Windows
In some situations, you might not be able to connect to your Compute Engine Windows virtual machine (VM) instance with RDP. This might be due to configuration errors, network errors, or the boot process might not have completed.
This document describes a number of tips and approaches to troubleshoot and resolve common RDP issues.
Note: As of Windows 7, you can use RDP over UDP. For more information, see Remote Desktop Protocol (RDP) 8.0 update for Windows 7 and Windows Server 2008 R2. Ensure the VM is online and readyAfter the VM has finished booting, which may take a few minutes, confirm its state using one of the following methods:
Serial port 1Serial port 1 is used to log system and application activity. View its output to determine that your VM has finished booting and if services have started correctly.
In the Google Cloud console, go to the VM instances page.
Click the name of the VM you want to view logs for. The VM instance details page opens.
Under logs, select Serial port 1.
Review serial port 1 output and look for output similar to the following:
BdsDxe: loading Boot0003 "Windows Boot Manager" from HD(2,GPT,DD3FB000-7000-4000-8000-3977378A7000,0x0000,0x00000)/\EFI\Microsoft\Boot\bootmgfw.efi BdsDxe: starting Boot0003 "Windows Boot Manager" from HD(2,GPT,DD3FB000-7000-4000-8000-3977378A7000,0x0000,0x00000)/\EFI\Microsoft\Boot\bootmgfw.efi UEFI: Attempting to start image. Description: Windows Boot Manager FilePath: HD(2,GPT,DD3FB000-7000-4000-8000-3977378A7000,0x0000,0x00000)/\EFI\Microsoft\Boot\bootmgfw.efi OptionNumber: 3. 2021/04/13 10:50:22 GCEGuestAgent: GCE Agent Started (version 20210128.00) 2021-04-13T10:50:23.4621Z OSConfigAgent Info: OSConfig Agent (version 20210217.00.0+win@1) started. 2021/04/13 10:50:42 GCEMetadataScripts: Starting startup scripts (version 20200129.00). 2021/04/13 10:50:42 GCEMetadataScripts: No startup scripts to run.
Output containing GCEGuestAgent or GCEMetadataScripts confirms that Windows has started successfully. Try reconnecting to your VM using RDP.
Serial port 2 provides an interactive connection to the VM and also shows the output of the Special Administrative Console (SAC) . You can use serial console 2 to determine if system services have started successfully.
In the Google Cloud console, go to the VM instances page.
Click the name of the VM you want to view logs for. The VM instance details page opens.
Under logs, expand More, then click Serial port 2 (console).
Review the serial port 2 output and look for output similar to the following:
BdsDxe: loading Boot0003 "Windows Boot Manager" from HD(2,GPT,DD3FB000-7000-4000-8000-3977378A7000,0x0000,0x00000)/\EFI\Microsoft\Boot\bootmgfw.efi BdsDxe: starting Boot0003 "Windows Boot Manager" from HD(2,GPT,DD3FB000-7000-4000-8000-3977378A7000,0x0000,0x00000)/\EFI\Microsoft\Boot\bootmgfw.efi UEFI: Attempting to start image. Description: Windows Boot Manager FilePath: HD(2,GPT,DD3FB000-7000-4000-8000-3977378A7000,0x0000,0x00000)/\EFI\Microsoft\Boot\bootmgfw.efi OptionNumber: 3. <machine-info> <name>WINDOWS</name> <guid>b7ab5000-4000-e000-e000-bc5a738da000</guid> <processor-architecture>AMD64</processor-architecture> <os-version>10.0</os-version> <os-build-number>17763</os-build-number> <os-product>Windows Server 2019 Datacenter</os-product> <os-service-pack>None</os-service-pack> </machine-info> Computer is booting, SAC started and initialized. Use the "ch -?" command for information about using channels. EVENT: The CMD command is now available. SAC>
Output containing SAC started and initialized or CMD command is now available confirms that Windows has started successfully. Try reconnecting to your VM using RDP.
VM screenshots provide a visual representation of a VM's state, similar to a computer monitor.
Before you can capture a screenshot of your VM, you must enable the VM's virtual display. If you haven't already enabled the virtual display, see Enabling virtual displays.
Capture a screenshot. For more information, see Capturing a screenshot from a VM.
Review the screenshot to see that the instance is ready.
Compare your screenshot to the following to determine the current state:
If Windows has not started successfully after a few minutes, review the Troubleshooting Windows guide.
Check connectivity between your workstation and the VM instanceIf you run into issues when you connect your Windows VM, it is a good practice to identify whether the problem is with the workstation that you are using to connect, or the VM that you are connecting to. Check connectivity between your workstation and the VM by running the following command from your Linux, macOS, or Windows workstation:
curl -v telnet://DESTINATION_IP_ADDRESS:PORT
Replace the following:
DESTINATION_IP_ADDRESS: the IP address of your Windows VMPORT: the port configured for connecting through RDP on your Windows VMYou can also use Connectivity Tests for further verification of connectivity between the VM instance and other Google Cloud products and services. Additionally, it might also be useful to set up a bastion host on the same subnetwork for isolating RDP connectivity issues on the VM instance.
Check your Windows instance passwordEach Compute Engine Windows instance must have a local password set if it is not already on a domain or custom image. Confirm you have the correct password set by connecting to the VM through the Google Cloud CLI command-line tool or Google Cloud console. For more information, see Connect to a Windows VM's SAC.
If you have problems connecting, try creating or resetting the password. For more information, see Creating passwords for Windows VMs.
Check if you're using Windows Server CoreWhen connecting using RDP, if you receive a Command Prompt window on a blank background this likely indicates you are using Windows Server Core. To confirm that you are run the command below:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v InstallationType
Server Core in your output confirms that you are using Windows Core edition.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
InstallationType REG_SZ Server Core
If you require a graphical user interface for your workload, look at creating a Windows instance that contains Desktop Experience instead of Server Core. Alternatively, you may review the Microsoft documentation for managing Windows Core server.
Check your VPC firewall rulesCompute Engine automatically provisions new projects with a firewall rule that allows RDP traffic. If you have an existing project, or have modified the configurations, the default firewall rule that permits RDP might not exist. Confirm that a rule allows RDP traffic to connect to the network that your affected instance is on.
To check if the default-allow-rdp firewall rule exists on your project, check the Firewall rules page, or run the following gcloud CLI command:
gcloud compute firewall-rules list
To create a new rule if one does not exist, create a rule with the following command:
gcloud compute firewall-rules create allow-rdp --allow tcp:3389
tcp: in the "create rule" command to match. Verify the external IP address
Ensure that you're connecting to the correct external IP address for the instance. View the IP for the instance from the VM instance page or by using the following gcloud CLI command:
gcloud compute instances list
If you have Windows Remote Desktop Services (formerly known as Terminal Services) installed on your instance, then the conditions of the Client Access Licenses (CALs) are enforced. With these CALs, RDP connections will fail under any of the following conditions:
Symptoms that you may not have enough valid licenses include messages such as:
If your RDP connections fail, you can use the admin switch to connect to the instance for administrative purposes. This can be done on a Windows machine by using the native Remote Desktop Connection client.
Note: Using the admin switch on a VM that has exhausted the available connection licences, can forcibly disconnect a user from the VM.%SystemRoot%\System32\mstsc.exe /admin
Two concurrent remote desktop sessions for administration are included with the on-demand Windows Server and SQL Server image.
To resolve issues with RDP connections, purchase new RDS licenses for your instance. For more details about CALs, review the Microsoft documentation. Alternatively, if Remote Desktop Services are not required, uninstall the service and use regular RDP connections.
Validate OS level configuration and resourcesIf the guest environment and configurations for the instance are correct, the operating system on the instance might be misconfigured. Additionally, without adequate resources it's possible that an RDP connection might fail to be established. To validate OS level configuration, connect to the Windows SAC:
Ensure the VM has adequate resourcesVerify the CPU, memory, disk usage, and available disk space are not reaching their limits. This data can be inspected by viewing the observability metrics in the Google Cloud console. Some metrics are available only for VMs that have the Ops Agent installed. Alternatively, if the Ops Agent is not installed, use the following commands when connected to SAC:
CPU usage, memory usage, disk usage and disk capacity
typeperf "\Processor(_Total)\% Processor Time" -sc 5
typeperf "\Memory\% Committed Bytes In Use" -sc 5
typeperf "\LogicalDisk(*)\% Idle Time" -sc 5
fsutil volume diskfree C:
The following are the recommended resource usages for an RDP connection, however these are just estimates, and might vary between instances.
If any of the suggested estimates are reaching their limits, you can modify that resource for the VM instance. To edit VM properties, see how to edit the machine type of a VM instance and increase the size of a persistent disk.
Check the OS configurationConnect to the VM's SAC and run the following commands to ensure that the instance is accepting connections:
Check to see that the ethernet adapter is enabled:
netsh interface show interface
netsh interface set interface Ethernet admin=enabled
Check to see that the instance has a valid IP configuration:
ipconfig /all
Check to see that DHCP is enabled on the instance:
netsh interface ipv4 show addresses
netsh interface ipv4 set address Ethernet dhcp
Check to see that the 'Remote Desktop Service' is running:
net start | find "Remote Desktop Services"
net start "Remote Desktop Services"
Check that Remote Connections are enabled:
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /f /v fDenyTSConnections /t REG_DWORD /d 0
Ensure that the Windows firewall has Remote Desktop Connections enabled:
netsh advfirewall firewall show rule name="Remote Desktop -User Mode (TCP-In)"
Pass: Enabled:Yes, Direction: In, Profiles: Public, Grouping: Remote Desktop, LocalIP: Any, RemoteIP: Any, Protocol:TCP, LocalPort: 3389, RemotePort: Any, Edge traversal: No, Action: Allow
Note: This is the default configuration, so your requirements might be different.Fail: (unexpected results, such as enabled = No)
Solution: Enable the default "Remote Desktop" firewall rule within Windows Firewall:
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
Check to see what port number is configured for RDP connections on the remote instance:
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
Solution: Configure the port number in the registry required for RDP:
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /f /v PortNumber /t REG_DWORD /d [PORT NUMBER]Note: Number is in hexadecimal, 0xd3d = 3389 (default port is 3389).
Verify that another application is not trying to use the same port:
netstat -ano | find "3389"
tasklist /svc | find ""where PID is the identifier from the previous command. The output should only have Termservice being returned.
Ensure that connected user account has permissions for remote connections:
net localgroup "Remote Desktop Users"
Solution: Add the "Remote Desktop Users" rule to a user in the domain:
net localgroup "Remote Desktop Users" /add [DOMAIN\USERNAME]
The domain is required only for user accounts on a system joined to a different domain. For local accounts, specify only the username.
Verify the client/server security negotiation is set to its default value:
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 1 /f
In situations where your instance is connected to an Active Directory domain, but the connection could not be established you may receive the following error when trying to access your instance:
The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA.
Verify the user Network Level Authentication (NLA) is set to its default value:
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
Verify that your MTU size is no greater than the MTU of the network:
netsh interface ipv4 show subinterfaces
Solution: Set the MTU of the interface to the MTU of the VPC network:
netsh interface ipv4 set subinterface Ethernet mtu=MTU_OF_VPC_NETWORKNote: VPC networks have a default maximum transmission unit (MTU) of
1460 bytes. However, the network MTU can be set to the standard Ethernet MTU of 1500 bytes, up to 8896 bytes for jumbo frames, or as low as 1300. For more information about network MTUs, see the maximum transmission unit overview.
For more information about MTU size incompatibilities, see our packet fragmentation documentation.
If you try to connect to the VM by using RDP and the VM displays the keyboard layout screen, you need to select a language by connecting to Windows SAC. To select a language, complete the following steps:
powershell.Get the correct language string.
Get-WinUserLanguageList
Set the desired layout. Replace LANGUAGE_TAG with the language layout you want (for example, en-US).
Set-WinUserLanguageList -LanguageList LANGUAGE_TAG -force
Reboot your instance.
shutdown -r -t 0
For RDP errors on the logon screen mentioning you need the right to sign in through Remote Desktop Services or you must be granted the Allow log on through Terminal Services right, the Remote Desktop Users or Administrators group was removed from Local Computer Policy setting found in Allow log on through Remote Desktop Services or SeRemoteInteractiveLogonRight.
Verify there are no missing permissions blocking certificates authentication:
icacls.exe "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys"
Ensure that your antivirus/endpoint protection client settings allow for the configured port number and services.
Note: This process will vary between products, and might not have a command line solution.If you are able to establish an RDP connection but you are disconnected after some time with a message mentioning that your Timer Expired verify the following values are as expected:
Registry Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Registry Keys:
MaxDisconnectionTimeMaxIdleTimeMaxConnectionTimeMaxDisconnectionTimeRemoteAppLogoffTimeLimitThese values are set in milliseconds. If these keys are missing from your registry then there are no session limits on your VM instance. If these keys are present in your registry but their values are set to 0, then your session will never expire.
If the above troubleshooting steps have not resolved your RDP connection issue, your Windows instance may not be booting or running correctly. In this case, review our guide for troubleshooting Windows.
What's nextLearn more about troubleshooting the Windows operating system.
Learn how to collect diagnostic information from a VM.
Learn about troubleshooting using the serial console.
Learn how to capture screenshots from VMs.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4