This Post will show you how to deploy a Remote desktop session server (RDSH) in a workgroup (non Domain).
This deployment is Session based and will allow the use of desktop sessions. The down side to having a none domain joined Session host is that you will need to create users on the host and configure local Group policy’s to restrict user access.
I have deployed a single server (non domain Joined) with Server 2012 R2.
Configuring the FQDN
As this is a workgroup server (non Domain) you will need to configure the Fully Qualified Domain name.
This can be done under system Properites
Deployment
We are going to deploy the RDS 2012 Session Host Role and the RDS licencing role
This image shows the roles and features that have been installed, as you can see the session host and remote desktop roles are shown as installed.
Adding the RDSH Certificate
Firstly you will need to import your certificate to the Local Computer , Personal Folder as shown in the screen shot.
Before configuring RDSH Servers you will see a warning stating that the certificate is untrusted.
This is because the configuration data for RDSH is stored in the WMI, Win32_TSGeneralSetting class in WMI in the rootcimv2TerminalServices namespace. You will need to change the certificate from default using the following commands.
Firstly, You will need to find the certificate thumbprint.
You can also use PowerShell to find the Thumbprint:
Get-Childitem Cert:\LocalMachine\My
Run one of the following cmds to apply the new certificate to the Win32_TSGeneralSetting:
Command Prompt:
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="Thumbprint"
PowerShell Cmd:
$path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace rootcimv2terminalservices -Filter "TerminalName='RDP-tcp'").__path
Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="THUMBPRINT"}Licencing
You will need to configure the licencing to allow multiple users to connect via sessions.
Adding Users
Add the users under Computer Management, Local Users and groups
Add the users to the remote desktop group.
you can also do this in the server manager under local Computer
As you are connecting to the RDSH host locally, use local\username
Applying Security
As you can see from the screen shots, users cannot install roles and features or modify Group Policy’s with out Administrator permissions, I would recommend configuring local group policy’s to lock down remote users, as you would in a Domain. You can access the local group policy editor via MMC and add the snapin for the Group policy editor.
Administering sessions
In the Group Policy editor, I have set the idle limit on the sessions so that if users are inactive for over a hour their session will be terminated.
.
You can also manage your users from the task menu
by right clicking on the user, you get a number of options including disconnecting the user, Sign them off, sending messages, and Connect which allows you to connect to a user session. You will need to be the user in question to do this.
When users are finished with their sessions they simply sign out, or they can disconnect. There is no option to shut down the server for remote session users.
Ryan Mangan's IT Blog 
Hello Mr. Ray
I have been trying to run 2012r2 in workgroup environment for quit some time of course i would like to use management tools like TSadmin and remoteapp
I was able to get everything working except the management tools
but I guess if we are able to make a pool maybe all the integrated management tools will work
Advice SVP
if not maybe a third party tool
thx
If you need any assistance with this drop me a line, I believe we have already spoken.
I can not find the Certificate to Import, Need a little more help with that part. The rest is easy!
You need to create one using an internal certificate authority or external certificate authority
Hello,
I also would like to use the management tools in workgroup configuration (non-domain).
How can i get those?
Thank u very much for deployment instructions above!
Hello Mr Ray. i would like to ask about grace period on licensing server. I have problem with that. My RDS server has grace period 120 days and i cannot configure remote desktop session host. On remote desktop services it says that i’m not part of domain users. Thanks for your help.
Ensure that you have logged in as a Local admin.
Thanks for this guide, but I am stuck on the same place as Martin Svec. You said to log in as a domain admin, but how do you log in as a domain admin when there is no domain?
HI Neil,
my pervious was a typo, that’s now been changed.
I am not sure what issue you are getting, so can you please provide a bit more info.
thanks for the response, i’m not very good with servers especially 2012. i’m trying to configure the licensing and had to look up other guides to figure out how to do this.
i go to server manager, click on remote desktop services and go to overview. from the overview page you are supposed to be able to add the licensing servers, but instead on that page it says “You are currently logged on as local administrator on the computer. You must be logged on as a domain user to manage servers and collections”
so i keep getting the message that the rds server has a grace period. i feel like i’m missing something easy, but i’m quite lost.
You will see this message if you are trying to access the RDMS. If this is a workgroup build as in not joined to the domain. You will need to install the licencing role manually and then load the licencing MMC in the metro start menu. You can configure licencing using the local group policy’s on the Server and again this can be found in the MMC.
Hi Ryan – I’m attempting to configure Remote Desktop Services on a hosted VPS that is in a Workgroup. Is it possible to use the RemoteApp functionality in this scenario? You help is greatly appreciated, thankyou
Not in a workgroup
Hi Ryan – I have read this article and it has resolved (I think) my licensing issue, but I am not able to connect to this workgroup server from a Windows 8,1 laptop. This failure tells me that:
1. Remote access to the server is not enabled
2. The remote computer is turned off.
3. The remote computer is not available on the network.
I suspect that option 1 is the most appropriate.
When following your instructions, the one error I get is when using the PowerShell window and the first element of the setup fails as follows:
PS C:\Users\Administrator> $path = (Get-WmiObject -class “Win32_TSGeneralSetting” -Namespace rootcimv2terminalservices -Filter “TerminalName=’RDP-tcp'”).__path
Get-WmiObject : Invalid namespace “rootcimv2terminalservices”
At line:1 char:10
+ $path = (Get-WmiObject -class “Win32_TSGeneralSetting” -Namespace rootcimv2termi …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-WmiObject], ManagementException
+ FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
Is this what causes the failure?
Following up on my last comment (currently unposted), I have fixed my issue. I spotted another information source which suggested the following:
Open a CMD window and enter the command
SystemPropertiesRemote
In my case the option was set to ‘Dont allow remote connections to this computer’. Switching this to ‘Allow remote connections to this computer’ and Apply resolved my issue.
It is worth you adding this step to your blog.
Hi Ryan – I’m attempting to configure Remote Desktop Services on a hosted VPS that is in a Workgroup, but I can’t configure the RDSH server. Is it possible in this scenario? How ?
You help is greatly appreciated, thankyou
I already solved the problem.
Thanks any way.
I already solved the problem.
Thanks any way.
Hi! Thanks for the great description. I did everything as described (left out the gateway part) and now I’m heaving the problem, that – although I activated the license server and installed user-RDS-CALs – the server won’t issue licenses (and the grace period clock is ticking).
Any idea what I can check? I also configured the server in gpedit.msc to use itself as the license server.
Thanks.
Could fix it myself: RDS in workgroup can only work with device cals – changing that helped!
Hi Ryan,
I installed RDS on a Windows 2012 R2 server in a workgroup (no AD) following the instructions from Microsoft kb2833839 article. Besides the fact that I have no RDMS, everything seems to work fine. The licensing mode has been set to Per User (mode 4).
I can connect RDS clients with no message about the 120 days grace period. But I notice in RDS Licence server that the User CALs are not issued when RDS clients are connected to the server.
Will I run into a problem when the 120 days grace perios will end? Thank’s in advance for your expertise,
François
You can only use device licenses with work group configurations
Point to note, you will need to manage rds using wmi and group policy as rdms is not available with out the connection broker which needs a domain.
Where do you get the certificate that you need to install?
Hi Ryan,
Excellent tutorials!
Is it possible to use User Profile Disks with a single RDS 2012 R2 workgroup deployment?
If not how do you suggest storing Users on a separate drive?
Thanks.
Jonathan
What is important for me would be similar to the Terminal Services Manager where I get to see whose logged in, disconnect, send message or log off a user. Is this what RDMS would do?
Hi
Thanks for the guide.
Is there any way to use session Remote Control (shadowing) in a workgroup setup?
Craig
Hello,
Copy / paste this into notepad and save as batch file (.bat). Edit ‘servername’ into your servers name…
@echo off
qwinsta
set /P id=Enter id: %=%
mstsc /v:servername /shadow:%id% /control /noConsentPrompt
Jelle
You’re a KING !!!!
thanks for the back link
The above iteration does not work. It wants a DOMAIN logon. How do I get around that?
it does
This is all I get for role services
TEST-SERVER Remote Desktop Services TermService Running Manual
TEST-SERVER Remote Desktop Licensing TermServLicensing Running Automatic
Any clues?
Ryan, can you go over the license requirement again? I am unable to run the Power Shell command without an error.
It looks incomplete from what you wrote above. Thanks, robb
You can only use Device Licenses using this method and you will need to configure the licensing via group policy as well as configuring license in the RD Licensing Manager
Hi Ryan
Thanks for the instructions and yes I got a standalone / workgroup server running with remote desktop services. Yay!
Next issue, if I now want to join that server to a domain, is it as simple as migrating user profiles and changing the server to join the domain or does RDS have the workgroup hard-wired to its settings ?
thanks
Tony
Hello Ryan
Trying to follow your instruction on inserting the certificate for RDSH and the modifications that you are doing. Can you explain in more step by step detail on were to obtain the certificate to be inserted.
You need to create one using IIS or other csr generation tools.
Hi, do you have a tutorial for creating certificate?
Not as of yet, one is coming
Still Stuck on where do I get the certificate from. Cant seem to find it!
You will need to create one and using a internal certificate authority or external. IIS is the place where most people generate the certificate
I had a question about a test server I setup with RDS setup on a workgroup server 2012 R2. my users are not getting assigned licenses by the server. I am still within the 120 days, but seeing it not hand out/assign the licenses makes me weary for a small production environment. Any tips?
Workgroup hands out Device Licences. User licenses don’t work in this case.
Ryan – I just want to be clear here, even though I have installed 5 user licenses your telling me the server will not work this way? I have to use device licenses? I’ll have to repurchase the the RDS licenses as device?
Hi Rick, From the testing i have carried out. Only device licenses work on workgroup deployments.
Thank you for the article. It helped me to deploy RDS on a workgroup. I would like to have 5 users. Do I need to buy a license for 5 devices? Or just 1 since it is a device license? Can anyone please comment on how they solved the licensing problem. Your help is much appreciated!
If you have 5 users and one device then the 1 device license will do the trick.
Hello Ryan, thank you so much for the tutorial. This is exactly what I need. I’m upgrading the network in a really small company, three accountants need to be able to connect remotely via RDP and launch an accounting program on the server, which will also have a MS SQL Express database.
The question: can this be done on Windows Server 2012 R2 Foundation, with a single server? If so, apart from the Foundation licence, I will be needing three RDS CALs and nothing more, correct? Again, thanks so much.
Hi Andrew, Specifying the requirements is not really a technical issue. I would recommend you confirm with MS on your requirements around licensing.
So I have this all working but I’m unsure of what to configure re licenses?? On 2008 you used the session manager and pointed at the license server but although the service is installed it doesn’t show up to configure.
Or is the fact that I have device licenses installed all I need?
Thanks
use group policy
Hi Ryan,
Please help me. I have RDS setup on a workgroup server 2012 R2. My mission is deploy HMI via Intouch Access Anywhere ( Wonderware) to Internet, my customer want to access HMI from internet . The guidance of intouch, I must deploy remote desktop service, then add Intouch Access Anywhere through RemoteApp. But I don’t fine RemoteApp after install RDS
Remote Apps are created inside the collection. If not remote apps are created/added then it will default to session collection
Thank you so much Ryan. this is a really good guide, got it all working and issuing licences.
I just wanted a simple standalone TS server here for testing and did not want to make the box a domain controller of a fictional domain and you have made it possible!
For anyone else who makes this mistake: I jumped the gun and activated my (MSDN) licences early before following Ryan’s guide. This meant that the licences were associated with the non-FQDN server and certificate. I was able to right click in RD Licensing Manger and choose “Manage licences” then migrate them, after ticking in blood that the old server was non-functional (true of course). This gave a new line in RD Licensing Manger alongside the old one but the logins decrement this new block of licences correctly.
Dominic
fidtz-DUDE!!!!!! 7 hrs of work later, pulling my hair our! This did IT!!! Thank you so much
Very helpful once again. Thanks for taking the time to write this.
Hi Ryan
I want to generate report of all the RDS user from a workgroup machine in Windows 2008R2. As per microsoft it is not possible.Is there a way I can extract this report
I used an Hyper-V machine to deploy the RDSH Server in a Workgroup and it works great!
I loved how you used the suffix to make it look like it’s in a domain. Clever 🙂
Ryan… Thanks much for this very helpful info. Clearly, it has saved the bacon of many of us that landed here.
One question… will this work for Server 2016?
Thanks!
Thanks for the guide, if I have a Trusted cert from Godaddy and have imported it to the server(RD gateway is using the trusted SSL cert), do I need to run
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=”Thumbprint”
Looking to setup RDS server in Azure