Category Archives: Remote Desktop (RDP)

Insider stuff, Recent Activity, Remote Desktop (RDP), Troubleshooting, WED Blog, Windows 11

Ongoing Reboot Issues Affect RDP

Leave a comment

I’m still struggling with reboot issues on Flo6. Lately, I have to go through the infamous “new CPU detection” alert, then deny it, before I get into Windows 11. After multiple such reboots just now, I elected to stay logged in and get some work done. No such luck: my ongoing reboot issues affect RDP. On the way to a working session, I got the mysterious error window you see as the lead-in graphic.

Why Do Ongoing Reboot Issues Affect RDP?

It seems that multiple successive reboots in Windows 11 can impact RDP. This can lead to stale RDP capability caches, stale virtual device handles, TPM/Hello falling shy of full initialization, mismatched channel GUIDs, and more. In short, things get shook up and need to settle down.

What’s interesting — and amusing — about this error is that it’s not really an error. Closer inspection reveals it carries error and extended error codes that are null (0x0) in value. And indeed, right after the error window popped up, an RDP session into P16  opened up and worked like a champ.

What Happened Here?

Though it’s reported as an authentication error, it actually occurred during virtual channel negotiation between Flo6 and P16. Naturally, that indicates both devices were working just fine, thanks, and trying to get together. Copilot speculates — and I concur — that the most likely culprit is a Windows Hello redirection problem. (That’s mostly guaranteed by my turning fTPM off on one boot to kick start that process, then turning it back on.)

Boy howdy, things do sometimes get strange here in Windows-World, though. On the whole, I’d rather have a bogus error that fixes itself (or isn’t really an error) than have a serious glitch that requires further troubleshooting. I’ve had enough of that already today, thanks very much!

Facebooklinkedin
Facebooklinkedin
Insider stuff, Recent Activity, Remote Desktop (RDP), WED Blog, Windows 11

Another Take On Failed RDP Login Fix

Leave a comment

Last Friday, I packed up the tiny but nifty Lenovo ThinkCentre Neo 50q to ship it back to North Carolina. Then, I stood the small but mighty ThinkStation P3 Ultra Gen2 up in its place. When I tried to RDP into that machine to catch it up with changes since it went dark in early January, it wouldn’t let me log in with my usual MSA. “I’ve seen this before,” I thought, as I recalled my Feb 19 blog on this very topic. That previous fix had changed the folder name for my user account and I wanted to avoid that on the P3Ultra2 if possible. So, I took another take on failed RDP login fix and came up with something better. Let me explain…

Details: Another Take on Failed RDP Login Fix

The P3 Ultra2 had been healthy after its identity‑stack cleanup, TPM reseal, and scheduled‑task repairs. Local login worked. The system was stable. Nothing in the logs suggested trouble. But RDP refused to authenticate. Every attempt failed with the same unhelpful message: “The credentials did not work.” The username was correct. The password was correct. The account was enabled. The SID matched. The machine was healthy. Yet RDP would not accept the credentials under any circumstances.

When this kind of failure presents, there’s usually some mismatch between the local Windows identity and the identity info RDP uses for remote validation. TL;DR version: that was exactly what went wrong.

Why Correct Credentials Failed RDP Validation

The key understanding requires knowing how RDP handles MSAs. When a user signs into a Windows PC locally, her or she can use Windows Hello, a PIN, or security tokens. That said, RDP cannot use any of these for remote login validation. Indeed, RDP requires a local NT password hash stored in the SAM on the target PC. If no such hash exists, RDP can’t validate user login input, even if the supplied password for an MSA is correct and current.

Here’s what went wrong on P3Ultra2: the MSA acccount had never generated a local password hash. From the first login, Windows 11 used Hello-based authentication. Alas, that means the SAM never got a password hash for that account. Locally, things worked as expected (because Hello could — and did — work with cloud based authentication). RDP could find no password hash and thus could not authenticate.

The Fix Is In, and Dead Easy

All I had to do was to sit down in front of the P3Ultra2 and force it to use the password for a single login. I did so at the lock screen by clicking the password icon (middle position in lead-in graphic) and then typing in the account password.

As soon as I did that, Windows automatically generated the NT password hash for that MSA. With that value now available, RDP immediately opened its remote access doors on my next try to get into P3Ultra2 through the Remote Desktop Connection App. Problem solved.

Sometimes, problems in Windows-World are huge and hairy. Sometimes, they’re astoundingly simple — as long as you can figure out what’s really going on. This particular RDP thing fell into the latter category. I’m glad I now understand, and gladder still it’s fixed.

Facebooklinkedin
Facebooklinkedin
Insider stuff, Recent Activity, Remote Desktop (RDP), WED Blog, Windows 11

Fixing Failed MSA Remote Login

Leave a comment

Every so often, I run into Windows 11 behavior odd enough to make me scratch my head. Occasionally, I’ll observe that my Microsoft Account (MSA) logins work perfectly at the local console. But they fail constantly if used within Remote Desktop Connection. The error? A familiar one: ‘Your credentials did not work. The logon attempt failed.’ Today, I’ll explain what worked for me when fixing failed MSA remote login.

In the meantime, I’d been working around this issue by setting up a Local account named “LocalOnly.” You can see it mentioned in the lead-in graphic for this blog post. If my upcoming technique doesn’t restore your MSA’s remote access as it did mine, you can use a local account to remote into a balky remote host if your MSA won’t work.

Refusal of Known, Good, Working Login

You may see this message while trying to RDP into a Windows 11 machine using an MSA. If so, you know how frustrating it is. Especially when you know those credentials are correct, and you can use them locally, no problem. What gives?

As it turns out, the answer lies in a complex and sometimes fragile identity stack that underpins Windows 11’s user authentication . Let’s unpack what’s going on under that hood.

Windows 11’s identity model for MSAs is built on three interdependent layers:

  1. SAM (Security Account Manager) – The local account database. It stores user SIDs (Security Identifiers) & basic account metadata.
  2. WAM (Web Account Manager) – The token broker that handles cloud authentication for MSAs. It’s responsible for storing and refreshing tokens so services like RDP can validate your identity.
  3. Ngc (Next Generation Credentials) – This layer handles Windows Hello and TPM-tied credentials, like PINs & biometric logins.

When all these layers are working and cooperating, things go swimmingly. Sometime though, particularly on Insider builds where MS is messing with this identity stack, things can get weird. Over time changes can mean an MSA works locally but not remotely.

A Swicheroo Is Key to Fixing Failed MSA Remote Login

Here’s what was happening on my ThinkPad X380 Yoga. I could log in locally using my MSA. But RDP logins would consistently get refused with the error message that serves as the lead-in graphic. After ruling out more obvious causes (e.g. network issues, RDP settings, firewall rules) I thought about the situation. Because local login worked, SAM and Ngc layers were probably OK. That presented WAM as a likely cause.

The fix, then, was simple. I rebuilt the WAM token cache, to make sure all pieces harmonized. Here’s what I did:

1. Log in locally using MSA
2. Visit Settings > Accounts > Your info
3. Change to “Sign in with a local account instead”
4. Sign out, or Reboot PC
5. Login locally using local account name/pwd
6. Visit Settings > Accounts > Your info
7. Change to “Log in with a Microsoft account”
8. Reboot PC

The switcheroo undid the link between the MSA and the account, made it local, then re-established a new connection. That completely rebuilds the whole infrastructure, including the WAM.

After that switcheroo (MSA > Local > MSA) RDP worked fine from my Flo6 primary desktop into the X380. The odds are good this technique will work for you, if you get caught in this situation. Here in Windows-World, a switcheroo sometimes works wonders. It did here, anyway!

 

 

Facebooklinkedin
Facebooklinkedin
Insider stuff, Recent Activity, Remote Desktop (RDP), WED Blog, Windows 11

Odd Restart Following KB5074109

Leave a comment

Yesterday was Patch Tuesday. This morning, I checked over the fleet to make sure all had gone well. With one exception — the Lenovo ThinkPad P16 Gen1 — it had. But the P16 showed me a restart behavior I’d never seen before.  Indeed, I can only observe this machine experienced an odd restart following KB5074109. Let me explain what happened…

Delineating Odd Restart Following KB5074109

Some of this oddity is no doubt self-induced. I fired off the restart command in Windows Update through an RDP session. That closed the remote desktop session on the client. On the P16 host, the logged-in Windows session kept running. The desktop stayed visible, and the Start menu popped up in response to the usual cursor activity. But apps didn’t work, and I couldn’t open settings to fire off the restart command again. Even more interestingly, the power button in the Start menu didn’t work either. How to force a restart?

WinKey-X let me open an administrative Windows Terminal session. From there I used shutdown /r /f /t 0, where /r tells Windows to restart, /f summarily kills any open apps that might otherwise block restart (seemed like a good idea to me, given circumstances), and /t 0 tells shutdown to do its thing right away (in 0 seconds, that is).

That did the trick! The P16 transitioned into an “Updates underway” screen that let me know the pending updates were being applied. Then it restarted, finished the post-GUI update process, and took me to the desktop.

How do I know it worked? Edge popped up the now-customary post update browser window as the P16 finished booting to the desktop:

Problem solved, I guess. I’m not sure what caused this strange behavior. I didn’t see this on any of my other updated PCs or VMs, But then I didn’t have RDP sessions open into them at the time, either. Just another niggling little mystery here in Windows-World. Just another normal day…

Facebooklinkedin
Facebooklinkedin
Cool Tools, Insider stuff, Recent Activity, Remote Desktop (RDP), WED Blog, Windows 11

Screen Change Breaks Advanced IP Scanner

2 Comments

Ooo wee ooo… Things got weird here at Chez Tittel this week. On Tuesday, I blogged about moving my Main display from left-hand monitor (1) to right-hand monitor (2). It gives improved visibility to the notification area. Alas, that screen priority change breaks Advanced IP Scanner, a favorite remote access monitoring and management tool of mine. Buckle up, kids: this is how the weirdness crept in…

How Screen Change Breaks Advanced IP Scanner

It drove me crazy, in fact. After the switchover, if I ran Advanced IP Scanner (I’ll abbreviate it as AIS from now on), it would launch. I’d see the window open briefly, and move to the right of my right-hand screen. Any attempts to bring it back into a visible spot on either monitor didn’t work. And it showed up on the Taskbar thumbnail as an empty white box.

Only when I went back to Settings > System > Display and reset the left-hand monitor as “Main display” did AIS reappear in viewable form. I’ve seen some quirks and oddities in my 30-plus year history with Windows, but this one ranks right up there near the top.

Because I have to choose between using AIS and easier access to the Notification area, I’m going with AIS (and have restored (1) as the main display). Why? Because I’m always messing with other PCs on my LAN and I like to remote into them. AIS makes it dead simple to open a Remote Desktop Connection into them via their current IP address. Local address tables get flaky when, as I often do, I switch units between Wi-Fi and wired Ethernet. So I’m choosing convenience over visibility.

And boy howdy, is that the way things sometimes go here in Windows-World. All I can say is “Happy Friday!”

Facebooklinkedin
Facebooklinkedin
Insider stuff, Recent Activity, Remote Desktop (RDP), WED Blog, Windows 11

Welcome RDP Session Handling Change

Leave a comment

I’m not sure when the change I’m about to document happened, but I just noticed it this morning. Last night before heading off to bed, I put my production desktop to sleep. At the time, I had 3 RDP sessions running elsewhere on my LAN. When I logged in this morning, instead of finding 3 Remote Desktop Connection prompts to re-establish those sessions, I found login prompts on lock screens into those sessions instead. This is a welcome RDP session handling change, as far as I can tell. I’m glad to see it.

Why Say: Welcome RDP Session Handling Change

As you can see, the lock screen snippet in the lead-in graphic shows my LocalOnly account. That’s a — you guessed it — purely local Windows account I use to establish RDP sessions into Windows 11 PCs that won’t let me log in using my preferred Microsoft Account (MSA).

When I saw that show up inside a Remote Desktop Connection session window (or three) this morning, I knew what it meant. It meant that MS kept the remote session ready to re-start, even though the client half of that session (my production desktop) had been asleep. That’s both good and convenient.

Copilot Sheds More Light

Copilot says that recent builds like 26200.6901 (what I’m running on the Flo6 right now) offer persistent RDP sessions across sleep/wake cycles. Instead of summary disconnection — the way things used to work — they now lock open RDP sessions (which is why I had to log back into them) and preserve memory state and open windows.

Good to know! This is what I call a nice surprise in Windows-World. Glad to see that MS has made this change: it makes my job easier.

Facebooklinkedin
Facebooklinkedin
Insider stuff, Remote Desktop (RDP), WED Blog, Windows 11

Latest Beta CU Keeps Remote MSA Login Glitch

Leave a comment

OK, then. I just logged into the ThinkPad X380 Yoga, where I run the Windows 11 Beta Channel Insider Previews.  I’ve been forced to remote into that laptop using a local account for months. But just now, I got fooled by a successful MSA login to Office immediately after login on that PC. I thought the MSA issue was fixed, but I thought wrong. The Remote Desktop Connection used my LocalOnly account to set up that remote session, after which the MSA worked fine to login through MS to access Office. Despite my hopes to the contrary, the latest Beta CU keeps remote MSA login glitch. Sigh.

Showing Latest Beta CU Fixes Remote MSA Login Glitch

If you look at the lead-in graphic, you’ll see two important things. One, Office asking me if I want to stay signed in. Two, it’s showing the account that stays that way if I agree (“Yes”) is an MSA. For the record, that is an old, expired MSA whose mail server/domain got turned off in 2024, so I don’t mind sharing it publicly. But as I explained, that’s not the same account that Remote Desktop Connection used to make the RDP connection in the first place. I got fooled!

The interesting thing, of course, is that RDP (via the Remote Desktop Connection, aka mstsc.exe) is still cannot resolve MSA lookups to the MS authentication servers during login. I’m still getting an invalid credentials error. I’ve also seen “unable to contact LSA” (Local Security Authority) errors as well. Sigh again.

Even though I tried an MSA, the error message still shows the local account.

With the update to Build 26120.6780 in the wake of KB5067103, that problem seems to persist. But, I’ve been through this on-again, off-again ability to use MSA logins for RDP for some time now. So I’m wondering: when will MS fix this thing? That’s the way things go with Insider Previews, here in Windows-World. As long as I can work around it, that’s OK!

Facebooklinkedin
Facebooklinkedin
Insider stuff, Remote Desktop (RDP), WED Blog, Windows 11

Remote Desktop Connection LSA Error

2 Comments

Over the past couple of years, I’ve noticed that establishing an RDP session from my primary desktop to other PCs sometimes fails under specific circumstances. I’m researching a story about this for Mayank Pamar at WindowsLatest, so keep an eye out for that opus. It’ll probably hit next week. When I attempt to get into some of my Windows 11 PCs (the only kind of physical PC I have any more), my login will occasionally be refused if I use a Microsoft Account (MSA). Indeed I’ll see a Remote Desktop Connection LSA error that reads “The Local Security Authority cannot be contacted.”

What Causes Remote Desktop Connection LSA Error?

Interestingly, there are a number of possible causes. Some are easy to fix, others fall on third parties. Here’s a partial list:

  • OS can’t validate credentials, particularly MSA logins (the most common and obvious reason, but one users cannot easily fix themselves)
  • Secure channel negotiation (to exchange credentials) fails
  • Time sync or DNS resolution fails
  • Credential policies are somehow misconfigured

Time sync and DNS stuff is probably the most approachable, so they’re worth trying. For the former that means Settings > Time & Language > Date & time > Sync now (under Additional Settings). For the latter, it’s only meaningful if using manual DHCP assignment, in which case Setting > Network & Internet > Ethernet or Wi-Fi > Edit DNS Settings > define preferred and backup DNS server addresses. Most users will get their DNS server assignments via DHCP.

The other items are a bit more convoluted. I’ll get to them in my upcoming story. Here in this brief blog, I’ll “leave them as an exercise for the reader” in the classic ploy used to avoid heavy lifting in so many, many textbooks I’ve read over the years…

A Typical (and Useful) Workaround

If I can’t get into a PC using my MSA, I’ll set up a local account on the affected machine with admin privileges and use that to RDP into the machine instead. This might cause issues on machines where you want or need access to account-speicific files or data (e.g. the associated C:\users\<name> folder hierarchy). But otherwise it works OK. In a small and unscientific survey of my local fleet, I’ve had to do this on just under half the machines (4 out of 9), most of which are running Insider Preview releases (and thus, have their foibles).

Here in Windows-World, if you can’t do things the way you want to, you must sometimes do them some other way. Obtaining RDP access to some of my test and experimental PCs puts me in those shoes from time to time. So it goes!

Facebooklinkedin
Facebooklinkedin
Insider stuff, Remote Desktop (RDP), WED Blog, Windows 11

Copilot Unpicks Local RDP Access

Leave a comment

On my sole remaining 2018 vintage Lenovo ThinkPad X380 Yoga, I’ve been fighting RDP connectivity issues. It’s running Windows 11 24H2 Insider Preview Beta Channel Build 26100.4946. All of a sudden, I couldn’t RDP into the machine at all. MSA-based access is still stuck on a Local Security Authority (LSA) access problem. But just now, Copilot unpicks local RDP access so I can use a local admin account to access it remotely. Phew!

Grinding Through as Copilot Unpicks Local RDP Access

Something was odd about the local account setup that didn’t sit right with RDP. Even though I’d set the account up with a password, that selfsame account did not have the PasswordRequired value field set to “True.” Turns out that RDP requires this setting before it will allow any account to connect.

Copilot cheerfully took me through some PowerShell syntax that didn’t work. Then it had me run the Command Prompt alternative that finally did the trick:

net user Actname YourSecurePassword123! /active:yes
/passwordreq:yes

Obviously, I used the actual account name for the Actname placeholder, and the real password for that string. But indeed it worked. And when I made my next login attempt, I was finally able to get back into that machine.

A Word of Warning

When I asked Copilot why this might have happened it informed me that this build “introduced a wave of under-the-hood changes” into Windows 11. Specifically, in the area of identity handling where “Insider builds often tweak how MSAs and local accounts are handled — especially in relation to login tokens, SID bindings, and credential providers.” That’s confirmation of what I’ve long suspected, because I’ve found myself unable to login to RDP using an MSA numerous times.

But this is the first time I’ve also been blocked for a local account as well. I’m just glad Copilot could steer me in the right direction to get a local connection working again. Even though my test and experiment PCs are mostly in the same office as my production desktop, it’s so much more convenient to access everything from the same keyboard, mouse and display setup. For me, RDP is an essential work tool. Bugs me to no end, when it doesn’t work right, as it does occasionally break down here in Windows-World. Sigh.

 

Facebooklinkedin
Facebooklinkedin
Insider stuff, Remote Desktop (RDP), Troubleshooting, WED Blog, Windows 10, Windows 11

Chasing RDP Login Takes Too Long

1 Comment

OK then, I’ve hit my troubleshooting time-out. Now that I’ve switched over to the Flo6 5800X build for my production desktop, I’m keeping the i7Skylake up and running in parallel. Why? So I can grab or look up things I discover I need on the new build that are only available on the old. So far, that’s included some logins that didn’t make it into the Norton Vault (only stored in Firefox on the old PC, as it turns out), various files and some app configuration data I didn’t know I’d need. Only one small problem: I can’t RDP into the account where all the stuff I need lives. I can RDP into the i7Skylake on a local admin account, but I get an LSA error when I try to log into my primary account. Alas, chasing RDP login takes too long, so I’m using TeamViewer instead. Indeed, it came up on the first try.

Why Chasing RDP Login Takes Too Long

Something has gone weird with NetBIOS and/or Domain Name resolution for RDP into the i7Skylake. That’s why I can get in using a local account, but not the MSA for the primary account. I’ve tried everything Copilot and Google can tell me about fixing that, to no avail, including:

  • Flush DNS name cache
  • Editing hosts file
  • Turning off browse service
  • Trying cmdkey explicit access in Command Prompt

And a whole bunch more. At present, I’ve spent at least 4 hours trying to MAKE it work. But RDP stubbornly refuses to let me use my MSA to log into i7Skylake.

The TeamViewer Alternative: Armadillo Time

TeamViewer doesn’t use RDP for remote access. It’s got its own set of protocols and services to manage LAN and Internet-based connections. It took me all of 15 minutes to get everything downloaded, installed, configured and running. I was able to access i7Skylake using the MSA I wanted on the first try. Go figure!

Sometimes, the best thing about beating your head against the way is how good it feels when you stop. Here in Windows-World this is not an unfamiliar sensation. If anybody knows how I can fix my RDP issue, I’d love some added insight and info. But for now, I have lots of other things to do — including a big deadline tomorrow on a writing project — so I’m taking the alternate route. If you’re not familiar with Jim Franklin’s wonderful armadillo image of that same name, check it out courtesy of Coast Monthly (it serves as the lead-in image for a terrific story).

Facebooklinkedin
Facebooklinkedin