In some situations, you might not be able to connect to yourCompute Engine Windows virtual machine (VM) instance with RDP. This mightbe due to configuration errors, network errors, or the boot process might nothave completed.

This document describes a number of tips and approaches to troubleshoot andresolve common RDP issues.

Ensure the VM is online and ready

After the VM has finished booting, which may take a few minutes, confirm itsstate using one of the following methods:

If Windows has not started successfully after a few minutes, review theTroubleshooting Windowsguide.

Check connectivity between your workstation and the VM instance

If you run into issues when you connect your Windows VM, it is a goodpractice to identify whether the problem is with the workstation that you areusing to connect, or the VM that you are connecting to. Check connectivitybetween your workstation and the VM by running the following command from yourLinux, macOS, or Windows workstation:

curl -v telnet://DESTINATION_IP_ADDRESS:PORT

Replace the following:

• DESTINATION_IP_ADDRESS: the IP address of your Windows VM
• PORT: the port configured for connecting through RDP onyour Windows VM

You can also useConnectivity Testsfor further verification of connectivity between the VMinstance and other Google Cloud products and services. Additionally, it mightalso be useful to set up a bastion host on the same subnetwork for isolating RDPconnectivity issues on the VM instance.

Check your Windows instance password

Each Compute Engine Windows instance must have a local password setif it is not already on a domain or custom image. Confirm you have the correctpassword set by connecting to the VM through theGoogle Cloud CLI command-linetool or Google Cloud console. For more information, seeConnect to a Windows VM's SAC.

If you have problems connecting, try creating or resetting thepassword. For more information, seeCreating passwords for WindowsVMs.

Check if you're using Windows Server Core

When connecting using RDP, if you receive a Command Prompt window on a blankbackground this likely indicates you are usingWindows ServerCore. To confirm that you are run thecommand below:

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v InstallationType

Server Core in your output confirms that you are using Windows Core edition.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion    InstallationType    REG_SZ    Server Core

If you require a graphical user interface for your workload, look atcreating aWindows instancethat contains Desktop Experience instead of Server Core. Alternatively, you mayreview the Microsoft documentation formanaging Windows Coreserver.

Check your VPC firewall rules

Compute Engine automatically provisions new projects with a firewall rulethat allows RDP traffic. If you have an existing project, or have modified theconfigurations, the default firewall rule that permits RDP might not exist.Confirm that a rule allows RDP traffic to connect to the network thatyour affected instance is on.

To check if thedefault-allow-rdpfirewall rule exists on your project, check theFirewall rules page, or runthe following gcloud CLI command:

gcloud compute firewall-rules list

To create a new rule if one does not exist, create a rule with the followingcommand:

gcloud compute firewall-rules create allow-rdp --allow tcp:3389

Ensure that you're connecting to the correct external IP address for theinstance. View the IP for the instance from theVM instance pageor by using the following gcloud CLI command:

gcloud compute instances list

Use of Windows Remote Desktop Services (RDS)

If you have Windows Remote Desktop Services (formerly known as TerminalServices) installed on your instance, then the conditions of the Client AccessLicenses (CALs) are enforced. With these CALs, RDP connections will fail underany of the following conditions:

• You have used all your available licenses
• Your license is installed, but not configured or activated correctly
• Your RDS trial period of 180 days has expired

Symptoms that you may not have enough valid licenses include messages such as:

• This remote session was disconnected because there are no Remote DesktopLicense Servers available to provide a license.
• The remote session was disconnected because of an error related tolicensing in terminal server.
• The remote session was disconnected because there are no Remote Desktopclient access licenses available for this computer.

If your RDP connections fail, you can use the admin switch to connect to theinstance for administrative purposes. This can be done on a Windows machine byusing the native Remote Desktop Connection client.

%SystemRoot%\System32\mstsc.exe /admin

To resolve issues with RDP connections, purchase new RDS licenses for yourinstance. For more details about CALs, review theMicrosoft documentation. Alternatively, if Remote Desktop Services are not required, uninstall the service and use regular RDP connections.

Validate OS level configuration and resources

If the guest environment and configurations for the instance are correct, theoperating system on the instance might be misconfigured. Additionally, withoutadequate resources it's possible that an RDP connection might fail to beestablished. To validate OS level configuration,connect to the Windows SAC:

• Ensure the VM has adequate resources
• Check the OS configuration

Ensure the VM has adequate resources

Verify the CPU, memory, disk usage, and available disk space are not reachingtheir limits. This data can be inspected by viewing theobservability metricsin the Google Cloud console. Some metrics are available only for VMs that have theOps Agentinstalled. Alternatively, if the Ops Agent is not installed, use thefollowing commands when connected toSAC:

CPU usage, memory usage, disk usage and disk capacity

• CPU usage:

  typeperf "\Processor(_Total)\% Processor Time" -sc 5

• Memory usage:

  typeperf "\Memory\% Committed Bytes In Use" -sc 5

• Disk Usage:

  typeperf "\LogicalDisk(*)\% Idle Time" -sc 5

• Disk Capacity:

  fsutil volume diskfree C:

The following are the recommended resource usages for an RDP connection,however these are just estimates, and might vary between instances.

• CPU: <80%
• Memory: <80%
• Disk space: >20%
• Disk idle: >50%

If any of the suggested estimates are reaching their limits, you can modify thatresource for the VM instance. To edit VM properties, see how toedit the machine type of a VM instanceandincrease the size of a persistent disk.

Check the OS configuration

Connect to the VM's SACand run the following commands to ensure that the instance is acceptingconnections:

1. Check to see that the ethernet adapter is enabled:

   • Command:

     netsh interface show interface

   • Pass: Admin state is set toEnabled on Interface Name labeledEthernet
   • Fail: Admin state is set toDisabled on Interface Name labeledEthernet
   • Solution: Enable the ethernet adapter:

     netsh interface set interface Ethernet admin=enabled

2. Check to see that the instance has a valid IP configuration:

   • Command:

     ipconfig /all

   • Pass: Ethernet AdapterEthernet will show an IPv4 Address of thesubnet the instance is assigned to.
   • Fail: No IPv4 address, or an address that doesn't match what is shownin Google Cloud console.
   • Solution: Proceed to the next step.
   Note: If an address is assigned and not "(Preferred)" this means that theIP address was assigned as static on the guest OS level. This should be setto DHCP to allow the metadata server to assign the correct IP address.

3. Check to see that DHCP is enabled on the instance:

   • Command:

     netsh interface ipv4 show addresses

   • Pass: Output underEthernet containsDHCP Enabled: Yes.
   • Fail: Output underEthernet containsDHCP Enabled: No.
   • Solution: Enable DHCP on the ethernet adapter:

     netsh interface ipv4 set address Ethernet dhcp

   Note: Virtual network adapters on Google Cloud VM instances are set to"Ethernet" by default, but can be changed or have a number appended in thecase of multi-nic instances. In these cases, substitute the interface nameappropriately.

4. Check to see that the 'Remote Desktop Service' is running:

   • Command:

     net start | find "Remote Desktop Services"

   • Pass: Remote Desktop Service
   • Fail: (Remote Desktop Service missing from output)
   • Solution: Start the Remote Desktop Services:

     net start "Remote Desktop Services"

5. Check that Remote Connections are enabled:

   • Command:

     reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

   • Pass: fDenyTSConnections REG_DWORD 0x0
   • Fail: fDenyTSConnections REG_DWORD 0x1
   • Solution: Enable remote desktop connections in the registry:

     reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /f /v fDenyTSConnections /t REG_DWORD /d 0

6. Ensure that the Windows firewall has Remote Desktop Connections enabled:

   • Command:

     netsh advfirewall firewall show rule name="Remote Desktop -User Mode (TCP-In)"

   • Pass: Enabled:Yes, Direction: In, Profiles: Public, Grouping: RemoteDesktop, LocalIP: Any, RemoteIP: Any, Protocol:TCP, LocalPort: 3389,RemotePort: Any, Edge traversal: No, Action: Allow

     Note: This is the default configuration, so your requirements might be different.

   • Fail: (unexpected results, such as enabled = No)

   • Solution: Enable the default "Remote Desktop" firewall rule withinWindows Firewall:

     netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

7. Check to see what port number is configured for RDP connections on the remoteinstance:

   • Command:

     reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber

   • Pass: PortNumber REG_DWORD [PORT NUMBER]
   • Fail: (unexpected port number)

   • Solution: Configure the port number in the registry required for RDP:

     reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /f /v PortNumber /t REG_DWORD /d [PORT NUMBER]

     Note: Number is in hexadecimal, 0xd3d = 3389 (default port is 3389).

8. Verify that another application is not trying to use the same port:

   • Command:

     netstat -ano | find "3389"

   • Pass: Look for an entry for the assigned RDP port with a status ofListening. The matching service can be found using the process identifier(PID) by using the following command:

     tasklist /svc | find ""

     where PID is the identifier from the previous command. The output shouldonly haveTermservice being returned.
   • Fail: Anything but theTermservice is using the assigned port.
   • Solution: Configure the application/service to use another portnumber.

9. Ensure that connected user account has permissions for remote connections:

   • Command:

     net localgroup "Remote Desktop Users"

   • Pass: (target local/domain username in resulting list)
   • Fail: (target local/domain username missing)

   • Solution: Add the "Remote Desktop Users" rule to a user in the domain:

     net localgroup "Remote Desktop Users" /add [DOMAIN\USERNAME]

     The domain is required only for user accounts on a system joinedto a different domain. For local accounts, specify only the username.

10. Verify the client/server security negotiation is set to itsdefault value:

    • Command:

      reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer

    • Pass: SecurityLayer REG_DWORD 0x1
    • Fail: SecurityLayer REG_DWORD 0x0 (or 0x2)
    • Solution: Set the security negotiation value in the registry:

      reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 1 /f

11. In situations where your instance is connected to an Active Directory domain,but the connection could not be established you may receive the following errorwhen trying to access your instance:

    The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA.

    Verify the user Network Level Authentication (NLA) is set to itsdefault value:

    • Command:

      reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication

    • Pass: UserAuthentication REG_DWORD 0x0
    • Fail: UserAuthentication REG_DWORD 0x1
    • Solution: Set the Network Level Authentication value in the registry:

      reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

12. Verify that your MTU size is no greater than the MTU of the network:

    • Command:

      netsh interface ipv4 show subinterfaces

    • Pass: When the number after the MTU matches the MTU of the VPC network.
    • Fail: When the number after MTU is larger than the MTU of the VPC network.

    • Solution: Set the MTU of the interface to the MTU of the VPC network:

      netsh interface ipv4 set subinterface Ethernet mtu=MTU_OF_VPC_NETWORK

      Note: VPC networks have a defaultmaximum transmission unit (MTU) of1460 bytes. However, the network MTU can be set to the standard Ethernet MTU of1500 bytes, up to8896 bytes for jumbo frames, or as low as1300. For more information about network MTUs, see themaximum transmission unit overview.

      For more information about MTU size incompatibilities, see ourpacket fragmentationdocumentation.

13. If you try to connect to the VM by using RDP and the VM displays the keyboardlayout screen, you need to select a language by connecting to Windows SAC. Toselect a language, complete the following steps:

    1. Connect to the SAC.
    2. Open Powershell by typingpowershell.

    3. Get the correct language string.

       Get-WinUserLanguageList

    4. Set the desired layout. ReplaceLANGUAGE_TAG with the languagelayout you want (for example,en-US).

       Set-WinUserLanguageList -LanguageListLANGUAGE_TAG -force

    5. Reboot your instance.

       shutdown -r -t 0

14. For RDP errors on the logon screen mentioningyou need the right to sign inthrough Remote Desktop Services oryou must be granted the Allow log onthrough Terminal Services right, the Remote Desktop Users or Administratorsgroup was removed from Local Computer Policy setting found inAllow log on through Remote Desktop Services orSeRemoteInteractiveLogonRight.

    Note: If you encounter this issue, contact Google Cloud Support.

15. Verify there are no missing permissions blocking certificates authentication:

    • Command:

      icacls.exe "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys"

    • Pass: Output resemblesEveryone:(R,W) BUILTIN\Administrators:(F)
    • Fail: Output doesn't matchEveryone:(R,W) BUILTIN\Administrators:(F)
    Note: If you encounter this issue, contact Google Cloud Support.

16. Ensure that your antivirus/endpoint protection client settings allow for theconfigured port number and services.

    Note: This process will vary between products, and might not have a commandline solution.

Verify session timeout limits

If you are able to establish an RDP connection but you are disconnected aftersome time with a message mentioning that yourTimer Expired verify thefollowing values are as expected:

Registry Path:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

Registry Keys:

• MaxDisconnectionTime
• MaxIdleTime
• MaxConnectionTime
• MaxDisconnectionTime
• RemoteAppLogoffTimeLimit

These values are set in milliseconds. If these keys are missing from yourregistry then there are no session limits on your VM instance. If these keysare present in your registry but their values are set to0, then your sessionwill never expire.

Troubleshoot Windows startup

If the above troubleshooting steps have not resolved your RDP connection issue,your Windows instance may not be booting or running correctly. In this case,review our guide fortroubleshootingWindows.

What's next

• Learn more abouttroubleshooting the Windows operatingsystem.

• Learn how tocollect diagnostic information from aVM.

• Learn abouttroubleshooting using the serialconsole.

• Learn how tocapture screenshots fromVMs.