If the error is due to a DNS failure or a corrupted hostname resolution in the VPN, try connecting to the directly.

Summary of Solutions

| Issue | Solution |
|:------|:---------|
| Expired Certificate | Delete certificate in mmc and restart RD Services. |
| Outdated Client | Update the RDP app via Microsoft Store. |
| VPN Disconnect | Check network speed and allow LAN connections. |
| Azure VM 0x904 | Use "Run Command" to rename MachineKeys folder. |
A well-documented bug in Windows 11 updates drops secure sessions when routing via DNS hostnames.
Then the issue is likely a corrupted RDP listener. Uninstall and reinstall the :
If you are still unable to connect, it is recommended to check the Event Viewer on the server under for more detailed error codes.
When this error occurs, users often experience the following:
On the local client machine, navigate to gpedit.msc → Computer Configuration → Administrative Templates → System → Credentials Delegation. Locate “Encryption Oracle Remediation.” Set it to Vulnerable (temporarily) or Mitigated. If set to “Force Updated,” the client will refuse connections to unpatched servers, triggering 0x904. After changing this, run gpupdate /force and retry the connection.
Go to the Microsoft Store and install the latest Remote Desktop App.
If you can connect locally but not remotely, or if the server has a corrupted certificate, follow these steps to force a renewal: Access the server (via console, IPMI, or Azure/AWS portal). Open (Microsoft Management Console). Add the Certificates snap-in (Computer account). Navigate to Remote Desktop > Certificates. Delete the existing self-signed certificate. Restart Remote Desktop Services from services.msc.
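A read-only check to run before deleting anything in the steps above, as an added example that is not part of the original guide: it compares the certificate bound to the RDP listener with the contents of the Remote Desktop certificate store. It assumes an elevated PowerShell session on the server and the default listener name RDP-Tcp.

```powershell
# Added example: inspect the RDP listener certificate without changing anything.
# Assumption: default listener name 'RDP-Tcp'; run elevated on the server.

# Thumbprint the listener is actually configured to present
$listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$bound = $listener.SSLCertificateSHA1Hash

# Certificates in the computer account's "Remote Desktop" store
$certs = Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue

$now = Get-Date
$report = foreach ($c in $certs) {
    [pscustomobject]@{
        Thumbprint    = $c.Thumbprint
        Subject       = $c.Subject
        NotAfter      = $c.NotAfter
        DaysLeft      = [math]::Floor(($c.NotAfter - $now).TotalDays)
        Expired       = $c.NotAfter -lt $now
        HasPrivateKey = $c.HasPrivateKey
        BoundToRdpTcp = $c.Thumbprint -eq $bound
    }
}
$report | Format-Table -AutoSize

# Decide whether the certificate renewal steps are the relevant fix
$active = $report | Where-Object BoundToRdpTcp
if (-not $active) {
    Write-Warning "Listener thumbprint '$bound' was not found in the Remote Desktop store."
} elseif ($active.Expired -or -not $active.HasPrivateKey) {
    Write-Warning 'Bound certificate is expired or has no private key; renewal applies.'
} else {
    Write-Output 'Bound certificate is present and valid; check the other causes first.'
}
```

Record the reported thumbprint before renewing, so you can confirm afterwards that the listener presents a new certificate.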
If you are using RDP Wrapper to enable remote desktop on Windows Home editions, an outdated or incorrectly installed rdpwrap.ini file can trigger this error.
Security hardening or system modifications can block the NETWORK SERVICE account from reading the RDP certificate's private key.
In cloud deployments like Azure VMs, the machine's local encryption container (MachineKeys) can become corrupted, preventing Windows from creating or reading the required RDP handshake keys.
While it is frequently categorized as a general network instability bug, its real-world root causes are often tied to .
| Cause Category | Description |
|:---------------|:-------------|
| | Insufficient bandwidth, packet loss, or an unstable internet connection |
| Firewall or security software | RDP traffic is being blocked on TCP port 3389, often by a Windows Firewall or third-party antivirus solution |
| TLS/CredSSP mismatches | Incompatible encryption cipher suites between client and server |
| Certificate issues | Expired or corrupted RDP certificates, often related to the MachineKeys folder |
| VPN or network environment | A sluggish VPN connection can cause authentication or session timeouts |
| Windows Update compatibility | Specific updates or OS builds can introduce RDP compatibility issues |
Below is a complete guide to understanding and fixing this error.

Common Causes
If you are using third-party antivirus software, you will need to consult its specific documentation to create an exception for TCP port 3389 and for . In many cases, you can temporarily disable the third-party firewall entirely to test if it is causing the issue.
Because error 0x904 can be triggered by either client-side misconfigurations or server-side security layer failures, work through these vetted technical solutions sequentially.

1. Re-Generate Expired Remote Desktop Certificates
Reboot the VM. Windows will rebuild the store upon restart.

3. Verify Firewall & Antivirus Exceptions
Open Command Prompt as Administrator and run net stop TermService.