recreate RDP certificate - RSA MachineKeys - Internal error

C.Huss 25 Reputation points
2024-01-16T11:15:13.4+00:00

Hey, I have a freshly installed Windows 11 Pro. Everything is working as expected.
But after running sysprep OOBE (and capturing...) Remote Desktop is not working anymore.

When connecting via RDP it comes up with an internal error. I figured out that while starting sysprep the certificate from Remote Desktop gets deleted (I assume that is normal behaviour). But I do not get those certificates back. Tried the machine which did run the sysprep and also a new Windows machine (built a new ISO image by exchanging the WIM file before). Both installations are missing the client (host) certificate in the Remote Desktop folder in the cert console. I tried a lot, starting with restarting the RDP service. But also tried to move the RSA/MachineKeys folder and set new permissions on it... nothing helps...

What I do in my base image is that I deactivate TLS 1.0 and 1.1 - could that be a reason?

Any other ideas how to get RDP running again?

Also checked firewall, port, etc... By disabling Remote Desktop I do get different messages. It must be the certificate.

https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/rdp-error-general-troubleshooting#check-the-permissions-of-the-machinekeys-folder

Chris


Accepted answer
  1. Anonymous
    2024-01-18T02:25:58.6966667+00:00

    Hello,

    Firstly, you can disable NLA to use RDP layer for communication instead of SSL.

    This is the step:

    1. Open the Group Policy Management Editor by typing "gpedit.msc" in the Run dialog and pressing Enter.
    2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.
    3. In the right pane, double-click on "Require user authentication for remote connections by using Network Level Authentication."
    4. Select the "Disabled" option.
    5. Click "Apply" and then "OK" to save the changes.
    6. In the right pane, double-click on "Require use of specific security layer for remote (RDP) connections."
    7. Select the "Enabled" option and choose 'RDP'.
    8. Click "Apply" and then "OK" to save the changes.

    If you want to use SSL and ensure your certificate is back, you could follow these tips:

    1. Back up "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys", then delete it.
    2. Open "services.msc", find CNG Key Isolation. Ensure its state is Running.
    3. Restart your RDP service; you will see a brand new "MachineKeys" folder. Note: actually the specific key should be "f686aace6942fb7f7ceb231212eef4a4_6d79d916-3396-4e4a-a786-639cad86eac2", but the permission of the parent folder is also important. Follow the document you found before, "Check the permissions of the MachineKeys folder".

    Kind Regards,
    Karlie Weng

1 additional answer

  1. C.Huss 25 Reputation points
    2024-01-16T11:39:39.9866667+00:00

    Found it. While doing a bit of hardening in Windows, my script is deactivating the
    "Remote Desktop Configuration" service (SessionEnv) (in German: **Remotedesktopdienste-Sitzungsumgebung**).
    So after setting it back to Manual and starting the service, the certificates were regenerated.
    Before, I had just tried restarting the normal Remote Desktop service. Thanks anyway. Hope that helps someone else at some stage.

    Chris

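The two answers point at four different things that can leave the Remote Desktop store empty after sysprep: the SessionEnv service that regenerates the self-signed certificate, the CNG Key Isolation service that holds its private key, the MachineKeys folder permissions, and the NLA / security-layer policy. The following read-only PowerShell script is an added diagnostic example written for this thread, not code from either poster or from Microsoft. It reports all four in one table so you can see which one is broken before changing anything. Service names (SessionEnv, KeyIso, TermService), the `Cert:\LocalMachine\Remote Desktop` store, and the two registry keys are documented Windows locations; the interpretation comments (what the value names mean) are my own reading of the policy settings named in the accepted answer. Run it in an elevated PowerShell on the affected host.

```powershell
# Added diagnostic example (not from the original thread). Read-only: it only reports state.
# Requires an elevated prompt to read the MachineKeys ACL and the HKLM policy keys.

$report = [ordered]@{}

# 1. Services. SessionEnv (Remote Desktop Configuration) regenerates the RDP certificate on start;
#    KeyIso (CNG Key Isolation) holds the machine private keys; TermService is Remote Desktop itself.
#    A StartType of Disabled on SessionEnv is the condition the second answer identified.
foreach ($name in 'SessionEnv', 'KeyIso', 'TermService') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { $report["service:$name"] = 'NOT FOUND'; continue }
    $report["service:$name"] = "Status=$($svc.Status) StartType=$($svc.StartType)"
}

# 2. Certificate in the machine "Remote Desktop" store. Empty here means the host
#    has nothing to present for TLS/NLA, which is the "internal error" symptom from the question.
$rdpCerts = Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue
$report['rdp-certificate'] = if ($rdpCerts) {
    ($rdpCerts | ForEach-Object { "$($_.Subject) thumbprint=$($_.Thumbprint) expires=$($_.NotAfter.ToShortDateString())" }) -join '; '
} else { 'MISSING' }

# 3. NLA and security-layer settings. The policy key (set by the GPO in the accepted answer)
#    overrides the per-listener WinStation key when it is present.
#    UserAuthentication: 1 = NLA required, 0 = not required.
#    SecurityLayer:      0 = RDP security layer, 1 = Negotiate, 2 = TLS (SSL).
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$winStation = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
foreach ($valueName in 'UserAuthentication', 'SecurityLayer') {
    foreach ($key in $policyKey, $winStation) {
        $v = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
        $label = if ($key -eq $policyKey) { 'policy' } else { 'RDP-Tcp' }
        $report["$valueName ($label)"] = if ($null -eq $v) { 'not set' } else { $v }
    }
}

# 4. MachineKeys folder owner and ACL, the check the linked Microsoft troubleshooting page asks for.
#    Missing Everyone / SYSTEM / Administrators entries here is what prevents the key from being written.
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
if (Test-Path -Path $machineKeys) {
    $acl = Get-Acl -Path $machineKeys
    $report['machinekeys-owner'] = $acl.Owner
    $report['machinekeys-acl']   = ($acl.Access | ForEach-Object {
        "$($_.IdentityReference): $($_.FileSystemRights) ($($_.AccessControlType))"
    }) -join '; '
} else {
    $report['machinekeys-folder'] = 'MISSING'
}

$report.GetEnumerator() | Format-Table -AutoSize -Wrap
```

If the table shows SessionEnv disabled and the certificate missing, setting that service back to Manual and starting it (as the second answer did) is the fix that keeps TLS and NLA in place; only fall back to the policy changes in the accepted answer if the certificate still does not reappear, since those lower the security layer for every client.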
