How do I set up a PC for Remote Desktop?
For Windows 10, do the following:
1. On the device you want to connect to, open Settings.
2. Select System and then Remote Desktop.
3. Use the slider to enable Remote Desktop.
4. In general, it's best to keep the PC awake and discoverable to facilitate connections. Click Show settings to go to the power settings for your PC, where you can change this setting.
Why can't I connect using Remote Desktop?
Here are some possible solutions to common problems you might
encounter when trying to connect to a remote PC. If these solutions don't work,
you can find more help on the Microsoft Community website.
· The remote PC can't be found. Make sure you have the right PC name, and then check to see if you entered that name correctly. If you still can't connect, try using the IP address of the remote PC instead of the PC name.
· There's a problem with the network. Make sure you have an internet connection.
· The Remote Desktop port might be blocked by a firewall. If you're using Windows Firewall, follow these steps:
  1. Open Windows Firewall.
  2. Click Allow an app or feature through Windows Firewall.
  3. Click Change settings. You might be asked for an admin password or to confirm your choice.
  4. Under Allowed apps and features, select Remote Desktop, and then tap or click OK.
  If you're using a different firewall, make sure the port for Remote Desktop (usually 3389) is open.
· Remote connections might not be set up on the remote PC. To fix this, scroll back up to the "How do I set up a PC for Remote Desktop?" question in this topic.
· The remote PC might only allow PCs to connect that have Network Level Authentication set up.
· The remote PC might be turned off. You can't connect to a PC that's turned off, asleep, or hibernating, so make sure the settings for sleep and hibernation on the remote PC are set to Never (hibernation isn't available on all PCs).
Why can't I find or connect to my PC?
Check the following:
· Is the PC on and awake?
· Did you enter the right name or IP address?
  Important
  Using the PC name requires your network to resolve the name correctly through DNS. In many home networks, you have to use the IP address instead of the host name to connect.
· Is the PC on a different network? Did you configure the PC to let outside connections through? Check out Allow access to your PC from outside your network for help.
· Are you connecting to a supported Windows version?
Specific errors
Why do I get an "Insufficient privileges" error?
You are not allowed to access the session you want to connect
to. The most likely cause is that you are trying to connect to an admin
session. Only administrators are allowed to connect to the console. Verify that
the console switch is off in the advanced settings of the remote desktop. If
this is not the source of the problem, please contact your system administrator
for further assistance.
Why does the client say that there is no CAL?
When a remote desktop client connects to a Remote Desktop
server, the server issues a Remote Desktop Services Client Access License (RDS
CAL) stored by the client. Whenever the client connects again it will use its
RDS CAL and the server will not issue another license. The server will issue
another license if the RDS CAL on the device is missing or corrupt. When the
maximum number of licensed devices is reached the server will not issue new RDS
CALs. Contact your network administrator for assistance.
Why did I get an "Access Denied" error?
The "Access Denied" error is generated by the Remote Desktop Gateway and is the result of incorrect credentials during the connection attempt. Verify your username and password. If the connection worked before and the error occurred recently, you possibly changed your Windows user account password and haven't updated it yet in the remote desktop settings.
What does "RPC Error 23014" or "Error 0x59e6" mean?
If you get RPC error 23014 or Error 0x59E6, try again after waiting a few minutes: the RD Gateway server has reached the maximum number of active connections. The maximum number of connections depends on the Windows version running on the RD Gateway. The Windows Server 2008 R2 Standard implementation limits the number of connections to 250. The Windows Server 2008 R2 Foundation implementation limits the number of connections to 50. All other Windows implementations allow an unlimited number of connections.
What does the "Failed to parse NTLM challenge" error mean?
This error is caused by a misconfiguration on the remote PC.
Make sure the RDP security level setting on the remote PC is set to
"Client Compatible." (Talk to your system admin if you need help
doing this.)
What does "TS_RAP you are not allowed to connect to the given host" mean?
This error happens when a Resource Authorization Policy on the
gateway server stops your user name from connecting to the remote PC. This can
happen in the following instances:
· The remote PC name is the same as the name of the gateway. Then, when you try to connect to the remote PC, the connection goes to the gateway instead, which you probably don't have permission to access. If you need to connect to the gateway, do not use the external gateway name as PC name. Instead use "localhost" or the IP address (127.0.0.1), or the internal server name.
· Your user account isn't a member of the user group for remote access.
General Remote Desktop connection troubleshooting
Check the status of the RDP protocol on a remote computer
You can configure your PC for remote access with a few easy
steps.
1. On the device you want to connect to, select Start and then click the Settings icon on the left.
2. Select the System group followed by the Remote Desktop item.
3. Use the slider to enable Remote Desktop.
4. It is also recommended to keep the PC awake and discoverable to facilitate connections. Click Show settings to enable.
5. As needed, add users who can connect remotely by clicking Select users that can remotely access this PC.
   1. Members of the Administrators group automatically have access.
6. Make note of the name of this PC under How to connect to this PC. You'll need this to configure the clients.
Check the status of the RDP protocol on a remote computer
Important
Follow this section's instructions carefully. Serious problems can occur if the registry is modified incorrectly. Before you start modifying the registry, back up the registry so you can restore it in case something goes wrong.
To check and change the status of the RDP protocol on a remote
computer, use a network registry connection:
1. First, go to the Start menu, then select Run. In the text box that appears, enter regedt32.
2. In the Registry Editor, select File, then select Connect Network Registry.
3. In the Select Computer dialog box, enter the name of the remote computer, select Check Names, and then select OK.
4. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server.
   o If the value of the fDenyTSConnections key is 0, then RDP is enabled.
   o If the value of the fDenyTSConnections key is 1, then RDP is disabled.
5. To enable RDP, change the value of fDenyTSConnections from 1 to 0.
Check whether a Group Policy Object (GPO) is blocking RDP on a local computer
If you can't turn on RDP in the user interface or the value
of fDenyTSConnections reverts to 1 after you've changed it, a GPO may be overriding the
computer-level settings.
To check the group policy configuration on a local computer,
open a Command Prompt window as an administrator, and enter the following
command:
gpresult /H c:\gpresult.html
After this command finishes, open gpresult.html. In Computer
Configuration\Administrative Templates\Windows Components\Remote Desktop
Services\Remote Desktop Session Host\Connections, find the Allow users to connect
remotely by using Remote Desktop Services policy.
· If the setting for this policy is Enabled, Group Policy is not blocking RDP connections.
· If the setting for this policy is Disabled, check Winning GPO. This is the GPO that is blocking RDP connections.
Check whether a GPO is blocking RDP on a remote computer
To check the Group Policy configuration on a remote computer,
the command is almost the same as for a local computer:
gpresult /S <computer name> /H c:\gpresult-<computer name>.html
The file that this command produces (gpresult-<computer
name>.html) uses the same information format as the local computer version
(gpresult.html) uses.
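The local and remote checks above can also be read straight from the registry, which shows whether the computer-level fDenyTSConnections value or a policy-written copy of it decides the outcome. This is an added example, not part of the original page; the function name Get-RdpEnableState is hypothetical, and the policy registry path is not given on the page but is where Windows stores this policy setting.

```powershell
# Added example (not from the original page). Read-only: it changes nothing.
function Get-RdpEnableState {
    [CmdletBinding()]
    param(
        [string]$ComputerName   # omit to check the local computer
    )

    $probe = {
        $computerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
        # Registry location written by the "Allow users to connect remotely by
        # using Remote Desktop Services" policy when it is configured.
        $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

        # Returns the value as an integer, or $null when it does not exist.
        $read = {
            param($Path)
            $item = Get-ItemProperty -Path $Path -Name fDenyTSConnections -ErrorAction SilentlyContinue
            if ($null -ne $item) { [int]$item.fDenyTSConnections } else { $null }
        }
        $computerValue = & $read $computerKey
        $policyValue   = & $read $policyKey

        # A configured policy value wins over the computer-level value, which
        # is why a manual change can appear to revert.
        if ($null -ne $policyValue) { $source = 'Group Policy';     $effective = $policyValue }
        else                        { $source = 'Computer setting'; $effective = $computerValue }

        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            ComputerSetting = $computerValue   # 0 = RDP enabled, 1 = RDP disabled
            PolicySetting   = $policyValue     # $null = policy not configured
            DecidedBy       = $source
            RdpEnabled      = ($effective -eq 0)
        }
    }

    if ($ComputerName) {
        # Requires PowerShell remoting on the target, as Enter-PSSession does.
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe
    } else {
        & $probe
    }
}

Get-RdpEnableState | Format-List
```

If DecidedBy shows Group Policy, use the gpresult report to find the Winning GPO before changing anything.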
Modifying a blocking GPO
You can modify these settings in the Group Policy Object Editor
(GPE) and Group Policy Management Console (GPM). For more information about how
to use Group Policy, see Advanced Group Policy Management.
To modify the blocking policy, use one of the following methods:
· In GPE, access the appropriate level of GPO (such as local or domain), and navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > Allow users to connect remotely by using Remote Desktop Services.
  1. Set the policy to either Enabled or Not configured.
  2. On the affected computers, open a command prompt window as an administrator, and run the gpupdate /force command.
· In GPM, navigate to the organizational unit (OU) in which the blocking policy is applied to the affected computers and delete the policy from the OU.
Check the status of the RDP services
On both the local (client) computer and the remote (target)
computer, the following services should be running:
· Remote Desktop Services (TermService)
· Remote Desktop Services UserMode Port Redirector (UmRdpService)
You can use the Services MMC snap-in to manage the services locally or remotely. You can also use PowerShell to manage the services locally or remotely (if the remote computer is configured to accept remote PowerShell cmdlets).
On either computer, if one or both services are not running, start them.
Note
If you start the Remote Desktop Services service, click Yes to automatically restart the Remote Desktop Services UserMode Port Redirector service.
Check that the RDP listener is functioning
Important
Follow this section's instructions carefully. Serious problems can occur if the registry is modified incorrectly. Before you start modifying the registry, back up the registry so you can restore it in case something goes wrong.
Check the status of the RDP listener
For this procedure, use a PowerShell instance that has
administrative permissions. For a local computer, you can also use a command
prompt that has administrative permissions. However, this procedure uses
PowerShell because the same cmdlets work both locally and remotely.
1. To connect to a remote computer, run the following cmdlet:
   Enter-PSSession -ComputerName <computer name>
2. Enter qwinsta.
4. Export the RDP listener configuration from a working computer.
   1. Sign in to a computer that has the same operating system version as the affected computer has, and access that computer's registry (for example, by using Registry Editor).
   2. Navigate to the following registry entry:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
   3. Export the entry to a .reg file. For example, in Registry Editor, right-click the entry, select Export, and then enter a filename for the exported settings.
   4. Copy the exported .reg file to the affected computer.
5. To import the RDP listener configuration, open a PowerShell window that has administrative permissions on the affected computer (or open the PowerShell window and connect to the affected computer remotely).
   1. To back up the existing registry entry, enter the following cmdlet:
      cmd /c 'reg export "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-tcp" C:\Rdp-tcp-backup.reg'
   2. To remove the existing registry entry, enter the following cmdlets:
      Remove-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-tcp' -Recurse -Force
   3. To import the new registry entry and then restart the service, enter the following cmdlets:
      cmd /c 'regedit /s c:\<filename>.reg'
      Restart-Service TermService -Force
      Replace <filename> with the name of the exported .reg file.
6. Test the configuration by trying the remote desktop connection again. If you still can't connect, restart the affected computer.
7. If you still can't connect, check the status of the RDP self-signed certificate.
Check the status of the RDP self-signed certificate
1. If you still can't connect, open the Certificates MMC snap-in. When you are prompted to select the certificate store to manage, select Computer account, and then select the affected computer.
2. In the Certificates folder under Remote Desktop, delete the RDP self-signed certificate.
3. On the affected computer, restart the Remote Desktop Services service.
4. Refresh the Certificates snap-in.
5. If the RDP self-signed certificate has not been recreated, check the permissions of the MachineKeys folder.
Check the permissions of the MachineKeys folder
1. On the affected computer, open Explorer, and then navigate to C:\ProgramData\Microsoft\Crypto\RSA\.
2. Right-click MachineKeys, select Properties, select Security, and then select Advanced.
3. Make sure that the following permissions are configured:
   o Builtin\Administrators: Full control
   o Everyone: Read, Write
Check the RDP listener port
On both the local (client) computer and the remote (target)
computer, the RDP listener should be listening on port 3389. No other
applications should be using this port.
Important
Follow this section's instructions carefully. Serious problems can occur if the registry is modified incorrectly. Before you start modifying the registry, back up the registry so you can restore it in case something goes wrong.
To check or change the RDP port, use the Registry Editor:
1. Go to the Start menu, select Run, then enter regedt32 into the text box that appears.
   o To connect to a remote computer, select File, and then select Connect Network Registry.
   o In the Select Computer dialog box, enter the name of the remote computer, select Check Names, and then select OK.
2. Open the registry and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\<listener>.
3. If PortNumber has a value other than 3389, change it to 3389.
   Important
   You can operate Remote Desktop services using another port. However, we don't recommend you do this. This article doesn't cover how to troubleshoot that type of configuration.
4. After you change the port number, restart the Remote Desktop Services service.
Check that another application isn't trying to use the same port
For this procedure, use a PowerShell instance that has
administrative permissions. For a local computer, you can also use a command
prompt that has administrative permissions. However, this procedure uses
PowerShell because the same cmdlets work locally and remotely.
1. Open a PowerShell window. To connect to a remote computer, enter Enter-PSSession -ComputerName <computer name>.
2. Enter the following command:
   cmd /c 'netstat -ano | find "3389"'
3. Look for an entry for TCP port 3389 (or the assigned RDP port) with a status of Listening.
   Note
   The process identifier (PID) for the process or service using that port appears under the PID column.
4. To determine which application is using port 3389 (or the assigned RDP port), enter the following command:
   cmd /c 'tasklist /svc | find "<pid listening on 3389>"'
5. Look for an entry for the PID number that is associated with the port (from the netstat output). The services or processes that are associated with that PID appear on the right column.
6. If an application or service other than Remote Desktop Services (TermServ.exe) is using the port, you can resolve the conflict by using one of the following methods:
   o Configure the other application or service to use a different port (recommended).
   o Uninstall the other application or service.
   o Configure RDP to use a different port, and then restart the Remote Desktop Services service (not recommended).
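A scripted form of the netstat and tasklist steps above, which reads PortNumber from the listener key instead of assuming 3389 and reports which process and services own the listening socket. This is an added example, not part of the original page; the function name Get-RdpListenerOwner is hypothetical, and it assumes a Windows version that provides Get-NetTCPConnection.

```powershell
# Added example (not from the original page). Read-only: it changes nothing.
function Get-RdpListenerOwner {
    [CmdletBinding()]
    param(
        [string]$Listener = 'RDP-Tcp'   # listener key name under WinStations
    )

    $key  = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\$Listener"
    $port = [int](Get-ItemProperty -Path $key -Name PortNumber -ErrorAction Stop).PortNumber

    # Unique PIDs that hold a TCP socket in the Listen state on that port.
    $owners = @(Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty OwningProcess -Unique)

    if ($owners.Count -eq 0) {
        # Nothing is listening: the listener or the service is the problem.
        return [pscustomobject]@{
            Port = $port; Listening = $false; ProcessId = $null
            Process = $null; Services = $null; OwnedByTermService = $false
        }
    }

    foreach ($processId in $owners) {
        # Same mapping that "tasklist /svc" prints: services hosted in this PID.
        $services = @(Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $processId" |
                      Select-Object -ExpandProperty Name)
        $process  = Get-Process -Id $processId -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Port               = $port
            Listening          = $true
            ProcessId          = $processId
            Process            = $process.ProcessName
            Services           = $services -join ', '
            OwnedByTermService = ($services -contains 'TermService')
        }
    }
}

# Service state first, then who owns the configured RDP port.
Get-Service -Name TermService, UmRdpService | Format-Table Name, Status
Get-RdpListenerOwner | Format-List
```

A row with OwnedByTermService set to False is the port conflict described in step 6; run the same function inside an Enter-PSSession session to check a remote computer.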
Check whether a firewall is blocking the RDP port
Use the psping tool to test whether you can reach the affected computer
by using port 3389.
1. Go to a different computer that isn't affected and download psping from https://live.sysinternals.com/psping.exe
2. Open a command prompt window as an administrator, change to the directory in which you installed psping, and then enter the following command:
   psping -accepteula <computer IP>:3389
3. Check the output of the psping command for results such as the following:
   o Connecting to <computer IP>: The remote computer is reachable.
   o (0% loss): All attempts to connect succeeded.
   o The remote computer refused the network connection: The remote computer is not reachable.
   o (100% loss): All attempts to connect failed.
4. Run psping on multiple computers to test their ability to connect to the affected computer.
5. Note whether the affected computer blocks connections from all other computers, some other computers, or only one other computer.
6. Recommended next steps:
   o Engage your network administrators to verify that the network allows RDP traffic to the affected computer.
   o Investigate the configurations of any firewalls between the source computers and the affected computer (including Windows Firewall on the affected computer) to determine whether a firewall is blocking the RDP port.