There are many reasons why an RDP connection to a remote machine might fail. The screen below shows a typical error for a failed RDP connection.
"Remote Desktop can't connect to the remote computer for one of these reasons:"
Verify the network connectivity
Every admin should be familiar with this RDP error. The most common cause of a failing RDP connection concerns network connectivity issues, for instance, if a firewall is blocking access.
You can use ping, a Telnet client, and PsPing from your local machine to check the connectivity to the remote computer. Keep in mind ping won't work if ICMP is blocked on your network. The main advantage of Telnet and PsPing is that you can connect via TCP, and you can check whether the RDP port 3389 is open.
The Telnet client isn't enabled by default. Use this command to enable Telnet from a command prompt:
dism /online /Enable-Feature /FeatureName:TelnetClient
And use this one from a PowerShell console:
Install-WindowsFeature -name Telnet-Client
Use PsPing if you have problems enabling the Telnet client. PsPing also lets you test the connectivity to a specific TCP port. It is portable, so no installation is required.
First, try to ping the remote computer's hostname or IP address.
As you can see in the screenshot above, I was unable to ping the remote machine, and the port was not reachable either.
If the ping by IP address works but you are unable to ping the machine using its FQDN, check whether DNS resolution is working properly. Sometimes the hostname points to another machine in DNS that is either offline or no longer in use.
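The three checks above (name resolution, ICMP echo, TCP connect to the RDP port) can be run from one function. This is an added example, not a script from the article or from 4sysops; it assumes a Windows client with PowerShell 3 or later, and the computer name in the usage line is a placeholder.

```powershell
# Added example: DNS, ping and TCP-port check for an RDP target in one call.
function Test-RdpReachability {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 3389,      # change if the target listens on a non-default RDP port
        [int]$TimeoutMs = 3000
    )

    $result = [ordered]@{
        ComputerName = $ComputerName
        DnsResolved  = $false
        IPAddress    = $null
        PingOk       = $false
        TcpPortOpen  = $false
        Hint         = ''
    }

    # 1. Name resolution: a stale record pointing at another host is a classic cause.
    try {
        $addr = [System.Net.Dns]::GetHostAddresses($ComputerName) |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                Select-Object -First 1
    } catch {
        $result.Hint = "DNS lookup failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    if (-not $addr) {
        $result.Hint = 'Name resolved to no IPv4 address'
        return [pscustomobject]$result
    }
    $result.DnsResolved = $true
    $result.IPAddress   = $addr.IPAddressToString

    # 2. ICMP echo. ICMP is often filtered, so a failure here alone is not conclusive.
    $result.PingOk = Test-Connection -ComputerName $result.IPAddress -Count 1 -Quiet -ErrorAction SilentlyContinue

    # 3. TCP connect to the RDP port with a timeout (what telnet and PsPing do).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($result.IPAddress, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
            $client.EndConnect($async)
            $result.TcpPortOpen = $true
        }
    } catch { } finally { $client.Close() }

    # Turn the three booleans into the next troubleshooting step.
    if ($result.TcpPortOpen) {
        $result.Hint = 'RDP port reachable; check user permissions, listener and services next'
    } elseif ($result.PingOk) {
        $result.Hint = 'Host answers ping but the port is closed: RDP disabled, listener on another port, or a firewall'
    } else {
        $result.Hint = 'No reply at all: host offline, wrong address, or a network/host firewall blocking'
    }
    [pscustomobject]$result
}

# Usage (placeholder name):
# Test-RdpReachability -ComputerName 'SRV01.contoso.local' | Format-List
```

The Hint field encodes the decision the article walks through manually: an open port means the network is fine and the cause lies in permissions, the listener or the services; a host that pings but refuses the port points at a disabled listener, a changed port or a firewall rule.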
If you can't connect at all, a local firewall (Windows Firewall or third-party security software) or a network firewall might be blocking the port. The PowerShell command below lets you display the Windows Firewall state on the remote machine.
Invoke-Command -ComputerName [ComputerName] -ScriptBlock {netsh advfirewall show allprofiles}
For testing purposes, you can disable Windows Firewall on the remote computer with this command:
Invoke-Command -ComputerName Win7 -ScriptBlock {netsh advfirewall set allprofiles state off}
Note that PSRemoting must be enabled on the remote computer for the Invoke-Command above to work. If it is not, you can use PsExec to run the netsh command directly on the remote computer. Keep in mind that a password passed with -p is visible in the process list and the console history; PsExec prompts for it if you omit -p.
psexec \\RemoteComputer -u administrator -p PASSWORD netsh advfirewall set allprofiles state off
Verify user permissions
If your user account has no administrator privileges, you should be a member of the local Remote Desktop Users group to access the remote machine via RDP. By default, no members are in this group, and only members of the Administrators group can connect via RDP.
Read this 4sysops article to learn how to add users remotely to a user group.
Allow Remote Desktop Connection
Ensure Remote Desktop is enabled on the remote computer. The RDP listener could be inactive. You can enable the Remote Desktop Connection either from System Properties or from the registry.
Option 1: Select Start > Run, type sysdm.cpl, and select the Remote tab.
Option 2: Select Start > Run, type regedit, navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Terminal Server, and set the fDenyTSConnections value to 0 (0 = Enable; 1 = Disable).
You can use this PowerShell command to enable RDP remotely:
(Get-WmiObject Win32_TerminalServiceSetting -Computername [ComputerName] -Namespace root\cimv2\TerminalServices).SetAllowTsConnections(1,1)
And from the command prompt, you can use the next command if the Remote Registry service is running on the remote computer:
REG ADD "\\[RemoteComputer]\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /d 0 /f /t REG_DWORD
Verify the status of the RDP services
On both the local (client) computer and the remote (target) computer, the following services should be running:
- Remote Desktop Services (TermService)
- Remote Desktop Services UserMode Port Redirector (UmRdpService)
The UmRdpService is an RDP port redirector service, which redirects drives, printers, and ports from the local to the remote machine. For example, if you want to map all of your local drives to the remote computer, this service does the job.
If the UmRdpService service was set to disabled through a central Group Policy, RDP connections to this machine will fail. Note that sometimes restarting the service won't fix the issue, and you have to reboot the machine after reconfiguring the Startup Type to Automatic.
The PowerShell command below starts both of these services remotely if they are in a stopped state. Note that this only works if the service Startup Type is set to either Automatic or Manual.
"TermService","UmRdpService" | ForEach-Object{ (Get-WmiObject Win32_service -ComputerName [RemoteComputer] -Filter "Name = '$_' ").StartService() }
The output of the command should be either 0 (started) or 10 (already running). Check out this article to learn more about return codes and their descriptions.
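The listener switch, the NLA setting and the two services can be checked (and, on request, repaired) in one function that, like the article's Get-WmiObject commands, talks to the remote machine over WMI/DCOM rather than PSRemoting. This is an added example and not the author's Get-RDPStatus script; it assumes administrator rights on the target, the CIM cmdlets of PowerShell 3 or later, and a placeholder computer name.

```powershell
# Added example: RDP listener, NLA and service state over WMI/DCOM (no PSRemoting needed).
function Get-RdpHostState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [switch]$Repair   # re-enable RDP and start the two services if they are stopped
    )
    $dcom    = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $ComputerName -SessionOption $dcom
    try {
        # Same class the article queries; AllowTSConnections = 0 corresponds to fDenyTSConnections = 1.
        $ts = Get-CimInstance -CimSession $session -Namespace 'root\cimv2\TerminalServices' `
                              -ClassName Win32_TerminalServiceSetting
        $rdpEnabled = [bool]$ts.AllowTSConnections

        # Win32_TSGeneralSetting carries the NLA requirement for the RDP-Tcp listener.
        $gen = Get-CimInstance -CimSession $session -Namespace 'root\cimv2\TerminalServices' `
                               -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

        $services = foreach ($name in 'TermService', 'UmRdpService') {
            $svc = Get-CimInstance -CimSession $session -ClassName Win32_Service -Filter "Name='$name'"
            $rc  = $null
            if ($Repair -and $svc.State -ne 'Running') {
                if ($svc.StartMode -eq 'Disabled') {
                    # StartService() fails on a disabled service (e.g. disabled by Group Policy); set it to Automatic first.
                    $null = Invoke-CimMethod -InputObject $svc -MethodName ChangeStartMode `
                                             -Arguments @{ StartMode = 'Automatic' }
                }
                # Return value 0 = started, 10 = already running, as described in the article.
                $rc  = (Invoke-CimMethod -InputObject $svc -MethodName StartService).ReturnValue
                $svc = Get-CimInstance -CimSession $session -ClassName Win32_Service -Filter "Name='$name'"
            }
            [pscustomobject]@{ Name = $name; State = $svc.State; StartMode = $svc.StartMode; StartReturnCode = $rc }
        }

        if ($Repair -and -not $rdpEnabled) {
            # Equivalent of the article's SetAllowTsConnections(1,1): enable RDP and the firewall exception.
            $null = Invoke-CimMethod -InputObject $ts -MethodName SetAllowTSConnections `
                                     -Arguments @{ AllowTSConnections = 1; ModifyFirewallException = 1 }
            $rdpEnabled = $true
        }

        [pscustomobject]@{
            ComputerName = $ComputerName
            RdpEnabled   = $rdpEnabled
            NlaRequired  = [bool]$gen.UserAuthenticationRequired
            Services     = $services
        }
    }
    finally { Remove-CimSession $session }
}

# Usage (placeholder name):
# Get-RdpHostState -ComputerName 'SRV01' | Format-List
# Get-RdpHostState -ComputerName 'SRV01' -Repair
```

Without -Repair the function only reports, which is the safer default when you are checking a machine someone else owns; with -Repair it changes the startup type before calling StartService, because a service that Group Policy set to Disabled cannot be started until its startup type is changed, and, as the article notes, a reboot may still be needed.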
Identify whether Group Policy is blocking RDP
You can enable or disable Remote Desktop centrally through Group Policy settings. To check those settings, go to Start > Run, type gpedit.msc, navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections, and find the Allow users to connect remotely by using Remote Desktop Services setting. If the setting is Disabled, you should change it to Enabled or Not Configured.
Use GPResult (gpresult /h C:\output.htm) from a console on the remote machine to verify whether Group Policy has been applied properly. You can also use rsop.msc to view the applied Group Policy settings on a particular machine.
Check the RDP listener port on the remote computer
By default, the RDP client expects the Remote Desktop service on the remote computer to listen on port 3389. If the service is not listening there, the port may have been changed, or another application may be occupying it.
To check whether any remote session (RDP-TCP) already exists on that computer, use qwinsta, which gives you a list of local as well as remote sessions.
The screenshot above shows that the rdp-tcp session with session ID 65536 already exists.
To verify that the Remote Desktop service is using the correct port, use the Registry Editor. Go to Start > Run, type regedit, navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Terminal Server > WinStations > RDP-Tcp, and review the PortNumber setting.
Alternatively, you can use the command below:
REG QUERY "\\[Remote Computer]\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /F "PortNumber"
If the output of the RDP port value is 0x00000d3d (hex), your RDP port is configured with a default port, which is 3389. In the screenshot above, the default RDP port was changed to 3388. In this case, either you have to change the RDP port to the default one, or you access the remote machine via the new port 3388.
In the Remote Desktop client, you have to append the custom RDP port to the computer name in the Computer field (ComputerName:Port), as shown below:
If another application is using the RDP port, you have to find that application on the remote machine and then reconfigure it to use a port other than 3389. Use the netstat command to find the application PID listening on port 3389. And with the tasklist command, you can identify the name of the application running with this PID as shown below:
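The registry check and the netstat/tasklist step above, expressed in PowerShell. This is an added example, not from the article: the first function reads PortNumber through the Remote Registry service (the same dependency the REG QUERY above has) and is run from your admin workstation; the second is run on the remote machine itself and maps the listening port to its process and, since TermService lives inside an svchost.exe, to the hosted service name. The computer name is a placeholder.

```powershell
# Added example: which port is RDP configured on, and which process actually holds it?

# Run from the admin workstation; needs the Remote Registry service on the target.
function Get-RdpListenerPort {
    param([Parameter(Mandatory)][string]$ComputerName)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $sub = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp')
        if (-not $sub) { throw "RDP-Tcp key not found on $ComputerName" }
        $port = [int]$sub.GetValue('PortNumber')
        [pscustomobject]@{
            ComputerName = $ComputerName
            PortNumber   = $port
            Hex          = ('0x{0:x8}' -f $port)   # 3389 shows as 0x00000d3d, as in the article
            IsDefault    = ($port -eq 3389)
        }
    } finally { $hklm.Close() }
}

# Run locally on the remote machine: the Get-NetTCPConnection/Get-Process
# equivalent of "netstat -ano" followed by "tasklist".
function Get-PortOwner {
    param([int]$Port = 3389)
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ownerPid = $_.OwningProcess
            $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            # Services share svchost.exe processes, so resolve the PID to service names as well.
            $hosted   = Get-CimInstance Win32_Service -Filter "ProcessId=$ownerPid" |
                        Select-Object -ExpandProperty Name
            [pscustomobject]@{
                LocalAddress   = $_.LocalAddress
                Port           = $_.LocalPort
                PID            = $ownerPid
                ProcessName    = $proc.ProcessName
                HostedServices = ($hosted -join ',')
                # $false here means some other application grabbed the RDP port.
                IsTermService  = ([string[]]$hosted -contains 'TermService')
            }
        }
}

# Usage:
# Get-RdpListenerPort -ComputerName 'SRV01'   # placeholder name, from the workstation
# Get-PortOwner -Port 3389                    # on the remote machine
```

If Get-PortOwner returns nothing for the configured port, the listener is not up at all (service stopped, fDenyTSConnections set, or Group Policy); if it returns a row with IsTermService set to $false, you have found the application to reconfigure.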
Checking RDP connectivity with PowerShell
Checking all those possible connectivity issues manually is a time-consuming task. I wrote a little PowerShell script that automates this task.
My Get-RDPStatus.Ps1 script checks connectivity to the remote computer via ping, FQDN, RDP ports, and RDP services, and the RDP status with NLA (Network Level Authentication). The script uses WMI cmdlets that work over RPC and therefore does not require PSRemoting. The screenshots below show the output of the script.
The latest version is available for download from GitHub.
Conclusion
Many articles discuss Remote Desktop connection problems. I wrote this one mainly to compile all possible causes of failed RDP connections. If you know of another possible cause, please post a comment below.
Hello,
A very common error is the famous "CredSSP encryption oracle remediation" error message due to the May 2018 update when it's installed on the server but not on the desktop (or the opposite).
Laurent,
forgot to include…Thanks for reminding
https://4sysops.com/archives/rdp-authentication-error-due-to-the-credssp-encryption-oracle-remediation-error/
Great tips Krishna!
I tried the famous 'registry hack' for the CredSSP problem and it didn't work for me. After further research, I came across another fix which requires a group policy edit….and it worked!!
Here's the link:
CredSSP Encryption Oracle Remediation Fix
I face one problem: RDP needs the ICMPv4 protocol.
If I enable ICMPv4, then RDP is able to connect; otherwise it fails (even though TCP and UDP are enabled on the Windows firewall).
do you have any idea?
basic info:
windows server 2019 std
connect to juniper SSG5 (an old firewall)
rdp port: not default
Hi I am trying to connect to a remote desktop for the first time in the office – I get in as far as remote desktop but then POP up stating requesting computer name appears. Is this due to the desktop in the office not being turned on or asleep or the settings not set up to work remotely?
HI guys,
I did try to reach my PC from outside of my home network. I succeeded in setting up port forwarding. I'm able to reach my PC with RDP by putting in the public IP, but I have registered the IP as a web address and I can't put the web address right in as an RDP address like an IP. I got an error message that the web address includes illegal characters. So what should I do if I want to reach my PC by RDP by using a web address?
You can obtain a free hostname from a dynamic DNS service provider like Dynu and then use that hostname to access your PC in your home network using RDP. I have both RDP and VNC access to my machine at home so that in case RDP fails, I am able to access using VNC.
Hi, very nice manual, one of the best I ever found on the web.
I have some deep problem related to TermDD; unfortunately it does not load:
EventID:7026 ""The following boot-start or system-start driver(s) failed to load:
TermDD""
and as a result i have
EventID:7001 "The Remote Desktop Services service depends on the Terminal Device Driver service which failed to start because of the following error:
An instance of the service is already running."
Any suggestions will be strongly appreciated.
none of the above worked for me.
Do you have any specific error messages?
I would suggest to open a topic in Admin forum – https://4sysops.com/forums/forum/it-administration/
Thanks for the great article!!
RDP issue has been fixed for me by enabling – gpedit.msc -> RDP connections – enable.
Thanks for the post. It's very useful and informative.
The Remote Control option in Task Manager for terminal user connections is not available in Server 2012 R2. Recently we have reinstalled the OS. Could you help to resolve the issue? A number of users log in to the servers. We sometimes need to take remote control while logged in as administrator.
Could you be more specific? It's not clear what you're requesting. Are you talking about the Users tab in Task Manager, where you can manually log off users?
More users are logged in with their profiles on the server. I want to log in with a particular user profile via the Remote Control option in Task Manager. But I couldn't find the option while logged in on the server.
Sorry, I don't get what you mean. There is nothing like Remote Control in Task Manager. The only thing available is Connect, which connects you to the RDP session.
Remote Control is available in SCCM, not on a RDP server.
If you speak about session shadowing, see following guide.
http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/
Hello, where do you put the IP address in the PowerShell Get-RDPStatus.Ps1 script? I have 7 PCs in the network and all have the same computer name.
Best regards,
I have a strange RDP problem I am trying to track down.
1. I can RDP to a workstation from my barracuda sslvpn as long as I have the setting for “Network Level Authentication” set to No. If I change that to yes it fails.
2. We are replacing the barracuda vpn with a new vpn and it does not have that setting and will not connect.
3. If I go on to another workstation in the same subnet and try and connect I can not connect. The error I get is “This computer can not connect to the remote computer” I know it has something to do with NLA, but I can not for the life of me figure out what is set different on these computers to keep me from being able to connect.
Seems you are connecting from outside of your network. Check this article:
https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access
Hi, I have an issue with RDP to Windows Server 2012 with domain users. I can connect to the server with "mstsc /v:computerIP /admin" but cannot connect through RDP. It gets stuck at initiating a remote connection, and after a while I get the usual error to check the network connection, ...
Can anyone help in this regard?
Hi kian,
mstsc=RDP. What if you try just with?
Can you try from Powershell to run
assuming you have RDP port unchanged, you should get TCPtest succeeded.
Hi Leos,
Thank you for your reply. The first command failed again. But the second command TcpTest succeeded.
Do you have any idea
by any chance, is the target server a terminal with RDS services installed? do you have valid licenses available?
If you can connect with /admin switch, then RDP is working. The only explanation I have that you have expired licenses or trial period on RDS.
Hi, I have an issue with RDP to the windows 10. I am working with aws cloud. not able to connect the RDP
I am searching on google how to solve RDP connection error problem and I find your post, hopefully, it will work. Thanks in advance!
SO I WAS TRYING TO FIX A PROBLEM ON MY REMOTE DESKTOP THAT REQUIRES CHANGING MY MAC ADDRESS BUT AS SOON AS I DID I IMMEDIATELY LOST CONNECTION TO IT. ALL EFFORT TO REGAIN ACCESS AS BEING FUTILE. PLEASE I NEED HELP WHAT CAN I DO TO REGAIN ACCESS, I AM CURRENTLY IN ANOTHER COUNTRY ON A BUSINESS TRIP AND MY HOST COMPUTER IS A DESKTOP PC(CAN’T HAVE IT MAILED).
PS;HOST COMPUTER IS RUNNING WINDOWS 7
Unfortunately, you will have to have someone physically change the MAC address on your original PC back, else the connection will stay lost.
Maybe ask the other person then to install also a teamviewer/anydesk for easier access?
One thing to add, at least for Windows 7 and 8.1 … it had me pull out my hair in despair. The RDP was set, the firewall was set, the network connection was a workgroup with DHCP and up and running through a switch on an ADSL router. It used to work and stopped once I upgraded the network card. What seems to have “unlocked” RDP for me … shut down both the receiving and sending machines. Shut down, do not restart – I did that half a dozen times and it did nothing. I even reset my ADSL router to force the DHCP to reset everything. Shutting down seems to be critical for Windows to gobble the settings once you switch both computers on again.
Anyone facing error 126 when starting or stopping the Remote Desktop Services service in Services? Start and stop are not working for me. Please help.
Do you have this error on the server side?