Symptoms
Assume that you use the inbox Windows Internal Database (WID) in Windows Server. If you disable Transport Layer Security (TLS) 1.0 when you configure security settings, you experience the following issues:
- Remote Desktop Services (RDS) may fail.
- An existing RDS deployment that uses Remote Desktop Connection Broker and WID may fail.
- The Remote Desktop Management service (RDMS) does not start.
- You receive the following error message when you try to start the RDMS:
“The Remote Desktop Management service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.”
- The Remote Desktop Connection Broker role cannot be installed.
Cause
This behavior is expected, and it is caused by the current dependency between RDS and Windows Internal Database. RDMS and the Connection Broker rely on TLS 1.0 to authenticate to the database, and WID does not currently support TLS 1.2. Disabling TLS 1.0 therefore removes the only protocol the two sides have in common and breaks this communication.
Note RDS deployments that use Connection Broker have to establish an encrypted channel to WID by using one of the following methods:
- TLS
- SSL 3.0
- FIPS
Resolution
To fix this issue, use one of the following methods:
- Set up RDS without Connection Broker for a single server installation.
- Do not disable TLS 1.0 on a single Connection Broker deployment.
- Configure a high availability Connection Broker deployment that uses a dedicated SQL Server.
Note Microsoft has released an update to enable SQL Server communication to use TLS 1.2.
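Before applying a TLS hardening baseline to an RDS host, it helps to know which of the resolution methods above applies. The following PowerShell script is an added example, not part of the original article. It reads the SCHANNEL registry keys that hardening guides use to disable TLS 1.0, checks for the Remote Desktop Connection Broker (service name Tssdis), the Remote Desktop Management service (RDMS), the Windows Internal Database instance (MSSQL$MICROSOFT##WID), and, when the RemoteDesktop module is present, whether the broker is already in a high-availability deployment. The function names and verdict text are this example's own; the service names, registry paths, and Get-RDConnectionBrokerHighAvailability cmdlet are the standard Windows ones. Run it in an elevated session on the server in question.

```powershell
# Added example (not from the original article): preflight check for the
# TLS 1.0 / WID dependency before hardening SCHANNEL on an RDS host.
# Registry paths, service names (Tssdis, RDMS, MSSQL$MICROSOFT##WID) and the
# RemoteDesktop cmdlet are standard Windows names; the function names and the
# verdict strings are this example's own. Run from an elevated PowerShell.

function Get-SchannelProtocolState {
    param(
        [string]$Protocol = 'TLS 1.0',
        [ValidateSet('Client', 'Server')] [string]$Side = 'Server'
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\$Side"
    $enabled = $null
    $disabledByDefault = $null
    if (Test-Path -Path $key) {
        $props = Get-ItemProperty -Path $key
        $enabled = $props.Enabled
        $disabledByDefault = $props.DisabledByDefault
    }
    # An absent key or value means the OS default applies. Enabled = 0 is the
    # setting hardening baselines write to turn a protocol off for this side.
    [pscustomobject]@{
        Protocol          = $Protocol
        Side              = $Side
        KeyPresent        = (Test-Path -Path $key)
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
        IsDisabled        = ($null -ne $enabled -and $enabled -eq 0)
    }
}

function Test-RdsWidTlsDependency {
    # RDMS and the broker connect to WID as TLS clients on the same host, so
    # disabling TLS 1.0 on either the Client or the Server side breaks the channel.
    $tls10 = @(
        Get-SchannelProtocolState -Protocol 'TLS 1.0' -Side Client
        Get-SchannelProtocolState -Protocol 'TLS 1.0' -Side Server
    )
    $tls10Disabled = @($tls10 | Where-Object IsDisabled).Count -gt 0

    $broker = Get-Service -Name 'Tssdis' -ErrorAction SilentlyContinue   # Remote Desktop Connection Broker
    $rdms   = Get-Service -Name 'RDMS'   -ErrorAction SilentlyContinue   # Remote Desktop Management service
    $wid    = Get-Service -Name 'MSSQL$MICROSOFT##WID' -ErrorAction SilentlyContinue

    # A high-availability broker stores its data in a dedicated SQL Server, not in WID.
    $isHa = $false
    if (Get-Command -Name Get-RDConnectionBrokerHighAvailability -ErrorAction SilentlyContinue) {
        try {
            $isHa = $null -ne (Get-RDConnectionBrokerHighAvailability -ErrorAction Stop)
        } catch {
            $isHa = $false
        }
    }

    $dependsOnWid = ($null -ne $broker) -and ($null -ne $wid) -and (-not $isHa)

    $verdict = if (-not $dependsOnWid) {
        'No single Connection Broker on WID found; this issue does not block disabling TLS 1.0 here.'
    } elseif ($tls10Disabled) {
        'TLS 1.0 is disabled and the Connection Broker depends on WID: expect RDMS to start and then stop. Re-enable TLS 1.0, or move the broker to a high-availability deployment on a dedicated SQL Server.'
    } else {
        'The Connection Broker depends on WID and TLS 1.0 is still enabled: do not disable TLS 1.0 on this host until the broker uses a dedicated SQL Server.'
    }

    [pscustomobject]@{
        ConnectionBrokerInstalled = ($null -ne $broker)
        RdmsStatus                = if ($rdms) { $rdms.Status } else { 'NotInstalled' }
        WidInstalled              = ($null -ne $wid)
        BrokerHighAvailability    = $isHa
        Tls10ClientDisabled       = $tls10[0].IsDisabled
        Tls10ServerDisabled       = $tls10[1].IsDisabled
        Verdict                   = $verdict
    }
}

Test-RdsWidTlsDependency | Format-List
```

The check deliberately reads the SCHANNEL keys rather than probing the WID endpoint, because the symptom described above appears as RDMS starting and stopping rather than as a connection error you could observe from outside. Use the verdict to pick the matching resolution: a host that reports a WID-backed single broker should either keep TLS 1.0 enabled or be moved to the high-availability deployment on a dedicated SQL Server before the hardening baseline is applied.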