RemoteApp Slow after Windows10 1803 update on Server 2012 R2

As the title suggests, after updating Windows 10 computers to 1803, users have reported slow RemoteApp sessions.

You can try disabling Remote FX, but user reports suggest this causes further issues.

The easiest fix is to copy mstsc.exe and mstscax.dll from a 1709 build and replace the files on 1803. We have confirmed this works.

KB4103727 Breaks RDP/Remote Desktop Gateway

This morning we awoke to screams from users not being able to login to our remote desktop servers.

KB4103727 has been released which switches a flag to protect against the CredSSP attack.

The quickest way to fix this to get your users working is to patch your domain controller with the May updates and use group policy to push out a change

You can manually add this to the registry for desktop clients

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters] "AllowEncryptionOracle"=dword:00000002

or via command line

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /f /v AllowEncryptionOracle /t REG_DWORD /d 2

To fix this problem, the May updates need to be installed on all servers and workstations.

More information:

 

RDP 0xC000035B Error occurred during login

I had the weirdest error recently when rolling out a remote app to a new customer. It was a Windows 7 machine that had the latest RDP updates installed.

When launching the thin app, the following error occurred on the client end:

Disconnected from remote computer

This stumped me for some time. It looked like some sort of authentication error. There is a Microsoft article on this, which applies to the RDP Gateway. I don’t think you should be applying a wholesale fix like this to a RDP Gateway, let alone on multi tenancy infrastructure.

I looked at the event log on the Remote Desktop Gateway server which was running Server 2012. I saw the following event log.

error

This confirmed to me that this was some sort of authentication error.

Looking at the local security options on the computer, I found the following:

Untitled-2

Now, on a normal domain, this would not be set. You need to set this to the following:

Untitled-1

Set to NTLM v2 for server 2012 connections.