marrowyung
 asked on

Windows 11 makes remote desktop connection not work anymore.

Hi,

Once I upgraded my Windows 10 PC to Windows 11, it seems the only thing that doesn't work now is remote desktop connection, and it said it is because the certification is not working!

My other PC, STILL with Windows 10, can connect to the SAME remote PC!

So it MUST be Windows 11's problem! I tried to recreate the remote desktop connection and it is still the same!

Any way to solve it? All the latest Windows 11 patches are installed!

And how can I roll back to Windows 10 if there is no solution for it?


Last Comment
arnold

8/22/2022 - Mon
arnold

Seems they implemented stricter security to deny access when the cert is invalid for whatever reason.
One option is to renew the self-signed RDS certificate on the server.

The other is to check what options RDP has.

You could look at what they discuss in the windows 7 option.

Do you have NLA required?

https://social.technet.microsoft.com/Forums/en-US/fc4692a5-47cd-41ef-a388-b41026a300ed/remote-desktop-gateway-server8217s-certificate-has-expired-or-has-been-revoked-windows-7-issue

Save a rdp connection and see what settings you can adjust.
Possibly make the check less strict.
ASKER CERTIFIED SOLUTION
Qlemo

marrowyung

ASKER
arnold ,

tks.

https://social.technet.microsoft.com/Forums/en-US/fc4692a5-47cd-41ef-a388-b41026a300ed/remote-desktop-gateway-server8217s-certificate-has-expired-or-has-been-revoked-windows-7-issue

it works for Windows 7

One option is to renew the self-signed RDS certificate on the server.

how to do it ?

Qlemo 

that one is the final option to do when no choice.
arnold

You can see if the option helps in win 11

https://social.technet.microsoft.com/wiki/contents/articles/36151.renew-the-rdp-self-signed-certificate.aspx

Do you have internal Certificate Authority?

There are guides on creating an RDS template and then having it signed by a CA.

IMHO, there has to be an option in RDP on win11 to tell it to ignore certificate issuer, expiration issues.

Try mstsc /?
See what options it has.
marrowyung

ASKER
Do you have internal Certificate Authority?

yes

there has to be an option in RDP on win11 to tell it to ignore certificate issuer, expiration issues

Not sure! Never tried that before!

arnold

Does your CA issue Remote Desktop certificates?

https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/remote-desktop-server-certificates-renewed

While it references an old CA... The point is CA templates: make sure you have a Remote Desktop certificate template enabled for issuance.
Then test ......

Once confirmed, use autoenrollment to have the RDS get a CA-issued cert and see if that helps.
marrowyung

ASKER
Does your CA issue Remote Desktop certificates?
yes!
The point is CA templates make sure you have a Remote Desktop certificate template enabled for issuance.

Yeah, without a cert I can't connect.

So how can the server side regenerate the certification?
arnold

Is the certificate seen as expired or has it been revoked? One option is to get in and renew the certificate just to be sure.

You would use your Gateway remote desktop services to connect to the collection and go from there.
marrowyung

ASKER
is the certificate seen as expired or has it been revoked,

I am sure it is not, as on my OTHER Windows 10 PC remote is OK; it is not working just AFTER the upgrade.

marrowyung

ASKER
I am sure of many things, commonly windows 10 generates a warning that the certificate issuer is not trusted, or the certificate expired.
Is this what you get when connecting remotely from windows 10 RDP?
The certificate can easily be checked,

No, AFTER upgrading to Windows 11. It seems Windows 11 has a lot of minor bugs!

Are you connecting using the hostname, full myserver.myaddomain.com or are you using myserver, or IP_address_of_myserver in windows 11?
The certificate RDP generates is commonly in a name, not sure whether you have it defined using Subject Alternate Name to include all other variations.

I just use the SAME RDP connection AFTER the upgrade! It is not working anymore!
I rolled back to Windows 10 and it works back ON!

Certificate is valid (not expired) nor was the certificate revoked.

The team here said getting a new cert needs money!

marrowyung

ASKER
I rolled back to Windows 10 and it works back ON .

arnold

I thought you said you have an internal CA that can issue certs for the RDP.
Or see if they can use letsencrypt.org
marrowyung

ASKER
Or see if they can use letsencrypt.org

oh.. that one is free?
marrowyung

ASKER
hi,

so I should be able to connect again after 90 days ?

arnold

The point is that you will need a process that will handle the auto-renewal and update of the cert.
letsencrypt.org includes implementations that deal with getting a certificate and then updating the certificate while the service that relies on it continues to function without admin intervention.

The items include how to update the certificate and then IIS server, most commonly to reflect the new certificate to be used for incoming connection.

The handler for the RDS service to reflect the newly renewed cert as the one to be used for the incoming connection is another matter that has to be worked out, possibly using a PowerShell script dealing with importing the new certificate for which the private key already exists and then switching the RDS/Gateway to use the new cert .....

Using a windows CA with autoenrollment that is a yearly thing and that it can auto-renew .....

you have to test and work this thing out.

I still think there has to be an option on the mstsc in windows 11 that deals with whether the certificate enforcement is strict or whether it can be relaxed.
It makes little sense that the strict enforcement of certs/connection to RDP cannot be overridden given internal administrator type RDP setups use self-signed certs that expire after a year and few if any renew them...
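
The server-side check and certificate switch discussed in this thread, as an added example that is not part of the original posts: it reports what the RDP listener currently presents (names, expiry, issuer, signature algorithm) and, optionally, binds a replacement certificate. It assumes a standalone RDP host whose listener is named RDP-Tcp (an RD Gateway is configured separately), and $NewThumbprint is a placeholder for a certificate already imported into LocalMachine\My.

```powershell
# Added example. Run elevated on the RDP host. Leave $NewThumbprint empty to inspect only.
param([string]$NewThumbprint = '')   # placeholder: thumbprint of a cert in LocalMachine\My

$serverAuth = '1.3.6.1.5.5.7.3.1'          # Server Authentication EKU
$rdpAuth    = '1.3.6.1.4.1.311.54.1.2'     # Remote Desktop Authentication EKU

function Get-CertReport($Cert) {
    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        DnsNames   = ($Cert.DnsNameList.Unicode -join ', ')   # names the client can match
        SelfSigned = ($Cert.Subject -eq $Cert.Issuer)
        SigAlg     = $Cert.SignatureAlgorithm.FriendlyName
        NotAfter   = $Cert.NotAfter
        Expired    = ($Cert.NotAfter -lt (Get-Date))
        HasKey     = $Cert.HasPrivateKey
        EkuOk      = [bool]($Cert.EnhancedKeyUsageList.ObjectId |
                        Where-Object { $_ -in $serverAuth, $rdpAuth })
    }
}

# The RDP-Tcp listener reports the thumbprint of the certificate it presents.
$listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

$stores  = 'Cert:\LocalMachine\Remote Desktop', 'Cert:\LocalMachine\My'
$current = Get-ChildItem $stores -ErrorAction SilentlyContinue |
    Where-Object Thumbprint -eq $listener.SSLCertificateSHA1Hash |
    Select-Object -First 1

if ($current) { Get-CertReport $current | Format-List }
else { Write-Warning "Listener thumbprint $($listener.SSLCertificateSHA1Hash) not found in $stores" }

if ($NewThumbprint) {
    $new = Get-Item "Cert:\LocalMachine\My\$NewThumbprint" -ErrorAction Stop
    $r   = Get-CertReport $new
    # Strict on purpose: refuse a replacement the client would reject anyway.
    if ($r.Expired -or -not $r.HasKey -or -not $r.EkuOk) {
        $r | Format-List
        throw 'Replacement certificate is expired, lacks a private key, or lacks a usable EKU.'
    }
    Set-CimInstance -InputObject $listener -Property @{ SSLCertificateSHA1Hash = $new.Thumbprint }
    Write-Output "RDP-Tcp listener now bound to $($new.Thumbprint)"
}
```

Compare DnsNames with the exact name typed into the RDP client, since a short name or IP address will not match a certificate issued for the FQDN. Remote Desktop Services runs as NETWORK SERVICE, which needs read access to the replacement certificate's private key.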