![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 51%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMJ%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 33%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDV%3C/text%3E%3C/svg%3E)
Hello Myler, Jim,
The behavior you describe thatTerminal Services starting but the system not listening on TCP 3389 indicates that the Remote Desktop Services stack is failing to bind the listener. Since you already confirmed that port 3389 is not in use and the RDS listener was rebuilt without success, the issue is not a simple port conflict. The timing with KB5073457 suggests a regression introduced by that update, but since uninstalling it did not restore functionality, the underlying configuration may have been altered during the patch cycle.
The first place to check is the listener configuration in the registry. Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Confirm that the PortNumber value is set to 3389 (DWORD, decimal). Also check that the SecurityLayer and UserAuthentication values are consistent with your environment. If these values are corrupted or missing, the listener will not bind.
Next, verify the binding at the OS level. Run:
qwinsta
and
netstat -ano | findstr 3389
If qwinsta shows no RDP-Tcp listener and netstat shows nothing on 3389, the service is not binding. In that case, check the system log for Event ID 101, 105, or 56 under TerminalServices-RemoteConnectionManager. These events usually indicate certificate binding failures or policy restrictions.
Since you rebuilt the certificate, confirm that the RDP service is actually pointing to a valid certificate. Open Group Policy Editor and check under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security. The setting “Select RDP transport protocols” should be set to “Use both TCP and UDP” or at least TCP. If it is set incorrectly, the listener will not start.
Another common cause after updates is that the Remote Desktop Services role is partially broken. Run:
sc query termservice
to confirm the service is running. If it is, but no listener is created, remove the RDS role completely, reboot, and reinstall it. Do not just uninstall/reinstall the Session Host component; ensure the base RDS role is clean.
Finally, check whether TLS enforcement is blocking the listener. If the update changed the minimum TLS version, and your certificate or configuration does not meet the requirement, the listener will silently fail. You can test by setting SecurityLayer to 0 (RDP Security) in the registry key above, restarting the service, and seeing if the listener binds. If it does, the issue is with TLS/certificate negotiation.
In short, the failure is not that Terminal Services won’t start, but that the RDP listener cannot bind to 3389. The most likely causes are registry corruption in RDP-Tcp, certificate binding issues, or TLS policy changes introduced by KB5073457. Reconfirm the registry values, check the event logs, and test with SecurityLayer=0 to isolate whether it is a certificate/TLS problem.
I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!
Domic Vo.
