Monday, January 4, 2010

RemoteApp and Desktop Connections: How to distribute and install the URL Feed

This post is adapted from the forthcoming Windows Server 2008 R2 Remote Desktop Services Resource Kit

RemoteApp and Desktop Connections is new to Windows 7. It uses a feed from the RD Web Access server to populate Windows 7 clients with RemoteApps and Desktop Connections from designated RDSH servers or farms.

To configure RemoteApps and Desktop Connections on Windows 7 clients you either enter the feed URL manually in Windows 7 RemoteApps and Desktop Connections Control Panel applet, or you distribute a configuration file that you run on the Windows 7 client.

Creating this config file is easy. 

Log on to the RD Connection Broker server:
·         Start the Remote Desktop Connection Manager
·         Right click Remote Desktop Connection Manager and choose Create Configuration File
·         Add the URL of the RAD feed in the form of:
                 https://your-RD-Web-Access-Server/Feed/webfeed.aspx

But what if you want to distribute and execute this config file without any user intervention?

These articles tell you that you CAN do this and even show you how to create the config file:

But they don’t tell you HOW to do this.   Here is the script that you can use to distribute the config file:

So now that you have the script you might be asking yourself “How the heck do I implement this??” Good question.  One I asked myself.  Let me make it easy for you.

Basically, you will want to sign the PowerShell code (unless you want to allow unsigned code to execute which I doubt you want to do…), add the code signer cert to all client machines that will trust code signed by the code signer, and either use the PowerShell script as a logon script (2008 R2 schema) or create a VB logon script that will in turn call the PowerShell script.

Here are all the steps to do this:

1.       Get a code signing cert from your CA for a user that will sign scripts. Talk to your CA admin person about this, or get one from a public CA.

2.       Once you have the signing certificate, make sure it is installed in the personal store on the computer that the code signer will log into to sign code. To check this, or to add the code signer’s cert, have the user log in, then open an MMC (type MMC in the search box or Run box), then click File > Add/Remove Snap-ins, click Certificates (user certificates), click Add, click OK. Then open the user Certificates snap-in, and navigate to Personal > Certificates.  You should see the code signer’s cert here.  If not, then add it by right clicking on the Personal Certificates folder and choosing Import (or Request), depending on what you need to do (import an existing cert or request one).

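3.       Have the code signing user open PowerShell and sign the PowerShell script like this:

# Picks up the code signing cert from the user's Personal store. If more than one
# code signing cert is installed, $cert is a collection; narrow it to a single cert first.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert
Set-AuthenticodeSignature -FilePath PATH-TO-FILE-HERE\Install-RADCConnection.ps1 -Certificate $cert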

4.       Next you will need to get a copy of the code signer cert to place in the trusted publishers folder on each computer that will trust code signed by this user. You will do this via GPO in the next step.
If you don’t already have this certificate handy, on the PKI server, open Certificate Authority, and under the server, find the certificate in question in the Issued Certificates folder, double click it, navigate to the Details tab and click copy to file…

5.       Next add the code signer cert to the Trusted Publishers folder in Cert Management on each PC that will run scripts signed by that user.
Do this by creating a Computer GPO and placing it on the computer OU. The Computer policy should be:

Computer Configuration | Policies | Windows Settings | Security Settings | Public Key Policies | Trusted Publishers

Right click this folder, choose Import, and point to the certificate you saved in the prior step

6.       Configure the PowerShell Execution Policy for the computers in your domain that you want to be able to run signed scripts. 

Computer Policy | Admin templates | Windows Components | Windows PowerShell | Turn On Script Execution
Set this to “Enable” and “Allow only signed Scripts”.


7.       For 2008 R2 DC’s: Create a User GPO, add the PowerShell script as a logon script:
·         User Configuration | Policies | Windows Settings | Scripts (Logon/Logoff)
·         Double click Logon, then click Add…then click the Browse button
·         Locate the PowerShell script
·         In the Parameters box, add: \\servername\sharename\scripts\name-of-feed.wcx


8.     Create a VB logon script to call the logon PowerShell Script:

Set objShell = CreateObject("Wscript.Shell")

a.       Create user Logon GPO to launch the VB script that will in turn call the PowerShell script:
·         User Configuration | Policies | Windows Settings | Scripts (Logon/Logoff)
·         Double click Logon, then click Add…then click the Browse button
·         Locate the VB script made in step 5.

9.       Have a regular user log in to their Windows 7 machine and test.
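Before that test, the pieces set up in steps 3, 5 and 6 can be checked from a client. The following preflight script is an added example, not part of the original post; the two UNC paths reuse the post's placeholder share and file names and are assumptions to replace with your own.

```powershell
# Added example: preflight check for the signed logon script (not from the original post).
# The default paths are placeholders; replace them with your own share and file names.
param(
    [string]$ScriptPath = '\\servername\sharename\scripts\Install-RADCConnection.ps1',
    [string]$FeedFile   = '\\servername\sharename\scripts\name-of-feed.wcx'
)

$problems = @()

# 1. Both files must be reachable from the client.
foreach ($p in $ScriptPath, $FeedFile) {
    if (-not (Test-Path -LiteralPath $p)) { $problems += "Not reachable: $p" }
}

# 2. The Authenticode signature must be intact (step 3). Any edit made to the
#    script after signing changes the status to HashMismatch.
$sig = $null
if (Test-Path -LiteralPath $ScriptPath) {
    $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
    if ($sig.Status -ne 'Valid') {
        $problems += "Signature status is $($sig.Status): $($sig.StatusMessage)"
    }
}

# 3. The signer certificate must be in the machine Trusted Publishers store (step 5).
if ($sig -and $sig.SignerCertificate) {
    $thumb = $sig.SignerCertificate.Thumbprint
    $trusted = Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $trusted) {
        $problems += "Signer $($sig.SignerCertificate.Subject) is not in Trusted Publishers"
    }
    if ($sig.SignerCertificate.NotAfter -lt (Get-Date) -and -not $sig.TimeStamperCertificate) {
        $problems += 'Signing certificate has expired and the signature carries no timestamp'
    }
}

# 4. Group Policy should enforce AllSigned at the MachinePolicy scope (step 6).
$policy = Get-ExecutionPolicy -List | Where-Object { $_.Scope -eq 'MachinePolicy' }
if ($policy.ExecutionPolicy -ne 'AllSigned') {
    $problems += "MachinePolicy execution policy is $($policy.ExecutionPolicy), expected AllSigned"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'Signed logon script, publisher trust and execution policy all check out.'
```

Because the clients only allow signed scripts, sign this check script with the same certificate before running it there.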

Hope this helps you!


  1. Windows 7 Key It is wonderful right here. Good research. I've been searching for this kind of information for quite a while. Thanks

  2. Future:

    Btw, your blog is fantastic!!

  3. I don't understand why MS can include something like RemoteApp setup in the control panel, but not have a GPO to manage the settings :(

    made in england

  4. I reckon this blog is very instructive, and configuring RemoteApps and Desktop Connections on Windows 7 is well demonstrated through the URL feed. minecraft server hosting
