- I have a new HS23 (7875-E8U) blade with 2 mirrored 256G SSDs (90Y8643). I have tried to load WIndows 2012 R2 on it twice. Once without ServerGuide and once with ServerGuide. Both complete the install without issue, but upon first boot, give me an 0xC0000001 missing boot device failure.
- I rebooted a Dell PowerEdge T620 running Windows Server 2012 Standard. Upon boot up and logon, I am receiving a message regarding 'Activate Windows'. When I go to System, the Windows Activation reports that Windows is not activated. When I click on 'View details in Windows Activation, I am not given an option to enter a different Product Key.
- 0xc004f00f Windows Server 2012 R2 Server
- 0xc004f00f Windows Server 2012 R2 Download Iso
- 0xc004f00f Windows Server 2012 R2 Download
- 0xc004f00f Windows Server 2012 R2 Sp1
The hardening checklists are based on the comprehensive checklists produced by CIS. The Information Security Office has distilled the CIS lists down to the most critical steps for your systems, with a particular focus on configuration issues that are unique to the computing environment at The University of Texas at Austin.
How to use the checklist
I'd almost bet on that.net native update (I searched my 2012R2 server's logs, and my WSUS catalog, and don't see that update ID anywhere) To positively ID it, open the server's windowsupdate.log in notepad, and search for that update ID starting from the top. The first hit should have the KB number. Tech support scams are an industry-wide issue where scammers trick you into paying for unnecessary technical support services. You can help protect yourself from scammers by verifying that the contact is a Microsoft Agent or Microsoft Employee and that the phone number is an official Microsoft global customer service number.
Print the checklist and check off each item you complete to ensure that you cover the critical steps for securing your server. The Information Security Office uses this checklist during risk assessments as part of the process to verify that servers are secure.
How to read the checklist
Step - The step number in the procedure. If there is a UT Note for this step, the note number corresponds to the step number.
Check (√) - This is for administrators to check off when she/he completes this portion.
To Do - Basic instructions on what to do to harden the respective system
CIS - Reference number in the Center for Internet Security Windows Server 2012 R2 Benchmark v1.1.0. The CIS document outlines in much greater detail how to complete each step.
UT Note - The UT Note at the bottom of the page provides additional detail about the step for the university computing environment.
Cat I - For systems that include Category-I data , required steps are denoted with the ! symbol. All steps are recommended.
Cat II/III - For systems that include Category-II or -III data , all steps are recommended, and some are required (denoted by the !).
Min Std - This column links to the specific requirement for the university in the Minimum Security Standards for Systems document.
Check (√) - This is for administrators to check off when she/he completes this portion.
To Do - Basic instructions on what to do to harden the respective system
CIS - Reference number in the Center for Internet Security Windows Server 2012 R2 Benchmark v1.1.0. The CIS document outlines in much greater detail how to complete each step.
UT Note - The UT Note at the bottom of the page provides additional detail about the step for the university computing environment.
Cat I - For systems that include Category-I data , required steps are denoted with the ! symbol. All steps are recommended.
Cat II/III - For systems that include Category-II or -III data , all steps are recommended, and some are required (denoted by the !).
Min Std - This column links to the specific requirement for the university in the Minimum Security Standards for Systems document.
Server Information
MAC Address |
---|
IP Address |
Machine Name |
Asset Tag |
Administrator Name |
Date |
Checklist
Step | √ | To Do | MFD | UT Note | Cat I | Cat II/III | Min Std |
---|---|---|---|---|---|---|---|
Preparation and Installation | |||||||
1 | If machine is a new install, protect it from hostile network traffic, until the operating system is installed and hardened. | § | ! | ! | 4.5.1 | ||
2 | Consider using the Security Configuration Wizard to assist in hardening the host. | § | |||||
Service Packs and Hotfixes | |||||||
3 | Install the latest service packs and hotfixes from Microsoft. | § | ! | ! | 4.5.2 | ||
4 | Enable automatic notification of patch availability. | § | ! | ! | 4.5.5 | ||
User Account Policies | |||||||
5 | Set minimum password length. | 1.1.4 | § | ! | ! | ||
6 | Enable password complexity requirements. | 1.1.5 | § | ! | |||
7 | Do not store passwords using reversible encryption. (Default) | 1.1.6 | § | ! | ! | ||
8 | Configure account lockout policy. | 1.2 | § | ! | ! | ||
User Rights Assignment | |||||||
9 | Restrict the ability to access this computer from the network to Administrators and Authenticated Users. | 2.2.2 | |||||
10 | Do not grant any users the 'act as part of the operating system' right. (Default) | 2.2.3 | ! | ! | |||
11 | Restrict local logon access to Administrators. | 2.2.6 | § | ||||
12 | Deny guest accounts the ability to logon as a service, a batch job, locally, or via RDP. | 2.2.18-21 | ! | ||||
Security Settings | |||||||
13 | Place the University warning banner in the Message Text for users attempting to log on. | 2.3.7.4 | § | ! | ! | 4.5.10 | |
14 | Disallow users from creating and logging in with Microsoft accounts. | 2.3.1.1 | § | ! | ! | ||
15 | Disable the guest account. (Default) | 2.3.1.2 | ! | ! | |||
16 | Require Ctrl+Alt+Del for interactive logins. (Default) | 2.3.7.2 | ! | ! | |||
17 | Configure machine inactivity limit to protect idle interactive sessions. | 2.3.7.3 | ! | ! | |||
18 | Configure Microsoft Network Client to always digitally sign communications. | 2.3.8.1 | ! | ||||
19 | Configure Microsoft Network Client to digitally sign communications if server agrees. (Default) | 2.3.8.2 | ! | ! | |||
20 | Disable the sending of unencrypted passwords to third party SMB servers. | 2.3.8.3 | ! | ! | 4.5.6 | ||
21 | Configure Microsoft Network Server to always digitally sign communications. | 2.3.9.2 | ! | ||||
22 | Configure Microsoft Network Server to digitally sign communications if client agrees. | 2.3.9.3 | ! | ||||
Network Access Controls | |||||||
23 | Disable anonymous SID/Name translation. (Default) | 2.3.11.1 | ! | ! | |||
24 | Do not allow anonymous enumeration of SAM accounts. (Default) | 2.3.11.2 | ! | ! | 4.5.5 | ||
25 | Do not allow anonymous enumeration of SAM accounts and shares. | 2.3.11.3 | ! | 4.5.5 | |||
26 | Do not allow everyone permissions to apply to anonymous users. (Default) | 2.3.11.4 | ! | ! | 4.5.12 | ||
27 | Do not allow any named pipes to be accessed anonymously. | 2.3.11.5 | ! | 4.5.12 | |||
28 | Restrict anonymous access to named pipes and shares. (Default) | 2.3.11.8 | ! | ! | 4.5.12 | ||
29 | Do not allow any shares to be accessed anonymously. | 2.3.11.9 | ! | ||||
30 | Require the 'Classic' sharing and security model for local accounts. (Default) | 2.3.11.10 | ! | ! | 4.5.12 | ||
Network Security Settings | |||||||
31 | Allow Local System to use computer identity for NTLM. | 2.3.12.1 | |||||
32 | Disable Local System NULL session fallback. | 2.3.12.2 | |||||
33 | Configure allowable encryption types for Kerberos. | 2.3.12.4 | |||||
34 | Do not store LAN Manager hash values. | 2.3.12.5 | ! | ! | 4.5.13 | ||
35 | Set LAN Manager authentication level to only allow NTLMv2 and refuse LM and NTLM. | 2.3.12.7 | ! | 4.5.13 | |||
36 | Enable the Windows Firewall in all profiles (domain, private, public). (Default) | 9.{{1-3}}.1 | ! | ! | 4.5.5 | ||
37 | Configure the Windows Firewall in all profiles to block inbound traffic by default. (Default) | 9.{{1-3}}.2 | ! | ! | |||
Active Directory Domain Member Security Settings | |||||||
38 | Digitally encrypt or sign secure channel data (always). (Default) | 2.3.6.1 | ! | 4.5.6 | |||
39 | Digitally encrypt secure channel data (when possible). (Default) | 2.3.6.2 | ! | ! | 4.5.6 | ||
40 | Digitally sign secure channel data (when possible). (Default) | 2.3.6.3 | ! | ! | 4.5.6 | ||
41 | Require strong (Windows 2000 or later) session keys. | 2.3.6.6 | ! | ||||
42 | Configure the number of previous logons to cache. | 2.3.7.6 | § | ||||
Audit Policy Settings | |||||||
43 | Configure Account Logon audit policy. | 17.1 | § | ! | |||
44 | Configure Account Management audit policy. | 17.2 | § | ! | ! | ||
45 | Configure Logon/Logoff audit policy. | 17.5 | § | ! | ! | ||
46 | Configure Policy Change audit policy. | 17.7 | § | ! | ! | ||
47 | Configure Privilege Use audit policy. | 17.8 | § | ! | |||
Event Log Settings | |||||||
48 | Configure Event Log retention method and size. | 18.7.19 | § | ! | ! | 4.6.1 | |
49 | Configure log shipping (e.g. to Splunk). | § | |||||
Additional Security Protection | |||||||
50 | Disable or uninstall unused services. | ! | |||||
51 | Disable or delete unused users. | ! | |||||
52 | Configure user rights to be as secure as possible. | § | ! | ||||
53 | Ensure all volumes are using the NTFS file system. | § | ! | ||||
54 | Configure file system permissions. | § | ! | ||||
55 | Configure registry permissions. | § | ! | ||||
56 | Disallow remote registry access if not required. | 2.3.11.6 | § | ||||
Additional Steps | |||||||
57 | Set the system date/time and configure it to synchronize against campus time servers. | § | ! | ||||
58 | Install and enable anti-virus software. | § | ! | ! | |||
59 | Install and enable anti-spyware software. | § | ! | ||||
60 | Configure anti-virus software to update daily. | § | ! | ! | |||
61 | Configure anti-spyware software to update daily. | § | ! | ||||
62 | Provide secure storage for Confidential (category-I) Data as required. Security can be provided by means such as, but not limited to, encryption, access controls, filesystem audits, physically securing the storage media, or any combination thereof as deemed appropriate. | § | ! | ||||
63 | Install software to check the integrity of critical operating system files. | § | ! | ||||
64 | If RDP is utilized, set RDP connection encryption level to high. Make sure to restrict RDP access to local VPNgroup and local campus management subnets. Do not allow RDP to be available to the Internet at large. | § | ! | ||||
Physical Security | |||||||
65 | Set a BIOS/firmware password to prevent alterations in system start up settings. | 4.4.1 | |||||
66 | Disable automatic administrative logon to recovery console. | 2.3.13.1 | ! | ||||
67 | Do not allow the system to be shut down without having to log on. (Default) | 2.3.14.1 | ! | ! | |||
68 | Configure the device boot order to prevent unauthorized booting from alternate media. | ! | 4.4.1 | ||||
69 | Configure a screen-saver to lock the console's screen automatically if the host is left unattended. | § | ! | ! |
UT Note: Addendum
This list provides specific tasks related to the computing environment at The University of Texas at Austin.
1 | If other alternatives are unavailable, this can be accomplished by installing a SOHO router/firewall in between the network and the host to be protected. |
---|---|
2 | The Security Configuration Wizard can greatly simplify the hardening of the server. Once the role for the host is defined, the Security Configuration Wizard can help create a system configuration based specifically on that role. It does not completely get rid of the need to make other configuration changes, though. More information is available at: Security Configuration Wizard. |
3 | There are several methods available to assist you in applying patches in a timely fashion: Microsoft Update Service
Windows AutoUpdate via WSUS ITS offers a Windows Server Update Services Server for campus use using Microsoft's own update servers. It includes updates for additional Microsoft products, just like Microsoft Update, and provides additional administrative control for software deployment. Microsoft Baseline Security Analyzer This is a free host-based application that is available to download from Microsoft. In addition to detailing missing patches, this tool also performs checks on basic security settings and provides information on remediating any issues found. |
4 | Configure Automatic Updates from the Automatic Updates control panel
|
5 | Configuring the minimum password length settings is important only if another method of ensuring compliance with university password standards is not in place. The Information Resources Use and Security Policy requires passwords be a minimum of 8 characters in length. It is strongly recommended that passwords be at least 14 characters in length (which is also the recommendation of CIS). Longer passwords (e.g., more than 20 characters) offer much more protection (entropy) in the event a password hash is obtained and an attacker is attempting to crack it. |
6 | Configuring the password complexity setting is important only if another method of ensuring compliance with university password standards is not in place. The Information Resources Use and Security Policy requires that passwords contain letters, numbers, and special characters. |
7 | If this option is enabled, the system will store passwords using a weak form of encryption that is susceptible to compromise. This configuration is disabled by default. |
8 | Instead of the CIS recommended values, the account lockout policy should be configured as follows:
|
11 | Any account with this role is permitted to log in to the console. By default, this includes users in the Administrators, Users, and Backup Operators groups. It's unlikely that non-administrative users require this level of access and, in cases where the server is not physically secured, granting this right may facilitate a compromise of the device. |
13 | The text of the university's official warning banner can be found on the ISO's web site. You may add localized information to the banner as long as the university banner is included. |
14 | The use of Microsoft accounts can be blocked by configuring the group policy object at: Computer ConfigurationWindows SettingsSecurity SettingsLocal Policies Security OptionsAccounts: Block Microsoft accounts This setting can be verified by auditing the registry key: HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesSystemNoConnectedUser |
42 | Logon information for domain accounts can be cached locally to allow users who have previously authenticated to do so again even if a domain controller cannot be contacted. By default 10 accounts will be cached locally, but there is a risk that in the event of a compromise an attacker could locate the cached credentials and use a brute force attack to discover the passwords. Therefore, it is recommended that this value be reduced so that fewer credentials will be placed at risk, and credentials will be cached for shorter periods of time in the case of devices that are logged into frequently by multiple users. The group policy object below should be set to 4 or fewer logins: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity OptionsInteractive logon: Number of previous logons to cache (in case domain controller is not available) |
43 | The Account Logon audit policy logs the results of validation tests of credentials submitted for user account logon requests. The server that is authoritative for the credentials must have this audit policy enabled. For domain member machines, this policy will only log events for local user accounts. Configure the group policy object below to match the listed audit settings: Computer ConfigurationWindows SettingsSecurity Settings Advanced Audit Policy ConfigurationAudit PoliciesAccount Logon
|
44 | Configure the group policy object below to match the listed audit settings: Computer ConfigurationWindows SettingsSecurity Settings Advanced Audit Policy ConfigurationAudit PoliciesAccount Management
|
45 | Configure the group policy object below to match the listed audit settings: Computer ConfigurationWindows SettingsSecurity Settings Advanced Audit Policy ConfigurationAudit PoliciesLogon/Logoff
|
46 | Configure the group policy object below to match the listed audit settings: Computer ConfigurationWindows SettingsSecurity Settings Advanced Audit Policy ConfigurationAudit PoliciesPolicy Change
|
47 | Configure the group policy object below to match the listed audit settings: Computer ConfigurationWindows SettingsSecurity Settings Advanced Audit Policy ConfigurationAudit PoliciesPrivilege Use
|
48 | The university requires the following event log settings instead of those recommended by the CIS Benchmark:
The recommended retention method for all logs is: Overwrite events older than 14 days These are minimum requirements. The most important log here is the security log. 100 MB is a suggested minimum, but if you have a high-volume service, make the file as large as necessary to make sure at least 14 days of security logs are available. You may increase the number of days that you keep, or you may set the log files to not overwrite events. Note that if the event log reaches its maximum size and no events older than the number of days you specified exist to be deleted, or if you have disabled overwriting of events, no new events will be logged. This may happen deliberately as an attempt by an attacker to cover his tracks. For critical services working with Cat 1 or other sensitive data, you should use Syslog, Splunk, Intrust, or a similar service to ship logs to another device. Another option is to configure Windows to rotate event log files automatically when an event log reaches its maximum size as described in the article http://support.microsoft.com/kb/312571 using the AutoBackupLogFiles registry entry. |
49 | It is highly recommended that logs are shipped from any Category I devices to a service like Splunk, which provides log aggregation, processing, and real-time monitoring of events among many other things. This helps to ensure that logs are preserved and unaltered in the event of a compromise, in addition to allowing proactive log analysis of multiple devices. The ISO maintains a centrally-managed Splunk service that may be leveraged. Please see the on-boarding form for more details. |
52 | Configure user rights to be as secure as possible, following the recommendations in section 2.2 of the CIS benchmark. Every attempt should be made to remove Guest, Everyone, and ANONYMOUS LOGON from the user rights lists. |
53 | Volumes formatted as FAT or FAT32 can be converted to NTFS, by using the convert.exe utility provided by Microsoft. Microsoft has provided instructions on how to perform the conversion.Windows servers used with Category I data must use the NTFS file system for all partitions where Category I data is to be stored. |
54 | Be extremely careful, as setting incorrect permissions on system files and folders can render a system unusable. |
55 | Be extremely careful, as setting incorrect permissions on registry entries can render a system unusable. |
56 | Some remote administration tools, such as Microsoft Systems Management Server, require remote registry access to managed devices. Disabling remote registry access may cause such services to fail. If remote registry access is not required, it is recommended that the remote registry service be stopped and disabled. If remote registry access is required, the remotely accessible registry paths should still be configured to be as restrictive as possible. The group policy object below controls which registry paths are available remotely: Computer ConfigurationWindows SettingsSecurity SettingsLocal Policies Security OptionsNetwork access: Remotely accessible registry paths This object should be set to allow access only to:
Further restrictions on the registry paths and subpaths that are remotely accessible can be configured with the group policy object: Computer ConfigurationWindows SettingsSecurity SettingsLocal Policies Security OptionsNetwork access: Remotely accessible registry paths and sub-paths |
57 | By default, domain members synchronize their time with domain controllers using Microsoft's Windows Time Service. The domain controller should be configured to synchronize its time with an external time source, such as the university's network time servers. ITS Networking operates two stratum 2 NTPv4 (NTP version 4) servers for network time synchronization services for university network administrators. |
58 | ISO provides Cisco AMP, a managed, cloud-based malware protection service, free of charge for all university-owned devices. More information about obtaining and using AMP is at https://security.utexas.edu/education-outreach/anti-virus. |
59 | Anti-spyware software is only required to be installed if the server is used to browse Web sites not specifically related to the administration of the server, which is not recommended. At a minimum, SpyBot Search and Destroy should be installed. Consider installing a secondary anti-spyware application, such as SpyWare Blaster, EMS Free Surfer, or AdAware. An additional measure that can be taken is to install Firefox with the NoScript and uBlock add-ons. |
60 | Cisco AMP is the recommended anti-virus solution. Microsoft Forefront may also be used, and can be configured directly or through the use of GPOs, which can simplify the management of multiple servers. |
61 | Spyware Blaster - Enabling auto-update functionality requires the purchase of an additional subscription. SpyBot Search and Destroy - Automatic update tasks can be created inside the program itself and are scheduled using the Windows Task Scheduler.
|
62 | Windows provides the Encrypting File System as a built-in mechanism to allow the encryption of individual users' files and folders. Be aware of the caveats involved in the use of EFS before implementing it for general use, though. Other options such as PGP and GNUPG also exist. Another encryption option to consider is whole-disk encryption, which encrypts the entire contents of the drive instead of just specific files and folders. Windows comes with BitLocker for this. If encryption is being used in conjunction with Category I data, one of the solutions listed in the Approved Encryption Methods (EID required) must be implemented. |
63 | Windows has a feature called Windows Resource Protection which automatically checks certain key files and replaces them if they become corrupted. It is enabled by default. You can audit in much more in depth using Tripwire. Modern versions of Tripwire require the purchase of licenses in order to use it. The Tripwire management console can be very helpful for managing more complex installations. |
64 | This setting is configured by group policy object at: Computer ConfigurationAdministrative TemplatesWindows ComponentsRemote Desktop ServicesRemote Desktop Session HostSecurity This policy object should be configured as below:
|
69 |
|
This article describes the hotfixes and updates that are currently available for Remote Desktop Services in Microsoft Windows Server 2012 R2.
Original product version: Windows Server 2012 R2
Original KB number: 3147099
Original KB number: 3147099
Summary
This article describes the currently available fixes that are highly recommended for Remote Desktop Services in Windows Server 2012 R2 environments. These fixes have prerequisites for all Remote Desktop Services roles, and they apply to the following areas for Remote Desktop Services 2012 R2:
- Remote Desktop Connection Brokers
- Remote Desktop Gateway
- Remote Desktop Licensing
- Remote Desktop Session Hosts
- Remote Desktop Virtualization Hosts
- Remote Desktop Web Access
Additional Remote Desktop client information is introduced:
- RDP 8.1 updates for Windows 7
- RDP 8.1 and 8.0 new features
Note
We recommend that you install these fixes to ensure the highest level of reliability.
For a complete list of all available fixes, see Available Updates for Remote Desktop Services in Windows Server 2012 R2.
Prerequisites
Before you install the hotfix for any Remote Desktop Services role, you must have the following updates installed.
Date the update was added | Related Knowledge Base article | Title | Component | Why we recommend this update |
---|---|---|---|---|
Ongoing | Any remaining Windows updates | N/A | Multiple | The most recent Windows updates and fixes outside of normal security updates, in addition to the rollup packages that are listed in this table. |
December 2014 | 3013769 | December 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 | Multiple | An update rollup package that resolves issues and includes performance and reliability improvements. Available from Windows Update and for individual download from the Microsoft Download Center. To apply this update, you must first install the update 2919355 on Windows Server 2012 R2. |
November 2014 | 3000850 | November 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 | Multiple | A cumulative update that includes the security updates and non-security updates (including for Remote Desktop Services) that were released between April 2014 and November 2014. Available from Windows Update and for individual download from the Microsoft Download Center. To apply this update, you must first install the update 2919355 on Windows Server 2012 R2. |
Updates and hotfixes for Remote Desktop Connection Brokers
Note
See the prerequisites table before you install any update or hotfix for this server role.
Date the update was added | Related Knowledge Base article | Title | Component | Why we recommend this update |
---|---|---|---|---|
November 2015 | 3091411 | User connection fails when many connections are made to Windows Server 2012 R2-based RD Connection Broker | Multiple | This rollup contains the following improvements:
|
December 2014 | 3020474 | Communication issues occur when Remote Desktop Connection Broker connects to SQL Server in Windows Server 2012 R2 | script | If you are using RD Connection Broker High Availability, make sure that you watch for the security events that are described in the Knowledge Base article that indicate communication issues between the RD Connection Brokers and SQL Server. You have to enable auditing for failure events by using the script auditpol /set /subcategory:'Filtering Platform Connection' /success:disable /failure:enable This script unblocks only UDP port 1434 from a Windows level. If you have a network device that also blocks this port, you must unblock at this level, too. |
Updates and hotfixes for Remote Desktop Gateway
Note
See the prerequisites table before you install any update or hotfix for this server role.
Date the update was added | Related Knowledge Base article | Title | Component | Why we recommend this update |
---|---|---|---|---|
March 2016 | 3123913 | Remote Desktop Gateway server crashes during certain user disconnect scenarios in Windows Server 2012 R2 | aaedge.dll | Latest version of Aaedge.dll that resolves several issues in which the RD Gateway service crashes and causes user disconnections. Also includes 3042843. |
0xc004f00f Windows Server 2012 R2 Server
Updates and hotfixes for Remote Desktop Licensing
Note
See the prerequisites table before you install any update or hotfix for this server role.
Date the update was added | Related Knowledge Base article | Title | Component | Why we recommend this update |
---|---|---|---|---|
March 2016 | 3108326 | Licensing servers become deadlocked under high load in Windows Server 2012 R2 | lserver.dll | Latest version of Lserver.dll that resolves an issue in which multiple RD Licensing servers crash or restart on high load. Any RDSH that is configured in Per-Device mode would refuse all connections requests while their LS is in this state. Also includes 3092695 and 3084952 |
January 2015 | 3013108 | RDS License Manager shows no issued free or temporary client access licenses in Windows Server 2012 R2 | licmgr.exe | Latest version of Licmgr.exe that fixes an issue in which the RDS License Manager shows no issued free or temporary client access licenses in Windows Server 2012 R2. |
Updates and hotfixes for Remote Desktop Session Hosts
Note
0xc004f00f Windows Server 2012 R2 Download Iso
See the prerequisites table before you install any update or hotfix for this server role.
Date the update was added | Related Knowledge Base article | Title | Component | Why we recommend this update |
---|---|---|---|---|
April 2016 | 3146978 | RDS redirected resources showing degraded performance in Windows 8.1 or Windows Server 2012 R2 | Multiple | This update resolves slow RDP performance issues when you use redirected resources (drives, printers, and ports). |
December 2015 | 3127673 | Stop error 0x000000C2 or 0x0000003B when you're running Remote Desktop Services in Windows Server 2012 R2 | win32k.sys & dxgkrnl.sys | This article describes a hotfix package that fixes a problem that causes Windows Server 2012 R2 to crash when you're running Microsoft Remote Desktop Services (RDS). |
October 2015 | 3103000 | RemoteApp windows disappear and screen flickers when you switch between windows in Windows 8.1 or Windows Server 2012 R2 | rdpshell.exe | This update contains the latest RemoteApp server side components (mainly Rdpinit.exe/Rdpshell.exe) and includes all other RemoteApp section fixes that are listed in 2933664. There may also be fixes on the client side for RemoteApp. These fixes are listed again in 2933664 in the Remote Desktop Client section. |
September 2015 | 3092688 | UPD profiles corrupted when a network connectivity issue occurs in Windows Server 2012 R2 | sessenv.dll | Latest version of Sessenv.dll. This update resolves an issue in which UPDs become corrupted when network connectivity issue occurs. |
July 2015 | 3078676 | Event 1530 is logged and ProfSvc leaks paged pool memory and handles in Windows 8.1 or Windows Server 2012 R2 | profsvc.dll | Latest version of Profsvc.dll. This article describes an issue in which event 1530 is logged, and the User Profile Service (ProfSvc) leaks paged pool memory and handles. |
July 2015 | 3073630 | Remote Desktop Easy Print runs slowly in Windows Server 2012 R2 | Multiple | Resolves an issue in which it takes a long time to print through a redirected printer that uses Remote Desktop Easy Print. |
July 2015 | 3073629 | Redirected printers go offline after print spooler is restarted on a Windows Server 2012 R2-based RD Session Host server | Multiple | Resolves an issue in which redirected printers go offline after the print spooler is restarted on a Windows Server 2012 R2-based RD Session Host server. Also includes 3055615. |
Updates and hotfixes for Remote Desktop Virtualization Hosts
Note
0xc004f00f Windows Server 2012 R2 Download
See the prerequisites table before you install any update or hotfix for this server role.
Date the update was added | Related Knowledge Base article | Title | Component | Why we recommend this update |
---|---|---|---|---|
November 2015 | 3092688 | UPD profiles corrupted when a network connectivity issue occurs in Windows Server 2012 R2 | sessenv.dll | Latest version of Sessenv.dll. This update resolves an issue in which UPDs become corrupted when network connectivity issue occurs. If the VDI guest VMs are running Windows 8.1, you must also install this within the guest virtual machines. |
Updates and hotfixes for Remote Desktop Web Access
Note
See the prerequisites table before you install any update or hotfix for this server role.
Date the update was added | Related Knowledge Base article | Title | Component | Why we recommend this update |
---|---|---|---|---|
November 2015 | 3069129 | Blank page is displayed when you try to access RemoteApps on a Windows-based RD Web Access server | Multiple | Resolves an issue in which the RD Web Access server displays a blank web page if the number of published RemoteApps is greater than 999. Also includes the update 2957984. |
Remote Desktop clients (mstsc.exe)
0xc004f00f Windows Server 2012 R2 Sp1
- RDP 8.1 updates for Windows 7These fixes update the Remote Desktop Services server-side roles and components that are built around Remote Desktop Protocol (RDP) 8.1. However, although updates are performed on the server-side infrastructure, the Remote Desktop Clients are often left untouched. This can cause performance and reliability issues. By default, older clients such as Windows 7 Service Pack 1 (SP1) are restricted to RDP 7.1 and do not provide the new features and improvements that are available in RDP 8.1. Therefore, we have released the RDP 8.1 client for Windows 7 to provide significant performance and reliability improvements when these clients are connected to RDS 2012 R2 environments. To enable RDP 8.1 on Windows 7, follow these steps:
- Verify which version of RDP you're using. To do this, start the Remote Desktop Connection client program (mstsc.exe), click the small Remote Desktop icon in the top-left corner of the application dialog box, and then select About. Verify that the About message indicates Remote Desktop Protocol 8.1 supported.
- If the About message indicates Remote Desktop Protocol 7.1 supported, install the following updates for RDP 8.1:
- 2574819: An update is available that adds support for DTLS in Windows 7 SP1 and Windows Server 2008 R2 SP1
- 2857650: Update that improves the RemoteApp and Desktop Connections features is available for Windows 7
- 2830477: Update for RemoteApp and Desktop Connections feature is available for Windows
- 2913751: Smart card redirection in remote sessions fails in a Windows 7 SP1-based RDP 8.1 client
- 2923545: Update for RDP 8.1 is available for Windows 7 SP1.31255
- 3125574: Convenience rollup update for Windows 7 SP1 and Windows Server 2008 R2 SP1
- Install any outstanding Windows Updates.
- RDP 8.1 and RDP 8.0 new featuresFor a list of features that were introduced in RDP 8.1, see Update for RemoteApp and Desktop Connections feature is available for Windows.For a list of features that were introduced in RDP 8.0, see Remote Desktop clients.