Call4Cloud | MMP-C | Autopilot | Device Preparation

Remote App: The Last Whish

Patch My Pc | install & update thousands of apps

In one of my older blogs, I talked a lot about how and why you don’t always need to go hybrid (HAADJ). I also showed you the kind of problems you could run into. This blog will show you how to make sure your old legacy apps (which are configured as a Remote App / RemoteApp) can be easily deployed to your Entra Joined devices, so you won’t need to go Hybrid 😛

Please read my blog about HAADJ / SSO to on-premises from AADJ devices, before you continue…pretty please, with sugar on top

If you have been reading the blog above, you will probably have read that when a customer only has one or two legacy apps left that can’t be migrated, it can be hard to transform to a modern workplace. So what are we going to do?

As mentioned in that blog, you could create a Remote App and publish it to your clients’ devices. But how are we going to implement this? I guess there isn’t any good documentation that people could use. I have been getting this question often. So here we go!

1. Configure the RemoteApp connection URL

The only thing to configure this is by creating a settings catalog profile. So open Intune create a new settings catalog and search for “RemoteApp and desktop connections

Deploying a remote app default connection url

You can define the connection URL: https://portal.company.nl/RDWeb/Feedlogin/WebFeedLogin.aspx

But this policy will only work when your devices have the Windows Insider build… and I guess deploying the Insider build to all your production devices could be a little bit too much.

UPDATE 04-09-2021

Fantastic news! Finally, 1400 settings which were only available to the insider preview in the past are now available and ready to be implemented!

Now go install this Windows 10, version 21H1 Build 19043.1200 also known as KB5005101!!

2. PowerShell User Based Script

The second option is to use a PowerShell script and deploy it to our devices in Intune. There are only two prerequisites to note.

1.PowerShell must be enabled for your users

2. You will need to be in the same domain as the RDWeb to work…

But based on the information we have about SSO with AADJ devices in our on-premise environment, I guess this would be no problem!

The PowerShell script itself (Needs to be user-targeted and NOT to be run as system!)

$url = "https://portal.company.nl/RDWeb/Feed/WebFeed.aspx"

#Construct the XML file
$XML = @"
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<workspace name="Company Remote Access" xmlns="http://schemas.microsoft.com/ts/2008/09/tswcx" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<defaultFeed url="$URL" />
</workspace>
"@

#WCX file path.
$Directory = "c:\webfeed\"
$WCX = "webfeed.wcx";
$FullPath = ($Directory + $WCX);

#New folder.
New-Item $Directory -Type Directory -Force | Out-Null;

#Export the file.
$XML | Out-File -FilePath $FullPath -Encoding utf8 -Force | Out-Null;

#Add the web feed.
Start-Process -FilePath rundll32.exe -ArgumentList 'tsworkspace,WorkspaceSilentSetup',$($WCX).ToString() -Wait -NoNewWindow;

Please note: the example I am using, portal.company.nl, isn’t going to work as it doesn’t have a valid certificate!

Afbeelding met tekst  Automatisch gegenereerde beschrijving

So please use your own valid RDWeb when you want to test out the script!

Now let’s test it on an AADJ / Entra joined device. Please make sure to test if you can download the webfeed.aspx. If it ain’t working at the first attempt, try to add the RDWeb page to your local intranet site and make sure you have enabled “Automatic logon with current user name and password”

Afbeelding met tekst, binnen, schermafbeelding  Automatisch gegenereerde beschrijving

(of course, this can be done with a nice PowerShell script)

Now let’s fire up the PowerShell script and watch what happens

Work resources showing the 4 remote apps

The RemoteApps are also added to your start menu

The remote apps will show up in the startmenu

3. Download the RDP and deploy it with an Win32 App

Now for the third and last option, we have. Please make sure you have installed Chrome… (yeah I know… not Edge this time)

When Chrome is installed, browse to your RDWeb page like https://portal.company.nl/rdweb

When clicking/opening the remote app it will also download that file to your device…. And that’s exactly what you need!

Now, create a new folder and place that RDP file in it, and rename it to remoteapp.rdp. And if you want to make the shortcut look a little bit nicer, make sure you have the ICO from the remote app and place it in the same folder

Now we have the basics in place… let’s create a simple PowerShell script and give it the name: installremoteapp.ps1

md "c:\program files (x86)\rdp"
copy .\rdp.ico "c:\program files (x86)\rdp\rdp.ico"
copy .\remoteapp.rdp "c:\program files (x86)\rdp\remoteapp.rdp"

#Create Shortcut Desktops
if (-not (Test-Path "C:\Users\Public\Desktop\RemoteApp.url"))
{
$null = $WshShell = New-Object -comObject WScript.Shell
$path = "C:\Users\Public\Desktop\RemoteApp.url"
$targetpath = "c:\program files (x86)\rdp\remoteapp.rdp"
$iconlocation = "c:\program files (x86)\rdp\rdp.ico"
$iconfile = "IconFile=" + $iconlocation
$Shortcut = $WshShell.CreateShortcut($path)
$Shortcut.TargetPath = $targetpath
$Shortcut.Save()

Add-Content $path "HotKey=0"
Add-Content $path "$iconfile"
Add-Content $path "IconIndex=0"
}

Looking at the script, it will first create a new folder in the program files (x86) and it will copy the 2 files (RDP and ICO) to this folder. After it has copied the 2 files it will start creating a new shortcut on the public (all users) desktop folder with the name RemoteApp.

The shortcut will be targeted to the RDP file in the program files and it will attach that nice ICO to it!. Please make sure you define the shortcut $path as.URL otherwise the ICO will not work

Now just create an intunewin file from it and deploy it to Intune.

Install: powershell -ex bypass -file installremoteapp.ps1

Detection rule: File Exist C:\program files (x86) Folder: RDP

When you have deployed this app to Intune, on all your devices you targeted a new nice RDP icon will be available!

4. Combine Options 2 and 3 🙂

Another approach could be to combine options 2 and 3. As I said, you will first need to examine the RDP file itself.

As shown in option 3, you can do so by downloading the RDP itself and opening it with notepad…yeah notepad and copying the whole content

changing the rdp file to a remote app by opening it in notepad

Now create a new PowerShell script like the one shown below and paste your content between the @” “@

$targetdir = "c:\program files\REMOTEAPP"
New-Item -ItemType "directory" -Path $targetdir -Force

### REMOTEAPP

$rdpFile=@"
Content of the RDP FILE
"@

$rdpFile | Out-File "$targetdir\RemoteApp.rdp"
$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut("c:\users\public\Desktop\RemoteApp.lnk")
$Shortcut.TargetPath = "$targetdir\RemoteApp.rdp"
$Shortcut.Save()

And upload this PowerShell script to Intune. Please note that it must be configured to run as System!

Conclusion:

Moving away from your on-premise environment would mean you need to find a solution for your legacy apps. Creating and deploying a remote app could be your solution.

I hope this blog showed you your options and how to implement them! Now pretty, please move away from your on-premise environment to AADJ as soon as you can

Universal Pictures Home Entertainment GIFs - Find & Share on GIPHY

19 thoughts on “Remote App: The Last Whish

  1. With Option3.
    Is there a way to save the password?
    Adding the URL in manually gives you the option to ‘remember me’, this does not.

  2. Couldn’t get the install to work with “Install: powershell.exe -executionpolicy bypass -command “& ‘.\installremoteapp.ps1””

    Changed to “PowerShell.exe -ExecutionPolicy Bypass -file installremoteapp.ps1”

    1. Hi, I noticed the same… I copied the install command i used while testing it in sandbox powershell session. I changed it and added also option 4..

  3. In my environment the script creates the WCX file but does not install it. If I launch the wcx file manually I have to type my credentials and it works, I presume that is the issue.

    1. Hi, are the users in the same domain/ or aadj with ad connect installed? you also need to change the intranet website to automatically logon with the user id when the website is in the list of local intranet websites.

    1. Hi, thats true about 1400 insider previeuws are now available without insider previeuw version… but you will need to make sure your devices are up to date and have this update installed:
      KB5005101

  4. With KB5005101 devices appear as compliant with the RemoteApp policy, but in fact RemoteApps don’t appear…

      1. From the settings catalog (Windows Components > Remote Desktop Services > RemoteApp and Desktop Connections) I enabled “Specify default connection URL (User)” and added the webfeed URL in “Default connection URL: (User)”

        1. Hi, did you manage to fix that? I have the same problem. I configured this option in endpoint manager and it successfully applies, but the URL is not added on the device.

  5. You can combine this with HTML5 RDP-web + AzureAD Application proxy so you even have AzureAD auth & MFA.

      1. Can you elaborate on this? 🙂
        Or Rudy can you explain what to do, becasue a remote app with azure ad mfa seems like heaven.

  6. Hey Rudy,
    Great article, but I can’t seem to get it to work.

    Authentication success when logging in via RDWeb. When adding the webfeed url to RemoteApp manually, it seems to reject the credentials. Entering credential manually also doesn’t work. Have tried in multiple environments, but unfortunately with no success.

    Any ideas on how to fix this?

    Thanks,
    Groeten 😉
    Lars

  7. Hey Rudy,

    I can’t get this to work with AADJ devices in multiple environments. When trying so manually, I get a prompt stating credentials are invalid. When logging in with DOMAIN\USERNAME it does work. Any ideas on getting SSO to work?

    Thanks,

    Lars

  8. Hi there,
    is Option 1 working for anyone? I got the Intune policy applied but the Work Resources don’t show up. It just seems to do nothing?

    1. Hi, i am facing the same problem as well.
      I was wondering if it had anything to do with the default URL, must it end with .aspx?

      I also cannot see it propogating to the local computer group policy. So to say the intune policy mention in option 1 was assigned but nothing happened

Leave a Reply

Your email address will not be published. Required fields are marked *

49  −    =  43

Proudly powered by WordPress | Theme: Wanderz Blog by Crimson Themes.