Hi, I've this issue after migration of RDS server from 2012 R2 to 2016 and client have Windows 10 1709 but with Windows 10 1703 no issue.

Any suggestions?

hi,

we're suffering from session hosts that produce black screen errors in a RDS 2016 farm.

already connected users can mostly work, all new connections end up with a black screen.

to resolve the error the server has to be restarted.

i can say that

- this error appears after error 1534 (Fehler bei der Profilbenachrichtigung des Ereignisses Delete für Komponente {709E2729-F883-441e-A877-ED3CEFC975E6}. Fehlercode: Das System kann die angegebene Datei nicht finden.) starts appearing in the eventviewer.

- upon checking the registry for this SID i end up at "ProfileNotifyHandler Class app id {E10F6C3A-F1AE-4adc-AA9D-2FE65525666E} inprocserver32, C:\Windows\System32\gameux.dll".

- starting explorer.exe per taskmgr does not open an actual explorer window although the process appears in taskmgr

- tskmgr, eventvwr, cmd can be started without problems

- affected users appear as active in RDS management

- no third party security software is installed

- farm is fully patched

- HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ProfileGUID and ProfileList are ok (no old or .bak entries)

looking forward on how to resolve this without  rebooting the server or a permanent fix

thank you

best regards

Hi,

our workstations with Windows 10 pro are in this weekend updated to version 1803. For main system we use RemoteAPP aplications on Windows server 2012R2 (Windows server 2012R2 is full updated). After update on client station are RemoteAPP slower, and  right mouse button is unresponsive, or react verly long time... 

It is a big problem for us.

PS: after replace mstsc.exe and mstscax.dll from older version Windows 10 is all OK. but this is not a solution.

Thanks.

We have a Windows 2008 R2 environment mostly. Our current DC's are Windows 2008 R2, yesterday we introduced 2 new Windows 2016 DC's and this morning we found that once some of our RDS servers started to query the new DC's users would get an "Access Denied" error trying to establish a connection. We found a reg setting to to have the RDS server ignore the error so users could log in, but then once a connection was established it was with a local profile, not a roaming profile.

In order to resolve the issue we powered off the 2016 DC's.

Anyone know what happened here and what we need to do to power on the 2016 Domain Controllers again.

Thanks.

Hello,

I'm using freerdp to check RDP availability of a Win10 virtual machine running under Proxmox 5.2 (kvm). The command used is:

/usr/bin/xfreerdp /cert-ignore /auth-only /u:$USER /p:$PASS /v:$HOST

Every time this command is launched, the svchost.exe process related to "TermService" grows around 8MB in its "private bytes" memory. That amount is reduced to around 5MB if you set the display size in freerdp to 1x1 (/size:1x1). That memory is never returned to the system and in a few days some messages related to "resource exhaustion" are logged and eventually RDP stops working. At that time, that svchost.exe process has more than 10GB of "private bytes" (VM has 20GB total memory). Win10 needs to be restarted for RDP to work again, as restarting TermServices service does not help.

Adding memory or a bigger pagefile to the VM only delays the time when RDP stops working, it will eventually fail anyway.

I dont know if this is caused by FreeRDP shutting down the connection without notifying the RDP Server properly or if it is a Windows issue or a configuration issue. It's very easy to create a DoS to a Win10 Pro RDP
server if you have valid credentials. I haven't tested any other Windows version nor any other virtualization environment. Luckly, it doesn't happend if you dont have valid credentials.

Please, give it a look to find out what could be causing this behaviour.
Thanks a lot

We are disabling TLS 1.0 per the standard recommendation via keys:

HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client

HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

We're developing a C# Windows application, and one of the things we want to do with it is open a remote application inside our program. We can open a connection to the application's server using MSTSCLib, but to open our remote application either we open a remote desktop connection and open the program (which we don't want to do) or we open the remote application but in a separate window (which also isn't ideal).

This is how we get the remote application to open in a new window; is there a way to open the remote application inside the RDP client?

private AxMSTSCLib.AxMsRdpClient9NotSafeForScripting rdp;
rdp.RemoteProgram2.RemoteProgramMode = true;
rdp.OnConnected += (_1, _2) =>
{
rdp.RemoteProgram2.ServerStartProgram(@"C:\Windows\System32\calc.exe", "", "%SYSTEMROOT%", true, "", false);
};
rdp.Server = "servername.com";
rdp.UserName = "domain\\user";
rdp.AdvancedSettings7.PublicMode = false;
rdp.AdvancedSettings7.ClearTextPassword = "password";
rdp.Connect();

I have a script that I need to run against a bunch of servers in an RDS-Collection, with the intent being to cleanup bad profiles and registry entries. 

I have this setup as a scheduled task, but it isn't running the invoke-command lines when run through the scheduled task, but is working if I run from a command line or in the run dialog box.

Script is below.

    $RDCB = "groebrdgw01.groebnerassoc.loc"

    Import-Module remotedesktop

    $Servers = Get-RDSessionHost -CollectionName "farm1collection" -ConnectionBroker $RDCB | Select SessionHost

# Clean each server of temp directories and registry items.
    foreach ($Server in $Servers){
        $SessionHost = $Server.sessionhost
        Invoke-Command -ComputerName $SessionHost -Filepath "C:\_marcocloud\Sched_Tasks\PreventTempProifle_RDSH\C_UsersCleanup.ps1"
        Invoke-Command -ComputerName $SessionHost -Filepath "C:\_marcocloud\Sched_Tasks\PreventTempProifle_RDSH\UPDRegCleanup.ps1"
        #Write-host -fore yellow "Cleanup done on $Server"
    }

I would note that the task is running under a domain admin level account, and has been delegated logon as a batch rights on all servers.  Also task has been tested with "Run with highest privileges".

RDS apps hangs with error 0xe0464645 in unexpected moments.
I can see above behaviour on basic Windows apps like explorer or taskmgr, third party apps like totalcmd and java apps on jdk 1.8.  Amazingly Chrome browser seems to not fail with this error maybe because lack of user interactions like in apps above.

Error occurs for clients on Win7 and Win 10.
Error details from windows server 2016 log is always the same:

Faulting application name: dwm.exe, version: 10.0.10240.16384, time stamp: 0x559f3907
Faulting module name: KERNELBASE.dll, version: 10.0.10240.17394, time stamp: 0x590285b4
Exception code: 0xe0464645
Fault offset: 0x000000000002a1c8
Faulting process id: 0x1180
Faulting application start time: 0x01d41f5858025678
Faulting application path: C:\Windows\system32\dwm.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 176068bc-37fb-47f6-8bbb-8a8ee6b801d0
Faulting package full name:
Faulting package-relative application ID:
Event ID:1000

Other apps hangs with detials "Top level window is idle"

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System><Provider Name="Application Error" /> <EventID Qualifiers="0">1000</EventID> <Level>2</Level> <Task>100</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2018-07-19T13:34:46.000000000Z" /> <EventRecordID>4580</EventRecordID> <Channel>Application</Channel> <Computer>RDS.int</Computer> <Security /> </System>
- <EventData><Data>dwm.exe</Data> <Data>10.0.10240.16384</Data> <Data>559f3907</Data> <Data>KERNELBASE.dll</Data> <Data>10.0.10240.17394</Data> <Data>590285b4</Data> <Data>e0464645</Data> <Data>000000000002a1c8</Data> <Data>1180</Data> <Data>01d41f5858025678</Data> <Data>C:\Windows\system32\dwm.exe</Data> <Data>C:\Windows\system32\KERNELBASE.dll</Data> <Data>176068bc-37fb-47f6-8bbb-8a8ee6b801d0</Data> <Data /> <Data /> </EventData></Event>

I have a Windows 2008 Server that I have been connecting to once a month remotely to apply OS updates.  Often, I reboot that server and it uses auto-logon to login and run an application. 

Today, I rebooted the server and when I try to connect with RDP, I get the login prompt and enter my credentials, I see a few expected messages fly by on the host OS (the last one I see is the word Welcome), but then the screen goes black.

The apps on the server are running successfully because our applications can connect to them, we just can't logon to the desktop of the Windows Server 2008.

I made no configuration changes (I NEVER do) other than to apply the latest Windows Server updates.

I would prefer not to drive to the computers location, or try to coordinate a time to have the server hosting company assist me with troubleshooting; but is there anything else I can do?  Any ideas about what might cause this?

Hi All,

We have the following problem, we are running a Windows Server 2012 (non R2) Session Host server using User Profile Disks. A user creates a new folder within their "Documents" folder, this new folder contains different file types eg, PDF, ZIP, DOC.

When the user tries to delete a file of the entire folder they are prompted by UAC. The user is not able to delete without an Administrator account confirming the UAC prompt.

We have checked the users security rights, the user has full access to the new folder and all files within.

Any suggestions would be appreciated.

Thanks,

Hi there,

has anybody heard/does anybody know whether the graving COM/.NET bug in KB4345418 does affect Remote Desktop Services deployments or not?

I've installed several Windows Server 2016 VMs last week, made a new RDS deployment and built half of it. The early deployed servers had like May Cumulative Update installed.

Now I want to add the second RDWA server as well as additional RDSHs - and the only thing I get is "Microsoft.RemoteDesktopServices.Common.RDManagementException" during the configuration phase. That means role installation and reboot via Server Manager passes but then it throws at the beginning of the configuration phase.

I've also tried adding the RDMS logging registry values but the expected "RDMSDeploymentUI.txt" doesn't exist in C:\Windows\Logs. The "RDMSUI-trace.log" gets written but doesn't contain helpful info.

As the 2nd RDWA as well as the other RDSH candidates have been patched to KB4345418 meanwhile and since .NET and COM are essential parts of Windows management and operations I suspect there might be a connection here.

I can only pinpoint two essential events that happened after the first RDWA and RDSH were added successfully:

• The RDCB server was HA'ed
• All RD servers including RDCBs as well as the undeployed candidate servers were patched to KB4345418

So either something is wrong/went wrong with the RDCB HA (but I don't get any other errors) or, for me a bit more likely, the hotfix issues are somehow impacting the manageability/deployment.

I've tried to uninstall KB4345418 from the 2nd RDWA candidate plus reboot but to no avail; regrettably, because of the way my deployments are structured, the RDCB servers had already gotten their "dism /Online /Cleanup-Image /StartComponentCleanup" thus making removal of the hotfix impossible.

Maybe it's also something totally different from the hotfix but I'm puzzled and in the dark here, not knowing how to proceed/better diagnose this.

For the time being cutting the whole RDS deployment down and starting fresh is out of the question especially since it is likely I might hit the same problem again.

Maybe someone of you has experience with this exceptions on 2016 or maybe even connections to the dev team regarding the current hotfix situation. Or someone that has patched their servers but is still able to add new RDWAs or RDSHs.

Regards and thanks a lot in advance,

Markus

When you try to install RDS role on server 2012 R2 using standard deployment, this issue may occur (Figure 1).

“Unable to connect to the server by using Windows PowerShell remoting”.

Figure 1: Unable to connect to the server by using Windows PowerShell remoting

First of all, we need to verify the configurations as it suggested:

1. The server must be available by using Windows PowerShell remotely.

2. The server must be joined to a domain.

3. The server must be running at least Windows Server 2012 R2.

4. The currently logged on user must be a member of the local Administrators group on the server.

5. Remote Desktop Services connections must be enabled by using Group Policy.

In addition, we need to check if the “Windows Remote Management “service is running and related firewall exceptions have been created for WinRM listener.

To enabling PowerShell remoting, we can run this PowerShell command as administrator (Figure 2).

Enable-PSRemoting -Force

Figure 2: Enable PowerShell Remoting

However, if issue persists, we need to check whether it has enough memory to work.

By default, remote shell allots only 150 MB of memory. If we have IIS or SharePoint App pool, 150 MB of memory is not sufficient to perform the remoting task. Therefore, we need to increase the memory via the PowerShell command below:

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

Then, you need to restart the server and the issue should be resolved.

You can get more information regarding Remote Troubleshooting by below link:

about_Remote_Troubleshooting

If you need further assistance, welcome to post your questions in the RDS forum.

Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

Hi there,

we have a problem with disabling the IE ESC on Server 2008 R2. It's a fully patched Server 2008 R2 Standard english. When installing the RDS-Session Host Role the IE ESC for Users was enabled. After adding the role IE ESC was automatically disabled.

When a new user logs on to the system, IE ESC is still enabled. When we Reset the IE (Advanced Tab, Reset) IE ESC is disabled for the users. But that's nothing we can deal with.

After searching the web, I found a similar Thread here: http://social.technet.microsoft.com/Forums/en/windowsserver2008r2rds/thread/5bd202d3-7f77-4631-9afc-d6a8a7821c42

What I figured out:

1. When RDS-Session Host Role is enabled, IE ESC for Users is automatically disabled. Why?

2. When enabling it for users, IE ESC is still disabled. When we Reset IE, IE ESC is enabled.

3. When disabling it for users, IE ESC is still enabled. When we Reset IE, IE ESC is disabled.

I have also reproduced this on a test machine (this machine is not patched)

Any suggestions how to disable IE ESC for all users without resetting IE first?

How can I assign a certificate to the Remote Desktop Session Host role?

I have assigned a certificate to RD Connection bruker - Enable Single Sign On, RD Connection Broker - Publishing, RD Web Access and RD Gateway, but still the old certificate is assigned to the Session Host.

-ae

Hi,

When I'm trying to deploy RemoteApp and Desktop Connections through GPO, it works but then it fails to update.

Start-Process -FilePath rundll32.exe -ArgumentList 'tsworkspace,WorkspaceSilentSetup', "\\shares\feed.wcx" -NoNewWindow -Wait

the Feed.wcx file:

<?xml version="1.0" encoding="utf-8" standalone="yes"?><workspace name="Enterprise Remote Access" xmlns="http://schemas.microsoft.com/ts/2008/09/tswcx" xmlns:xs="http://www.w3.org/2001/XMLSchema"><defaultFeed url="https://remote.domain.com/RDWeb/Feed/webfeed.aspx" /></workspace>

Applying the previous works perfectly for the first time, but when I update the connection from Task Scheduler it fails with the following error in event viewer:

Now, when I manually add the connection in control panel, the update task works normally without any issues.

Do you have any idea why silently deploying the connection causes an issue with the update task?

Thanks in advance,

Housam Smadi,

If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

Hi!

Quite a strange question ...

It is necessary on RD Gateway to check the computer name for correspondence in advance known.(Or any other marker, the easiest to install on third-party PCs and tablets)

If there are no problems with domain machines (On the NPS simply specify the rule in the CAP with the domain group of the PC), then with non-domain machines the problem.

Ships on logs, they send the following information about themselves:

Client Machine:
	Security ID:			NULL SID
	Account Name:			Notebook
	Fully Qualified Account Name:	-
	Called Station Identifier:		UserAuthType:PW
	Calling Station Identifier:		-

As an example of logs with the connection of a domain machine:

Client Machine:
	Security ID:			Domain\pc1$
	Account Name:		pc1.Domain
	Fully Qualified Account Name:	Domain\pc1$
	Called Station Identifier:		UserAuthType:PW
	Calling Station Identifier:	

Hi,

I have a setup with the following servers running Windows Server 2016

1x RDGW, RDCB, RDWA, RDLicensing.

5x RDSH

Im using UPD on the collection.

I have noticed very long login times, after policys etc are shown on screen it sits at a black screen for between 20sec and sometimes up to 5min.

I have also noticed that the svchost.exe that controls the Windows Firewall is using 25% to 50% when a user logs in and using around 1200Mb memory.

After I found this I checked the Windows Firewall with Advanced Security and found thousands of Cortana, Work or school account, Your account, Contact Support rules. 

I found a script in this thread that could delete the rules https://social.technet.microsoft.com/Forums/windows/en-US/9aad7675-d1ba-4900-9d85-0cd117f5514f/new-firewall-rules-created-for-each-user?forum=win10itprosetup

This made the CPU usage and memory usage go down to normal levels, but after every login a user does it builds up the list of rules again. With many users logging in to the system the rules build up very fast and the login times gets high and every server gets slow.

Example on our RDSH01 server that have been running in production since 2017-04-13 the script found and deleted 66153 rules that it found with "$Rules = Get-NetFirewallRule -All | Where-Object {$profiles.sid -notcontains $_.owner -and $_.owner }"

The script also tryed to get rules with this command "$rules2 = Get-NetFirewallRule -All -PolicyStore ConfigurableServiceStore | Where-Object { $profiles.sid -notcontains $_.owner -and $_.owner }" but fails with an "not enough space error"

The script removes the rules from here with the content of $rules "HKLM:\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules"

and $rules2 was meant to clean up at "HKLM:\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System"

but doesnt do anything because of the error on the Get-command. If I try to access it with regedit it stops to respond, guessing there are too many items in that container for it to handle.

Anyone know a solution for this problem? 

Regards Fredrik

Hi All

I've got a user working remotely outside the corporate Office. They've got a Canon MF720C Series printer.

I went to the Canon website, downloaded both the Windows Server 2012 R2 driver and the MacOS driver. I injected the printer into the Server 2012 R2 box (broker, gateway, session host etc all running on 1 machine) using the "Add dummy printer method".

I then added the printer using the same driver (but the macOS variant) on the client's Mac. I confirmed all the latest versions of windows updates are installed on the terminal server and that Mac OS and RD Client on Mac OS are all up to date. I also ensured printer forwarding is enabled.

When the user connects from the mac to the Terminal Server - the printer doesn't show up. So I checked the event log. Neither the Application nor the "System" event log show anything useful. However, the "TerminalServices-Printers log shows this:

Event ID: 1108
Configuration information for the Canon MF720C Series (redirected 126) printer could not be restored.

So the printer is definitely getting passed through - it just isn't showing up.

Does this indicate a driver version mismatch or is it something else? PS - redirecting printers works perfectly on Windows clients.