RDP broken after updates

Derick Brown 30 Reputation points
2026-01-06T19:49:27.27+00:00

Our Windows 11 Enterprise machines are having problems connecting through RDP after the 24H2 and 25H2 updates. Even after uninstalling said updates, the problem persists. This is greatly affecting our ability to work.

How do we fix this issue??

Windows for business | Windows 365 Enterprise

2 answers

  1. Daphne Huynh (WICLOUD CORPORATION) 660 Reputation points Microsoft External Staff Moderator
    2026-01-15T03:30:25.2733333+00:00

    Welcome to the Microsoft Q&A Platform and thank you for sharing your concern with us.

    I understand how challenging this issue has been. Based on your description (RDP connections failing with "invalid credentials" after the 24H2 and 25H2 updates, even after uninstalling), I would like to share some insights that may help clarify what you are seeing.

    • Update Window

    I don’t have full visibility into the specific KBs applied during your upgrade to 25H2. However, the 24H2 and 25H2 updates introduced significant changes to the RDP transport layer and security stack. These changes are not fully reverted when the updates are uninstalled, as certain registry values and system components remain modified.

    Please help me to install the latest cumulative update for your Windows 11 Enterprise build.

    Reference: Windows 11, version 25H2 update history - Microsoft Support

    • Registry Settings for Security Protocol Negotiation

    Open Registry Editor, navigate to HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp and set fAllowSecProtocolNegotiation to 1.

    • Group Policy and User Rights

    Ensure users are in the Remote Desktop Users group (lusrmgr.msc). You can check Group Policy by following the paths below:

    Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow logon through Remote Desktop Services.

    Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Access this computer from the network

    • Recreate RDP-Tcp Listener

    If registry corruption is suspected, export the RDP-Tcp key from a working machine and import it to the affected one, then restart Remote Desktop Services.

    Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

    • VLAN/Network Specifics

    If the issue only occurs across VLANs, check for:

    - Firewall rules blocking RDP (TCP 3389)
    - Network policies affecting authentication traffic
    - Routing issues between VLANs

    • Check RDP Certificate and MachineKeys Permissions
      1. Open certlm.msc on the affected machine
      2. Delete the RDP self-signed certificate under Remote Desktop.
      3. Restart the Remote Desktop Services service.
      4. If the certificate is not recreated, check permissions on C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys:
         - Administrators: Full control
         - Everyone: Read, Write
         - System: Full control
         - Network Service: Full control

    I hope this information can help you to finish it successfully. Wish you a pleasant day! 


  2. Domic Vo 22,035 Reputation points Independent Advisor
    2026-01-06T20:22:11.66+00:00

    Hello Derick Brown,

    Microsoft has acknowledged that the 24H2 update introduced a regression in the Remote Desktop stack, specifically affecting Windows 11 Enterprise systems. The issue is tied to changes in the RDP transport layer and security hardening, which caused sessions to hang, disconnect, or fail to establish. The complication you are seeing, where uninstalling the updates does not restore functionality, is because the update modified system components and registry values that are not rolled back cleanly when the patch is removed. In other words, the uninstall does not revert the RDP stack to its pre‑update state.

    The official fix is being delivered through cumulative updates released after March 2025. Microsoft confirmed the problem and pushed a server‑side update along with hotfixes in KB5050094 and KB5051987, and later cumulative updates corrected the RDP regression. To resolve this, you need to ensure your machines are fully patched with the latest cumulative update for your build of Windows 11 Enterprise. Simply uninstalling 24H2 or 25H2 will not help; you must apply the corrective update that contains the RDP fix.

    In the meantime, there are two mitigations that have been shown to restore functionality until the proper patch is applied. First, disable UDP transport for RDP by setting the following registry key:

    HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client

    Create or set fClientDisableUDP as a DWORD with value 1.

    This forces RDP to use TCP only, bypassing the broken UDP transport introduced in 24H2. After setting this, reboot the machine and test RDP connectivity.

    Second, if you are using NLA (Network Level Authentication), confirm that the policy under Local Security Policy > Security Options > Require user authentication for remote connections by using NLA is consistent across all machines. In some cases, mismatched NLA enforcement after the update caused authentication failures.

    To summarize: the uninstall did not fix the issue because the regression persists in system components. The supported resolution is to apply the latest cumulative update where Microsoft has corrected the RDP stack. As a temporary workaround, disable UDP transport for RDP via the registry key above.

    I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!

    Domic Vo.

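
The settings named in the two answers above can be collected in one read-only pass before anything is changed. The script below is an added example, not part of either answer and not Microsoft's own tooling. It assumes an elevated PowerShell session on the affected machine; the `UserAuthentication` and `PortNumber` value names, the `TermService` service name, the group SID and the `Remote Desktop` certificate store path do not appear on the page.

```powershell
# Added example: read-only audit of the RDP settings the answers refer to.
# Nothing is modified; run elevated so the ACL and certificate store are readable.
$rdpTcp    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$clientPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client'
$keysDir   = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Most recent installed update, to compare against the update history page.
$lastFix = Get-HotFix | Sort-Object InstalledOn | Select-Object -Last 1

[pscustomobject][ordered]@{
    ComputerName                 = $env:COMPUTERNAME
    OsBuild                      = [string][Environment]::OSVersion.Version
    LastHotFix                   = $lastFix.HotFixID
    LastHotFixInstalledOn        = $lastFix.InstalledOn
    TermServiceStatus            = [string](Get-Service -Name TermService).Status
    # Listener-side values (the machine being connected to).
    fAllowSecProtocolNegotiation = Get-RegValue $rdpTcp 'fAllowSecProtocolNegotiation'
    UserAuthentication           = Get-RegValue $rdpTcp 'UserAuthentication'  # 1 = NLA required
    PortNumber                   = Get-RegValue $rdpTcp 'PortNumber'
    # Client-side policy: also check this on the machine that starts the connection.
    fClientDisableUDP            = Get-RegValue $clientPol 'fClientDisableUDP'
} | Format-List

# Members of Remote Desktop Users, looked up by well-known SID so a
# localized group name does not matter.
Get-LocalGroupMember -SID 'S-1-5-32-555' -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# RDP listener certificate: an empty result after restarting the service
# points at the MachineKeys permissions check.
Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
    Select-Object Subject, NotBefore, NotAfter, Thumbprint | Format-List

# Current ACL on MachineKeys, to compare with the permissions listed above.
(Get-Acl -Path $keysDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Running it on one working and one failing machine and comparing the two outputs shows which of these settings differ before any registry import or certificate deletion is attempted.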