RDP internal Error, but not from every PC/Server

FB-7210 0 Reputation points
2023-09-06T11:30:50.3266667+00:00

Hi everyone,

We have the "internal error" in RDP sessions.


When trying to connect from Windows Server 2019 or Windows 11 we get the error.

When trying to connect from Windows Server 2016 or Windows 10 to the same machines (yes, there are a few, running Win10 and Win11) everything works fine.

We went through all the other tips found on the internet (comparing ciphers, local and domain GPOs, deleting RSA MachineKeys, updating Windows several times, sfc, dism, leaving the domain and rejoining, turning off UDP in RDP, deleting self-signed RDP certs, NLA off and on, using RDP as admin or in console mode, setting other negotiation modes for RDP (SSL/RDP)), but none of them did the trick.

Comparing the mstsc.exe file on several PCs and servers gives us different sizes and versions, but there is no way I will download and replace it from any website (security, you know) when not even MS gives you a download for that.

The Event Viewer won't give any clue (even the Security log).

Why do we get the error only from Windows Server 2019 and Windows 11?

Win11 is otherwise unusable with that really confusing behavior, and we will have to go back to Win10 for every computer in the company...

And yes, I am aware of the UDP setting and https://support.microsoft.com/de-de/topic/26-januar-2023-kb5022360-betriebssystembuild-22621-1194-vorschau-f6973dbe-bcc4-402a-8b9a-0541b0959403 But that did not do the trick either.

@Microsoft, please advise


3 answers

  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


  2. FB-7210 0 Reputation points
    2023-09-08T11:07:49.4733333+00:00

    So, there is an update and solution: (see REAL solution comment xD)

    The solution was to create a new GPO:

    Computer config -> Policies -> Windows Settings -> Security Settings -> LocalPolicies -> Security Options -> "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" set to enabled.

    Roll that out to all computers in the domain.

    The only clue to that was an error on the remote client in the System log from Schannel (Event ID 38674) stating "An unknown connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed."

    Not even Wireshark was a clue, since the encryption negotiation is not very obvious.

    This has to be a combination of a Windows update changing the RDP encryption handling in Win11 and Server 2019 and some hardening in the past in the Windows domain.

    If you stumble upon this: give the FIPS GPO a try and don't forget to reboot the affected machines :)

    If you want to verify before rolling out a GPO, use the Local Security Policy on the affected machines; the option is there too.


  3. FB-7210 0 Reputation points
    2024-02-02T14:06:20.9666667+00:00

    Long time no see. The REAL solution was a GPO setting some registry settings and NOT the FIPS settings, since that is not really an option for environments using "non-FIPS settings". Just don't use the key "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3" and its subkeys "Client" and "Server" (maybe it's just the key "Server"). Many blogs and how-tos are wrong on this. You break RDP this way.

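A read-only diagnostic to go with the two answers above (an added example, not code from the thread): it lists the TLS 1.3 Client/Server override keys the last answer warns about, the FIPS policy value behind the GPO in the earlier answer, and recent Schannel errors in the System log. The FipsAlgorithmPolicy registry path is not quoted in the thread and is assumed to be the standard location for that policy.

```powershell
# Added diagnostic, not from the thread. Run in an elevated PowerShell on a machine
# that fails to connect; it only reads registry values and event logs, it changes nothing.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$fipsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'   # assumed standard path

function Get-SchannelProtocolState {
    # Reports whether the Client/Server override keys for a protocol exist and what they hold.
    param([string]$Protocol)   # e.g. 'TLS 1.3'
    foreach ($side in 'Client', 'Server') {
        $path = Join-Path $schannel "$Protocol\$side"
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ Protocol = $Protocol; Side = $side; KeyPresent = $false;
                               Enabled = $null; DisabledByDefault = $null }
            continue
        }
        $p = Get-ItemProperty -Path $path
        [pscustomobject]@{
            Protocol          = $Protocol
            Side              = $side
            KeyPresent        = $true
            Enabled           = $p.Enabled            # $null when the value is not set
            DisabledByDefault = $p.DisabledByDefault
        }
    }
}

# 1. TLS 1.3 override keys: the final answer reports that pushing these via GPO broke RDP.
$tls13 = Get-SchannelProtocolState -Protocol 'TLS 1.3'
$tls13 | Format-Table -AutoSize
if ($tls13 | Where-Object KeyPresent) {
    Write-Warning "TLS 1.3 override keys exist under $schannel; compare with a working client before changing anything."
}

# 2. FIPS mode (the first workaround in the thread); 1 = enabled, $null = value not set.
$fips = if (Test-Path $fipsKey) { (Get-ItemProperty -Path $fipsKey).Enabled } else { $null }
"FIPS algorithm policy Enabled = $fips"

# 3. Recent Schannel errors in the System log, e.g. the cipher-suite mismatch quoted in answer 2.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Level = 2 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Run it on one failing client and one working client and diff the output; the thread's point is that the difference sits in the override keys, not in mstsc.exe.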
