Fixing Windows 11 Remote Access and Remote Control Configuration and Security Hardening

Understanding the Windows 11 Remote Desktop Challenge

As organizations adopt the newest Windows operating system, Windows 11, they often face unique challenges when it comes to remote access and remote control functionality. The transition from Windows 10 to Windows 11 has introduced some compatibility issues, particularly when it comes to remote desktop connections between Windows 11 and older Windows 10 systems.

One of the primary issues that IT professionals have encountered is the inability of Windows 11 users to remotely access their Windows 10 counterparts. This problem often manifests when users with Windows 11 version 22H2 or 23H2 try to connect to Windows 10 systems, receiving an “Internal error occurred” message during the connection attempt.

Upon further investigation, the root cause of this problem appears to be related to the negotiation of the Transport Layer Security (TLS) protocol and cipher suites between the two systems. Windows 11 22H2 and 23H2 versions of the Remote Desktop client (mstsc.exe and mstscax.dll) seem to be unable to properly negotiate a TLS 1.2 connection with Windows 10 hosts that have TLS 1.3 enabled.

This issue can be particularly problematic for organizations that have implemented strict security hardening measures, such as disabling older TLS versions (1.0 and 1.1) and enforcing the use of TLS 1.2 and TLS 1.3. While these security measures are generally recommended, they can inadvertently cause compatibility issues with the Remote Desktop functionality between Windows 11 and Windows 10 systems.

Troubleshooting and Resolving the Remote Desktop Connection Issue

To address the Remote Desktop connection problems between Windows 11 and Windows 10 systems, IT professionals can follow these steps:

1. Identify the Underlying Cause

The first step is to understand the specific cause of the Remote Desktop connection failure. This can be done by enabling verbose SCHANNEL logging on the affected systems and examining the event logs.

Look for SCHANNEL event ID 36880 in the System event log, which provides details about the TLS negotiation process. Analyze the information in this event to determine the TLS version and cipher suite being used during the failed connection attempt.

If the event log shows that the Windows 11 22H2 or 23H2 client is attempting to use a TLS 1.3-only cipher suite, while the Windows 10 host is only capable of supporting TLS 1.2 and earlier, this is likely the root cause of the connection failure.

2. Disable TLS 1.3 on the Windows 10 Host

To resolve the issue, the recommended solution is to disable TLS 1.3 on the Windows 10 host system. This will force the Remote Desktop connection to negotiate using TLS 1.2, which is supported by both the Windows 11 client and the Windows 10 host.

To disable TLS 1.3 on the Windows 10 system, you can follow these steps:

1. Open the Registry Editor (regedit.exe).
2. Navigate to the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server
3. Set the “Enabled” value to “0” (zero) to disable TLS 1.3 on the server.
4. Restart the Remote Desktop Services (RDS) on the Windows 10 host.

After making these changes, the Windows 11 client should be able to establish a successful Remote Desktop connection to the Windows 10 host using TLS 1.2.

3. Evaluate Alternate Remote Access Solutions

While disabling TLS 1.3 on the Windows 10 host may resolve the immediate issue, it’s important to consider more robust and secure remote access solutions. Some alternative approaches include:

a. RDP Gateway: Utilizing an RDP Gateway can provide an additional layer of security and control over remote desktop connections. The RDP Gateway acts as an intermediary, authenticating users and restricting access to approved systems.

b. VPN Integration: Integrating remote desktop access with a Virtual Private Network (VPN) can enhance security by requiring users to authenticate and establish a secure tunnel before connecting to remote systems.

c. Two-Factor Authentication: Implementing two-factor authentication, such as integrating with a service like Duo, can significantly improve the overall security of remote desktop access.

d. Least-Privilege Access: Carefully managing user permissions and only granting remote desktop access to users who genuinely require it can help mitigate the risk of unauthorized access.

By exploring these alternative solutions, organizations can not only address the immediate Windows 11 to Windows 10 remote desktop issue but also strengthen their overall remote access security posture.

Securing Remote Desktop Access: Best Practices

Regardless of the specific remote desktop solution employed, it’s essential to follow best practices to ensure the security of your remote access infrastructure. Here are some key recommendations:

1. Enforce Strong Password Policies: Require users to create complex, unique passwords for their accounts, and consider implementing password expiration policies.

2. Enable Network Level Authentication (NLA): NLA adds an extra layer of authentication before a Remote Desktop connection is established, helping to prevent unauthorized access.

3. Restrict Remote Desktop Access: Limit the number of user accounts with Remote Desktop access, and only grant this privilege to those who genuinely require it.

4. Utilize Firewalls and Access Controls: Configure firewalls to restrict access to the Remote Desktop port (TCP 3389) from untrusted networks. Leverage Access Control Lists (ACLs) to further limit connection attempts.

5. Keep Software Up-to-Date: Ensure that both the Remote Desktop client and server software are regularly updated to the latest versions, which often include important security patches and bug fixes.

6. Monitor and Audit Remote Desktop Activity: Regularly review the event logs and security logs associated with Remote Desktop connections to identify any suspicious activity or potential security breaches.

7. Implement Centralized Management: Leverage Group Policy or other configuration management tools to enforce consistent Remote Desktop security settings across your entire organization.

8. Consider Alternative Remote Access Solutions: As mentioned earlier, explore more robust remote access solutions, such as RDP Gateways, VPNs, and two-factor authentication, to enhance the overall security of your remote access infrastructure.

By following these best practices, organizations can significantly improve the security and reliability of their Remote Desktop deployments, even in the face of compatibility challenges between Windows 11 and Windows 10 systems.

Conclusion

The transition to Windows 11 has introduced some unique challenges when it comes to remote desktop functionality, particularly in scenarios where Windows 11 clients need to connect to Windows 10 hosts. By understanding the underlying causes of these issues, IT professionals can effectively troubleshoot and resolve the connection problems by disabling TLS 1.3 on the Windows 10 systems.

Beyond the immediate fix, it’s crucial for organizations to continuously evaluate and enhance their remote access security posture. This includes adopting more robust remote access solutions, enforcing strong password policies, and implementing centralized management and monitoring practices.

By addressing the Windows 11 remote desktop challenges and implementing comprehensive security measures, IT professionals can ensure that their organizations can securely and reliably leverage remote desktop capabilities to support their workforce, even as technology continues to evolve.

For more IT insights and troubleshooting tips, be sure to visit the ITFix blog regularly.