RDP users (Citrix XenApp) are getting connections refused/dropped and a black screen. This is Citrix MCS spawned terminal services on Windows Server 2012 R2. On the server seeing these messages:

Log Name:      Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Source:        Microsoft-Windows-TerminalServices-LocalSessionManager
Date:          5/7/2019 12:08:15 PM
Event ID:      36
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      CTXIAHYP004.mydomain.com
Description:
An error occurred when transitioning from CsrConnected in response to EvCsrInitialized. (ErrorCode 0x80004005)

Log Name:      Application
Source:        Microsoft-Windows-Winlogon
Date:          5/7/2019 12:08:15 PM
Event ID:      4005
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      CTXIAHYP004.mydomain.com
Description:
The Windows logon process has unexpectedly terminated.

After extensive Internet search with these symptoms I am coming up empty.

I reviewed EventTracker and related MicrosoftHelp but these recommendations do not seem to apply in this case or are too vague to be useful. Those articles suggest a server resource constraint (we do not see this, unless it was temporary and is no longer present when the system event occurs), registry corruption (this seems very unlikely, but even if true, how do we determine which registry hive or key is corrupt?) or a service that needs restarting (which service? we do not see any errors showing failed or stopped services).

Any other tips?

Hi, I've this issue after migration of RDS server from 2012 R2 to 2016 and client have Windows 10 1709 but with Windows 10 1703 no issue.

Any suggestions?

I'm attempting to setup a Windows 2016 RDS Standard Deployment for Session Hosting.  The layout is as follows:
RDS01 - RDS Connection Broker and Web Access
TS02 - RDS Session Host
TS03 - RDS Session Host

The domain these servers are part of has (1) Windows 2008 Server and (2) Windows 2016 Servers acting as DCs.  The domain is running at Windows 2003 Functional Level.

All servers are on a single routed network with no firewall between them.  All DNS A and PTR records for all servers exist and resolve on all hosts.  All servers can be pinged by each other. In other words, there are no network connectivity issues.

I've setup the RDS deployment several times w/ the same results.

The Issue
I can login via the RDWeb interface on RDS01 from a Win10 desktop and connect to the published RDP desktop without issue (i.e. no error messages to the user) and no errors in the logs.  When I try to directly RDP to RDS01, I successfully authenticate as a user (per the event log) but get an error stating that the user doesn't have access to the system.  In the event log I get event id 1306 with the message of "Remote Desktop Connection Broker Client failed to redirect the user <domain>\<test user>.  Error: NULL".  

If I RDP to RDS01 as an administrator, I get the same error message but the RDP session opens and presents the desktop on RDS01.

I can RDP directly to TS02 or TS03 and login as a user and open the RDP session.  Redirection to some degree appears to be working in that I can disconnect a user session from TS02 and RDP to TS03 and the session is redirected back to TS02.  The event logs on RDS01 record this happening as well.

What I've tried already
1. In searching this event 1306 issue, I found several posts with this exact same behavior in WS 2012/R2.  Most "solutions" suggested point to the fact that the RDS Session Broker doesn't have sufficient authority to look up the users AD group membership via the tokenGroupsGlobalAndUniversal attribute or AuthzInitializeContextFromSid API function which leverages the tokenGroupsGlobalAndUniversal attribute.  (Example: https://social.technet.microsoft.com/Forums/windowsserver/en-US/29733a87-dbda-47bc-8b37-6eeac5ab5a0a/2012-rds-nonadministrators-can-not-access-vdi-pool?forum=winserverTS#97d883f1-7a64-4d02-9492-309638f92e79 )

The service is running as "Network Service" which does have network access via the Computer Object's authority in AD.  So following Microsoft's instructions (https://support.microsoft.com/en-us/kb/331951), I've added RDS01 to both the Windows Authorization Access Group and Pre-Windows 2000 Compatibility Access groups and rebooted RDS01 with the same results.  

2. I've verified the Windows Authorization Access Group has rights to read the tokenGroupsGlobalAndUniversal property/attribute on my test users and the computer objects of the servers.

3. I've setup an AD Service account following Microsoft's instructions (https://support.microsoft.com/en-us/kb/842423) with a similarly described access issue.  The service account user was added to the Windows Authorization Access Group.  This was unsuccessfully as well w/ the same event 1306 error.

4. I ran the following powershell commands to verify access of the Connection Broker to the OU (https://technet.microsoft.com/en-us/library/jj215512.aspx#)

Test-RDOUAccess -Domain [redacted.domain] -OU "Computers" -ConnectionBroker rds01.[redacted.domain] -verbose

This failed so I ran the following to grant access

Grant-RDOUAccess -Domain watsons.local -OU "Computers" -ConnectionBroker rds01.watsons.local -verbose 

The Test-RDOUAccess then succeeded.

I repeated this for the OUs that contained the users and the server computer objects.

I've disabled all GPOs to ensure there's no conflicts but have seen no change in the behavior or error messages.

With all that, I've exhausted every option that I can find to resolve this error to gain the expected functionality.  As a work around for the moment, I've setup a round-robin DNS A record that points to TS02 and TS03 w/ a very short TTL.  This gives the test users the ability to login and atleast test the desktop functionality.

Sorry for being so long winded with this but I thought it better to put all the cards on the table.

I'm open to any and all suggestions.

Thx!

Hi,

Not sure if this should be asked here or not. If I have submitted in error, please let me know and I will redirect my query elsewhere.

We have an RDS platform (single GW/CB/Lic server - Windows Server 2016, 3 RDSH servers - also Windows Server 2016). The platform is accessed using HP Thin Clients via the Gateway's RDWeb feed. The clients connect fine and all applications and hardware devices appear to work correctly.

However, intermittently (doesn't seem to be any rhyme or reason that I can ascertain) one of the servers (it can be any of the three) will BSOD with a bugcheck of 0x0000009f (DRIVER_POWER_STATE_FAILURE). The server automatically reboots after a period of time and then works normally. Sometimes the BSOD happens only once, but then other times it will BSOD three or four times in a row shortly after coming up from the previous BSOD reboot.

From what I can gather, Windows is attempting (and failing) to instruct some device attached to the system (presumably via one of the remote sessions) to enter into a power saving mode and BSODs as a result. I have disabled USB power saving on the server but this does not resolve the issue. I have tested one of the RDSH servers by removing it from the connection pool and left it running without clients for a number of months and it has so far not given me any problems.

I took the MEMORY.DMP file (which is available for anyone to peruse upon request) and tried my best to analyse it using the tools available, and it seems to point to hidusb.sys, though I am unsure as to how to trace the problem any further.

All RDSH servers are patched with latest crticial/security patches as of a week ago.

Any possible thoughts as to avenues I could explore to diagnose/resolve this issue?

Thank you in advance for any advice you might be able to offer.

Server: Windows Server 2016 Datacenter with latest updates
Client: Windows 10 Enterprise LTSB with latest updates

Problem: RDP connection from the client to the server takes almost 10 seconds.
The server is multihomed, interface 1 is 10.0.1.0/24 and interface 2 is 211.189.110.45/24.
The client has interface 211.189.110.200/24.
Interface 1 has a higher priority. Whole AD infrastructure is in 10.0.1.0/24.

No errors/warnings in Application or System event log.

But there are errors in Applications and Services Logs-> Microsoft -> Windows -> RemoteDesktopServices-RdpCoreTS

The network characteristics detection function has been disabled because of Reason Code: 2(Server Configuration)..
'Failed GetConnectionProperty' in CUMRDPConnection::QueryProperty at 2735 err=[0x80004001]
'Connection doesn't support logon error redirector' in CUMRDPConnection::GetLogonErrorRedirector at 4073 err=[0x80004001]
'Failed CreateVirtualChannel call on this Connections Stack' in CUMRDPConnection::CreateVirtualChannel at 2349 err=[0xd0000001]

Interface 2 which faces to the internet has enabled only these features:
- IPv4
- IPv6

But it did not work with all features enabled (as they're by default).

Hello, I have an unusual problem after installing Remote Desktop Services without AD on Windows Server 2019. Well, I installed CALs per user, I configured everything according to the service https://support.microsoft.com/en-us/help/2833839/guidelines-for -installing-the-remote-desktop-session-host-role-service and now after connecting the user to the server a message appears: There is a problem with your Remote Desktop license and the session will be disconnected in 60 minutes. Contact the system administrator to solve the problem. 

Dear Sirs,

We are configurating RDP web cliente.

We want to redirect the port 443 from 4040 but when we change this port, the gateway not open the port.

There is any posibily to change this port.G

Gateway server is a public dns (in order to not use VPN) but in this server, we can add the port.

Best Regards

When you try to install RDS role on server 2012 R2 using standard deployment, this issue may occur (Figure 1).

“Unable to connect to the server by using Windows PowerShell remoting”.

Figure 1: Unable to connect to the server by using Windows PowerShell remoting

First of all, we need to verify the configurations as it suggested:

1. The server must be available by using Windows PowerShell remotely.

2. The server must be joined to a domain.

3. The server must be running at least Windows Server 2012 R2.

4. The currently logged on user must be a member of the local Administrators group on the server.

5. Remote Desktop Services connections must be enabled by using Group Policy.

In addition, we need to check if the “Windows Remote Management “service is running and related firewall exceptions have been created for WinRM listener.

To enabling PowerShell remoting, we can run this PowerShell command as administrator (Figure 2).

Enable-PSRemoting -Force

Figure 2: Enable PowerShell Remoting

However, if issue persists, we need to check whether it has enough memory to work.

By default, remote shell allots only 150 MB of memory. If we have IIS or SharePoint App pool, 150 MB of memory is not sufficient to perform the remoting task. Therefore, we need to increase the memory via the PowerShell command below:

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

Then, you need to restart the server and the issue should be resolved.

You can get more information regarding Remote Troubleshooting by below link:

about_Remote_Troubleshooting

If you need further assistance, welcome to post your questions in the RDS forum.

Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

Windows Server 2019, Russian version, clean installation, licensed, activated, in the workgroup.

I need to use my camera from my Mac on a remote computer.

redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
devicestoredirect:s:*
drivestoredirect:s:*
redirectdrives:i:1
session bpp:i:32
prompt for credentials on client:i:1
server port:i:3389
allow font smoothing:i:1
promptcredentialonce:i:0
videoplaybackmode:i:1
audiocapturemode:i:1
gatewayusagemethod:i:0
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
full address:s:SIGNOUT-SERVER.IST2.NET
workspace id:s:signout-server.ist2.net
use redirection server name:i:1
loadbalanceinfo:s:tsv://VMResource.1.sign-vdi
use multimon:i:1
camerastoredirect:s:*

This RDP file works on windows but I can't figure out a way to use it on Mac. The key line is the last one: 

camerastoredirect:s:*

I need that one to pass through the webcam. 

we have RDS installed in Windows 2016 standard edition and use session-base desktop deployment.

It was working fine for about one year. About two weeks ago, we started to have the following issue:

This computer can't connect to the remote computer.
The two computers couldn't connect in the amount of time allotted. Try connecting again. If the problem continues, contact your network administrator or technical support. 

When this issue happens, we find some users are disconnected in the RDS-Collections-QuickSessionCollection. But we cannot log/sign off those users, they are always showing there.

BTW, we can sign of those users in the Task Manager-Users. 

We can solve this issue by restarting the server. How to fix it without restarting the server?

Thanks!

I've tried using 

mstsc /admin

with no luck. Any other ideas how to log in to my VM to install (or disable) RDP licenses?

Thanks,

Matt

hi,

we're suffering from session hosts that produce black screen errors in a RDS 2016 farm.

already connected users can mostly work, all new connections end up with a black screen.

to resolve the error the server has to be restarted.

i can say that

- this error appears after error 1534 (Fehler bei der Profilbenachrichtigung des Ereignisses Delete für Komponente {709E2729-F883-441e-A877-ED3CEFC975E6}. Fehlercode: Das System kann die angegebene Datei nicht finden.) starts appearing in the eventviewer.

- upon checking the registry for this SID i end up at "ProfileNotifyHandler Class app id {E10F6C3A-F1AE-4adc-AA9D-2FE65525666E} inprocserver32, C:\Windows\System32\gameux.dll".

- starting explorer.exe per taskmgr does not open an actual explorer window although the process appears in taskmgr

- tskmgr, eventvwr, cmd can be started without problems

- affected users appear as active in RDS management

- no third party security software is installed

- farm is fully patched

- HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ProfileGUID and ProfileList are ok (no old or .bak entries)

looking forward on how to resolve this without  rebooting the server or a permanent fix

thank you

best regards

I'm having problems with one Username, I get this error in Event Viewer:

Windows could not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. Windows could not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrators group must be the owner of the folder.

1. The profile path exists: \\ts-srv\Profiles$\Username

2. The folder Username.V2 exists too.

3. The user has Full access Username folder.

What I did once is gave full rigths to Administrators for the Username.V2 folder, I wanted to see something and I did not have access so I've change the permission.

How to fix this issue ?

Thank you.

I have inherited the RDS environment across 3 Domains.
Have recently built a new license server for current 2016/2012 hosts and i wish to migrate our old 2008 R2 RD licenses.

How can i track which servers are accessing the old RD license server??
Are there log files i can look at as there are VM's all over the place.
Group Policy hasnt been used so mostly manual setups so can look at a security group to assist.

On a Windows Server 2008 R2 virtual server with RDWeb that's open externally (port 3389), a client is able to login to the RDWeb page but unable to connect when opening the remote application. 

I've not found any common events that show up in Event Viewer, but the Security logs show that the user logs on and back off a couple of times in a row. The typical events if I were to attempt a login from the client computer were ordered as:

An account was successfully logged on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

New Logon:
	Security ID:		MYDOMAIN\MYUSERNAME
	Account Name:		MYUSERNAME
	Account Domain:		MYDOMAIN
	Logon ID:		0x6bcec6fd
	Logon GUID:		{00000000-0000-0000-0000-000000000000}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	CLIENTHOSTNAME
	Source Network Address:	CLIENTIP
	Source Port:		CLIENTPORT

Detailed Authentication Information:
	Logon Process:		NtLmSsp 
	Authentication Package:	NTLM
	Transited Services:	-
	Package Name (NTLM only):	NTLM V2
	Key Length:		128

An account was logged off.

Subject:
	Security ID:		MYDOMAIN\MYUSERNAME
	Account Name:		MYUSERNAME
	Account Domain:		MYDOMAIN
	Logon ID:		0x6bcec6fd

Logon Type:			3

A logon was attempted using explicit credentials.

Subject:
	Security ID:		NETWORK SERVICE
	Account Name:		TS-HOSTNAME$
	Account Domain:		MYDOMAIN
	Logon ID:		0x3e4
	Logon GUID:		{00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
	Account Name:		MYUSERNAME
	Account Domain:		MYDOMAIN
	Logon GUID:		{db9597b1-8344-293c-7b99-fff6762c912f}

Target Server:
	Target Server Name:	localhost
	Additional Information:	localhost

Process Information:
	Process ID:		0x26f0
	Process Name:		C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
	Network Address:	-
	Port:			-

An account was successfully logged on.

Subject:
	Security ID:		NETWORK SERVICE
	Account Name:		TS-HOSTNAME$
	Account Domain:		MYDOMAIN
	Logon ID:		0x3e4

Logon Type:			3

New Logon:
	Security ID:		MYDOMAIN\MYUSERNAME
	Account Name:		MYUSERNAME
	Account Domain:		MYDOMAIN
	Logon ID:		0x6bced09d
	Logon GUID:		{db9597b1-8344-293c-7b99-fff6762c912f}

Process Information:
	Process ID:		0x26f0
	Process Name:		C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
	Workstation Name:	TS-HOSTNAME
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		Authz   
	Authentication Package:	Kerberos
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

An account was logged off.

Subject:
	Security ID:		MYDOMAIN\MYUSERNAME
	Account Name:		MYUSERNAME
	Account Domain:		MYDOMAIN
	Logon ID:		0x6bced09d

Logon Type:			3

I'm not sure if these events help, but any ideas on this would be greatly appreciated. We had a similar issue two weeks ago where every user that tried to connect would time out with similar security events, and the workaround for that was to just try 3+ times and it would eventually let you connect. We never really fixed it, but it just kind of went away and this is the closest thing I've heard since.

Thank you

Hi, I've this issue after migration of RDS server from 2012 R2 to 2016 and client have Windows 10 1709 but with Windows 10 1703 no issue.

Any suggestions?

Hello everyone,

We are having the "can't connect, RD Gateway server temporarily unavailable" on RDWeb, only when accessed externally. Internally, the same external URL works. Server 2016.

This feature was working externally some time ago and we are not sure of what exactly broke it.

BPA's only warning is:

"The RD Gateway server SSL certificate must be configured with a valid certificate subject name

Severity: Warning

Problem:
The Remote Desktop Gateway (RD Gateway) server Secure Sockets Layer (SSL) certificate may not have a valid certificate subject name.

Impact:
If the RD Gateway server is configured to use an SSL certificate with a certificate subject name that is not valid, users cannot connect to internal network resources (computers) through the RD Gateway server.

Resolution
Use the RD Gateway Manager tool to select a valid SSL certificate for the RD Gateway server to use."

We have tried other certificates and the result is the same. All other certificates are also ok, they are valid and were made from Let's Encrypt.

Any help will be highly appreciated!

Hi everybody,

I have stand-alone Windows Server 2012 configured as DC (for further scalability) with appropriate domain and valid SSL Certificate. The machine is VIRTUAL.

Therefore, it's the same machine for every role (RD Gateway, RD Licensing etc).

Logging on as remote desktop user takes a few seconds and is quite OK.

Logging on of the same user(s) as a remote app always adds 60 secs of extra time.

I talk about the time after password prompt pops up, which happens almost immediately.

The following minute after confirming the password the logon dialog presents the message

"configuring remote desktop".

Those 60 seconds are well documented in the Event Log and the sequence is always the same.

It looks like two consecutive time-outs of 30 seconds each.

Below is an example of events sequence:

Event 1:

Log Name:      Microsoft-Windows-TerminalServices-Gateway/Operational
Source:        Microsoft-Windows-TerminalServices-Gateway
Date:          02/06/2019 09:53:51
Event ID:      312
Task Category: (3)
Level:         Information
Keywords:      
User:          NETWORK SERVICE
Computer:      computer_name.domain.example.com
Description:
The user "user@domain", on client computer "xx.xxx.xx.xxx:58554", has initiated an outbound connection. This connection may not be authenticated yet.
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="{4D5AE6A1-C7C8-4E6D-B840-4D8080B42E1B}" /><EventID>312</EventID><Version>0</Version><Level>0</Level><Task>3</Task><Opcode>30</Opcode><Keywords>0x4000000000000000</Keywords><TimeCreated SystemTime="2019-06-02T06:53:51.283267000Z" /><EventRecordID>31003</EventRecordID><Correlation ActivityID="{F9A66720-F292-459D-9E6D-40D1A86A0000}" /><Execution ProcessID="4696" ThreadID="15348" /><Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel><Computer>computer_name.domain.example.com</Computer><Security UserID="S-1-5-20" /></System><UserData><EventInfo xmlns="aag"><Username>user@domain</Username><IpAddress>xx.xxx.xx.xxx:58554</IpAddress></EventInfo></UserData></Event>

Event 2:
Log Name:      Microsoft-Windows-TerminalServices-Gateway/Operational
Source:        Microsoft-Windows-TerminalServices-Gateway
Date:          02/06/2019 09:53:51
Event ID:      313
Task Category: (3)
Level:         Information
Keywords:      
User:          NETWORK SERVICE
Computer:      computer_name.domain.example.com
Description:
The user "user@domain", on client computer "xx.xxx.xx.xxx:58558", has initiated an inbound connection. This connection may not be authenticated yet.
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="{4D5AE6A1-C7C8-4E6D-B840-4D8080B42E1B}" /><EventID>313</EventID><Version>0</Version><Level>0</Level><Task>3</Task><Opcode>30</Opcode><Keywords>0x4000000000000000</Keywords><TimeCreated SystemTime="2019-06-02T06:53:51.971015500Z" /><EventRecordID>31004</EventRecordID><Correlation ActivityID="{F9A66720-F292-459D-9E6D-40D1A86A0000}" /><Execution ProcessID="4696" ThreadID="3132" /><Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel><Computer>computer_name.domain.example.com</Computer><Security UserID="S-1-5-20" /></System><UserData><EventInfo xmlns="aag"><Username>user@domain</Username><IpAddress>xx.xxx.xx.xxx:58558</IpAddress></EventInfo></UserData></Event>

Event 3:
Log Name:      Microsoft-Windows-TerminalServices-Gateway/Operational
Source:        Microsoft-Windows-TerminalServices-Gateway
Date:          02/06/2019 09:53:52
Event ID:      313
Task Category: (3)
Level:         Information
Keywords:      
User:          NETWORK SERVICE
Computer:      computer_name.domain.example.com
Description:
The user "user@domain", on client computer "xx.xxx.xx.xxx:58558", has initiated an inbound connection. This connection may not be authenticated yet.
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="{4D5AE6A1-C7C8-4E6D-B840-4D8080B42E1B}" /><EventID>313</EventID><Version>0</Version><Level>0</Level><Task>3</Task><Opcode>30</Opcode><Keywords>0x4000000000000000</Keywords><TimeCreated SystemTime="2019-06-02T06:53:52.033537700Z" /><EventRecordID>31005</EventRecordID><Correlation ActivityID="{F9A66720-F292-459D-9E6D-40D1A86A0000}" /><Execution ProcessID="4696" ThreadID="15348" /><Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel><Computer>computer_name.domain.example.com</Computer><Security UserID="S-1-5-20" /></System><UserData><EventInfo xmlns="aag"><Username>user@domain</Username><IpAddress>xx.xxx.xx.xxx:58558</IpAddress></EventInfo></UserData></Event>

Event 4:
Log Name:      Microsoft-Windows-TerminalServices-Gateway/Operational
Source:        Microsoft-Windows-TerminalServices-Gateway
Date:          02/06/2019 09:53:52
Event ID:      200
Task Category: (2)
Level:         Information
Keywords:      Audit Success,(16777216)
User:          NETWORK SERVICE
Computer:      computer_name.domain.example.com
Description:
The user "domain\user", on client computer "xx.xxx.xx.xxx", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP".
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="{4D5AE6A1-C7C8-4E6D-B840-4D8080B42E1B}" /><EventID>200</EventID><Version>0</Version><Level>4</Level><Task>2</Task><Opcode>30</Opcode><Keywords>0x4020000001000000</Keywords><TimeCreated SystemTime="2019-06-02T06:53:52.174207400Z" /><EventRecordID>31006</EventRecordID><Correlation ActivityID="{F9A66720-F292-459D-9E6D-40D1A86A0000}" /><Execution ProcessID="4696" ThreadID="3132" /><Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel><Computer>computer_name.domain.example.com</Computer><Security UserID="S-1-5-20" /></System><UserData><EventInfo xmlns="aag"><Username>domain\user</Username><IpAddress>xx.xxx.xx.xxx</IpAddress><AuthType>NTLM</AuthType><Resource></Resource><ConnectionProtocol>HTTP</ConnectionProtocol><ErrorCode>0</ErrorCode></EventInfo></UserData></Event>

Event 5:
Log Name:      Microsoft-Windows-TerminalServices-Gateway/Operational
Source:        Microsoft-Windows-TerminalServices-Gateway
Date:          02/06/2019 09:53:52
Event ID:      300
Task Category: (5)
Level:         Information
Keywords:      Audit Success,(16777216)
User:          NETWORK SERVICE
Computer:      computer_name.domain.example.com
Description:
The user "domain\user", on client computer "xx.xxx.xx.xxx", met resource authorization policy requirements and was therefore authorized to connect to resource "computer_name.domain.example.com".
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="{4D5AE6A1-C7C8-4E6D-B840-4D8080B42E1B}" /><EventID>300</EventID><Version>0</Version><Level>4</Level><Task>5</Task><Opcode>30</Opcode><Keywords>0x4020000001000000</Keywords><TimeCreated SystemTime="2019-06-02T06:53:52.236734600Z" /><EventRecordID>31007</EventRecordID><Correlation ActivityID="{F9A66720-F292-459D-9E6D-40D1A86A0000}" /><Execution ProcessID="4696" ThreadID="1984" /><Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel><Computer>computer_name.domain.example.com</Computer><Security UserID="S-1-5-20" /></System><UserData><EventInfo xmlns="aag"><Username>domain\user</Username><IpAddress>xx.xxx.xx.xxx</IpAddress><AuthType></AuthType><Resource>computer_name.domain.example.com</Resource><ConnectionProtocol></ConnectionProtocol><ErrorCode>0</ErrorCode></EventInfo></UserData></Event>

Event 6:
Log Name:      Microsoft-Windows-TerminalServices-Gateway/Operational
Source:        Microsoft-Windows-TerminalServices-Gateway
Date:          02/06/2019 09:53:52
Event ID:      302
Task Category: (3)
Level:         Information
Keywords:      (16777216)
User:          NETWORK SERVICE
Computer:      computer_name.domain.example.com
Description:
The user "domain\user", on client computer "xx.xxx.xx.xxx", connected to resource "computer_name.domain.example.com". Connection protocol used: "HTTP".
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="{4D5AE6A1-C7C8-4E6D-B840-4D8080B42E1B}" /><EventID>302</EventID><Version>0</Version><Level>4</Level><Task>3</Task><Opcode>30</Opcode><Keywords>0x4000000001000000</Keywords><TimeCreated SystemTime="2019-06-02T06:53:52.252342300Z" /><EventRecordID>31008</EventRecordID><Correlation ActivityID="{F9A66720-F292-459D-9E6D-40D1A86A0000}" /><Execution ProcessID="4696" ThreadID="1984" /><Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel><Computer>computer_name.domain.example.com</Computer><Security UserID="S-1-5-20" /></System><UserData><EventInfo xmlns="aag"><Username>domain\user</Username><IpAddress>xx.xxx.xx.xxx</IpAddress><AuthType></AuthType><Resource>computer_name.domain.example.com</Resource><ConnectionProtocol>HTTP</ConnectionProtocol><ErrorCode>0</ErrorCode></EventInfo></UserData></Event>

Event 7:

Log Name:      Microsoft-Windows-TerminalServices-SessionBroker/Operational
Source:        Microsoft-Windows-TerminalServices-SessionBroker
Date:          02/06/2019 09:54:05
Event ID:      819
Task Category: RD Connection Broker processes connection request
Level:         Verbose
Keywords:      
User:          NETWORK SERVICE
Computer:      computer_name.domain.example.com
Description:
This connection request has timed out. User could not log on to the end point within the alloted time. Remote Desktop Connection Broker will stop monitoring this connection request.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-TerminalServices-SessionBroker" Guid="{D1737620-6A25-4BEF-B07B-AAC3DF44EFC9}" /><EventID>819</EventID><Version>0</Version><Level>5</Level><Task>101</Task><Opcode>11</Opcode><Keywords>0x2000000000000000</Keywords><TimeCreated SystemTime="2019-06-02T06:54:05.832911900Z" /><EventRecordID>534539</EventRecordID><Correlation ActivityID="{F420F4EE-0602-48B0-BB7C-BEDE86130000}" /><Execution ProcessID="4596" ThreadID="13724" /><Channel>Microsoft-Windows-TerminalServices-SessionBroker/Operational</Channel><Computer>computer_name.domain.example.com</Computer><Security UserID="S-1-5-20" /></System><EventData></EventData></Event>

Event 8:

Log Name:      Microsoft-Windows-TerminalServices-Gateway/Operational
Source:        Microsoft-Windows-TerminalServices-Gateway
Date:          02/06/2019 09:54:22
Event ID:      303
Task Category: (3)
Level:         Information
Keywords:      (16777216)
User:          NETWORK SERVICE
Computer:      computer_name.domain.example.com
Description:
The user "domain\user", on client computer "xx.xxx.xx.xxx", disconnected from the following network resource: "computer_name.domain.example.com". Before the user disconnected, the client transferred 229 bytes and received 156 bytes. The client session duration was 30 seconds. Connection protocol used: "HTTP".
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="{4D5AE6A1-C7C8-4E6D-B840-4D8080B42E1B}" /><EventID>303</EventID><Version>0</Version><Level>4</Level><Task>3</Task><Opcode>44</Opcode><Keywords>0x4000000001000000</Keywords><TimeCreated SystemTime="2019-06-02T06:54:22.319436200Z" /><EventRecordID>31009</EventRecordID><Correlation ActivityID="{F9A66720-F292-459D-9E6D-40D1A86A0000}" /><Execution ProcessID="4696" ThreadID="15348" /><Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel><Computer>computer_name.domain.example.com</Computer><Security UserID="S-1-5-20" /></System><UserData><EventInfo xmlns="aag"><Username>domain\user</Username><IpAddress>xx.xxx.xx.xxx</IpAddress><AuthType></AuthType><Resource>computer_name.domain.example.com</Resource><BytesReceived>156</BytesReceived><BytesTransfered>229</BytesTransfered><SessionDuration>30</SessionDuration><ConnectionProtocol>HTTP</ConnectionProtocol><ErrorCode>1226</ErrorCode></EventInfo></UserData></Event>

Event 9:

Log Name:      Microsoft-Windows-TerminalServices-Gateway/Operational
Source:        Microsoft-Windows-TerminalServices-Gateway
Date:          02/06/2019 09:54:22
Event ID:      300
Task Category: (5)
Level:         Information
Keywords:      Audit Success,(16777216)
User:          NETWORK SERVICE
Computer:      computer_name.domain.example.com
Description:
The user "domain\user", on client computer "xx.xxx.xx.xxx", met resource authorization policy requirements and was therefore authorized to connect to resource "computer_name.domain.example.com".
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="{4D5AE6A1-C7C8-4E6D-B840-4D8080B42E1B}" /><EventID>300</EventID><Version>0</Version><Level>4</Level><Task>5</Task><Opcode>30</Opcode><Keywords>0x4020000001000000</Keywords><TimeCreated SystemTime="2019-06-02T06:54:22.397561300Z" /><EventRecordID>31010</EventRecordID><Correlation ActivityID="{F9A66720-F292-459D-9E6D-40D1A86A0000}" /><Execution ProcessID="4696" ThreadID="5640" /><Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel><Computer>computer_name.domain.example.com</Computer><Security UserID="S-1-5-20" /></System><UserData><EventInfo xmlns="aag"><Username>domain\user</Username><IpAddress>xx.xxx.xx.xxx</IpAddress><AuthType></AuthType><Resource>computer_name.domain.example.com</Resource><ConnectionProtocol></ConnectionProtocol><ErrorCode>0</ErrorCode></EventInfo></UserData></Event>

Event 10:

Log Name:      Microsoft-Windows-TerminalServices-Gateway/Operational
Source:        Microsoft-Windows-TerminalServices-Gateway
Date:          02/06/2019 09:54:22
Event ID:      302
Task Category: (3)
Level:         Information
Keywords:      (16777216)
User:          NETWORK SERVICE
Computer:      computer_name.domain.example.com
Description:
The user "domain\user", on client computer "xx.xxx.xx.xxx", connected to resource "computer_name.domain.example.com". Connection protocol used: "HTTP".
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="{4D5AE6A1-C7C8-4E6D-B840-4D8080B42E1B}" /><EventID>302</EventID><Version>0</Version><Level>4</Level><Task>3</Task><Opcode>30</Opcode><Keywords>0x4000000001000000</Keywords><TimeCreated SystemTime="2019-06-02T06:54:22.397561300Z" /><EventRecordID>31011</EventRecordID><Correlation ActivityID="{F9A66720-F292-459D-9E6D-40D1A86A0000}" /><Execution ProcessID="4696" ThreadID="5640" /><Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel><Computer>computer_name.domain.example.com</Computer><Security UserID="S-1-5-20" /></System><UserData><EventInfo xmlns="aag"><Username>domain\user</Username><IpAddress>xx.xxx.xx.xxx</IpAddress><AuthType></AuthType><Resource>computer_name.domain.example.com</Resource><ConnectionProtocol>HTTP</ConnectionProtocol><ErrorCode>0</ErrorCode></EventInfo></UserData></Event>

Event 11:

Log Name:      Microsoft-Windows-TerminalServices-Gateway/Operational
Source:        Microsoft-Windows-TerminalServices-Gateway
Date:          02/06/2019 09:54:54
Event ID:      302
Task Category: (3)
Level:         Information
Keywords:      (16777216)
User:          NETWORK SERVICE
Computer:      computer_name.domain.example.com
Description:
The user "domain\user", on client computer "xx.xxx.xx.xxx", connected to resource "computer_name.domain.example.com". Connection protocol used: "UDP".
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="{4D5AE6A1-C7C8-4E6D-B840-4D8080B42E1B}" /><EventID>302</EventID><Version>0</Version><Level>4</Level><Task>3</Task><Opcode>30</Opcode><Keywords>0x4000000001000000</Keywords><TimeCreated SystemTime="2019-06-02T06:54:54.123103000Z" /><EventRecordID>31012</EventRecordID><Correlation ActivityID="{F9A66720-F292-459D-9E6D-40D1A86A0000}" /><Execution ProcessID="4696" ThreadID="3132" /><Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel><Computer>computer_name.domain.example.com</Computer><Security UserID="S-1-5-20" /></System><UserData><EventInfo xmlns="aag"><Username>domain\user</Username><IpAddress>xx.xxx.xx.xxx</IpAddress><AuthType></AuthType><Resource>computer_name.domain.example.com</Resource><ConnectionProtocol>UDP</ConnectionProtocol><ErrorCode>0</ErrorCode></EventInfo></UserData></Event>

Event 12:

Log Name:      Microsoft-Windows-TerminalServices-Gateway/Operational
Source:        Microsoft-Windows-TerminalServices-Gateway
Date:          02/06/2019 09:54:54
Event ID:      205
Task Category: (2)
Level:         Information
Keywords:      (16777216)
User:          NETWORK SERVICE
Computer:      computer_name.domain.example.com
Description:
The user "domain\user", on client computer "xx.xxx.xx.xxx", successfully connected to the remote server "computer_name.domain.example.com" using UDP proxy. The authentication method used was: "Cookie".
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="{4D5AE6A1-C7C8-4E6D-B840-4D8080B42E1B}" /><EventID>205</EventID><Version>0</Version><Level>4</Level><Task>2</Task><Opcode>30</Opcode><Keywords>0x4000000001000000</Keywords><TimeCreated SystemTime="2019-06-02T06:54:54.123103000Z" /><EventRecordID>31013</EventRecordID><Correlation ActivityID="{F9A66720-F292-459D-9E6D-40D1A86A0000}" /><Execution ProcessID="4696" ThreadID="15808" /><Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel><Computer>computer_name.domain.example.com</Computer><Security UserID="S-1-5-20" /></System><UserData><EventInfo xmlns="aag"><Username>domain\user</Username><IpAddress>xx.xxx.xx.xxx</IpAddress><AuthType>Cookie</AuthType><Resource>computer_name.domain.example.com</Resource><BytesReceived></BytesReceived><BytesTransfered></BytesTransfered><SessionDuration></SessionDuration><ConnectionProtocol></ConnectionProtocol><ErrorCode>0</ErrorCode></EventInfo></UserData></Event>

Event 13:

Log Name:      Microsoft-Windows-TerminalServices-Gateway/Operational
Source:        Microsoft-Windows-TerminalServices-Gateway
Date:          02/06/2019 09:54:54
Event ID:      302
Task Category: (3)
Level:         Information
Keywords:      (16777216)
User:          NETWORK SERVICE
Computer:      computer_name.domain.example.com
Description:
The user "domain\user", on client computer "xx.xxx.xx.xxx", connected to resource "computer_name.domain.example.com". Connection protocol used: "UDP".
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="{4D5AE6A1-C7C8-4E6D-B840-4D8080B42E1B}" /><EventID>302</EventID><Version>0</Version><Level>4</Level><Task>3</Task><Opcode>30</Opcode><Keywords>0x4000000001000000</Keywords><TimeCreated SystemTime="2019-06-02T06:54:54.123103000Z" /><EventRecordID>31014</EventRecordID><Correlation ActivityID="{F9A66720-F292-459D-9E6D-40D1A86A0000}" /><Execution ProcessID="4696" ThreadID="3132" /><Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel><Computer>computer_name.domain.example.com</Computer><Security UserID="S-1-5-20" /></System><UserData><EventInfo xmlns="aag"><Username>domain\user</Username><IpAddress>xx.xxx.xx.xxx</IpAddress><AuthType></AuthType><Resource>computer_name.domain.example.com</Resource><ConnectionProtocol>UDP</ConnectionProtocol><ErrorCode>0</ErrorCode></EventInfo></UserData></Event>

Event 14:

Log Name:      Microsoft-Windows-TerminalServices-Gateway/Operational
Source:        Microsoft-Windows-TerminalServices-Gateway
Date:          02/06/2019 09:54:54
Event ID:      205
Task Category: (2)
Level:         Information
Keywords:      (16777216)
User:          NETWORK SERVICE
Computer:      computer_name.domain.example.com
Description:
The user "domain\user", on client computer "xx.xxx.xx.xxx", successfully connected to the remote server "computer_name.domain.example.com" using UDP proxy. The authentication method used was: "Cookie".
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="{4D5AE6A1-C7C8-4E6D-B840-4D8080B42E1B}" /><EventID>205</EventID><Version>0</Version><Level>4</Level><Task>2</Task><Opcode>30</Opcode><Keywords>0x4000000001000000</Keywords><TimeCreated SystemTime="2019-06-02T06:54:54.123103000Z" /><EventRecordID>31015</EventRecordID><Correlation ActivityID="{F9A66720-F292-459D-9E6D-40D1A86A0000}" /><Execution ProcessID="4696" ThreadID="12344" /><Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel><Computer>computer_name.domain.example.com</Computer><Security UserID="S-1-5-20" /></System><UserData><EventInfo xmlns="aag"><Username>domain\user</Username><IpAddress>xx.xxx.xx.xxx</IpAddress><AuthType>Cookie</AuthType><Resource>computer_name.domain.example.com</Resource><BytesReceived></BytesReceived><BytesTransfered></BytesTransfered><SessionDuration></SessionDuration><ConnectionProtocol></ConnectionProtocol><ErrorCode>0</ErrorCode></EventInfo></UserData></Event>

Event 15:

Log Name:      Microsoft-Windows-TerminalServices-Gateway/Operational
Source:        Microsoft-Windows-TerminalServices-Gateway
Date:          02/06/2019 09:54:54
Event ID:      303
Task Category: (3)
Level:         Information
Keywords:      (16777216)
User:          NETWORK SERVICE
Computer:      computer_name.domain.example.com
Description:
The user "domain\user", on client computer "xx.xxx.xx.xxx", disconnected from the following network resource: "computer_name.domain.example.com". Before the user disconnected, the client transferred 637 bytes and received 4567 bytes. The client session duration was 0 seconds. Connection protocol used: "UDP".
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="{4D5AE6A1-C7C8-4E6D-B840-4D8080B42E1B}" /><EventID>303</EventID><Version>0</Version><Level>4</Level><Task>3</Task><Opcode>44</Opcode><Keywords>0x4000000001000000</Keywords><TimeCreated SystemTime="2019-06-02T06:54:54.466828900Z" /><EventRecordID>31016</EventRecordID><Correlation ActivityID="{F9A66720-F292-459D-9E6D-40D1A86A0000}" /><Execution ProcessID="4696" ThreadID="3132" /><Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel><Computer>computer_name.domain.example.com</Computer><Security UserID="S-1-5-20" /></System><UserData><EventInfo xmlns="aag"><Username>domain\user</Username><IpAddress>xx.xxx.xx.xxx</IpAddress><AuthType></AuthType><Resource>computer_name.domain.example.com</Resource><BytesReceived>4567</BytesReceived><BytesTransfered>637</BytesTransfered><SessionDuration>0</SessionDuration><ConnectionProtocol>UDP</ConnectionProtocol><ErrorCode>1226</ErrorCode></EventInfo></UserData></Event>

Event 16:

Log Name:      Microsoft-Windows-TerminalServices-Gateway/Operational
Source:        Microsoft-Windows-TerminalServices-Gateway
Date:          02/06/2019 09:54:54
Event ID:      303
Task Category: (3)
Level:         Information
Keywords:      (16777216)
User:          NETWORK SERVICE
Computer:      computer_name.domain.example.com
Description:
The user "domain\user", on client computer "xx.xxx.xx.xxx", disconnected from the following network resource: "computer_name.domain.example.com". Before the user disconnected, the client transferred 1641 bytes and received 7160 bytes. The client session duration was 0 seconds. Connection protocol used: "UDP".
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="{4D5AE6A1-C7C8-4E6D-B840-4D8080B42E1B}" /><EventID>303</EventID><Version>0</Version><Level>4</Level><Task>3</Task><Opcode>44</Opcode><Keywords>0x4000000001000000</Keywords><TimeCreated SystemTime="2019-06-02T06:54:54.529322500Z" /><EventRecordID>31017</EventRecordID><Correlation ActivityID="{F9A66720-F292-459D-9E6D-40D1A86A0000}" /><Execution ProcessID="4696" ThreadID="15808" /><Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel><Computer>computer_name.domain.example.com</Computer><Security UserID="S-1-5-20" /></System><UserData><EventInfo xmlns="aag"><Username>domain\user</Username><IpAddress>xx.xxx.xx.xxx</IpAddress><AuthType></AuthType><Resource>computer_name.domain.example.com</Resource><BytesReceived>7160</BytesReceived><BytesTransfered>1641</BytesTransfered><SessionDuration>0</SessionDuration><ConnectionProtocol>UDP</ConnectionProtocol><ErrorCode>1226</ErrorCode></EventInfo></UserData></Event>

Event 17:

Log Name:      Microsoft-Windows-TerminalServices-SessionBroker/Operational
Source:        Microsoft-Windows-TerminalServices-SessionBroker
Date:          02/06/2019 09:54:54
Event ID:      800
Task Category: RD Connection Broker processes connection request
Level:         Verbose
Keywords:      
User:          NETWORK SERVICE
Computer:      computer_name.domain.example.com
Description:
RD Connection Broker received connection request for user domain\user. 
Hints in the RDP file (TSV URL) = tsv://MS Terminal Services Plugin.1.RemoteApps 
Initial Application = rdpinit.exe 
Call came from Redirector Server = computer_name.domain.example.com 
Redirector is configured as Virtual machine redirector
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-TerminalServices-SessionBroker" Guid="{D1737620-6A25-4BEF-B07B-AAC3DF44EFC9}" /><EventID>800</EventID><Version>0</Version><Level>5</Level><Task>101</Task><Opcode>11</Opcode><Keywords>0x2000000000000000</Keywords><TimeCreated SystemTime="2019-06-02T06:54:54.669933800Z" /><EventRecordID>534540</EventRecordID><Correlation ActivityID="{F420EE10-A030-485A-8B06-EFE8C1E30000}" /><Execution ProcessID="4596" ThreadID="13724" /><Channel>Microsoft-Windows-TerminalServices-SessionBroker/Operational</Channel><Computer>computer_name.domain.example.com</Computer><Security UserID="S-1-5-20" /></System><UserData><EventXML xmlns="Event_NS"><param1>domain\user</param1><param2>tsv://MS Terminal Services Plugin.1.RemoteApps</param2><param3>rdpinit.exe</param3><param4>computer_name.domain.example.com</param4><param5>Virtual machine redirector</param5></EventXML></UserData></Event>

Event 18:
Log Name:      Microsoft-Windows-TerminalServices-SessionBroker/Operational
Source:        Microsoft-Windows-TerminalServices-SessionBroker
Date:          02/06/2019 09:54:55
Event ID:      801
Task Category: RD Connection Broker processes connection request
Level:         Verbose
Keywords:      
User:          NETWORK SERVICE
Computer:      computer_name.domain.example.com
Description:
RD Connection Broker successfully processed the connection request for user domain\user. Redirection info: 
Target Name = COMPUTER_NAME 
Target IP Address = XXX.X.XX.XXX, a000:b000:c000::d000:e000 
Target Netbios = COMPUTER_NAME 
Target FQDN = computer_name.domain.example.com 
Disconnected Session Found = 0x0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-TerminalServices-SessionBroker" Guid="{D1737620-6A25-4BEF-B07B-AAC3DF44EFC9}" /><EventID>801</EventID><Version>0</Version><Level>5</Level><Task>101</Task><Opcode>11</Opcode><Keywords>0x2000000000000000</Keywords><TimeCreated SystemTime="2019-06-02T06:54:55.091773200Z" /><EventRecordID>534541</EventRecordID><Correlation ActivityID="{F420EE10-A030-485A-8B06-EFE8C1E30000}" /><Execution ProcessID="4596" ThreadID="6204" /><Channel>Microsoft-Windows-TerminalServices-SessionBroker/Operational</Channel><Computer>computer_name.domain.example.com</Computer><Security UserID="S-1-5-20" /></System><UserData><EventXML xmlns="Event_NS"><param1>domain\user</param1><param2>COMPUTER_NAME</param2><param3>XXX.X.XX.XXX, a000:b000:c000::d000:e000</param3><param4>COMPUTER_NAME</param4><param5>computer_name.domain.example.com</param5><param6>0x0</param6></EventXML></UserData></Event>

I have numbered the events for ease of reference.

As can be seen from event #7  and #14 the user disconnects twice after 30 sec timeout.

From some research it seems like a possible problem may be in the VM settings, which is not in my control so if it is the case I would have to know what exactly to ask from the hosting service.

Any idea/solution will be greatly appreciated!