Possible Cause: The Remote Desktop Gateway server can’t reach the Virtual machine (VM). This could be because the VM is not running or responding on the RDP port.
Possible Troubleshooting Steps:
VM status in Control and Cloud: Ensure the Virtual machine is in the ready state in the Control and running state in the Cloud. If Pause and Resume are enabled, make sure the VM is resumed when the user tries to launch the desktop.
Client Communication to PRS Service: Ensure the Client can access https://service.workspot.com and https://Control.us.workspot.com. Here is the PowerShell command to test connectivity:
Test-NetConnection service.workspot.com -Port 443
Test-NetConnection control.us.workspot.com -Port 443 (Control is US)
Test-NetConnection control.eu.workspot.com -Port 443 (Control in EU)
Control Communication to Azure: Ensure Control and Cloud Communication. In the case of Azure, ensure the service principal App secret is not expired under Azure > Entra > App Registration > App ID (used by Workspot Control); otherwise, Workspot Control will not be able to communicate and manage resources on Azure.
Capacity issue: Ensure the VM starts (Azure) or resumes (GCP) on a cloud platform without any capacity issues. Look in the Watch for Resume Failure alarms.
Firewall: Ensure Windows Firewall is not blocking incoming connections from the Gateway on port 3389.
VM reachability: If the VM is running, ensure the VM is responding to RDP through MSTSC > VM IP from the RD gateway server. If not, there could be additional steps that can be taken, depending on the Cloud, to troubleshoot:
Replacing the NIC of the VM (Only Azure Cloud)
Enabling RDP from Azure Run Command.
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
Restart-Service TermService
Disabling NLA
DNS reset
SCHANNEL errors: VDI’s system event logs may have SCHANNEL errors with event code 36871 and state 10013.
This error indicates the system is missing a valid certificate with an associated private key for TLS.
As a result, RDP logins may fail intermittently. If Windows can’t load a TLS server certificate (required for encrypting RDP sessions), secure connection setup fails.
Steps to Troubleshoot:
Reset SCHANNEL State
Run the following command in an elevated Command Prompt to reset SCHANNEL:
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f
Re-enable Default TLS
Run the following command in an elevated PowerShell window to re-enable default TLS settings:
New-ItemProperty -Path "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "Enabled" -Value 1 -PropertyType DWORD -Force
Reset TLS/RDP Certificate [If issue persists]
Back up the registry key before deletion.
Delete the current RDP Certificate hash using the following PowerShell command:
Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name SSLCertificateSHA1Hash
Then, reboot the VDI.
Windows will auto-generate a new self-signed certificate and bind it to RDP.