@wrx7m Is that a computer configuration or user configuration policy? Try applying the rules to only non-admin groups.
Yeah, it is at the computer level. I would like to do it via user config but I only want them to apply to users on the RD servers. I need to figure out the proper way to structure AD/GPOs to not screw up everything else.
I am guessing creating another OU as a sub-container and moving the RD servers into it.
Edit: Since it isn't GPP, there isn't any item level targeting, so I can't do it that way.
If you can make those changes directly in the registry, that may allow you to use GPP and item-level targeting.
This would have happened on Server 2012 R2 as well, dual scan has been around and causes a lot of problems as you noted.
It is strange that I didn't have these issues in 2012 R2. I essentially copied the same GPO for 2012 R2 and made some minor changes to it to convert it for 2016. My 2012 R2 shows the correct default service.
Weird, I have various Server 2016 and now 2019 with WSUS and while dual scan was an issue for me on Server 2012/2012 R2, it isn't anymore.
FYI - Published apps still create a full profile on the RDS box; just the desktop isn't presented to the user. If the application allows them to browse around, they could typically see the drive letters, the mapped printers, etc... that's why you still need to lock all that stuff down.
Thanks for the info. I will keep that in mind. I was debating about using UPDs like @wrx7m and that was my interest in this post.
Also, still planning out where to put Connection Broker, WebAccess and Licensing but that is another post.
For local profile management, UPDs are a lot cleaner. If we are not putting them on a file server across the network then a second partition/VHDX is set up for that task to keep them separate.
With the inclusion of FSLogix with RDS CALs/SALs now it's a no-brainer, IMNSHO, to set the project up on the FSLogix version.
Storage management is another reason why UPDs on a network or separate partition make sense. Keeping a local profile on the C:\ of the session host is messy and can cause issues down the road with users coming and going.
As for the Broker/Gateway/Web, put those roles on one VM but separate from the Session Host.
With pre-staging machines, you need to rely on adding the device MAC addresses manually, or use Microsoft AD to add them with a script or manually, so they are ready for WDS. This means you can add the devices beforehand and only those devices will get the deployment. However, you can set up a specific network or VLAN to have the WDS
For Multicast, I like this article https://specopssoft.com/blog/wds-multicast-configuration/
However, I like the option to disconnect the clients when their speeds go way low and then go unicast instead of multicast. Multicast makes sense that way, so the slow clients do not slow the faster clients.
I am still not sure why MDT is not being implemented but that is for another post.