Application Server

A common point of failure is due to the group policy applied to the application server.

Group Policy Settings

In a typical enterprise scenario the administrator has applied Microsoft's security baseline group policies on Windows servers. There are some group policies that will prevent the application server from functioning. Some of these policies may not appear in your Group Policy editor if the template is missing from your Windows Policy folder, but must be changed to install correctly. Ensure the following group policies are either unconfigured or set to the following values in the table:

Path

Setting

Value

Comment

Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security Always prompt for password upon connection Disabled A login prompt will prevent remoteapp applications from launching.
Require use of specific security layer for remote (RDP) connections Enabled (SSL) or not configured Enhances security by requiring TLS 1.0 to authenticate the RD Session Host server during RDP connections.
Require user authentication for remote connections by using Network Level Authentication Enabled or not configured Enhances security by requiring user authentication earlier in the remote connection process. Some clients may require NLA authentication to login.
Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections Allow users to connect remotely by using Remote Desktop Services Enabled or not configured If this is not configured and users are able to connect then it may be left as not configured.
Windows Settings > Security Settings > Local Policies > User Rights Assignment Deny access to this computer from the network Remove Local account Local users must be able to remote into application server to run applications and configure the machine using the --app-server install. This is not required if using active directory authentication.
Deny log on through Remote Desktop Services Remove Local account Local users must be able to remote into application server to run applications. This is not required if using active directory authentication.
Allow log on through Remote Desktop Services Add Users Click object types and check "groups" then add the object "Users".
Windows Settings > Security Settings > Application Control Policies > AppLocker > Executable Rules Allow Everyone %OSDRIVE%\PROGRAMDATA\TURBO\* Turbo VM images may be cached in the PROGRAMDATA folder.
Windows Settings > Security Settings > Application Control Policies > AppLocker > Executable Rules Allow Everyone %OSDRIVE%\USERS\*\APPDATA\LOCAL\TURBO\* Turbo Container Sandboxes may be cached in the user's local AppData folder.

Diagnosing WinRM Errors (LEGACY)

The following group policies enables WinRM for legacy (prior to version 2019.7.26) Turbo Broker:

Path

Setting

Value

Comment

Administrative Templates > SCM: Pass the Hash Mitigations Apply UAC restrictions to local accounts on network logons Disabled or not configured Security baseline will enable this value. If the policy path is missing, locate the ptH.admx and add it in your group policy templates folder.
Administrative Templates > Windows Components > Windows Remote Management > WinRM Client Allow Basic authentication Enabled or not configured Security baseline default value is not configured.
Allow unencrypted traffic Enabled or not configured Security baseline will set this to disabled. The winrm command will test the connection using basic http.
Administrative Templates > Windows Components > Windows Remote Management > WinRM Service Allow remote server management through WinRM Enabled or not configured Application server provision requires WinRM. If enabled, make sure you set the IPv4 and IPv6 filters correctly.
Allow Basic authentication Enabled Application server provision requires WinRM.
Allow unencrypted traffic Enabled Application server provision requires WinRM.
Windows Settings > Security Settings > Local Policies > User Rights Assignment Deny access to this computer from the network Remove Local account Application server provision requires WinRM potentially over the local administrator account.

In a command prompt on the application server, issue the following command:

>winrm identify -r:http://localhost:5985 -auth:basic -u:{adminuser} -p:{password} -encoding:utf-8

The command should be an IndentifyResponse. If command fails and you have checked the group policies have been properly set, try the winrm quickconfig command. Note that the quickconfig command will request LocalAccountTokenFilterPolicy. Turbo does not require that setting to be enabled.

>winrm quickconfig
WinRM service is already running on this machine.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:

Configure LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.

Make these changes [y/n]? y

WinRM has been updated for remote management.

Configured LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.

>winrm quickconfig
WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.

RemoteApp Registry Settings

The application server provisioner should make the required changes to enable RemoteApp execution. Ensure these registry settings were applied properly:

Path

Setting

Value

Comment

HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services fDenyTSConnections 0 (DWORD) Enables Terminal Services.
fDisableCam 0 (DWORD) Enables audio.
DisablePasswordSaving 0 (DWORD)
fPromptForPassword 0 (DWORD)
fEncryptRPCTraffic 0 (DWORD)
MinEncryptionLevel absent Remove this value.
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList fDisabledAllowList 1 (DWORD) Enables the RemoteApp allowed program list.
CustomRDPSettings authentication level:i:2 (String) Specifies RemoteApp custom settings such as the authentication level.
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList\Applications\turboplay Path C:\Program Files (x86)\Turbo\Cmd\turboplay.exe (String) Make sure turboplay is allowed.
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList\Applications\turbo Path C:\Program Files (x86)\Turbo\Cmd\turbo.exe (String) Make sure turbo is allowed.
HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp SecurityLayer 2 (DWORD) Require TLS 1.0 to authenticate the RD Session Host server.
UserAuthentication 1 (DWORD) Enable Network Level Authentication.

Windows Updates

The following Windows updates are required to establish secure connections between the client and RD Session Host. Not installing the following updates on the application server may prevent connections between the client and application server from functioning:

Operating System

Update

Comment

Windows Server 2012 KB4103730 or KB4103726 Security update for Remote Desktop connections.
Windows Server 2016 KB4103723 Security update for Remote Desktop connections.

Windows Update Notifications

Disable Automatic Updates if Windows Update notifications are being shown on remote sessions:

First open the Local Group Policy Editor:

> gpedit.msc

Set Configure Automatic Updates to disabled under Computer Configuration/Administrative Templates/Windows Components/Windows Update.

Questions? Talk to us.