RDS 2012 Certificates. SSO. A website is trying to run a RemoteApp program.

The goal was to remove this dreaded end-user dialogue box:
A website is trying to run a RemoteApp program. Make sure that you trust the publisher before you connect to run the program.

Simple right? Wrong; especially when I came across many blogs attempting to address RDS certificate issues. This one post gets you 90% there but was not complete. Specifically, see the red section below.
Steps:

  1. Get a certificate (in my case, a GoDaddy wildcard cert)
  2. Assign the certificate to the RDS roles. Refer to this great post with screen shots.
  3. Extract the certificate thumbprint, remove the “Get-Childitem Cert:\LocalMachine\My” PowerShell command on your RDS server or follow the steps outlined on Morgan Simonsen’s blog. Make sure you properly format the thumbprint: no spaces, all caps.
  4. Create and assign a GPO for the following settings:
    1. Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client > “Specify SHA1 thumbprints of certificates representing trusted .rdp publishers”.
      Under Options, paste the formatted thumbprint.
      Specify SHA1 thumbprints of certificates representing trusted .rdp publishers
    2. Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client > “Allow .rdp files from valid publishers and user’s default .rdp settings”.
      Enable.
    3. Computer Configuration > Policies > Administrative Templates > System > Credentials Delegation > “Allow Delegating Default Credentials > “Allow Delegating Default Credentials”.
      Enable and add “TERMSRV/<insert your RDS gateway/server name>” (refer to the example text in the GPO editor).
      Allow Delegating Default Credentials 
    4. Yet after repeated gpupdate /force and a full reset of IE settings, the dialogue warning persisted. Then I stumbled across these two nuggets: here combined with 2nd post down here. The “Specify SHA1…” GPO was not adding the proper “PublisherBypassList” keys.
      The solution? Manually adding the “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\PublisherBypassList” as a User Configuration GPO registry update.
      PublisherBypassList GPO
      Notice the key is the thumbprint above with an additional “00” placed at the end.
      PublisherBypassList regedit
      The easiest way to verify the key is to check the “Do not remind me….” on the RDS prompt. It will save the thumbprint for you in the proper format.
  5. For icing on the cake, enable single sign-on; see this excellent blog post or the official MSDN blog post“.

Enjoy. SSO RDS connections with no dialogue boxes or end-user warnings or prompts.

“Set Up Internet Explorer 11” Bypass with GPO or Registry

This took too long to Google the answer.  Most information is out-of-date with IE8/IE9 solutions.  It is basically a duplicate of this post from Andres Cheah.

The goal is to bypass this dialogue box:
set-up-ie-11

Our users are easily confused.

Using Group Policy Editor

  1. Use gpedit.msc or launch the Group Policy Editor.
    Note: In an Active Directory environment, open gpmc.msc and either edit an existing GPO, or create a new one and link it to the domain level, or to an OU of your choice.
    Refer to “Group Policy for Beginners” from Microsoft for the basics.
  2. In the left pane, expand User Configuration > Administrative Templates > Windows Components > Internet Explorer.
  3. On the right pane, double-click on “Prevent running First Run wizard”. A new settings window will open up.
    prevent-first-run-ie-11
  4. Set the value to “Enable”.
  5. In the options section you must choose one of the two options from the drop-down menu:
    1. Go directly to “Welcome To IE” page.  This configures IE to skip the Welcome screen and and go to the “Welcome to Internet Explorer” page directly.
    2. Go directly to home page.  This configures IE to skip the Welcome screen and go directly to your home page.  This is the option we chose.  You can combo this up with this post from ServerFault to also push a desired homepage to users.
      You need to choose one of the two, otherwise the configuration will not work.

For those who really want to dig into how IE11 is handling the policy, I later came across this post from chentiangemalc where it details how the policy is applied and the associated ADMX.  It also explains why much of the internet is outdated in the older “Prevent performance of First Run Customize Settings” that were used in IE8 and IE9 (e.g. here, here and here).