How to Set Up Windows Server 2016 Remote Desktop Session Host
Remote Desktop Session Host (RDSH) is a role service within Remote Desktop Services (RDS) that allows multiple users to simultaneously connect to a single Windows Server 2016 server and run applications or full desktops in an isolated session. It is the foundation of traditional centralised desktop and application delivery, enabling organisations to deploy business applications once on a server and provide access to hundreds of users without individual workstation installations. This guide covers installing and configuring RDSH on Windows Server 2016.
Planning Your RDSH Deployment
Before installing the role, plan your deployment carefully. Determine the number of concurrent users you expect. As a rough guide, a server with 16 CPU cores and 64 GB RAM can comfortably support between 50 and 100 concurrent sessions running typical Office productivity applications, depending on user behaviour. RDS CALs (Client Access Licences) are required for each user or device that connects to RDSH; without them, you have only a 120-day grace period. Decide whether you are deploying RDSH as a standalone server for a small environment or as part of a full RDS deployment with a Connection Broker, Gateway, and Web Access for larger environments.
Step 1: Install the Remote Desktop Session Host Role
Open Server Manager on Windows Server 2016. Click Add roles and features. Select Role-based or feature-based installation, then select your server. In the Server Roles list, expand Remote Desktop Services and check Remote Desktop Session Host. Add any required features when prompted and click Install. The server will need to restart after installation.
Alternatively, install via PowerShell:
Install-WindowsFeature -Name RDS-RD-Server -IncludeManagementTools -Restart
Step 2: Configure RD Session Host with Server Manager (Quick Deployment)
For small deployments, Server Manager provides a Quick Start deployment wizard. In Server Manager, click Remote Desktop Services in the left navigation. On the Overview page, click Session-based desktop deployment and follow the wizard. This automatically installs RDSH, RD Connection Broker, and RD Web Access on a single server, which is appropriate for small environments of under 50 users.
Step 3: Configure Remote Desktop Connection Settings
After installation, open Remote Desktop Session Host Configuration from Administrative Tools, or use Group Policy to configure session settings. Key settings to configure include session time limits, temporary folders, and printer redirection.
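Using Group Policy, navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits and configure the idle and disconnected session limits. To set the same limits directly on the RDP-Tcp listener in the registry (values are in milliseconds):
# 30-minute limit for idle sessions
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name MaxIdleTime -Value 1800000
# 15-minute limit for disconnected sessions
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name MaxDisconnectionTime -Value 900000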
Step 4: Configure RD Licensing
After the 120-day grace period expires, RDSH will refuse connections unless a properly configured RD Licensing server is available and has sufficient CALs issued. Configure the licensing server on the RDSH server using Group Policy or the RD Session Host Configuration tool.
In Group Policy Editor (gpedit.msc or a domain GPO), navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing. Enable Use the specified Remote Desktop license servers and enter the FQDN of your RD Licensing server. Set the RD licensing mode to Per User or Per Device depending on your CAL type.
Set-RDLicenseConfiguration -LicenseServer "rdlicensing.domain.local" -Mode PerUser -ConnectionBroker "rdbroker.domain.local"
Step 5: Install Applications for Session Host Use
When installing applications on an RDSH server, use Install mode to ensure the application’s registry and file settings are properly captured for multi-user deployment. Use Add/Remove Programs in Control Panel to automatically switch to install mode, or manually switch:
change user /install
setup.exe
change user /execute
Alternatively, deploy applications using .msi packages via Group Policy software installation or SCCM/Intune, which handle the install mode automatically.
Step 6: Configure User Profile Disks or Roaming Profiles
For multi-server RDSH deployments where users may connect to different servers, configure User Profile Disks (UPD) or roaming profiles to ensure a consistent user experience. User Profile Disks are configured at the RD Collection level in Server Manager and store each user’s profile in a VHDX file on a file share:
Set-RDSessionCollectionConfiguration -CollectionName "DesktopCollection" -EnableUserProfileDisk:$true -MaxUserProfileDiskSizeGB 20 -DiskPath "\\fileserver\UPDs"
Step 7: Configure RemoteApp Collections
Instead of delivering a full desktop, RDSH can publish individual applications as RemoteApp programs. Users see only the application window, which appears integrated with their local desktop. In Server Manager under Remote Desktop Services, click Collections, right-click your session collection, and select Publish RemoteApp Programs. Select the programs to publish from the list or browse for custom executables.
New-RDRemoteApp -CollectionName "DesktopCollection" -DisplayName "Notepad" -FilePath "C:\Windows\System32\notepad.exe" -CommandLineSetting DoNotAllow
Step 8: Adjust Windows Firewall and NLA Settings
Ensure Remote Desktop is allowed through the Windows Firewall and that Network Level Authentication (NLA) is enabled for security. NLA requires users to authenticate before a full RDP session is established, reducing the attack surface:
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
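To confirm that the NLA setting above and the session limits from Step 3 are actually in place, the following added example (not part of the original guide) audits the RDP-Tcp listener key against a baseline. The function name, the baseline table, and the SecurityLayer and MinEncryptionLevel targets are assumptions of this example; the sample settings are constructed.

```powershell
# Added example: audit the RDP-Tcp listener against an assumed baseline.
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# UserAuthentication and the two time limits follow the values used in this
# guide; the SecurityLayer and MinEncryptionLevel targets are assumptions.
$Baseline = @(
    @{ Name = 'UserAuthentication';   Want = '1 (NLA required)';  Test = { param($v) $v -eq 1 } }
    @{ Name = 'SecurityLayer';        Want = '2 (TLS)';           Test = { param($v) $v -eq 2 } }
    @{ Name = 'MinEncryptionLevel';   Want = '3 (High) or above'; Test = { param($v) $v -ge 3 } }
    @{ Name = 'MaxIdleTime';          Want = '1-1800000 ms';      Test = { param($v) $v -gt 0 -and $v -le 1800000 } }
    @{ Name = 'MaxDisconnectionTime'; Want = '1-900000 ms';       Test = { param($v) $v -gt 0 -and $v -le 900000 } }
)

function Test-RdpListenerBaseline {
    param(
        # Value name -> data. When omitted, the live registry key is read.
        [hashtable]$Settings
    )
    if (-not $PSBoundParameters.ContainsKey('Settings')) {
        $Settings = @{}
        $props = Get-ItemProperty -Path $ListenerKey
        foreach ($b in $Baseline) { $Settings[$b.Name] = $props.($b.Name) }
    }
    foreach ($b in $Baseline) {
        $value = $Settings[$b.Name]
        [pscustomobject]@{
            Setting  = $b.Name
            Actual   = if ($null -eq $value) { '(not set)' } else { $value }
            Expected = $b.Want
            # A missing value fails: the limit or protection is not configured here.
            Pass     = ($null -ne $value) -and [bool](& $b.Test $value)
        }
    }
}

# Constructed sample: NLA off, negotiable security layer, no idle limit.
$weak = @{ UserAuthentication = 0; SecurityLayer = 1; MinEncryptionLevel = 2
           MaxIdleTime = 0; MaxDisconnectionTime = 900000 }
Test-RdpListenerBaseline -Settings $weak | Format-Table -AutoSize

# On the session host itself, list only the failing settings:
# Test-RdpListenerBaseline | Where-Object { -not $_.Pass }
```

Settings delivered by Group Policy are stored under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services and take precedence over the listener key, so check that key as well on domain-joined hosts.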
Step 9: Monitor Active Sessions
Use the qwinsta (Query Session) and quser commands to monitor active sessions on the RDSH server:
qwinsta /server:localhost
quser /server:localhost
To log off a disconnected session by session ID:
logoff 3 /server:localhost
Security Hardening Tips
Restrict RDP access to authorised users and groups only by modifying the Remote Desktop Users local group. Enable RDP over HTTPS through an RD Gateway for internet-facing deployments rather than exposing port 3389 directly. Configure account lockout policies to protect against brute-force RDP attacks. Deploy Windows Defender Credential Guard and Remote Credential Guard to protect credentials during RDP sessions. Regularly patch both the OS and installed applications, as RDSH servers are high-value targets due to their multi-user nature.
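Account lockout limits brute-force attempts, and the Security event log shows when they are happening. The following added example (not part of the original guide) groups failed-logon events (ID 4625) by source address and reports addresses that exceed a threshold within a time window. The function names, the threshold of 10 and the 5-minute window are assumptions of this example, and the sample events are constructed.

```powershell
# Added example: flag source addresses with bursts of failed logons (event 4625).
# Threshold and window are assumed values; align them with your lockout policy.
function Get-FailedLogon {
    # Flattens Security-log 4625 events into Time/User/Source/LogonType objects.
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; User = $d.TargetUserName
                               Source = $d.IpAddress; LogonType = [int]$d.LogonType }
        }
}

function Find-LogonBurst {
    param([object[]]$Failure, [int]$Threshold = 10, [int]$WindowMinutes = 5)
    # Logon type 10 is RemoteInteractive; with NLA failures are commonly logged as type 3.
    $Failure |
        Where-Object { ($_.LogonType -in 3, 10) -and $_.Source -and ($_.Source -ne '-') } |
        Group-Object Source |
        ForEach-Object {
            $group = $_
            $times = @($group.Group | Sort-Object Time | ForEach-Object { $_.Time })
            $worst = 0
            foreach ($start in $times) {
                # Failures inside the window that opens at this event.
                $end = $start.AddMinutes($WindowMinutes)
                $n = @($times | Where-Object { $_ -ge $start -and $_ -lt $end }).Count
                if ($n -gt $worst) { $worst = $n }
            }
            if ($worst -ge $Threshold) {
                [pscustomobject]@{ Source = $group.Name; MaxInWindow = $worst
                                   Users = @($group.Group.User | Sort-Object -Unique) -join ',' }
            }
        }
}

# Constructed sample: 12 failures in two minutes from one address, 1 from another.
$t0 = Get-Date '2024-01-01T09:00:00'
$sample = @(0..11 | ForEach-Object {
    [pscustomobject]@{ Time = $t0.AddSeconds(10 * $_); User = "user$($_ % 4)"
                       Source = '203.0.113.7'; LogonType = 3 } })
$sample += [pscustomobject]@{ Time = $t0; User = 'alice'; Source = '198.51.100.20'; LogonType = 10 }
Find-LogonBurst -Failure $sample
# Live data: Find-LogonBurst -Failure (Get-FailedLogon)
```

Logon type 3 also covers other network logons such as file-share access, so treat a hit as a lead to correlate with RD Gateway or firewall logs rather than as proof of an RDP attack.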
A properly configured RDSH server on Windows Server 2016 provides a secure, scalable, and cost-effective platform for delivering applications and desktops to users across a corporate network or over the internet through an RD Gateway.