How to Configure Remote Desktop Session Host on Windows Server 2019
Remote Desktop Session Host (RDSH) is the core component of a Windows Server 2019 Remote Desktop Services deployment that allows multiple users to connect simultaneously and run shared applications or full desktops in isolated sessions. Each user gets a private session with their own desktop environment, running on the server’s hardware. RDSH is used for centralised application delivery, virtual desktop infrastructure, and replacing traditional thick-client deployments with server-hosted sessions.
Planning the RDSH Deployment
Before installation, determine the session capacity needed. A general sizing guideline for knowledge worker sessions (Office, browser, lightweight applications) on Windows Server 2019 is 6 to 8 sessions per vCPU core and 1.5 to 2 GB of RAM per concurrent session. For more demanding applications such as CAD or data analytics tools, reduce session density accordingly. A two-tier RDS deployment consists of an RDSH server running applications and an RD Connection Broker managing session load balancing. For production environments, deploy at minimum two RDSH servers behind a Connection Broker for redundancy.
Installing the Remote Desktop Session Host Role
Install the RDSH role using Server Manager or PowerShell. The RD Session Host role must be installed and the server rebooted before configuration. Note that installing RD Session Host without a licensing server will only provide a 120-day grace period before licensing enforcement kicks in.
# Install RD Session Host and Management Tools
Install-WindowsFeature -Name RDS-RD-Server -IncludeManagementTools
# Check installation status
Get-WindowsFeature -Name RDS-RD-Server
After the role installs, a reboot is required. If you plan a full RDS deployment with Connection Broker, install the complete RDS stack using the RDS Quick Start or full deployment option in Server Manager.
# Full RDS deployment via PowerShell (single-server for smaller deployments)
New-RDSessionDeployment `
-ConnectionBroker "rds-broker.corp.local" `
-SessionHost "rds-host01.corp.local" `
-WebAccessServer "rds-web.corp.local"
Configuring Remote Desktop Licensing Mode
Without proper RD Licensing configuration, the RDSH server will refuse new connections after the 120-day grace period expires. Configure the licensing mode and license server using Group Policy or PowerShell. The two licensing modes are Per User (tracks licenses per user account) and Per Device (tracks licenses per connecting device).
# Set licensing mode to Per User and point to the license server
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
Set-ItemProperty -Path $registryPath -Name "LicensingMode" -Value 4 # 4 = Per User, 2 = Per Device
Set-ItemProperty -Path $registryPath -Name "LicenseServers" -Value "rdlicensing.corp.local"
# Alternatively use Group Policy:
# Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > RD Licensing
Configuring Maximum Session Connections
By default, Windows Server 2019 RDSH allows up to 32,767 simultaneous RDP sessions. In practice you should limit this to what your server hardware can sustain. Configure connection limits through Group Policy or the RD Session Host Configuration tool.
# Set maximum connections via registry
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" `
-Name "MaxConnectionAllowed" -Value 100
Configuring Session Timeouts and Disconnection Policies
Managing session timeouts is critical on a shared RDSH to reclaim resources from idle or disconnected sessions. Configure these settings via Group Policy under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > RD Session Host > Session Time Limits.
# Via registry - these are the keys that Group Policy uses
$GPPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
# Set idle session timeout to 30 minutes (in milliseconds)
Set-ItemProperty -Path $GPPath -Name "MaxIdleTime" -Value 1800000
# Set disconnected session timeout to 1 hour
Set-ItemProperty -Path $GPPath -Name "MaxDisconnectionTime" -Value 3600000
# Set active session time limit (optional, 0 = no limit)
Set-ItemProperty -Path $GPPath -Name "MaxConnectionTime" -Value 0
# When a limit is reached: 0 = disconnect the session, 1 = end the session
Set-ItemProperty -Path $GPPath -Name "fResetBroken" -Value 1
Configuring Remote Desktop Connection Settings
Use the Local Group Policy Editor or Active Directory GPO to configure RDP connection quality settings. For bandwidth-limited users, reducing colour depth and disabling audio/video redirection can improve performance significantly.
# Configure RDP connection parameters via registry
$TSPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
# Set color depth: 8 = 256 colors, 16 = high color, 32 = true color
Set-ItemProperty -Path $TSPath -Name "ColorDepth" -Value 32
# Disable wallpaper in sessions
Set-ItemProperty -Path $TSPath -Name "NoDesktopWallPaper" -Value 1
# Limit audio quality to improve bandwidth usage
Set-ItemProperty -Path $TSPath -Name "AllowAudioCapture" -Value 0
User Profile Management on RDSH
User profiles on RD Session Host servers should be managed with roaming profiles or User Profile Disks (UPD) to ensure users get consistent profiles across multiple RDSH servers and that profiles do not consume excessive local disk space. UPDs are virtual hard disk files stored on a file share — each user gets a single VHD that travels with them.
# User Profile Disks are configured per RD Session Collection
# This requires RD Connection Broker to be deployed
# Example: Enable UPD for a collection
Set-RDSessionCollectionConfiguration `
-CollectionName "StandardDesktop" `
-ConnectionBroker "rds-broker.corp.local" `
-EnableUserProfileDisk `
-MaxUserProfileDiskSizeGB 10 `
-DiskPath "\\fileserver\UserProfileDisks"
Monitoring Active Sessions
Query current sessions on the RDSH server using the qwinsta (Query Window Station) or query session command, or PowerShell cmdlets.
# List all active and disconnected sessions
qwinsta /server:localhost
# Query sessions via PowerShell
Get-RDUserSession -ConnectionBroker "rds-broker.corp.local"
# Get sessions on the local RDSH server
query session /server:localhost
To send a message to a connected user’s session, or to log off a specific session by session ID:
# Send message to session ID 3
msg 3 "Server maintenance will begin in 15 minutes. Please save your work."
# Log off a specific session (session ID from qwinsta output)
logoff 3 /server:localhost
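One way to turn the qwinsta table above into objects, so that disconnected user sessions can be listed by ID before running logoff. This is an added example, not part of the original article: the function name ConvertFrom-QwinstaOutput and the sample rows are constructed, and it assumes English column headers and user names without spaces.

```powershell
# Added example: parse qwinsta's fixed-width table using the header's column offsets.
function ConvertFrom-QwinstaOutput {
    param([string[]]$Lines)
    $header   = $Lines[0]
    $userCol  = $header.IndexOf('USERNAME')
    $stateCol = $header.IndexOf('STATE')
    $typeCol  = $header.IndexOf('TYPE')
    foreach ($line in $Lines | Select-Object -Skip 1) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $line = $line.PadRight($typeCol)   # rows may be shorter than the header
        # USERNAME and the right-aligned ID share the span before STATE;
        # the last token is always the ID, a token before it is the user.
        $mid = @(-split $line.Substring($userCol, $stateCol - $userCol))
        [pscustomobject]@{
            Current     = $line[0] -eq '>'   # '>' marks the caller's own session
            SessionName = $line.Substring(1, $userCol - 1).Trim()
            UserName    = if ($mid.Count -gt 1) { $mid[0] } else { '' }
            Id          = [int]$mid[-1]
            State       = $line.Substring($stateCol, $typeCol - $stateCol).Trim()
        }
    }
}

# Constructed sample rows laid out like qwinsta output (not captured from a server).
$fmt = '{0}{1,-18}{2,-22}{3,5}  {4,-8}{5,-12}{6}'
$sample = @(
    $fmt -f ' ', 'SESSIONNAME', 'USERNAME', 'ID',  'STATE',  'TYPE', 'DEVICE'
    $fmt -f ' ', 'services',    '',         0,     'Disc',   '',     ''
    $fmt -f '>', 'rdp-tcp#12',  'alice',    2,     'Active', '',     ''
    $fmt -f ' ', '',            'bob',      3,     'Disc',   '',     ''
    $fmt -f ' ', 'rdp-tcp',     '',         65536, 'Listen', '',     ''
)

# On a live host: ConvertFrom-QwinstaOutput -Lines (qwinsta /server:localhost)
$sessions = ConvertFrom-QwinstaOutput -Lines $sample
# Disconnected sessions that still belong to a user hold resources until they time out
$sessions | Where-Object { $_.State -eq 'Disc' -and $_.UserName } |
    Select-Object Id, UserName, State
```

With the constructed rows, only bob's session (ID 3) is returned; the services session is also disconnected but has no user, so it is skipped.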
Configuring RDS Security Settings
Harden the RDSH server by enforcing Network Level Authentication (NLA), which requires users to authenticate before a full RDP session is established. NLA reduces the attack surface by preventing unauthenticated connections from consuming session resources.
# Enforce NLA via registry
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" `
-Name "UserAuthentication" -Value 1
# Require NLA via Group Policy registry equivalent
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
-Name "UserAuthentication" -Value 1
# Set RDP encryption level: 1=Low, 2=Client Compatible, 3=High, 4=FIPS
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
-Name "MinEncryptionLevel" -Value 3
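A read-back check for the hardening, timeout and licensing values set in this article, useful after a GPO change or a rebuild to confirm the host still matches the intended baseline. This is an added example, not part of the original article: the function name Test-RdshBaseline, the $checks table and the acceptance thresholds are assumptions derived from the values used on this page.

```powershell
# Added example: compare the registry values set in this article with a baseline.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Each check: where the value lives, its name, and a test for an acceptable value.
$checks = @(
    @{ Scope = 'Local';  Path = $rdpTcp; Name = 'UserAuthentication'
       Want = 'NLA required (1)';          Test = { $args[0] -eq 1 } }
    @{ Scope = 'Policy'; Path = $policy; Name = 'UserAuthentication'
       Want = 'NLA required (1)';          Test = { $args[0] -eq 1 } }
    @{ Scope = 'Policy'; Path = $policy; Name = 'MinEncryptionLevel'
       Want = 'High (3) or FIPS (4)';      Test = { $args[0] -ge 3 } }
    @{ Scope = 'Policy'; Path = $policy; Name = 'MaxIdleTime'
       Want = '1..1800000 ms';             Test = { $args[0] -gt 0 -and $args[0] -le 1800000 } }
    @{ Scope = 'Policy'; Path = $policy; Name = 'MaxDisconnectionTime'
       Want = '1..3600000 ms';             Test = { $args[0] -gt 0 -and $args[0] -le 3600000 } }
    @{ Scope = 'Policy'; Path = $policy; Name = 'LicensingMode'
       Want = 'Per Device (2) or Per User (4)'; Test = { $args[0] -in 2, 4 } }
)

function Test-RdshBaseline {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        # A missing key or value yields $null instead of an error
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Scope     = $c.Scope
            Setting   = $c.Name
            Want      = $c.Want
            Actual    = if ($null -eq $value) { '<not set>' } else { $value }
            Compliant = ($null -ne $value) -and [bool](& $c.Test $value)
        }
    }
}

$report = Test-RdshBaseline -Checks $checks
$report | Format-Table -AutoSize
$failed = @($report | Where-Object { -not $_.Compliant })
if ($failed.Count) {
    Write-Warning "$($failed.Count) RDSH setting(s) differ from the baseline"
}
```

A value reported as `<not set>` under the Policy scope means no policy value is present at that path, so the host falls back to its local configuration for that setting.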
Enabling RemoteApp Mode
In RemoteApp mode, specific applications are published to users rather than full desktops, providing a seamless application experience that integrates the remote application into the local taskbar. RemoteApp configuration is covered in detail in the RemoteApp article, but the RDSH server must have the RemoteApp feature enabled.
# Check if RemoteApp is allowed
Get-RDRemoteApp -CollectionName "StandardApps" -ConnectionBroker "rds-broker.corp.local"
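# Allow RemoteApp launches on the local server. fDisabledAllowList = 1 turns off the
# TSAppAllowList check, so any installed program can be started as a RemoteApp, not only published ones
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList" `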
-Name "fDisabledAllowList" -Value 1
Conclusion
Configuring an RD Session Host on Windows Server 2019 involves installing the role, configuring licensing mode, setting appropriate session timeout policies, implementing user profile management, and hardening the server with NLA and encryption requirements. For multi-server deployments, the RDSH role works in conjunction with RD Connection Broker for load balancing and RD Gateway for secure external access. Regular monitoring of session counts and performance counters ensures the RDSH server operates within its designed capacity.