In some situations, you might not be able to connect to your Compute Engine Windows virtual machine (VM) instance with RDP. This might be due to configuration errors or network errors, or because the boot process has not completed.
This document describes a number of tips and approaches to troubleshoot and resolve common RDP issues.
Ensure the VM is online and ready
After the VM has finished booting, which may take a few minutes, confirm its state using one of the following methods:
Serial port 1
Serial port 1 is used to log system and application activity. View its output to determine whether your VM has finished booting and whether services have started correctly.
In the Google Cloud console, go to the VM instances page.
Click the name of the VM you want to view logs for. The VM instance details page opens.
Under logs, select Serial port 1.
Review serial port 1 output and look for output similar to the following:
BdsDxe: loading Boot0003 "Windows Boot Manager" from HD(2,GPT,DD3FB000-7000-4000-8000-3977378A7000,0x0000,0x00000)/\EFI\Microsoft\Boot\bootmgfw.efi
BdsDxe: starting Boot0003 "Windows Boot Manager" from HD(2,GPT,DD3FB000-7000-4000-8000-3977378A7000,0x0000,0x00000)/\EFI\Microsoft\Boot\bootmgfw.efi
UEFI: Attempting to start image.
Description: Windows Boot Manager
FilePath: HD(2,GPT,DD3FB000-7000-4000-8000-3977378A7000,0x0000,0x00000)/\EFI\Microsoft\Boot\bootmgfw.efi
OptionNumber: 3.
2021/04/13 10:50:22 GCEGuestAgent: GCE Agent Started (version 20210128.00)
2021-04-13T10:50:23.4621Z OSConfigAgent Info: OSConfig Agent (version 20210217.00.0+win@1) started.
2021/04/13 10:50:42 GCEMetadataScripts: Starting startup scripts (version 20200129.00).
2021/04/13 10:50:42 GCEMetadataScripts: No startup scripts to run.
Output containing GCEGuestAgent or GCEMetadataScripts confirms that Windows has started successfully. Try reconnecting to your VM using RDP.
Serial port 2
Serial port 2 provides an interactive connection to the VM and also shows the output of the Special Administrative Console (SAC). You can use serial port 2 to determine if system services have started successfully.
In the Google Cloud console, go to the VM instances page.
Click the name of the VM you want to view logs for. The VM instance details page opens.
Under logs, expand More, then click Serial port 2 (console).
Review the serial port 2 output and look for output similar to the following:
BdsDxe: loading Boot0003 "Windows Boot Manager" from HD(2,GPT,DD3FB000-7000-4000-8000-3977378A7000,0x0000,0x00000)/\EFI\Microsoft\Boot\bootmgfw.efi
BdsDxe: starting Boot0003 "Windows Boot Manager" from HD(2,GPT,DD3FB000-7000-4000-8000-3977378A7000,0x0000,0x00000)/\EFI\Microsoft\Boot\bootmgfw.efi
UEFI: Attempting to start image.
Description: Windows Boot Manager
FilePath: HD(2,GPT,DD3FB000-7000-4000-8000-3977378A7000,0x0000,0x00000)/\EFI\Microsoft\Boot\bootmgfw.efi
OptionNumber: 3.
<machine-info>
<name>WINDOWS</name>
<guid>b7ab5000-4000-e000-e000-bc5a738da000</guid>
<processor-architecture>AMD64</processor-architecture>
<os-version>10.0</os-version>
<os-build-number>17763</os-build-number>
<os-product>Windows Server 2019 Datacenter</os-product>
<os-service-pack>None</os-service-pack>
</machine-info>
Computer is booting, SAC started and initialized.
Use the "ch -?" command for information about using channels.
EVENT: The CMD command is now available.
SAC>
Output containing SAC started and initialized or CMD command is now available confirms that Windows has started successfully. Try reconnecting to your VM using RDP.
VM Screenshot
VM screenshots provide a visual representation of a VM's state, similar to a computer monitor.
Before you can capture a screenshot of your VM, you must enable the VM's virtual display. If you haven't already enabled the virtual display, see Enabling virtual displays.
Capture a screenshot. For more information, see Capturing a screenshot from a VM.
Review the screenshot to see that the instance is ready.
Compare your screenshot to the following to determine the current state:
- A Windows login screen confirms the OS has started successfully; you can now attempt to connect via RDP.
- The Windows Update progress screen indicates the VM is not yet ready; allow more time for it to complete the updates.
- A services loading screen indicates the VM is not yet ready; allow more time for the VM to start necessary services.
- A UEFI loading screen may indicate a missing boot file/record or corrupt boot sector/manager.
- A Windows blue screen error may be temporary or require further troubleshooting.
If Windows has not started successfully after a few minutes, review the Troubleshooting Windows guide.
Check your Windows instance password
Each Compute Engine Windows instance must have a local password set if it is not already on a domain or custom image. Confirm you have the correct password set by connecting to the VM through the Google Cloud CLI command-line tool or Google Cloud console. For more information, see Connecting to the Windows SAC.
If you have problems connecting, try creating or resetting the password. For more information, see Creating passwords for Windows VMs.
Check if you're using Windows Server Core
When connecting using RDP, if you receive a Command Prompt window on a blank background, this likely indicates you are using Windows Server Core. To confirm, run the following command:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v InstallationType
Server Core in your output confirms that you are using Windows Core edition.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    InstallationType    REG_SZ    Server Core
If you require a graphical user interface for your workload, look at creating a Windows instance that contains Desktop Experience instead of Server Core. Alternatively, you may review the Microsoft documentation for managing Windows Core server.
Check your VPC firewall rules
Compute Engine automatically provisions new projects with a firewall rule that allows RDP traffic. If you have an existing project, or have modified the configurations, the default firewall rule that permits RDP might not exist. Confirm that a rule allows RDP traffic to connect to the network that your affected instance is on.
To check if the default-allow-rdp firewall rule exists on your project, check the Firewall rules page, or run the following gcloud CLI command:
gcloud compute firewall-rules list
If the rule does not exist, create one with the following command:
gcloud compute firewall-rules create allow-rdp --allow tcp:3389
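An added example, not part of the original page: the create command above sets no --source-ranges, which gcloud treats as 0.0.0.0/0, so this Python code reads the rule list in JSON form (gcloud compute firewall-rules list --format=json) and reports which source ranges can reach tcp:3389. Every rule in the sample except the name default-allow-rdp is constructed, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = json.loads("""[
  {"name": "default-allow-rdp", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
  {"name": "allow-rdp-admin", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["203.0.113.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
  {"name": "allow-web", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
  {"name": "old-rdp", "direction": "INGRESS", "disabled": true,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]}
]""")


def allows_tcp_port(entry, port):
    """True if one `allowed` entry of a rule covers the given TCP port."""
    if entry.get("IPProtocol") not in ("tcp", "6", "all"):
        return False
    ports = entry.get("ports")
    if not ports:  # no ports listed means every port of that protocol
        return True
    for spec in ports:
        low, _, high = spec.partition("-")  # "3389" or a range like "3000-4000"
        if int(low) <= port <= int(high or low):
            return True
    return False


def rdp_exposure(rules, port=3389):
    """Return (rule name, source range, open_to_any) for enabled ingress rules admitting the port."""
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if not any(allows_tcp_port(a, port) for a in rule.get("allowed", [])):
            continue
        # Rules scoped only by source tags have no sourceRanges and are not listed.
        for cidr in rule.get("sourceRanges", []):
            net = ipaddress.ip_network(cidr, strict=False)
            findings.append((rule["name"], cidr, net.prefixlen == 0))
    return findings


if __name__ == "__main__":
    for name, cidr, wide in rdp_exposure(SAMPLE_RULES):
        print(f"{name}: tcp/3389 from {cidr}" + ("  <-- any source" if wide else ""))
```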
Verify the external IP address
Ensure that you're connecting to the correct external IP address for the instance. View the IP for the instance from the VM instance page or by using the following gcloud CLI command:
gcloud compute instances list
Use of Windows Remote Desktop Services (RDS)
If you have Windows Remote Desktop Services (formerly known as Terminal Services) installed on your instance, then the conditions of the Client Access Licenses (CALs) are enforced. With these CALs, RDP connections will fail under any of the following conditions:
- You have used all your available licenses
- Your license is installed, but not configured or activated correctly
- Your RDS trial period of 180 days has expired
Symptoms that you may not have enough valid licenses include messages such as:
- This remote session was disconnected because there are no Remote Desktop License Servers available to provide a license.
- The remote session was disconnected because of an error related to licensing in terminal server.
- The remote session was disconnected because there are no Remote Desktop client access licenses available for this computer.
If your RDP connections fail, you can use the admin switch to connect to the instance for administrative purposes. This can be done on a Windows machine by using the native Remote Desktop Connection client.
%systemroot%/system32/mstsc.exe /admin
To resolve issues with RDP connections, purchase new licenses for your instance. For more details about CALs, review the Microsoft documentation. Alternatively, if Remote Desktop Services are not required, uninstall the service and use regular RDP connections.
Check the OS configuration
If the environment and configurations for the instance are correct, the operating system on the instance might be misconfigured. You can use the interactive serial console to connect to the instance and troubleshoot the problem.
Connect to the instance through one of the available command line methods, and run the following commands to ensure that the instance accepts connections:
Check to see that the 'Remote Desktop Service' is running:
- Command: net start | find "Remote Desktop Services"
- Pass: Remote Desktop Service
- Fail: (Remote Desktop Service missing from output)
- Solution: net start "Remote Desktop Services"
Check that Remote Connections are enabled:
- Command: reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
- Pass: fDenyTSConnections REG_DWORD 0x0
- Fail: fDenyTSConnections REG_DWORD 0x1
- Solution: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /f /v fDenyTSConnections /t REG_DWORD /d 0
Ensure that the Windows firewall has Remote Desktop Connections enabled:
- Command: netsh advfirewall firewall show rule name="Remote Desktop - User Mode (TCP-In)"
- Pass: Enabled:Yes, Direction: In, Profiles: Public, Grouping: Remote Desktop, LocalIP: Any, RemoteIP: Any, Protocol:TCP, LocalPort: 3389, RemotePort: Any, Edge traversal: No, Action: Allow
- Fail: (unexpected results, such as enabled = No)
- Solution: netsh firewall set service remotedesktop enable
Check to see what port number is configured for RDP connections on the remote instance:
- Command: reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
- Pass: PortNumber REG_DWORD [PORT NUMBER]
- Fail: (unexpected port number)
- Solution: reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /f /v PortNumber /t REG_DWORD /d [PORT NUMBER]
Ensure that the connecting user account has permissions for remote connections:
- Command: net localgroup "Remote Desktop Users"
- Pass: (target local/domain username in resulting list)
- Fail: (target local/domain username missing)
- Solution: net localgroup "Remote Desktop Users" /add [DOMAIN\USERNAME]
The domain is required only for user accounts on a system joined to a different domain. For local accounts, specify only the username.
Reset client/server security negotiation to its default value:
- Command: reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer
- Pass: SecurityLayer REG_DWORD 0x1
- Fail: SecurityLayer REG_DWORD 0x0 (or 0x2)
- Solution: reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 1 /f
Reset user network level authentication to its default value:
- Command: reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication
- Pass: UserAuthentication REG_DWORD 0x0
- Fail: UserAuthentication REG_DWORD 0x1
- Solution: reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
Verify that your MTU size is no greater than the MTU of the network:
- Command: netsh interface ipv4 show subinterfaces
- Pass: When the number after the MTU matches the MTU of the VPC network.
- Fail: When the number after MTU is larger than the MTU of the VPC network.
- Solution: netsh interface ipv4 set subinterface Ethernet mtu=MTU_OF_VPC_NETWORK
For more information about MTU size incompatibilities, see our packet fragmentation documentation.
Ensure that your antivirus/endpoint protection client settings allow for the configured port number and services.
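An added example, not from the original page: this Python code parses saved reg query output from the registry checks above and scores each value against the pass criteria this page lists. The sample output is constructed, the function names are hypothetical, and comparing PortNumber with the port your VPC firewall rule allows (firewall_port) is an assumption.

```python
import re

# Pass values exactly as this page lists them for each registry value.
EXPECTED = {
    "fDenyTSConnections": 0x0,   # remote connections enabled
    "SecurityLayer": 0x1,        # the page's default security negotiation
    "UserAuthentication": 0x0,   # the page's default: NLA not required
}

# Constructed sample: concatenated output of `reg query ... /v <name>` commands.
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    PortNumber    REG_DWORD    0xd3d

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    SecurityLayer    REG_DWORD    0x1
"""

# Value lines are indented; key-path lines start in column 0 and never match.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")


def parse_dwords(text):
    """Map value name -> int for every REG_DWORD line in reg query output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def evaluate(text, firewall_port=3389):
    """Return {value name: 'pass' | 'fail' | 'missing'} using the page's pass criteria."""
    found = parse_dwords(text)
    expected = dict(EXPECTED, PortNumber=firewall_port)  # assumption: must match the firewall rule
    return {name: ("missing" if name not in found else
                   "pass" if found[name] == want else "fail")
            for name, want in expected.items()}


if __name__ == "__main__":
    for name, status in evaluate(SAMPLE_OUTPUT).items():
        print(f"{name}: {status}")
```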
Troubleshoot Windows startup
If the above troubleshooting steps have not resolved your RDP connection issue, your Windows instance may not be booting or running correctly. In this case, review our guide for troubleshooting Windows.
What's next
Learn more about troubleshooting the Windows operating system.
Learn how to collect diagnostic information from a VM.
Learn about troubleshooting using the serial console.
Learn how to capture screenshots from VMs.