Install Remote Desktop Services Host (RDS) without Domain (in a Workgroup)

This article explains how to install and configure the Remote Desktop Session Host terminal server role on a standalone Windows Server 2022/2019 in a workgroup (without an Active Directory domain) and without any other additional roles (Connection Broker, Remote Desktop Web Access, RDS Gateway).

Compared to the functionality available in an AD domain, the capabilities of a single RDS server deployment in a workgroup are limited. It cannot be scaled to a full-featured RDS farm, you cannot create separate session collections or publish RemoteApps, there is no Connection Broker, you cannot use User Profile Disks, the RDS service won’t be available to users during maintenance operations when the host is in the drain mode.

How to Install the RD Session Host Role on Windows Server

It is assumed that you already have a host with Windows Server (2022, 2019, or 2016) in place and have configured the basic settings (set network parameters and static IP address, server name (hostname), time/date and time zone, install the latest updates, etc.). You can now install the RDS role from the Server Manager console or PowerShell

To install the RDS using Server Manager, select Remote Desktop Session Host and Remote Desktop Licensing in Role-based or Feature-based installation -> Server roles -> Remote Desktop Services in RDS components (agree to install RSAT features to manage the roles).

Note that if you have selected the Remote Desktop Services installation in the Server Manager, the wizard will automatically install the RD Connection Broker and Web Access roles in the Standard deployment or Quick Start modes. In our case, there is no need for all of these roles, as we are installing a standalone RDS host.

You can also install Windows Server roles using PowerShell:

Install-WindowsFeature -Name RDS-Licensing, RDS-RD-Server –IncludeManagementTools

Check which RDS roles are installed on your server:

Get-WindowsFeature -Name RDS* | Where installed

Restart Windows with the command:

Restart-Computer

Install the RD Licensing Role and RDS Licenses (CALs)

The next step is to configure the Remote Desktop Licensing role, which provides licensing for users’ RDP connections. You can install and activate Remote Desktop Licensing and RDS CALs on the same host (if you have only one host in your network) or can place the RD Licensing role on a different server. A server with the RDS Licensing role can issue licenses to any number of RDS Hosts.

In a workgroup, you should use only Per-Device RDS CALs. If your licensing server only issues per-user licenses, the RDSH server will force users to log out every 60 minutes:

Remote Desktop License Issue
There is a problem with your Remote Desktop license, and your session will be disconnected in 60 minutes.

Configure the Remote Desktop Session Host in a Workgroup

Open the Remote Desktop Licensing Diagnoser console (lsdiag.msc). Note that your server is not yet configured to receive RDS CALs from the licensing server.

• The licensing mode for the Remote Desktop Session Host server is not configured
• Number of licenses available for clients: 0

If you do not point your RDSH to the licensing server, your server will be in trial grace mode. Users can only use it for 120 days ( a message will appear in the tray each time you connect: The Remote Desktop service will stop working in xxx days). Once the grace period has expired, your users will no longer be able to connect to the RDS with the error message:

Remote session was disconnected because there are no Remote Desktop client access licenses available for this computer.

Use the local Group Policy Editor console (gpedit.msc) to set the RDS licensing server address and license type.

1. Expand to Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Licensing;
2. Enable the option Set the Remote Desktop licensing mode and change to Per Device;
3. In Use the specified Remote Desktop license servers option, specify the IP address of the host on which the RD Licensing server is installed. If the RD licensing server is installed locally, enter localhost or 127.0.0.1;
4. Update local Group Policy settings and run the Remote Desktop Licensing Diagnoser. Make sure that it sees your RDS CALs.

In addition, you can use local GPO settings to set limits (timeouts) on the duration of RDP sessions and rules for disconnecting users when they are inactive.

Then create local user accounts on your RDS host. You can create users in  lusrmgr.msc or with PowerShell:

$UserPassword = ConvertTo-SecureString "PaSS123!" -AsPlainText -Force
New-LocalUser a.brown -Password $UserPassword -FullName "Andi Brown"

To allow a user to connect through Remote Desktop Services, add the user account to the local Remote Desktop Users group. Add users manually using the computer management console or with PowerShell:

Add-LocalGroupMember -Group "Remote Desktop Users" -Member a.brown

Now users can try to connect to your RDS host from their computers using the mstsc.exe client (or any other RDP client). Ensure that more than two active users can connect to the server simultaneously.

At the first login, a temporary license is issued for a user device (an RDS Per-Device licensing feature). The second time you log in, a permanent license is issued, which appears in the Remote Desktop Licensing Manager. Licenses are issued for 52-89 days (random number).

The following Event Viewer event provides information on the successful issuance of an RDS CAL (Applications and Services Logs -> Microsoft -> Windows -> TerminalServices—Licensing -> Operational).

Event ID: 82 The "Temporary" Windows Server 2022 : RDS Per Device CAL belonging to computer "ComputerName" has been upgraded to "Permanent" Windows Server 2022 : RDS Per Device CAL.

If you need to connect to a user’s RDP session, you can use the RDS shadow connection mode (it also works on an RDSH in a workgroup).

Publish RemoteApp on RDS Without Domain

On an RDS host in a workgroup, the session management console is not available, so there are no tools to publish RemoteApp. There is a workaround that allows you to publish any application as an RDS RemoteApp without an Active Directory domain.

Example REG file for publishing AdobeReader as a RemoteApp on the RDS session host:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList\Applications\MyAdobeReaderApp]
"CommandLineSetting"=dword:00000000
"RequiredCommandLine"=""
"Name"="Adobe Reader"
"Path"="C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"
"ShortPath"="C:\\PROGRA~1\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"
"IconPath"="C:\\PROGRA~1\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"
"IconIndex"=dword:00000000
"ShowInTSWA"=dword:00000001
"SecurityDescriptor"=""

Replace the app name and paths in the REG file with yours and import it into the RDSH registry.

To automatically launch the published RemtoteApp, manually edit the *.RDP file. Add the following lines to the RDP file:

remoteapplicationmode:i:1
alternate shell:s:||MyAdobeReaderApp
remoteapplicationname:s:MyAdobeReaderApp
remoteapplicationprogram:s:||MyAdobeReaderApp

Try to run a RemoteApp application on the RDS by using your RDP file. The application published on RDSH should launch successfully on your desktop.

Configure the RD Gateway without a Domain (in a Workgroup)

If you need to provide secure access to your RDS host over the Internet, it is recommended that you place it behind a VPN or publish it through the RD Gateway.

The Remote Desktop Gateway allows you to securely access an RDS from the Internet using a secure SSL/TLS connection on port TCP:443 (rather than opening default RDP port 3389, which constantly logs attempts to brute-force passwords over RDP)

Contrary to popular belief, RD Gateway can be deployed in a workgroup environment (without an Active Directory domain). Refer to this guide for detailed instructions on how to set up an RD Gateway without a domain.