App Control: RDP Login Failure With Server 2022

Environment

  • App Control Agent: All Supported Versions
  • Microsoft Windows Server 2022: All Supported Versions

Symptoms

  • Limited hardware resources and/or multiple security products running on the same box expose or worsen the issue.
  • Attempts to log in via Remote Desktop fail with the error:
    Your Remote Desktop Services session has ended, possibly for one of the following reasons:
    
    The administrator has ended the session.
    An error occurred while the connection was being established
    A network problem occurred.
    
    For help solving the problem, see "Remote Desktop" in Help and Support.
  • Windows Event Viewer Application Log shows the dwm.exe process registering and exiting 8 times:
    Level: Information
    Source: Desktop Window Manager
    Event ID: 9027
    The Desktop Window Manager has registered the session port.
    Level: Warning
    Source: Dwminit
    Event ID: 0
    The Desktop Window Manager process has exited. (Process exit code: 0x800401f0, Restart count: 8, Primary display device ID: )
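
To confirm that a failing host shows this exact event pattern rather than a different RDP failure, the Dwminit warnings can be parsed for the exit code and restart count quoted above. The script below is an added example, not Carbon Black or Microsoft code; the function name `Get-DwmExitSignature`, its parameters, and the sample events are assumptions made for illustration, and the provider name in the commented live query is assumed to equal the Source shown above.

```powershell
# Added example: flags the Dwminit exit pattern described in the Symptoms section.
function Get-DwmExitSignature {
    [CmdletBinding()]
    param(
        # Event objects exposing TimeCreated and Message (Get-WinEvent output or test data).
        [Parameter(Mandatory)] [object[]] $Events,
        [string] $ExitCode = '0x800401f0',   # exit code quoted in the article
        [int]    $RestartThreshold = 8       # restart count quoted in the article
    )
    $pattern = 'Process exit code:\s*(?<code>0x[0-9A-Fa-f]+),\s*Restart count:\s*(?<count>\d+)'
    foreach ($e in $Events) {
        if ($e.Message -match $pattern) {
            $code  = $Matches['code']
            $count = [int]$Matches['count']
            [pscustomobject]@{
                TimeCreated  = $e.TimeCreated
                ExitCode     = $code
                RestartCount = $count
                # True only when both values match what the article reports.
                MatchesKb    = ($code -eq $ExitCode) -and ($count -ge $RestartThreshold)
            }
        }
    }
}

# Constructed sample events; the first message copies the article's text,
# the second is an invented non-matching exit used as a negative case.
$sample = @(
    [pscustomobject]@{
        TimeCreated = [datetime]'2024-01-01T09:00:00'
        Message     = 'The Desktop Window Manager process has exited. (Process exit code: 0x800401f0, Restart count: 8, Primary display device ID: )'
    }
    [pscustomobject]@{
        TimeCreated = [datetime]'2024-01-01T09:05:00'
        Message     = 'The Desktop Window Manager process has exited. (Process exit code: 0x0, Restart count: 1, Primary display device ID: )'
    }
)
Get-DwmExitSignature -Events $sample | Format-Table -AutoSize

# On an affected server, feed it the live Application log instead:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Dwminit'; Id = 0 } -ErrorAction SilentlyContinue
# if ($live) { Get-DwmExitSignature -Events $live | Where-Object MatchesKb }
```

Running the same check before and after each workaround in the Resolution section gives a record of whether the warnings stopped, instead of relying on a single successful login.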

Cause

Race condition with the Dwm.exe process and rpcss.dll

Resolution

Carbon Black has determined that this issue is not ultimately caused by App Control.
It is recommended to contact Microsoft support for additional assistance with the Race Condition on dwm.exe and rpcss.dll.
In the meantime, changes in Agent version 8.9.2 will help reduce the chances of this Race Condition.

Customers running 8.8.x - 8.9.0 have reported higher rates of failure. It is highly recommended to contact Microsoft Support regarding this Race Condition and request additional assistance.
In the meantime, Carbon Black Support has found a few workarounds that may help reduce the chance of encountering this race condition.
  1. Upgrade to Agent version 8.9.2.
    Changes to Agent 8.9.2 (EP-18471, EP-18811) will help lessen the chances of this race condition for most customers.
  2. Test the changes. If the issue persists, continue.
  3. Log in to the Console and navigate to https://ServerAddress/agent_config.php
  4. Add a new Agent Config:
    Name: RDP 2022 - Disable Expansion Timeout (or something memorable)
    Host ID: 0
    Value:
    kernelExpandRulesTimeoutMs=0
    Platform: Windows
    Status: Enabled
    Create For: Select the relevant Policy/Policies
  5. Save the changes and verify the Agent shows as Connected & Up to Date before attempting to reproduce the issue.
  6. If the issue persists, add another Agent Config to ignore the involved processes:
    Property Name: RDP 2022 - KPE (or something memorable)
    Host ID: 0
    Value: kernelProcessExclusions=*\Windows\system32\dwm.exe:4194303,*\Windows\system32\LogonUI.exe:4194303
    Platform: Windows
    Status: Enabled
    Create For: Select the relevant Policy/Policies
  7. Save the changes and verify the Agent shows as Connected & Up to Date before attempting to reproduce the issue.

Additional Notes

  • Reminder: This ultimately is caused by a race condition issue on Server 2022 that Microsoft has stated they will not currently be addressing.
  • For security reasons, it is recommended to avoid creating the Kernel Process Exclusion listed unless absolutely necessary. 
  • Some customers have noted the issue persists even when all security products have been removed.

Creation Date: 06-14-2023