Fixing Windows 11 Remote Assistance and Remote Control Configuration and Security Hardening

Understanding Remote Desktop Challenges in a Mixed Windows Environment

As IT professionals, we often face the challenge of managing a diverse fleet of devices running different versions of Windows. This can become particularly tricky when it comes to enabling secure remote access and support for users across your organization.

In a mixed environment of Windows 11 and Windows 10 machines, you may encounter issues with Remote Desktop connectivity, especially after upgrading to the latest versions of the operating systems. One such problem was recently highlighted in the Windows 11 community, where users reported an “Internal error occurred” when trying to connect from a Windows 11 22H2 or 23H2 device to a Windows 10 remote desktop.

The root cause of this issue lies in the changes made to the Remote Desktop client (mstsc.exe) in the newer versions of Windows 11. Let’s dive deeper into the problem and explore how you can configure and harden the remote access security settings to ensure a seamless remote support experience for your users.

Identifying the Remote Desktop Connection Issue

The issue arises due to the way the Remote Desktop client (mstsc.exe) in Windows 11 22H2 and 23H2 negotiates the connection to a Windows 10 host machine.

When a Windows 11 21H2 device connects to a Windows 10 remote desktop, the connection is successfully established using TLS 1.2 and a compatible cipher suite (0xC030 – TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384).

However, when a Windows 11 22H2 or 23H2 device attempts to connect to the same Windows 10 remote desktop, the connection fails with an “Internal error occurred” error. Upon further investigation, we can see that the newer versions of the Remote Desktop client are trying to negotiate the connection using TLS 1.3 and a TLS 1.3-only compatible cipher suite (0x1302 – TLS_AES_256_GCM_SHA384).

The issue stems from the fact that the Windows 10 host machine, despite having TLS 1.3 enabled, does not support the specific TLS 1.3 cipher suite being used by the Windows 11 22H2/23H2 Remote Desktop client. As a result, the connection fails, and the user is presented with the “Internal error occurred” message.

Resolving the Remote Desktop Connection Issue

To overcome this problem and enable seamless Remote Desktop connectivity between your Windows 11 and Windows 10 machines, you can try the following steps:

1. Disable TLS 1.3 on the Windows 10 Host Machine

Since the Windows 11 22H2/23H2 Remote Desktop client is unable to negotiate a compatible TLS 1.2 connection with the Windows 10 host, the most practical workaround is to disable TLS 1.3 on the Windows 10 machine. With TLS 1.3 unavailable on the host, the negotiation falls back to TLS 1.2, which both operating systems support.

To disable TLS 1.3 on the Windows 10 host:

  1. Open the Local Security Policy editor by running secpol.msc in the Run dialog.
  2. Navigate to Security Settings > Local Policies > Security Options.
  3. Locate the policy “System cryptography: Use FIPS 140 compliant cryptographic algorithms, including stronger crypto for TLS” and set it to “Disabled”.
  4. Restart the Remote Desktop Services service on the Windows 10 host for the changes to take effect.

After making this change, the Windows 11 22H2/23H2 Remote Desktop client should be able to establish a successful connection to the Windows 10 host using TLS 1.2.
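The following is an added example, not code from the original article: an elevated PowerShell script for the Windows 10 host that reports the registry value behind the secpol.msc policy in step 3 and, with the -Apply switch (a name chosen for this script), performs steps 3 and 4. It also reads the Schannel TLS 1.3 server key purely to confirm the protocol state before and after; that key is an addition for verification and is not part of the article's procedure.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on the Windows 10 RDP host. -Apply is a switch name chosen for this script.
[CmdletBinding()]
param([switch]$Apply)

# Registry value behind the secpol.msc policy "System cryptography: Use FIPS 140
# compliant cryptographic algorithms ..." (1 = Enabled, 0 = Disabled).
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
# Schannel server-side TLS 1.3 key. Assumption: read here only to confirm the
# protocol state; the article's procedure does not touch it.
$tls13Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { '(not set, OS default applies)' }
}

function Show-State {
    [pscustomobject]@{
        FipsPolicyEnabled            = Get-RegValue $fipsKey  'Enabled'
        Tls13ServerEnabled           = Get-RegValue $tls13Key 'Enabled'
        Tls13ServerDisabledByDefault = Get-RegValue $tls13Key 'DisabledByDefault'
        TermService                  = (Get-Service -Name TermService).Status
    }
}

Write-Host 'Before:'; Show-State | Format-List

if ($Apply) {
    # Step 3: set the FIPS policy to Disabled.
    if (-not (Test-Path $fipsKey)) { New-Item -Path $fipsKey -Force | Out-Null }
    Set-ItemProperty -Path $fipsKey -Name 'Enabled' -Value 0 -Type DWord

    # Step 4: restart Remote Desktop Services so the change takes effect.
    # This disconnects any active RDP sessions on the host.
    Restart-Service -Name TermService -Force

    Write-Host 'After:'; Show-State | Format-List
}
```

Run it once without -Apply to record the starting state, then with -Apply during a maintenance window, since the service restart drops active sessions.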

2. Ensure Proper Remote Desktop User Configuration

In addition to the TLS configuration, you should also verify that the user accounts have the necessary permissions to access the Remote Desktop services on the Windows 10 host machine.

  1. In the Local Security Policy editor, navigate to Security Settings > Local Policies > User Rights Assignment.
  2. Ensure that the “Allow log on through Remote Desktop Services” policy includes the appropriate user groups or individual user accounts that need remote access.
  3. If necessary, add the required user accounts or groups to this policy.

3. Harden Remote Desktop Security Settings

While resolving the immediate connectivity issue, it’s also a good opportunity to review and harden the overall Remote Desktop security configuration on your Windows 10 and Windows 11 machines. Here are some recommended security best practices:

a. Enforce Strong Encryption for Remote Desktop Connections
– Set the “Remote desktop services client connection encryption level” policy to “High” or “FIPS-compliant”.
– Ensure that the “Require secure RPC communication” policy is enabled.
– Disable the “Allow Basic authentication” and “Allow unencrypted traffic” policies.
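As an added example (not from the original article), the read-only PowerShell audit below reads the policy registry values behind the settings in this list and flags any that are missing or weaker than the stated target. Note that "Allow Basic authentication" and "Allow unencrypted traffic" are WinRM service policies, so the script reads the WinRM policy key for those; the NLA and security-layer rows are additions that belong with the same hardening baseline.

```powershell
# Added example (not from the original article): read-only audit of the policy
# values behind the settings listed above. Run in an elevated session.
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$winrmSvc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'

# Baseline to compare against. 'ge' = current must be at least Want; 'eq' = exact.
$baseline = @(
    @{ Setting = 'Client connection encryption level (3 = High, 4 = FIPS)';
       Path = $tsPolicy; Name = 'MinEncryptionLevel'; Want = 3; Op = 'ge' }
    @{ Setting = 'Require secure RPC communication';
       Path = $tsPolicy; Name = 'fEncryptRPCTraffic'; Want = 1; Op = 'eq' }
    @{ Setting = 'Security layer for RDP connections (2 = TLS)';
       Path = $tsPolicy; Name = 'SecurityLayer'; Want = 2; Op = 'eq' }
    @{ Setting = 'Require Network Level Authentication';
       Path = $tsPolicy; Name = 'UserAuthentication'; Want = 1; Op = 'eq' }
    @{ Setting = 'WinRM service: Allow Basic authentication (0 = disabled)';
       Path = $winrmSvc; Name = 'AllowBasic'; Want = 0; Op = 'eq' }
    @{ Setting = 'WinRM service: Allow unencrypted traffic (0 = disabled)';
       Path = $winrmSvc; Name = 'AllowUnencryptedTraffic'; Want = 0; Op = 'eq' }
)

function Test-PolicyValue {
    param([hashtable]$Check)
    $current = $null
    try { $current = (Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction Stop).($Check.Name) }
    catch { }   # key or value absent: policy not configured, the built-in default applies
    if ($null -eq $current) { $status = 'NOT CONFIGURED' }
    elseif (($Check.Op -eq 'ge' -and $current -ge $Check.Want) -or
            ($Check.Op -eq 'eq' -and $current -eq $Check.Want)) { $status = 'OK' }
    else { $status = 'WEAK' }
    [pscustomobject]@{
        Setting  = $Check.Setting
        Value    = $Check.Name
        Current  = $(if ($null -eq $current) { '-' } else { $current })
        Expected = $Check.Want
        Status   = $status
    }
}

$report = foreach ($c in $baseline) { Test-PolicyValue -Check $c }
$report | Format-Table -AutoSize

# Non-zero exit code when anything is weak, so a scheduled check can alert on it.
if ($report.Status -contains 'WEAK') { exit 1 }
```

A "NOT CONFIGURED" row means the policy is not set by Group Policy or local policy and the operating system default is in force; treat those rows as items to set explicitly rather than as passes.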

b. Restrict Remote Desktop Access
– Limit the user accounts or groups that have the “Allow log on through Remote Desktop Services” permission.
– Consider using Conditional Access or other Identity and Access Management (IAM) controls to further restrict remote access based on user, device, or network location.

c. Enable Multi-Factor Authentication (MFA) for Remote Access
– Integrate your Remote Desktop infrastructure with a secure MFA solution, such as Azure AD or a third-party identity provider, to add an extra layer of security for remote access.

d. Monitor and Audit Remote Desktop Activities
– Review and configure the appropriate security event audit policies to track successful and failed remote access attempts.
– Regularly review the security event logs to identify any suspicious activity or potential security breaches.
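As an added example of the log review described above (not code from the original article), this PowerShell script pulls successful (4624) and failed (4625) logon events from the Security log, keeps only logon type 10 (RemoteInteractive, i.e. Remote Desktop), and lists source addresses with repeated failures before printing the full timeline. It assumes the "Audit Logon" subcategory is enabled and runs in an elevated session; the parameter names are chosen for this script.

```powershell
# Added example (not from the original article): summarise recent Remote Desktop
# logon activity from the Security log. Events 4624 (success) and 4625 (failure)
# with logon type 10 (RemoteInteractive) are RDP logons. Needs the "Audit Logon"
# subcategory enabled and an elevated session. Parameter names are chosen here.
param([int]$Hours = 24, [int]$FailureThreshold = 5)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rdpLogons = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['LogonType'] -ne '10') { continue }   # keep RemoteInteractive only
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Result = $(if ($e.Id -eq 4624) { 'Success' } else { 'Failure' })
        User   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Source = $d['IpAddress']
        Status = $d['Status']   # NTSTATUS code, populated on 4625 only
    }
}

# Sources with repeated failures inside the window are the first thing to review.
Write-Host "Sources with $FailureThreshold or more failed RDP logons in the last $Hours h:"
$rdpLogons | Where-Object Result -eq 'Failure' |
    Group-Object Source | Where-Object Count -ge $FailureThreshold |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Full RDP logon timeline for the period.
$rdpLogons | Sort-Object Time | Format-Table Time, Result, User, Source, Status -AutoSize
```

If the Security log shows no 4624/4625 events at all, check the audit policy with auditpol before assuming there has been no remote activity.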

By following these steps, you can not only resolve the immediate Remote Desktop connectivity issue but also enhance the overall security and control of your remote access infrastructure, ensuring a secure and reliable remote support experience for your users.

Conclusion

Dealing with remote access challenges in a mixed Windows environment requires a comprehensive understanding of the underlying technology and a proactive approach to security configuration.

In the case of the Windows 11 22H2/23H2 Remote Desktop connectivity issue, the root cause lies in the changes made to the Remote Desktop client, which now prioritizes TLS 1.3 negotiation over TLS 1.2. By disabling TLS 1.3 on the Windows 10 host and ensuring proper user permissions, you can restore the Remote Desktop functionality between your Windows 11 and Windows 10 machines.

Furthermore, taking the time to review and harden the Remote Desktop security settings can help you future-proof your remote access infrastructure, protecting your organization from potential security risks and ensuring a seamless and secure remote support experience for your users.

As an experienced IT professional, it’s crucial to stay updated on the latest technology trends and security best practices to provide practical and effective solutions for your organization. By leveraging the insights and recommendations provided in this article, you can empower your team to tackle remote access challenges with confidence and maintain a secure and resilient IT environment.
