.1.1215


Date published: 04/20/2020
Updated the user agent string for Azure Virtual Desktop.

Updates for version 10.1.1195


Date published: 03/06/2020
Audio from the session now continues to play even when the app is minimized or in the background.
Fixed an issue where the toggle keys (caps lock, num lock, and so on) went out of sync between the local and
remote PCs.
Performance improvements on 64-bit devices.
Fixed a crash that occurred whenever the app was suspended.

Updates for version 10.1.1107


Date published: 09/04/2019
You can now copy files between local and remote PCs.
You can now use your email address to access remote resources (if enabled by your admin).
You can now change user account assignments for remote resource feeds.
The app now shows the proper icon for .rdp files assigned to this app in File Explorer instead of a blank
default icon.

Updates for version 10.1.1098


Date published: 03/15/2019
You can now set a display name for user accounts so you can save the same username with different
passwords.
It's now possible to select an existing user account when adding Remote Resources.
Fixed an issue where the client wasn't terminating correctly.
The client now properly handles being suspended when secondary windows are open.
Additional bug fixes.

Updates for version 10.1.1088


Date published: 11/06/2018
Connection display name is now more discoverable.
Fixed a crash when closing the client window while a connection is still active.
Fix a hang when reconnecting after the client is minimized.
Allow desktops to be dragged anywhere in a group.
Ensure launching a connection from the jump list results in a separate window when needed.
Additional bug fixes.

Updates for version 10.1.1060


Date published: 09/14/2018
Addressed an issue where double-clicking a desktop connection caused two sessions to be launched.
Fixed a crash when switching between virtual desktops locally.
Moving a session to a different monitor now also updates the session scale factor.
Handle additional system keys like AltGr.
Additional bug fixes.

Updates for version 10.1.1046


Date published: 06/20/2018
Bug fixes.

Updates for version 10.1.1042


Date published: 04/02/2018
Updates to address CredSSP encryption oracle remediation described in CVE-2018-0886.
Additional bug fixes.
Get started with the Android client
7/29/2021 • 11 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Android 7.0 and later

You can use the Remote Desktop client for Android to work with Windows apps and desktops directly from your
Android device or a Chromebook that supports the Google Play Store.
This article will show you how to get started using the client. If you have any additional questions, make sure to
check our FAQ.

NOTE
Curious about the new releases for the Android client? Check out What's new for the Android client.
The Android client supports devices running Android 6.0 and later, as well as Chromebooks with ChromeOS 53 and
later. Learn more about Android applications on Chrome at Chrome OS Systems Supporting Android Apps.

Download the Remote Desktop client


Here's how to set up the Remote Desktop client on your Android device:
1. Download the Microsoft Remote Desktop client from Google Play.
2. Launch RD client from your list of apps.
3. Add a Remote Desktop connection or remote resources. Remote Desktop connections let you connect
directly to a Windows PC and remote resources to access apps and desktops published to you by an admin.

Add a Remote Desktop connection


Now that you have the client on your device, you can add Remote Desktop connections to access your remote
resources.
Before you add a connection, if you haven't done so already, set up your PC to accept remote connections.
To add a Remote Desktop connection:
1. In the Connection Center, tap + , and then tap Desktop .
2. Enter the name of the remote PC into PC name . This name can be a Windows computer name, an
Internet domain name, or an IP address. You can also append port information to the PC name (for
example, MyDesktop:3389 or 10.0.0.1:3389). This field is the only required field.
3. Select the User name you use to access the Remote PC.
Select Enter ever y time for the client to ask for your credentials every time you connect to the
remote PC.
Select Add user account to save an account that you use frequently so you don't have to enter
credentials every time you sign in. To learn more about user accounts, see Manage your user accounts.
4. You can also tap on Show additional options to set the following optional parameters:
In Friendly name , you can enter an easy-to-remember name for the PC you're connecting to. If you
don't specify a friendly name, the PC name is displayed instead.
The Gateway is the Remote Desktop gateway you'll use to connect to a computer from an external
network. Contact your system administrator for more information.
Sound selects the device your remote session uses for audio. You can choose to play sound on your
local device, the remote device, or not at all.
Customize display resolution sets the resolution for the remote session. When turned off, the
resolution specified in global settings is used.
Swap mouse buttons switches the commands sent by right and left mouse gestures. Ideal for left-
handed users.
Connect to admin session lets you connect to an admin session on the remote PC.
Redirect local storage enables local storage redirection. This setting is disabled by default.
5. When you're done, tap Save .
Need to edit these settings? Tap the More options menu (...) next to the name of the desktop, and then tap
Edit .
Want to remove the connection? Again, tap the More options menu (...), and then tap Remove .

TIP
If you get an error name "0xf07" that says something like "We couldn't connect to the remote PC because the password
associated with the user account has expired," try again with a new password.

Add remote resources


Remote resources are RemoteApp programs, session-based desktops, and virtual desktops published by your
admin. The Android client supports resources published from Remote Desktop Services, Windows 365, and
Azure Virtual Desktop deployments.
To add remote resources:
1. In the Connection Center, tap + , and then tap Remote Resource Feed .
2. Enter the Feed URL . This URL can be a URL or an email address:
The URL is the RD Web Access server provided to you by your admin. If you're accessing resources
from Azure Virtual Desktop or Windows 365, you can use one of the following URLs:
If you're using Azure Virtual Desktop (classic), use:
https://rdweb.wvd.microsoft.com/api/feeddiscovery/webfeeddiscovery.aspx .
If you're using Azure Virtual Desktop, use:
https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery .
If you're using Windows 365, use: https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery .
If you plan to use Email , enter your email address in this field. Filling out this field tells the client to
search for an RD Web Access server associated with your email address if it was configured by your
admin.
3. Tap Next .
4. Provide your sign-in information when prompted. The credentials you should use can vary based on the
deployment and can include:
The User name that has permission to access the resources.
The Password associated with the user name.
Additional factor , which you may be prompted for a if authentication was configured that way by
your admin.
5. When you're done, tap Save .
The remote resources will be displayed in the Connection Center.

Remove remote resources


To remove remote resources:
1. In the Connection Center, tap the overflow menu (...) next to the remote resource.
2. Tap Remove .
3. Confirm you've removed the resource.

Pin a connection to your home screen


The Remote Desktop client supports using the Android widget feature to pin connections to your home screen.
The widget adding process depends on which type of Android device and Android OS version you're using.
To add a widget:
1. Tap Apps to launch the apps menu.
2. Tap Widgets .
3. Swipe through the widgets and look for the Remote Desktop icon with the description: Pin Remote Desktop.
4. Tap and hold that Remote Desktop widget and move it to the home screen.
5. When you release the icon, you'll see the saved remote desktops. Choose the connection that you want to
save to your home screen.
Now you can start the remote desktop connection directly from your home screen by tapping it.

NOTE
If you rename the desktop connection in the Remote Desktop client, its pinned label won't update.

Manage general app settings


To change the general app settings, go to the Connection Center, tap Settings , and then tap General .
You can set the following general settings:
Show desktop previews lets you see a preview of a desktop in the Connection Center before you connect
to it. This setting is enabled by default.
Pinch to zoom remote session lets you use pinch-to-zoom gestures. If the app you're using through
Remote Desktop supports multi-touch (introduced in Windows 8), disable this feature.
Enable Use scancode input when available if your remote app doesn't respond properly to keyboard
input sent as scancode. Input is sent as unicode when disabled.
Help improve Remote Desktop sends anonymous data about how you use Remote Desktop for Android
to Microsoft. We use this data to improve the client. To learn more about our privacy policy and what kinds of
data we collect, see the Microsoft Privacy Statement. This setting is enabled by default.

Manage display settings


To change the display settings tap Settings , and then tap Display from the Connection Center.
You can set the following display settings:
Orientation sets the preferred orientation (landscape or portrait) for your session.
NOTE
If you connect to a PC running Windows 8 or earlier, the session won't scale correctly if the orientation of the
device changes. To make the client scale correctly, disconnect from the PC, then reconnect in the orientation you
want to use. You can also ensure correct scaling by using a PC with Windows 10 instead.

Resolution sets the remote resolution you want to use for desktop connections globally. If you have
already set a custom resolution for an individual connection, this setting won't change that.

NOTE
When you change the display settings, the changes only apply to new connections you make after the you
changed the setting. To apply your changes to the session you're currently connected to, refresh your session by
disconnecting and reconnecting.

Manage your RD Gateways


A Remote Desktop Gateway (RD Gateway) lets you connect to a remote computer on a private network from
anywhere on the Internet. You can create and manage your gateways using the Remote Desktop client.
To set up a new RD Gateway:
1. In the Connection Center, tap Settings , and then tap Gateways .
2. Tap + to add a new gateway.
3. Enter the following information:
Enter the name of the computer you want to use as a gateway into Ser ver name . This name can be a
Windows computer name, an Internet domain name, or an IP address. You can also add port
information to the server name (for example: RDGateway:443 or 10.0.0.1:443).
Select the User account you'll use to access the RD Gateway.
Select Use desktop user account to use the same credentials that you specified for the
remote PC.
Select Add user account to save an account that you use frequently so you don't have to
enter credentials every time you sign in. For more information, see Manage your user accounts.
To delete an RD Gateway:
1. In the Connection Center, tap Settings , and then tap Gateways .
2. Tap and hold a gateway in the list to select it. You can select multiple gateways at once.
3. Tap the trash can to delete the selected gateway.

Manage your user accounts


You can save user accounts to use whenever you connect to a remote desktop or remote resources.
To save a user account:
1. In the Connection Center, tap Settings , and then tap User accounts .
2. Tap + to add a new user account.
3. Enter the following information:
The User Name to save for use with a remote connection. You can enter the user name in any of the
following formats: user_name, domain\user_name, or [email protected].
The Password for the user you specified. Every user account that you want to save to use for remote
connections needs to have a password associated with it.
4. When you're done, tap Save .
To delete a saved user account:
1. In the Connection Center, tap Settings , and then tap User accounts .
2. Tap and hold a user account in the list to select it. You can select multiple users at the same time.
3. Tap the trash can to delete the selected user.

Start a Remote Desktop connection


Now that you've set up your Remote Desktop Android client, let's learn how to start a Remote Desktop session.
To start a session:
1. Tap the name of your Remote Desktop connection to start the session.
2. If you're asked to verify the certificate for the remote desktop, tap Connect . You can also select Don't ask
me again for connections to this computer to always accept the certificate by default.

Use the connection bar


The connection bar gives you access to additional navigation controls. By default, the connection bar is placed in
the middle at the top of the screen. Drag the bar to the left or right to move it.
Pan Control : The pan control enables the screen to be enlarged and moved around. Pan control is only
available for direct touch.
To show the pan control, tap the pan icon in the connection bar to display the pan control and zoom
the screen. Tap the pan icon again to hide the control and return the screen to its original size.
To use the pan control, tap and hold it, then drag it in the direction you want to move the screen.
To move the pan control, double-tap and hold it to move the control around on the screen.
Additional options : Tap the additional options icon to display the session selection bar and command bar.
Keyboard : Tap the keyboard icon to display or hide the keyboard. The pan control is displayed automatically
when the keyboard is displayed.

Use the session selection bar


You can have multiple connections open to different PCs at the same time. Tap the connection bar to display the
session selection bar on the left side of the screen. The session selection bar lets you view your open
connections and switch between them.
When you're connected to remote resources, you can switch between apps within that session by tapping the
expander menu ( > ) and choosing from the list of available items.
To start a new session within your current connection, tap Star t New , then choose from the list of available
items.
To disconnect a session, tap X in the left side of the session tile.

Use the command bar


Tap the connection bar to display the command bar on the right side of the screen. On the command bar, you
can switch between mouse modes (direct touch and mouse pointer) or tap the Home button to return to the
Connection Center. You can also tap the Back button to return to the Connection Center. Returning to the
Connection Center won't disconnect your active session.

Touch gestures and mouse modes


The Remote Desktop for Android client uses standard touch gestures. You can also use touch gestures to
replicate mouse actions on the remote desktop. The following table explains which gestures match which mouse
actions in each mouse mode.

NOTE
Native touch gestures are supported in Direct Touch mode in Windows 8 or later.

M O USE M O DE M O USE A C T IO N GEST URE

Direct touch Left-click Tap with one finger

Direct touch Right-click Tap with one finger and hold, then
release

Mouse pointer Zoom Use two fingers and pinch to zoom out
or move fingers apart to zoom in.

Mouse pointer Left-click Tap with one finger

Mouse pointer Left-click and drag Double-tap and hold with one finger,
then drag

Mouse pointer Right-click Tap with two fingers

Mouse pointer Right-click and drag Double-tap and hold with two fingers,
then drag

Mouse pointer Mouse wheel Tap and hold with two fingers, then
drag up or down

Join the Beta channel


If you want to help us test new builds or find issues in upcoming version updates before they're released, you
should join our Beta channel. Enterprise admins can use the Beta channel to validate new versions of the
Android client for their users.
To join the Beta, download our Beta client and give consent to access preview versions and download the client.
You'll receive preview versions directly through the Google Play Store.
What's new in the Android client
7/19/2021 • 2 minutes to read • Edit Online

We regularly update the Remote Desktop client for Android, adding new features and fixing issues. Here's where
you'll find the latest updates.

Updates for version 10.0.11


Date published: July 13, 2021
In this version, we made bug fixes and performance improvements.

Updates for version 10.0.10


Date published: 3/24/2021
Added support for client-side IMEs when using built-in and onscreen keyboards.
Added a prompt for credentials when subscribing to a workflow.
Improved Azure Virtual Desktop workspace download performance to prevent throttling.
Fixed an issue where incorrect command icons would appear in the UI.

Updates for version 10.0.9


Date published: 2/2/2021
Support for dark mode on Android 10 and later.
Fixed clipboard redirection synchronization issues.
Added clipboard redirection to the Add/Edit PC UI.
The Android client now supports the DEL key on external keyboards.
Fixed a bug that caused workspace URL auto-complete to stop responding.
Addressed keyboard and screen reader-related accessibility bugs.
Addressed reliability issues identified by user reports.

Updates for version 10.0.8


Date published: 12/04/2020
Client now supports microphone redirection.
New UI for subscribing to and editing workspaces.
Cleaned up existing UI throughout the client.
Fixed Samsung DeX keyboard input.
Addressed an issue where clients would report a 0x5000007 error when connecting using an RD Gateway
server.
Addressed several reliability issues identified by users through crash reporting.
Minimum required version of Android is now Android 6.
Fixed an issue where the client stopped responding while saving a file to redirected storage.

Updates for version 10.0.7


Date Published: 07/24/2020
Implemented full support for Azure Virtual Desktop.
Rewrote the client to use the same underlying RDP core engine as the iOS and macOS clients.
New Connection Center experience.
New Connection Progress UI.
New in-session Connection Bar.
Added support for Android TV devices.
Integration with Microsoft Authenticator to enable conditional access when subscribing to Azure Virtual
Desktop feeds.
Enabled the transfer of connections and settings from Remote Desktop 8.

Updates for version 8.1.80


Date Published: 05/26/2020
Changed the client icon to distinguish it from the new client currently in preview.
Prepared the client to support settings and connections transfer to the new client.

Updates for version 8.1.79


Date published: 03/24/2020
Fixed an issue where barcode scanners didn't work.

Updates for version 8.1.77


Date published: 02/11/2020
Improved accessibility for users of keyboard-only navigation.
Get started with the iOS client
7/29/2021 • 9 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows 10, Windows 8.1, Windows Server 2019, Windows Server
2016, Windows Server 2012 R2

You can use the Remote Desktop client for iOS to work with Windows apps, resources, and desktops from your
iOS device (iPhones and iPads).
Use the following information to get started. Be sure to check out the FAQ if you have any questions.

NOTE
Curious about the new releases for the iOS client? Check out What's new for Remote Desktop on iOS?.
The iOS client supports devices running iOS 6.x and newer.

Get the Remote Desktop client and start using it


This section will tell you how to download and set up the Remote Desktop client for iOS.
Download the Remote Desktop client from the iOS store
First you'll need to download the client and configure your PC to connect to remote resources.
To download the client:
1. Download the Microsoft Remote Desktop client from the iOS App Store or iTunes.
2. Set up your PC to accept remote connections.
Add a PC
After you've downloaded the client and configured your PC to accept remote connections, it's time to actually
add a PC.
To add a PC:
1. In the Connection Center, tap + , then tap Add PC .
2. Enter the following information:
PC name – the name of the computer. The PC name can be a Windows computer name, an Internet
domain name, or an IP address. You can also append port information to the PC name (for example,
MyDesktop:3389 or 10.0.0.1:3389 ).
User name – The user name you'll use to access the remote PC. You can use the following formats:
user_name, domain\user_name, or [email protected] . You can also select Ask when required to
be prompted for a user name and password when necessary.
3. You can also set the following additional options:
Friendly name (optional) – An easy-to-remember name for the PC you're connecting to. You can
use any string, but if you don't specify a friendly name, the PC name is displayed instead.
Gateway (optional) – The Remote Desktop gateway that you want to use to connect to virtual
desktops, RemoteApp programs, and session-based desktops on an internal corporate network. Get
the information about the gateway from your system administrator.
Sound – Select the device to use for audio during your remote session. You can choose to play sound
on the local devices, the remote device, or not at all.
Swap mouse buttons – Whenever a mouse gesture would send a command with the left mouse
button, it sends the same command with the right mouse button instead. Swapping mouse buttons is
necessary if the remote PC is configured for left-handed mouse mode.
Admin Mode - Connect to an administration session on a server running Windows Server 2003 or
later.
Clipboard - Choose whether to redirect text and images in your clipboard to your PC.
Storage - Choose whether to redirect storage to your PC.
4. Tap Save .
Need to edit these settings? Press and hold the desktop you want to edit, then tap the settings icon.
Add a workspace
To get a list of managed resources you can access on your iOS, add a workspace by subscribing to the feed
provided by your admin.
To add a workspace:
1. On the Connection Center screen, tap + , and then tap Add workspace .
2. In the Feed URL field, enter the URL for the feed you want to add. This URL can be either a URL or an email
address.
If you use a URL, use the one your admin gave you.
If you're accessing resources from Azure Virtual Desktop or Windows 365, you can use one of
the following URLs:
For Azure Virtual Desktop (classic), use
https://rdweb.wvd.microsoft.com/api/feeddiscovery/webfeeddiscovery.aspx .
For Azure Virtual Desktop, use https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery .
If you're using Windows 365, use:
https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery .
If you use an email address, enter your email address. Entering your email address tells the client to
search for a URL associated with your email address if your admin configured the server that way.
3. Tap Next .
4. Provide your credentials when prompted.
For User name , give the user name of an account with permission to access resources.
For Password , give the password for the account.
You may also be prompted to give additional information depending on the settings your admin
configured authentication with.
5. Tap Save .
After you've finished, the Connection Center should display the remote resources.
Once subscribed to a feed, the feed content will update automatically on a regular basis. Resources may be
added, changed, or removed based on changes made by your administrator.

Manage your user accounts


When you connect to a PC or workspace, you can save the user accounts to select from again.
To create a new user account:
1. In the Connection Center, tap Settings , and then tap User Accounts .
2. Tap Add User Account .
3. Enter the following information:
User Name - The name of the user to save for use with a remote connection. You can enter the user
name in any of the following formats: user_name , domain\user_name , or [email protected] .
Password - The password for the user you specified.
4. Tap Save .
To delete a user account:
1. In the Connection Center, tap Settings , and then tap User Accounts .
2. Select the account you would like to delete.
3. Tap Delete .

Connect to an RD Gateway to access internal assets


A Remote Desktop Gateway (RD Gateway) lets you connect to a remote computer on a corporate network from
anywhere on the Internet. You can create and manage your gateways using the Remote Desktop client.
To set up a new gateway:
1. In the Connection Center, tap Settings > Gateways .
2. Tap Add gateway .
3. Enter the following information:
Gateway name – The name of the computer you want to use as a gateway. The gateway name can be
a Windows computer name, an Internet domain name, or an IP address. You can also add port
information to the server name (for example, RDGateway:443 or 10.0.0.1:443 ).
User name - The user name and password to be used for the Remote Desktop gateway you're
connecting to. You can also select Use connection credentials to use the same user name and
password that you used for the remote desktop connection.

Navigate the Remote Desktop session


This section describes tools you can use to help navigate your Remote Desktop session.
Start a Remote Desktop connection
1. Tap the remote desktop connection to start the remote desktop session.
2. If you're asked to verify the certificate for the remote desktop, tap Accept . To accept by default, set Don't ask
me again for connections to this computer to On .
Connection bar
The connection bar gives you access to additional navigation controls.
Pan Control : The pan control enables the screen to be enlarged and moved around. Pan control is only
available using direct touch.
To enable or disable the pan control, tap the pan icon in the connection bar to display the pan control.
The screen will zoom in while the pan control is active. the pan icon in the connection bar again to
hide the control and return the screen to its original resolution.
To use the pan control, tap and hold the pan control. While holding, drag your fingers in the direction
you want to move the screen.
To move the pan control, double-tap and hold the pan control to move the control on the screen.
Connection name : The current connection name is displayed. Tap the connection name to display the
session selection bar.
Keyboard : Tap the keyboard icon to display or hide the keyboard. The pan control is displayed automatically
when the keyboard is displayed.
Move the connection bar : Tap and hold the connection bar. While holding the bar, drag it over to its new
location. Let go of the bar to place it at the new location.
Session selection
You can have multiple connections open to different PCs at the same time. Tap the connection bar to display the
session selection bar on the left-hand side of the screen. The session selection bar enables you to view your
open connections and switch between them.
Here's what you can do with the session selection bar:
To switch between apps in an open remote resource session, tap the expander menu and choose an app from
the list.
Tap Star t New to start a new session, then choose a session from the list of available sessions.
Tap the X icon on the left side of the session tile to disconnect from your session.
Command bar
The command bar replaced the Utility bar starting in version 8.0.1. You can use the command bar to switch
between mouse modes and return to the connection center.

Use touch gestures and mouse modes in a remote session


The client uses standard touch gestures. You can also use touch gestures to replicate mouse actions on the
remote desktop. The mouse modes available are defined in the table below.

NOTE
In Windows 8 or later, the native touch gestures are supported in Direct Touch mode. For more information on Windows
8 gestures, see Touch: Swipe, tap, and beyond.

M O USE M O DE M O USE O P ERAT IO N GEST URE

Direct touch Left-click Tap with one finger

Direct touch Right-click Tap and hold with one finger

Mouse pointer Left-click Tap with one finger

Mouse pointer Left-click and drag Tap and hold with one finger, then
drag

Mouse pointer Right-click Tap with two fingers

Mouse pointer Right-click and drag Double-tap and hold with two fingers,
then drag

Mouse pointer Mouse wheel Double-tap and hold with two fingers,
then drag up or down

Mouse pointer Zoom With two fingers, pinch to zoom out


and spread fingers apart to zoom in

Supported input devices


The client has Bluetooth mouse support for iOS 13 and iPadOS as an accessibility feature. You can use
Swiftpoint GT or ProPoint mice for deeper mouse integration. The client also supports external keyboards that
are compatible with iOS and iPadOS.
For more information about device support, see What's new in the iOS client and the iOS App Store.

TIP
Swiftpoint is offering an exclusive discount on the ProPoint mouse for iOS client users.

Use a keyboard in a remote session


You can use either an on-screen keyboard or physical keyboard in your remote session.
For on-screen keyboards, use the button on the right edge of the bar above the keyboard to switch between the
standard and additional keyboard.
If Bluetooth is enabled on your iOS device, the client automatically detects the Bluetooth keyboard.
While certain key combinations might not work as expected in a remote session, many of the common
Windows key combinations, such as CTRL+C, CTRL+V, and ALT+TAB will work.

TIP
Questions and comments are always welcome. However, if you post support requests or product feedback in this article's
comments section, we won't be able to respond to your feedback. If you need help or want to troubleshoot your client,
we highly recommend you go to the Remote Desktop client forum and start a new thread. If you have a feature
suggestion, you can tell us using the client user voice forum.
What's new in the iOS client
7/19/2021 • 13 minutes to read • Edit Online

We regularly update the Remote Desktop client for iOS, adding new features and fixing issues. You'll find the
latest updates on this page.

How to report issues


We're committed to making the Remote Desktop client for iOS the best it can be, so we value your feedback. You
can report any issues at Help > Repor t an Issue .

Updates for version 10.3.1


Date published: June 28, 2021
In this release we worked around a 0x907 (mismatched certificate) error code that was caused by third-party
infrastructure returning an incorrect certificate in redirection scenarios. We also made some updates to improve
compatibility and performance metrics when connecting to Azure Virtual Desktop (formerly known as Windows
Virtual Desktop).

Updates for version 10.3.0


Date published: May 27, 2021
In this release, we've made some significant updates to the shared underlying code that powers the Remote
Desktop experience across all our clients. We've also added some new features and addressed bugs and crashes
that were showing up in error reporting.
You can now drag IME candidate window in the client.
Integrated Kerberos support in the CredSSP security protocol sequence.
Added support for HTTP proxies in Azure Virtual Desktop and on-prem scenarios.
Made updates to improve interoperability with current and upcoming features in the Azure Virtual Desktop
service.

Updates for version 10.2.5


Date published: 03/29/2021
It's time for a small update to address some reported bugs. In this version, we made the following updates:
Fixed NETBIOS name resolution on iOS 14.
Updated the app to proactively request local network access to enable connections to PCs around you.
Fixed an issue where an RD Gateway connection would fail with a 0x3000064 error code.
Fixed a bug where workspace discovery and download would fail if the port number was included in HTTP
GET requests.
Added examples of PC host names to the PC Name page in the Add/Edit PC UX.
Addressed some VoiceOver accessibility issues.

Updates for version 10.2.4


Date published: 02/01/2021
In this release, we've made the following changes to the connection bar and in-session user experience:
You can now collapse the connection bar by moving it into one of the four corners of the screen.
On iPads and large iPhones you can dock the connection bar to the left or right edge of the screen.
You can now see the zoom slider panel by pressing and holding the connection bar magnification button. The
new zoom slider controls the magnification level of the session in both touch and mouse pointer mode.
We also addressed some accessibility bugs and the following two issues:
The client now validates the PC name in the Add/Edit PC UI to make sure the name doesn't contain illegal
characters.
Addressed an issue where the UI would stop resolving a workspace name during subscription.

Updates for version 10.2.3


Date published: 12/15/2020
In this release, we've fixed issues that caused crashes and interfered with the "Display Zoom View" setting. We've
also tweaked the "Use Full Display" setting to only appear on applicable iPads and adjusted the available
resolutions for iPhones and iPads.

Updates for version 10.2.2


Date published: 11/23/2020
In this release, we've addressed some bugs affecting users running iOS 14 and iPadOS 14.

Updates for version 10.2.1


Date published: 11/11/2020
It's time for a quick update. In this version, we made the following fixes:
Added support for newly released iPhone and iPad devices.
Addressed an issue where the client would return a 0x30000066 error when connecting using an RD
Gateway server.

Updates for version 10.2.0


Date published: 11/06/2020
In this version, we addressed some compatibility issues with iOS and iPadOS 14. In addition, we made the
following fixes and feature updates:
Addressed crashes on iOS and iPadOS 14 that happened when entering input on keyboard.
Added the Cmd+S and Cmd+N shortcuts to access the "Add Workspace" and "Add PC" processes,
respectively.
Added the Cmd+F shortcut to invoke Search UI in the Connection Center.
Added the "Expand All" and "Collapse All" commands to the Workspaces tab.
Resolved a bug that caused a 0xD06 protocol error to happen while running Outlook as a remote app.
The on-screen keyboard will now disappear when you scroll through search results in the Connection Center.
Updated the animation used when hovering over workspace icons with a mouse or trackpad pointer on
iPadOS 14.

Updates for version 10.1.4


Date published: 11/06/2020
We've put together some bug fixes and small feature updates for this 10.1.4 release. Here's what's new:
Addressed an issue where the client would report a 0x5000007 error message when trying to connect to an
RD Gateway server.
User account passwords updated in the credential UI are now saved after successfully signing in.
Addressed an issue where range and multi-select with the mouse or trackpad (Shift+click and Ctrl+click)
didn't work consistently.
Addressed a bug where apps displayed in the in-session switcher UI were out of sync with the remote
session.
Made some cosmetic changes to the layout of Connection Center workspace headers.
Improved visibility of the on-screen keyboard buttons for dark backdrops.
Fixed a localization bug in the disconnect dialog.

Updates for version 10.1.3


Date published: 11/06/2020
We've put together some bug fixes and feature updates for the 10.1.3 release. Here's what's new:
The input mode (Mouse Pointer or Touch mode) is now global across all active PC and remote app
connections.
Fixed an issue that prevented microphone redirection from working consistently.
Fixed a bug that caused audio output to play from the iPhone earpiece instead of the internal speaker.
The client now supports automatically switching audio output between the iPhone or iPad internal speakers,
bluetooth speakers, and Airpods.
Audio now continues to play in the background when switching away from the client or locking the device.
The input mode automatically switches to Touch mode when using a SwiftPoint mouse on iPhones or iPads
(not running iPadOS, version 13.4 or later).
Addressed graphics output issues that occurred when the server was configured to use AVC444 full screen
mode.
Fixed some VoiceOver bugs.
Panning around a zoomed in session works when using an external mouse or trackpad now works
differently. To pan in a zoomed-in session with an external mouse or trackpad, select the pan knob, then drag
your mouse cursor away while still holding the mouse button. To pan around in Touch mode, press on the
pan knob, then move your finger. The session will stick to your finger and follow it around. In Mouse Pointer
mode, push the virtual mouse cursor against the sides of the screen.

Updates for version 10.1.2


Date published 8/17/2020
In this update, we've addressed issues that were reported in the version 10.1.1 update.
Fixed a crash that occurred for some users when subscribing to a Azure Virtual Desktop feed using non-
brokered authentication.
Fixed the layout of workspace icons on the iPhone X, iPhone XS, and iPhone 11 Pro.

Updates for version 10.1.1


Date published: 11/06/2020
Here’s what we've included in this release:
Fixed a bug that prevented typing in Korean.
Added support for F1 through F12, Home, End, PgUp and PgDn keys on hardware keyboards.
Resolved a bug that made it difficult to move the mouse cursor to the top of the screen in letterboxed mode
on iPadOS devices.
Addressed an issue where pressing backspace after space deleted two characters.
Fixed a bug that caused the iPadOS mouse cursor to appear on top of the Remote Desktop client mouse
cursor in "Tap to Click" mode.
Resolved an issue that prevented connections to some RD Gateway servers (error code 0x30000064).
Fixed a bug that caused the mouse cursor to be shown in the in-session switcher UI on iOS devices when
using a SwiftPoint mouse.
Resized the RD client mouse cursor to be consistent with the current client scale factor.
The client now checks for network connectivity before launching a workspace resource or PC connection.
Hitting the remapped Escape button or Cmd+. now cancels out of any credential prompt.
We've added some animations and polish that appear when you move the mouse cursor around on iPads
running iPadOS 13.4 or later.

Updates for version 10.1.0


Date published: 11/06/2020
Here's what's new for this version:
If you're using iPadOS 13.4 or later, can now control the remote session with a mouse or trackpad.
The client now supports the following Apple Magic Mouse 2 and Apple Magic Trackpad 2 gestures: left-click,
left-drag, right-click, right-drag, horizontal and vertical scrolling, and local zooming.
For external mice, the client now supports left-click, left-drag, right-click, right-drag, middle-click, and vertical
scrolling.
The client now supports keyboard shortcuts that use Ctrl, Alt, or Shift keys with the mouse or trackpad,
including multi-select and range-select.
The client now supports the "Tap-to-Click" feature for the trackpad.
We've updated the Mouse Pointer mode's right-click gesture to press-and-hold (not press-and-hold-and-
release). On the iPhone client we've thrown in some taptic feedback when we detect the right-click gesture.
Added an option to disable NLA enforcement under iOS Settings > RD Client .
Mapped Control+Shift+Escape to Ctrl+Shift+Esc, where Escape is generated using a remapped key on
iPadOS or Command+.
Mapped Command+F to Ctrl+F.
Fixed an issue where the SwiftPoint middle mouse button didn't work in iPadOS version 13.3.1 or earlier and
iOS.
Fixed some bugs that prevented the client from recognizing the "rdp:" URI.
Addressed an issue where the in-session Immersive Switcher UI showed outdated app entries if a disconnect
was server-initiated.
The client now supports the Azure Resource Manager-integrated version of Azure Virtual Desktop.

Updates for version 10.0.7


Date published: 4/29/2020
In this update we've added the ability to sort the PC list view (available on iPhone) by name or time last
connected.

Updates for version 10.0.6


Date published: 3/31/2020
It's time for a quick update with some bug fixes. Here’s what's new for this release:
Fixed a number of VoiceOver accessibility issues.
Fixed an issue where users couldn't connect with Turkish credentials.
Sessions displayed in the switcher UI are now ordered by when they were launched.
Selecting the Back button in the Connection Center now takes you back to the last active session.
Swiftpoint mice are now released when switching away from the client to another app.
Improved interoperability with the Azure Virtual Desktop service.
Fixed crashes that were showing up in error reporting.
We appreciate all the comments sent to us through the App Store, in-app feedback, and email. In addition,
special thanks to everyone who worked with us to diagnose issues.

Updates for version 10.0.5


Date published: 03/09/20
We've put together some bug fixes and feature updates for this 10.0.5 release. Here's what's new:
Launched RDP files are now automatically imported (look for the toggle in General settings).
You can now launch iCloud-based RDP files that haven't been downloaded in the Files app yet.
The remote session can now extend underneath the Home indicator on iPhones (look for the toggle in
Display settings).
Added support for typing composite characters with multiple keystrokes, such as é.
Added support for the iPad on-screen floating keyboard.
Added support for adjusting properties of redirected cameras from a remote session.
Fixed a bug in the gesture recognizer that caused the client to become unresponsive when connected to a
remote session.
You can now enter App Switching mode with a single swipe up (except when you're in Touch mode with the
session extended into the Home indicator area).
The Home indicator will now automatically hide when connected to a remote session, and will reappear
when you tap the screen.
Added a keyboard shortcut to get to app settings in the Connection Center (Command + ,).
Added a keyboard shortcut to refresh all workspaces in the Connection Center (Command + R ).
Hooked up the system keyboard shortcut for Escape when connected to a remote session (Command + .).
Fixed scenarios where the Windows on-screen keyboard in the remote session was too small.
Implemented auto-keyboard focus throughout the Connection Center to make data entry more seamless.
Pressing Enter at a credential prompt now results in the prompt being dismissed and the current flow
resuming.
Fixed a scenario where the client would crash when pressing Shift + Option + Left, Up, or Down arrow key.
Fixed a crash that occurred when removing a SwiftPoint device.
Fixed other crashes reported to us by users since the last release.
We'd like to thank everyone who reported bugs and worked with us to diagnose issues.

Updates for version 10.0.4


Date published: 02/03/20
It's time for another update! We want to thank everyone who reported bugs and worked with us to diagnose
issues. Here's what's new in this version:
Confirmation UI is now shown when deleting user accounts and gateways.
The search UI in the Connection Center has been slightly reworked.
The username hint, if it exists, is now shown in the credential prompt UI when launching from an RDP file or
URI.
Fixed an issue where the extended on-screen keyboard would extend underneath the iPhone notch.
Fixed a bug where external keyboards would stop working after being disconnected and reconnected.
Added support for the Esc key on external keyboards.
Fixed a bug where English characters appeared when entering Chinese characters.
Fixed a bug where some Chinese input would remain in the remote session after deletion.
Fixed other crashes reported to us by users since the last release.
We appreciate all your comments sent to us through the App Store, in-app feedback, and email. We'll continue
focusing on making this app better with each release.

Updates for version 10.0.3


Date published: 01/16/20
It's 2020 and time for our first release of the year, which means new features and bug fixes. Here's what is
included in this update:
Support for launching connections from RDP files and RDP URIs.
Workspace headers are now collapsible.
Zooming and panning at the same time is now supported in Mouse Pointer mode.
A press-and-hold gesture in Mouse Pointer mode will now trigger a right-click in the remote session.
Removed force-touch gesture for right-click in Mouse Pointer mode.
The in-session switcher screen now supports disconnecting, even if no apps are connected.
Light dismiss is now supported in the in-session switcher screen.
PCs and apps are no longer automatically reordered in the in-session switcher screen.
Enlarged the hit test area for the PC thumbnail view ellipses menu.
The Input Devices settings page now contains a link to supported devices.
Fixed a bug that caused the Bluetooth permissions UI to repeatedly appear at launch for some users.
Fixed other crashes reported to us by users since the last release.

Updates for version 10.0.2


Date published: 12/20/19
We've been working hard to fix bugs and add useful features. Here's what's new in this release:
Support for Japanese and Chinese input on hardware keyboards.
The PC list view now shows the friendly name of the associated user account, if one exists.
The permissions UI in the first-run experience is now rendered correctly in Light mode.
Fixed a crash that happened whenever someone pressed the Option and Up or Down arrow keys at the same
time on a hardware keyboard.
Updated the on-screen keyboard layout used in the password prompt UI to make finding the Backslash key
easier.
Fixed other crashes reported to us by users since the last release.

Updates for version 10.0.1


Date published: 12/15/19
Here's what new in this release:
Support for the Azure Virtual Desktop service.
Updated Connection Center UI.
Updated in-session UI.

Updates for version 10.0.0


Date published: 12/13/19
It's been well over a year since we last updated the Remote Desktop Client for iOS. However, we're back with an
exciting new update, and there will be many more updates to come on a regular basis from here on out. Here's
what's new in version 10.0.0:
Support for the Azure Virtual Desktop service.
A new Connection Center UI.
A new in-session UI that can switch between connected PCs and apps.
New layout for the auxiliary on-screen keyboard.
Improved external keyboard support.
SwiftPoint Bluetooth mouse support.
Microphone redirection support.
Local storage redirection support.
Camera redirection support (only available for Windows 10, version 1809 or later).
Support for new iPhone and iPad devices.
Dark and light theme support.
Control whether your phone can lock when connected to a remote PC or app.
You can now collapse the in-session connection bar by pressing and holding the Remote Desktop logo
button.

Updates for version 8.1.42


Date published: 06/20/2018
Bug fixes and performance improvements.

Updates for version 8.1.41


Date published: 03/28/2018
Updates to address CredSSP encryption oracle remediation described in CVE-2018-0886.
Get started with the macOS client
7/29/2021 • 7 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows 10, Windows 8.1, Windows Server 2012
R2, Windows Server 2016

You can use the Remote Desktop client for Mac to work with Windows apps, resources, and desktops from your
Mac computer. Use the following information to get started - and check out the FAQ if you have questions.

NOTE
Curious about the new releases for the macOS client? Check out What's new for Remote Desktop on Mac?
The Mac client runs on computers running macOS 10.10 and newer.
The information in this article applies primarily to the full version of the Mac client - the version available in the Mac
AppStore. Test-drive new features by downloading our preview app here: beta client release notes.

Get the Remote Desktop client


Follow these steps to get started with Remote Desktop on your Mac:
1. Download the Microsoft Remote Desktop client from the Mac App Store.
2. Set up your PC to accept remote connections. (If you skip this step, you can't connect to your PC.)
3. Add a Remote Desktop connection or a remote resource. You use a connection to connect directly to a
Windows PC and a remote resource to use a RemoteApp program, session-based desktop, or a virtual
desktop published on-premises using RemoteApp and Desktop Connections. This feature is typically
available in corporate environments.

What about the Mac beta client?


We're testing new features on our preview channel on AppCenter. Want to check it out? Go to Microsoft Remote
Desktop for Mac and select Download . You don't need to create an account or sign into AppCenter to download
the beta client.
If you already have the client, you can check for updates to ensure you have the latest version. In the beta client,
select Microsoft Remote Desktop Beta at the top, and then select Check for updates .

Add a workspace
Subscribe to the feed your admin gave you to get the list of managed resources available to you on your macOS
device.
To subscribe to a feed:
1. Select Add feed on the main page to connect to the service and retrieve your resources.
2. Enter the feed URL. This can be a URL or email address:
If you're accessing resources from Azure Virtual Desktop or Windows 365, you can use one of the
following URLs:
For Azure Virtual Desktop (classic), use
https://rdweb.wvd.microsoft.com/api/feeddiscovery/webfeeddiscovery.aspx .
For Azure Virtual Desktop, use https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery .
If you're using Windows 365, use: https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery .
To use email, enter your email address. This tells the client to search for a URL associated with your
email address if your admin configured the server that way.
3. Select Subscribe .
4. Sign in with your user account when prompted.
After you've signed in, you should see a list of available resources.
Once you've subscribed to a feed, the feed's content will update automatically on a regular basis. Resources may
be added, changed, or removed based on changes made by your administrator.
Export and import connections
You can export a remote desktop connection definition and use it on a different device. Remote desktops are
saved in separate RDP files.
To export an RDP file:
1. In the Connection Center, right-click the remote desktop.
2. Select Expor t .
3. Browse to the location where you want to save the remote desktop RDP file.
4. Select OK .
To import an RDP file:
1. In the menu bar, select File > Impor t .
2. Browse to the RDP file.
3. Select Open .

Add a remote resource


Remote resources are RemoteApp programs, session-based desktops, and virtual desktops published using
RemoteApp and Desktop Connections.
The URL displays the link to the RD Web Access server that gives you access to RemoteApp and Desktop
Connections.
The configured RemoteApp and Desktop Connections are listed.
To add a remote resource:
1. In the Connection Center select + , and then select Add Remote Resources .
2. Enter information for the remote resource:
Feed URL - The URL of the RD Web Access server. You can also enter your corporate email account in
this field – this tells the client to search for the RD Web Access Server associated with your email
address.
User name - The user name to use for the RD Web Access server you are connecting to.
Password - The password to use for the RD Web Access server you are connecting to.
3. Select Save .
The remote resources will be displayed in the Connection Center.

Connect to an RD Gateway to access internal assets


A Remote Desktop Gateway (RD Gateway) lets you connect to a remote computer on a corporate network from
anywhere on the Internet. You can create and manage your gateways in the preferences of the app or while
setting up a new desktop connection.
To set up a new gateway in preferences:
1. In the Connection Center, select Preferences > Gateways .
2. Select the + button at the bottom of the table Enter the following information:
Ser ver name – The name of the computer you want to use as a gateway. This can be a Windows
computer name, an Internet domain name, or an IP address. You can also add port information to the
server name (for example: RDGateway:443 or 10.0.0.1:443 ).
User name - The user name and password to be used for the Remote Desktop gateway you are
connecting to. You can also select Use connection credentials to use the same user name and
password as those used for the remote desktop connection.

Manage your user accounts


When you connect to a desktop or remote resources, you can save the user accounts to select from again. You
can manage your user accounts by using the Remote Desktop client.
To create a new user account:
1. In the Connection Center, select Settings > Accounts .
2. Select Add User Account .
3. Enter the following information:
User Name - The name of the user to save for use with a remote connection. You can enter the user
name in any of the following formats: user_name, domain\user_name, or [email protected].
Password - The password for the user you specified. Every user account that you want to save to use
for remote connections needs to have a password associated with it.
Friendly Name - If you are using the same user account with different passwords, set a friendly
name to distinguish those user accounts.
4. Select Save , then select Settings .

Customize your display resolution


You can specify the display resolution for the remote desktop session.
1. In the Connection Center, select Preferences .
2. Select Resolution .
3. Select + .
4. Enter a resolution height and width, and then select OK.
To delete the resolution, select it, and then select - .

Displays have separate spaces


If you're running macOS X 10.9 and have disabled Displays have separate spaces in Mavericks (System
Preferences > Mission Control ), you need to configure this setting in the Remote Desktop client using the
same option.
Drive redirection for remote resources
Drive redirection is supported for remote resources, so that you can save files created with a remote application
locally to your Mac. The redirected folder is always your home directory displayed as a network drive in the
remote session.
NOTE
In order to use this feature, the administrator needs to set the appropriate settings on the server.

Use a keyboard in a remote session


Mac keyboard layouts differ from the Windows keyboard layouts.
The Command key on the Mac keyboard equals the Windows key.
To perform actions that use the Command button on the Mac, you will need to use the control button in
Windows (for example Copy = Ctrl+C).
The function keys can be activated in the session by pressing additionally the FN key (for example, FN+F1).
The Alt key to the right of the space bar on the Mac keyboard equals the Alt Gr/right Alt key in Windows.
By default, the remote session will use the same keyboard locale as the OS you're running the client on. (If your
Mac is running an en-us OS, that will be used for the remote sessions as well.) If the OS keyboard locale is not
used, check the keyboard setting on the remote PC and change it manually. See the Remote Desktop Client FAQ
for more information about keyboards and locales.

Support for Remote Desktop gateway pluggable authentication and


authorization
Windows Server 2012 R2 introduced support for a new authentication method, Remote Desktop Gateway
pluggable authentication and authorization, which provides more flexibility for custom authentication routines.
You can now try this authentication model with the Mac client.

IMPORTANT
Custom authentication and authorization models before Windows 8.1 aren't supported, although the article above
discusses them.

To learn more about this feature, check out https://aka.ms/paa-sample.

TIP
Questions and comments are always welcome. However, please do NOT post a request for troubleshooting help by using
the comment feature at the end of this article. Instead, go to the Remote Desktop client forum and start a new thread.
Have a feature suggestion? Tell us in the client user voice forum.
What's new in the macOS client
7/19/2021 • 22 minutes to read • Edit Online

We regularly update the Remote Desktop client for macOS, adding new features and fixing issues. Here's where
you'll find the latest updates.
If you encounter any issues, you can always contact us by navigating to Help > Repor t an Issue .

Updates for version 10.6.7


Date published: Jun 21, 2021
In this release, we addressed three connectivity errors that users reported to us:
Worked around a 0x907 (mismatched certificate) error code that was caused by third-party infrastructure
returning an incorrect certificate in redirection scenarios.
Fixed the root cause of a 0x207 (handshake failure) error code that appeared when users accidentally tried to
connect with an incorrect password to a pre-Windows 8 server with Network Level Authentication (NLA)
enabled.
Resolved a 0x1107 (invalid workstation) error code that appeared when Active Directory workstation logon
restrictions were set.
We also updated the default icon for published desktops and worked around an issue that caused smart card
redirection to stop working with recently patched versions of Windows.
Finally, we made some updates to improve compatibility and performance metrics when connecting to Azure
Virtual Desktop (formerly known as Windows Virtual Desktop).

Updates for version 10.6.6


Date published: May 4, 2021
In this release, we enabled connections to Windows Server 2003 servers that have Transport Layer Security
(TLS) enabled for Remote Desktop connections. We also addressed a 0x3000066 error message that appeared
in gateway scenarios, and aligned TLS version usage with the Windows Remote Desktop client.

Updates for version 10.6.5


Date published: 04/29/2021
In this release, we fixed an issue that made the client return a 0x907 error code when connecting to a server
endpoint with a certificate that had a Remote Desktop Authentication EKU property of 1.3.6.1.4.1.311.54.1.2. We
also updated the client to address a 0x2407 error code that prevented the client from authorizing users for
remote access.

Updates for version 10.6.4


Date published: 04/22/2021
In this release, we fixed an issue that caused the client to return a 0x907 error code when processing a server
authentication certificate with a validity lifetime of over 825 days.
Updates for version 10.6.3
Date published: 04/20/2021
In this release, we fixed an issue that caused the client to return a 0x507 error code.
In addition, we enabled the following features on Apple Silicon:
Support for the AVC420 codec
Smart card redirection (requires macOS 11.2 or later)

Updates for version 10.6.2


Date published: 04/19/2021
In this release, we removed a double prompt for credentials that occurred in some scenarios when users tried to
connect with an RD Gateway.

Updates for version 10.6.1


Date published: 04/20/2021
In this update, we fixed an issue that caused the client to stop responding when connecting to an RD gateway.

Updates for version 10.6.0


Date published: 04/20/2021
In this release we've made some significant updates to the shared underlying code that powers the Remote
Desktop experience across all our clients. We've also added some new features and addressed bugs and crashes
that were showing up in error reports.
Added native support for Apple Silicon.
Added client-side IME support when using Unicode keyboard mode.
Integrated Kerberos support in the CredSSP security protocol sequence.
Addressed macOS 11 compatibility issues.
Made updates to improve interoperability with current and upcoming features in the Azure Virtual Desktop
service.
Fixed issues that caused mis-paints when decoding AVC data generated by a server-side hardware encoder.
Addressed an issue that made remote Office app windows invisible even though they appeared in the app
switcher.

IMPORTANT
As of this update, the macOS client requires macOS version 10.14 or later to run.

Updates for version 10.5.2


Date published: 02/15/2021
In this release, we've refreshed the application icon and made the following changes:
Added HTTP proxy support for RD Gateway connections.
Fixed an issue where an RD Gateway connection would disconnect and a message with error code
0x3000064 would appear.
Addressed a bug where workspace discovery and download wouldn't work if you included the port number
in HTTP GET requests.
This release is the last release that will be compatible with macOS version 10.13. If you're interested in trying out
the latest pre-release builds of the macOS client, you can install beta updates from the Microsoft Remote
Desktop Beta.

Updates for version 10.5.1


Date published: 1/29/2021
It's time for our first release of the year! In this version, we made the following changes:
Addressed an issue where the UI would stop resolving a workspace name during subscription.
Fixed an in-session bug where graphics updates would stall while the client continued to send input.
Resolved reliability issues identified through crash reporting.

Updates for version 10.5.0


Date published: 12/02/2020
It's time for another update. Thanks to everyone who reported bugs and worked with us to diagnose and fix
issues. In this version, we made the following changes:
You can now edit the display, device, and folder redirection settings of published PC connections.
Remote app windows now shrink to the dock when minimized.
Added a Connection Information dialog that displays the current bandwidth and round-trip time.
Added support for RD Gateway consent and admin messages.
Fixed an issue where an RDP file specifying a gatewayusagemethod value of 0 or 4 was incorrectly imported.
The Edit Workspace sheet now shows the exact time at which the workspace was last updated.
Removed trace spew that was output when using the --script parameter.
Addressed an issue where the client would return a 0x30000066 error when connecting using an RD
Gateway server.
Fixed an issue that caused the client to repeatedly prompt users for credentials if Extended Protection for
Authentication was set on the server.
Addressed reliability issues that users identified through crash reporting.
Addressed keyboard and VoiceOver-related accessibility bugs.

Updates for version 10.4.1


Date published: 11/06/2020
We've put together some bug fixes and small feature updates for this 10.4.1 release. Here's what's new:
Addressed several reliability issues identified through crash reporting.
Addressed keyboard and VoiceOver-related accessibility bugs.
Fixed an issue where the client would hang on reconnect when resuming from sleep.
Fixed an audio artifact heard when playing back the first chunk of a redirected audio stream.
Addressed an issue where the client would report a 0x5000007 error message when connecting using an RD
Gateway server.
Corrected the aspect ratio of PC thumbnails displayed in the Connection Center.
Improved smart card redirection heuristics to better handle nested transactions.
Fixed a bug that prevented bookmark export if the bookmark's display name contained the "/" character.
Resolved a bug that caused a 0xD06 protocol error when running Outlook as a remote app.
Added support for a new integer RDP file property (ForceHiDpiOptimizations) to enable Retina display
optimization.

Updates for version 10.4.0


Date published: 8/20/20
In this release, we've made substantial updates to the underlying code that powers the Remote Desktop
experience across all our clients. We've also added some new features and addressed bugs and crashes that
were showing up in error reporting. Here are some changes you may notice:
PC Quick Connect (Cmd+K) allows you to connect to a PC without creating a bookmark.
Auto-reconnect now recovers from transient network glitches for PC connections.
When resuming a suspended MacBook, you can use auto-reconnect to reconnect to any disconnected PC
connections.
Added support for HTTP proxies when subscribing and connecting to Azure Virtual Desktop resources.
Implemented support for HTTP proxy automatic configuration with PAC files.
Integrated support for NETBIOS name resolution so you can connect to PCs on your local network more
easily.
Fixed an issue where the system menu bar wouldn't respond while the app was in focus.
Fixed a client-side race condition that could cause decryption errors on the server.
Made improvements to monitor layout and geometry heuristics for multimon scenarios involving Retina-
class monitors.
Multimon layout configurations are now maintained across session redirection scenarios.
Addressed an issue that prevented the menu bar from dropping in multimon scenarios.
User account UI that interacts with the macOS keychain will now surface keychain access errors.
Hitting cancel during workspace subscription will now result in nothing being added to the Connection
Center.
Added key mappings for Cmd+Z and Cmd+F to map to Ctrl+Z and Ctrl+F respectively.
Fixed a bug that caused remote apps to open behind the Connection Center when launched.
Worked around an issue in macOS 10.15 where AAC audio playback caused the client to stall.
Shift+left-click now works in Unicode mode.
Fixed a bug where using the Shift key triggered the Sticky Keys alert in Unicode mode.
Added a check for network availability before connection initiation.
Addressed pulsing of PC thumbnails that sometimes happened during the connection sequence.
Fixed a bug where the password field in the Add/Edit User Account sheet become multiline.
The "Collapse All" option is now greyed out if all workspaces are collapsed.
The "Expand All" option is now greyed out if all workspaces are expanded.
The first-run permissions UI is no longer shown on High Sierra.
Fixed an issue where users were unable to connect to Azure Virtual Desktop endpoints using saved
credentials in the DOMAIN\USERNAME format.
The username field in the credential prompt is now always prepopulated for Azure Virtual Desktop
connections.
Fixed a bug that clipped the Edit, Delete, and Refresh buttons for workspaces if the Connection Center wasn't
wide enough.
The "email or workspace URL" field in the Add Workspace sheet is no longer case-sensitive.
Fixed accessibility issues that impacted VoiceOver and keyboard navigation scenarios.
Lots of updates to improve interoperability with current and upcoming features in the Azure Virtual Desktop
service.
You can now configure the AVC support level advertised by the client from a terminal prompt. Here are the
support levels you can configure:
Don't advertise AVC support to the server:
defaults write com.microsoft.rdc.macos AvcSupportLevel disabled
Advertise AVC420 support to the server:
defaults write com.microsoft.rdc.macos AvcSupportLevel avc420
Advertise support for AVC444 support to the server:
defaults write com.microsoft.rdc.macos AvcSupportLevel avc444

Thanks again to everyone who reported bugs and took the time to help us diagnose problems!

Updates for version 10.3.9


Date published: 4/6/20
In this release, we've made some changes to improve interoperability with the Azure Virtual Desktop service. In
addition, we've included the following updates:
Control+Option+Delete now triggers the Ctrl+Alt+Del sequence (previously required pressing the Fn key).
Fixed the keyboard mode notification color scheme for Light mode.
Addressed scenarios where connections initiated using the GatewayAccessToken RDP file property didn't
work.

NOTE
This is the last release that will be compatible with macOS 10.12.

Updates for version 10.3.8


Date published: 2/12/20
It's time for our first release of 2020!
With this update, you can switch between Scancode (Ctrl+Command+K) and Unicode (Ctrl+Command+U)
modes when entering keyboard input. Unicode mode allows extended characters to be typed using the Option
key on a Mac keyboard. For example, on a US Mac keyboard, Option+2 will enter the trademark (™) symbol.
You can also enter accented characters in Unicode mode. For example, on a US Mac keyboard, entering
Option+E and the "A" key at the same time will enter the character "á" on your remote session.
Other updates in this release include:
Cleaned up the workspace refresh experience and UI.
Addressed a smart card redirection issue that caused the remote session to stop responding at the sign-in
screen when the "Checking Status" message appeared.
Reduced time to create temporary files used for clipboard-based file copy and paste.
Temporary files used for clipboard file copy and paste are now deleted automatically when you exit the app,
instead of relying on macOS to delete them.
PC bookmark actions are now rendered at the top-right corner of thumbnails.
Made fixes to address issues reported through crash telemetry.

Updates for version 10.3.7


Date published: 1/6/20
In our final update of the year, we fine-tuned some code and fixed the following behaviors:
Copying things from the remote session to a network share or USB drive no longer creates empty files.
Specifying an empty password in a user account no longer causes a double certificate prompt.

Updates for version 10.3.6


Date published: 1/6/20
In this release, we addressed an issue that created zero-length files whenever you copied a folder from the
remote session to the local machine using file copy and paste.

Updates for version 10.3.5


Date published: 1/6/20
We made this update with the help of everyone who reported issues. In this version, we've made the following
changes:
Redirected folders can now be marked as read-only to prevent their contents from being changed in the
remote session.
We addressed a 0x607 error that appeared when connecting using RPC over HTTPS RD Gateway scenarios.
Fixed cases where users were double-prompted for credentials.
Fixed cases where users received the certificate warning prompt twice.
Added heuristics to improve trackpad-based scrolling.
The client no longer shows the "Saved Desktops" group if there are no user-created groups.
Updated UI for the tiles in PC view.
Fixes to address crashes sent to us via application telemetry.

NOTE
In this release, we now accept feedback for the Mac client only through UserVoice.

Updates for version 10.3.4


Date published: 11/18/19
We've been hard at work listening to your feedback and have put together a collection of bug fixes and feature
updates.
When connecting via an RD Gateway with multifactor authentication, the gateway connection will be held
open to avoid multiple MFA prompts.
All the client UI is now fully keyboard-accessible with Voiceover support.
Files copied to the clipboard in the remote session are now only transferred when pasting to the local
computer.
URLs copied to the clipboard in the remote session now paste correctly to the local computer.
Scale factor remoting to support Retina displays is now available for multimonitor scenarios.
Addressed a compatibility issue with FreeRDP-based RD servers that was causing connectivity issues in
redirection scenarios.
Addressed smart card redirection compatibility with future releases of Windows 10.
Addressed an issue specific to macOS 10.15 where the incorrect available space was reported for redirected
folders.
Published PC connections are represented with a new icon in the Workspaces tab.
"Feeds" are now called "Workspaces," and "Desktops" are now called "PCs."
Fixed inconsistencies and bugs in user account handling in the preferences UI.
Lots of bug fixes to make things run smoother and more reliably.

Updates for version 10.3.3


Date published: 11/18/19
We've put together a feature update and fixed bugs for the 10.3.3 release.
First, we've added user defaults to disable smart card, clipboard, microphone, camera, and folder redirection:
ClientSettings.DisableSmartcardRedirection
ClientSettings.DisableClipboardRedirection
ClientSettings.DisableMicrophoneRedirection
ClientSettings.DisableCameraRedirection
ClientSettings.DisableFolderRedirection
Next, the bug fixes:
Resolved an issue that was causing programmatic session window resizes to not be detected.
Fixed an issue where the session window contents appeared small when connecting in windowed mode
(with dynamic display enabled).
Addressed initial flicker that occurred when connecting to a session in windowed mode with dynamic display
enabled.
Fixed graphics mispaints that occurred when connected to Windows 7 after toggling fit-to-window with
dynamic display enabled.
Fixed a bug that caused an incorrect device name to be sent to the remote session (breaking licensing in
some third-party apps).
Resolved an issue where remote app windows would occupy an entire monitor when maximized.
Addressed an issue where the access permissions UI appeared underneath local windows.
Cleaned up some shutdown code to ensure the client closes more reliably.

Updates for version 10.3.2


Date published: 11/18/19
In this release, we fixed a bug that made the display low resolution while connecting to a session

Updates for version 10.3.1


Date published: 11/18/19
We've put together some fixes to address regressions that managed to sneak into the 10.3.0 release.
Addressed connectivity issues with RD Gateway servers that were using 4096-bit asymmetric keys.
Fixed a bug that caused the client to randomly stop responding when downloading feed resources.
Fixed a bug that caused the client to crash while opening.
Fixed a bug that caused the client to crash while importing connections from Remote Desktop, version 8.

Updates for version 10.3.0


Date published: 8/27/19
It's been a few weeks since we last updated, but we've been hard at work during that time. Version 10.3.0 brings
some new features and lots of under-the-hood fixes.
Camera redirection is now possible when connecting to Windows 10 1809, Windows Server 2019 and later.
On Mojave and Catalina we've added a new dialog that requests your permission to use the microphone and
camera for device redirection.
The feed subscription flow has been rewritten to be simpler and faster.
Clipboard redirection now includes the Rich Text Format (RTF).
When entering your password, can now choose to reveal it by selecting the "Show password" checkbox.
Addressed scenarios where the session window was jumping between monitors.
The Connection Center displays high-resolution remote app icons (when available).
Cmd+A maps to Ctrl+A when Mac clipboard shortcuts are being used.
Cmd+R now refreshes all of your subscribed feeds.
Added new secondary click options to expand or collapse all groups or feeds in the Connection Center.
Added a new secondary click option to change the icon size in the Feeds tab of the Connection Center.
A new, simplified, and clean app icon.

Updates for version 10.2.13


Date published: 5/8/2019
Fixed a hang that occurred when connecting via an RD Gateway.
Added a privacy notice to the "Add Feed" dialog.

Updates for version 10.2.12


Date published: 4/16/2019
Resolved random disconnects (with error code 0x904) that took place when connecting via an RD Gateway.
Fixed a bug that caused the resolutions list in application preferences to be empty after installation.
Fixed a bug that caused the client to crash if certain resolutions were added to the resolutions list.
Addressed an ADAL authentication prompt loop when connecting to Azure Virtual Desktop deployments.

Updates for version 10.2.10


Date published: 3/30/2019
In this release, we addressed instability caused by the recent macOS 10.14.4 update. We also fixed mispaints
that appeared when decoding AVC codec data encoded by a server using NVIDIA hardware.

Updates for version 10.2.9


Date published: 3/6/2019
In this release, we fixed an RD gateway connectivity issue that can occur when server redirection takes place.
We also addressed an RD gateway regression caused by the 10.2.8 update.

Updates for version 10.2.8


Date published: 3/1/2019
Resolved connectivity issues that surfaced when using an RD Gateway.
Fixed incorrect certificate warnings that were displayed when connecting.
Addressed some cases where the menu bar and dock would needlessly hide when launching remote apps.
Reworked the clipboard redirection code to address crashes and hangs that have been plaguing some users.
Fixed a bug that caused the Connection Center to needlessly scroll when launching a connection.

Updates for version 10.2.7


Date published: 2/6/2019
In this release, we addressed graphics mispaints (caused by a server encoding bug) that appeared when using
AVC444 mode.

Updates for version 10.2.6


Date published: 1/28/2019
Added support for the AVC (420 and 444) codec, available when connecting to current versions of Windows
10.
In Fit to Window mode, a window refresh now occurs immediately after a resize to ensure that content is
rendered at the correct interpolation level.
Fixed a layout bug that caused feed headers to overlap for some users.
Cleaned up the Application Preferences UI.
Polished the Add/Edit Desktop UI.
Made lots of fit and finish adjustments to the Connection Center tile and list views for desktops and feeds.

NOTE
There is a bug in macOS 10.14.0 and 10.14.1 that can cause the ".com.microsoft.rdc.application-
data_SUPPORT/_EXTERNAL_DATA" folder (nested deep inside the ~/Library folder) to consume a large amount of disk
space. To resolve this issue, delete the folder content and upgrade to macOS 10.14.2. Note that a side-effect of deleting
the folder contents is that snapshot images assigned to bookmarks will be deleted. These images will be regenerated
when reconnecting to the remote PC.

Updates for version 10.2.4


Date published: 12/18/2018
Added dark mode support for macOS Mojave 10.14.
An option to import from Microsoft Remote Desktop 8 now appears in the Connection Center if it is empty.
Addressed folder redirection compatibility with some third-party enterprise applications.
Resolved issues where users were getting a 0x30000069 Remote Desktop Gateway error due to security
protocol fallback issues.
Fixed progressive rendering issues some users were experiencing with fit to window mode.
Fixed a bug that prevented file copy and paste from copying the latest version of a file.
Improved mouse-based scrolling for small scroll deltas.

Updates for version 10.2.3


Date published: 11/06/2018
Added support for the "remoteapplicationcmdline" RDP file setting for remote app scenarios.
The title of the session window now includes the name of the RDP file (and server name) when launched
from an RDP file.
Fixed reported RD gateway performance issues.
Fixed reported RD gateway crashes.
Fixed issues where the connection would hang when connecting through an RD gateway.
Better handling of full-screen remote apps by intelligently hiding the menu bar and dock.
Fixed scenarios where remote apps remained hidden after being launched.
Addressed slow rendering updates when using "Fit to Window" with hardware acceleration disabled.
Handled database creation errors caused by incorrect permissions when the client starts up.
Fixed an issue where the client was consistently crashing at launch and not starting for some users.
Fixed a scenario where connections were incorrectly imported as full-screen from Remote Desktop 8.

Updates for version 10.2.2


Date published: 10/09/2018
A brand new Connection Center that supports drag and drop, manual arrangement of desktops, resizable
columns in list view mode, column-based sorting, and simpler group management.
The Connection Center now remembers the last active pivot (Desktops or Feeds) when closing the app.
The credential prompting UI and flows have been overhauled.
RD Gateway feedback is now part of the connecting status UI.
Settings import from the version 8 client has been improved.
RDP files pointing to RemoteApp endpoints can now be imported into the Connection Center.
Retina display optimizations for single monitor Remote Desktop scenarios.
Support for specifying the graphics interpolation level (which affects blurriness) when not using Retina
optimizations.
256-color support to enable connectivity to Windows 2000.
Fixed clipping of the right and bottom edges of the screen when connecting to Windows 7, Windows Server
2008 R2 and earlier.
Copying a local file into Outlook (running in a remote session) now adds the file as an attachment.
Fixed an issue that was slowing down pasteboard-based file transfers if the files originated from a network
share.
Addressed a bug that was causing to Excel (running in a remote session) to hang when saving to a file on a
redirected folder.
Fixed an issue that was causing no free space to be reported for redirected folders.
Fixed a bug that caused thumbnails to consume too much disk storage on macOS 10.14.
Added support for enforcing RD Gateway device redirection policies.
Fixed an issue that prevented session windows from closing when disconnecting from a connection using RD
Gateway.
If Network Level Authentication (NLA) is not enforced by the server, you will now be routed to the sign-in
screen if your password has expired.
Fixed performance issues that surfaced when lots of data was being transferred over the network.
Smart card redirection fixes.
Support for all possible values of the "EnableCredSspSupport" and "Authentication Level" RDP file settings if
the ClientSettings.EnforceCredSSPSupport user default key (in the com.microsoft.rdc.macos domain) is set to
0.
Support for the "Prompt for Credentials on Client" RDP file setting when NLA is not negotiated.
Support for smart card-based sign in using smart card redirection at the Winlogon prompt when NLA is not
negotiated.
Fixed an issue that prevented downloading feed resources that have spaces in the URL.
Updates for version 10.2.1
Date published: 08/06/2018
Enabled connectivity to Azure Active Directory (Azure AD) joined PCs. To connect to an Azure AD joined PC,
your username must be in one of the following formats: "AzureAD\user" or "AzureAD\user@domain".
Addressed some bugs affecting the usage of smart cards in a remote session.

Updates for version 10.2.0


Date published: 07/24/2018
Incorporated updates for GDPR compliance.
MicrosoftAccount\username@domain is now accepted as a valid username.
Clipboard sharing has been rewritten to be faster and support more formats.
Copy and pasting text, images, or files between sessions now bypasses the local machine's clipboard.
You can now connect via an RD Gateway server with an untrusted certificate (if you accept the warning
prompts).
Metal hardware acceleration is now used (where supported) to speed up rendering and optimize battery
usage.
When using Metal hardware acceleration, we try to work some magic to make the session graphics appear
sharper.
Got rid of some instances where windows would hang around after being closed.
Fixed bugs that were preventing the launch of RemoteApp programs in some scenarios.
Fixed an RD Gateway channel synchronization error that was resulting in 0x204 errors.
The mouse cursor shape now updates correctly when moving out of a session or RemoteApp window.
Fixed a folder redirection bug that was causing data loss when copy and pasting folders.
Fixed a folder redirection issue that caused incorrect reporting of folder sizes.
Fixed a regression that was preventing logging into an Azure AD-joined machine using a local account.
Fixed bugs that were causing the session window contents to be clipped.
Added support for RD endpoint certificates that contain elliptic-curve asymmetric keys.
Fixed a bug that was preventing the download of managed resources in some scenarios.
Addressed a clipping issue with the pinned connection center.
Fixed the checkboxes in the Display tab of the Add a Desktop window to work better together.
Aspect ratio locking is now disabled when dynamic display change is in effect.
Addressed compatibility issues with F5 infrastructure.
Updated handling of blank passwords to ensure the correct messages are shown at connect-time.
Fixed mouse scrolling compatibility issues with MapInfra Pro.
Fixed some alignment issues in the Connection Center when running on Mojave.

Updates for version 10.1.8


Date published: 05/04/2018
Added support for changing the remote resolution by resizing the session window!
Fixed scenarios where remote resource feed download would take an excessively long time.
Resolved the 0x207 error that could occur when connecting to servers not patched with the CredSSP
encryption oracle remediation update (CVE-2018-0886).

Updates for version 10.1.7


Date published: 04/05/2018
Made security fixes to incorporate CredSSP encryption oracle remediation updates as described in CVE-
2018-0886.
Improved RemoteApp icon and mouse cursor rendering to address reported mispaints.
Addressed issues where RemoteApp windows appeared behind the Connection Center.
Fixed a problem that occurred when you edit local resources after importing from Remote Desktop 8.
You can now start a connection by pressing ENTER on a desktop tile.
When you're in full screen view, Cmd+M now correctly maps to WIN+M.
The Connection Center, Preferences, and About windows now respond to Cmd+M.
You can now start discovering feeds by pressing ENTER on the **Adding Remote Resources*- page.
Fixed an issue where a new remote resources feed showed up empty in the Connection Center until after you
refreshed.

Updates for version 10.1.6


Date published: 03/26/2018
Fixed an issue where RemoteApp windows would reorder themselves.
Resolved a bug that caused some RemoteApp windows to get stuck behind their parent window.
Addressed a mouse pointer offset issue that affected some RemoteApp programs.
Fixed an issue where starting a new connection gave focus to an existing session, instead of opening a new
session window.
We fixed an error with an error message - you'll see the correct message now if we can't find your gateway.
The Quit shortcut (⌘ + Q) is now consistently shown in the UI.
Improved the image quality when stretching in "fit to window" mode.
Fixed a regression that caused multiple instances of the home folder to show up in the remote session.
Updated the default icon for desktop tiles.
Get started with the web client
4/22/2021 • 4 minutes to read • Edit Online

The Remote Desktop web client lets you use a compatible web browser to access your organization's remote
resources (apps and desktops) published to you by your admin. You'll be able to interact with the remote apps
and desktops like you would with a local PC no matter where you are, without having to switch to a different
desktop PC. Once your admin sets up your remote resources, all you need are your domain, user name,
password, the URL your admin sent you, and a supported web browser, and you're good to go.

NOTE
Curious about the new releases for the web client? Check out What's new for Remote Desktop web client?

What you'll need to use the web client


For the web client, you'll need a PC running Windows, macOS, ChromeOS, or Linux. Mobile devices are not
supported at this time.
A modern browser like Microsoft Edge, Internet Explorer 11, Google Chrome, Safari, or Mozilla Firefox (v55.0
and later).
The URL your admin sent you.

NOTE
The Internet Explorer version of the web client does not have audio at this time. Safari may display a gray screen if the
browser is resized or enters fullscreen multiple times.

Start using the Remote Desktop client


To sign in to the client, go to the URL your admin sent you. At the sign in page, enter your domain and user
name in the format DOMAIN\username , enter your password, and then select Sign in .

NOTE
By signing in to the web client, you agree that your PC complies with your organization's security policy.

After you sign in, the client will take you to the All Resources tab, which contains all items published to you
under one or more collapsible groups, such as the "Work Resources" group. You'll see several icons representing
the apps, desktops, or folders containing more apps or desktops that the admin has made available to the work
group. You can come back to this tab at any time to launch additional resources.
To start using an app or desktop, select the item you want to use, enter the same user name and password you
used to sign in to the web client if prompted, and then select Submit . You might also be shown a consent dialog
to access local resources, like clipboard and printer. You can choose to not redirect either of these, or select
Allow to use the default settings. Wait for the web client to establish the connection, and then start using the
resource as you would normally.
When you're finished, you can end your session by either selecting the Sign Out button in the toolbar at the top
of your screen or closing the browser window.
Web client keyboard shortcuts
The following table describes alternate key combinations to inject standard Windows shortcut keys in the
remote session.

SH O RTC UT K EY DESC RIP T IO N

(Windows) Ctrl+Alt+End Inject Ctrl+Alt+Del in the remote session.


(MacOS) fn+control+option+delete

Alt+F3 Injects Windows key in the remote session.

Printing from the Remote Desktop web client


Follow these steps to print from the web client:
1. Start the printing process as you would normally for the app you want to print from.
2. When prompted to choose a printer, select Remote Desktop Vir tual Printer .
3. After choosing your preferences, select Print .
4. Your browser will generate a PDF file of your print job.
5. You can choose to either open the PDF and print its contents to your local printer or save it to your PC for
later use.

Transfer files with the web client


To learn how to enable web client file transfer, check out Configure device redirections.
Follow these steps to transfer files from your local computer to the remote session:
1. Connect to the remote session.
2. Select the file upload icon in the web client menu.
3. When prompted, select the files you want to upload using the local file explorer.
4. Open the file explorer in your remote session. Your files will be uploaded to Remote Desktop Vir tual
Drive > Uploads .
To download files from the remote session to your local computer:
1. Connect to the remote session.
2. Open the file explorer in your remote session.
3. Copy the files you want to download to Remote Desktop Vir tual Drive > Downloads .
4. Your files will be downloaded to your local default downloads folder.

Copy and paste from the Remote Desktop web client


The web client currently supports copying and pasting text only. Files can't be copied or pasted to and from the
web client. Additionally, you can only use Ctrl+C and Ctrl+V to copy and paste text.

Use an Input Method Editor (IME) in the remote session


The web client supports using an Input Method Editor (IME) in the remote session in version 1.0.21.16 or later.
Before you can use the IME, you must install the language pack for the keyboard you want to use in the remote
session on the host virtual machine. To learn more about setting up language packs in the remote session, check
out Add language packs to a Windows 10 multi-session image.
To enable IME input using the web client:
1. Before you connect to the remote session, go to the web client Settings panel.
2. Toggle the Enable Input Method Editor setting to On .
3. In the drop-down menu, select the keyboard you want to use in the remote session.
4. Connect to the remote session.
The web client will suppress the local IME window when you are focused on the remote session. If you change
the IME settings after you've already connected to the remote session, the setting changes won't have any effect.
The web client doesn't support IME input while using a private browsing window.

NOTE
If the language pack isn't installed on the host virtual machine, the remote session will default to the English (United
States) keyboard.

Get help with the web client


If you've encountered an issue that can't be solved by the information in this article, you can get help with the
web client by raising feedback on the web client's Feedback page.
What's new in the web client
7/26/2021 • 4 minutes to read • Edit Online

We regularly update the Remote Desktop web client, adding new features and fixing issues. Here's where you'll
find the latest updates.

NOTE
We've changed the versioning system for the web client. Starting with version 1.0.18.0, all web client release versions will
contain numbers (in the format of "W.X.Y.Z"). Release numbers for the Remote Desktop web client will always end with a 0
(for example, W.X.Y.0). Each Azure Virtual Desktop web client release will change the last digit until the next Remote
Desktop web client release (for example, 1.0.18.1).

Updates for version 1.0.25.0


Date published: 7/22/2021
Client now has web assembly on supported browsers.
Added file transfer support.
Bug fixes.

Updates for 1.0.24.0


Date published: 1/6/2021

IMPORTANT
Version 1.0.24.0 includes an important security fix. We have removed earlier versions of the web client containing this
bug.

Added support for redirecting local microphone input to the remote session.
Fixed issues with AltGr and several other keyboard bugs.
Accessibility improvements.

Updates for 1.0.22.0


Date published: 9/2/2020

IMPORTANT
In version 1.0.22.0, we introduced a regression that impacts some Chromebook operating systems. Users on impacted
operating systems won't be able to connect to a remote session using the web client. We're currently investigating this
issue and will release a new version of the web client as soon as we fix this regression.

Users can now move the minimized menu.


Improved support for 4K and ultra-wide monitors and fixed an issue where copying large amounts of data
caused sessions to crash.
Improved support for using an Input Method Editor in the remote session. To learn more about using an
Input Method Editor with the web client, check out Connect to Azure Virtual Desktop with the web client.
Changed the All Resources page UI.
Fixed several connection sequence failures where web client returned a General Protocol Error.
Fixed keyboard input issues where specific key sequences were not handled appropriately.
Accessibility improvements.

Updates for version 1.0.21.0


Date published: 11/15/2019
Added support for using an Input Method Editor (IME) in the remote session to input complex characters.
Fixed a regression where users could not copy and paste into the remote session on macOS devices.
Fixed a regression where local Windows Key was sent to the remote session on Firefox.
Added link to RDWeb password change when enabled by your administrator.

Updates for version 1.0.20.0


Date published: 10/18/2019
Added support for connections to Windows 7 and Windows Server 2008 R2 hosts.
Fixed an issue where certain app icons were shown as transparent tiles.
Fixed connection issues for Internet Explorer browser on Windows 7.
Fixed unexpected disconnects that happened when the browser was resized.
Accessibility improvements.
Updated third-party libraries.

Updates for version 1.0.18.0


Date published: 5/14/2019
Added Resource Launch Method configuration in the Settings tab, enabling users to either open resources in
the browser or download an .rdp file to handle with another client. This setting may be configured by your
admin. Details regarding admin configurations for this feature can be found in the web client setup
documentation.
Fixed color rendering issues, enabling more vivid colors in your remote session.
Revised error messages related to remote resource feed errors.
Added support for more office shortcuts, such as paste special (Ctrl+Alt+V).
Added keyboard shortcut for users to invoke the Windows Key in the remote session (Alt+F3)
Updated error message for users attempting to authenticate using an expired password.
Refreshed feed UI on the All Resources page.
Resolved overlapping dialogues that occurred during session reconnect.
Fixed remote resource icon sizing in the resource taskbar.

Updates for version 1.0.11


Date published: 2/22/2019
Enabled connection to RD Broker without an RD Gateway in Windows Server 2019.
Sorted feeds alphabetically (i.e., RemoteApps first, Desktops second).
Fixed multiple accessibility bugs improving screen reader compatibility.
Updated our build tools.
Various bug fixes.
Updates for version 1.0.7
Date published: 1/24/2019
Offline use on internal networks is now supported.
Improved rendering on non-Microsoft Edge browsers.
Implemented limit for feed retrieval retry attempts to prevent DoS.
Fixed accessibility bugs, enabling users with visual disabilities to use the web client.
Improved error messages displayed to the user for feed errors.
Added Ctrl + Alt + End (Windows) and fn + control + option + delete (Mac) shortcuts to invoke Ctrl + Alt +
Del in remote machine.
Improved telemetry for crash events.
Improved our build pipeline and build tools.
Various bug fixes.

Updates for version 1.0.1


Date published: 10/29/2018
Added an option to Capture suppor t information on the About page to diagnose issues.
InPrivate mode is now supported.
Improved support for non-English keyboards.
Fixed an issue where tooltips with non-English characters showed incorrectly.
Fixed graphics rendering issue which affected Chrome users.
Updated time zone redirection with full DST support.
Improved the error message for out-of-memory error.
Various bug fixes.

Updates for version 1.0.0


Date published: 07/16/2018
Remote Desktop web client is now generally available.
Admins can globally turn off telemetry for the web client.
Various bug fixes.

Updates for version 0.9.0


Date published: 07/05/2018
New sign in experience within the web client.
No longer prompted for credentials when launching a desktop or app connection (Single sign on).
Moved the web client to a new URL: https://server_FQDN/RDWeb/webclient/index.html
Added time zone redirection.
Various bug fixes.

Updates for version 0.8.1


Date published: 05/17/2018
Updates to address CredSSP encryption oracle remediation described in CVE-2018-0886.
Fixed connection failures for some languages when printing is enabled.
Improved error message when a gateway is not part of the deployment.
Help and Feedback options were added.

Updates for version 0.8.0


Date published: 03/28/2018
Initial public preview release of the web client.
Copy/paste text through the clipboard with CTRL+C and CTRL+V .
Print to a PDF file.
Localized in 18 languages.
Remote Desktop client - supported configuration
11/2/2020 • 2 minutes to read • Edit Online

Supported PCs
You can connect to PCs that are running the following Windows operating systems:
Windows 10 Pro
Windows 10 Enterprise
Windows 8 Enterprise
Windows 8 Professional
Windows 7 Professional
Windows 7 Enterprise
Windows 7 Ultimate
Windows 7 Ultimate
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Multipoint Server 2011
Windows Multipoint Server 2012
Windows Small Business Server 2008
Windows Small Business Server 2011
The following computers can run the Remote Desktop gateway:
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Small Business Server 2011
The following operating systems can serve as RD Web Access or RemoteApp servers:
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016

Unsupported Windows Versions and Editions


The Remote Desktop client will not connect to these Windows Versions and Editions:
Windows 7 Starter
Windows 7 Home
Windows 8 Home
Windows 8.1 Home
Windows 10 Home
If you want to access computers that have one of these Windows versions installed, we recommend you
upgrade to a Windows version that supports RDP.

RD Gateway messaging is not supported


Remote Desktop Client does not support RD Gateway messaging. Verify that the Remote Desktop Resource
Access Policy (RD RAP) for your RD Gateway server does not specify Only allow computers with suppor t
for RD Gateway Messaging or you will not be able to connect.
Remote Desktop - Allow access to your PC
7/29/2021 • 3 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows 10, Windows 8.1, Windows Server 2019, Windows Server
2016, Windows Server 2012 R2

You can use Remote Desktop to connect to and control your PC from a remote device by using a Microsoft
Remote Desktop client (available for Windows, iOS, macOS and Android). When you allow remote connections
to your PC, you can use another device to connect to your PC and have access to all of your apps, files, and
network resources as if you were sitting at your desk.

NOTE
You can use Remote Desktop to connect to Windows 10 Pro and Enterprise, Windows 8.1 and 8 Enterprise and Pro,
Windows 7 Professional, Enterprise, and Ultimate, and Windows Server versions newer than Windows Server 2008. You
can't connect to computers running a Home edition (like Windows 10 Home).

To connect to a remote PC, that computer must be turned on, it must have a network connection, Remote
Desktop must be enabled, you must have network access to the remote computer (this could be through the
Internet), and you must have permission to connect. For permission to connect, you must be on the list of users.
Before you start a connection, it's a good idea to look up the name of the computer you're connecting to and to
make sure Remote Desktop connections are allowed through its firewall.

How to enable Remote Desktop


The simplest way to allow access to your PC from a remote device is using the Remote Desktop options under
Settings. Since this functionality was added in the Windows 10 Fall Creators update (1709), a separate
downloadable app is also available that provides similar functionality for earlier versions of Windows. You can
also use the legacy way of enabling Remote Desktop, however this method provides less functionality and
validation.
Windows 10 Fall Creator Update (1709) or later
You can configure your PC for remote access with a few easy steps.
1. On the device you want to connect to, select Star t and then click the Settings icon on the left.
2. Select the System group followed by the Remote Desktop item.
3. Use the slider to enable Remote Desktop.
4. It is also recommended to keep the PC awake and discoverable to facilitate connections. Click Show
settings to enable.
5. As needed, add users who can connect remotely by clicking Select users that can remotely access this
PC .
a. Members of the Administrators group automatically have access.
6. Make note of the name of this PC under How to connect to this PC . You'll need this to configure the
clients.
Windows 7 and early version of Windows 10
To configure your PC for remote access, download and run the Microsoft Remote Desktop Assistant. This
assistant updates your system settings to enable remote access, ensures your computer is awake for
connections, and checks that your firewall allows Remote Desktop connections.
All versions of Windows (Legacy method)
To enable Remote Desktop using the legacy system properties, follow the instructions to Connect to another
computer using Remote Desktop Connection.

Should I enable Remote Desktop?


If you only want to access your PC when you are physically using it, you don't need to enable Remote Desktop.
Enabling Remote Desktop opens a port on your PC that is visible to your local network. You should only enable
Remote Desktop in trusted networks, such as your home. You also don't want to enable Remote Desktop on any
PC where access is tightly controlled.
Be aware that when you enable access to Remote Desktop, you are granting anyone in the Administrators
group, as well as any additional users you select, the ability to remotely access their accounts on the computer.
You should ensure that every account that has access to your PC is configured with a strong password.

Why allow connections only with Network Level Authentication?


If you want to restrict who can access your PC, choose to allow access only with Network Level Authentication
(NLA). When you enable this option, users have to authenticate themselves to the network before they can
connect to your PC. Allowing connections only from computers running Remote Desktop with NLA is a more
secure authentication method that can help protect your computer from malicious users and software. To learn
more about NLA and Remote Desktop, check out Configure NLA for RDS Connections.
If you're remotely connecting to a PC on your home network from outside of that network, don't select this
option.
Remote Desktop - Allow access to your PC from
outside your PC's network
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server 2019, Windows 10, Windows Server 2016

When you connect to your PC by using a Remote Desktop client, you're creating a peer-to-peer connection. This
means you need direct access to the PC (sometimes called "the host"). If you need to connect to your PC from
outside of the network your PC is running on, you need to enable that access. You have a couple of options: use
port forwarding or set up a VPN.

Enable port forwarding on your router


Port forwarding simply maps the port on your router's IP address (your public IP) to the port and IP address of
the PC you want to access.
Specific steps for enabling port forwarding depend on the router you're using, so you'll need to search online
for your router's instructions. For a general discussion of the steps, check out wikiHow to Set Up Port
Forwarding on a Router.
Before you map the port you'll need the following:
PC internal IP address: Look in Settings > Network & Internet > Status > View your network
proper ties . Find the network configuration with an "Operational" status and then get the IPv4 address .

Your public IP address (the router's IP). There are many ways to find this - you can search (in Bing or
Google) for "my IP" or view the Wi-Fi network properties (for Windows 10).
Port number being mapped. In most cases this is 3389 - that's the default port used by Remote Desktop
connections.
Admin access to your router.

WARNING
You're opening your PC up to the internet, which is not recommended. If you must, make sure you have a strong
password set for your PC. It is preferable to use a VPN.

After you map the port, you'll be able to connect to your host PC from outside the local network by connecting
to the public IP address of your router (the second bullet above).
The router's IP address can change - your internet service provider (ISP) can assign you a new IP at any time. To
avoid running into this issue, consider using Dynamic DNS - this lets you connect to the PC using an easy to
remember domain name, instead of the IP address. Your router automatically updates the DDNS service with
your new IP address, should it change.
With most routers you can define which source IP or source network can use port mapping. So, if you know
you're only going to connect from work, you can add the IP address for your work network - that lets you avoid
opening the port to the entire public internet. If the host you're using to connect uses dynamic IP address, set the
source restriction to allow access from the whole range of that particular ISP.
You might also consider setting up a static IP address on your PC so the internal IP address doesn't change. If
you do that, then the router's port forwarding will always point to the correct IP address.

Use a VPN
If you connect to your local area network by using a virtual private network (VPN), you don't have to open your
PC to the public internet. Instead, when you connect to the VPN, your RD client acts like it's part of the same
network and be able to access your PC. There are a number of VPN services available - you can find and use
whichever works best for you.
Change the listening port for Remote Desktop on
your computer
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows
Server 2016, Windows Server 2012 R2, Windows Server 2008 R2

When you connect to a computer (either a Windows client or Windows Server) through the Remote Desktop
client, the Remote Desktop feature on your computer "hears" the connection request through a defined listening
port (3389 by default). You can change that listening port on Windows computers by modifying the registry.
1. Start the registry editor. (Type regedit in the Search box.)
2. Navigate to the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Ser ver\WinStations\RDP-
Tcp
3. Find Por tNumber
4. Click Edit > Modify , and then click Decimal .
5. Type the new port number, and then click OK .
6. Close the registry editor, and restart your computer.
The next time you connect to this computer by using the Remote Desktop connection, you must type the new
port. If you're using a firewall, make sure to configure your firewall to permit connections to the new port
number.
You can check the current port by running the following PowerShell command:

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name


"PortNumber"

For example:

PortNumber : 3389
PSPath :
Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
Server\WinStations\RDP-Tcp
PSParentPath :
Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
Server\WinStations
PSChildName : RDP-Tcp
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry

You can also change the RDP port by running the following PowerShell command. In this command, we'll
specify the new RDP port as 3390 .
To add a new RDP Port to the registry:
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name
"PortNumber" -Value 3390
New-NetFirewallRule -DisplayName 'RDPPORTLatest' -Profile 'Public' -Direction Inbound -Action Allow -
Protocol TCP -LocalPort 3390
Deploy the RD Gateway role
7/2/2021 • 2 minutes to read • Edit Online

This article will tell you how to use the Remote Desktop Gateway (RD Gateway) role to deploy Remote Desktop
Gateway servers in your Azure Virtual Desktop or Remote Desktop environment. You can install the server roles
on physical machines or virtual machines depending on whether you are creating an on-premises, cloud-based,
or hybrid environment.

Install the RD Gateway role


1. Sign into the target server with administrative credentials.
2. In Ser ver Manager , select Manage , then select Add Roles and Features . The Add Roles and
Features installer will open.
3. In Before You Begin , select Next .
4. In Select Installation Type , select Role-Based or feature-based installation , then select Next .
5. For Select destination ser ver , select Select a ser ver from the ser ver pool . For Ser ver Pool , select
the name of your local computer. When you're done, select Next .
6. In Select Ser ver Roles > Roles , select Remote Desktop Ser vices . When you're done, select Next .
7. In Remote Desktop Ser vices , select Next.
8. For Select role ser vices , select only Remote Desktop Gateway When you're prompted to add
required features, select Add Features . When you're done, select Next .
9. For Network Policy and Access Ser vices , select Next .
10. For Web Ser ver Role (IIS) , select Next .
11. For Select role ser vices , select Next .
12. For Confirm installation selections , select Install . Don't close the installer while the installation
process is happening.

Configure the RD Gateway role


Once the RD Gateway role is installed, you'll need to configure it.
To configure the RD Gateway role:
1. Open the Ser ver Manager , then select Remote Desktop Ser vices .
2. Go to Ser vers , right-click the name of your server, then select RD Gateway Manager .
3. In the RD Gateway Manager, right-click the name of your gateway, then select Proper ties .
4. Open the SSL Cer tificate tab, select the Impor t a cer tificate into the RD Gateway bubble, then
select Browse and Impor t Cer tificate… .
5. Select the name of your PFX file, then select Open .
6. Enter the password for the PFX file when prompted.
7. After you've imported the certificate and its private key, the display should show the certificate’s key
attributes.

NOTE
Because the RD Gateway role is supposed to be public, we recommend you use a publicly issued certificate. If you use a
privately issued certificate, you'll need to make sure to configure all clients with the certificate's trust chain beforehand.

Next steps
If you want to add high availability to your RD Gateway role, see Add high availability to the RD Web and
Gateway web front.
Compare the clients: features
7/2/2021 • 2 minutes to read • Edit Online

We're often asked how the different Remote Desktop clients compare to each other. The following table lists the
features currently available in each of our clients.

Client features
The following table compares the features of each client.

W IN DO W
W IN DO W S M IC RO SO DESC RIP T
F EAT URE S IN B O X DESK TO P F T STO RE A N DRO ID IO S MAC OS W EB IO N

Remote X X X X X X X Desktop
Desktop of a
sessions remote
computer
presented
in a full
screen or
windowe
d mode.

Integrate X X X Individual
d remote
RemoteA apps
pp integrate
sessions d into the
local
desktop
as if they
are
running
locally.

Immersiv X X X X Individual
e remote
RemoteA apps
pp presented
sessions in a
window
or
maximize
d to a full
screen.

Multiple 16 16 16 Lets the


monitors monitor monitor monitor user run
limit limit limit Remote
Desktop
or remote
apps on
all local
monitors.
W IN DO W
W IN DO W S M IC RO SO DESC RIP T
F EAT URE S IN B O X DESK TO P F T STO RE A N DRO ID IO S MAC OS W EB IO N

Dynamic X X X X X Resolutio
resolutio n and
n orientatio
n of local
monitors
is
dynamical
ly
reflected
in the
remote
session. If
the client
is running
in
windowe
d mode,
the
remote
desktop
is resized
dynamical
ly to the
size of
the client
window.

Smart X X X X Remote
sizing Desktop
in
Windowe
d mode is
dynamical
ly scaled
to the
window's
size.

Localizati X X X English X X X Client


on only user
interface
is
available
in
multiple
language
s.

Multi- X X X X X X Supports
factor multi-
authentic factor
ation authentic
ation for
remote
connectio
ns.
W IN DO W
W IN DO W S M IC RO SO DESC RIP T
F EAT URE S IN B O X DESK TO P F T STO RE A N DRO ID IO S MAC OS W EB IO N

Teams X Media
optimizati optimizati
on for ons for
Azure Microsoft
Virtual Teams to
Desktop provide
high
quality
calls and
screen
sharing
experienc
es. Learn
more at
Use
Microsoft
Teams on
Azure
Virtual
Desktop.

Other resources
If you're looking for information about device redirections, check out Compare the clients: redirections.
Compare the clients: redirections
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows 10, Windows 8.1, Windows Server 2019, Windows Server
2016, Windows Server 2012 R2

We're often asked how the different Remote Desktop clients compare to each other. Do they all do the same
thing? Here are the answers to those questions.

Redirection support
The following tables compare support for device and other redirections across the different clients. These tables
cover the redirections that you can access once in a remote session.
If you remote into your personal desktop, there are additional redirections that you can configure in the
Additional Settings for the session. If your remote desktop or apps are managed by your organization, your
admin can enable or disable redirections through Group Policy settings or RDP properties.
Input redirection
M IC RO SO F
W IN DO W S W IN DO W S T STO RE
REDIREC T I IN B O X DESK TO P C L IEN T W EB
ON ( M ST SC ) ( M SRDC ) ( URDC ) A N DRO ID IO S MAC OS C L IEN T

Keyboard X X X X X X X

Mouse X X X X X* X X

Touch X X X X X X (except
IE)

Pen X X X (as touch) X (as touch)

*View the list of supported input devices for the Remote Desktop iOS client.
Port redirection
M IC RO SO F
W IN DO W S W IN DO W S T STO RE
REDIREC T I IN B O X DESK TO P C L IEN T W EB
ON ( M ST SC ) ( M SRDC ) ( URDC ) A N DRO ID IO S MAC OS C L IEN T

Serial port X X

USB X X

When you enable USB port redirection, any USB devices attached to the USB port are automatically recognized
in the remote session.
Other redirection (devices, etc.)
M IC RO SO F
W IN DO W S W IN DO W S T STO RE
REDIREC T I IN B O X DESK TO P C L IEN T W EB
ON ( M ST SC ) ( M SRDC ) ( URDC ) A N DRO ID IO S MAC OS C L IEN T

Cameras X X X X

Clipboard X X X Text Text, X text


images

Local X X X X X
drive/stora
ge

Location X X

Microphon X X X X X X
es

Printers X X X (CUPS PDF print


only)

Scanners X X

Smart X X X (Windows
Cards logon not
supported)

Speakers X X X X X X X (except
IE)

*For printer redirection - the macOS app supports the Publisher Imagesetter printer driver by default. They do
not support redirecting native printer drivers.

Other resources
If you're looking for feature comparisons, check out Compare the clients: features.
Supported Remote Desktop RDP file settings
7/2/2021 • 10 minutes to read • Edit Online

The following table includes the list of supported RDP file settings that you can use with the Remote Desktop
clients. When configuring settings, check Client comparisons to see which redirections each client supports.
The table also highlights which settings are supported as custom properties with Azure Virtual Desktop. You can
refer to this documentation detailing how to use PowerShell to customize RDP properties for Azure Virtual
Desktop host pools.

Connection information
A Z URE VIRT UA L
RDP SET T IN G DESC RIP T IO N VA L UES DEFA ULT VA L UE DESK TO P SUP P O RT

full address:s:value PC Name: A valid name, IPv4 No


This setting specifies address, or IPv6
the name or IP address.
address of the
remote computer
that you want to
connect to.

This is the only


required setting in an
RDP file.

alternate full Specifies an alternate A valid name, IPv4 No


address:s:value name or IP address address, or IPv6
of the remote address.
computer.

username:s:value Specifies the name of Any valid username. No


the user account that
will be used to sign in
to the remote
computer.

domain:s:value Specifies the name of A valid domain name, No


the domain in which such as "CONTOSO".
the user account that
will be used to sign in
to the remote
computer is located.

gatewayhostname:s:v Specifies the RD A valid name, IPv4 No


alue Gateway host name. address, or IPv6
address.
A Z URE VIRT UA L
RDP SET T IN G DESC RIP T IO N VA L UES DEFA ULT VA L UE DESK TO P SUP P O RT

gatewaycredentialsso Specifies the RD - 0: Ask for password 0 No


urce:i:value Gateway (NTLM)
authentication - 1: Use smart card
method. - 2: Use the
credentials for the
currently logged on
user.
- 3: Prompt the user
for their credentials
and use basic
authentication
- 4: Allow user to
select later
- 5: Use cookie-
based authentication

gatewayprofileusage Specifies whether to - 0: Use the default 0 No


method:i:value use default RD profile mode, as
Gateway settings. specified by the
administrator
- 1: Use explicit
settings, as specified
by the user

gatewayusagemetho Specifies when to use - 0: Don't use an RD 0 No


d:i:value an RD Gateway for Gateway
the connection. - 1: Always use an
RD Gateway
- 2: Use an RD
Gateway if a direct
connection cannot be
made to the RD
Session Host
- 3: Use the default
RD Gateway settings
- 4: Don't use an RD
Gateway, bypass
gateway for local
addresses
Setting this property
value to 0 or 4 are
effectively equivalent,
but setting this
property to 4
enables the option to
bypass local
addresses.

promptcredentialonc Determines whether - 0: Remote session 1 No


e:i:value a user's credentials will not use the same
are saved and used credentials
for both the RD - 1: Remote session
Gateway and the will use the same
remote computer. credentials
A Z URE VIRT UA L
RDP SET T IN G DESC RIP T IO N VA L UES DEFA ULT VA L UE DESK TO P SUP P O RT

authentication Defines the server - 0: If server 3 No


level:i:value authentication level authentication fails,
settings. connect to the
computer without
warning (Connect
and don't warn me)
- 1: If server
authentication fails,
don't establish a
connection (Don't
connect)
- 2: If server
authentication fails,
show a warning and
allow me to connect
or refuse the
connection (Warn
me)
- 3: No
authentication
requirement
specified.

enablecredsspsuppor Determines whether - 0: RDP will not use 1 Yes


t:i:value the client will use the CredSSP, even if the
Credential Security operating system
Support Provider supports CredSSP
(CredSSP) for - 1: RDP will use
authentication if it is CredSSP if the
available. operating system
supports CredSSP

disableconnectionsha Determines whether - 0: Reconnect to any 0 No


ring:i:value the client reconnects existing session
to any existing - 1: Initiate new
disconnected session connection
or initiate a new
connection when a
new connection is
launched.

alternate shell:s:value Specifies a program Valid path to an Yes


to be started executable file, such
automatically in the as
remote session as "C:\ProgramFiles\Offi
the shell instead of ce\word.exe"
explorer.

Session behavior
A Z URE VIRT UA L
RDP SET T IN G DESC RIP T IO N VA L UES DEFA ULT VA L UE DESK TO P SUP P O RT
A Z URE VIRT UA L
RDP SET T IN G DESC RIP T IO N VA L UES DEFA ULT VA L UE DESK TO P SUP P O RT

autoreconnection Determines whether - 0: Client does not 1 Yes


enabled:i:value the client will automatically try to
automatically try to reconnect
reconnect to the - 1: Client
remote computer if automatically tries to
the connection is reconnect
dropped, such as
when there's a
network connectivity
interruption.

bandwidthautodetect Determines whether - 0: Disable 1 Yes


:i:value or not to use automatic network
automatic network type detection
bandwidth detection. - 1: Enable automatic
Requires network type
bandwidthautodetect detection
to be set to 1.

networkautodetect:i:v Determines whether - 0: Don't use 1 Yes


alue automatic network automatic network
type detection is bandwidth detection
enabled - 1: Use automatic
network bandwidth
detection

compression:i:value Determines whether - 0: Disable RDP bulk 1 Yes


bulk compression is compression
enabled when it is - 1: Enable RDP bulk
transmitted by RDP compression
to the local computer.

videoplaybackmode:i: Determines if the - 0: Don't use RDP 1 Yes


value connection will use efficient multimedia
RDP-efficient streaming for video
multimedia playback
streaming for video - 1: Use RDP-efficient
playback. multimedia
streaming for video
playback when
possible

Device redirection
A Z URE VIRT UA L
RDP SET T IN G DESC RIP T IO N VA L UES DEFA ULT VA L UE DESK TO P SUP P O RT

audiocapturemode:i:v Microphone - 0: Disable audio 0 Yes


alue redirection: capture from the
Indicates whether local device
audio input - 1: Enable audio
redirection is capture from the
enabled. local device and
redirection to an
audio application in
the remote session
A Z URE VIRT UA L
RDP SET T IN G DESC RIP T IO N VA L UES DEFA ULT VA L UE DESK TO P SUP P O RT

encode redirected Enables or disables - 0: Disable encoding 1 Yes


video capture:i:value encoding of of redirected video
redirected video. - 1: Enable encoding
of redirected video

redirected video Controls the quality - 0: High 0 Yes


capture encoding of encoded video. compression video.
quality:i:value Quality may suffer
when there is a lot of
motion.
- 1: Medium
compression.
- 2: Low compression
video with high
picture quality.

audiomode:i:value Audio output - 0: Play sounds on 0 Yes


location: the local computer
Determines whether (Play on this
the local or remote computer)
machine plays audio. - 1: Play sounds on
the remote computer
(Play on remote
computer)
- 2: Do not play
sounds (Do not play)

camerastoredirect:s:v Camera redirection: - * : Redirect all Don't redirect any Yes


alue Configures which cameras cameras
cameras to redirect. - List of cameras,
This setting uses a such as
semicolon-delimited camerastoredirect:s:\?
list of \usb#vid_0bda&pid_
KSCATEGORY_VIDEO 58b0&mi
_CAMERA interfaces - One can exclude a
of cameras enabled specific camera by
for redirection. prepending the
symbolic link string
with "-"

devicestoredirect:s:val Plug and play device - *: Redirect all Don't redirect any Yes
ue redirection: supported devices, devices
Determines which including ones that
devices on the local are connected later
computer will be - Valid hardware ID
redirected and for one or more
available in the devices
remote session. - DynamicDevices:
Redirect all
supported devices
that are connected
later
A Z URE VIRT UA L
RDP SET T IN G DESC RIP T IO N VA L UES DEFA ULT VA L UE DESK TO P SUP P O RT

drivestoredirect:s:valu Drive/storage - No value specified: Don't redirect any Yes


e redirection: don't redirect any drives
Determines which drives
disk drives on the - * : Redirect all disk
local computer will be drives, including
redirected and drives that are
available in the connected later
remote session. - DynamicDrives:
redirect any drives
that are connected
later
- The drive and labels
for one or more
drives, such as
"drivestoredirect:s:C:;
E:;": redirect the
specified drive(s)

keyboardhook:i:value Determines when - 0: Windows key 2 Yes


Windows key combinations are
combinations (WIN applied on the local
key, ALT+TAB) are computer
applied to the - 1: Windows key
remote session for combinations are
desktop connections. applied on the
remote computer
when in focus
- 2: Windows key
combinations are
applied on the
remote computer in
full screen mode only

redirectclipboard:i:val Clipboard redirection: - 0: Clipboard on 1 Yes


ue Determines whether local computer isn't
clipboard redirection available in remote
is enabled. session
- 1: Clipboard on
local computer is
available in remote
session

redirectcomports:i:val COM ports - 0: COM ports on 0 Yes


ue redirection: the local computer
Determines whether are not available in
COM (serial) ports the remote session
on the local - 1: COM ports on
computer will be the local computer
redirected and are available in the
available in the remote session
remote session.
A Z URE VIRT UA L
RDP SET T IN G DESC RIP T IO N VA L UES DEFA ULT VA L UE DESK TO P SUP P O RT

redirectprinters:i:valu Printer redirection: - 0: The printers on 1 Yes


e Determines whether the local computer
printers configured are not available in
on the local the remote session
computer will be - 1: The printers on
redirected and the local computer
available in the are available in the
remote session remote session

redirectsmartcards:i:v Smart card - 0: The smart card 1 Yes


alue redirection: device on the local
Determines whether computer is not
smart card devices available in the
on the local remote session
computer will be - 1: The smart card
redirected and device on the local
available in the computer is available
remote session. in the remote session

usbdevicestoredirect: USB redirection - *: Redirect all USB Don't redirect any Yes
s:value devices that are not USB devices
already redirected by
another high-level
redirection
- {Device Setup Class
GUID}: Redirect all
devices that are
members of the
specified device setup
class
- USBInstanceID:
Redirect a specific
USB device identified
by the instance ID

Display settings
A Z URE VIRT UA L
RDP SET T IN G DESC RIP T IO N VA L UES DEFA ULT VA L UE DESK TO P SUP P O RT

use multimon:i:value Determines whether - 0: Don't enable 1 Yes


the remote session multiple display
will use one or support
multiple displays - 1: Enable multiple
from the local display support
computer.
A Z URE VIRT UA L
RDP SET T IN G DESC RIP T IO N VA L UES DEFA ULT VA L UE DESK TO P SUP P O RT

selectedmonitors:s:va Specifies which local Comma separated All displays Yes


lue displays to use from list of machine-
the remote session. specific display IDs.
The selected displays IDs can be retrieved
must be contiguous. by calling mstsc.exe
Requires use /l. The first ID listed
multimon to be set will be set as the
to 1. primary display in
Only available on the the session.
Windows Inbox
(MSTSC) and
Windows Desktop
(MSRDC) clients.

maximizetocurrentdis Determines which - 0: Session goes full 0 Yes


plays:i:value display the remote screen on the
session goes full displays initially
screen on when selected when
maximizing. Requires maximizing
use multimon to be - 1: Session
set to 1. dynamically goes full
Only available on the screen on the
Windows Desktop displays touched by
(MSRDC) client. the session window
when maximizing

singlemoninwindowe Determines whether - 0: Session retains all 0 Yes


dmode:i:value a multi display displays when exiting
remote session full screen
automatically - 1: Session switches
switches to single to single display
display when exiting when exiting full
full screen. Requires screen
use multimon to be
set to 1.
Only available on the
Windows Desktop
(MSRDC) client.

screen mode Determines whether - 1: The remote 2 Yes


id:i:value the remote session session will appear in
window appears full a window
screen when you - 2: The remote
launch the session will appear
connection. full screen

smart sizing:i:value Determines whether - 0: The local window 0 Yes


or not the local content won't scale
computer scales the when resized
content of the - 1: The local window
remote session to fit content will scale
the window size. when resized
A Z URE VIRT UA L
RDP SET T IN G DESC RIP T IO N VA L UES DEFA ULT VA L UE DESK TO P SUP P O RT

dynamic Determines whether - 0: Session 1 Yes


resolution:i:value the resolution of the resolution remains
remote session is static for the
automatically duration of the
updated when the session
local window is - 1: Session
resized. resolution updates as
the local window
resizes

desktop size id:i:value Specifies the -0: 640×480 1 Yes


dimensions of the - 1: 800×600
remote session - 2: 1024×768
desktop from a set of - 3: 1280×1024
pre-defined options. - 4: 1600×1200
This setting is
overridden if
desktopheight and
desktopwidth are
specified.

desktopheight:i:value Specifies the Numerical value Match the local Yes


resolution height (in between 200 and computer
pixels) of the remote 8192
session.

desktopwidth:i:value Specifies the Numerical value Match the local Yes


resolution width (in between 200 and computer
pixels) of the remote 8192
session.

desktopscalefactor:i:v Specifies the scale Numerical value from 100 Yes


alue factor of the remote the following list:
session to make the 100, 125, 150, 175,
content appear 200, 250, 300, 400,
larger. 500

RemoteApp
A Z URE VIRT UA L
RDP SET T IN G DESC RIP T IO N VA L UES DEFA ULT VA L UE DESK TO P SUP P O RT

remoteapplicationcm Optional command- Valid command-line No


dline:s:value line parameters for parameters.
the RemoteApp.

remoteapplicationexp Determines whether - 0: Environment 1 No


andcmdline:i:value environment variables should be
variables contained in expanded to the
the RemoteApp values of the local
command-line computer
parameter should be - 1: Environment
expanded locally or variables should be
remotely. expanded to the
values of the remote
computer
A Z URE VIRT UA L
RDP SET T IN G DESC RIP T IO N VA L UES DEFA ULT VA L UE DESK TO P SUP P O RT

remoteapplicationexp Determines whether - 0: Environment 1 No


andworkingdir:i:value environment variables should be
variables contained in expanded to the
the RemoteApp values of the local
working directory computer
parameter should be - 1: Environment
expanded locally or variables should be
remotely. expanded to the
values of the remote
computer.
The RemoteApp
working directory is
specified through the
shell working
directory parameter.

remoteapplicationfile: Specifies a file to be Valid file path. No


s:value opened on the
remote computer by
the RemoteApp.
For local files to be
opened, you must
also enable drive
redirection for the
source drive.

remoteapplicationico Specifies the icon file Valid file path. No


n:s:value to be displayed in the
client UI while
launching a
RemoteApp. If no file
name is specified, the
client will use the
standard Remote
Desktop icon. Only
".ico" files are
supported.

remoteapplicationmo Determines whether - 0: Don't launch a 1 No


de:i:value a connection is RemoteApp session
launched as a - 1: Launch a
RemoteApp session. RemoteApp session

remoteapplicationna Specifies the name of App display name. No


me:s:value the RemoteApp in For example, "Excel
the client interface 2016."
while starting the
RemoteApp.

remoteapplicationpro Specifies the alias or Valid alias or name. No


gram:s:value executable name of For example, "EXCEL."
the RemoteApp.
Remote Desktop URI scheme
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows Server, version 1803, Windows Server 2019, Windows Server
2016, Windows Server 2012 R2

This document defines the format of Uniform Resource Identifiers (URIs) for Remote Desktop. These URI
schemes allow for Remote Desktop clients to be invoked with various commands.

ms-rd URI scheme


NOTE
The ms-rd URI scheme is currently only supported with the Windows Desktop client (MSRDC).

The ms-rd URI provides the option to specify a command for the client and a set of parameters specific to the
command using the following format:

ms-rd:command?parameters

Parameters uses the query string format of key=value pair separated by & to provide additional information for
the given command:

param1=value1&param2=value2&…

Commands and parameters


Here is the list of currently supported commands and their corresponding parameters.
Using ms-rd: without any commands launches the client.
Subscribe
This command launches the client and starts the subscription process.
Command name: subscribe
Command parameters:

PA RA M ET ER DESC RIP T IO N VA L UES

url Specifies the Workspace URL. A valid URL, such as


https://contoso.com.

Example: ms-rd:subscribe?url=https://contoso.com

Legacy rdp URI scheme


NOTE
The following URI scheme is only supported with the clients for macOS, iOS, and Android devices. It is being replaced by
the new ms-rd URI above.

Microsoft Remote Desktop uses the URI scheme rdp://query_string to store preconfigured attribute settings that
are used when launching the client. The query strings represent a single or set of RDP attributes provided in the
URL.
The RDP attributes are separated by the ampersand symbol (&). For example, when connecting to a PC, the
string is:

rdp://full%20address=s:mypc:3389&audiomode=i:2&disable%20themes=i:1

This table gives a complete list of supported attributes that may be used with the iOS, Mac, and Android Remote
Desktop clients. (An "x" in the platform column indicates the attribute is supported. The values denoted by
chevrons (<>) represent the values that are supported by the Remote Desktop clients.)

RDP AT T RIB UT E A N DRO ID MAC IO S

allow desktop x x x
composition=i:<0 or 1>

allow font smoothing=i:<0 x x x


or 1>

alternate shell=s:<string> x x x

audiomode=i:<0, 1, or 2> x x x

authentication level=i:<0 or x x x
1>

connect to console=i:<0 or x x x
1>

disable cursor settings=i:<0 x x x


or 1>

disable full window drag=i: x x x


<0 or 1>

disable menu anims=i:<0 or x x x


1>

disable themes=i:<0 or 1> x x x

disable wallpaper=i:<0 or x x x
1>

drivestoredirect=s:* (this is x x
the only supported value)
RDP AT T RIB UT E A N DRO ID MAC IO S

desktopheight=i:<value in x
pixels>

desktopwidth=i:<value in x
pixels>

domain=s:<string> x x x

full address=s:<string> x x x

gatewayhostname=s: x x x
<string>

gatewayusagemethod=i:<1 x x x
or 2>

prompt for credentials on x


client=i:<0 or 1>

loadbalanceinfo=s:<string> x x x

redirectprinters=i:<0 or 1> x

remoteapplicationcmdline= x x x
s:<string>

remoteapplicationmode=i: x x x
<0 or 1>

remoteapplicationprogram x x x
=s:<string>

shell working directory=s: x x x


<string>

Use redirection server x x x


name=i:<0 or 1>

username=s:<string> x x x

screen mode id=i:<1 or 2> x

session bpp=i:<8, 15, 16, x


24, or 32>

use multimon=i:<0 or 1> x


Privacy settings for managed apps and desktops
7/29/2021 • 2 minutes to read • Edit Online

Applies to: Windows Server 2022, Windows 10, Windows 7, Windows Server 2012 R2, Windows Server
2016, Windows Server 2019

When accessing managed resources (apps or desktops) provided by your IT administrator, the privacy settings
for the remote system have been preconfigured by your IT administrator. These settings may be different than
the privacy settings on your local system. If you have questions, contact your IT administrator.

NOTE
Using managed resources in regions other than the United States may result in data transfer to the United States.

These are some of the Windows 10 privacy settings you can configure in your managed desktop:
Speech recognition
Find my device
Inking & typing
Advertising ID
Location
Diagnostic data
Tailored experiences
You can always review the information collected and sent to Microsoft by accessing your Privacy Dashboard.

Learn more about privacy settings


If your IT administrator has provided you with a managed desktop, you can follow the instructions in the next
section to learn more about these settings and change any settings not locked by your IT Administrator.
How to change privacy settings in Windows 10 remote desktops
To change privacy settings in a Windows 10 remote desktop:
1. From the remote desktop, select the Windows button on the taskbar or press the Windows key on your
keyboard to open the Start menu.
2. Select the gear icon to open Settings.
3. Search for the names of the configurable privacy settings listed earlier in this topic to learn more about it.

NOTE
If your IT Administrator has configured the managed desktop to not retain user configuration settings between
connections, any changes you make to these settings won't be saved.
General Remote Desktop connection
troubleshooting
3/5/2021 • 8 minutes to read • Edit Online

Use these steps when a Remote Desktop client can't connect to a remote desktop but doesn't provide messages
or other symptoms that would help identify the cause.

Check the status of the RDP protocol


Check the status of the RDP protocol on a local computer
To check and change the status of the RDP protocol on a local computer, see How to enable Remote Desktop.

NOTE
If the remote desktop options are not available, see Check whether a Group Policy Object is blocking RDP.

Check the status of the RDP protocol on a remote computer

IMPORTANT
Follow this section's instructions carefully. Serious problems can occur if the registry is modified incorrectly. Before you
start modifying the registry, back up the registry so you can restore it in case something goes wrong.

To check and change the status of the RDP protocol on a remote computer, use a network registry connection:
1. First, go to the Star t menu, then select Run . In the text box that appears, enter regedt32 .
2. In the Registry Editor, select File , then select Connect Network Registr y .
3. In the Select Computer dialog box, enter the name of the remote computer, select Check Names , and then
select OK .
4. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Ser ver .

If the value of the fDenyTSConnections key is 0 , then RDP is enabled.


If the value of the fDenyTSConnections key is 1 , then RDP is disabled.
5. To enable RDP, change the value of fDenyTSConnections from 1 to 0 .
Check whether a Group Policy Object (GPO ) is blocking RDP on a local computer
If you can't turn on RDP in the user interface or the value of fDenyTSConnections reverts to 1 after you've
changed it, a GPO may be overriding the computer-level settings.
To check the group policy configuration on a local computer, open a Command Prompt window as an
administrator, and enter the following command:
gpresult /H c:\gpresult.html

After this command finishes, open gpresult.html. In Computer Configuration\Administrative


Templates\Windows Components\Remote Desktop Ser vices\Remote Desktop Session
Host\Connections , find the Allow users to connect remotely by using Remote Desktop Ser vices
policy.
If the setting for this policy is Enabled , Group Policy is not blocking RDP connections.
If the setting for this policy is Disabled , check Winning GPO . This is the GPO that is blocking RDP
connections.

Check whether a GPO is blocking RDP on a remote computer


To check the Group Policy configuration on a remote computer, the command is almost the same as for a local
computer:

gpresult /S <computer name> /H c:\gpresult-<computer name>.html

The file that this command produces (gpresult-<computer name>.html ) uses the same information format
as the local computer version (gpresult.html ) uses.
Modifying a blocking GPO
You can modify these settings in the Group Policy Object Editor (GPE) and Group Policy Management Console
(GPM). For more information about how to use Group Policy, see Advanced Group Policy Management.
To modify the blocking policy, use one of the following methods:
In GPE, access the appropriate level of GPO (such as local or domain), and navigate to Computer
Configuration > Administrative Templates > Windows Components > Remote Desktop Ser vices
> Remote Desktop Session Host > Connections > Allow users to connect remotely by using
Remote Desktop Ser vices .
1. Set the policy to either Enabled or Not configured .
2. On the affected computers, open a command prompt window as an administrator, and run the
gpupdate /force command.
In GPM, navigate to the organizational unit (OU) in which the blocking policy is applied to the affected
computers and delete the policy from the OU.

Check the status of the RDP services


On both the local (client) computer and the remote (target) computer, the following services should be running:
Remote Desktop Services (TermService)
Remote Desktop Services UserMode Port Redirector (UmRdpService)
You can use the Services MMC snap-in to manage the services locally or remotely. You can also use PowerShell
to manage the services locally or remotely (if the remote computer is configured to accept remote PowerShell
cmdlets).
On either computer, if one or both services are not running, start them.

NOTE
If you start the Remote Desktop Services service, click Yes to automatically restart the Remote Desktop Services
UserMode Port Redirector service.

Check that the RDP listener is functioning


IMPORTANT
Follow this section's instructions carefully. Serious problems can occur if the registry is modified incorrectly. Before you
starty modifying the registry, back up the registry so you can restore it in case something goes wrong.

Check the status of the RDP listener


For this procedure, use a PowerShell instance that has administrative permissions. For a local computer, you can
also use a command prompt that has administrative permissions. However, this procedure uses PowerShell
because the same cmdlets work both locally and remotely.
1. To connect to a remote computer, run the following cmdlet:

Enter-PSSession -ComputerName <computer name>

2. Enter qwinsta .
3. If the list includes rdp-tcp with a status of Listen , the RDP listener is working. Proceed to Check the RDP
listener port. Otherwise, continue at step 4.
4. Export the RDP listener configuration from a working computer.
a. Sign in to a computer that has the same operating system version as the affected computer has, and
access that computer's registry (for example, by using Registry Editor).
b. Navigate to the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
Ser ver\WinStations\RDP-Tcp
c. Export the entry to a .reg file. For example, in Registry Editor, right-click the entry, select Expor t , and
then enter a filename for the exported settings.
d. Copy the exported .reg file to the affected computer.
5. To import the RDP listener configuration, open a PowerShell window that has administrative permissions
on the affected computer (or open the PowerShell window and connect to the affected computer
remotely).
a. To back up the existing registry entry, enter the following cmdlet:
cmd /c 'reg export "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-tcp"
C:\Rdp-tcp-backup.reg'

b. To remove the existing registry entry, enter the following cmdlets:

Remove-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-tcp'


-Recurse -Force

c. To import the new registry entry and then restart the service, enter the following cmdlets:

cmd /c 'regedit /s c:\<filename>.reg'


Restart-Service TermService -Force

Replace <filename> with the name of the exported .reg file.


6. Test the configuration by trying the remote desktop connection again. If you still can't connect, restart the
affected computer.
7. If you still can't connect, check the status of the RDP self-signed certificate.
Check the status of the RDP self-signed certificate
1. If you still can't connect, open the Certificates MMC snap-in. When you are prompted to select the certificate
store to manage, select Computer account , and then select the affected computer.
2. In the Cer tificates folder under Remote Desktop , delete the RDP self-signed certificate.

3. On the affected computer, restart the Remote Desktop Services service.


4. Refresh the Certificates snap-in.
5. If the RDP self-signed certificate has not been recreated, check the permissions of the MachineKeys folder.
Check the permissions of the MachineKeys folder
1. On the affected computer, open Explorer, and then navigate to C:\ProgramData\Microsoft\Cr ypto\RSA\ .
2. Right-click MachineKeys , select Proper ties , select Security , and then select Advanced .
3. Make sure that the following permissions are configured:
Builtin\Administrators: Full control
Everyone: Read, Write
Check the RDP listener port
On both the local (client) computer and the remote (target) computer, the RDP listener should be listening on
port 3389. No other applications should be using this port.

IMPORTANT
Follow this section's instructions carefully. Serious problems can occur if the registry is modified incorrectly. Before you
starty modifying the registry, back up the registry so you can restore it in case something goes wrong.

To check or change the RDP port, use the Registry Editor:


1. Go to the Start menu, select Run , then enter regedt32 into the text box that appears.
To connect to a remote computer, select File , and then select Connect Network Registr y .
In the Select Computer dialog box, enter the name of the remote computer, select Check Names ,
and then select OK .
2. Open the registry and navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Ser ver\WinStations\
<listener> .

3. If Por tNumber has a value other than 3389 , change it to 3389 .

IMPORTANT
You can operate Remote Desktop services using another port. However, we don't recommend you do this. This
article doesn't cover how to troubleshoot that type of configuration.

4. After you change the port number, restart the Remote Desktop Services service.
Check that another application isn't trying to use the same port
For this procedure, use a PowerShell instance that has administrative permissions. For a local computer, you can
also use a command prompt that has administrative permissions. However, this procedure uses PowerShell
because the same cmdlets work locally and remotely.
1. Open a PowerShell window. To connect to a remote computer, enter Enter-PSSession -
ComputerName <computer name> .
2. Enter the following command:

cmd /c 'netstat -ano | find "3389"'

3. Look for an entry for TCP port 3389 (or the assigned RDP port) with a status of Listening .
NOTE
The process identifier (PID) for the process or service using that port appears under the PID column.

4. To determine which application is using port 3389 (or the assigned RDP port), enter the following
command:

cmd /c 'tasklist /svc | find "<pid listening on 3389>"'

5. Look for an entry for the PID number that is associated with the port (from the netstat output). The
services or processes that are associated with that PID appear on the right column.
6. If an application or service other than Remote Desktop Services (TermServ.exe) is using the port, you can
resolve the conflict by using one of the following methods:
Configure the other application or service to use a different port (recommended).
Uninstall the other application or service.
Configure RDP to use a different port, and then restart the Remote Desktop Services service (not
recommended).
Check whether a firewall is blocking the RDP port
Use the psping tool to test whether you can reach the affected computer by using port 3389.
1. Go to a different computer that isn't affected and download psping from
https://live.sysinternals.com/psping.exe.
2. Open a command prompt window as an administrator, change to the directory in which you installed
psping , and then enter the following command:

psping -accepteula <computer IP>:3389

3. Check the output of the psping command for results such as the following:
Connecting to <computer IP> : The remote computer is reachable.
(0% loss) : All attempts to connect succeeded.
The remote computer refused the network connection : The remote computer is not reachable.
(100% loss) : All attempts to connect failed.
4. Run psping on multiple computers to test their ability to connect to the affected computer.
5. Note whether the affected computer blocks connections from all other computers, some other
computers, or only one other computer.
6. Recommended next steps:
Engage your network administrators to verify that the network allows RDP traffic to the affected
computer.
Investigate the configurations of any firewalls between the source computers and the affected
computer (including Windows Firewall on the affected computer) to determine whether a firewall is
blocking the RDP port.
Credential limit per app
4/5/2021 • 2 minutes to read • Edit Online

Windows only allows up to 20 credentials per app. If you need to have more than 20 credentials per app, follow
the instructions in this article.

Bypass the 20 credential limit


To bypass the 20 credential limit:
1. Open PowerShell as an administrator.
2. Set the
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Vault\MaxPerAppCredentialNumber
DWORD registry entry value to a number greater than 20.
3. Restart your machine.
4. Test out your settings by creating a new set of credentials in the Remote Desktop client.

Potential risks
When changing this registry setting, it's important to keep these things in mind:
This is an admin operation. Any errors introduced into the registry could cause your machine to become
unstable. Users should change the registry entries at their own risk.
This registry change will affect all apps on your machine.
Clients can't connect and get the "Class not
registered" error
4/7/2020 • 2 minutes to read • Edit Online

When you try to connect to a remote computer using a client running Windows 10, version 1709 or later, the
client may not connect while the Remote Desktop Session Host server reports a message that contains the
"Class not registered (0x80040154)" error code.
This issue occurs when the user who's trying to connect has a mandatory user profile. To resolve this issue,
install the July 24, 2018—KB4338817 (OS Build 16299.579) Windows 10 update.
Clients can't connect and see "No licenses available"
error
4/7/2020 • 2 minutes to read • Edit Online

This situation applies to deployments that include an RDSH server and a Remote Desktop Licensing server.
First, identify which behavior the users are seeing:
The session was disconnected because no licenses are available or no license server is available.
Access was denied because of a security error.
Sign in to the RD Session Host as a domain administrator and open the RD License Diagnoser. Look for
messages like the following:
The grace period for the Remote Desktop Session Host server has expired, but the RD Session Host server
hasn't been configured with any license servers. Connections to the RD Session Host server will be denied
unless a license server is configured for the RD Session Host server.
License server <computer name> is not available. This could be caused by network connectivity problems,
the Remote Desktop Licensing service is stopped on the license server, or RD Licensing isn't available.
These problems tend to be associated with the following user messages:
The remote session was disconnected because there are no Remote Desktop client access licenses available
for this computer.
The remote session was disconnected because there are no Remote Desktop License Servers available to
provide a license.
In this case, configure the RD Licensing service.
If the RD License Diagnoser lists other problems, such as "The RDP protocol component X.224 detected an error
in the protocol stream and has disconnected the client," there may be a problem that affects the license
certificates. Such problems tend to be associated with user messages, such as the following:
Because of a security error, the client could not connect to the Terminal server. After making sure that you are
signed in to the network, try connecting to the server again.
In this case, refresh the X509 Certificate registry keys.

Configure the RD Licensing service


The following procedure uses Server Manager to make the configuration changes. For information about how
to configure and use Server Manager, see Server Manager
1. Open Ser ver Manager and navigate to Remote Desktop Ser vices .
2. On Deployment Over view , select Tasks , and then select Edit Deployment Proper ties .
3. Select RD Licensing , then select the appropriate licensing mode for your deployment (Per Device or Per
User ).
4. Enter the fully qualified domain name (FQDN) of your RD License server, and then select Add .
5. If you have more than one RD License server, repeat step 4 for each server.
Refresh the X509 Certificate registry keys
IMPORTANT
Follow this section's instructions carefully. Serious problems can occur if the registry is modified incorrectly. Before you
starty modifying the registry, back up the registry so you can restore it in case something goes wrong.

To resolve this problem, back up and then remove the X509 Certificate registry keys, restart the computer, and
then reactivate the RD Licensing server. Follow these steps.

NOTE
Perform the following procedure on each of the RDSH servers.

Here's how to reactivate the RD Licensing server:


1. Open the Registry Editory and navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Ser ver\RCM .
2. On the Registry menu, select Expor t Registr y File .
3. Enter expor ted- Cer tificate into the File name box, then select Save .
4. Right-click each of the following values, select Delete , and then select Yes to verify the deletion:
Cer tificate
X509 Cer tificate
X509 Cer tificate ID
X509 Cer tificate2
5. Exit the Registry Editor and restart the RDSH server.
User can't authenticate or must authenticate twice
7/22/2020 • 10 minutes to read • Edit Online

This article addresses several issues that can cause problems that affect user authentication.

Access denied, restricted type of logon


In this situation, a Windows 10 user attempting to connect to Windows 10 or Windows Server 2016 computers
is denied access with the following message:

Remote Desktop Connection:


The system administrator has restricted the type of logon (network or interactive) that you may use. For
assistance, contact your system administrator or technical support.

This issue occurs when Network Level Authentication (NLA) is required for RDP connections, and the user is not
a member of the Remote Desktop Users group. It can also occur if the Remote Desktop Users group has
not been assigned to the Access this computer from the network user right.
To solve this issue, do one of the following things:
Modify the user's group membership or user rights assignment.
Turn off NLA (not recommended).
Use remote desktop clients other than Windows 10. For example, Windows 7 clients do not have this issue.
Modify the user's group membership or user rights assignment
If this issue affects a single user, the most straightforward solution to this issue is to add the user to the Remote
Desktop Users group.
If the user is already a member of this group (or if multiple group members have the same problem), check the
user rights configuration on the remote Windows 10 or Windows Server 2016 computer.
1. Open Group Policy Object Editor (GPE) and connect to the local policy of the remote computer.
2. Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\User
Rights Assignment , right-click Access this computer from the network , and then select Proper ties .
3. Check the list of users and groups for Remote Desktop Users (or a parent group).
4. If the list doesn't include either Remote Desktop Users or a parent group like Ever yone , you must add it
to the list. If you have more than one computer in your deployment, use a group policy object.
For example, the default membership for Access this computer from the network includes Ever yone . If
your deployment uses a group policy object to remove Ever yone , you may need to restore access by
updating the group policy object to add Remote Desktop Users .

Access denied, A remote call to the SAM database has been denied
This behavior is most likely to occur if your domain controllers are running Windows Server 2016 or later, and
users attempt to connect by using a customized connection app. In particular, applications that access the user's
profile information in Active Directory will be denied access.
This behavior results from a change to Windows. In Windows Server 2012 R2 and earlier versions, when a user
signs in to a remote desktop, the Remote Connection Manager (RCM) contacts the domain controller (DC) to
query the configurations that are specific to Remote Desktop on the user object in Active Directory Domain
Services (AD DS). This information is displayed in the Remote Desktop Services Profile tab of a user's object
properties in the Active Directory Users and Computers MMC snap-in.
Starting in Windows Server 2016, RCM no longer queries the user's object in AD DS. If you need RCM to query
AD DS because you're using Remote Desktop Services attributes, you must manually enable the query.

IMPORTANT
Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you
modify it, back up the registry for restoration in case problems occur.

To enable the legacy RCM behavior on a RD Session Host server, configure the following registry entries, and
then restart the Remote Desktop Ser vices service:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Ser vices
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Ser ver\WinStations\
<Winstation name>\
Name: fQuer yUserConfigFromDC
Type: Reg_DWORD
Value: 1 (Decimal)
To enable the legacy RCM behavior on a server other than a RD Session Host server, configure these registry
entries and the following additional registry entry (and then restart the service):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Ser ver
For more information about this behavior, see KB 3200967 Changes to Remote Connection Manager in
Windows Server.

User can't sign in using a smart card


This section addresses three common scenarios where a user can't sign in to a remote desktop using a smart
card.
Can't sign in with a smart card in a branch office with a read-only domain controller (RODC )
This issue occurs in deployments that include an RDSH server at a branch site that uses a RODC. The RDSH
server is hosted in the root domain. Users at the branch site belong to a child domain, and use smart cards for
authentication. The RODC is configured to cache user passwords (the RODC belongs to the Allowed RODC
Password Replication Group ). When users try to sign in to sessions on the RDSH server, they receive
messages such as "The attempted logon is invalid. This is either due to a bad username or authentication
information."
This issue is caused by how the root DC and the RDOC manage user credential encryption. The root DC uses an
encryption key to encrypt the credentials and the RODC gives the client the decryption key. When a user
receives the "invalid" error, that means the two keys don't match.
To work around this issue, try one of the following things:
Change your DC topology by turning off password caching on the RODC or deploy a writeable DC to teh
branch site.
Move the RDSH server to the same child domain as the users.
Allow users to sign in without smart cards.
Be advised that all of these solutions require compromises in either performance or security level.
User can't sign in to a Windows Server 2008 SP2 computer using a smart card
This issue occurs when users sign in to a Windows Server 2008 SP2 computer that has been updated with
KB4093227 (2018.4B). When users attempt to sign in using a smart card, they are denied access with messages
such as "No valid certificates found. Check that the card is inserted correctly and fits tightly." At the same time,
the Windows Server computer records the Application event "An error occurred while retrieving a digital
certificate from the inserted smart card. Invalid Signature."
To resolve this issue, update the Windows Server computer with the 2018.06 B re-release of KB 4093227,
Description of the security update for the Windows Remote Desktop Protocol (RDP) denial of service
vulnerability in Windows Server 2008: April 10, 2018.
Can't stay signed in with a smart card and Remote Desktop Services service hangs
This issue occurs when users sign in to a Windows or Windows Server computer that has been updated with KB
4056446. At first, the user may be able to sign in to the system by using a smart card, but then receives a
"SCARD_E_NO_SERVICE" error message. The remote computer may become unresponsive.
To work around this issue, restart the remote computer.
To resolve this issue, update the remote computer with the appropriate fix:
Windows Server 2008 SP2: KB 4090928, Windows leaks handles in the lsm.exe process and smart card
applications may display "SCARD_E_NO_SERVICE" errors
Windows Server 2012 R2: KB 4103724, May 17, 2018—KB4103724 (Preview of Monthly Rollup)
Windows Server 2016 and Windows 10, version 1607: KB 4103720, May 17, 2018—KB4103720 (OS Build
14393.2273)

If the remote PC is locked, the user needs to enter a password twice


This issue may occur when a user attempts to connect to a remote desktop running Windows 10 version 1709
in a deployment in which RDP connections don't require NLA. Under these conditions, if the remote desktop has
been locked, the user needs to enter their credentials twice when connecting.
To resolve this issue, update the Windows 10 version 1709 computer with KB 4343893, August 30, 2018—
KB4343893 (OS Build 16299.637).

User can't sign in and receives "authentication error" and "CredSSP


encryption oracle remediation" messages
When users try to sign in using any version of Windows from Windows Vista SP2 and later versions or
Windows Server 2008 SP2 and later versions, they're denied access and recieve messages like these:

An authentication error has occurred. The function requested is not supported.


...
This could be due to CredSSP encryption oracle remediation
...

"CredSSP encryption oracle remediation" refers to a set of security updates released in March, April, and May of
2018. CredSSP is an authentication provider that processes authentication requests for other applications. The
March 13, 2018, "3B" and subsequent updates addressed an exploit in which an attacker could relay user
credentials to execute code on the target system.
The initial updates added support for a new Group Policy Object, Encryption Oracle Remediation, that has the
following possible settings:
Vulnerable: Client applications that use CredSSP can fall back to insecure versions, but this behavior exposes
the remote desktops to attacks. Services that use CredSSP accept clients that have not been updated.
Mitigated: Client applications that use CredSSP can't fall back to insecure versions, but services that use
CredSSP accept clients that have not been updated.
Force Updated Clients: Client applications that use CredSSP can't fall back to insecure versions, and services
that use CredSSP will not accept unpatched clients.

NOTE
This setting should not be deployed until all remote hosts support the newest version.

The May 8, 2018 update changed the default Encryption Oracle Remediation setting from Vulnerable to
Mitigated. With this change in place, Remote Desktop clients that have the updates can't connect to servers that
don't have them (or updated servers that have not been restarted). For more information about the CredSSP
updates, see KB 4093492.
To resolve this issue, update and restart all systems. For a full list of updates and more information about the
vulnerabilities, see CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability.
To work around this issue until the updates are complete, check KB 4093492 for allowed types of connections. If
there are no feasible alternatives you may consider one of the following methods:
For the affected client computers, set the Encryption Oracle Remediation policy back to Vulnerable .
Modify the following policies in the Computer Configuration\Administrative Templates\Windows
Components\Remote Desktop Ser vices\Remote Desktop Session Host\Security group policy
folder:
Require use of specific security layer for remote (RDP) connections : set to Enabled and
select RDP .
Require user authentication for remote connections by using Network Level
authentication : set to Disabled .

IMPORTANT
Changing these group policies reduces your deployment's security. We recommend you only use them
temporarily, if at all.

For more information about working with group policy, see Modifying a blocking GPO.

After you update client computers, some users need to sign in twice
When users sign in to Remote Desktop using a computer running Windows 7 or Windows 10, version 1709,
they immediately see a second sign-in prompt. This issue happens if the client computer has the following
updates:
Windows 7: KB 4103718, May 8, 2018—KB4103718 (Monthly Rollup)
Windows 10 1709: KB 4103727, May 8, 2018—KB4103727 (OS Build 16299.431)
To resolve this issue, ensure that the computers that the users want to connect to (as well as RDSH or RDVI
servers) are fully updated through June, 2018. This includes the following updates:
Windows Server 2016: KB 4284880, June 12, 2018—KB4284880 (OS Build 14393.2312)
Windows Server 2012 R2: KB 4284815, June 12, 2018—KB4284815 (Monthly Rollup)
Windows Server 2012: KB 4284855, June 12, 2018—KB4284855 (Monthly Rollup)
Windows Server 2008 R2: KB 4284826, June 12, 2018—KB4284826 (Monthly Rollup)
Windows Server 2008 SP2: KB4056564, Description of the security update for the CredSSP remote code
execution vulnerability in Windows Server 2008, Windows Embedded POSReady 2009, and Windows
Embedded Standard 2009: March 13, 2018
Users are denied access on a deployment that uses Remote
Credential Guard with multiple RD Connection Brokers
This issue occurs in high-availability deployments that use two or more Remote Desktop Connection Brokers, if
Windows Defender Remote Credential Guard is in use. Users can't sign in to remote desktops.
This issue occurs because Remote Credential Guard uses Kerberos for authentication, and restricts NTLM.
However, in a high-availability configuration with load balancing, the RD Connection Brokers can't support
Kerberos operations.
If you need to use a high-availability configuration with load-balanced RD Connection Brokers, you can work
around this issue by disabling Remote Credential Guard. For more information about how to manage Windows
Defender Remote Credential Guard, see Protect Remote Desktop credentials with Windows Defender Remote
Credential Guard.
On connecting, user receives "Remote Desktop
Service is currently busy" message
4/7/2020 • 2 minutes to read • Edit Online

To determine an appropriate response to this issue, see the following:


Does the Remote Desktop Services service becomes unresponsive (for example, the remote desktop client
appears to "hang" at the Welcome screen).
If the service becomes unresponsive, see RDSH server memory issue.
If the client appears to be interacting with the service normally, continue to the next step.
If one or more users disconnect their remote desktop sessions, can users connect again?
If the service continues to deny connections no matter how many users disconnect their sessions, see
RD listener issue.
If the service begins accepting connections again after a number of users have disconnected their
sessions, check the connection limit policy.

RDSH server memory issue


A memory leak has been found on some Windows Server 2012 R2 RDSH servers. Over time, these servers
begin to refuse both remote desktop connections and local console sign-ins with messages like the following:

The task you are trying to do can't be completed because Remote Desktop Service is currently busy. Please
try again in a few minutes. Other users should still be able to sign in.

Remote Desktop clients attempting to connect also become unresponsive.


To work around this issue, restart the RDSH server.
To resolve this issue, apply KB 4093114, April 10, 2018—KB4093114 (Monthly Rollup), to the RDSH servers.

RD listener issue
An issue has been noted on some RDSH servers that have been upgraded directly from Windows Server 2008
R2 to Windows Server 2012 R2 or Windows Server 2016. When a Remote Desktop client connects to the RDSH
server, the RDSH server creates an RD listener for the user session. The affected servers keep a count of the RD
listeners that increases as users connect, but never decreases.
You can work around this issue with the following methods:
Restart the RDSH server to reset the count of RD listeners
Modify the connection limit policy, setting it to a very large value. For more information about managing the
connection limit policy, see Check the connection limit policy.
To resolve this issue, apply the following updates to the RDSH servers:
Windows Server 2012 R2: KB 4343891, August 30, 2018—KB4343891 (Preview of Monthly Rollup)
Windows Server 2016: KB 4343884, August 30, 2018—KB4343884 (OS Build 14393.2457)

Check the connection limit policy


You can set the limit on the number of simultaneous remote desktop connections at the individual computer
level or by configuring a group policy object (GPO). By default, the limit is not set.
To check the current settings and identify any existing GPOs on the RDSH server, open a command prompt
window as an administrator and enter the following command:

gpresult /H c:\gpresult.html

After this command finishes, open gpresult.html . In Computer Configuration\Administrative


Templates\Windows Components\Remote Desktop Ser vices\Remote Desktop Session
Host\Connections , find the Limit number of connections policy.
If the setting for this policy is Disabled , then group policy is not limiting RDP connections.
If the setting for this policy is Enabled , then check Winning GPO . If you need to remove or change the
connection limit, edit this GPO.
To enforce policy changes, open a command prompt window on the affected computer, and enter the following
command:

gpupdate /force
Remote Desktop client disconnects and can't
reconnect to the same session
7/22/2020 • 2 minutes to read • Edit Online

After Remote Desktop client loses its connection to the remote desktop, the client can't immediately reconnect.
The user receives one of the following error messages:
The client couldn't connect to the terminal server because of a security error. Make sure you are signed in to
the network, then try connecting again.
Remote Desktop disconnected. Because of a security error, the client could not connect to the remote
computer. Verify that you are logged onto the network and then try connecting again.
When the Remote Desktop client reconnects, the RDSH server reconnects the client to a new session instead of
the original session. However, when you check the RDSH server, it says that the original session is still active and
didn't enter a disconnected state.
To work around this issue, you can enable the Configure keep-alive connection inter val policy in the
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop
Ser vices\Remote Desktop Session Host\Connections group policy folder. If you enable this policy, you
must enter a keep-alive interval. The keep-alive interval determines how often, in minutes, the server checks the
session state.
This issue can also be fixed by reconfiguring your authentication and configuration settings. You can reconfigure
these settings at either the server level or by using group policy objects (GPOs). Here's how to reconfigure your
settings: Computer Configuration\Administrative Templates\Windows Components\Remote
Desktop Ser vices\Remote Desktop Session Host\Security group policy folder.
1. On the RD Session Host server, open Remote Desktop Session Host Configuration .
2. Under Connections , right-click the name of the connection, then select Proper ties .
3. In the Proper ties dialog box for the connection, on the General tab, in Security layer, select a security
method.
4. Go to Encr yption level and select the level you want. You can select Low , Client Compatible , High , or
FIPS Compliant .
NOTE
When communications between clients and RD Session Host servers require the highest level of encryption, use FIPS-
compliant encryption.
Any encryption level settings you configure in Group Policy override the settings you configured using the Remote
Desktop Services Configuration tool. Also, if you enable the System cryptography: Use FIPS compliant algorithms for
encryption, hashing, and signing policy, this setting overrides the Set client connection encr yption level policy.
The system cryptography policy is in the Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options folder.
When you change the encryption level, the new encryption level takes effect the next time a user signs in. If you
require multiple levels of encryption on one server, install multiple network adapters and configure each adapter
separately.
To verify your certificate has a corresponding private key, go to Remote Desktop Services Configuration, right-click the
connection that you want to view the certificate for, select General, then select Edit . After that, select View
cer tificate . When you go to the General tab, you should see the statement, "You have a private key that
corresponds to this certificate" if there's a key. You can also view this information with the Certificates snap-in.
FIPS-compliant encryption (the System cr yptography: Use FIPS compliant algorithms for encr yption,
hashing, and signing policy or the FIPS Compliant setting in Remote Desktop Server Configuration) encrypts and
decrypts data sent between the server and client with the Federal Information Processing Standard (FIPS) 140-1
encryption algorithms that use Microsoft cryptographic modules. For more information, see FIPS 140 Validation.
The High setting encrypts data sent between the server and client by using strong 128-bit encryption.
The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength
supported by the client.
The Low setting encrypts data sent from the client to the server using 56-bit encryption.
Remote laptop disconnects from wireless network
4/7/2020 • 2 minutes to read • Edit Online

This issue may occur when a Remote Desktop client connects to a laptop computer by using an 802.1x wireless
network. The laptop intermittently disconnects from the wireless network and doesn't automatically reconnect.
This is a known issue that occurs when the network authentication setting for the wireless network connection is
User authentication .
To work around this issue, set the network authentication setting to User or computer authentication or
Computer authentication .

NOTE
To change the network authentication settings on a single computer, you may need to use the Network and Sharing
Center control panel to create a new wireless connection with the new settings.

For a full description of how to configure wireless network settings using GPOs, see Configure Wireless
Network (IEEE 802.11) Policies.
Poor performance or application problems during
remote desktop connection
4/7/2020 • 2 minutes to read • Edit Online

This article addresses several common issues that users can experience when they use remote desktop
functionality.
Intermittent problems with new Microsoft Azure virtual machines
This issue affects virtual machines that have been recently provisioned. After the user connects to the virtual
machine, the remote desktop session does not load all the user's settings correctly.
To work around this issue, disconnect from the virtual machine, wait for at least 20 minutes, and then connect
again.
To resolve this issue, apply the following updates to the virtual machines, as appropriate:
Windows 10 and Windows Server 2016: KB 4343884, August 30, 2018—KB4343884 (OS Build 14393.2457)
Windows Server 2012 R2: KB 4343891, August 30, 2018—KB4343891 (Preview of Monthly Rollup)
Video playback issues on Windows 10 version 1709
This issue occurs when users connect to remote computers that are running Windows 10, version 1709. When
these users play video using the VMR9 (Video Mixing Renderer 9) codec, the player shows only a black window.
This is a known issue in Windows 10, version 1709. The issue doesn't occur in Windows 10, version 1703.
Desktop sharing issues on Windows 10
This issue occurs when the user has a read-only user profile (and associated registry hive), such as in a kiosk
scenario. When such a user connects to a remote computer that is running Windows 10, version 1803, they can't
share their desktop.
To fix this issue, apply the Windows 10 update 4340917, July 24, 2018—KB4340917 (OS Build 17134.191).
Performance issues when mixing versions of Windows 10 if NLA is disabled
This issue occurs when Remote Desktop client computers running Windows 10 connect to remote desktops that
run different versions of Windows 10 while NLA is disabled. Users of Remote Desktop clients on computers
running Windows 10, version 1709 or earlier experience poor performance when they connect to remote
desktops running Windows 10, version 1803 or later.
This occurs because, when NLA is disabled, the older client computers use a slower protocol when they connect
to Windows 10, version 1803 or a later version.
To resolve this issue, apply KB 4340917, July 24, 2018—KB4340917 (OS Build 17134.191).
Black screen issue
This issue occurs in Windows 8.0, Windows 8.1, Windows 10 RTM, and Windows Server 2012 R2. A user
launches multiple applications in a remote desktop, then disconnects from the session. Periodically, the user
reconnects to the remote desktop to interact with the applications, and then disconnects again. At some point,
when the user reconnects, the remote desktop session only shows a black screen. To get the session to display
properly again, the user then has to end their session from either the remote computer's console or the RDSH
server console and stop their session's applications.
To resolve this issue, apply the following updates as appropriate:
Windows 8 and Windows Server 2012: KB4103719, May 17, 2018—KB4103719 (Preview of Monthly Rollup)
Windows 8.1 and Windows Server 2012 R2: KB4103724, May 17, 2018—KB4103724 (Preview of Monthly
Rollup) and KB 4284863, June 21, 2018—KB4284863 (Preview of Monthly Rollup)
Windows 10: Fixed in KB4284860, June 12, 2018—KB4284860 (OS Build 10240.17889)
Input method editor issue in RemoteApp scenarios
7/2/2021 • 2 minutes to read • Edit Online

We've been made aware of the following issues with the input method editor (IME) through user feedback:
Users have reported being unable to change IME mode from their applications.
Users couldn't change IME mode using the keyboard.
Switching between remote applications doesn't change the IME mode.
Affected platforms:
Azure Virtual Desktop
Remote Desktop Services (so far, this issue has only been reported for Windows Server 2019)
We're currently working on a solution to help solve this issue.
Additional Remote Desktop resources
11/2/2020 • 2 minutes to read • Edit Online

In addition to the information here in the Windows Server 2016 library, you can use the following resources to
learn about and get help with Remote Desktop Services:
Participate in general discussions about Remote Desktop Services in the RDS TechNet forum.
For discussion about Remote Desktop applications/clients for Windows, Android, iOS, and Mac, visit the
Remote Desktop clients TechNet forum.
For MultiPoint, check out the MultiPoint TechNet forum.
If you have ideas about Remote Desktop Services that you want to share with us, post a topic in our UserVoice
forum.

You might also like