Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article helps troubleshoot errors when you connect to a remote machine.
When you use a direct Remote Desktop Protocol (RDP) connection to connect to a Windows machine, the connection fails with one of the following errors. The error occurs before or after entering credentials on the Remote Desktop connection application.
-
Remote Desktop can't connect to the remote computer for one of these reasons:
1) Remote access to the server is not enabled
2) The remote computer is turned off
3) The remote computer is not available on the networkMake sure the remote computer is turned on and connected to the network, and that remote access is enabled.
-
This computer can't connect to the remote computer.
Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator.
There are several possible root causes, but the main ones are the RDP-TCP listener not working and incorrect network configurations.
Verify if the error is related to the machine's state or performance
First, check if the machine is running. If it's running and has console access (for example, Integrated Lights Out (iLO) for physical machines, or Hyper-V console for virtual machines), test connecting to the machine through it. If successful, proceed to verify if the error is related to the RDP-TCP listener.
Contact Microsoft Support for further assistance in the following scenarios:
- You can't put the machine in a running state.
- The machine is in a running state, but the console access to the machine fails.
Verify if the error is related to the RDP-TCP listener
Run the qwinsta
command to verify if the RDP-TCP listener is working for RDP connections to function.
C:\Windows\System32>qwinsta
SESSIONNAME USERNAME ID STATE TYPE DEVICE
services 0 Disc
>console 1 Active
rdp-tcp 65536 Listen
If the output list includes the rdp-tcp
line in the Listen
state, the RDP-TCP listener is running. Proceed to verify if the error is related to the network.
Otherwise, use the following methods to troubleshoot the issue.
Check registry configurations
Important
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For protection, back up the registry before you modify it so that you can restore it if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows.
Open Registry Editor and make sure these keys are set as follows:
The DWORD value fEnableWinStation has the value data of 1.
Default path:
Computer\HKEY\_LOCAL\_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp
The DWORD value fDenyTSConnections has the value data of 0.
- Default path:
Computer\HKEY\_LOCAL\_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
- Policy path (if the policy is configured):
Computer\HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
- Default path:
Note
Policies override default configurations and should be configured with gpedit.msc (locally) or gpmc.msc (domain level).
If both policy and default value are configured, make sure both fDenyTSConnections values are set to 0, to avoid possible listener issues.
Check services
Make sure the following services are running:
- Remote Desktop Services (TermService).
- Remote Desktop Services UserMode Port Redirector (UmRdpService).
Contact Microsoft Support for further assistance if any of the services fails to start.
Check permissions
Add the Network service to the local administrator group on the affected machine, and run the following PowerShell cmdlet on an elevated session:
Add-LocalGroupMember -Group Administrators -Member "Network Service"
After that, restart the Remote Desktop Services service (TermService).
Check sysprep state
Make sure the machine isn't in Sysprep state by opening Registry Editor and checking the following keys:
Computer\HKEY\_LOCAL\_MACHINE\SYSTEM\Setup
Both the DWORD values SystemSetupInProgress and OOBEInProgress are set to 0.
Replace the RDP-TCP subkey
Export the following subkey on a functioning machine with the same Windows version:
Computer\HKEY\_LOCAL\_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Back up the existing key on the affected machine. Then, delete it and replace it with the subkey exported from the functioning machine.
Note
You can't access the machine via RDP with the RDP-Tcp
subkey deleted.
Contact Microsoft Support
If the preceding steps can't resolve the issue of RDP-TCP listener not working, contact Microsoft Support for further assistance.
Verify if the error is related to network
If the RDP-TCP listener is working, use the following steps to check if you can connect to the server through a console session (for example, iLO for physical machines, or Hyper-V console for virtual machines):
- Type mstsc in the Run box to open the Remote Desktop Connection application.
- In the Remote Desktop Connection application, type localhost in the Computer box and select Connect.
If the error persists, the problem is with the server. Go to verify machine's configurations and roles.
If the error no longer occurs, it's probably related to the network and might be troubleshot further with the following steps.
Note
The preceding test is only possible on Windows Server machines and might not be available on all occasions (for example, Azure virtual machines).
If it isn't available or possible, test connectivity with the Test-NetConnection cmdlet from a machine in the same network.
To confirm connectivity issues, run the following steps from a machine in the same network:
Open an elevated PowerShell window, and run the following cmdlet:
Test-NetConnection -ComputerName <www.contoso.com> -port 3389 -InformationLevel Detailed
In the output list, if
TcpTestSucceeded
isTrue
, it indicates no connectivity issues. Go to verify machine's configurations and roles.If
TcpTestSucceeded
isFalse
, it indicates connectivity issues. Go to the next step.
Check the default RDP port
Open Registry Editor and make sure the following key is set as follows:
Computer\HKEY\_LOCAL\_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp
The DWORD value PortNumber has the value 0x00000d3d (3389).
If the value is different, Remote Desktop Connection connections should use hostname:port or IPaddress:port as the computer name.
Check Domain Name System (DNS) resolution
If the connection fails when using the machine's hostname, try connecting using its IP address.
- If the connection works with the IP address, the issue is likely related to name resolution.
- If the connection also fails with the IP address, proceed to the next troubleshooting step.
Check Firewall or Network Security Group configuration
Check if firewall rules allow RDP to the machine, or if the firewall is disabled.
Open wf.msc, select Inbound Rules and look for Remote Desktop - User Mode (TCP-In) and Remote Desktop - User Mode (UDP-In). Make sure that they're enabled to all profiles.
You can get the same result with the following PowerShell cmdlet on an elevated session:
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Set-NetFirewallRule -Enabled True
To rule out the firewall, it can be disabled with the PowerShell cmdlet:
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
If other network elements are restricting traffic, they should be checked.
When using Azure Cloud, check if the Network Security Group (NSG) is configured to allow RDP to a subnet or network interface card (NIC). NSG is mandatory if you use standard SKU for public IP addresses.
Check Anti-Virus (AV)
Anti-virus can negatively affect RDP connections to machines. If possible, disable the AV service and test the connections.
To completely rule out the AV as the root cause, uninstall it and restart the machine.
Contact Microsoft Support
If the preceding steps can't resolve the issue, the RDP-TCP listener is working and the connectivity test result is False
, contact Microsoft Support for further assistance.
Verify machine's configurations and roles
If the RDP-TCP listener is working, and the connectivity test result to the machine is True
, other scenarios related to machine's processes, roles or configurations should be checked.
Check the concurrent process using the default RDP port
Run the following commands in an elevated command prompt or PowerShell window, and make sure the Process ID (PID) of TermService
matches the one listening on port 3389:
-
tasklist /svc | findstr TermService
-
netstat -anob | findstr 3389
For example, TermService
with PID 820 is listening on port 3389.
C:\Windows\System32>tasklist /svc | findstr TermService
svchost.exe 820 TermService
C:\Windows\System32>netstat -anob | findstr 3389
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 820
TCP [::]:3389 [::]:0 LISTENING 820
UDP 0.0.0.0:3389 *:* 820
UDP [::]:3389 *:* 820
If the PID doesn't match, find what process is listening on port 3389 and stop it. Then, restart the Remote Desktop Services service (TermService).
Check Remote Desktop self-signed certificate
Check if you can re-create the Remote Desktop self-signed certificate by following these steps:
- Open the Certificates Microsoft Management Console (MMC) snap-in. When you're prompted to select the certificate store to manage, select Computer account, and then select the affected computer.
- In the Certificates folder under Remote Desktop, delete the RDP self-signed certificate.
- Restart the Remote Desktop Services service on the affected computer.
- Refresh the Certificates snap-in.
- If the RDP self-signed certificate isn't re-created, go to Remote Desktop self-signed certificate.
- If the RDP self-signed certificate is re-created, go to the next step.
Check Remote Desktop Services (RDS) roles
Check if unnecessary RDS roles are installed, on Server Manager > Manage > Remove Roles and Features > Server Roles - Remote Desktop Services.
If unnecessary roles are installed, uncheck the corresponding box and proceed to remove them (for example, Remote Desktop Connection Broker role). Restart the machine in the end.
Machines with the Remote Desktop Connection Broker role in RDS deployments might still encounter the issue if the following conditions aren't met:
- Check if the Remote Desktop Connection Broker service (TSSDis) is running.
- In the Computer Management (compmgmt.msc) snap-in, System Tools > Local Users and Groups > Groups > RDS Endpoint Servers group must contain the NT AUTHORITY\NETWORK SERVICE account.
Contact Microsoft Support
If the preceding steps can't resolve the issue, the RDP-TCP listener is working and the connectivity test result is True
, contact Microsoft Support for further assistance.