Blog: Windows Server 2012 R2

The traditional method of opening Windows Task Manager, going to the Users tab, right clicking the user, and clicking Remote Control is no longer and option on Windows Server 2012 R2.

To shadow a session in Windows Server 2012 R2, you must use the "mstsc" command with the /shadow switch. First, open Windows Task Manager and go to the Users tab. Find the ID of the user you wish to shadow and remember this number. Then, from RUN or a Command Prompt, type “mstsc /shadow:<session id>”. The user will be prompted to allow you to shadow their session. This will work on Remote Desktop and normal servers.

If the server is a Remote Desktop Server, you can use Server Manager to shadow the session. Go To Remote Desktop Services, then Collections, and find the Connections window. Right click the user and click Shadow. The user will be prompted to allow you to shadow their session.


I was recently working with a customer and they had been prompted to reboot their server mid-day because of Windows updates. I told them to click “Restart Later” and forget about it because it should initiate the restart that night. However when I logged on to the server a few days later I got the notification that the server would reboot in 5 minutes.  I disabled the Windows Update service to prevent the reboot, then followed the steps below to force a reboot after updates are installed regardless if someone is logged into the server or the session is locked.
To change the AlwaysAutoRebootAtScheduledTime registry key value to enable automatic Windows Update restarts, follow these steps:

  1. Install Windows Update 2822241
  2. Start Registry Editor. To do this, follow these steps:
    1. Swipe in from the right edge of the screen, and then tap Search. Or, if you are using a mouse, point to the lower-right corner of the screen, and then click Search.
    2. In the search box, type "regedit.exe".
    3. Tap or click the displayed regedit.exe icon.
  3. Locate the following registry subkey:
  4. Swipe across or right-click AlwaysAutoRebootAtScheduledTime, and then tap or click Modify. Note If the entry does not exist, follow these steps to add it:
    1. On the Edit menu, point to New, and then tap or click DWORD Value.
    2. Type "AlwaysAutoRebootAtScheduledTime" in the Name field, and then press Enter.
  5. In the Value data box for this registry key, enter "1".
  6. Click OK.
  7. Exit the Registry Editor.


Microsoft has changed the way that RemoteApp are made available to users in Server 2012 R2. They have done away with the MSI Installer method and the ability to create a RDP file. The two deployments options now are RDWeb and RemoteApp/Desktop Connection.

RDWeb is a great option for remote users, Mac users, and users of Microsoft operating systems older than Windows 8. The users simply go to a website, login, and are presented with all of the applications published to them. You can also use RDWeb to allow users to start RDP connections to Windows computers, which might be useful for users working remotely who need to connect to their office computers.

The RemoteApp/Desktop Connection method publishes the RemoteApps available to a user to their desktop, without having to log into RDWeb. The applications the user has published to them simply show up in their Start Menu. This setting can be deployed to users using Windows 8 and newer computers via a Group Policy Object. The Desktop connection URL setting under User Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | RemoteApp and Desktop Connections should be set to https://FQDN/RDWeb/Feed/webfeed.aspx as shown below.

It is important to note that the RemoteApp/Desktop Connection method requires that the SSL certificate issued to the remote desktop server be trusted on the user’s PC for the GPO to apply. RDWeb will also show security warning if the SSL certificate is not trusted on the user’s PC. While eliminating these security messages can be achieved by using an internal certificate, in cases where there is not an internal certificate authority, it is likely more economical to purchase a trusted third party SSL certificate than use the self-signed certificate from the remote desktop server. A third party certificate will eliminate the need for the user’s PC to have any certificates imported into their certificate store.



There was a 2012 R2 server I had configured and been using to test with for several months. After a few months, I could no longer connect to the server with remote desktop. I could ping the server and browse the admin shares across the network. I logged in and verified the Remote Desktop Services service was started and enabled.

Looking at the event log, I could see that every time I tried to remote in, the System log was adding event 36870 – “A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.”

More research seemed to indicate that this was a problem with the Remote Desktop certificate on the system.  I opened the certificate manager for the local system, backed up the remote desktop certificate and then deleted it the certificate store.  Now, when I restarted the Remote Desktop Services service, I started getting a different event 1058 – “The RD Session Host Server has failed to replace the expired self-signed certificate used for RD Session Host Server authentication on SSL connections.  Access is denied.”

More research pointed me to checking the permissions in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.  When I tried to set a permission on the folder, it propagated to all the files within except for one which said that access was denied.  I was unable to modify the permissions on the file itself even though I was logged in as the local administrator.

Taking a chance, I stopped the Remote Desktop Services service and was able to delete the file with the permission issues.  I restarted the Remote Desktop Services service and observed that a new Remote Desktop certificate had been created as well as a new file in the MachineKeys folder.  I was now able to connect to the server using remote desktop.


We had users testing with 2012 R2 Remote Desktop servers recently, and we came across a problem with viewing multiple pages in .tif files using the default viewer.  For this customer we decided to use a third party photo viewer utility called Irfanview.
Naturally, the next step was setting the .tif “open with” settings to use the new viewer for all users.  We came across a few articles about implementing User Group Policy Preferences –> Folder Option –> Open With settings.  When we tried to configure it, it didn’t change anything on 2012 R2 server. This worked in previous versions of Windows.
After more research we found this is now done by creating a default associations configuration file using DISM and then creating a GPO to use the resultant XML file.
1. Set the file associations that you need.
2. Export the settings using command “Dism /Online /Export-DefaultAppAssociations:<path>\default_associations.xml”.
3. Create a GPO and configure the Computer configuration\Administrative templates\Windows Components\File Explorer\Set a default associations configuration file.  Specify the path to the XML file you created.  This will change the registry settings in HKLM\Software\Policies\Microsoft\Windows\System\DefaultAssociationsConfiguration to the specified XML file.
The following is an example of the associations in the XML configuration that I used:
<?xml version="1.0" encoding="UTF-8"?>
  <Association Identifier=".gif" ProgId="IrfanView.GIF" ApplicationName="IrfanView" />
  <Association Identifier=".jpe" ProgId="IrfanView.JPG" ApplicationName="IrfanView" />
  <Association Identifier=".jpg" ProgId="IrfanView.JPG" ApplicationName="IrfanView" />
  <Association Identifier=".jpeg" ProgId="IrfanView.JPG" ApplicationName="IrfanView" />
  <Association Identifier=".png" ProgId="IrfanView.PNG" ApplicationName="IrfanView" />
  <Association Identifier=".tif" ProgId="IrfanView.TIF" ApplicationName="IrfanView" />
  <Association Identifier=".tiff" ProgId="IrfanView.TIF" ApplicationName="IrfanView" />