Bastionhost's application O&M feature requires a Windows Server configured with RemoteApp. This guide walks you through deploying Windows Server 2019 as an application server — setting up an Active Directory (AD) domain, installing Remote Desktop Services (RDS), and configuring the required policies.
Before you begin
Supported Windows Server version
RemoteApp requires Windows Server 2016, 2019, or 2022. Windows Server 2000 and 2003 are not supported. This guide uses Windows Server 2019.
Physical or virtual machine
The server can be a physical machine or a virtual machine.
RDS licensing
Application O&M depends on RDS, which includes a 120-day free trial. After the trial ends, the application O&M feature stops working. To continue using RDS beyond the trial period, purchase Client Access Licenses (CALs) from Microsoft and activate a license server on the application server.
Choose a CAL type based on your team's usage pattern:
| CAL type | Purchase basis | Best for |
|---|---|---|
| Per Device CALs (recommended) | Maximum number of concurrent O&M connections — each O&M connection requires a CAL | Teams where concurrent users are fewer than total O&M personnel |
| Per User CALs | Total number of O&M personnel — each person requires a CAL | Teams where all personnel connect simultaneously |
After the 120-day RDS trial ends, the application O&M feature stops working. Purchase CALs on the official Microsoft website and activate them before the trial expires to avoid interruption.
Recommended server configuration
Size the application server based on the expected number of concurrent connections.
| Concurrent connections | CPU | Memory | System disk |
|---|---|---|---|
| 1–10 | 4 cores | 8 GB | 200 GB |
| 11–20 | 4 cores | 16 GB | 200 GB |
| 21–50 | 8 cores | 16 GB | 300 GB |
| 51–100 | 8 cores | 32 GB | 300 GB |
| More than 100 | 16 cores | 64 GB | 500 GB |
How RemoteApp works
RemoteApp, introduced by Microsoft in Windows Server 2008, lets users run applications hosted on a remote server without installing an operating system or application locally. When Bastionhost performs O&M on applications, it logs on to the application server and starts the client on the server, making RemoteApp a required component.
Deploy the application server
The deployment consists of five steps:
Step 1/5: Create an AD domain
Log on to the Windows Server 2019 machine. If you are using an Elastic Compute Service (ECS) instance, see Connect to an instance for available connection methods.
Click the icon, select Server Manager, and on the Dashboard page, click Add roles and features.
Follow the wizard, keeping default values unless your environment requires otherwise. Configure:
Installation Type: Select Role-based or feature-based installation.

Server Roles: Select Active Directory Domain Services.

Features: Select .NET Framework 3.5 Features and .NET Framework 4.7 Features.

After installation completes, restart the server.

Step 2/5: Promote the server to a domain controller
On the Dashboard page, click Promote this server to a domain controller.

Follow the wizard, keeping default values unless your environment requires otherwise. Configure:
Deployment Configuration: Specify a root domain name, such as example.com.
Domain Controller Options: Enter a Directory Services Restore Mode (DSRM) password. The password must contain letters, digits, and special characters.

DNS Options: Ignore the prompt and click Next.

Restart the server. After the restart, confirm the server is joined to the domain.

Step 3/5: Install Remote Desktop Services
Log on with a domain account or the administrator account.
If the domain name is example.com, the domain account name is example. The password is the same as the administrator account password.
Click the icon, select Server Manager, and on the Dashboard page, click Add roles and features.
Follow the wizard, keeping default values unless your environment requires otherwise. Configure:
Server Roles: Select Remote Desktop Services.

Role Services: Select Remote Desktop Session Host and Remote Desktop Licensing.

Confirmation: Select Restart the destination server automatically if required.

Step 4/5: Install RemoteApp
Log on with a domain account or the administrator account.
If the domain name is example.com, the domain account name is example. The password is the same as the administrator account password.
Click the icon, select Server Manager, and on the Dashboard page, click Add roles and features.
Follow the wizard, keeping default values unless your environment requires otherwise. Configure:
Installation: Select Remote Desktop Services installation.

Deployment Type: Select Quick Start.

Deployment Scenario: Select Session-based desktop deployment.

Server Selection: Select the server and click Next.
> Note: If a compatibility error appears, run Enable-PSRemoting in Windows PowerShell as administrator, then return to Server Selection and click Next.
Confirmation: Select Restart the destination server automatically if required.

Wait for the installation to complete.

Step 5/5: Configure the application server
This step covers six configuration tasks:
Adjust Local Group Policy
Open the Run dialog box and enter gpedit.msc.
Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host.
Under Connections, set the following policies:
| Policy | Setting |
|---|---|
| Allow users to connect remotely by using Remote Desktop Services | Enabled |
| Limit number of connections | Enabled — set RD Maximum Connections to 999999 |
| Restrict Remote Desktop Services users to a single Remote Desktop Services session | Disabled |
| Allow remote start of unlisted programs | Enabled |
Under Session Time Limits, set:
Set time limit for disconnected sessions: Enabled — set End a disconnected session to 1 minute.

Block the IE address bar
Open the Run dialog box and enter gpedit.msc.
Navigate to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer.
Set Enforce full-screen mode to Enabled.
Open Internet Explorer to verify the address bar is hidden. If the address bar does not appear, the configuration is effective.
Disable Windows Defender Firewall
Navigate to Control Panel > System and Security > Windows Defender Firewall > Custom settings and turn off the firewall.

Disable IE Enhanced Security Configuration
Click the icon and select Server Manager.
In the left-side navigation pane, click Local Server, then turn off IE Enhanced Security.

Configure the RD Licensing mode
Click the icon, select Server Manager, and navigate to Remote Desktop Services > Overview. Double-click RD Licensing.
Select the license server and click Next. Complete the remaining steps as prompted.

Return to the Remote Desktop Services page and choose Tasks > Edit Deployment Properties.

Set the licensing mode to Per Device, select the remote desktop license server, and click Apply.

Enable remote desktop connections
Navigate to Control Panel > System and Security > System and click Allow remote access.
On the Remote tab, select Allow connections to this computer and clear Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended).
Click OK.
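
To confirm that the Step 5 settings took effect, the following read-only PowerShell check compares the registry values behind those policies, the firewall profile state, and the RD licensing mode with what this guide configures, and prints the remaining RDS grace period. It is an added example, not part of the original guide: the registry value names and the Win32_TerminalServiceSetting WMI class are standard Windows ones that the guide itself does not name, and the `New-Result` helper is hypothetical.

```powershell
# Added verification example, not part of the vendor guide. Read-only: it changes nothing.
# Run in an elevated Windows PowerShell session on the application server.
# Registry value names below are the standard Windows ones; the guide does not list them.
$ts  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Registry values behind the Step 5 settings, with the value this guide should leave.
$checks = @(
    @{ Setting = 'Allow users to connect remotely (Enabled)';         Path = $ts;  Name = 'fDenyTSConnections';           Want = 0 }
    @{ Setting = 'RD Maximum Connections';                            Path = $ts;  Name = 'MaxInstanceCount';             Want = 999999 }
    @{ Setting = 'Restrict users to a single session (Disabled)';     Path = $ts;  Name = 'fSingleSessionPerUser';        Want = 0 }
    @{ Setting = 'Allow remote start of unlisted programs (Enabled)'; Path = $ts;  Name = 'fAllowUnlistedRemotePrograms'; Want = 1 }
    @{ Setting = 'End a disconnected session (1 minute, in ms)';      Path = $ts;  Name = 'MaxDisconnectionTime';         Want = 60000 }
    @{ Setting = 'Network Level Authentication required (cleared)';   Path = $rdp; Name = 'UserAuthentication';           Want = 0 }
)

# Hypothetical helper: one report row per setting; a missing value never matches.
function New-Result($Setting, $Expected, $Actual) {
    [pscustomobject]@{
        Setting  = $Setting
        Expected = $Expected
        Actual   = if ($null -eq $Actual) { 'not set' } else { $Actual }
        Match    = ("$Actual" -eq "$Expected")
    }
}

$report = @()
foreach ($c in $checks) {
    $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $report += New-Result $c.Setting $c.Want $value
}

# Windows Defender Firewall: the guide turns it off, so every profile should report False.
foreach ($p in Get-NetFirewallProfile) {
    $report += New-Result "Firewall profile $($p.Name) enabled" 'False' ([string]$p.Enabled)
}

# RD licensing mode and remaining RDS grace period (the 120-day trial).
$rds = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TerminalServiceSetting
$report += New-Result 'RD licensing mode (2 = Per Device)' 2 $rds.LicensingType
try {
    $days = (Invoke-CimMethod -InputObject $rds -MethodName GetGracePeriodDays -ErrorAction Stop).DaysLeft
    Write-Host "RDS grace period: $days day(s) left"
} catch {
    Write-Host "RDS grace period not reported: $($_.Exception.Message)"
}

$report | Format-Table -AutoSize
```

Rows with `Match` set to `False` point to a setting that was not applied; keeping the output also records that this host runs with the firewall off and Network Level Authentication not required.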