Monday, March 30, 2020

Remote Desktop Failed - "An internal error has occurred"



OS: Windows Server 2012 R2 Standard

Recently came across a server that was throwing the error "An internal error has occurred" whenever an RDP session was attempted.

I could still get into the server by another route, so everything below was done on the server itself.

1) First thing I did was restart the "Remote Desktop Services" service. The service restarted fine, but RDP sessions still failed.

2) Checked the event logs for any errors written during that service restart.
Bingo! there's one (source TerminalServices-RemoteConnectionManager, Event ID 1057):

"The RD Session Host Server has failed to create a new self signed certificate to be used for RD Session Host Server authentication on SSL connections. The relevant status code was Access is denied."

The "Access is denied" part is the useful bit: the service tried to replace its self-signed certificate and could not. That is usually a permissions problem on the machine key store (C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys), which NETWORK SERVICE, the account the service runs as, needs to be able to read and write. The steps below work around it by binding a certificate of my own; if you also want the service to renew its own self-signed certificate again, fix those permissions.

3) Let's check the certs
Start -> Run -> type MMC and press Enter

In MMC:
File -> Add/Remove Snap-in
Select Certificates and click Add
Select Computer account and click Next
Leave the selection as Local Computer and click Finish
Press OK to complete.
Expand Certificates (Local Computer) -> Remote Desktop -> Certificates. The self-signed certificate in there had expired.

4) So I decided to issue a new certificate, and went with our Enterprise CA rather than another self-signed one.

5) Requested the new certificate as follows:

Under Certificates (Local Computer), right-click the first folder, "Personal"
All Tasks -> "Request New Certificate..."
Complete the wizard using your organization's certificate template.

Whatever template you use, the certificate must carry the Server Authentication EKU, and its private key must sit in the computer store where NETWORK SERVICE (the Remote Desktop Services account) can read it. Otherwise the listener will accept the thumbprint in step 7 but clients still will not be able to connect.

You can also generate a new self-signed certificate and put it in the Personal store of the computer account. Either way, the certificate has to be in that store for the command in step 7 to work.


6) Once the new cert (CA-issued or self-signed) is sitting in the Personal store, we need to copy its Thumbprint.
For this, double-click the cert inside MMC to open it
Go to the Details tab
Scroll all the way down; the last item will be Thumbprint.
Click it and the value is shown in the box below. Select and copy the whole value into a Notepad file.
Then remove the spaces between the character pairs. Note that copying from this dialog sometimes picks up an invisible left-to-right mark before the first character; if the command in step 7 complains about an invalid parameter, delete and retype the first character. Mine looks like this:

3c7a7a78ac6699b79182dff11329834117a183b3


7) Open a command prompt as administrator and run the command below, replacing the thumbprint with yours (this binds the cert to the RDP-Tcp listener):
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="3c7a7a78ac6699b79182dff11329834117a183b3"

Once it completes successfully, wmic reports "Property(s) update successful." for the Win32_TSGeneralSetting instance (TerminalName="RDP-Tcp").

Should be all good once you restart the "Remote Desktop Services" service once again.
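Steps 5 to 7 as one script, added here as an example and not part of the original post. It goes a bit further than the manual steps: it picks a usable certificate from the computer's Personal store (private key present, not expired, Server Authentication EKU), falls back to creating a self-signed one if none is found, binds it through the same Win32_TSGeneralSetting property the wmic command sets, reads the binding back to confirm it, and restarts the service. It assumes an elevated PowerShell on the affected host; $Thumbprint and $DnsName are placeholders, and the listener is assumed to be the default RDP-Tcp.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the RDS host.
param(
    [string]$Thumbprint,   # optional: thumbprint of a cert already in Cert:\LocalMachine\My
    [string]$DnsName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$ErrorActionPreference = 'Stop'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, required on an RDP listener cert

# 1. Pick the certificate. With no thumbprint given, choose the longest-lived usable one
#    in the computer's Personal store (has a private key, not expired, Server Auth EKU).
if ($Thumbprint) {
    $cert = Get-Item "Cert:\LocalMachine\My\$($Thumbprint -replace '\s','')"
} else {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })
        } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

# 2. Nothing usable? Create a self-signed cert in the same store as a stop-gap until the
#    CA-issued one arrives. On 2012 R2 New-SelfSignedCertificate only takes these two parameters.
if (-not $cert) {
    Write-Warning "No valid Server Authentication cert found; creating a self-signed one for $DnsName"
    $cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation Cert:\LocalMachine\My
}

# 3. Bind it to the RDP-Tcp listener: same property as the wmic command, via WMI from PowerShell.
$ts = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
$ts.SSLCertificateSHA1Hash = $cert.Thumbprint
$ts.Put() | Out-Null

# 4. Read the binding back and make sure it matches the cert we chose.
$bound = (Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' -Class Win32_TSGeneralSetting `
            -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
if ($bound -ne $cert.Thumbprint) {
    throw "Listener is still bound to $bound, expected $($cert.Thumbprint)"
}
"RDP-Tcp now uses: $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"

# 5. Restart the service so the listener picks up the new certificate.
Restart-Service TermService -Force
```

The read-back in step 4 is the check worth keeping: a typo in the thumbprint, or the stray left-to-right mark mentioned above, shows up here as a mismatch instead of as a connection failure later. The script does not verify that NETWORK SERVICE can read the private key; if connections still fail after this, check the key's permissions.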


=========================================================================

If that does not apply to you (the cert is still valid), then try the following.

Enable TLS 1.2 at the system (SCHANNEL) level by importing this .reg file, then reboot so SCHANNEL picks the change up:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
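Before importing the .reg file it is worth knowing what SCHANNEL is currently set to, since a hardening script may have disabled other protocol versions too. The script below is an added example, not from the original post; it reports the Enabled and DisabledByDefault values for each protocol and role, showing "(default)" where the key or value is absent and Windows uses its built-in default. It assumes it is run in an elevated PowerShell on the server.

```powershell
# Added example (not from the original post): dump the SCHANNEL protocol settings
# for each protocol/role pair so the before and after state of the .reg import is visible.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            $key = Join-Path $base "$proto\$role"
            # An absent key or value means "OS default" for that protocol; report it as such
            # rather than as 0 or 1, because the default differs between Windows versions.
            $enabled = $disabledByDefault = '(default)'
            if (Test-Path $key) {
                $p = Get-ItemProperty -Path $key
                if ($null -ne $p.Enabled)           { $enabled           = $p.Enabled }
                if ($null -ne $p.DisabledByDefault) { $disabledByDefault = $p.DisabledByDefault }
            }
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize

# Apply the .reg file from above (assumed saved as C:\temp\tls12.reg), then re-check.
# SCHANNEL reads these values at service start, so a reboot is needed for them to take effect.
reg import C:\temp\tls12.reg
Get-SchannelProtocolState | Format-Table -AutoSize
# Restart-Computer
```

If the table shows TLS 1.0 and TLS 1.1 explicitly disabled as well, the server may have been hardened by policy; the .reg file above only touches the TLS 1.2 keys and leaves those settings as they are.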