RDS and RemoteApp Performance Issues on Windows Server 2019/2016

In this article, I’ve put together some solutions to common performance problems with RDS servers or published RemoteApp that I’ve encountered in my infrastructure. Before implementing any of the solutions or workarounds, check if it is suitable for your infrastructure and environment.

Fixing RDS Performance on Windows Server 2016/2019 with UPD

RDS servers running Windows Server 2019/2016 with a large number of users may experience slow performance when using User Profile Disks.

The problem is that new inbound and outbound rules are created in Windows Defender Firewall every time a user logs in.  Those firewall rules are not automatically removed when the user logs out.

Over time, a lot of duplicate rules appear in the firewall, which leads to a dramatic decrease in performance of the RDS server (slow login, black screen when logging in via RDP, RDS hosts freeze, menus don’t open, and the Start button does not appear).

Check the number of rules in Windows Defender Firewall using the PowerShell command:

(Get-NetFirewallRule).count

In my case, one of the RDS hosts had 18,000 firewall rules! These rules are created for Windows UWP Store apps each time a user signs in.

To fix the issue, you must first install the latest security updates for your version of Windows Server (at least KB4467684 on Windows Server 2016 and KB4490481 for Windows Server 2019). Then create the following registry parameter on your RDSH:

• Reg key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
• Type: REG_DWORD
• Property: DeleteUserAppContainersOnLogoff
• Value: 1

You can create a registry property using the PowerShell command:

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy" -Type DWord -Name DeleteUserAppContainersOnLogoff -Value 1

Don’t forget to manually clear the inbound and outbound rules in Windows Defender Firewall. If there are few firewall rules, you can use a PowerShell script from the TechNet thread (https://social.microsoft.com/Forums/Azure/en-US/992e86c8-2bee-4951-9461-e3d7710288e9/windows-servr-2016-rdsh-firewall-rules-created-at-every-login?forum=winserverTS).

Poor RDS/RemoteApp Performance Due to High Mouse Polling Rate

Many users complain about poor RDP session performance, high latency, and mouse lags after migrating the RDS farm to Windows Server 2019. The mouse is very slow to respond to movement, the cursor shakes, and freezes.

This problem can be related to the high DPI and polling rate settings of some optical mice (usually gaming mice). For example, the popular Logitech G203 mouse has a default polling rate of 1000 times per second (1000 Hz). A high mouse polling rate seems to cause a high load on the RDP connection, and you may encounter lags when working with RemoteApps. If you reduce this value to 125 times per second (125 Hz), the mouse problem in the RDP session will disappear.

You can reduce the Polling Rate using the vendor’s mouse tools.

If you can’t reduce the polling rate, try to disable the mouse cursor shadow (uncheck the Enable pointer shadow option) and select the None scheme for the pointer in the mouse settings in the Windows Control Panel (main.cpl).

Slow RemoteAPP, Mouse, and Menu Lags after Windows 10 Upgrade

Users may experience performance issues with RemoteApps published on Windows Server 2019/2016/2012R2 RDS servers after the Windows 10 build upgrade. RDS RemoteApps may start to work much slower, any action that is caused by a mouse click is performed (drawn) 2-3 times longer, and context menus in RemoteApps are displayed slowly (menu items blink, you have to click on them several times, sometimes they do not appear at all). Similar problems occurred when upgrading Windows 10 builds on clients to 1803 and 20H2.

To work around this problem, you can try to change the value of the Use Advanced RemoteFX graphics for RemoteApp parameter to Disabled using the local GPO editor (gpedit.msc) (GPO section: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Remote Session Environment).

However, there is also a workaround to replace the RDP client version with an older one. Because performance issues with RemoteApp have been encountered also in Windows 10 1709, it’s best to use RDP libraries from 1607 or 1703. The thing is that after upgrading the Windows 10 build, a new version of the RDP client is installed, which doesn’t work correctly with the programs published via RDS RemoteApp.

You can fix poor RemoteApp performance on clients by replacing the mstsc.exe and mstscax.dll files in the C:\Windows\System32 folder with the versions from a previous build of Windows 10 (1703 or 1607).

How to replace RDP client files in Windows 10?

1. Close all RDP connections and running RemoteApp (it is better even to restart the computer);
2. Download the archive with the versions of mstsc.exe and mstscax.dll from Windows 10 1607 build (mstsc-w10-1607.zip);
3. Copy the original mstsc.exe and mstscax.dll files from the C:\windows\system32\ to the C:\BackUp using the commands:md c:\backup\
copy C:\windows\system32\mstsc.exe c:\backup
copy C:\windows\system32\mstscax.dll c:\backup
4. Then you need to assign your account to the owner of the mstsc.exe and mstscax.dll files in the C:\windows\system32\ directory, disable inheritance and grant yourself the permissions to modify the files:takeown /F C:\windows\system32\mstsc.exe
takeown /F C:\windows\system32\mstscax.dll
icacls C:\windows\system32\mstsc.exe /inheritance:d
icacls C:\windows\system32\mstscax.dll /inheritance:d
icacls C:\windows\system32\mstsc.exe /grant root:F
icacls C:\windows\system32\mstscax.dll /grant root:F
   In this example, the name of the local account with administrator permissions is root. Replace it with your account name.
5. Replace the files in the C:\windows\system32\ directory with the files from the archive;
6. Restore the original permissions on the copied files. To do this, enable inheritance of NTFS permissions and set the owner of the files to “NT Service\TrustedInstaller” using the ICACLS tool:icacls C:\windows\system32\mstsc.exe /inheritance:e
icacls C:\windows\system32\mstscax.dll /inheritance:e
icacls C:\windows\system32\mstsc.exe /setowner "NT Service\TrustedInstaller" /T /C
icacls C:\windows\system32\mstscax.dll /setowner "NT Service\TrustedInstaller" /T /C
7. It remains to re-register the library::
   regsvr32 C:\Windows\System32\mstscax.dll

This will temporarily fix the RemoteApp performance issue on Windows 10 clients.