fDenyTSConnections accidentally disable

Muhammad Zeeshan 241 Reputation points
2022-04-13T19:47:50.573+00:00

Hi ,

I was trying to provide multi user login to my VM in azure by accessing registry and changing fsession from 1 to 0. I accidentally changed the setting of fDesnyTSConnections.

Azure locked me out from the VM and now when i put the bastion credentials i get machine not available or credential not correct error.

How can I regain access to VM ?

Also note that my machine is behind a firewall with no public ip. I use bastion to connect to my VM.

Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,526 questions
Remote Desktop
Remote Desktop
A Microsoft app that connects remotely to computers and to virtual apps and desktops.
4,386 questions
0 comments No comments
{count} votes

Accepted answer
  1. Luis Rodriguez 6,201 Reputation points Microsoft Employee
    2022-04-16T20:09:15.533+00:00

    Hi Muhhamad,

    Have you tried already to reset RDS services in the VM?.
    For reference: https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/reset-rdp

    If the method above does not work you should be able to check and change the value of fDenyTSConnections key manually, via serial console:
    Check the current remote connection configuration:

    REM Get the local remote connection setting  
     reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections  
    

    If the command returns 0x1, the VM is not allowing remote connection. Then, allow remote connection using the following command:

    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f  
    

    Check if the RDP is disabled by group polices (Local or Domain policies):

    REM Get the group policy :  
    

    reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fDenyTSConnections
    If the group policy states that RDP is disabled (fDenyTSConnections value is 0x1), run the following command to enable the TermService service.

    REM update the fDenyTSConnections value to enable TermService service:  
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fDenyTSConnections /t REG_DWORD /d 0 /f  
    

    For reference:
    https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/troubleshoot-rdp-general-error#solution
    https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-windows#use-serial-console

    If you don't have access at all to the VM you could use another Azure VM as jumpbox:
    https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/data-management/architectures/connect-to-environments-privately#about-azure-bastion-host-and-jumpboxes

    I hope this helps!

    ----------

    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    2 people found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful