Fixing “Internal Error” in Remote Desktop After Windows Security Patches – Certificate and RDP Issues

Many sysadmins (myself included) recently encountered a frustrating scenario: immediately after installing critical Windows security patches (particularly the March 2017 "NSA vulnerability fixes"), Remote Desktop connections started failing with a generic "Internal Error" message. The server remains functional for other services, but RDP becomes completely inaccessible.

Through troubleshooting multiple affected servers (Windows Server 2012 R2 in my case), here's what we've learned:

  • The error occurs immediately upon connection attempt, suggesting certificate/authentication failure rather than network issues
  • Telnet tests to port 3389 succeed, confirming basic connectivity
  • Event logs reveal Event ID 1057: "The Terminal Server has failed to create a new self signed certificate"
  • Existing RDP certificates often appear expired in Certificate Manager

When you can access the server through alternative means (like a local VM), check the certificate store with this PowerShell snippet:
# The store name is "Remote Desktop" (with a space), so the path must be quoted
Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' |
Where-Object {$_.NotAfter -lt (Get-Date)} |
Select-Object Subject, NotAfter, Thumbprint

This will list any expired certificates in the Remote Desktop store. The security updates appear to have broken the auto-renewal mechanism for RDP certificates.

Here's the step-by-step solution that worked across multiple affected servers:

  1. Delete the problematic certificate:
    
    # Pick the first expired certificate in the (quoted) "Remote Desktop" store
    $expiredCert = Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' |
    Where-Object {$_.NotAfter -lt (Get-Date)} |
    Select-Object -First 1
    
    Remove-Item -Path $expiredCert.PSPath -Force
    
  2. Trigger certificate regeneration:
    
    Restart-Service TermService -Force
    
  3. Verify the new certificate:
    
    Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' |
    Format-Table Subject, NotBefore, NotAfter, Thumbprint -AutoSize
    

For domain-joined servers, you can prevent future issues by configuring certificate auto-enrollment:

# GPO Path: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies
# Enable: "Certificate Services Client - Auto-Enrollment"
# Set enrollment policy to "Renew expired certificates" and "Update certificates"

If you lack alternative access methods, consider these emergency options:

  • Hosting provider console access (many offer web-based KVM)
  • Windows Remote Management (WinRM) if enabled:
    
    # On the server (one-time): enable the WinRM listener and firewall rule
    winrm quickconfig
    # From the admin workstation: open a remote PowerShell session
    Enter-PSSession -ComputerName server.domain.com -Credential (Get-Credential)
    
  • Emergency Management Services (EMS) for physical servers

To avoid similar outages after future updates:

  • Monitor certificate expiration dates with Nagios/Zabbix scripts
  • Implement certificate auto-renewal policies
  • Maintain multiple remote access methods (SSH, WinRM, etc.)
  • Test security updates in staging before production deployment

The root cause appears to be a combination of certificate expiration and security updates modifying RDP authentication behavior. Microsoft's KB4012212 and subsequent patches changed how Terminal Services handle certificate validation, making previously tolerated expired certificates completely unacceptable.
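As an added example (not part of the original post), the checks and the fix described above in one script, to be run in an elevated PowerShell session on the affected server. It assumes the default self-signed RDP certificate and reads the bound thumbprint from the Win32_TSGeneralSetting WMI class so the repair can be verified rather than assumed:

```powershell
# Store name contains a space, so quote it. Assumes the default self-signed RDP certificate.
$store = 'Cert:\LocalMachine\Remote Desktop'
$now   = Get-Date

# 1. Look for the Event ID 1057 symptom in the System log over the last 7 days.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ID = 1057; StartTime = $now.AddDays(-7) } -ErrorAction SilentlyContinue
if ($evt) { Write-Warning "Event ID 1057 logged $(@($evt).Count) time(s); latest at $(@($evt)[0].TimeCreated)" }

# 2. Which thumbprint does the RD Session Host currently present for TLS?
$ts = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting
Write-Host "Bound RDP certificate thumbprint: $($ts.SSLCertificateSHA1Hash)"

# 3. Inspect the Remote Desktop store and pick out expired certificates.
$certs   = @(Get-ChildItem -Path $store)
$expired = @($certs | Where-Object { $_.NotAfter -lt $now })
$certs | Format-Table Subject, NotBefore, NotAfter, Thumbprint -AutoSize
if ($expired.Count -eq 0) { Write-Host 'No expired RDP certificate found; the cause is elsewhere.'; return }

# 4. Remove the expired certificate(s); TermService mints a new one on restart.
foreach ($c in $expired) {
    Write-Host "Removing expired certificate $($c.Thumbprint) (expired $($c.NotAfter))"
    Remove-Item -Path $c.PSPath -Force
}
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 5

# 5. Verify: a currently valid certificate exists and the bound hash points at it.
$ts    = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting
$fresh = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $ts.SSLCertificateSHA1Hash -and $_.NotAfter -gt $now }
if ($fresh) {
    Write-Host "OK: RDP now uses $($fresh.Thumbprint), valid until $($fresh.NotAfter)"
} else {
    Write-Warning 'No valid bound certificate yet; check the System log for a new Event ID 1057.'
}
```

Restarting TermService drops every active RDP session on the server, so run it from the out-of-band console or VM access described above.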


After applying the March 2023 Windows security patches (specifically KB5023705 for Server 2012 R2), multiple clients suddenly couldn't establish Remote Desktop connections to our hosted server. The connection attempt fails immediately with:

Remote Desktop Connection: An internal error has occurred

Key observations:

  • TCP port 3389 remains open (confirmed via telnet)
  • No explicit certificate-related errors during connection attempts
  • Web services continue running normally
  • Affects all client types (Windows, iOS)

Through a Windows 7 VM on the same host, we discovered the root cause in Event Viewer:

Event ID 1057: The Terminal Server has failed to create a new self signed certificate...
Status code: Object already exists

The RDP certificate had expired two months prior, but connections continued working until the security update. The patch appears to have enforced stricter certificate validation while failing to properly renew the self-signed certificate.

For those with limited access (like our case with only VM access), here's how to force certificate renewal:

# First, delete the existing RDP certificate (store name "Remote Desktop" contains a space)
Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' |
Where-Object {$_.Subject -match "TERMSRV"} |
Remove-Item -Force

# Then trigger automatic renewal
(Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting).SetSelfSignedCertificate()

If WMI fails, try the legacy method:

# For older Server 2012 R2 systems
$tsgs = gwmi -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting
$tsgs.CreateSelfSignedCertificate(1)

When automatic renewal fails, manually bind a certificate:

# Export existing cert (if salvageable); take the first match so $cert is a single object
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -match "TERMSRV"} | Select-Object -First 1
Export-Certificate -Cert $cert -FilePath C:\temp\rdpcert.cer

# Find the cert thumbprint (the cert's private key must be present in the store for RDP to use it)
$thumbprint = $cert.Thumbprint

# Bind to RDP service: the RD Session Host reads its TLS certificate from this WMI property
$tsgs = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting
$tsgs.SSLCertificateSHA1Hash = $thumbprint
$tsgs.Put() | Out-Null

To avoid future disruptions:

  1. Set up certificate auto-renewal policies in Group Policy (gpedit.msc > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services)
  2. Monitor certificate expiration dates with this PowerShell snippet:
    
    Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' |
    Select-Object Subject, NotAfter |
    Where-Object {$_.NotAfter -lt (Get-Date).AddDays(30)}
    
  3. Consider using publicly trusted certificates instead of self-signed
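As an added example that is not from the original post: a Nagios/Zabbix-style check for item 2 above (and for the monitoring bullet in the first post). It goes beyond the plain expiry listing by also confirming that the thumbprint bound in Win32_TSGeneralSetting still resolves to a valid certificate, which is the state that was lost when the Internal Error appeared. The warning and critical thresholds are assumed defaults; run it as a scheduled task or agent command.

```powershell
# Exit codes follow the Nagios convention: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
# Thresholds below are assumptions; adjust them to your own certificate policy.
param(
    [int]$WarnDays = 30,
    [int]$CritDays = 7
)
$store = 'Cert:\LocalMachine\Remote Desktop'

# The thumbprint the RD Session Host actually presents to clients.
try {
    $ts = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -ErrorAction Stop
} catch {
    Write-Output "UNKNOWN - cannot query Win32_TSGeneralSetting: $($_.Exception.Message)"; exit 3
}
$bound = $ts.SSLCertificateSHA1Hash

# The self-signed cert lives in "Remote Desktop"; a CA-issued cert selected via GPO lives in "My".
$cert = @(Get-ChildItem -Path $store, 'Cert:\LocalMachine\My' -ErrorAction SilentlyContinue |
          Where-Object { $_.Thumbprint -eq $bound })[0]
if (-not $cert) {
    Write-Output "CRITICAL - bound RDP thumbprint $bound not found in any store; connections will fail"; exit 2
}

$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
$detail   = "subject='$($cert.Subject)' expires=$($cert.NotAfter.ToString('yyyy-MM-dd')) thumbprint=$bound"

if ($daysLeft -lt 0)         { Write-Output "CRITICAL - RDP certificate expired $(-$daysLeft) day(s) ago; $detail"; exit 2 }
if ($daysLeft -le $CritDays) { Write-Output "CRITICAL - RDP certificate expires in $daysLeft day(s); $detail"; exit 2 }
if ($daysLeft -le $WarnDays) { Write-Output "WARNING - RDP certificate expires in $daysLeft day(s); $detail"; exit 1 }
Write-Output "OK - RDP certificate valid for $daysLeft day(s); $detail"; exit 0
```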