RemoteApp constantly prompting after start due to group policy setting #841

Open
codeart1st opened this issue Sep 25, 2022 · 39 comments

@codeart1st

Windows build number:

22621.586

Your Distribution version:

20.04

Your WSL versions:

WSL version: 0.66.2.0
Kernel version: 5.15.57.1
WSLg version: 1.0.42
MSRDC version: 1.2.3401
Direct3D version: 1.606.4
DXCore version: 10.0.25131.1002-220531-1700.rs-onecore-base2-hyp
Windows version: 10.0.22621.586

Steps to reproduce:

Restart WSL with WSLg. (Happens after Windows Boot or manual WSL Restart)

WSL logs:

No response

WSL dumps:

No response

Expected behavior:

No prompts after WSL with WSLg startup or maybe an option to accept the prompt for the future.

Actual behavior:

After every restart of WSL I constantly get this prompt three times in a row. This is the second laptop from my company on which I am getting this error with WSLg. I think it's caused by a Group Policy, but I don't know which one. I can't find any reports on the internet for this behavior. I don't think it's related to WSLg in the first place, but maybe someone has a workaround.

image

@codeart1st codeart1st added the bug Something isn't working label Sep 25, 2022
@hideyukn88
Member

@codeart1st, would you please share the output from reg QUERY "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /S on Windows's command prompt?

@codeart1st
Author

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    AuthenticationLevel    REG_DWORD    0x2
    fDenyTSConnections    REG_DWORD    0x0
    LoggingEnabled    REG_DWORD    0x1
    UseBandwidthOptimization    REG_DWORD    0x1
    OptimizeBandwidth    REG_DWORD    0x0
    UseCustomMessages    REG_DWORD    0x0
    fAllowToGetHelp    REG_DWORD    0x1
    fAllowFullControl    REG_DWORD    0x1
    MaxTicketExpiry    REG_DWORD    0x1
    MaxTicketExpiryUnits    REG_DWORD    0x1
    fUseMailto    REG_DWORD    0x1
    fAllowUnsolicited    REG_DWORD    0x1
    fAllowUnsolicitedFullControl    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client
    fEnableUsbBlockDeviceBySetupClass    REG_DWORD    0x1
    fEnableUsbNoAckIsochWriteToDevice    REG_DWORD    0x50
    fEnableUsbSelectDeviceByInterface    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbBlockDeviceBySetupClasses
    1000    REG_SZ    {3376f4ce-ff8d-40a2-a80f-bb4359d1415c}

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbSelectDeviceByInterfaces
    1000    REG_SZ    {6bdd1fc6-810f-11d0-bec7-08002be2092f}

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
    foobar\administratoren    REG_SZ    foobar\administratoren
    FOOBAR\admins    REG_SZ    FOOBAR\admins

Changed the domain to foobar.

@hideyukn88
Member

@codeart1st, thanks for the info. Yes, it looks like you have the below policy set, which is causing server-side authentication, and WSLg's server side is Linux, thus it is not using that by default.

AuthenticationLevel REG_DWORD 0x2

By default, authentication level is specified at

authentication level:i:0

I would like to double-check: if you press yes to continue, does WSLg work as expected? Thanks!

@hideyukn88 hideyukn88 changed the title RemoteApp constantly prompting after start RemoteApp constantly prompting after start due to group policy setting Sep 27, 2022
@codeart1st
Author

@hideyukn88 first of all, yes, WSLg works correctly after I accept the prompts. I also checked what happens with value 0x0 for AuthenticationLevel. As you supposed, my problem is gone and this should be the root cause.

https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_SERVER_AUTH

For now, I'm not sure if I can daily drive my company laptop with this setting.

@hideyukn88
Member

@codeart1st, thanks for confirming. We will address this issue, but the fix will be in the RDP client software, which requires a longer cycle to release the fix, thanks!

@thomasdoerr

Hello @codeart1st,

> We will address this issue, but the fix will be in the RDP client software, which requires a longer cycle to release the fix, thanks!

This problem still exists on my machine. All available updates / patches are installed (Windows and WSL). I'm using Windows 11.
But I'm still blocked from using WSLg.

Do you know where I can see the progress of the RDP client fix or a release in which it has been fixed or will be fixed?

Thanks!
Thomas

@hideyukn88
Member

@thomasdoerr, unfortunately we have not yet agreed on the approach for the fix with the team that owns the RDP client software.

> But I'm still blocked from using WSLg.

Does WSLg work by clicking "yes" at the dialog?

Btw, you can check the updates of the RDP client software at https://learn.microsoft.com/en-us/azure/virtual-desktop/whats-new-client-windows, and you can see which version of msrdc.exe is included in WSLg by running wsl --version from Windows's command prompt, thanks!

@thomasdoerr

@hideyukn88 thanks for the answer.
Yes it works, connects correctly and the dialog disappears, but several new ones are constantly showing up. So it is not an option to work with this bug.
Thanks!

@codeart1st
Author

Yeah, still waiting for a patch.

@ericbl

ericbl commented Feb 6, 2023

Same issue here (same RemoteApp window 4 times after I switch on the computer) on a company laptop running Windows 10 Enterprise 21H2.
Same AuthenticationLevel REG_DWORD 0x2 in the given reg key.
I changed it to 0x0 in the registry, but it is likely to be overwritten by the group policies from the domain.

Since I am not using any GUI on Linux, I however just disabled it by adding

[wsl2]
guiApplications=false

in the %userprofile%/.wslconfig

Seems to be ok now.
I got the issue after upgrading wsl from the shell.

From PowerShell: wsl --version

WSL version: 1.0.3.0
Kernel version: 5.15.79.1
WSLg version: 1.0.47
MSRDC version: 1.2.3575
Direct3D version: 1.606.4
DXCore version: 10.0.25131.1002-220531-1700.rs-onecore-base2-hyp
Windows version: 10.0.19044.2486

@zbalkan

zbalkan commented Mar 21, 2023

Just to understand the situation: it means the WSL tries to connect to the VM over RDP and there is no authentication for WSL VMs, so RDP fails to authenticate and warns the users based on the GPO/Registry value. What is the expected situation here then? Create an exception for WSL for RDP connections? Or developing a capability to authenticate for WSL VMs over negotiation?

@hideyukn88
Member

@zbalkan, thanks for the inquiry. The solutions you listed are being considered; ideally authentication would be done properly, but this incurs additional development cost that is currently not scheduled. On the other hand, silently making an exception for WSL might cause some confusion for system administrators by not honoring the policy. Thus, the current behavior is considered the best "compromise", since it informs you that it's not meeting the group policy deployed by your admin, but still offers a way for WSLg to work. Any feedback is welcome, thanks!

@zbalkan

zbalkan commented Mar 21, 2023

Hi @hideyukn88 ,

As a former sysadmin, a long term dev and a current cybersecurity person, I would vote on a decision which would not sacrifice security for the sake of usability.

My suggestion would be adding this exception for WSL2 but making it manageable via a GPO. So that sysadmins can explicitly create an exception for WSL in the corporate environment. It is secure, manageable and does not affect usability.

@joehni

joehni commented Mar 30, 2023

This is definitely more than annoying. We work with the Docker Desktop integration for WSL and IntelliJ. When Docker starts its containers you'll get 3 or 4 of these dialogs, and for every project IntelliJ tries to open in the WSL environment you get another one. So you sometimes end up with 20 to 30 of these dialogs a day, often pooling up behind your active windows.

@Maxim-Mazurok

I'm running WSL on a corporate laptop and the setting that causes these dialogs is controlled by Group Policy and our admins aren't going to relax these settings due to security reasons. As mentioned by @joehni I'm getting a lot of these notifications, working with VS Code integrated with WSL. Having these popups is very annoying, please schedule a proper fix for this issue, thank you!

@tonyvscode

> I'm running WSL on a corporate laptop and the setting that causes these dialogs is controlled by Group Policy and our admins aren't going to relax these settings due to security reasons.

^^ This. And it's driving me nuts 🙃

@Maxim-Mazurok

Maxim-Mazurok commented Sep 17, 2023

I actually haven't seen this popup in a while now, not sure what changed, but I'll unsubscribe, cheers!

Update 23 Nov 2023: I didn't see it because I had wslg disabled. Once enabled I see it again. Also, if I hibernate and then power on the laptop, I get spammed with these notifications in an infinite loop nonstop. I have to end the process and then I get one notification that I can accept.

@florianm

florianm commented Sep 27, 2023

I'm seeing the same error on a company laptop with pretty strict group policies.
I'm using VS Code with WSL2 Ubuntu, Docker extension, running a docker daemon inside WSL2. I do not use GUI apps under WSL2.
The popups seem more abundant (every 1-2 minutes) when I haven't started VS Code yet.

C:\Users\XXX>reg QUERY "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /S

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    fDenyTSConnections    REG_DWORD    0x0
    AuthenticationLevel    REG_DWORD    0x2
    DisablePasswordSaving    REG_DWORD    0x1
    fDisableClip    REG_DWORD    0x1
    fDisableCdm    REG_DWORD    0x1
    fPromptForPassword    REG_DWORD    0x1
    fWritableTSCCPermTab    REG_DWORD    0x0
    fEncryptRPCTraffic    REG_DWORD    0x1
    SecurityLayer    REG_DWORD    0x2
    UserAuthentication    REG_DWORD    0x1
    MinEncryptionLevel    REG_DWORD    0x3
    fAllowUnsolicited    REG_DWORD    0x1
    fAllowUnsolicitedFullControl    REG_DWORD    0x1
    CreateEncryptedOnlyTickets    REG_DWORD    0x1
    fAllowToGetHelp    REG_DWORD    0x1
    fAllowFullControl    REG_DWORD    0x1
    MaxTicketExpiry    REG_DWORD    0x1
    MaxTicketExpiryUnits    REG_DWORD    0x1
    fUseMailto    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client
    fEnableUsbBlockDeviceBySetupClass    REG_DWORD    0x1
    fEnableUsbNoAckIsochWriteToDevice    REG_DWORD    0x50
    fEnableUsbSelectDeviceByInterface    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbBlockDeviceBySetupClasses
    1000    REG_SZ    {3376f4ce-ff8d-40a2-a80f-bb4359d1415c}

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbSelectDeviceByInterfaces
    1000    REG_SZ    {6bdd1fc6-810f-11d0-bec7-08002be2092f}

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
    itb-helpdesk    REG_SZ    itb-helpdesk
    trimremoteassisthelpers    REG_SZ    trimremoteassisthelpers


C:\Users\XXX> wsl --version
WSL version: 1.2.5.0
Kernel version: 5.15.90.1
WSLg version: 1.0.51
MSRDC version: 1.2.3770
Direct3D version: 1.608.2-61064218
DXCore version: 10.0.25131.1002-220531-1700.rs-onecore-base2-hyp
Windows version: 10.0.19044.3448

As helpfully recommended by @ericbl I've created a %USERPROFILE%/.wslconfig with the contents

[wsl2]
guiApplications=false

and after a restart it seems the popups are gone.

Ideally I'd love to run GUI apps from WSL2 and still not see these popups.

@Corbie-42

Corbie-42 commented Nov 10, 2023

I have the same issue, but adding this to %USERPROFILE%\.wslconfig (and also to /etc/wsl.conf)

[wsl2]
guiApplications=false

did not work for me.
I also have to confirm the dialog four times, until it disappears. If I don't, it keeps popping up. This feels very insecure.

My reg QUERY "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /S:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    DisablePasswordSaving    REG_DWORD    0x1
    MinEncryptionLevel    REG_DWORD    0x3
    SecurityLayer    REG_DWORD    0x2
    UserAuthentication    REG_DWORD    0x1
    fDenyTSConnections    REG_DWORD    0x1
    CertTemplateName    REG_SZ    Machine Certificate
    CreateEncryptedOnlyTickets    REG_DWORD    0x1
    LoggingEnabled    REG_DWORD    0x1
    fAllowToGetHelp    REG_DWORD    0x1
    fAllowFullControl    REG_DWORD    0x1
    MaxTicketExpiry    REG_DWORD    0x1e
    MaxTicketExpiryUnits    REG_DWORD    0x0
    fUseMailto    REG_DWORD    0x1
    AuthenticationLevel    REG_DWORD    0x2
    fPromptForPassword    REG_DWORD    0x1
    fAllowUnsolicited    REG_DWORD    0x1
    fAllowUnsolicitedFullControl    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client
    fEnableUsbBlockDeviceBySetupClass    REG_DWORD    0x1
    fEnableUsbNoAckIsochWriteToDevice    REG_DWORD    0x50
    fEnableUsbSelectDeviceByInterface    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbBlockDeviceBySetupClasses
    1000    REG_SZ    {3376f4ce-ff8d-40a2-a80f-bb4359d1415c}

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbSelectDeviceByInterfaces
    1000    REG_SZ    {6bdd1fc6-810f-11d0-bec7-08002be2092f}

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
    NT AUTHORITY\Authenticated Users    REG_SZ    NT AUTHORITY\Authenticated Users

@dalai4git

In my case, starting a WSL terminal and keeping it open means no additional popups. Still have to get 2-3 out of the way in the beginning, but at least nothing after that.

@michaelkebe

michaelkebe commented Dec 1, 2023

Using this in corporate environments where the group policy dictates the AuthenticationLevel is quite annoying. The workaround with the %USERPROFILE%\.wslconfig is possible, but what if you want to use GUI applications? This should really be handled with a higher priority.

@zbalkan

zbalkan commented Dec 1, 2023

This papercut requires a solution, not a workaround. A properly manageable solution which may work in both enterprise and home users.

If we need RDP with TLS for WSL, just generate a new self signed certificate locally and add it to the local certificate store. If there's a problem, allow us to reset. We don't need more.

@codeart1st
Author

codeart1st commented Dec 1, 2023

Also, since I started this issue back in 2022, the dialog prompts now sometimes flicker for me without any visible text. That's even more annoying.

@michaelkebe

Yeah, got the flickering too.

@dalai4git

I had the flickering when I changed networks.

@ngg

ngg commented Dec 3, 2023

Constantly flickering for me as well, really annoying.

@yaoengine

Yes, I've also met this pop-up window problem. I think the main problem is that it keeps popping up. Can it be changed so that when the user confirms, it does not keep popping up again and again for the same address?

@nickschurch

I get this - the popups, the flickering - and the worst part is that sometimes multiple running RemoteApp popups really start degrading the performance of other software.

@NoInfraForYou

One of our devs is struggling with his script because of that particular pop-up, which does not let him launch his instance.

I don't want to remove our policy regarding this pop-up and modify the registry, and as mentioned, we should not sacrifice security for practicality. A quick workaround for that would be nice..!

@zetixzetix

This issue from 2022 is an everyday annoyance in any corporate IT environment with group policies, and it prohibits widespread use of WSL+WSLg as a better and more (with Windows) integrated alternative to virtual machines with a Linux guest OS. I cannot fathom why it is still not fixed.

@hideyukn88
Member

@zetixzetix, I added the support for this scenario in the RDP client software (msrdc.exe); currently we have been waiting for the general public release of msrdc.exe with that support to integrate with the WSL release, thanks!

@codeart1st
Author

> @zetixzetix, I added the support for this scenario in the RDP client software (msrdc.exe); currently we have been waiting for the general public release of msrdc.exe with that support to integrate with the WSL release, thanks!

Hi, do you know any timeplan for this?

@hideyukn88
Member

@codeart1st, finally the msrdc version 1.2.5326, which we have been waiting for, is publicly released (previously only to insiders) and we are integrating it with WSL, thanks!

https://learn.microsoft.com/en-us/azure/virtual-desktop/whats-new-client-windows?pivots=remote-desktop-msi#updates-for-version-125326

@travis-teitsch

How do we leverage the new RDC with WSL? I installed the version at the system level from the URL above, but wsl --version is still reporting 1.2.5105 and WSL2 is still giving me RemoteApp warnings.

@codeart1st
Author

I think it still needs to be integrated (in some kind) in WSL2. So we need to wait for a fix in the WSL codebase. But I also hope that it gets done shortly.

@resried

resried commented Apr 25, 2024

I saw it is integrated into the last prerelease version of wsl: https://github.com/microsoft/WSL/releases
So I downloaded the wsl.2.2.3.0.x64.msi from there and installed that and it fixed the warnings.
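
An added triage example (not part of the original thread and not Microsoft's code): it parses the two command outputs pasted throughout this issue, `reg QUERY ... /S` and `wsl --version`, and reports whether a machine matches the condition described here, i.e. the AuthenticationLevel policy set to 0x2 together with a WSL-bundled MSRDC older than 1.2.5326. The function names, verdict strings and sample inputs are constructed for illustration; English, already-decoded command output is assumed.

```python
import re

# Policy key queried in the thread; compared case-insensitively.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
FIXED_MSRDC = (1, 2, 5326)  # msrdc release the thread names as carrying the fix

# Constructed samples, modelled on the outputs pasted in this thread.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    AuthenticationLevel    REG_DWORD    0x2
    fDenyTSConnections    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
    NT AUTHORITY\Authenticated Users    REG_SZ    NT AUTHORITY\Authenticated Users
"""
SAMPLE_WSL_OLD = "WSL version: 0.66.2.0\nWSLg version: 1.0.42\nMSRDC version: 1.2.3401\n"
SAMPLE_WSL_NEW = "MSRDC version: 1.2.5326\n"


def parse_reg_query(text):
    """Parse `reg QUERY <key> /S` output into {key_path_lower: {name: (type, data)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None:
            # Value names may contain spaces, so anchor on the REG_* type token.
            m = re.match(r"\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$", line)
            if m:
                current[m.group(1)] = (m.group(2), m.group(3).strip())
    return keys


def msrdc_version(wsl_version_text):
    """Return the 'MSRDC version' line of `wsl --version` as an int tuple, or None."""
    m = re.search(r"^MSRDC version:\s*(\d+(?:\.\d+)*)\s*$", wsl_version_text, re.MULTILINE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def assess(reg_text, wsl_version_text):
    """Classify a machine against the condition reported in this issue."""
    values = parse_reg_query(reg_text).get(POLICY_KEY.lower(), {})
    kind, data = values.get("AuthenticationLevel", (None, None))
    level = int(data, 16) if kind == "REG_DWORD" else None
    msrdc = msrdc_version(wsl_version_text)
    if level != 2:
        # Only 0x2 is reported as producing the prompt in this thread.
        verdict = "not-the-reported-condition"
    elif msrdc is not None and msrdc >= FIXED_MSRDC:
        verdict = "client-has-fix"
    else:
        verdict = "prompts-expected"
    return {"AuthenticationLevel": level, "msrdc": msrdc, "verdict": verdict}


if __name__ == "__main__":
    for wsl_text in (SAMPLE_WSL_OLD, SAMPLE_WSL_NEW):
        print(assess(SAMPLE_REG, wsl_text))
```

The MSRDC version that matters is the one `wsl --version` reports, since a separately installed Remote Desktop client did not change it in the report above.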

@codeart1st
Author

codeart1st commented Apr 25, 2024

> I saw it is integrated into the last prerelease version of wsl: https://github.com/microsoft/WSL/releases So I downloaded the wsl.2.2.3.0.x64.msi from there and installed that and it fixed the warnings.

Thanks for the info 👍

Edit: works for me, too.

@bersbersbers

wsl --update --pre does that for you :)

It certainly improves things, but there is still one (new) drawback left: while the prompt has stopped appearing, at the time the prompt would have appeared before, "something" happens in the system tray and steals your focus, which is annoying when you start up WSL and start typing a command.

To reproduce: wsl --shutdown && wsl and then just keep the Return key pressed. Input will stop scrolling after 3-4s until you focus WSL again.

@hideyukn88
Member

@bersbersbers, would you please collect the log following the steps at #1212 (comment) ? Also are you on Windows 10 or 11? thanks!
