wslg
RemoteApp constantly prompting after start due to group policy setting
Windows build number:
22621.586
Your Distribution version:
20.04
Your WSL versions:
```
WSL version: 0.66.2.0
Kernel version: 5.15.57.1
WSLg version: 1.0.42
MSRDC version: 1.2.3401
Direct3D version: 1.606.4
DXCore version: 10.0.25131.1002-220531-1700.rs-onecore-base2-hyp
Windows version: 10.0.22621.586
```
Steps to reproduce:
Restart WSL with WSLg. (Happens after Windows Boot or manual WSL Restart)
WSL logs:
No response
WSL dumps:
No response
Expected behavior:
No prompts after WSL with WSLg startup or maybe an option to accept the prompt for the future.
Actual behavior:
After every restart of WSL I constantly get this prompt three times in a row. This is the second laptop from my company I am getting this error with WSLg on. I think it's caused by a Group Policy, but I don't know which one. I can't find any reports on the internet for this behavior. I don't think it's related to WSLg in the first place, but maybe someone has a workaround.

@codeart1st, would you please share the output from `reg QUERY "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /S` on Windows's command prompt?
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    AuthenticationLevel REG_DWORD 0x2
    fDenyTSConnections REG_DWORD 0x0
    LoggingEnabled REG_DWORD 0x1
    UseBandwidthOptimization REG_DWORD 0x1
    OptimizeBandwidth REG_DWORD 0x0
    UseCustomMessages REG_DWORD 0x0
    fAllowToGetHelp REG_DWORD 0x1
    fAllowFullControl REG_DWORD 0x1
    MaxTicketExpiry REG_DWORD 0x1
    MaxTicketExpiryUnits REG_DWORD 0x1
    fUseMailto REG_DWORD 0x1
    fAllowUnsolicited REG_DWORD 0x1
    fAllowUnsolicitedFullControl REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client
    fEnableUsbBlockDeviceBySetupClass REG_DWORD 0x1
    fEnableUsbNoAckIsochWriteToDevice REG_DWORD 0x50
    fEnableUsbSelectDeviceByInterface REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbBlockDeviceBySetupClasses
    1000 REG_SZ {3376f4ce-ff8d-40a2-a80f-bb4359d1415c}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbSelectDeviceByInterfaces
    1000 REG_SZ {6bdd1fc6-810f-11d0-bec7-08002be2092f}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
    foobar\administratoren REG_SZ foobar\administratoren
    FOOBAR\admins REG_SZ FOOBAR\admins
```
Changed the domain to foobar.
@codeart1st, thanks for the info. Yes, it looks like you have the policy below set, which is causing server-side authentication, and WSLg's server side is Linux, thus it is not using that by default.
AuthenticationLevel REG_DWORD 0x2
By default, authentication level is specified at https://github.com/microsoft/wslg/blob/690c91c25400bc53aab708187452d4b31d991023/package/wslg.rdp#L2
I would like to double check: if you press yes to continue, does WSLg work as expected? Thanks!
@hideyukn88 first of all, yes, WSLg works correctly after I accept the prompts. I also checked what happens with value 0x0 for AuthenticationLevel. As you supposed, my problem is gone and this should be the root cause.
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_SERVER_AUTH
For now, I'm not sure if I can daily drive my company laptop with this setting.
@codeart1st, thanks for confirming. We will address this issue, but the fix will be in RDP client software, which requires a longer cycle to release the fix, thanks!
Hello @codeart1st,
> We will address this issue. but the fix will be in RDP client software, which requires longer cycle to release the fix, thanks!

This problem still exists on my machine. All available update / patches are installed (Windows and WSL). I'm using Windows 11. But I'm still blocked to use WSLg.
Do you know where I can see the progress of the RDP client fix or a release in which it has been fixed or will be fixed?
Thanks! Thomas
@thomasdoerr, unfortunately we have not yet agreed on the approach for the fix with the team that owns the RDP client software.

> But I'm still blocked to use WSLg.

Does WSLg work by clicking "yes" at the dialog?
Btw, you can check the update of RDP client software at https://learn.microsoft.com/en-us/azure/virtual-desktop/whats-new-client-windows, and you can see which version of msrdc.exe is included in WSLg by wsl --version from Windows's command prompt, thanks!
@hideyukn88 thanks for the answer. Yes it works, connects correctly and the dialog disappears, but several new ones are constantly showing up. So it is not an option to work with this bug. Thanks!
Yeah, still waiting for a patch.
Same issue here (same RemoteApp window 4 times after I switch on the computer) on a company laptop running Windows 10 Enterprise 21H2.
Same AuthenticationLevel REG_DWORD 0x2 in the given reg key.
I changed it to 0x0 in the registry, but it is likely to be overwritten by the group policies from the domain.
Since I am not using any GUI on Linux, I however just disabled it by adding
```
[wsl2]
guiApplications=false
```
in the %userprofile%/.wslconfig
Seems to be ok now. I got the issue after upgrading wsl from the shell.
from Powershell: wsl --version
```
WSL version: 1.0.3.0
Kernel version: 5.15.79.1
WSLg version: 1.0.47
MSRDC version: 1.2.3575
Direct3D version: 1.606.4
DXCore version: 10.0.25131.1002-220531-1700.rs-onecore-base2-hyp
Windows version: 10.0.19044.2486
```
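
The check requested earlier in this thread, as an added example that is not part of the original discussion: a Python parser for pasted `reg QUERY ... /S` output and `.wslconfig` text that reports the `AuthenticationLevel` policy value. The function names and the `prompt_likely` heuristic are assumptions made here, the value meanings follow the TS_SERVER_AUTH policy linked above, and the sample is constructed from output posted in the thread.

```python
import configparser
import re

# Policy values for "Configure server authentication for client" (TS_SERVER_AUTH).
AUTH_LEVELS = {
    0: "always connect, even if server authentication fails",
    1: "do not connect if server authentication fails",
    2: "warn if server authentication fails",
}
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
VALUE_LINE = re.compile(r"^(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")

# Constructed sample, abbreviated from the output posted in this thread.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    AuthenticationLevel    REG_DWORD    0x2
    fDenyTSConnections    REG_DWORD    0x0
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
    NT AUTHORITY\Authenticated Users    REG_SZ    NT AUTHORITY\Authenticated Users
"""

def parse_reg_query(text):
    """Parse `reg QUERY <key> /S` output into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.casefold(), {})
        elif current is not None and (m := VALUE_LINE.match(line)):
            name, kind, data = m.groups()
            # DWORD/QWORD data is printed as hex (0x2); value names may contain spaces.
            current[name] = int(data, 16) if kind in ("REG_DWORD", "REG_QWORD") else data
    return keys

def wslg_disabled(wslconfig_text):
    """True if .wslconfig content sets guiApplications=false under [wsl2]."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(wslconfig_text)
    return cfg.get("wsl2", "guiApplications", fallback="true").strip().lower() == "false"

def assess(reg_text, wslconfig_text=""):
    """Report the policy value and whether the RemoteApp prompt is likely (heuristic)."""
    policy = parse_reg_query(reg_text).get(POLICY_KEY.casefold(), {})
    level = policy.get("AuthenticationLevel")
    gui_off = wslg_disabled(wslconfig_text)
    return {
        "level": level,
        "meaning": AUTH_LEVELS.get(level, "policy not configured"),
        "wslg_disabled": gui_off,
        # Assumption from the thread's reports: prompts appear at level 2 with WSLg enabled.
        "prompt_likely": level == 2 and not gui_off,
    }
```
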
Just to understand the situation: it means the WSL tries to connect to the VM over RDP and there is no authentication for WSL VMs, so RDP fails to authenticate and warns the users based on the GPO/Registry value. What is the expected situation here then? Create an exception for WSL for RDP connections? Or developing a capability to authenticate for WSL VMs over negotiation?
@zbalkan, thanks for the inquiry, and the solutions you listed are being considered. Ideally authentication would be done properly, but this incurs additional development cost that is currently not scheduled. On the other hand, silently making an exception for WSL might cause some confusion for system administrators by not honoring the policy. Thus, the current behavior is considered the best "compromise" since it informs that it's not meeting the group policy deployed by your admin, but still offers a way for WSLg to work. Any feedback is welcome, thanks!
Hi @hideyukn88 ,
As a former sysadmin, a long term dev and a current cybersecurity person, I would vote on a decision which would not sacrifice security for the sake of usability.
My suggestion would be adding this exception for WSL2 but making it manageable via a GPO. So that sysadmins can explicitly create an exception for WSL in the corporate environment. It is secure, manageable and does not affect usability.
This is definitely more than annoying. We work with the Docker Desktop integration for WSL and IntelliJ. When Docker starts its containers you'll get 3 or 4 of these dialogs, and for every project IntelliJ tries to open in the WSL environment you get another one. So you sometimes end up with 20 to 30 of these dialogs a day, often piling up behind your active windows.
I'm running WSL on a corporate laptop and the setting that causes these dialogs is controlled by Group Policy and our admins aren't going to relax these settings due to security reasons. As mentioned by @joehni I'm getting a lot of these notifications, working with VS Code integrated with WSL. Having these popups is very annoying, please schedule a proper fix for this issue, thank you!
> I'm running WSL on a corporate laptop and the setting that causes these dialogs is controlled by Group Policy and our admins aren't going to relax these settings due to security reasons.

^^ This. And it's driving me nuts 🙃
~~I actually haven't seen this popup in a while now, not sure what changed, but I'll unsubscribe, cheers!~~
Update 23 Nov 2023: I didn't see it because I had wslg disabled. Once enabled I see it again. Also if I hibernate and then power on the laptop, I get spammed with these notifications in an infinite loop nonstop. I have to end the process and then I get one notification that I can accept.
I'm seeing the same error on a company laptop with pretty strict group policies. I'm using VS Code with WSL2 Ubuntu, Docker extension, running a docker daemon inside WSL2. I do not use GUI apps under WSL2. The popups seem more abundant (every 1-2 minutes) when I haven't started VS Code yet.
```
C:\Users\XXX>reg QUERY "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /S
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    fDenyTSConnections REG_DWORD 0x0
    AuthenticationLevel REG_DWORD 0x2
    DisablePasswordSaving REG_DWORD 0x1
    fDisableClip REG_DWORD 0x1
    fDisableCdm REG_DWORD 0x1
    fPromptForPassword REG_DWORD 0x1
    fWritableTSCCPermTab REG_DWORD 0x0
    fEncryptRPCTraffic REG_DWORD 0x1
    SecurityLayer REG_DWORD 0x2
    UserAuthentication REG_DWORD 0x1
    MinEncryptionLevel REG_DWORD 0x3
    fAllowUnsolicited REG_DWORD 0x1
    fAllowUnsolicitedFullControl REG_DWORD 0x1
    CreateEncryptedOnlyTickets REG_DWORD 0x1
    fAllowToGetHelp REG_DWORD 0x1
    fAllowFullControl REG_DWORD 0x1
    MaxTicketExpiry REG_DWORD 0x1
    MaxTicketExpiryUnits REG_DWORD 0x1
    fUseMailto REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client
    fEnableUsbBlockDeviceBySetupClass REG_DWORD 0x1
    fEnableUsbNoAckIsochWriteToDevice REG_DWORD 0x50
    fEnableUsbSelectDeviceByInterface REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbBlockDeviceBySetupClasses
    1000 REG_SZ {3376f4ce-ff8d-40a2-a80f-bb4359d1415c}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbSelectDeviceByInterfaces
    1000 REG_SZ {6bdd1fc6-810f-11d0-bec7-08002be2092f}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
    itb-helpdesk REG_SZ itb-helpdesk
    trimremoteassisthelpers REG_SZ trimremoteassisthelpers
```
```
C:\Users\XXX> wsl --version
WSL version: 1.2.5.0
Kernel version: 5.15.90.1
WSLg version: 1.0.51
MSRDC version: 1.2.3770
Direct3D version: 1.608.2-61064218
DXCore version: 10.0.25131.1002-220531-1700.rs-onecore-base2-hyp
Windows version: 10.0.19044.3448
```
As helpfully recommended by @ericbl I've created a %USERPROFILE%/.wslconfig with the contents
```
[wsl2]
guiApplications=false
```
and after a restart it seems the popups are gone.
Ideally I'd love to run GUI apps from WSL2 and still not see these popups.
I have the same issue, but adding this to %USERPROFILE%\.wslconfig (and also to /etc/wsl.conf)
```
[wsl2]
guiApplications=false
```
did not work for me. I also have to confirm the dialog four times, until it disappears. If I don't, it keeps popping up. This feels very insecure.
My `reg QUERY "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /S`:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    DisablePasswordSaving REG_DWORD 0x1
    MinEncryptionLevel REG_DWORD 0x3
    SecurityLayer REG_DWORD 0x2
    UserAuthentication REG_DWORD 0x1
    fDenyTSConnections REG_DWORD 0x1
    CertTemplateName REG_SZ Machine Certificate
    CreateEncryptedOnlyTickets REG_DWORD 0x1
    LoggingEnabled REG_DWORD 0x1
    fAllowToGetHelp REG_DWORD 0x1
    fAllowFullControl REG_DWORD 0x1
    MaxTicketExpiry REG_DWORD 0x1e
    MaxTicketExpiryUnits REG_DWORD 0x0
    fUseMailto REG_DWORD 0x1
    AuthenticationLevel REG_DWORD 0x2
    fPromptForPassword REG_DWORD 0x1
    fAllowUnsolicited REG_DWORD 0x1
    fAllowUnsolicitedFullControl REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client
    fEnableUsbBlockDeviceBySetupClass REG_DWORD 0x1
    fEnableUsbNoAckIsochWriteToDevice REG_DWORD 0x50
    fEnableUsbSelectDeviceByInterface REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbBlockDeviceBySetupClasses
    1000 REG_SZ {3376f4ce-ff8d-40a2-a80f-bb4359d1415c}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbSelectDeviceByInterfaces
    1000 REG_SZ {6bdd1fc6-810f-11d0-bec7-08002be2092f}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
    NT AUTHORITY\Authenticated Users REG_SZ NT AUTHORITY\Authenticated Users
```
In my case, starting a WSL terminal and keeping it open means no additional popups. Still have to get 2-3 out of the way in the beginning, but at least nothing after that.
Using this in corporate environments where the group policy dictates the AuthenticationLevel is quite annoying. The workaround with the %USERPROFILE%\.wslconfig is possible, but what if you want to use GUI applications? This should really be handled with a higher priority.
This papercut requires a solution, not a workaround. A properly manageable solution which may work in both enterprise and home users.
If we need RDP with TLS for WSL, just generate a new self signed certificate locally and add it to the local certificate store. If there's a problem, allow us to reset. We don't need more.
Also, since I started this issue back in 2022, the dialog prompts now sometimes flicker for me without any visible text. That's even more annoying.
Yeah, got the flickering too.
I had the flickering when I changed networks.
Constantly flickering for me as well, really annoying.
Yes, I've also met this pop-up window problem. I think the main problem is that it keeps popping up. Can it be changed so that once the user confirms, it does not pop up again and again for the same address?
I get this - the popups, the flickering - and the worst part is that sometimes multiple running RemoteApp popups really start degrading the performance of other software.
One of our devs is struggling with his script because of that particular pop-up that does not let him launch his instance.
I don't want to remove our policy regarding this pop-up and modify the registry, and as mentioned, we should not sacrifice security for practicality. A quick workaround for that would be nice..!
This issue from 2022 is an everyday annoyance in any corporate IT environment with group policies, and it prohibits widespread use of WSL+WSLg as a better and more (with Windows) integrated alternative to virtual machines with a Linux guest OS. I could not fathom why it is still not fixed.