Windows 10 Update from 1809 to 1903 Remote Desktop Fails

Joe Spradlin
I have manually updated a few Dell OptiPlex workstations using the Microsoft update tool to upgrade from 1809 to 1903. Everything was working fine prior and everything except Remote Desktop Connection is still working fine. The boxes that I upgraded I can access via SCCM remote services, but I can't remote desktop from my box to one that I performed the update to. I haven't changed the group policy or anything like that and have checked all the "basic" requirements for remote desktop. Any ideas on what my issue could be?
Jason JohanknechtIT Manager

Commented:
Make sure the network is still PRIVATE (Not Public).
Distinguished Expert 2018

Commented:
Verify whether they listen on port 3388 using this command at the machine that you are trying to reach on an elevated command prompt:
netstat -an | findstr 3389

Then if that command shows 3389 as listening, verify from remote if that port can be reached using:
Telnet targetname 3389

(Command shell would go black if the port is reachable). Telnet might need to be installed, first. Add windows feature -> telnet client
Joe SpradlinDirector of IT

Author

Commented:
I am not quite sure what you mean. All the boxes are on an active directory domain and we didn't change the group policy or network connections. It still has full access to what it should on the domain and everything is working as normal except that I can't remote desktop to it from my other workstations. I can remote desktop to the ones I haven't updated yet fine.
Jason JohanknechtIT Manager

Commented:
If it is joined to the domain, then it should show DOMAIN (Not private or Public) in the network profile.  

In the Registry you can verify:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\

Open the network profile that you have to verify, and look at the "Category" value:

0 = public

1 = private

2 = domain
Joe SpradlinDirector of IT

Author

Commented:
When I run the command it doesn't return anything.  If I try to telnet using those ports it says connection refused.
Joe SpradlinDirector of IT

Author

Commented:
Jason Johanknecht, It shows Domain as the default profile.
Distinguished Expert 2018

Commented:
So you found out that the problem is at the target already.

See if the service "remote desktop services" is running.
Jason JohanknechtIT Manager

Commented:
What AV solution are you running on workstations?  Any problems showing with a local firewall?
Are you connecting RDP via IP address or name?
Distinguished Expert 2018

Commented:
If the port is not listening, the firewall is not the reason, but the service.
Joe SpradlinDirector of IT

Author

Commented:
Yes, the Remote Desktop Service is running...that's the first stuff I checked.  :)
I can ping the box, but when I try and remote desktop in it just goes from Initializing to the standard blurb if it doesn't connect.
I have no issues when using SCCM Remote Control.  But it should still work either way.
Distinguished Expert 2018

Commented:
Check the registry settings for remote desktop to allow connections. Sorry, no hint as I am on the road.
Jason JohanknechtIT Manager

Commented:
Have you installed all updates for v1903 and rebooted?
Jason JohanknechtIT Manager

Commented:
Try disabling the local firewall on the host PC.  Retest.
Joe SpradlinDirector of IT

Author

Commented:
Jason,
Yes, installed all updates and rebooted many times.  Firewall is disabled.
Distinguished Expert 2018

Commented:
The internal firewall is Disabled? So is it off or is the service disabled? Never disable the service. Please turn it on, for a test.
Jason JohanknechtIT Manager

Commented:
Good point McKnife, by disabled... I mean turn off temporarily for 10-15 minutes.
Distinguished Expert 2018

Commented:
The registry key I was talking about is HKEY_LOCAL_MACHINE > System > CurrentControlSet > Control > Terminal Server. Change the value of “fDenyTSConnections” to “0” and restart the remote desktop service.
Examine again if the netstat command shows 3389 to be open, then, using this command:
netstat -ano | findstr 3389

If not, make sure that you didn't configure a custom port for RDP.
Under remote properties on the remote system,

Is "Allow connections only from computers running Remote Desktop with Network Level Authentication" checked?

If so, try unchecking it
Joe SpradlinDirector of IT

Author

Commented:
McKnife, I will check that out.  kenfcamp, it is unchecked.
Can you try adding port 3389 (assuming) to the allowed list on the firewall?
Jason JohanknechtIT Manager

Commented:
Try Network Reset (& Reboot on host PC) and then reconfigure the static IP.
Director of IT
Commented:
Ok, so after some trial and error, this is what we discovered.
When we had a "fresh" build @ 1903 instead of an in-place upgrade from 1809 to 1903 everything worked fine.  However, when we in-place upgraded from 1809 to 1903 using the Microsoft tool, it occasionally corrupts something that is necessary to these functions.  We went through all we could try to see what isn't set right and why it was rejecting the connections.  In the end, this is what we did to resolve it:

Modified Group Policy: (should have had this stuff set anyway, best practices ya know)
1. NLA is now required
2. Secure connection required
3. SSL encryption enforced

Thanks for the suggestions guys.  Much appreciated!
Joe Spradlin
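
The checks suggested in this thread, plus the three settings changed in the fix, can be read in one pass on the target machine. This is an added example, not code from any poster in the thread; the WinStations\RDP-Tcp and Policies registry paths are the standard Windows locations for these settings and are not quoted from the thread, and the helper function names are illustrative.

```powershell
# Added example: run in an elevated PowerShell session on the RDP target.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (e.g. policy not configured).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-Effective([string]$Name) {
    # A Group Policy value, when present, overrides the local listener setting.
    $p = Get-RegValue $pol $Name
    if ($null -ne $p) { "$p (policy)" } else { "$(Get-RegValue $tcp $Name) (local)" }
}

# The listener port is 3389 unless a custom port was configured.
$port = Get-RegValue $tcp 'PortNumber'
if (-not $port) { $port = 3389 }

# Same question as "netstat -ano | findstr 3389": is anything listening?
$listen = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue

[pscustomobject]@{
    fDenyTSConnections = Get-RegValue $ts  'fDenyTSConnections'   # 0 = connections allowed
    PolicyDenyTS       = Get-RegValue $pol 'fDenyTSConnections'   # empty = not set by GPO
    TermService        = (Get-Service -Name TermService).Status
    RdpPort            = $port
    Listening          = [bool]$listen
    ListenerPid        = ($listen | Select-Object -First 1).OwningProcess
    NetworkCategory    = (Get-NetConnectionProfile).NetworkCategory -join ','
    FirewallService    = (Get-Service -Name mpssvc).Status        # should be Running
    NLA                = Get-Effective 'UserAuthentication'       # 1 = NLA required
    SecurityLayer      = Get-Effective 'SecurityLayer'            # 2 = SSL (TLS)
    MinEncryptionLevel = Get-Effective 'MinEncryptionLevel'       # 3 = High
} | Format-List
```

A result of `Listening : False` with `TermService : Running` matches the symptom described in the thread (service up, nothing bound to the port), and the last three rows show whether the NLA, security layer and encryption settings come from Group Policy or from the local listener configuration.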
Joe SpradlinDirector of IT

Author

Commented:
Thanks for the suggestions guys.
