Microsoft RDS Policies explained (Part 2)

Introduction

In Part 1 of the article series MS RDS Policies we began by describing how RDS settings can be configured and that policies always win. We then described the policy locations available in both the Computer Configuration and the User Configuration, and covered the Computer Configuration settings that apply to the RDS License Server and the RDS Client. In this second part we discuss the Computer Configuration settings for the RD Session Host.

Computer Configuration policy settings

Remote Desktop Session Host

For the RD Session Host (Remote Desktop Session Host) the policies are split into several subfolders, as shown in the figure below.

Figure 1: Remote Desktop Session Host Policy Overview

Application Compatibility – Turn off Windows Installer RDS Compatibility

Figure 2: Remote Desktop Session Host – Application compatibility

With this setting you can change the Windows Installer behavior on an RD Session Host. By default RDS compatibility is enabled, which makes it possible to run Windows Installer on a per-user basis. When you enable this setting (which disables Windows Installer RDS compatibility) all installation requests are queued up for a single msiexec process. Personally, I have not found a reason to disable this functionality.

Application Compatibility – Turn on Remote Desktop IP virtualization

Some applications require a unique IP address, which by default is not the case when the application runs on an RD Session Host, where all sessions share the server's IP address. To solve this, Remote Desktop IP Virtualization was introduced, and this setting enables the feature. When enabling it you need to specify whether the virtual IP is provided per session or per program. When using per program you need to define the executables that should be assigned an IP address. Remote Desktop IP Virtualization also requires the next setting to be configured.

Application Compatibility – Select the network adapter to be used for Remote Desktop IP Virtualization

When you use Remote Desktop IP Virtualization, configuring this setting is mandatory. You need to specify the IP address of the network interface card that should be used for this feature. Besides the IP address you also need to specify the subnet mask in slash (CIDR) notation, for example 192.168.77.201/24.

Application Compatibility – Do not use Remote Desktop Session Host server IP address when virtual IP address is not available

When no virtual IP addresses are available (anymore), by default the session uses the RD Session Host IP address, just as if RD IP Virtualization were not enabled. If you don't want that, enable this setting, but remember that the session will then have no network connectivity at all. So be very careful when enabling this setting; it is only for very specific use cases.

Figure 3: Remote Desktop Session Host – Connections

Connections – Automatic Reconnection

With this setting you control the automatic reconnection behavior, which is enabled by default. Setting the policy to Disabled turns automatic reconnection off. Normally you won't have to configure this setting.

Connections – Allow users to connect remotely by using Remote Desktop Services

Although it is an RD Session Host policy, I only use this one on non RD Session Host servers, as users are already allowed to connect using RDS when the RD Session Host role is installed. The setting is really useful for a server where RDS is not installed but you would like to enable RDP access for the administrators. Enabling this policy has the same effect as ticking the remote access option on the Remote tab of System Properties.

Connections – Deny logoff of an administrator logged in to the console

This setting only applies to Windows XP and Windows Server 2003, so it is effectively obsolete. It prevents an administrator connected to the console from being logged off when another administrator connects to the console via the RDP client.

Connections – Configure Keep-alive connection interval

With this setting you configure how often (in minutes) the server checks the session state. If you don't configure this setting, the session state is not checked. When the interval has passed, the server checks whether a session listed as connected is actually still communicating with the server.

Connections – Limit number of connections

By default an RD Session Host has no limit on the number of sessions that can be created on it. With this policy enabled you can define the maximum number of sessions that can be set up on the RD Session Host.

Connections – Suspend user sign-in to complete app registration

This is a new policy for the latest operating systems. By default RDS sessions can be set up as soon as the system has started, while applications are still being registered in the background. Some applications only work once the application registration has completely finished. Enabling this policy makes the server wait 6 minutes after startup before RDS sessions can be set up. It is also used in cases where the Start menu needs to be customized. Another use case is to provide a small automated maintenance window for cleaning the server.

Connections – Set rules for remote control of Remote Desktop Services

With this policy you can define whether remote control (also known as shadowing) is allowed and via which method (full control or view session, each with or without the user's permission). As this policy is for shadowing, it does not apply to Windows Server 2012, where only Remote Assistance is available. The policy also does not list Windows Server 2012 R2 as applicable, yet MS re-introduced shadowing in that version (so I expect this setting will work for R2 as well, but I did not test it).

Connections – Select network detection on the server

With this policy you can change the way the RD Session Host determines the network quality, both at the initial connection (Connect Time Detect) and during the session (Continuous Network Detect). You can disable one of these two or both. Disabling Connect Time Detect causes the session to always be set up as if over a low-speed connection, while disabling Continuous Network Detect means the session will not be adjusted if the network quality changes during the session. This policy applies only to the latest versions of the operating systems and in my opinion it should be adjusted only in specific use cases.

Connections – Select RDP transport protocols

A similar setting is also available within the RD Client settings. This policy, however, is applied on the host instead of the client. Just as with the client setting, you can configure whether to use both UDP and TCP, only UDP, or only TCP.

Connections – Restrict Remote Desktop Services users to a single Remote Desktop Services session

With this policy you can restrict a user to a single session on the server; otherwise the user can have multiple sessions. When a session is in a disconnected state the user is automatically reconnected to that disconnected session. This behavior can also be specified at the collection level within the RDS management console.

Connections – Allow remote start of unlisted programs

By default a user can only start programs that are defined as RemoteApps (when not publishing a full Remote Desktop). If you need to change that behavior (though in that case, why publish the program as a RemoteApp at all?) you can enable the policy "Allow remote start of unlisted programs". When this setting is enabled any program available on the RD Session Host can be started, so the published RemoteApp list no longer limits what users can launch.

Connections – Turn Off Fair Share CPU Scheduling

By default Microsoft has enabled Fair Share CPU Scheduling. With this policy setting you can turn the feature off. In my article FairShare of Resources in RD Session Host I explained Fair Share of resources on an RD Session Host in detail, so check that article for more information.

In part three we will continue describing the RD Session Host settings.

Figure 4: Remote Desktop Session Host – Device and Resource Redirection

Device and Resource Redirection – Allow Audio and Video playback redirection

The Device and Resource Redirection subfolder holds the settings that define whether local client devices are available within the Remote Desktop session. The first setting controls whether audio and video are redirected to the client or played on the RD Session Host. Microsoft uses different defaults on different operating system versions: on Windows Server 2008 R2 and earlier, audio and video redirection is not allowed by default, while on Windows Server 2012 and later it is allowed by default. If possible I would always redirect audio and video playback to the client.

Device and Resource Redirection – Allow audio recording redirection

With this setting you can specify whether recording devices (like microphones) can be used within the Remote Desktop session. Again the default behavior differs between operating system versions, which determines whether you need to configure this setting to satisfy your needs. To be sure, you can always define this (and the other settings) explicitly, so you know the configuration of the RD Session Host is exactly as you intend.

Device and Resource Redirection – Limit audio playback quality

Configuring the audio playback quality can improve performance on slow links. However, Microsoft currently uses Dynamic playback quality, where the audio quality is adjusted dynamically based on the available network bandwidth. So I prefer to keep that behavior, but if the quality should always be High (independent of the network bandwidth) you can adjust it with this setting. Also good to know: when you choose Disabled, the audio playback quality is Dynamic (not no audio playback at all, as some people expect).

Device and Resource Redirection – Do not allow Clipboard redirection

With this policy you can define whether users are allowed to copy/cut and paste text and/or images via the clipboard. By default clipboard redirection is allowed, so if no information sharing is permitted between the client and the RD Session Host you should enable this setting to disable clipboard redirection.

Device and Resource Redirection – Do not allow drive redirection

With this policy you control whether client drives are redirected into the RD Session Host. By default client drive redirection is allowed, but it can be disabled with this policy. Some configurations rely on drive redirection for file copy via the clipboard, such as Windows Server 2003 or a Windows client OS used as the RD host. Redirection of USB sticks is not configured via drive redirection but via Plug and Play redirection.

Device and Resource Redirection – Do not allow … port redirection

COM and LPT ports can also be redirected into the session. Nowadays this is rarely used, as devices formerly connected via such ports are now connected using USB.

Device and Resource Redirection – Do not allow supported Plug and Play device redirection

By default redirection of Plug and Play devices is allowed, so you should enable this setting only if you want to block Plug and Play redirection entirely. More commonly used is limiting specific types of Plug and Play devices via the policy settings under Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions.

Device and Resource Redirection – Do not allow smart card device redirection

Similar to the previous settings: by default smart card devices may be redirected into the RD session; if you need to block smart card devices in the RD session, enable this policy.

Device and Resource Redirection – Allow time zone redirection

With this setting you can adjust the time zone redirection behavior. When you enable it, the client forwards its time zone to the RD Session Host, so if you connect to a Remote Desktop the client's local time is shown. By default time zone redirection does not take place and the time of the RD Session Host is shown. Only configure this setting if you publish a Remote Desktop while your clients are in different time zones.
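As an added example that is not part of the original article, the following PowerShell script reads the policy-backed registry values behind the Connections and Device and Resource Redirection settings described above and reports which redirection channels and connection restrictions the policy leaves at the OS default, hardens, or explicitly allows. The registry value names are those written by the Terminal Services administrative template under the Policies hive; the Get-RdshPolicyReport function name and the report wording are my own.

```powershell
# Added audit script (not from the original article): reports the effective
# policy state of the RD Session Host settings discussed in the Connections and
# Device and Resource Redirection sections, by reading the registry values the
# Terminal Services ADMX writes under the Policies hive. An absent value means
# the policy is Not Configured and the OS default applies, which differs
# between Windows Server versions as the article notes.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Boolean-style policies: HardenedWhen is the data that means the channel is
# blocked (or the restriction enforced) by policy.
$BooleanChecks = @(
    @{ Setting = 'Clipboard redirection';         Value = 'fDisableClip';                 HardenedWhen = 1 },
    @{ Setting = 'Drive redirection';             Value = 'fDisableCdm';                  HardenedWhen = 1 },
    @{ Setting = 'COM port redirection';          Value = 'fDisableCcm';                  HardenedWhen = 1 },
    @{ Setting = 'LPT port redirection';          Value = 'fDisableLPT';                  HardenedWhen = 1 },
    @{ Setting = 'Plug and Play redirection';     Value = 'fDisablePNPRedir';             HardenedWhen = 1 },
    @{ Setting = 'Smart card redirection';        Value = 'fEnableSmartCard';             HardenedWhen = 0 },
    @{ Setting = 'Audio recording redirection';   Value = 'fDisableAudioCapture';         HardenedWhen = 1 },
    @{ Setting = 'Audio/video playback redir.';   Value = 'fDisableCam';                  HardenedWhen = 1 },
    @{ Setting = 'Remote start of unlisted apps'; Value = 'fAllowUnlistedRemotePrograms'; HardenedWhen = 0 },
    @{ Setting = 'Single session per user';       Value = 'fSingleSessionPerUser';        HardenedWhen = 1 }
)

# "Set rules for remote control" stores a number; decode it for the report.
$ShadowModes = @{ 0 = 'Remote control disabled';    1 = 'Full control, user permission required'
                  2 = 'Full control, NO permission'; 3 = 'View only, user permission required'
                  4 = 'View only, NO permission' }

function Get-RdshPolicyReport {
    param([string]$Key = $PolicyKey)
    # A missing key or value yields $null, which is reported as "Not configured".
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($c in $BooleanChecks) {
        $data = if ($props) { $props.($c.Value) } else { $null }
        $state = if ($null -eq $data) { 'Not configured (OS default applies)' }
                 elseif ($data -eq $c.HardenedWhen) { 'Hardened by policy' }
                 else { 'Allowed by policy' }
        [pscustomobject]@{ Setting = $c.Setting; RegistryValue = $c.Value; Data = $data; State = $state }
    }
    $max = if ($props) { $props.MaxInstanceCount } else { $null }
    $maxState = if ($null -eq $max) { 'Not configured (unlimited)' } else { "Limited to $max sessions" }
    [pscustomobject]@{ Setting = 'Limit number of connections'; RegistryValue = 'MaxInstanceCount'; Data = $max; State = $maxState }
    $shadow = if ($props) { $props.Shadow } else { $null }
    $shadowState = if ($null -eq $shadow) { 'Not configured (OS default applies)' } else { $ShadowModes[[int]$shadow] }
    [pscustomobject]@{ Setting = 'Remote control (shadowing) rules'; RegistryValue = 'Shadow'; Data = $shadow; State = $shadowState }
}

Get-RdshPolicyReport | Format-Table -AutoSize
```

Run it in an elevated session on the RD Session Host after a `gpupdate /force`; rows reported as "Not configured" are the ones whose effective behavior depends on the operating system version, so those are the settings worth defining explicitly.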

Summary

In this second article I started describing the policies that can be defined on the RD Session Host. As there are many policies at this level, I will continue describing them in an upcoming part of this article series.
