Deploy Windows 2016 RDS with PowerShell

Turotial on how to deploy Windows 2016 RDS with PowerShell in a Single Server

Updated based on Windows 2019 RDS Server

Lab Components

  1. 1 x Windows 2019 AD Domain Controller – AVENTIS-AD01.AVENTIS.LOCAL (
  2. 1 x Windows 2019 Server with RDS Roles – A001.AVENTIS.LOCAL (

Enable RSD Roles

Enable the following RDS Roles for A001 from AVENTIS-AD01

  • RDS Connection Broker
  • Web Access Server
  • RDS Session Host
Import-Module RemoteDesktop

$ServerName = "A001.AVENTIS.LOCAL"
New-RDSessionDeployment -ConnectionBroker $ServerName -WebAccessServer $ServerName -SessionHost $ServerName -Verbose

Do NOT run the PowerShell on A001 locally

A001 will be rebooted automatically once all RDS Roles installed successfully

RDS Licensing Server (Optional)

Login to A001 to enable RDS Licensing Role

Add-WindowsFeature -Name RDS-Licensing, RDS-Licensing-UI

Change the RDS License Mode to Per User Mode, and point local RDS Server to local Licensing Server

Set-RDLicenseConfiguration -Mode PerUser -LicenseServer A001.AVENTIS.LOCAL


Mode                 LicenseServer                                                  
----                 -------------                                                  
PerUser              {A001.AVENTIS.LOCAL}    

Add the Licensing Server into Deployment

Add-RDServer -Server A001.AVENTIS.LOCAL -Role RDS-LICENSING -ConnectionBroker $ServerName

Verify the remaing trial period with

(Invoke-WmiMethod -PATH (gwmi -namespace root\cimv2\terminalservices -class win32_terminalservicesetting).__PATH -name GetGracePeriodDays).daysleft

Session Collection

A Session Collection holds the apps and desktops you want to make available to users. pooled desktop sessions or personal desktop sessions can be configured

Create a Session Collection called UAT

$ServerName = "A001.AVENTIS.LOCAL"
New-RDSessionCollection –CollectionName UAT –SessionHost $ServerName –ConnectionBroker $ServerName –CollectionDescription “UAT for Session Host” 

Allow Domain Administrator to access to the new Session Collection. Domain Users is included by default.

$UserGroup =@("AVENTIS\Domain Users","AVENTIS\Administrator")
Set-RDSessionCollectionConfiguration -CollectionName UAT -UserGroup $UserGroup

Please refer to Microsoft Docs for detail configuration available with PowerShell

Publish Application

Verify Microsoft Edge is installed

Get-RDAvailableApp -CollectionName UAT | ? DisplayName -like "Microsoft Edge"

DisplayName                    FilePath                                                          CommandLineArguments
-----------                    --------                                                          --------------------
Microsoft Edge                 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe                          

Publish Microsoft Edge

$Alias = "MicrosoftEdge"
$FilePath = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

New-RDRemoteapp -Alias $Alias -DisplayName $Alias -FilePath $FilePath `
-ShowInWebAccess 1 -CollectionName "UAT" -ConnectionBroker $ServerName

Login to https://A001.AVENTIS.LOCAL with AVENTIS\USERNAME to verify Microsoft Edge is published and can be launched successfully

Deploy Windows 2016 RDS with PowerShell

RD Gateway

Add RDS Gateway Role with external FQDN =

Add-RDServer -Server "A001.AVENTIS.LOCAL" -Role "RDS-GATEWAY" -ConnectionBroker "A001.AVENTIS.LOCAL" -GatewayExternalFqdn ""

Set all RDS Roles to use the Let’s Encrypt Wildcard SSL Certificate

$Password = ConvertTo-SecureString -String "P@ssw0rd!@#$" -AsPlainText -Force
Set-RDCertificate -Role RDGateway -ImportPath "C:\Temp\Lets-AventisDev.pfx" -Password $Password -ConnectionBroker A001.AVENTIS.LOCAL
Set-RDCertificate -Role RDWebAccess -ImportPath "C:\Temp\Lets-AventisDev.pfx" -Password $Password -ConnectionBroker A001.AVENTIS.LOCAL
Set-RDCertificate -Role RDPublishing -ImportPath "C:\Temp\Lets-AventisDev.pfx" -Password $Password -ConnectionBroker A001.AVENTIS.LOCAL
Set-RDCertificate -Role RDRedirector -ImportPath "C:\Temp\Lets-AventisDev.pfx" -Password $Password -ConnectionBroker A001.AVENTIS.LOCAL

Verify SSL Certificate is configured properly


Role          Level          ExpiresOn                           IssuedTo
----          -----          ---------                           --------
RDRedirector  Trusted        12/06/2020 10:20:58                 CN=*
RDPublishing  Trusted        12/06/2020 10:20:58                 CN=*
RDWebAccess   Trusted        12/06/2020 10:20:58                 CN=*
RDGateway     Trusted        12/06/2020 10:20:58                 CN=*

RDS HTML5 Web Client

Update the PowerShellGet Module

Install-Module -Name PowerShellGet -Force

Close the existing PowerShell Console and reopen it, otherwise the module may not work

Install RD Web Client Management Module

Install-Module -Name RDWebClientManagement

Download the latest version of RD Web Client


Link the SSL Certificate used for RD Connection Broker

$Password = ConvertTo-SecureString -String "P@ssw0rd!@#$" -AsPlainText -Force
Import-RDWebClientBrokerCert -Path C:\Temp\Lets-AventisDev.pfx -Password $Password 

Publish RD Web Client

Publish-RDWebClientPackage -Type Production -Latest

Ignore the warning mention that per-device CALs are not supported if Pre-User CALs is used.

Go to https:// and login with domain user

Launch the Published Application – Microsoft Edge

Refer to Microsoft – Set up the Remote Desktop web client for your users for more detail

Redirect URL

Configure HTTP Redirect for the Default Web Site to /RDWeb in RDS Server

User can login to RD Web Client via now

Leave a Comment