Log Messages:
'Failed GetConnectionProperty' in CUMRDPConnection::QueryProperty at 2884 err=[0x80004001]
'Connection doesn't support logon error redirector' in CUMRDPConnection::GetLogonErrorRedirector at 4179 err=[0x80004001]
Disconnect trace:CUMRDPConnection Disconnect trace:'calling spGfxPlugin->PreDisconnect()' in CUMRDPConnection::PreDisconnect at 4595 err=[0xc], Error code:0xC
Assumption and proposed solution:
Issue occurs when Windows 10 1809 clients connect to Server 2019. Windows 10 1803 or older are not having this problem. Here’s an item to test on the server.
$tsServerClientRegKey="REGISTRY::HKLM\SOFTWARE\Microsoft\Terminal Server Client"
$keyName='UseURCP'
$value=0
Set-ItemProperty $tsServerClientRegKey -name $keyName -value $value
———————-
Log messages:
TCP socket READ operation failed, error 64
TCP socket WRITE operation failed, error 64
There appears to be a threshold on Windows to limit the number of connections. Client OS would be 100, and server OS as 3000 by default. Here’s how to set this to a maximum value.
$tsServerRegKey="REGISTRY::HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
$keyName='MaxOutstandingConnections'
$value=65536
Set-ItemProperty $tsServerRegKey -name $keyName -value $value
———————-
Event viewer messages:
RDP_TCP: An error was encountered when transitioning from StateUnknown in response to Event_Disconnect (error code 0x80070040).
RDP_SEC: An error was encountered when transitioning from FStatePassthrough in response to FEventCheckAndCompleteReadsFailed (error code 0x8007139F).
# Proposed solution
$tsServerClientRegKey="REGISTRY::HKLM\SOFTWARE\Microsoft\Terminal Server Client"
$keyName='RDGClientTransport'
$value=1
Set-ItemProperty $tsServerClientRegKey -name $keyName -value $value
————————
Event message:
The network characteristics detection function has been disabled because of Reason Code: 2(Server Configuration)..
Comment: this message appears to be expressing proper English. Although, I don’t know what to do with it.
————————
Event message:
The RDP display control module failed to change the session monitor layout. The operation failed with error code 0xFFFFFFFF.
onecoreuap\shell\roaming\settingsynccore\settingsyncreporting\settingsyncreporting.cpp(28)\SettingSyncCore.dll!00007FFC12C03D2A: (caller: 00007FFC2E177456) ReturnHr(3) tid(1060) 800708CA This network connection does not exist.
Restoring operations failed (Result: 0x800708CA).
Comment: I’m also unsure about any interpretation of the error above. Although, this correlates to a Windows 2019 Server with RDS role enabled. This machine is behind strict network zones (HIPPA). Clients often using Windows 10 to RDP-access this ‘bastion’ host.
————————
TerminalServices-ClientActiveXCore messages:
RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005).
RDPClient_SSL: An error was encountered when transitioning from TsSslStateDisconnected to TsSslStateDisconnected in response to TsSslEventInvalidState (error code 0x8000FFFF).
A possible workaround is to change the display setting on the .rdp to a lower display resolution setting (e.g. 1280×1024). This happens when client machine’s resolution is 2560 x 1440 and the [virtual] video card in the host machine isn’t as capable. Another idea is to peruse the Windows 10 Remote Desktop UWP app.
———————-
Event messages:
Failed to establish a network connection.
Error: The transport connection attempt was refused by the remote system.
Server name: dc02.kimconnect.ad
Server address: x.x.x.x:445
Instance name: \Device\LanmanRedirector
Connection type: Wsk
Guidance:
This indicates a problem with the underlying network or transport, such as with TCP/IP, and not with SMB. A firewall that blocks TCP port 445, or TCP port 5445 when using an iWARP RDMA adapter, can also cause this issue.
The server name cannot be resolved.
Error: The object was not found.
Server name: server006.intranet.kimconnect.ad
Guidance:
The client cannot resolve the server address in DNS or WINS. This issue often manifests immediately after joining a computer to the domain, when the client's DNS registration may not yet have propagated to all DNS servers. You should also expect this event at system startup on a DNS server (such as a domain controller) that points to itself for the primary DNS. You should validate the DNS client settings on this computer using IPCONFIG /ALL and NSLOOKUP.
Comment: pre-pending a username with DOMAIN\username would work when encountering these errors.
———————-
Error messages:
"Because of a protocol error (code: 0x112f), the remote session will be disconnected. Please try connecting to the remote computer again."
# Configure RemoteFX: Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment > set RemoteFX to 0
# 1-liner command to execute task above
set-itemproperty "REGISTRY::HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations" -name 'fEnableRemoteFXAdvancedRemoteApp' -value 0
—————————-
Complain: Remote Desktop Session Does Not Show Login Prompt, and session would disconnect after 2 seconds…
Comment: Some Internet sources have alluded to CredSSP being the culprit. I have not yet tested setting CredSSP value to TRUE yet. On the same note, I’m guessing the issue would be more related to RemoteFX, rather than authentication. Will update this note once I gather more info.
get-item "WSMan:\$env:computername\service\auth\credSSP"
WSManConfig: Microsoft.WSMan.Management\WSMan::winbastionhip04\Service\Auth
Type Name SourceOfValue Value
---- ---- ------------- -----
System.String CredSSP false
Update: issue seems to be related to the default MSTSC remote desktop client on Windows 10 machines. It’s a hit or miss workaround to configure MSTSC to reduce resolution and disable bitmap caching. Hence, a better hack is to use Microsoft’s newer RDP client here: https:// www.microsoft.com/en-us/p/microsoft-remote-desktop/9wzdncrfj3ps
——————
Log messages:
Automatic registration failed at join phase.
Exit code: Unknown HResult Error code: 0x801c001d
Server error:
Tenant type: undefined
Registration type: undefined
Debug Output:
joinMode: Join
drsInstance: undefined
registrationType: undefined
tenantType: undefined
tenantId: undefined
configLocation: undefined
errorPhase: discover
adalCorrelationId: undefined
adalLog:
undefined
adalResponseCode: 0x0
Automatic registration failed. Failed to lookup the registration service information from Active Directory. Exit code: Unknown HResult Error code: 0x801c001d. See https://learn.microsoft.com/en-us/entra/identity/devices/hybrid-join-plan
Log Name: Microsoft-Windows-Security-Mitigations/KernelMode
Source: Microsoft-Windows-Security-Mitigations
Date: 3/4/2021 12:42:13 AM
Event ID: 1
Task Category: (1)
Level: Information
Keywords:
User:
Computer:
Description:
Process '\Device\HarddiskVolume4\Windows\System32\svchost.exe' (PID 33640) would have been blocked from generating dynamic code.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Mitigations" Guid="{fae10392-f0af-4ac0-b8ff-9f4d920c3cdf}" />
<EventID>1</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2021-03-04T08:42:13.232916800Z" />
<EventRecordID>1266946</EventRecordID>
<Correlation />
<Execution ProcessID="33640" ThreadID="30788" />
<Channel>Microsoft-Windows-Security-Mitigations/KernelMode</Channel>
<Computer></Computer>
<Security UserID="S-1-5-21-2195821719-3162908599-1472692150-15697" />
</System>
<EventData>
<Data Name="ProcessPathLength">52</Data>
<Data Name="ProcessPath">\Device\HarddiskVolume4\Windows\System32\svchost.exe</Data>
<Data Name="ProcessCommandLineLength">55</Data>
<Data Name="ProcessCommandLine">C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc</Data>
<Data Name="CallingProcessId">33640</Data>
<Data Name="CallingProcessCreateTime">2021-03-04T08:40:49.427147800Z</Data>
<Data Name="CallingProcessStartKey">13792273859390411</Data>
<Data Name="CallingProcessSignatureLevel">60</Data>
<Data Name="CallingProcessSectionSignatureLevel">12</Data>
<Data Name="CallingProcessProtection">81</Data>
<Data Name="CallingThreadId">30788</Data>
<Data Name="CallingThreadCreateTime">2021-03-04T08:40:50.984756900Z</Data>
</EventData>
</Event>
Log Name: Microsoft-Windows-User Device Registration/Admin
Source: Microsoft-Windows-User Device Registration
Date: 11/1/2021 10:44:22 PM
Event ID: 360
Task Category: None
Level: Warning
Keywords:
User:
Computer:
Description:
Windows Hello for Business provisioning will not be launched.
Device is AAD joined ( AADJ or DJ++ ): Not Tested
User has logged on with AAD credentials: Not Tested
Windows Hello for Business policy is enabled: Not Tested
Windows Hello for Business post-logon provisioning is enabled: Not Tested
Local computer meets Windows hello for business hardware requirements: Not Tested
User is not connected to the machine via Remote Desktop: No
User certificate for on premise auth policy is enabled: Not Tested
Machine is governed by none policy.
See https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust for more details.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Device Registration" Guid="{23b8d46b-67dd-40a3-b636-d43e50552c6d}" />
<EventID>360</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2021-11-02T05:44:22.442956600Z" />
<EventRecordID>2994</EventRecordID>
<Correlation />
<Execution ProcessID="12332" ThreadID="16156" />
<Channel>Microsoft-Windows-User Device Registration/Admin</Channel>
<Computer>TESTSERVER</Computer>
<Security UserID="S-1-5-21-2195821719-3162908599-1472692150-15697" />
</System>
<EventData>
<Data Name="Message">Windows Hello for Business provisioning will not be launched.</Data>
<Data Name="DeviceIsJoined">Not Tested</Data>
<Data Name="AADPrt">Not Tested</Data>
<Data Name="NgcPolicyEnabled">Not Tested</Data>
<Data Name="NgcPostLogonProvisioningEnabled">Not Tested</Data>
<Data Name="NgcHardwarePolicyMet">Not Tested</Data>
<Data Name="UserIsRemote">No</Data>
<Data Name="LogonCertRequired">Not Tested</Data>
<Data Name="MachinePolicySource">none</Data>
</EventData>
</Event>
Comment: This appears to be affecting Windows 2019 Servers. These machines have a scheduled task named ‘Automatic-Device-Join’ that facilitates ‘hybrid joins’. At the time of this writing, the environment of the affected machines are not hybrid. Here is some info from Microsoft: https:// docs.microsoft.com/en-US/troubleshoot/windows-server/deployment/event-307-and-304-logged-for-deploying