17 April 2020

RDS customizations

This is a bit of a long post, so I apologize in advance… Sorry, but not sorry. There are a lot of things that you can customize in a RDS / RD Web Access deployment.

I’m doing these edits, or customizations on a Windows Server 2019 deployment, they should [in theory] work though on RDS deployments as far back as Windows Server 2012/R2, though your mileage may vary – see disclaimer below.

Standard disclaimer… Make sure to backup folders and files before you start making changes. I’m not responsible for anything you break, you’ve been warned.

Eliminate “/RDWeb” from the RDS URL

When adding the RD Web Access role on your remote desktop gateway or broker, it will auto-magically create the RDWeb website in IIS for you.

RDS sets up the the url for your site in the following format: “rds.playswellwithflavors.com/RDWeb” or “example.com/RDWeb”. However, you likely are not using this IIS host to serve up any other webpages other that RDS Web Access… So you probably want to eliminate the need for user to have to enter that “/RDWeb” at the end of the url. And make it appear as just “rds.playswellwithflavors.com” or “example.com”.

Microsoft makes this very easy to accomplish with a simple redirect in IIS.

  • Open IIS.
  • Click on the ‘Default Web Site’ in the left-side pane.
  • Click on ‘HTTP Redirect’ in right-side pane.
  • Check the box for ‘Redirect requests to this destination’.
    Enter in the field under it: /RDWeb
  • Click ‘Apply’.
  • Restart IIS
  • Test your website to confirm that you can reach it with the base url, without the “/RDWeb” appended at the end.

Password Reset Link

This customization will edit the Web Access Login Page to add a password reset link where users can change their AD passwords from the main login page.

  • Open IIS
  • In the left-hand pane, drill down into “Server”->”Sites”->”Default Site”->”RDWeb”->”Pages”
  • Double-click on “Application Settings” in the right-hand pane.
  • Find the value “PasswordChangeEnabled” and double-click on it. Edit it to ‘True’.
  • Click ‘Ok’.

Now that we edited that value to ‘true’, if the user’s password expires they will be prompted to change their password. That’s handy, right!?
Well, if you liked that, then let me tell you that it is possible to go one step further and make a link on the main page for them to reset their password, anytime.

  • Open the following folder: %windir%\Web\RDWeb\
  • Since we are going to be editing stuff here, make a backup copy of the “Pages” folder.
  • Now open the folder: %windir%\Web\RDWeb\Pages\en-US\
  • Right-click on the file “login.aspx” and select ‘Edit’.
  • With the file open, press “Ctrl+F” and then search for “userpass”.
  • Scroll down under the table that “userpass” is in. This is where we want to add our password reset link. Copy the code below and paste it into your file, then save and close it.
<td align="right">
Click <a href="password.aspx" target="_blank">here</a> to reset your password.
  • Reload the page in your browser to view the password reset link.

Change “Domain\user name” to “Email”

At the Web Access login page, I like to change the prompt for “Domain\user name” to “Email Address”. Call me cynical, but I find that users can remember their email address, but will almost always call and ask what to put as the domain. I like to just change this to what the user will understand and prevent them from needing to call me.

  • Now open the folder: %windir%\Web\RDWeb\Pages\en-US\
  • Make sure that you have already made a backup copy of the “Pages” folder.
  • Right-click on the file “login.aspx” and select ‘Edit’.
  • Look for “L_DomainUserNameLabel_Text” on line 21.
  • Change the value “Domain\\user name:” to “Email Address:”.
  • Look for “L_DomainNameMissingLabel_Text” on line 30.
  • Change the value “You must enter a valid domain name.” to “You must enter a valid email address.”
  • Save and close the file.
  • Reload the page in your browser to view the change.

Change the “Work Resources” text on the Login page

This will let you customize the text displayed with your logo in the upper left corner of the RDWeb login page.

  • Open an administrator PowerShell window on the RD Connection Broker.
  • Enter the following command: Set-RDWorkspace -Name "<YourBrandingHere>"
  • Reload the page in your browser to view the change.

Changing the RD Logos

You can brand your RD Web Access page with your company logo. There are two logos you can change. One is in the upper left corner, and the other one is smaller and in the upper right corner.

  • Take your logo image and resize it into two .png files with the names and dimensions specified below;
    • logo_01.png – 16pixels x 16pixels
    • logo_02.png – 48pixels x 48pixels
  • Now open the folder: %windir%\Web\RDWeb\Pages\images\
  • Make sure that you have already made a backup copy of the “Pages” folder.
  • Copy and paste the your logo image files into this folder.
  • Open IIS and restart the service.
  • Reload the page in your browser to view the change.
  • The “logo_01.png” file will replace the icon in the upper right corner.
  • The “logo_02.png” file will replace the icon in the upper left corner.

Change the “To protect against” message

This is the message on the login page that is beneath the “Sign In” button. You can customize it to your own message.

  • Now open the folder: %windir%\Web\RDWeb\Pages\en-US\
  • Make sure that you have already made a backup copy of the “Pages” folder.
  • Right-click on the file “login.aspx” and select ‘Edit’.
  • Look for “L_TSWATimeoutLabel_Text” on line 43.
  • Modify that value there to include your custom message.
  • Save and close the file.
  • Reload the page in your browser to view the change.

Change the RD Workspace name and other text

You can customize other text displayed on your RDWeb login page. Things like the page title and other small branding type changes…

  • Now open the folder: %windir%\Web\RDWeb\Pages\en-US\
  • Make sure that you have already made a backup copy of the “Pages” folder.
  • Right-click on the file “RDWAStrings.xml” and select ‘Edit’.
  • Make changes as desired to reflect what you want displayed;
    • PageTitle, line 3
    • HeadingRDWA, line 10
    • HeadingApplicationName, line 11
    • Help, line 12
  • Reload the page in your browser to view the change.
    • Note: Chrome based browsers like to cache these… Use a private browsing tab, or flush your browser cache if the changes are not appearing after reloading the page.

Remove ‘Help’ Link

This will remove the ‘Help’ link on the RDWeb login page that links to this MS documentation.

  • Now open the folder: %windir%\Web\RDWeb\Pages\
  • Make sure that you have already made a backup copy of the “Pages” folder.
  • Right-click on the file “site.xsl” and select ‘Edit’.
  • Press ‘Ctrl+G’ and enter 150, to go to line 150
  • Select and then delete lines 150-158.
  • Open IIS and restart the service.
  • Reload the page in your browser to view the change.

Change the Server Logo on Login Page

You can remove the “Server 2012” or “Server 2016” or “Server 2019” logo that is on the login page. I like to replace it with a 1px-by-1px transparent image. It won’t do much overall… But perhaps it’ll make a malicious person have to work a tad bit harder to determine what you’re OS you are on.

  • Replace the following image: %windir%\web\rdweb\pages\images\WS_h_c.png

Change the Microsoft Logo on Login Page

You can remove the “Microsoft” logo that is on the login page. I like to replace it with a 1px-by-1px transparent image. It doesn’t hurt anything being there, but if you’re cleaning up and editing the branding of your site, why would you leave this logo on it?

  • Replace the following image: %windir%\web\rdweb\pages\images\mslogo_black.png

If I come across other customization tips I’ll add them here…

9 April 2020

Setup BGInfo on Windows

BGinfo is a great utility/tool that I really like and I literally have on every server I deploy. It is totally customize-able and able to display whatever system information that you feel is important to you, right on the desktop background making it easy to see at a glance. It could be used to display anything from the server’s name, IP addresses, hard drive usage, memory usage, OS version, or even the user that you are currently logged in as.

Download BgInfo – https://docs.microsoft.com/en-us/sysinternals/downloads/bginfo

Create a folder, c:\utilities\, and make sure that all users have read and write access to it.

Move the BGInfo utility into the c:\utilities\ folder.
I also like to place any other Sysinternals utilities that I am using into this c:\utilities\ folder.

Run the BGinfo utility and take a few minutes to configure what information you wish to be displayed on your background.
Then save your configuration to the c:\utilities\ folder.

Create a shortcut to either Bginfo.exe (if you are on a 32-bit machine) or Bginfo64.exe (if are on a 64-bit machine).

Edit the target of that shortcut to include the name of your BGinfo configuration file.
In the picture below I’ve named mine “c:\utilities\mybgconfig.bgi”.

A few more handy suggestions to include in your shortcut’s target are:

  • /timer:0 – to avoid the typical UI popup
  • /nolicprompt – to make sure new users are not prompted with the EULA
  • /silent – to silence and errors

Which would result with the target field looking like:

c:\utilities\Bginfo64.exe c:\utilities\mybgconfig.bgi /timer:0 /nolicprompt /silent

Follow my article about finding the startup folder in Windows, and make a copy of your shortcut into that startup folder.
I prefer to copy the shortcut to the “Common Startup” folder, that way it will launch for any user that logs into the machine… But it’s up to you if you want to put it in the “User Startup” or “Common Startup” folder.

Now it’s time to test it out! Try logging out and then logging back in.

9 April 2020

Finding the Startup Folder on Windows

In recent years Microsoft has moved around where they “hide” the startup folder. That’s the folder that gets used to launch applications that start automatically when the user logs in. It’s not necessary hard to find, but it is well hidden.

There’s actually two places that startup folder lives. Each user has their own startup folder that will launch programs specific to that user. And there is also a common startup folder which will launch programs for any and all users that log into that machine.

How to find the users’ individual startup folder

  • Right click on the start menu and select ‘Run’.
  • Type “shell:startup” and click ok.
  • The startup folder will open, and you can drag-and-drag and shortcuts or applications you need into.

If you need to manually dive thru folders to get to the user’s startup folder, go to, but remember to change “<USER>” to the one you’re looking for:

C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

How to find the all users’ common startup folder

  • Right click on the start menu and select ‘Run’.
  • Type “shell:common startup” and click ok.
  • The startup folder will open, and you can drag-and-drag and shortcuts or applications you need into.

If you need to manually dive thru folders to get to the common startup folder, go to:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
4 April 2020

Run Application as Different User

Windows makes it incredibly easy to run an application or script as another user on your computer. I find that I most often use this to run administrative or domain tools, when I’m logged in as just a normal user.

Method 1

This is the easiest method. While it took me a little while to remember it, I now use it almost daily and without even thinking about it.

Press and hold down the ‘Shift’ key on your keyboard, while you right-click on the program you want to launch.

This will only work on executable (EXE) files or shortcuts to executable files. If you try this and don’t see the option, then it is not an executable file.

Method 2

This method will create a shortcut that “knows” to launch an application as another user.

Create a shortcut to your executable

Right-click on the shortcut and modify the “Target” to:

runas /user:DOMAIN\USERNAME "path to executable"

Click ‘OK’. Then launch your shortcut. You will get prompted for your password everytime you launch your shortcut.

If you need to store the password with your shortcut, then modify the “Target” to this instead:

runas /savecred /user:DOMAIN\USERNAME "path to executable"

Click ‘OK’. Then right-click and select “Run as Administrator” the first time you use the shortcut. You will be prompted for the user password and it will get saved. From then on, just clicking the shortcut will launch it as your desired user.

Method 2.5

Alright this is basically the same method as above, so I didn’t feel right calling it a third method.

You can take the same trick from “Method 2” and just use it to run an application from a command prompt window.

C:\> runas /user:DOMAIN\USERNAME "path to executable"

3 April 2020

Pull Certificate from Digitally Signed Application

Most companies will use a certificate to sign their applications before they release their software to the world. This helps the user know to that the software they are running actually came from the software vendor, and hasn’t been altered or changed by someone.

Certificates are based on key pairs. There is a public key, and a private key. In terms of digitally signing an application, the public key is often just referred to as the Certificate.

How it works, in simpified terms… The software vendor holds a private key, and they guard it, keeping it safe in their organization. You can also think of is their fingerprint that they’ll use when signing something as it is unique. The public key is what we can see. Using a hash in the digitally signed application, we can use their public key, to see is if the hash value can be verified. If it checks out then we know that the digital signature is valid. If it doesn’t, well then we know the signature has been altered.

The I’ll show you below how you can pull the public half of the Certificate from an application. In this example we’ll pull Adobe’s certificate from Adobe Reader DC.

Right click on the application you want the signature of and select “Properties”

Click the “Digital Signature” tab, select the signature, then click the “Details” button.

Note: If you do not see the “Digital Signature” tab, then the file is not digitally signed.

Click the “View Certificate” button.

Click the “Details” tab and then select the “Copy to File” button.

Follow the “Certificate Export Wizard”.

After completing the export wizard, you’ll have the digital signature certificate of the digitally signed application.

Here’s an article I wrote that includes how to set a software restriction GPO policy using a certificate rule.

1 April 2020

Software Restriction by GPO

Using GPOs is a great way to allow or block programs from running on your corporate network. Just be careful and limit yourself to only blocking the applications which you actually have a need to block. Don’t go too crazy locking down programs

Microsoft first made the introduction of “Software Restriction Policies” in Windows Server 2008 and they’ve continued to evolve. Today I will show you four ways which Microsoft allows us to restrict programs from running.

  1. File Path / File Name Rule
  2. Network Zone Rule
  3. Hash Rule
  4. Certificate Rule

To begin, fire up the Group Policy Management Editor. Click on the start menu and type “gpmc.msc”. If you are on a Domain Controller it should work. If you’re on a workstation you’ll likely have to run Server Manager as a Domain Admin (or other user with the correct administrative privileges), choose “Group Policy Management” from the ‘Tools’ dropdown.

Once it’s open, scroll down to the folder “Group Policy Objects” and right-click on it to create a “New ” policy object. Give it an appropriate name, something like “Software Restrictions – Test”. Now find and right-click on your new policy and select “Edit…”.

The software restriction policy exists under both “Computer Configuration” and “User Configuration”. So depending on your needs, you can lock down either the user or the computer. 

Drill down into the policy… “Policies” -> “Windows Settings” -> “Security Settings” -> “Software Restriction Policies”.

Right-click on “Software Restriction Policies” and click “New Software Restriction Policies”

Select and open the “Additional Rules” folder.

Right-click under the two pre-existing default entries, and then from that drop-down menu select the type of rule you want to create. I’ll expand on the four methods below…

There are three security levels used in all of these rules:

  1. DISALLOWED: Software will not run, regardless of the access rights of the user.
  2. BASIC USER: Allows programs to run only as standard user.  Removes the ability to “Run as Administrator”.
  3. UNRESTRICTED: No changes made by this policy – Software access rights are determined by the file access rights of the user.

My examples below all show how to block software with ‘dissallowed’ rules. But just remember that you can just as easily allow for software by using ‘basic user’ and ‘unrestricted’ rules. Use them wisely!

1. Block by File Path / File Name Rule

In this example I will show you how to lock down the computer from running WordPad.

Select “New Path Rule”.

Type, or use the “Browse…” button, to enter the file path or file name you wish to block. Make sure that the ‘Security level’ is set to “Dissallow”. Then click ‘OK’.

Note: System variables will all function in the rule, variables such as %windir%, %ProgramFiles(x86)%, %AppData%, %userprofile%, and others.

It is important to note that many applications launch in more than just one way. So you may have to block multiple executables to fully block the application, just fyi.

You also need to take note of where/how software get launched from, as some applications have multiple ways they can be launched. Just FYI, in case you start banging your head as to why some block rule doesn’t seem to be working.

Also be careful using just the file name itself to try to block a program from running. If you were to block just the file name ‘update.exe’ for example, hundreds of applications all ship with an ‘update’ executable and they would all be hindered and unable run.

My rule of thumb is to always use the full path unless it’s truly a unique file name, and even then I still prefer to use the full path.

2. Block by Network Zone Rule

Select “New Network Rule”.

Select the Network zone you want to block. Make sure that the ‘Security level’ is set to “Dissallow”. Then click ‘OK’.

These rules allow you to block programs if they come from sites you’ve designated into a zone, like your Restricted sites. Or in the case that you were to be creating an allow rule, your local Intranet. While this option exists, it seems unlikely to me that most SMBs ever use it.

3. Block by Hash Rule

In this example I will show you how to lock down the computer from running WordPad.

Select “New Hash Rule”.

Use the “Browse…” button to navigate to the file which you are wanting to block. Select the file and click ‘Open’. It will automatically pull the needed file information and the “hash” it needs from the file you selected. Make sure that the ‘Security level’ is set to “Dissallow”. Then click ‘OK’.

The only problem this method has is that file hashes change any time there is ANY change to file. It doesn’t matter how small of a change is made, it will always create a new hash. That means that hash rules are best applied to older software that you are trying to kill, and not for programs that get updated often.

4. Block by Certificate Rule

In this example we will be blocking applications signed by Adobe Inc.

Select “New Certificate Rule”.

Use the “Browse…” button to navigate to the certificate file which you are wanting to use to block signed software. Select the file and click ‘Open’. Make sure that the ‘Security level’ is set to “Dissallow”. Then click ‘OK’.

Certificate rules are by far one of the most secure rules as they rely on certificates from trusted publishers. Because of this but they require more work on the PC’s part as it goes out and tries to verify the validity of the certificate, so they may significantly effect performance. I can’t tell you how much of an impact they’ll create, but it’s enough that MS warns us. Also, if the certificate ever expires, you’ll need create a new rule.

Here is how you can pull a certificate from a digitally signed application.

30 March 2020

Fix Quick Access Links in Windows

The Quick Access links is a feature in Windows that gives the user an easy way to access the folders which use frequently by pinning them to the top of the left pane in ‘File Explorer’. Sometimes the file that stores the pinned items can get corrupted and thus you loose access to the Quick Access pinned items. Here’s a few ways to fix it.

Method 1

We can reset the Quick Access Recent Items. This method will only apply to “stuck” recent folders, and won’t affect your pinned folders.

Right click on the Quick Access star icon and then click on ‘Options’.

Click the ‘Clear’ button under ‘Privacy’.

All of your Recent folders will be cleared from the Quick Access list.

Method 2

This method will reset and clear the Quick access shortcuts. But in my opinion this is the better way to fix it, as you can always re-pin your shortcuts.

Open File Explorer and copy/paste the following folder location:


Look for and then delete this file from the folder:

cmd.exe /c del “%AppData%\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms”

*Or you can open a ‘Run’ dialog (Windows key + R) and copy/paste the following command into it to delete the file.

cmd.exe /c del "%AppData%\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms"

This method will remove and clear any custom pinned items and frequent items from the Quick Access list. Windows will automatically regenerate the “f01b4d95cf55d32a.automaticDestinations-ms” file the next time that you launch File Explorer and wil list the default Quick Access links which you can expand upon.

27 February 2020

Server Manager – Orphaned RDS

So I’ve seen this a couple times and I always forget how to handle it, so hopefully writing this down will help me remember for next time…

You are replacing some Remote Desktop Session Host (RDSH) with a newer server, and everything looks good-to-go. Back on your Remote Desktop Connection Broker (RDCB), you have Server Manager open, and you proceed to remove the old RDSH servers. Easy. You then go back to edit other properties in in your RDS deployment and – BAM – you get an error message that states:

The following servers in this deployment are not part of the server pool:
1. <Old.RDSH.ServerName>
The servers must be added to the server pool

Powershell to our rescue! On your RDCB, open up a PowerShell window as an Administrator. Run the command below.

PS C:\> Get-RDServer

This will return a list of all the Remote Desktop servers you have in RDCB as well as their installed roles. You should see your old, unwanted, RDSH server in that list. Next, we can enter the command below to remove our orphaned RDSH server.

PS C:\> Remove-RDServer Old.RDSH.ServerName RDS-RD-SERVER

This will remove the ‘RDS-RD-SERVER’ role. Now if you go back to your RDCB, and back to your deployment, everything should be back to normal. It is no longer expecting the “Old.RDSH.Server” to be a server that Server Manger manages. In fact, at this point you should be able to remove it as a managed server.

Note: RDS is a complicated beast. The above mentioned trick utilizing PowerShell has worked for me the couple times I’ve needed in my scenario. However, your mileage may vary depending on your environment.

13 February 2020

Window 2019 KMS key and VAMT

Was beginning the introduction of Windows Server 2019 to a work environment and ran into some hurdles that were easily cleared, but want to share…

To begin with, you need to have a Volume Licensing agreement with Microsoft. We did and so I jumped into the MS Volume Licensing Service Center (VLSC) portal to grab our Client Specific Volume License Key (CSLVK) Key Management Service (KMS) key.

The CSLVK KMS key is what gets loaded into the KMS server. It’s basically your volume license key that gets hosted internally. The servers and desktops then use a Generic Volume License Key (GVLK) which let the machine know it needs to find and activate against an internal KMS resource and not go out to activate against Microsoft’s servers.

FWIW – you can find all of the GVLK product keys here – https://docs.microsoft.com/en-us/windows-server/get-started/kmsclientkeys

Apparently even if you have the Volume Licensing agreement, MS doesn’t automatically issue the CSLVK KMS key to you in your portal. You actually have to call them, verify some info, and have them generate a key for you which will then show up in your portal. The whole process took just under 5 minutes for me, and I was able to verify that I saw the key in my portal while I was still on the phone with MS.

To contact them I called 1-866-230-0560, option 4, option 1. That got me directly in contact with a representative that was able to issue the key. (Note: Menu options may change, I called in February 2020)

Jumping back into my KMS server, i tried to import the key directly into VAMT, also known as the Volume Activation Management Tool. This failed. I tried a couple more times, I even reinstalled the VAMT tool from the ADK toolkit. Nothing worked. Apparently though, I found out that this is a know issue. https://docs.microsoft.com/en-us/windows/deployment/volume-activation/vamt-known-issues

The workaround was to the slmgr.vbs tool. Entering the command below, allowed it to get added successfully. Replacing <CSVLK> with my actual key issued by MS. After entered, you’ll see a pop-up message stating that the key has been successfully added.

slmgr.vbs /ipk <CSVLK>

Once I had added my CSLVK, I was able to jump back into a new Windows Server 2019 virtual machine that I had created and use the slmgr.vbs command below to successfully activate the new virtual machine against my KMS server.

slmgr.vbs /ato