Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Windows RT Tablets, x86 applications and Windows Server Remote Desktop Services. A better together Microsoft Experience.
Published Sep 20 2018 01:21 AM 913 Views

First published on TechNet on Feb 17, 2014

Hello, Jeff ‘the dude’ Stokes back with a post to help you fully utilize that BYOD experience. That of course would be the Windows Surface RT and Windows Surface 2 tablets. They have a place and that place is Modern Apps. But what about legacy x86 apps you say? You can run those too via RemoteApp, and as Montell Jordan would say… this is how we do it .

How does one enable a mobile workforce with affordable devices and simple to construct backend environments, one might ask? This post is a primer, a guide for a proof of concept, a tantalizing tale of tranquil steps aka a guide for you to set this up in a test lab. So read and learn as the dude guides you through this step by step. A lab we will build, a proof of concept Remote Desktop Services node, with Remote Applications. If you don’t have a Windows RT Tablet, fear not, you can reproduce the steps in a Windows 8.1 VM as well.

Installing the RDS Server

1. Install Windows Server 2012. Run Windows Updates. Pick everything. Install. Reboot. Do the normal stuff (time zone, name, domain join, etc.).

2. Enable the RDS Role. This is an easy step, but an important one. It goes a little something like this:


3. We add a role and feature, through the wizard of course!


4. and then hit next. For our lab/proof of concept/playground, we just pick “Quick Start”.


5. This is not a VDI Post (nor a Love Song ) so pick Session-based desktop deployment.


6.  And then we need to of course verify we are installing this role and feature set on PICKLE! Well, that’s my name for the demo, you picked your own I’m sure for your lab. I also named my lab based on the movie I watched most recently...


7. No funky rights needed here, because the wizard is going to take care of it for us! That’s something the PG did an awesome job on. Standing up a (simple) VDI or RDS setup is quite easy in this wizard, kudos to them!


8. Check the box for “restart automatically if required” and click “deploy” and away we go…

It’ll reboot and then continue in progress…if you run into issues the event log is a good place to start, but I haven’t had a wizard deployment fail yet myself.


9. You’ll know it’s done when you can see this screen. Do note, the bottom, where it tells you the link to access your RDS farm. You can click it right there in the Wizard. You’ll also need it later if you want to test connectivity with other folks, etc.


10. By the way, normally you’d need licensing, etc setup. I’m not really wanting to get into licensing in this post though, sorry. After all, this is a proof of concept. So instead I get this:

Note: Configuring RDS for High Availability, Security, Internet-Facing Gateways, etc, is beyond the scope of this guide. Thank you.


11. Now that PICKLE has the role we can go into the management console for it. See the green plus signs? We can click those and easily add a server for that role. It is quite a slick setup really. A RD Gateway is mainly used to publish RDS apps to the Internet, Extranet or Intranet, so we don’t get into that with this post either. Again, simple, easy setup here.


12. Note that almost everything is wizard based or guided setup. The only thing we need to do, well, we don’t HAVE to, but the only thing I’m going to do here is make sure my apps are published:

13. Note it made Domain Users the default user group for this demo. It also was kind enough to publish 3 apps…but how do we get to them on a Surface RT (or anything else for that matter)?


Connecting With a Domain Joined Client

Let us start simple. For our non-Surface/Mobility friends, I’ll first connect from a domain joined machine, a VM running Windows 7 x64 SP1.


1. The first time a user hits the logon page, they are prompted to run the ‘Microsoft Remote Desktop Services Web Access Connector’ add-in. That’s fine, it’s needed.


2. Then you simply logon to the webpage using a Domain User account and select if you want the browser to be able to save credentials (the radio button at the bottom):


3. After doing so a balloon will appear that notes you are connected to work resources. This should be a common sighting for you with this exercise.


4. And then your web page will look like this. It’s the default suite of applications, just to demo that the thing works for you. Nothing too harmful, nice easy apps. Any x86 app should work though from my experience.


5. Launch an app, and voila you get a prompt, awfully similar to the mstsc window….note the publisher is unknown because we haven’t trusted the certificate.


6. After you connect, you are running the app, but remotely, as the icon on the taskbar tells us… to exit out, simply click the X like you would any other window. Easy enough right?

Connecting With a Surface RT/Surface 2

Ok so great. We’ve got remoteapp working. How does mobility come into this, specifically whats the angle on Windows Surface RT? Well, the limitation (or advantage) of RT is not running legacy x86 applications. But if you need long battery life + x86 legacy apps, publish the application in RDS and then connect from RT.

1, So logon to a Windows RT (or if you don’t have an RT tablet yet, a non-domain joined Windows 8.x x86/x64 install can be used here) and install from the store, the RDC app!


2. Now that you have it installed, there is a work around needed to trust the server (you don’t have a domain join so the client doesn’t know who pickle is). So open Internet Explorer and go to the IIS address, and download the certificate so you can install it on the machines’ certificate store:


3. Warning, danger Will Robinson! Untrusted Cert (No, for a demo/poc, I did not get a real SSL cert)


4. Go to view the certificate and on details, download it by copying it to a file.


5. Pick the top option as seen below:


6. I then save it somewhere easy to recall, in this case, on the desktop.


7. And viola, we’ve exported the cert successfully.


8. Now we run the command certutil –f –urlfetch –verify “cert.cer” > certverify.txt and we can see the URL is correct, should work, etc, in the text file.


9. Here is the results, we can see the cert info, looks good to me (I am not a cert guy, but bear with me, if you have to troubleshoot certificates, this is a way to do it).


10. Now, install the certificate. Just right click the .cer file and select “Install Certificate”.


11. Here is a certificate import wizard, remember! Local machine here folks. Not Current User.


12. Now, don’t let it guess, place the certificate into the “Trusted Root Certification Authorities” store.


13. Tada! Its done.



14. Now launch the Modern RDC client!

You place the web site name of your RDS farm into the modern app:


15. Then you are prompted for credentials (recall you aren’t domain joined here):


16. At which point you connect and get this!


17. So you click the OK button and are rewarded with a selection of awesome apps! The same list as we saw in the website right, on the desktop? Click an app you want to run.


We’re now running Calc remotely in RT/8.x non-domain joined from our Server in a RDS session. YAY!



So, one might ask, ‘Dude, I followed all these steps, and I see this, but why? What for? How? Huh?’ I’ll tell you, we just stood up a proof of concept RDS farm, we connected from non-domain joined assets securely to domain apps (in this case, Calc…which can calculate gas mileage did you know?!)


Now some have been awfully critical of the RT OS, saying it can’t run x86 / x64 applications so what’s the point. The point is a new model of application design, Modern Apps. But if you have an application, a legacy application, that you need to run, and you want longer battery life and a thin device and touch and all that, you can still run your legacy app provided you have some network connectivity. That’s not a bad deal in my opinion.

Some follow on questions. What about a real PKI solution? The dude is not a PKI guy, but yes, you could do the same and trust the CA I imagine. Or a real SSL cert. You would still have to import a certificate in any situation. Does Intune do this? Looks like it does. See for more information.

What about licensing, can we do this without paying more? We look to need RDS CALs for this, but check with a licensing specialist for your account. You may already own the licenses to roll this out and not even know it! See this for more information though.


Jeff “I got 99 problems but legacy apps aren’t 1” Stokes.

Version history
Last update:
‎Feb 19 2020 08:26 PM
Updated by: