Install and configure a Remote Desktop certificate on RD Session Host servers

When installing a Remote Desktop farm with an RD Gateway on Windows Server 2012, you install a certificate for the Broker, Web Access and Gateway roles using Server Manager. However, this does not add the certificate to the Remote Desktop Session Host (RDSH) servers. This means that you get a warning when connecting to a RemoteApp or desktop, because the RDSH servers will have a self-signed certificate. You can replace this certificate with a valid certificate. You will continue to get warnings in the following cases:

  1. The name on the certificate does not match the RDSH server name
  2. The certificate is not from a trusted root certificate authority

The best way to resolve this is to purchase a single wildcard certificate e.g. * that covers both the RDWeb URL, as well as the server names. This also requires that your internal domain is a subdomain of your external domain. So you might use on the web, and as your AD domain. Your RDSH server is then e.g. You could also use a SAN certificate.

Note that you should NOT replace the certificates on the RDSH servers as listed below, if you are using self-signed certificates and you want to be able to connect from clients which are not joined to your domain. Even if you trust the root manually, the revocation information will not be available, and clients will not be able to connect, and will give a 0x607 error. See for more info on this error.

If you are just connecting internally from clients in the same domain, you should be able to use an internal Enterprise CA to create a SAN or wildcard certificate which you can use on your servers. So, only replace the certificates on the RDSH servers if:

  • Clients are all in the same domain and you are using internal certificates
  • Clients are outside the domain, but you have purchased commercial certificates

It is necessary to install the certificate on all of the RD Session Host servers manually. This is because there is no way to do this using the Server Manager GUI, and the certificate is not applied to session host servers automatically when configuring the certificates on the other roles.

  • Open the MMC and open the Certificates snap-in
  • Add the Local Computer
  • Import the certificate into Computer\Personal
  • Open the certificate and find the thumbprint on the Details tab. Copy the thumbprint to Notepad and delete all the spaces.
  • Open up an elevated PowerShell prompt and write:
      wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="PASTE_THUMBPRINT_STRING"
  • You can check the certificate by running:
      Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"

Note that sometimes for the last command, you may need to remove the end quotes around RDP-tcp and type them in again if pasting.
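
The steps above as one elevated PowerShell script, added here as an example and not part of the original post: it keeps only the hex digits of the pasted thumbprint (which also drops the invisible character that often comes along when copying from the certificate dialog), checks the certificate locally, then sets and reads back the listener binding. It assumes clients connect to the server by its FQDN, and it uses Test-Certificate from the PKI module, which judges trust and revocation from the server's point of view, not the client's.

```powershell
# Added example, run elevated on each RD Session Host.
# PASTE_THUMBPRINT_STRING is the placeholder used in the steps above.
$RawThumbprint = 'PASTE_THUMBPRINT_STRING'

# Keep hex digits only. This drops spaces and the invisible Unicode mark that
# is often copied along with the thumbprint from the certificate dialog.
$Thumbprint = ($RawThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($Thumbprint.Length -ne 40) {
    throw "Expected 40 hex characters (SHA-1 thumbprint), got $($Thumbprint.Length)."
}

# The certificate must be in Computer\Personal together with its private key.
$Cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $Cert) { throw "No certificate $Thumbprint in Cert:\LocalMachine\My." }
if (-not $Cert.HasPrivateKey) { throw 'The certificate was imported without its private key.' }

# Assumption: clients connect to this server by its FQDN.
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Test-Certificate builds the chain, checks revocation and matches the name,
# which covers both warning causes listed above (as seen from this server).
if (-not (Test-Certificate -Cert $Cert -Policy SSL -DNSName $Fqdn)) {
    throw "Certificate fails SSL validation for $Fqdn; not changing the listener."
}

# Bind the certificate to the RDP-tcp listener (same WMI class as the wmic command).
$Filter = "TerminalName='RDP-tcp'"
$Listener = Get-WmiObject -Class Win32_TSGeneralSetting `
    -Namespace root\cimv2\TerminalServices -Filter $Filter
$Previous = $Listener.SSLCertificateSHA1Hash
Set-WmiInstance -Path $Listener.__PATH `
    -Arguments @{ SSLCertificateSHA1Hash = $Thumbprint } | Out-Null

# Read the setting back instead of trusting the write.
$Bound = (Get-WmiObject -Class Win32_TSGeneralSetting `
    -Namespace root\cimv2\TerminalServices -Filter $Filter).SSLCertificateSHA1Hash
if ($Bound -ne $Thumbprint) {
    throw "Listener still reports $Bound (was $Previous)."
}
"RDP-tcp now uses $Thumbprint ($($Cert.Subject)), valid until $($Cert.NotAfter)."
```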

See for more information.

Customising the RDWeb web page

This outlines the customisation options with the default RDWeb page in Microsoft Server 2012, when using Remote Desktop Services with RDWeb. You can easily replace the logo and text at the top of the page.

As an example, you can change the default:


To something like this:


Replaceable Company Logo Image

Add the new Icon into the image folder

  • Add the new icon into the images folder located in:


Modify the site.xsl file

  • Backup this file:


To e.g. C:\Windows\Web\RDWeb\Pages\Site.xsl.bak

The word Replaceable appears 3 times in this file. Do a find for this word to find the sections below:

Run Notepad as admin and open the file. I find the easiest way to do this is to run PowerShell as admin, and then launch Notepad from there. That way, if you close Notepad, you can quickly launch it as admin again without having to find Notepad.

Edit the file:


Replaceable Company Logo Image


<img src="../images/logo_02.png" width="48" height="48"/>

To e.g.:

<img src="../images/donkey_blue.png" width="58" height="34"/>

Replaceable Company Logo Text and Application Type


<td class="headingCompanyName"><xsl:value-of select="@workspacename"/></td>

To e.g.:

<td class="headingCompanyName">msdonkey remote access</td>


<xsl:value-of select="$strings[@id = 'HeadingApplicationName']"/>

To e.g.:

RemoteApps and Desktops

Automatic Virtual Machine Activation (AVMA) on Windows Server 2012 R2 Datacenter

Automatic Virtual Machine Activation (AVMA) is a new feature in Windows Server 2012 R2 which allows you to activate guest virtual machines automatically, when you have a Hyper-V host that is running Windows Server 2012 R2 Datacenter. This is a pretty awesome feature, especially in a test lab environment when you may have a Technet (RIP) or MSDN Datacenter product key, and don’t want to use up all of your activations on temporary guests. This is how I manage my lab at home, which consists of 2 HP Microservers with 16GB of RAM in each:

  • Install your Hyper-V hosts with Windows Server 2012 R2 Datacenter and activate using a valid key
  • Add the Hyper-V role
  • Install guests running one of the following Operating Systems:
    • Windows Server 2012 R2 Datacenter
    • Windows Server 2012 R2 Standard
    • Windows Server 2012 R2 Essentials
  • During setup, either paste in the key below or add it to your unattend files
  • When you logon, you will find that Windows is already activated!
  • Note that you could also do this after installation, if you skipped entering a key during setup (see this post on how to do that), either entering it manually when activating, or use slmgr /ipk <AVMA_key>

These are the keys that Microsoft provide for use with AVMA:

Edition       AVMA key
Datacenter    Y4TGP-NPTV9-HTC2H-7MGQ3-DV4TW
Essentials    K2XGM-NMBT3-2R6Q8-WF2FK-P36R2


In my lab setup, I run sysprep on the first VM that I create, generalise and shut it down, and then create further VMs using a differencing disk with this as the master. This saves a lot of disk space. All the VMs using this template are then activated automatically with no further configuration required.

See for more information.

Install Windows to VHDX virtual hard disk on a new hard drive

This is how I create VHDX files during Windows setup, first formatting a blank disk, creating a VHDX virtual hard disk, and then installing Windows on the disk.

  1. Insert the Windows Server 2012, 8.1, or 7 DVD or bootable USB key. I always use a USB key as it is so much faster.
  2. Press SHIFT-F10 to get to a command prompt when setup is loaded.
  3. Type in diskpart
  4. list disk (note the disk ID)
  5. select disk 0 (assuming that it was listed as disk 0)
  6. clean
  7. create partition primary
  8. select partition 1
  9. active
  10. format fs=ntfs
  11. assign
  12. create vdisk file="C:\disk1.vhdx" maximum=50000
  13. attach vdisk
  14. exit

Now go back to setup and click through to the disk selection screen, or refresh if you were already there, and you will see the virtual disk. Windows will say that it cannot be installed onto this disk, but just press Next and it should install and boot with no issues.

Also see

Skipping product or license key during installation of Windows 8 and Server 2012

Windows 8 and Server 2012 have an annoying default installation process which forces you to enter a product key during installation. Often you may want to paste this in later, or just not enter one if you are installing a demo or test system; having to type one in manually is a massive pain. Luckily, you can easily modify the installation so that it lets you skip the requirement for entering the product key. The easiest way to do this is by creating the ei.cfg file in the Sources folder in your ISO or USB media.

For Windows 8 or Server 2012 – this is the file that I normally create using notepad and save as ei.cfg in the Sources folder.


This works using MSDN or Technet (RIP) keys and media. I don’t bother entering the version, since I often may want to choose that during installation. By not entering the version you can choose if you want Standard, Datacentre etc.

The format of the ei.cfg is as follows:

[EditionID]
{Edition ID}
[Channel]
{Channel Type}
[VL]
{Volume License}

[EditionID]: This is the version of Windows that you want to install. This varies by OS. You can use Dism /Get-ImageInfo and specify the image file to get the editions available from the wim file, e.g. Dism /Get-ImageInfo /imagefile:I:\sources\install.wim

Valid options are:

Windows 7:

Windows 8:
Windows Server 2012:
Note that there are others, e.g. Foundation and Essentials for Server 2012.

[Channel]: This can be OEM or RETAIL depending on the type of media that you have.

[VL]: This can be 1 for Volume License, or 0 for Retail

See for more information.


Creating bootable Windows Vista, 7, 8, 2012 USB or SD memory card

There are several ways to create bootable USB media if you have an ISO. You can also do this using an SD card if you have a USB adapter for the memory card. For Windows 7 a 4GB drive is fine; for later versions you will need more than 4GB.

Microsoft Windows 7 USB/DVD download tool

The easiest method is probably the Microsoft Windows 7 USB/DVD download tool

This is simple and easy to use, and should work with Windows Vista ISOs or later.


This is another nice tool from, and works with Windows Vista ISOs or later.

Manual method


If you don’t have the ISO or want to do this manually, you can also use diskpart to prepare the drive and then copy the contents over. This is the way I normally end up doing it for some reason, the advantage being that you don’t need any other tools if you are running a Windows OS. There is a risk of formatting the wrong drive if you don’t know what you are doing with diskpart, so be careful.

Format the Drive

Run cmd.exe as Administrator and type the following:

  • diskpart
  • list disk (Note which one is your USB disk, and make sure you get the right one!)
  • select disk 2 (assuming that it was listed as disk 2)
  • clean
  • create partition primary
  • select partition 1
  • active
  • format fs=fat32 (Note: Quick format does not work)
  • assign
  • exit

Copy the files

Mount the ISO or insert the DVD, and then copy the Windows files to your drive.

Modify the below example depending on your drive letters:

xcopy d:\*.* /s/e/f e:\

OR easier using Robocopy:

Robocopy d: f: /e


Note that you can do something similar on Linux using