Anyone else getting screwed by Microsoft April Patch that requires signed RDP files
Posted by Known_Experience_794@reddit | sysadmin | 76 comments
Just curious how many others make heavy use of RDP files anywhere in their environment and having issues with the new warning boxes after applying Microsoft's April patches? If so, how are you planning to deal with these?
Yes, I know we can code sign them. But that's going to turn into a royal pain in the butt.
RiskyRedBeaver@reddit
https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/remotepc/understanding-security-warnings
HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client with the following values:
scalg@reddit
This is only temporary: A future Windows update might remove support for this setting, even on older versions of Windows. Plan to transition your environment to work with the new security dialog.
Hilitec@reddit
Hello,
If you need to fix it quickly on some machines, and you don't have time to write a policy (or the computer is not in a domain), you can ask your customer to surf there quickly, and it will download the registry .reg file for that: https:/6co.ch/rdp
Regards,
Known_Experience_794@reddit (OP)
The reg mod does in fact work. However, the problem with this is that Microsoft pretty much warns that the reg mod they provide may not work after a future update. And they call it out pretty clearly at the bottom of that article.
zz9plural@reddit
Yes, I still made a GPO that sets the key as a temporary fix until I can get my internal root CA working properly again.
MS screwed that one up, too.
BlackV@reddit
yes, and they will also make the change (again) without telling anyone beforehand
BioshockEnthusiast@reddit
Well that's nothing new. Updates reset registry values all the damn time.
Quick_Plenty6970@reddit
this really saved our bacon, we got countless first line calls with no real impact on end users but call volume was growing.
Known_Experience_794@reddit (OP)
Yeah, they can still click through and set the options, IF they know what to do. But it's a sudden change and end users don't know what to do. Personally I think Microsoft really screwed the pooch on this one. And I am not sure I fully agree with the RDP file being a threat. We block RDP files via email filtering, as I am sure a lot of other orgs do as well.
jspears357@reddit
Someone who gains user access to an admins computer can modify one of their RDP files, redirect it to something that looks like their server, then when they use their admin acct to log onto “their” server, capture the cred.
inbeforethelube@reddit
With this logic they should nuke the hosts file too
GMginger@reddit
Can't change that with only User level permissions, so it's not a good comparison.
inbeforethelube@reddit
Why does the admin here matter?
GMginger@reddit
I'm not sure what you're saying.
Someone who gains user access to an admin's computer isn't going to be able to modify the hosts file.
thortgot@reddit
Sure but there are dozens of ways into your environment that aren't email.
Known_Experience_794@reddit (OP)
No argument there. There is always a way in. But email is usually the primary.
SparkyLou999@reddit
We had a number of systems where the dialog box was not rendered correctly and whatever you did it was impossible to tick the boxes.
The registry adjustment is a lifesaver - thank you.
BlackV@reddit
how are you getting "screwed" exactly?
cause of a yes/no prompt?
WTFKEK@reddit
r/sysadmin is more about desktop support issues nowadays.
Known_Experience_794@reddit (OP)
We ALL got screwed because of Microsoft pulling this kind of dumb shit that will affect 95% of our user base, without so much as a peep of a heads up for it. Typical Microsoft stupidity these days. That's how.
BlackV@reddit
100% agree this is dumb Ms shite
But how did you actually get screwed? What thing stopped you completely?
Screwed does not mean, you had to click on an extra dialogue or 2
Screwed means shite exploded
FatBook-Air@reddit
Tell me you don't work in enterprise IT without telling me.
stephendt@reddit
No. I'm not going to tell you
BlackV@reddit
lawl I mean I do, but seriously how?
FlyingRottweiler@reddit
Yep. Planning on pushing out the reg key on Monday to prevent the error, but as you said in another comment it’s unlikely to be a long term solution.
Ancient-Equipment673@reddit
Well is it an error ?
Known_Experience_794@reddit (OP)
Yep. Same here. Will be pushing out the reg key. But we need a long term solution for this. Manually signing RDP files all the time is not a good answer. And what's worse, in my testing, even after you sign the files, you still get the same dialogue box. The only difference is that it will then let you save which connection options you want and remember them. But it looks like Microsoft now intends for that box to ALWAYS pop up every time.
man__i__love__frogs@reddit
Use RD Gateway, cert with a long expiration date from a CA that clients trust.... Not rocket science this stuff has been around for decades.
BlackV@reddit
you have to sign the file AND put the cert thumbprint on the machines trusted certs location, to get it all the way "gone"
Longjumping_Gap_9325@reddit
How does this impact things like CyberArk remote connections where it provides an RDP download file to open a remote connection (if you don't do the in-browser via Guacamole deal)?
bzhgeek2922@reddit
On prem you can enable rdpfilesigning - basically giving PVWA access to the HTTPS private key.
With PCloud and classic PSM there is no way out; you have to revert Microsoft's move through the registry.
Secret_Account07@reddit
Here’s my question- why did we just find out about this the other week? Did anyone get any kind of heads up? They are supposed to give us enterprise users a heads up on changes BEFORE.
jmbpiano@reddit
I took a look at the github history for the Microsoft Learn page that documented the change. They added it to the repo a week before the update released.
As far as I can tell, that was the first mention anywhere that this was going to happen. For as impactful as it was, it really should have been a month or two advanced notice at least, imo.
psiphre@reddit
same tbh.
Secret_Account07@reddit
Couldn’t agree more.
I gave a heads up to our team of about 100. We manage several thousand servers and have many times that as customers.
Luckily we do several rounds of patching after patch Tuesday so weren’t caught off guard except for a few customers that patch immediately but still. Really shouldn’t be this way.
Known_Experience_794@reddit (OP)
What was that old saying someone said? "Move fast and break things" I think it was...
awful_at_internet@reddit
Now it's:
"Move fast - and here's where things get interesting:
Break Things: Our code salad is the finest gourmet assembly of script that you'll ever rectally digest, but sometimes you just need to add spaghetti sauce.
Cumulonimbus sailed the ocean blue in 1492.
Citation: website for a completely unrelated topic"
HDClown@reddit
There was a message center announcement... on the same day the patches making the change were released, lol.
bbqwatermelon@reddit
This is confirmation that GA channels are beta testers.
Secret_Account07@reddit
Yeah I saw that lol. What’s funny is I found complaints online about the issue before seeing the message.
I swear Reddit is a better resource than MS message centers.
JealousRhubarb9@reddit
I found out about it yesterday. Someone couldn't print from an RDP service. I had to check the boxes and restart the RDP session.
nodiaque@reddit
It's called Insider channels. You should have some users in it in different builds and rings.
Known_Experience_794@reddit (OP)
It's the Microsoft way these days...
Sunsparc@reddit
We pushed out the cert our RDP is signed with to Trusted Publishers on all endpoints and also pushed the consent accepted registry key out. We already code signed our RDP files with a wildcard, so it was just a matter of pushing that to endpoints.
bjc1960@reddit
Worse - many machines are hanging/freezing and people are upset. They are going to need to be wiped unless we can find a cause/fix this weekend. Exec team's computers are all updated with no issue, so that is a saving grace.
BlackV@reddit
why?
bjc1960@reddit
The users are locking up after 2 to 10 minutes. They are unable to work. They are users that are remote. If you have other ideas, I am open to them. A wipe will get them working in three hours.
BlackV@reddit
Will it though?
I understand they are locking up after a few minutes, why would a wipe fix that?
Vs. say using the Windows App for RDP instead?
ellwood00@reddit
This guy made a powershell script to self sign it. I think it’s better than reverting the setting
https://www.reddit.com/r/sysadmin/s/64unfEDKLb
Stewie505@reddit
Oh yes.
This really threw a wrench into my end users' daily workflow. We work in a pretty heavily regulated environment and my end users have been trained (very well) to report any unexpected or unannounced changes. So first thing in the morning it was a flood of incidents.
Luckily we deploy the various RDP files via GPO or Intune and staff already had code signing certificates. So we were able to deploy updated files pretty quick.
In the end everyone on the team was a bit frustrated with what we felt could have been better communicated by Microsoft.
FIRSTFREED0CELL@reddit
The only place I use a lot of RDP connections is in my homelab, connecting to VMs. I use the free version of Devolutions Remote Desktop Manager, and it has been unaffected by the April patches.
(Work for me is mostly mainframe and network gear connections).
Known_Experience_794@reddit (OP)
Yes. This seems to only affect the use of .RDP files. I have tested my RDM as well and it is not affected. But we have users that regularly use RDP files. So they do not have RDM.
Ihaveasmallwang@reddit
It only affects the use of RDP files in Windows Remote Desktop Connection. If you connect via the Windows App you aren't affected. If you use another client app, you aren't affected.
Red_Wolf_2@reddit
I'm still annoyed that the RDP client now centres the input fields for username and password... They used to be left-aligned or justified, but now they just look wrong!
spin_kick@reddit
Yes, we all have.
UltraEngine60@reddit
It'd be a shame if you needed to renew your code signing certs on non enterprise devices every 72 hours... but thankfully there is an Azure service for that ;)
barkode15@reddit
It wasn't too big a deal for me. I've got a folder of about 50 rdp files that a few of us use to connect to ERP servers.
Requested a cert from our CA and had Claude give me the 5 lines of powershell to recursively sign every file in the folder. Pushed the thumbprint out via GPO and we're all set. Took like 20 minutes.
TalkingToes@reddit
Can you post what they were? I get a Trusted OK, and still an error.
barkode15@reddit
Request a code signing or user cert from your AD CA and grab the thumbprint of it. Then run this targeting the folder of .rdp's
I got the new connection warning once after this, and was able to check the box to allow all from this publisher. We still get the "Identity of remote computer cannot be verified" popup, but that's some other issues with our setup.
Cormacolinde@reddit
See my comments in this thread for a permanent fix:
https://www.reddit.com/r/sysadmin/s/XTPOKj6Zt0
Tl9zaXh0eWZvdXI@reddit
This is the link you should be using https://www.reddit.com/r/sysadmin/comments/1sm61eo/fyi_microsoft_rdp_changes_with_april_cumulative/ogclwab/, you need to sign the rdp file AND push the signing cert hash to that GPO.
Nacke@reddit
We have had so many calls and were taken by surprise! We haven't had time to dig deep but we did try signing a few RDP files and it doesn't solve the problem. You still get the pop up every time you try to connect with the shortcut. The only difference is that it is now yellow and not red, so not as scary looking, and you can save the selection of allowed resources to share. But it does not go away.
Has anyone solved this without the likely temporary regedit solution?
BlackV@reddit
It's at least 2 steps: sign the file, trust the cert you used for signing.
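The two steps barkode15 and BlackV describe above (sign every .rdp in a folder, then trust the signing cert on the endpoint), as an added example that is not code from the thread. It assumes rdpsign.exe is on PATH, the signing cert with its private key is in Cert:\CurrentUser\My, that `/sha256` accepts the thumbprint shown in the cert store (as the commenters describe), and that the trusted-publishers GPO writes the `TrustedCertThumbprints` value under the policy key below (an assumption; verify against your ADMX).

```powershell
# Added example, not from the thread. Run elevated if -TrustPublisher is used.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,  # thumbprint from Cert:\CurrentUser\My
    [Parameter(Mandatory)] [string] $RdpFolder,   # folder holding the .rdp files
    [switch] $DryRun,                             # rdpsign /l: test without rewriting files
    [switch] $TrustPublisher                      # also add the thumbprint to the trusted .rdp publishers policy
)

$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; cannot sign with it" }

$files  = Get-ChildItem -Path $RdpFolder -Filter *.rdp -Recurse -File
$failed = @()
foreach ($f in $files) {
    $signArgs = @('/sha256', $Thumbprint)
    if ($DryRun) { $signArgs += '/l' }
    $signArgs += $f.FullName
    & rdpsign.exe @signArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { $failed += $f.FullName; continue }
    # A signed .rdp carries signscope:s: and signature:s: lines; confirm they landed.
    if (-not $DryRun -and -not (Select-String -Path $f.FullName -Pattern '^signature:s:' -Quiet)) {
        $failed += $f.FullName
    }
}
"Signed $($files.Count - $failed.Count) of $($files.Count) .rdp file(s)"
$failed | ForEach-Object { Write-Warning "Not signed: $_" }

if ($TrustPublisher) {
    # Assumption: same value the "trusted .rdp publishers" GPO writes (comma-separated thumbprints).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    New-Item -Path $key -Force | Out-Null
    $existing = (Get-ItemProperty -Path $key -Name TrustedCertThumbprints -ErrorAction SilentlyContinue).TrustedCertThumbprints
    $list = @($existing -split ',' | Where-Object { $_ }) + $Thumbprint | Select-Object -Unique
    Set-ItemProperty -Path $key -Name TrustedCertThumbprints -Value ($list -join ',')
}
```

Use -DryRun first; a file that rdpsign rejects (for example one already edited by hand) shows up in the warnings instead of being silently left unsigned.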
dedjedi@reddit
but ya gonna pay them for this privilege again and again when the time comes.
that's why enshittification happens. cuz we pay for it.
BlackV@reddit
France, Germany, China and a bunch of others are doing their best to move away entirely from MS tools (I mean it'll be a 10 year plan at least, but they're on the way)
Demented_CEO@reddit
Don't shortcuts calling mstsc get past this as well?
Known_Experience_794@reddit (OP)
I don't think you can pass enough command line arguments with mstsc to do things like set gateway, printer, camera, mic redirection etc.. mstsc is just a basic connection without the options as far as I can tell
justyouropionionman@reddit
Bro, just click more options and save it.
BlackV@reddit
er.. that's the whole issue, rdp files will spit up the warning
https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/remotepc/understanding-security-warnings
Known_Experience_794@reddit (OP)
You can't. When you "save" it, that's created the RDP file. If you then click that RDP file, you then get MS's new warnings.. Every Time.. Even if you then digitally sign that RDP file, you will still get the dialogue box, it's just less threatening looking, and it will save your selected options for next time, but next time the box will still pop up. It's probably going to be a combo of using the reg to give us time to prep, find and sign all the RDP files and add the publisher as trusted on the workstations, and then end user training...
Alarmed-Shine8133@reddit
Picky correction - you can set the gateway with /g:servername.
Since none of the useful post-connection session details you mention can be set, mstsc is still off the table as a useful workaround.
qkdsm7@reddit
Mayhem.
Looks like for remoteapp shortcuts, the message can just go away if you don't accept quickly enough, and won't come back when you try to re-launch, so "it's all broken, what did you change?"
Alarmed-Shine8133@reddit
That's ugly. :|
It's a long shot, but can you check if users are actually logging off vs just disconnecting?
The not prompting sounds almost like a user reconnecting to a session that already has redirection off.
Eggslaws@reddit
Breathe a sigh of relief you have just a simple warning message for RDP and it's not the users flooding your help desk with calls because they are locked out by BitLocker updates!
BatPsychological4678@reddit
How's everyone else handling the signed RDP files for older systems not supported by the new patches?
BatPsychological4678@reddit
How about RDP files used for QuickAssist or other non-shortcut scenarios? Any workarounds there?