On Windows 10 1809 we were seeing an issues where machines will get the error ‘Windows Couldn’t connect to the Remote Desktop Configuration Service. Please consult your system administrator” when trying to log in (physically).
This prevents the user logging on and returns them to the log on screen. If the machine is rebooted after this it will take somewhere between 6minutes to 2hours to restart, during this time you can move a mouse cursor on a black screen but otherwise cannot interact with the device.
Once it has occurred for the user all domain users subsequently connecting to that machine experience the problem
Log on using a local admin allows a successful log on and a toast notification pops up saying <” Failed to connect to a Windows Service. Windows couldn’t connect to the Remote Desktop Service. This problem prevents standard users from signing in”>
Cause:
This is caused by a registry key bloating with thousands of entries, an entry is added every time an app connects through the internet proxy:
“HKEY_USERS\S-1-5-19\Software\Classes\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings”
which manifests as a large NTUser.dat in c:\windows\serviceprofile\localservice
This is a confirmed bug fixed in June 18th 1809 Windows Update
The patch stops the bloat from occurring but a registry key is needed to remove the orphaned key entries. Microsoft originally published an incorrect key but has updated this with the correct key:
Path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
Setting: CleanupLeakedContainerRegistrations
Type: DWORD
Value: 1
A value of 1 removes preexisting registrations upon next reboot and is picked up by the WinHttpAutoProxyService this removes keys under:
“HKEY_USERS\S-1-5-19\Software\Classes\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings”
The fix
Deploy the latest cumulative update as soon as possible as this contains the rolled up patch, I’d also suggest deploying a Group Policy Preference to all of your 1809 machines/.
You can track the deletion of the keys in PowerShell with these handy commands:
# Count the leaked Containers
(Get-item -Path \”Registry::HKEY_USERS\S-1-5-19\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\”).SubKeyCount
# Verify that patch installed,
(Get-Item -path c:\windows\system32\winhttp.dll).VersionInfo
# Verify that Registry entry added,
Get-ItemProperty -path \”Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp” -Name CleanupLeakedContainerRegistrations
# Verify that the service is running
Get-Service WinHttpAutoProxySvc |select *