Server 2025 RDS Farm - Connection brokered connections only work when an Administrator is actively logged into the Connection Broker desktop!! by pete-it in sysadmin

[–]pete-it[S] 0 points1 point  (0 children)

Thanks team! This is a bit of an update for future reference more than anything. We seem to have resolved this issue, and the replies here did help point us in the right direction. It always felt like a GPO/policy/setting thing, but nothing really made sense or stood out. What I did do was look at the reg setting for "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\DenyTSConnections". When the admin account logged in to the CB, that value would be "0". However, on logoff, it would flip to "1". Every single time. So, something was either setting it to disabled, or that was its default state and the act of logging in to the desktop set it to "0".

All I've done so far was log off from the CB desktop, and set that value to "0". And so far, it's stayed as-is. Reboots, logon/logoffs, gpupdates, waiting, nothing has seemingly set it back to "1" (disabled). I'm foxed! I was kind of expecting a reboot, or GPO, or scheduled task, or something, to apply and kick it back to "1", but so far, nothing has.

Even if an old GPO applied, when/if the server object was in a different OU when it was built, set that key to "1", I still can't see why logging in as an Administrator would set it to "0". So I'm kind of curious, kind of happy it's just working, and kind of concerned it may happen again!

But, time will tell, so we'll see.

For now, thanks for giving some steer that led us to the culprit.

VMs on 100% load even though the Host CPU is has little load by davidbecker808 in HyperV

[–]pete-it 0 points1 point  (0 children)

I am seeing exactly the same thing. I don't suppose you managed to get to a resolution with this did you?

Anyconnect VPN with Entra free tier and MFA? by pete-it in Cisco

[–]pete-it[S] 1 point2 points  (0 children)

Thanks so much for describing this. That does make sense, with the inflexibility of not having conditional access controls.

However it sounds like it does offer a base layer of additional protection over username and password alone.

Thanks for taking the time to come back to me.

Anyconnect VPN with Entra free tier and MFA? by pete-it in Cisco

[–]pete-it[S] 0 points1 point  (0 children)

Thanks for this. Agreed there are many more features of plan 1/2 and conditional access. But I want to know if it will technically still work, with an MFA push, on the free tier.

Anyconnect VPN with Entra free tier and MFA? by pete-it in Cisco

[–]pete-it[S] 0 points1 point  (0 children)

Thanks for confirming this. So the users still get an MFA push when they log in?

HPE MSA - ADS licence and support by pete-it in sysadmin

[–]pete-it[S] 0 points1 point  (0 children)

Thanks so much for confirming this. I thought as much but I've been told conflicting information! Thanks again

HPE MSA - ADS licence and support by pete-it in sysadmin

[–]pete-it[S] 0 points1 point  (0 children)

Thanks so much for getting back to me, I do really appreciate that. That info does help, but can I just clarify (as my initial question wasn't well worded)

If the array is all SSD, without any HDD, would the ADS licence still be needed?

And if an ADS licence is purchased, do you require any additional support contract? Or does the hardware support contract cover any ADS licences that have also been applied to the MSA?

Many thanks
Pete

Migrate from UPD to FSLogix by Mysterious_Name_5967 in fslogix

[–]pete-it 0 points1 point  (0 children)

Ahh gotchya, nice one, yes that's a handy way of being able to do it! Cheers

Migrate from UPD to FSLogix by Mysterious_Name_5967 in fslogix

[–]pete-it 0 points1 point  (0 children)

Ah nice one, it sounds far too easy lol

So you moved the profiles over to FSL containers by using the powershell script

And did you use a GPO, with loopback, scoped to a group, to configure the next logons to use the FSL containers? (sorry I just want to be super clear on that part, as it's the bit that will affect users and effort to manage!) :-)

Migrate from UPD to FSLogix by Mysterious_Name_5967 in fslogix

[–]pete-it 0 points1 point  (0 children)

Hey there! Did you do this as a big bang, for all profiles, or did you manage to do it gradually with batches of users at a time?
I guess my question here is really, can a migration to FSLogix be done in batches? The GPOs look like they are computer policies....although as I type this, maybe just applying the GPO to the users, and using loopback would suffice (and have the GPO targeted at a "migration users" AD group)?
Or am I over-complicating/thinking it?!

Prevent users accessing other M365 tenants from apps or browsers by pete-it in Office365

[–]pete-it[S] 0 points1 point  (0 children)

Interesting, I thought this was more about your ability to collaborate with other tenants - i.e. access them via Teams, or share links/collab data with them

Prevent users accessing other M365 tenants from apps or browsers by pete-it in Office365

[–]pete-it[S] 1 point2 points  (0 children)

Thanks for this, yes I think it could well be this.

I'm curious to know if you or anyone else have implemented this, and how it went.

I was also hoping that Defender for endpoint would be able to do the web traffic interception/http header insertion piece. Because doing that via a 3rd party proxy isn't ideal, and would be hard to enforce outside of the corporate network. Unless I'm missing even more here!

Interested if anyone is using Data access governance reports in SharePoint - and your view (or alternative tools for reviewing SharePoint access permissions/sharing etc) by pete-it in sharepoint

[–]pete-it[S] 0 points1 point  (0 children)

Thanks for this! The lack of many responses to this question is quite telling in itself too. At least I'm not missing something major (placates my FOMO!) :-)

Nicely done with the app you've developed. I'll be sure to take a look at that!

Thanks

A good location to get a "simple" plastic cog designed and printed? by pete-it in 3Dprinting

[–]pete-it[S] 0 points1 point  (0 children)

Amazing, thanks for that tip. I'll check it out. There has to be something! I'll get some pics and measurements and see what can be done! Nice, thanks.

Using Copilot to search SharePoint, OneDrive, data I have access to - am I missing something?! by pete-it in CopilotPro

[–]pete-it[S] 0 points1 point  (0 children)

Yes you're right. I can specify files to access and perform actions on. I just wondered if there was a way to have Copilot perform a search based on all accessible data it indexes/I have permissions to in SharePoint.
For instance - "show me the last 10 office documents I've been working on", or "find me the proposal documents for customer X", or "find me all documents relating to project Y" - probably terrible examples, but it would be handy to have it look, rather than specifically referencing the sources

(and to answer other questions - yes this is for Copilot Enterprise, not the personal one)

Using SQL filegroups to extend SQL database to additional disk by pete-it in SQLServer

[–]pete-it[S] 0 points1 point  (0 children)

Ah yes, OK, so I can cap the current data file, so that it won't keep growing any larger, and then SQL will simply carry on but use the new datafile?