Hi, I posted this on another forum and was directed here so here goes:
This issue is ripping me a new one so I'd really appreciate any help...
Layout:
desk and test are on subnet 1
frank is on subnet 2
vpn is on its own subnet but is passed subnet 1 in the vpn config (handled by router)
All are Windows 10.
There is full routing between subnets (pass all traffic).
Ping works to all hosts, telnet over 3389 works to all hosts, TightVNC works; just RDP is acting up.
Windows Firewall is completely off on frank, desk, and test.
test is a completely fresh install of Windows with all updates.
There is no Windows domain or anything and all computers are in "WORKGROUP".
RDP testing table:
from -> to       result
desk -> test     yes
desk -> frank    no ("the logon attempt failed")
frank -> test    yes
frank -> desk    yes
test -> desk     yes
test -> frank    no (connects and shows the lock screen but says "username or password is incorrect, try again")
vpn -> desk      yes
vpn -> frank     yes
vpn -> test      yes
keep in mind telnet 3389 works even when rdp doesn't
for some reason frank is the only one that others cannot connect TO (it can connect to others) and for some reason vpn clients are able to connect to frank.
Troubleshooting:
On frank when I attempt to connect from desk/test I sometimes get the following error in frank's event log:
A CredSSP authentication to TERMSRV/<desk/test ip> failed to negotiate a common protocol version. The remote host offered version 4 which is not permitted by Encryption Oracle Remediation.
Microsoft recommends this page:
https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018
Based on the above, tried setting to "vulnerable" or whatever, no good.
So I updated all Windows machines to the latest build, so now all RDP clients are version 10.0.17134, and it doesn't help at all, except that now when test fails to connect to frank it has the same message as desk, that is "the logon attempt failed", and no longer shows the logon screen as it did previously.
I also tried creating a new account "test" on frank but that got the same error.
If I connect frank to subnet 1 everything works fine, so I think it is simply something to do with that host being on a different subnet. Is there anything I can set to allow RDP even though it is in another subnet? How can I RDP to frank and have it remain in subnet 2? Please help!
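An added diagnostic, not from the original post: a PowerShell script to run on each end of a failing session (the poster's frank and desk/test) that reports the CredSSP Encryption Oracle Remediation policy, the mstsc.exe build, the RDP-Tcp NLA and security-layer settings, and recent CredSSP negotiation failures in the System log, so both hosts can be compared side by side. The value labels follow the Microsoft KB linked above; filtering the event log by message text rather than event ID is an assumption made to keep the script independent of the exact event ID.

```powershell
# Added diagnostic (not from the original post). Run on each host involved in the failing RDP session.
$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$rdpTcpPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$labels     = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }   # per KB4093492

function Get-CredSspOracleState {
    # AllowEncryptionOracle is the policy the KB describes; absent means the OS default for its patch level applies.
    $value = (Get-ItemProperty -Path $policyPath -Name AllowEncryptionOracle -ErrorAction SilentlyContinue).AllowEncryptionOracle
    if ($null -eq $value) { return 'Not set (OS default applies)' }
    return "$value ($($labels[[int]$value]))"
}

function Get-RdpClientBuild {
    # The RDP client build the poster compares (10.0.17134) is the file version of mstsc.exe.
    $mstsc = Join-Path $env:SystemRoot 'System32\mstsc.exe'
    return (Get-Item $mstsc).VersionInfo.ProductVersion
}

function Get-RdpListenerSettings {
    # UserAuthentication = 1 means Network Level Authentication (CredSSP) is required on the target.
    $p = Get-ItemProperty -Path $rdpTcpPath -ErrorAction SilentlyContinue
    [pscustomobject]@{ UserAuthentication = $p.UserAuthentication; SecurityLayer = $p.SecurityLayer }
}

function Get-RecentCredSspFailures {
    param([int]$Hours = 24)
    # Assumption: the "Encryption Oracle Remediation" message text is stable enough to filter on.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Encryption Oracle Remediation*' } |
        Select-Object TimeCreated, Id, Message
}

"Host:                  $env:COMPUTERNAME"
"OS build:              $([Environment]::OSVersion.Version)"
"mstsc.exe version:     $(Get-RdpClientBuild)"
"AllowEncryptionOracle: $(Get-CredSspOracleState)"
"RDP-Tcp listener:      $(Get-RdpListenerSettings | Out-String)".TrimEnd()
if ((Get-CredSspOracleState) -like '2 *') {
    'WARNING: "Vulnerable" re-exposes CVE-2018-0886 on this host; prefer 0 or 1 with both ends fully patched.'
}
'Recent CredSSP negotiation failures (System log, last 24h):'
Get-RecentCredSspFailures | Format-Table -AutoSize
```

Compare the AllowEncryptionOracle value and mstsc.exe version between frank and the host that cannot reach it; a mismatch between a patched client and an unpatched or "Force Updated Clients" target is what produces the protocol-version error quoted above.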