RDS 2012R2/Profile Disk: Adobe Reader X says “There was an error opening this document. Access Denied”

PDF attachments from application is not opening correctly. Adobe Reader spits this error message.


We use RDS 2012 R2 and Profile Disks for the users. Somehow PDF files on the profile disk is having same issue with Adobe Reader.

Solution: It turn out to be new Adobe Reader software has Protected Mode feature. This feature has issues with Profile Disks and Roaming profiles. Just disable Protected Mode under Security (Enhanced) section in Preferences.


Hope this helped you. Leave me a reply. Smile

Citrix/RDS: Publish Internet Explorer without Address Bar

Publishing IE for a web application without address bar is easier than you think. Simply publish the following VBScript or PowerShell script to launch IE without address bar and go to specific intranet website.

Copy either one of the script into Notepad and save as LaunchIE.vbs for vbscript OR LaunchIE.PS1 for PowerShell. Change the website address in the script. Run the script to make sure it works as you expected. Publish the script in Citrix or RDS.

Here is the VBScript Code. You can download this script from here: http://sdrv.ms/1cijdke

‘ Script: LaunchIE.vbs
‘ Purpose: Launch IE without Address bar with the given website
‘ Written by: Anand Venkatachalapathy

‘ Note: Replace your own webstie below in 12th line

Dim objIE
Set objIE = WScript.CreateObject (“InternetExplorer.Application”)
objIE.Toolbar = false    ‘Turning off the tool/address bar
objIE.Navigate “
objIE.Visible = true

‘ End of Script

Here is the PowerShell Code. Download the script from here: http://sdrv.ms/1cijnYN

#    __                           __       __________
#   / /   ____ ___  ______  _____/ /_     /  _/ ____/
#  / /   / __ `/ / / / __ \/ ___/ __ \    / // __/
# / /___/ /_/ / /_/ / / / / /__/ / / /  _/ // /___
#/_____/\__,_/\__,_/_/ /_/\___/_/ /_/  /___/_____/
# Launch IE without Tool bar and Address bar
# Written by: Anand the Awesome Venkatachalapathy
# Replace your website on next line
$site = “

#Get IE Application object
$ie = New-Object -ComObject “InternetExplorer.Application”

#Hide Address Bar and Tool Bar
$ie.AddressBar = $false
$ie.ToolBar = $false

#Launch the IE with the specified website address

#-*-*-*-*-*-*-*-*-*-*- The End *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

RDS: Trusting the certificate used for publishing by GPO

When you run a published RDS RemoteApp and you are getting this following warning dialog box, that means the certificate used to publish the RemoteApp is not in trusted by the local computer.

“A website wants to run a RemoteApp program. Make sure that you trust the publisher before you connect to run the program.”


There is a easy fix, but not very well documented anywhere. Technet document says simply add the RDS Certificate thumbprint into credentials delegation section in GPO. It’s all well and good, but they forgot to mention thumbprint have to in UPPERCASE and no spaces. I have mentioned step by step instructions below to add the certificate thumbprint in to GPO. GPO needs to apply to all domain computers that used to access RDS RemoteApp.

1. Open your RDS Certificate like below and go to Details and find Thumbprint. (below is yahoo’s SSL certificate used as example)


2. Select and Copy the Thumbprint into clipboard. (e.g., ‎e9 c0 09 f9 4e f5 e9 92 e2 fa 56 5d 13 f5 a2 56 76 da 6e 7b)

3. Convert all characters to Uppercase and remove the spaces. You could use the following PowerShell commands to do just that. Replace your cert thumbprint with mine below.

$thumbprint = “‎e9 c0 09 f9 4e f5 e9 92 e2 fa 56 5d 13 f5 a2 56 76 da 6e 7b”

($thumbprint).ToUpper().Replace(” “,””)

Copy the Result to clipboard. Note: leave the first character.

My thumbprint converted to E9C009F94EF5E992E2FA565D13F5A25676DA6E7B.

4. Open GPMC (Group Policy Management Console). Create a new Policy or edit an existing policy that applies to all computers. E.g., Default Domain Policy.

5. Right click on GPO and select Edit the Policy.

6. Go to User Configuration ==>Policies ==>Administrative Templates ==> Windows Components ==> Remote Desktop Services ==>Remote Desktop Connection Client


7. Double click the setting: Specify SHA1 thumbprints of certificates representing trusted .rdp publishers. Enable this policy. Under Options, paste the converted thumbprint into the text box. Click OK.

8. Double click on the setting: Allow .rdp files from valid publishers and user’s default .rdp settings.

You can close the Group Policy Management Editor and apply the setting to the users. But you can do more. You can specify the servers to which the user’s default credentials can be delegated (default credentials are those that you use when first logging on to Windows). Edit the same GPO as below.

1. Go to Computer Configuration ==> Policies ==> Administrative Templates ==> System ==> Credentials Delegation


2. Double click on Allow delegating default credentials. Click Show button in Options next to “Add servers to the list”.


3. Add your Connection Broker, RDS Gateway and common name FQDN as following format.


4. Do the same for Apply delegating saved credentials.

That’s all. Enjoy.

RDS 2012: Profile Disks and Temp Profiles

The huge pain with using Profile Disks in Windows Server 2012 RDS is to dealing with TEMP profiles. When the user’s profile corrupts and started creating TEMP user profiles, Admins has to deal with fixing the issue and it’s NOT easy. But if you want to know how to fix it, here it is.

1. Delete User’s profile disk (.VHDX). To find the user’s correct profile disk, you have to check the NTFS security tab in properties of the xxxxx.vhdx file.


2. Check all Remote Desktop Session Host servers C:\Users folder to check which server has the corrupt user profile. (hint: check \\sessionhost\c$\users from your computer)

3. Once you find the server, Remote desktop to that server. You will see the following event log message on that server in System Logs.

Remote Desktop Services could not apply a user desktop for a user account with a SID of <GUID>. A temporary profile was enforced for the user. Verify that the user profile disk settings are correct. The error code is 0x800700AA.0

4. Open REGEDIT and expand to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

5. Click each sub key section and watch ProfileImagePath value. This value will say username in the path.

6. Once you find the correct key, Delete it.

7. Have user logon again to the RemoteApp or VDI. RDS will create new profile disk.

Hope that fixed your issue. If so, please leave me a thanks note.