Issue:
Why does a Remote Desktop Protocol (RDP) connection not work when Elements Endpoint Protection or Business Suite Client Security / Server Security Application Control rules are active on a Windows Server 2022 system?
Resolution:
Make sure that you do not have active Application Control rules with the Event type "File access" whose sole condition is a Target SHA1 or SHA256 hash value. The event type "File access" is known to be problematic, because it reduces the efficiency of caching and triggers aggressive file I/O interception. An RDP connection can then slow down file I/O, because nearly every file that is opened has to be checked against the hash value. Because the performance penalty of this operation is unavoidable, file-based hash blocklists should only be used as a temporary measure until an engine detection is added. VirusTotal can be used to check whether a hash value is flagged as malicious.
If you experience issues with RDP connectivity, we recommend that you remove, and do not use, any Application Control block-action rules with the Event type "File access" that use a hash value as the only condition. Such rules should only be used when enabling them does not cause issues. Alternatively, hash-based rules can be created with the "Application start" or "Module load" event types instead of "File access".
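The following script is an added example, not WithSecure's own tooling: it audits a rule export for the pattern described above (event type "File access" with a single SHA1/SHA256 hash as the only condition). The JSON layout and the condition field names "Target SHA1" / "Target SHA256" are assumptions for the example, and the rule data is constructed inline.

```python
import json
import re

# Constructed sample export. The JSON shape and field names are assumptions
# for this example, not WithSecure's real Application Control export format.
SAMPLE_RULES = json.dumps([
    {"name": "block-tool-file-access", "action": "Block", "event": "File access",
     "conditions": [{"field": "Target SHA256", "value": "a" * 64}]},
    {"name": "block-tool-app-start", "action": "Block", "event": "Application start",
     "conditions": [{"field": "Target SHA256", "value": "a" * 64}]},
    {"name": "block-hash-and-path", "action": "Block", "event": "File access",
     "conditions": [{"field": "Target SHA1", "value": "b" * 40},
                    {"field": "Target path", "value": r"C:\Temp\*"}]},
    {"name": "report-hash-file-access", "action": "Report", "event": "File access",
     "conditions": [{"field": "Target SHA1", "value": "c" * 40}]},
])

# Expected hex length for each hash condition field.
HASH_FIELDS = {"Target SHA1": 40, "Target SHA256": 64}


def is_hash_only_file_access_rule(rule):
    """True when the rule uses the "File access" event type and its only
    condition is a well-formed SHA1 or SHA256 target hash."""
    if rule.get("event", "").lower() != "file access":
        return False
    conditions = rule.get("conditions", [])
    if len(conditions) != 1:
        return False
    field = conditions[0].get("field")
    value = conditions[0].get("value", "")
    expected_len = HASH_FIELDS.get(field)
    if expected_len is None:
        return False
    return re.fullmatch(r"[0-9a-fA-F]{%d}" % expected_len, value) is not None


def audit_rules(export_json):
    """Return (name, action) for every rule that should be removed or moved
    to the "Application start" / "Module load" event type."""
    return [(r["name"], r.get("action", "")) for r in json.loads(export_json)
            if is_hash_only_file_access_rule(r)]


if __name__ == "__main__":
    for name, action in audit_rules(SAMPLE_RULES):
        print(f"{name}: {action} rule on 'File access' with hash-only condition")
```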
If you do not have Application Control rules matching the above description and you are still experiencing RDP connectivity issues, the issue can be caused by a race condition bug in the Desktop Window Manager (dwm.exe).
To work around the issue, we suggest excluding dwm.exe from all security features. Example of how to create the exclusion for Elements Endpoint Protection:
- Log in to the Elements Security Center portal: https://elements.withsecure.com
- Open the Security Configurations section from the menu on the left
- Go to the Profiles page
- Select the profile that is in use on the devices
- Note: Only non-default profiles can be edited.
- Go to the General settings page
- Scroll down to the Exclude folders and files from all security scans section and click Add exclusion
- Add the path: C:/Windows/System32/dwm.exe
- Click Save and publish
You can also exclude C:\Windows\System32\winlogon.exe if dwm.exe alone is not enough, since winlogon.exe is the parent process for dwm.exe.
Article no: 000042409