
Showing posts with label Remote Desktop Services. Show all posts

Tuesday, July 10, 2018

Minimizing and restoring Windows Server 2016 RDS RemoteApp causes a frozen black screen to be displayed

Update: July 11, 2018

The support engineer gave me a call back yesterday and said this is apparently a known issue at Microsoft and a patch is supposed to be released at some point.  He could not provide an exact ETA but said possibly in August 2018.

Problem

You’ve deployed a new Windows Server 2016 RDS environment and published RemoteApps but received complaints that when a user’s session times out after the configured idle limit, they receive the following window and are unable to click the OK button:

Idle timer expired

Session has been idle over its time limit.

It will be disconnected in 2 minutes.

Click OK to stay connected.


The problem with the window above is that the RDS RemoteApp session has disconnected but the window indicating the end of the session is stuck behind this warning window. There is really nothing the user can do to get the window in the background to get on top of this one so they need to terminate the RDS session via the task bar.

One of the solutions that corrects this issue is to disable the Use advanced RemoteFX graphics for RemoteApp setting found under:

Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment


Disabling this feature corrects the problem but creates a new one when the user’s desktop launching the RemoteApp does not have the left most monitor as its primary monitor:


What happens with this setup for users is that they would launch the RemoteApp without any issues:


The application will work as expected but if the user minimizes it:


Then attempts to restore the RemoteApp, the application will attempt to be restored on the left non-primary monitor and display a black screen that the user cannot interact with:


This appears to only be a display issue because the user can right-click on the application in the task bar, close it, relaunch the application and not lose any work. What’s strange is that this does not appear to affect applications that are not maximized meaning if the application was launched and then minimized as such:


The application would restore without any issues. Another alternative workaround is to configure the left most monitor as the primary:


Another workaround I was able to find was to limit the number of monitors for the RemoteApps with the Limit number of monitors configuration:


While this corrects the issue, it restricts the application to the primary monitor disallowing the user to drag the window to the left or any other monitor and this was likely going to be very annoying.

I had opened a case with Microsoft about two weeks back, which was closed because I couldn’t replicate it on my desktop (I always use my left most monitor as primary) but it has since been reopened this week after figuring this out. The engineer hasn’t called me back yet but knowing the cause allowed me to find this forum post discussing the same problem on Windows 10:

[Windows 10 1709] Issues when maximizing RDP App

https://social.technet.microsoft.com/Forums/lync/en-US/831fda26-1336-4806-a3eb-8b989e023a52/windows-10-1709-issues-when-maximizing-rdp-app?forum=win10itprogeneral

I had this issue too. I found that re-enabling remotefx on session servers made the issue go away. But now window focus is messed up, when a new window pop up in a remote application it goes behind the main application until user clicks out of the app, the pop up will appear.


The environment in which I’m experiencing this problem uses Windows 7 as the desktop so I can confirm that this isn’t limited to Windows 10. There isn’t a resolution in the forum post so I hope to get to the bottom of this and share the resolution.

Wednesday, November 23, 2016

Server Manager displays the following message for Remote Desktop Services: "There are no RD Connection Broker servers in the server pool"

I’ve been asked several times this year about a seemingly trivial task that I tend to forget myself so I thought I’d write a quick blog post about it in case someone encounters the same situation and for myself to refer to in the future.

Problem

You’re in one of the following situations:

1. You’ve deployed a new RDS server and added it to an existing collection and would like to perform administrative tasks from that server

2. You’ve asked another administrator to administer an existing RDS server but this administrator uses an account that has never performed these tasks

The problem encountered here in either of the cases above is that when you log onto an RDS server that was recently added to a collection or with an account that has never administered the RDS collections before, you will notice that the options to administer the servers are not available in Server Manager:


Navigating to the Remote Desktop Services section will display the following message:

There are no RD Connection Broker servers in the server pool.

To manage a deployment, you must add all the servers in the deployment to the server pool.

To create a new deployment, run the Add Roles and Features Wizard and select the Remote Desktop Services installation option.


Solution

I find that most administrators including myself would eventually figure this out but I tend to forget a few months afterwards. To get the Remote Desktop Services collection to show up in the Server Manager console, click on the Manage button on the top right hand corner and then Add Servers:


You will need to add all of the RDS servers in the collection into this window but if you only know of one because you’re not familiar with the environment, you can go ahead and add just the one you know of:


Hitting the OK button will bring you back to the Dashboard:


Clicking on the Remote Desktop Services section will display a message telling you that you need to add the rest of the servers in the deployment:

The following servers in this deployment are not part of the server pool:

The servers must be added to the server pool.


Proceed by adding the servers listed:


You should now see the collections in the deployment once the servers have been added:


Friday, June 19, 2015

Adding an account from an external domain with a forest trust configured throws the error: “The security identifier could not be resolved…”

Problem

You’ve successfully deployed a new Windows Server 2012 R2 Remote Desktop Services farm in your environment and have begun assigning permissions to users located in another forest with which you have a forest trust:


While you are able to browse the domain in the separate forest and select a user or group, you quickly notice you receive the following error message when you attempt to apply the settings:

The security identifier could not be resolved. Ensure that a two-way trust exists for the domain of the selected users.

Exception: The network path was not found.


Solution

I’ve come across the same problem with a Windows Server 2008 R2 Remote Desktop Services deployment and it looks like this problem still persists in the newer Windows Server 2012 R2 version. To get around this issue, we would need to create a Domain local group in the domain where the RDS server is installed:


… then proceed and add the user or group from the federated forest domain into the Domain local group:


… and because we can’t add a Domain local group into any other type of group such as Global or Universal in the domain, we would have to assign it directly to the RDS Collection and RemoteApp:


Not exactly the most elegant solution but good enough for a workaround.

Wednesday, June 17, 2015

Removing the: “A website is trying to run a RemoteApp program. Make sure that you trust the publisher before you connect to run the program.” message prompt when launching RD Web Access RemoteApp

Problem

You’ve configured your RemoteApp resources on your Remote Desktop Services and attempt to launch an application but receive the following warning message:

A website is trying to run a RemoteApp program. Make sure that you trust the publisher before you connect to run the program.

This RemoteApp program could harm your local or remote computer. Make sure that you trust the publisher before you connect to run this program.

Don’t ask me again for remote connections from this publisher


As shown in the screenshots above, you have the option of checking the checkbox that reads:

Don’t ask me again for remote connections from this publisher

… to remove this prompt but you do not want everyone in the organization to receive this prompt.

Solution

One of the ways to remove this warning prompt is to implement a GPO and apply it to the user or computer account to trust the SHA1 thumbprint of the certificate presented. Begin by opening the properties of the certificate that is used for your Remote Desktop Services portal and navigating to the Details tab:


Scroll down to the bottom where the Thumbprint is listed:


Select the Thumbprint field:


Select the thumbprint and copy the text:


Now before we proceed to copy this into the setting of the GPO we’ll be using, it is important to paste the thumbprint you have just copied into a command prompt as such:


Notice how there is a question mark (?) in front of the thumbprint. Note that pasting this into Notepad does not reveal this unwanted question mark:


Proceed and copy the thumbprint from the command prompt without the question mark.

Next, create a new GPO or open an existing GPO that you would like to use and navigate to:

Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client

Note that this policy can be applied to either a computer object or a user account so use whichever fits better for your environment.


Proceed and open the Specify SHA1 thumbprints of certificates representing trusted .rdp publishers:


Paste the copied thumbprint into the Comma-separated list of SHA1 trusted certificate thumbprints field:


Apply the configuration:


The user should no longer see the warning prompt once the policy is applied to a computer object or user account.
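
An added PowerShell example, not from the original post: the stray question mark described above is an invisible Unicode character (U+200E, left-to-right mark) that is copied along with the thumbprint from the certificate dialog. The functions below strip it, check that what remains is a well-formed SHA1 thumbprint, and confirm the value matches a certificate in the local store before it goes into the GPO field. The function names are hypothetical and the pasted value is constructed sample data.

```powershell
# Added example (not from the original post). Function names are hypothetical.

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Pasted)

    # Name every character that is neither a hex digit nor whitespace, so the
    # invisible U+200E copied from the certificate dialog is reported.
    foreach ($c in $Pasted.ToCharArray()) {
        if ([string]$c -notmatch '^[0-9A-Fa-f\s]$') {
            Write-Warning ('Dropping non-hex character U+{0:X4}' -f [int]$c)
        }
    }

    # Keep hex digits only; this also removes any spaces shown by the dialog.
    $clean = ($Pasted -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # A SHA1 thumbprint is 20 bytes, i.e. exactly 40 hex digits.
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits for a SHA1 thumbprint, got $($clean.Length)."
    }
    $clean
}

function Find-CertificateByThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Run on the machine that holds the certificate. An empty result means the
    # cleaned value does not match any certificate in these stores.
    Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object Subject, NotAfter, Thumbprint
}

# Constructed sample: a made-up thumbprint as pasted from the Details tab,
# with a leading U+200E and spaces between the byte pairs.
$pasted = "$([char]0x200E)a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 d4"

$thumbprint = ConvertTo-CleanThumbprint -Pasted $pasted
$thumbprint    # the value to paste into the GPO thumbprint field

Find-CertificateByThumbprint -Thumbprint $thumbprint
```

Reading the `Thumbprint` property straight from the `Cert:` drive on the server avoids the copy and paste step, and the hidden character, altogether.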

Tuesday, June 2, 2015

Removing New Profile First Run Items for XenApp, RDS and Terminal Server with GPO

Having deployed numerous Citrix XenApp and Microsoft RDS over the past few years, I’ve found that I constantly refer to my notes for removing new profile first run items and seeing how I haven’t written a blog post for this year, I figured I’d write one now so I can refer my colleagues to it.

Several add-ons are ready for use

There are two ways to disable the Several add-ons are ready for use prompt when Internet Explorer is first launched:


The first is to edit the local policy of the server by running gpedit.msc and navigate to:

Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Automatically activate newly installed add-ons

… or:

User Configuration > Administrative Templates > Windows Components > Internet Explorer > Automatically activate newly installed add-ons

Note that both would provide the same result but I prefer using the Computer Configuration because it is applied to the computer rather than the User Configuration which is applied to each user’s profile.


Enable the configuration:


If using a local computer policy is not acceptable, this could be configured using a GPO to modify the following registry key:

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Ext

IgnoreFrameApprovalCheck = 1


Protected mode is turned off for the local intranet zone.

To disable the Protected mode is turned off for the Local intranet zone. message:


… create a new DWORD registry value named NoProtectedModeBanner with a value of 1 at the following location:

HKCU\Software\Microsoft\Internet Explorer\Main


Refer to my previous blog post for more detail:

Notes on Security Banner and IE Settings for Citrix XenApp servers
http://terenceluk.blogspot.com/2013/09/notes-on-security-banner-and-ie.html

Set up Internet Explorer 11

To disable the Set up Internet Explorer 11 prompt:


Create a GPO and enable the following User or Computer Configuration setting:

Administrative Templates > Windows Components > Internet Explorer

Then enable the following setting:

Prevent performance of First Run Customize settings


Office 2013 First Run

To get rid of the First things first. Office 2013 first run prompt:


… load the Office 2013 ADM or ADMX templates and navigate to:

User Configuration > Policies > Administrative Templates > Microsoft Office 2013 > Privacy > Trust Center

Then enable the following setting:

Disable Opt-in Wizard on first run


Welcome to your new Office

To disable the Welcome to your new Office prompt:


… load the Office 2013 ADM or ADMX templates and navigate to:

User Configuration > Policies > Administrative Templates > Microsoft Office 2013 > First Run 

Then enable the following setting:

Disable First Run Movie


Enable the following setting as well:

Disable Office First Run on application boot


Outlook 2013 Cached Exchange Mode

XenApp and RDS servers more often than not operate Outlook in non-cached mode so to ensure that this is disabled, load the Office 2013 ADM or ADMX templates and navigate to:

User Configuration > Policies > Administrative Templates > Microsoft Outlook 2013 > Account Settings > Exchange > Cached Exchange Mode

Then disable the following setting:

Cached Exchange Mode (File | Cached Exchange Mode)


Proceed and also disable the following setting:

Use Cached Exchange Mode for new and existing Outlook profiles


Remove Add Account Citrix Receiver

To remove the Add Account Citrix Receiver prompt for new profiles:


… use the following Citrix KB:

http://support.citrix.com/article/CTX135438

Method 3

Change Registry values post installation to suppress the Add Account window.

  1. Under HKLM\Software\Citrix\Dazzle, set AllowAddStore value to N.
    Note: On 64-bit machines, use HKLM\Software\WOW6432Node\Citrix\Dazzle.
  2. Restart Citrix Receiver for Windows to apply the new Registry value.

Welcome to Microsoft Office 2010

To disable the Welcome to Microsoft Office 2010 prompt:


… load the Office 2010 ADM or ADMX templates and navigate to:

User Configuration > Policies > Administrative Templates > Microsoft Office 2010 > Miscellaneous 

Then enable the following setting:

Suppress recommended settings dialog


Outlook 2010 Cached Exchange Mode

XenApp and RDS servers more often than not operate Outlook in non-cached mode so to ensure that this is disabled, load the Office 2010 ADM or ADMX templates and navigate to:

User Configuration > Policies > Administrative Templates > Microsoft Outlook 2010 > Account Settings > Exchange > Cached Exchange Mode

Then disable the following setting:

Cached Exchange Mode (File | Cached Exchange Mode)


Outlook 2010 Do not prompt user to create new profile

If you do not want users to be prompted with the wizard to create their Outlook profile, navigate to:

User Configuration > Policies > Administrative Templates > Microsoft Outlook 2010 > Account Settings > Exchange

Then enable the following setting:

Automatically configure profile based on Active Directory Primary SMTP address
