How to Configure the RDS "Startup Environment" in Server 2016, 2019, 2022 & 2025
If you recently upgraded your infrastructure, you likely noticed a glaring omission: Microsoft removed the Environment, Sessions, and Remote Control tabs from the Active Directory Users and Computers (ADUC) GUI starting in Windows Server 2016.
However, the underlying functionality to force a specific application to open upon RDP login (often used for kiosk environments or restrictive workspaces) is still 100% supported in modern Windows Server deployments. You simply have to bypass the missing ADUC tabs and configure the startup environment using Group Policy (GPO).
Prerequisites Before You Begin
- You must have Domain Administrator privileges to create or edit Group Policy Objects.
- The file path to the executable you want to launch must be identical across all target Session Hosts.
- Users must have standard Remote Desktop connect permissions to the server.
- Open Group Policy Management
  Log into your Domain Controller and launch the Group Policy Management Console (gpmc.msc).
- Create or Edit a GPO
  Locate the Organizational Unit (OU) containing the users you want to restrict. Right-click the OU and select Create a GPO in this domain, and Link it here... Name the policy something identifiable (e.g., "RDS Kiosk Environment") and click Edit.
- Navigate the Policy Tree
  In the Group Policy Management Editor, drill down through the following path:
  User Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment.
- Enable the Startup Policy
  In the right-hand pane, locate the policy titled Start a program on connection. Double-click it and change the radio button from "Not Configured" to Enabled.
- Define the Application Path
  Under the Options section, enter the exact local path to the executable file (e.g., C:\Program Files\YourApp\app.exe) in the Program path and file name field. Optionally, define the working directory. Click Apply and OK.
- Update Policies and Test
  Open Command Prompt on your target Session Host and run gpupdate /force. When the targeted users RDP into the server, they will bypass the standard Windows desktop and launch directly into the specified application.
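A pre-flight check for the prerequisite that the executable path be identical on every Session Host, as an added example that is not part of the original article. The host names are placeholders, the path is the article's sample path, and PowerShell remoting is assumed to be enabled; comparing SHA-256 hashes and Authenticode status goes beyond the path check the article asks for, so that a host carrying a different or unsigned binary at the same path is noticed before the policy forces users into it.

```powershell
# Added example. Host names are hypothetical; replace with your Session Hosts.
$SessionHosts = 'rdsh01.example.local', 'rdsh02.example.local'
# Sample path from the article; replace with the path entered in the GPO.
$ProgramPath  = 'C:\Program Files\YourApp\app.exe'

function Get-StartupProgramState {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$Path
    )
    # Runs on each host; PSComputerName is added to every returned object.
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Path -ScriptBlock {
        param($p)
        $exists = Test-Path -LiteralPath $p -PathType Leaf
        [pscustomobject]@{
            Exists    = $exists
            Sha256    = if ($exists) { (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash } else { $null }
            Signature = if ($exists) { (Get-AuthenticodeSignature -FilePath $p).Status.ToString() } else { $null }
        }
    }
}

function Test-StartupProgramState {
    param([Parameter(Mandatory)][object[]]$State)
    $ok = $true
    foreach ($s in ($State | Where-Object { -not $_.Exists })) {
        Write-Warning "$($s.PSComputerName): program path not found"
        $ok = $false
    }
    # More than one distinct hash means the hosts do not run the same binary.
    $hashes = @($State | Where-Object Exists | Select-Object -ExpandProperty Sha256 -Unique)
    if ($hashes.Count -gt 1) {
        Write-Warning "Executable differs between hosts ($($hashes.Count) distinct SHA-256 values)"
        $ok = $false
    }
    foreach ($s in ($State | Where-Object { $_.Exists -and $_.Signature -ne 'Valid' })) {
        Write-Warning "$($s.PSComputerName): Authenticode status is $($s.Signature)"
    }
    return $ok
}

$state = Get-StartupProgramState -ComputerName $SessionHosts -Path $ProgramPath
$state | Sort-Object PSComputerName |
    Format-Table PSComputerName, Exists, Signature, Sha256 -AutoSize
if (Test-StartupProgramState -State $state) { 'All hosts consistent.' }
```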
Alternative Method: Restore Legacy RCM Behavior (Registry Fix)
If you prefer to manage startup environments directly through user objects in AD DS (via PowerShell or third-party tools) rather than GPO, you must manually force the Remote Connection Manager (RCM) to query Active Directory.
Starting in Windows Server 2016, Microsoft optimized connection times by stopping RCM from querying the user’s AD object for RDS attributes by default. To revert to the legacy Windows Server 2012 R2 behavior and force RCM to read your AD attributes, you must apply one of the following registry values on your Session Host.
Option 1: Apply System-Wide (Policies)
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Name: fQueryUserConfigFromDC
Type: REG_DWORD
Value: 1
Option 2: Apply to the specific RDP-tcp Node
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-tcp
Name: fQueryUserConfigFromDC
Type: REG_DWORD
Value: 1
Note: After applying either of these registry values, you will need to restart the Remote Desktop Services service or reboot the Session Host for the change to take effect.
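The two registry options above, scripted as an added example that is not part of the original article. The function names are made up for illustration; the paths, value name, type and data are the ones listed above, and TermService is the service name of Remote Desktop Services. Run it elevated on the Session Host.

```powershell
# Added example. Paths and value name are taken from the article.
$RcmTargets = @{
    Policy     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    WinStation = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-tcp'
}
$ValueName = 'fQueryUserConfigFromDC'

# Report the current state of both locations (useful for auditing a host).
function Get-RcmQueryState {
    foreach ($scope in $RcmTargets.Keys) {
        $item = Get-ItemProperty -Path $RcmTargets[$scope] -Name $ValueName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Scope = $scope
            Path  = $RcmTargets[$scope]
            Value = if ($item) { $item.$ValueName } else { '(not set)' }
        }
    }
}

# Set the value in one location; optionally restart the service.
function Enable-RcmQueryFromDC {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('Policy', 'WinStation')][string]$Scope = 'Policy',
        [switch]$RestartService
    )
    $path = $RcmTargets[$Scope]
    # The Policies key may not exist on a host with no RDS policies applied.
    if (-not (Test-Path -Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$path\$ValueName", 'Set REG_DWORD to 1')) {
        New-ItemProperty -Path $path -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
    # Restarting TermService disconnects every active RDP session on the host.
    if ($RestartService -and $PSCmdlet.ShouldProcess('TermService', 'Restart service')) {
        Restart-Service -Name TermService -Force
    }
}

Get-RcmQueryState | Format-Table -AutoSize
Enable-RcmQueryFromDC -Scope Policy -WhatIf   # preview; drop -WhatIf to apply
```

Add -RestartService only in a maintenance window, or reboot the host instead, as the note above describes.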
Admin Note: The Modern Alternative
While the GPO method replaces the old ADUC Environment tab perfectly, Microsoft's modern recommended approach is to deploy a RemoteApp Collection. RemoteApp seamlessly integrates the application into the user's local Start Menu rather than loading a full server desktop shell.
Is Your Restricted Environment Fully Licensed?
Even if your users are only connecting to a single, locked-down application upon login, Microsoft still explicitly requires every connecting individual to be covered by a valid RDS User or Device CAL for proper authorization and to maintain uninterrupted access.