jhealeysrc
Copper Contributor
Mar 13, 2024

W11 Remote desktop issue with W10 host and TLS 1.3 enabled

Our organization has a mixed deployment of Windows 11 (mostly laptops) and Windows 10 (mostly remote desktops).

When 22H2 was released, users with Windows 11 22H2 computers were no longer able to remote desktop into Windows 10 remote desktops, receiving an "Internal error occurred" when trying to connect; however, Windows 11 21H2 still worked fine with remote desktop into Windows 10. Our initial workaround was to copy the mstsc.exe and mstscax.dll from 21H2 over the top of the 22H2/23H2 versions, but this was not ideal as the versions would be replaced again with every Windows update.

I recently discovered the cause of the problem by turning on Verbose SCHANNEL logging and looking at the SCHANNEL events in the Event Viewer. Windows 11 21H2 mstsc version (10.0.22000.1042) is able to negotiate the connections correctly to a Windows 10 computer - schannel event 36880 in the SYSTEM log shows that a TLS client handshake completed successfully to the target computer using TLS 1.2 and CipherSuite 0xC030 (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384).

If I do the same on a W11 22H2 or 23H2 computer, the schannel event 36880 for the connection attempt says "a TLS client handshake completed successfully" to the target computer using an unknown TLS version and CipherSuite 0x1302 (TLS_AES_256_GCM_SHA384) and the connection fails with Internal error occurred.

Our organization has performed security hardening on our endpoints: TLS 1.3 Client and Server and TLS 1.2 Client and Server are all enabled on all of our endpoints, with TLS 1.0 and TLS 1.1 disabled. The CipherSuite that the 22H2/23H2 mstsc.exe/dll version was trying to use is TLS 1.3 compatible only. It's my understanding that Windows 10 doesn't support that cipher, and for some reason, unlike the 21H2 version of Remote Desktop, the 22H2/23H2 versions do not negotiate the connection using TLS 1.2 and a TLS 1.2 compatible cipher if TLS 1.3 server is enabled on the target Windows 10 computer; they only try to negotiate the connection using the TLS 1.3-only compatible ciphers.

I was able to resolve the issue by disabling TLS 1.3 server on the Windows 10 computer, and only then would the Windows 11 computer connect to the Windows 10 computer via Remote Desktop over a TLS 1.2 connection using a TLS 1.2 cipher.

I think this might be a bug in the newer Remote Desktop versions, and I was hoping to report it so it can be fixed, because we shouldn't have to disable TLS 1.3 server to get this to work.
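The diagnostic procedure described above (check which TLS protocol versions are enabled in Schannel, turn on verbose Schannel logging, then read the negotiated protocol and cipher suite out of event 36880) can be scripted so it is repeatable across a fleet. The following is an added example, not code from the original post or from Microsoft; it is read-only, so it does not change the hardening state. It assumes the standard Schannel registry locations under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL, that the System log provider name is "Schannel", and that the 36880 message text carries "Target name", "Protocol" and "CipherSuite" fields as quoted in the thread; the field-name regexes are assumptions and may need adjusting to the exact message format on a given build. Run it in an elevated PowerShell session on the client.

```powershell
# Added example (not from the original post). Reports the Schannel protocol
# state and summarises recent 36880 "TLS client handshake completed" events,
# so a defender can see which TLS version and cipher suite each RDP client
# handshake actually negotiated. Read-only; assumes standard Schannel paths.

$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelProtocolState {
    # One row per protocol/side. A missing key means the OS default applies.
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path $SchannelBase "Protocols\$proto\$side"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = if ($null -ne $props) { $props.Enabled }           else { '(OS default)' }
                DisabledByDefault = if ($null -ne $props) { $props.DisabledByDefault } else { '(OS default)' }
            }
        }
    }
}

function Get-SchannelLoggingLevel {
    # EventLogging = 7 is verbose; 36880 success events only appear at verbose level.
    $value = (Get-ItemProperty -Path $SchannelBase -ErrorAction SilentlyContinue).EventLogging
    if ($null -eq $value) { return '(not set, OS default)' }
    return $value
}

function Get-SchannelHandshakeSummary {
    param([int]$MaxEvents = 50)
    # Field-name patterns are an assumption based on the message text quoted in the thread.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36880 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $msg    = $_.Message
            $target = if ($msg -match 'target name\s*:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
            $proto  = if ($msg -match 'protocol\s*:\s*([^\r\n]+)')    { $Matches[1].Trim() } else { '?' }
            $suite  = if ($msg -match 'ciphersuite\s*:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Target      = $target
                Protocol    = $proto
                CipherSuite = $suite
                # 0x1301-0x1303 are TLS 1.3-only suites; 0xC030 is the TLS 1.2 suite seen from 21H2.
                Tls13Only   = $suite -match '^0x130[1-3]'
            }
        }
}

Write-Host "Schannel EventLogging: $(Get-SchannelLoggingLevel)  (7 = verbose)"
Get-SchannelProtocolState     | Format-Table -AutoSize
Get-SchannelHandshakeSummary  | Format-Table -AutoSize
```

Reading the output against the thread: a handshake row with a 0x13xx suite and an unknown or empty Protocol field, followed by an "Internal error" in mstsc, reproduces the symptom the poster describes, while a 0xC030 row with Protocol TLS 1.2 is the working 21H2 behaviour. The protocol-state table shows whether TLS 1.3 Server is explicitly enabled on the target, which is the setting the poster's workaround changes.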

  • Macuslcc2430
    Copper Contributor
    New software always comes with new problems. Wait for Microsoft to release a new version, or report it to Microsoft so it can be fixed more quickly.
  • Monsey1305
    Copper Contributor
    It appears that the newer versions of Remote Desktop in Windows 11 22H2/23H2 are not able to negotiate connections with Windows 10 remote desktops when TLS 1.3 server is enabled. This is likely due to the fact that the CipherSuite used by the newer versions is TLS 1.3 compatible only, and Windows 10 does not support that cipher.

    Your workaround of disabling TLS 1.3 server on the Windows 10 computer is not ideal, as it reduces the security of the endpoint. It is possible that this issue is a bug in the newer Remote Desktop versions, and it would be wise to report this issue to Microsoft so that they can investigate and provide a fix.

    To report this issue to Microsoft, you can open the Feedback Hub app on your Windows 11 computer and submit a new feedback item under the "Remote Desktop" category. In the feedback item, describe the issue you encountered and provide any relevant details, such as the version numbers of the mstsc.exe and mstscax.dll files, the Event Viewer logs, and your organization's security hardening settings. Microsoft should review your feedback and provide any necessary updates or fixes for Remote Desktop.
