[German]Today, October 11, 2022 is Microsoft's patchday, and Windows 10 will also receive its monthly security update. As a precaution, I draw your attention to an issue that could possibly cause trouble in a few hours under Windows 10 20H2 to 21H2: Microsoft is expected to disable TLS 1.0 and 1.1 with the security update for these Windows 10 versions. On the other hand, it looks like the TLS 1.3 implementation is causing problems on Windows 10. So, there could be problems with remote desktop applications and all applications that rely on TLS 1.0/1.1.
Preview update disables TLS 1.0/1.1
I had already mentioned it in the blog post Windows 10 20H2-21H2 Preview Update KB5017380 (Sept. 20, 2022). Microsoft has already disabled TLS 1.0 and 1.1 in Windows 10 Enterprise version 20H2, Windows 10 Education, Windows 10 IoT Enterprise version 20H2, and Windows 10 version 21H1 to 21H2 in September 2022 with the optional cumulative (preview) update KB5017380.
Since the changes in the preview updates will be incorporated into the corresponding security updates the following month, support for TLS 1.0 and 1.1 will likely be disabled across the board on Patchday, October 11, 2022 (unless Microsoft has already received so much negative feedback from the preview that the feature has been taken out).
At this point, as a precaution, I remind you of my recent blog post Bug: Outlook no longer connects to the mail server (October 2022). Microsoft Outlook sync fails on Windows 10 when TLS 1.3 is used. Microsoft suggests removing support for TLS 1.3 as a workaround so Outlook can sync again.
A reader report on Remote Desktop apps
The issue has come back into focus for me due to a reader feedback from Antonio Francisco Vanucchi from Brazil. Antonio had left a comment in English because he encountered a problem. He suggested that I take this up on the blog to warn other administrators. To that end, he wrote to me:
After I installed the optional update KB5017380 on my customer's workstations, Remoteapp setup no longer works. After entering the URL *https://mydomain]/rdweb/feed/webfeed.aspx in Control Panel/Remoteapp and Desktop Connections, I received the message:
"An error has occurred. Contact your workstation administrator for assistance.".
Antonis writes that no errors were reported in the event viewer. While doing some research, he came across my blog with the post about the preview update – and he also found the note that KB5017380 disables TLS 1.0 and 1.1 by default on all Windows 10 machines. The Remote app for Windows Server 2016, however, relies heavily on TLS 1.0, according to him. This is the reason why the above error is reported, according to Antonio.
Antonio sent me the link to the (already published 2 years ago, but still up to date) reddit.com thread Error when adding remoteapp connection url in control panel, where the problem is described.
Error when adding remoteapp connection url in control panel
I have a Remote Access server set up in our domain that pushes out some applications for users. Traditionally, we have been asking users to log into the web portal to access the rdp files so they use our apps.
However, I want to simplify this by pushing them out via GPO. To test this, I used my pc (Windows 10) as a test. I went to control panel > remoteapp and desktop connections and added the url: https://[mydomain]/rdweb/feed/webfeed.aspx and I continuously get this:
"An error occurred. Contact your workplace administrator for assistance."
I can resolve that link in a browser, as it asks me for my credentials, and then downloads a file.
I can not for the life of me find anything in Event Viewer that is giving me any errors whatsoever. Nothing in system, nothing in RemoteApp and Desktop Connections. Nada.
I know it should be asking for credentials, but it doesn't even give me that option.
I tested this on one of our testbench servers (a vm) and it worked (Windows Server 2016) just fine.
Whats even more hilarious is it works on the rdp client on my mac with no issues as well!
Tested it with several other client pc's and I am getting the same thing. I'm at a loss, I have no idea on how to proceed.
Someone there also outlines the following workaround. In the tech community, there is an entry from October 4, 2022, which points out the potential problem.
KB5017380 Breaks RemoteApp
I installed KB5017380 on a brand new machine to bring it up to date. When it came time to set up RemoteApp, I entered an URL to my RemoteApp server and got an error that said "An error occurred. Please contact your Administrator." (paraphrased).
No information was given in Event Viewer or anywhere else. I have several other machines and they work just fine, although has no KB5017380 installed.
Googled for an answer and very few came up. In fact, only 2 article came up and they both pointed the problem to KB5017380. I then uninstalled that, rebooted, and tried RemoteApp again. RemoteApp now works!
You've been warned. This update breaks RemoteApp, or at least won't let you set up new RemoteApp connections. I hope Microsoft pulls this out and fix it before returning it back into the updates. I'm posting that information here to hopefully save you hours figuring out why you can no longer create new RemoteApp connections. Good luck!
So there are two places where you can find information on this topic.
TLS workaround (still) fails
Antonio then dug further and wrote: If you don't want to uninstall the update, registry changes should enable TLS 1.0. Microsoft describes the approach in the 2021 support post Managing SSL/TLS Protocols and Cipher Suites for AD FS. To re-enable TLS 1.0, the registry editor regedit.exe must be run via Run as administrator. Then navigate to the key:
Create a new subkey TLS 1.0 and a sub-subkey Client with a new DWORD value DisabledByDefault, set to 0. After restarting Windows, TLS 1.0 should be supported again.
Reads quite well, but Antonio wrote me about it that this approach did not work for him. He was forced to uninstall the optional preview update KB5017380. Then he had to reinstall the September 13, 2022 security update KB5017308 to get Remoteapp setup to work again. He hopes that the upcoming October 2022 security update will correct the problem for him.
Regarding update KB5017308, it should be noted that it is responsible for the problems described in the article Windows 10 Update KB5017308 causes issues when creating/copying files via GPO. So it remains exciting to see what the October 2022 patchday will bring – in any case, you have advance information about possible problems. Thanks to Antonio for the hint.
Patchday: Windows 10-Updates (September 13, 2022)
Windows 10 Update KB5017308 causes issues when creating/copying files via GPO
Windows 10 20H2-21H2 Preview Update KB5017380 (Sept. 20, 2022)
Bug: Outlook no longer connects to the mail server (October 2022)
Übersicht: TLS-Support in Windows
Cookies helps to fund this blog: Cookie settings