Edit

Share via

License Remote Desktop session hosts

You can use the information in this article to configure licensing for session hosts on your Remote Desktop Services (RDS) deployments. The process is slightly different depending on which roles you assigned to the session host you're licensing.

Prerequisites

In order to install licenses for your session hosts, you need a Remote Desktop license server with per-user or per-device client access licenses (CALs) activated.

Configure licensing for an RDS deployment that includes the RD Connection Broker role

If you need to license session hosts where your RDS deployment doesn't include the connection broker role, you must specify a license server by using group policy either centrally from your Active Directory domain, or locally on each session host. You also need to do specify a license server when using Windows Server with Azure Virtual Desktop.

To specify a license server:

  1. On the RD Connection Broker computer, open Server Manager.

  2. In Server Manager, select Remote Desktop Services > Overview > Edit Deployment Properties > RD Licensing.

    A screenshot of the setup remote desktop services deployment page. The user selects the tasks drop-down menu and selects Edit Deployment Properties.

  3. Select the Remote Desktop licensing mode (either Per User or Per Device, as appropriate for your deployment).

    Note

    If you use domain-joined servers for your RDS deployment, you can use both Per User and Per Device CALs. If you use workgroup servers for your RDS deployment, you have to use Per Device CALs In that case, Per User CALs are not permitted.

  4. Specify a license server, and then select Add.

    A screenshot of the configure the deployment page. Two red borders surround the two radio buttons that say per device and per user, and a field for the file path for the license server.

Configure licensing for an RDS deployment that includes only the RD Session Host role and the RD Licensing role

  1. Depending on whether you want to configure Group Policy centrally from your domain or locally on each session host:

    • Open the Group Policy Management Console (GPMC) and create or edit a policy that targets your session hosts.

    • Open the Local Group Policy Editor on the session host.

  2. Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing.

    A screenshot of the list of policies for Remote Desktop licensing. Use the specified Remote Desktop license servers and Set the Remote Desktop licensing mode are highlighted with red borders.

  3. In the policy list, right-click Use the specified Remote Desktop license servers, and then select Properties.

  4. Select Enabled, and then enter the name of the license server under License servers to use. If you have more than one license server, use commas to separate their names.

    A screenshot of the Use the specified Remote Desktop license servers window. The field labeled License servers to use is highlighted with a red border.

  5. Select OK.

  6. In the policy list, right-click Set the Remote Desktop licensing mode, and then select Properties.

  7. Select Enabled.

  8. Under Specify the licensing mode for the Remote Desktop Session Host server, select Per Device or Per User, as appropriate for your deployment.

    A screenshot of the Set the Remote Desktop licensing mode window. The drop-down menu for specifying the licensing mode for the RD Session Host server is highlighted with a red border.

Ensure an RD Session Host can access an RD licensing server in the same work group

This section only applies to work groups. Skip this section if your RD Session Host and RD licensing server are joined to a domain in Active Directory. You can also skip this section if the RD licensing server and RD Session Host server are the same machine.

After applying the security update for CVE-2024-38099, RD licensing servers enforce that RD Session Host servers present nonanonymous credentials when requesting or querying licenses. To enforce nonanymous credentials exist, confirm that the NT AUTHORITY\NETWORK SERVICE account under which the Remote Desktop Service runs on the RD Session Host has access to credentials. Configure the machines in a work group using the following steps.

First, we recommend creating a dedicated user on the RD licensing server:

  1. Connect to the RD licensing server. If doing so remotely, you may need to start the Remote Desktop Connection application using the mstsc.exe /admin command if the target machine can't contact a RD licensing server.

  2. Once connected, right-click Start, then select Run, and enter lusrmgr.msc. Then press ENTER.

  3. Select Users in the left pane.

  4. Open the Action menu and select New User….

  5. Choose a username and a unique strong password for the user. Then confirm the password.

  6. Uncheck the "User must change password at next logon" checkbox.

  7. Select Create.

Then, on each RD Session Host server that needs to connect to the RD licensing server, add the user:

  1. Connect to the RD Session Host machine. If doing so remotely, you may need to start the Remote Desktop Connection application if the target machine can’t contact any RD licensing server. Open Remote Desktop Connection as an administrator, or use the command: mstsc.exe /admin.

  2. Start a Command Prompt as NT AUTHORITY\NETWORK SERVICE. You can do this with PsExec from the Sysinternals Utilities, by running the following command as an administrator:

    psexec.exe -I -u "NT AUTHORITY\NETWORK SERVICE" cmd.exe

  3. Then, add the hostname or IP address of your licensing server, and a username and password to the licensing server with the following command:

    cmdkey /add:<NAME-OF-THE-LICENSING-SERVER> /user:<NAME-OF-THE-LICENSING-SERVER>\<USERNAME> /pass

  4. When prompted for the password, enter the password previously selected and press ENTER.

The RD Session Host should now be able to connect to the RD licensing server.

Alternatively, the requirement for proper authentication can be disabled on the licensing server. If you would like to disable the enforcement of authentication on your RD licensing server despite the risk, you can modify the registry.

Warning

Disabling the enforcement of authentication on the RD licensing server is not recommended and can result in increased security risks. Use it at your own risk.

If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To update the registry key and value on the RD licensing server:

  1. Start the Registry Editor.

  2. Modify the key: HKLM\ SYSTEM\CurrentControlSet\Services\TermServLicensing\Parameters with the following values:

    • Name: DisableWorkgroupAuthEnforcement

    • Type: REG_DWORD

    • Data: 1

Warning

Future versions of Windows may stop honoring this setting.

Next steps

Learn how to create reports to track RDS per-user CALs issued by a Remote Desktop license server at Track your Remote Desktop Services client access licenses (RDS CALs).