Microsoft-Windows-TerminalServices-RemoteConnectionManager
195 events across 5 channels
Event ID 256 — Remote Desktop Services Remote Connection Manager is starting up
Description
Remote Desktop Services Remote Connection Manager is starting up.
Message #
Event ID 257 — Remote Desktop Services Remote Connection Manager has finished start up.
Event ID 258 — Listener http://schemas.
#Description
Listener has started listening.
Message #
Fields #
| Name | Description |
|---|---|
EventXML.xmlns:auto-ns2 | — |
EventXML.listenerName | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"guid": "C76BAA63-AE81-421C-B425-340B4B24157F",
"event_source_name": "",
"event_id": 258,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2019-02-13T17:18:30.771694+00:00",
"event_record_id": 221,
"correlation": {
"ActivityID": "00000000-0244-0000-C48E-2E890BC4D401"
},
"execution": {
"process_id": 1280,
"thread_id": 1548
},
"channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
"computer": "PC01.example.corp",
"security": {
"user_id": "S-1-5-20"
}
},
"user_data": {
"EventXML": {
"xmlns:auto-ns2": "http://schemas.microsoft.com/win/2004/08/events",
"listenerName": "RDP-Tcp"
}
},
"message": "Listener http://schemas.microsoft.com/win/2004/08/events has started listening"
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 259 — Listener listenerName has stopped listening.
Event ID 260 — Listener listenerName failed while listening.
Event ID 261 — Listener http://schemas.
#Description
Listener received a connection.
Message #
Fields #
| Name | Description |
|---|---|
EventXML.xmlns:auto-ns2 | — |
EventXML.listenerName | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"guid": "C76BAA63-AE81-421C-B425-340B4B24157F",
"event_source_name": "",
"event_id": 261,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2019-02-13T18:04:45.905782+00:00",
"event_record_id": 227,
"correlation": {},
"execution": {
"process_id": 1280,
"thread_id": 1876
},
"channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
"computer": "PC01.example.corp",
"security": {
"user_id": "S-1-5-20"
}
},
"user_data": {
"EventXML": {
"xmlns:auto-ns2": "http://schemas.microsoft.com/win/2004/08/events",
"listenerName": "RDP-Tcp"
}
},
"message": "Listener http://schemas.microsoft.com/win/2004/08/events received a connection"
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 262 — Listener listenerName has been asked to stop listening.
Event ID 263 — WDDM graphics mode is enabled
Description
WDDM graphics mode is enabled.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"guid": "C76BAA63-AE81-421C-B425-340B4B24157F",
"event_source_name": "",
"event_id": 263,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2026-03-11T06:27:38.404213+00:00",
"event_record_id": 253,
"correlation": {
"ActivityID": "F4626F1C-FB1F-4005-81D8-895393540000"
},
"execution": {
"process_id": 1536,
"thread_id": 2316
},
"channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {},
"message": ""
}
Event ID 272 — Connection with ID Param1 has started.
Event ID 273 — Connection with ID Param1 for session Param2 has completed, total time Param3 (ms), stack time Param4 (ms).
Event ID 274 — Reconnect connection ID Param1 to session Param2 took Param3 (ms).
Event ID 1003 — The remote desktop client 'Param1' has provided an invalid license.
Event ID 1004 — The Remote Desktop Session Host server cannot issue a client license.
Message #
Event ID 1006 — The RD Session Host server received large number of incomplete connections.
Description
The RD Session Host server received large number of incomplete connections. The system may be under attack.
Message #
Event ID 1011 — The remote session could not be established from remote desktop client Param1 because its temporary license has expired.
Event ID 1012 —
Event ID 1022 —
Event ID 1024 —
Event ID 1035 —
Event ID 1036 —
Event ID 1041 —
Event ID 1046 —
Event ID 1050 —
Event ID 1051 —
Event ID 1052 —
Event ID 1053 —
Event ID 1054 —
Event ID 1055 —
Event ID 1056 —
Event ID 1056 —
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"guid": "{C76BAA63-AE81-421C-B425-340B4B24157F}",
"event_source_name": "TermService",
"event_id": 1056,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2013-10-23T21:47:52.000000Z",
"event_record_id": 2660,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "System",
"computer": "IE8Win7",
"security": {
"user_id": ""
}
},
"event_data": {}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1057 —
Event ID 1058 —
Event ID 1059 —
Event ID 1060 —
Event ID 1062 —
Event ID 1063 —
Event ID 1064 —
Event ID 1065 —
Event ID 1066 —
Event ID 1067 —
Event ID 1068 — The RD Licensing mode has not been configured.
Description
The RD Licensing mode has not been configured.
Message #
Event ID 1069 — The RD Licensing grace period has expired and Licensing mode for the Remote Desktop Session Host server has not been configured.
Description
The RD Licensing grace period has expired and Licensing mode for the Remote Desktop Session Host server has not been configured. Licensing mode must be configured for continuous operation.
Message #
Event ID 1070 —
Event ID 1071 —
Event ID 1072 —
Event ID 1073 —
Event ID 1136 — RD Session Host Server role is not installed.
#Description
RD Session Host Server role is not installed.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"guid": "C76BAA63-AE81-421C-B425-340B4B24157F",
"event_source_name": "",
"event_id": 1136,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2019-02-13T17:18:41.657347+00:00",
"event_record_id": 222,
"correlation": {},
"execution": {
"process_id": 1008,
"thread_id": 2440
},
"channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
"computer": "PC01.example.corp",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": "RD Session Host Server role is not installed."
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 1137 — The roaming user profile cache manager for Remote Desktop Services could not start.
Event ID 1138 — The roaming user profile cache manager for Remote Desktop Services could not start because an incorrect value was specified for the monitoring inte...
Event ID 1139 — The roaming user profile cache manager for Remote Desktop Services could not start because an incorrect value was specified for the maximum cache s...
Event ID 1140 — The "Limit the size of the entire roaming user profile cache" Group Policy setting has been enabled, but the roaming user profile cache manager for...
Event ID 1141 — The "Limit the size of the entire roaming user profile cache" Group Policy setting has been disabled, but the roaming user profile cache manager fo...
Event ID 1142 — The "Limit the size of the entire roaming user profile cache" Group Policy setting has been enabled.
Description
The "Limit the size of the entire roaming user profile cache" Group Policy setting has been enabled.
Message #
Event ID 1143 — The "Limit the size of the entire roaming user profile cache" Group Policy setting has been disabled.
Description
The "Limit the size of the entire roaming user profile cache" Group Policy setting has been disabled.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"guid": "C76BAA63-AE81-421C-B425-340B4B24157F",
"event_source_name": "",
"event_id": 1143,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2026-03-13T18:27:00.338529+00:00",
"event_record_id": 177,
"correlation": {},
"execution": {
"process_id": 2248,
"thread_id": 10044
},
"channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 1144 — The roaming user profile cache manager for Remote Desktop Services could not delete the roaming user profile for the user Param1.
Event ID 1145 — The roaming user profile cache manager for Remote Desktop Services deleted the roaming user profile for the user Param1 because the roaming user profil...
Event ID 1146 — Remote Desktop Services: Remote control session initiated.
Event ID 1147 — Remote Desktop Services: Remote control session connection succeeded.
Event ID 1148 — Remote Desktop Services: Remote control session connection failed.
Event ID 1149 — Remote Desktop Services: User authentication succeeded.
#Description
Remote Desktop Services: User authentication succeeded.
Message #
Fields #
| Name | Description |
|---|---|
EventXML.xmlns:auto-ns2 | — |
EventXML.Param1 | — |
EventXML.Param2 | — |
EventXML.Param3 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"guid": "C76BAA63-AE81-421C-B425-340B4B24157F",
"event_source_name": "",
"event_id": 1149,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2019-02-13T18:04:57.452387+00:00",
"event_record_id": 228,
"correlation": {},
"execution": {
"process_id": 1280,
"thread_id": 2748
},
"channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
"computer": "PC01.example.corp",
"security": {
"user_id": "S-1-5-20"
}
},
"user_data": {
"EventXML": {
"xmlns:auto-ns2": "http://schemas.microsoft.com/win/2004/08/events",
"Param1": "admin01",
"Param2": "example",
"Param3": "127.0.0.1"
}
},
"message": "Remote Desktop Services: User authentication succeeded:\n\nUser: http://schemas.microsoft.com/win/2004/08/events\nDomain: admin01\nSource Network Address: example"
}
Community Notes #
RDP user auth succeeded, combine with 4624 (successful logon)/4625 (logoff) to track lateral movement.
Detection Rules #
View all rules referencing this event →
Splunk # view in reference
- Windows RDP Connection Successful source: The following analytic detects successful Remote Desktop Protocol (RDP) connections by monitoring EventCode 1149 from the Windows TerminalServices RemoteConnectionManager Operational log. This detection is significant as successful RDP connections can indicate remote access to a system, which may be leveraged by attackers to control or exfiltrate data. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further lateral movement within the network. Monitoring successful RDP connections is crucial for identifying potential security breaches and mitigating risks promptly.
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 1150 — Remote Desktop Services: User config data have been merged.
Event ID 1151 — The remote user's connection was declined by the logged on user.
Event ID 1152 — Failed to create KVP sessions string.
Event ID 1153 — Failed to write KVP sessions string.
Event ID 1154 — Failed to open KVP registry key.
Event ID 1155 — The Remote Connection Manager selected Kernel mode RDP protocol stack.
#Description
The Remote Connection Manager selected Kernel mode RDP protocol stack.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"guid": "C76BAA63-AE81-421C-B425-340B4B24157F",
"event_source_name": "",
"event_id": 1155,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2019-02-13T17:18:28.040385+00:00",
"event_record_id": 220,
"correlation": {
"ActivityID": "8F0C0C22-A5AA-4F83-B10F-0880AB96471F"
},
"execution": {
"process_id": 1280,
"thread_id": 1548
},
"channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
"computer": "PC01.example.corp",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {},
"message": "The Remote Connection Manager selected Kernel mode RDP protocol stack."
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 1156 — The Remote Connection Manager selected User mode RDP protocol stack.
Description
The Remote Connection Manager selected User mode RDP protocol stack.
Message #
Event ID 1157 — The listener named listenerName has modified some configuration settings.
Event ID 1158 — Remote Desktop Services accepted a connection from IP address EventXML.Param1.
Description
Remote Desktop Services accepted a connection from IP address EventXML.Param1.
Message #
Fields #
| Name | Description |
|---|---|
EventXML.Param1 UnicodeString | — |
Param1 UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"guid": "C76BAA63-AE81-421C-B425-340B4B24157F",
"event_source_name": "",
"event_id": 1158,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-03-13T16:46:57.106454+00:00",
"event_record_id": 4,
"correlation": {
"ActivityID": "F420602A-491C-41CA-97CE-1A07AEAA0000"
},
"execution": {
"process_id": 1472,
"thread_id": 4588
},
"channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-20"
}
},
"user_data": {
"EventXML": {
"Param1": "198.51.100.2"
}
},
"message": ""
}
Event ID 1280 — Remote Desktop Configuration service could not remove user Param1\Param2 from administrators group, error Code: Param3.
Event ID 1281 — Remote Desktop Configuration service could not remove user Param1\Param2 from Remote Desktop Users group, error Code: Param3.
Event ID 1282 — Remote Desktop Configuration service could not remove user with SID Param1 from administrators group, error Code: Param2.
Event ID 1283 — Remote Desktop Configuration service could not remove user with SID Param1 from Remote Desktop Users group, error Code: Param2.
Event ID 1284 — Remote Desktop Configuration service has added user Param1\Param2 to administrators group.
Event ID 1285 — Remote Desktop Configuration service has added user Param1\Param2 to Remote Desktop Users group.
Event ID 1286 — Remote Desktop Configuration service has removed user with SID Param1 from administrators group.
Event ID 1287 — Remote Desktop Configuration service has removed user with SID Param1 from Remote Desktop Users group.
Event ID 1288 — Remote Desktop Configuration service has removed user Param1\Param2 from administrators group.
Event ID 1289 — Remote Desktop Configuration service has removed user Param1\Param2 from Remote Desktop Users group.
Event ID 2304 —
Fields #
| Name | Description |
|---|---|
Param1 Int32 | — |
Event ID 2305 —
Fields #
| Name | Description |
|---|---|
Param1 Int32 | — |
Event ID 2306 —
Fields #
| Name | Description |
|---|---|
Param1 Int32 | — |
Param2 UnicodeString | — |
Event ID 2307 —
Fields #
| Name | Description |
|---|---|
Param1 Int32 | — |
Param2 UnicodeString | — |
Event ID 20480 — Remote Desktop Services Network Fair Share started.
Description
Remote Desktop Services Network Fair Share started.
Message #
Event ID 20481 — Remote Desktop Services Network Fair Share stopped.
Description
Remote Desktop Services Network Fair Share stopped.
Message #
Event ID 20482 — Remote Desktop Services Network Fair Share was enabled for the user account Param1 with a weight of Param2.
Event ID 20483 — Remote Desktop Service Network Fairshare has been enabled for connection on session Param1 with weight of Param2.
Event ID 20484 — Remote Desktop Services could not enable Network Fair Share for the user account Param1.
Event ID 20485 — Remote Desktop Services could not enable Network Fair Share for the connection on session Param1.
Event ID 20486 — Remote Desktop Services could not enable Network Fair Share for session Param1.
Event ID 20487 — Remote Desktop Services Network Fair Share was disabled for the user account Param1.
Event ID 20488 — Remote Desktop Services Network Fair Share was disabled for the connection on session Param1.
Event ID 20489 — Remote Desktop Services could not disable Network Fair Share for the user account Param1.
Event ID 20490 — Remote Desktop Services could not disable Network Fair Share for the connection on session Param1.
Event ID 20491 — Remote Desktop Services could not disconnect a user disk for the user account with a SID of Param1.
Event ID 20492 — Remote Desktop Services could not detach a user disk for the user account with a SID of Param1.
Event ID 20493 — Remote Desktop Services could not apply a user desktop for a user account with a SID of Param1.
Event ID 20494 — Remote Desktop Services could not obtain a user profile disk for the user account with a SID of Param1.
Event ID 20495 — Remote Desktop Services could not attach a user profile disk for a user account with a SID of Param1.
Event ID 20496 — Remote Desktop Services could not apply a user desktop for a user account with a SID of Param1.
Event ID 20497 — The RD Licensing has taken too long to process the client license
Description
The RD Licensing has taken too long to process the client license.
Message #
Event ID 20498 — Remote Desktop Services has taken too long to complete the client connection
Description
Remote Desktop Services has taken too long to complete the client connection.
Message #
Event ID 20499 — Remote Desktop Services has taken too long to load the user configuration from server UserName for user ServerName.
Event ID 20500 — Remote Desktop Services took time milliseconds to load the user configuration from server UserName for user ServerName.
Event ID 20501 — Remote Desktop Services failed to shutdown within the time allocated
Description
Remote Desktop Services failed to shutdown within the time allocated.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"guid": "C76BAA63-AE81-421C-B425-340B4B24157F",
"event_source_name": "",
"event_id": 20501,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-03-13T18:32:00.352717+00:00",
"event_record_id": 7,
"correlation": {},
"execution": {
"process_id": 1480,
"thread_id": 12992
},
"channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {},
"message": ""
}
Event ID 20502 — Remote Desktop Services failed to retrieve information about a connection for session Session within the time allocated.
Event ID 20503 — Shadow View Session Started.
Event ID 20504 — Shadow View Session Stopped.
Event ID 20506 — Shadow Control Session Started.
Event ID 20507 — Shadow Control Session Stopped.
Event ID 20508 — Shadow View Permission Granted.
Event ID 20509 — Shadow View Permission Denied.
Event ID 20510 — Shadow Control Permission Granted.
Event ID 20511 — Shadow Control Permission Denied.
Event ID 20512 — Shadow Session Failure.
Event ID 20513 — Shadow Session Failure.
Event ID 20514 — Shadow Session Failure.
Event ID 20515 — Session Session has been idle over its time limit, and was logged off.
Event ID 20516 — Session Session has been idle over its time limit, and was disconnected.
Event ID 20517 — Session Session has exceeded its time limit, and was logged off.
Event ID 20518 — Session Session has exceeded its time limit, and was disconnected.
Event ID 20519 — Session Session has exceeded its disconnect time limit, and was logged off.
Event ID 20520 — User config info will be loaded from domain controller for this Param1 connection.
Event ID 20521 — User config info will be loaded from local machine for this EventXML.Param1 connection.
Description
User config info will be loaded from local machine for this EventXML.Param1 connection.
Message #
Fields #
| Name | Description |
|---|---|
EventXML.Param1 UnicodeString | — |
Param1 UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"guid": "C76BAA63-AE81-421C-B425-340B4B24157F",
"event_source_name": "",
"event_id": 20521,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-03-11T06:31:11.531699+00:00",
"event_record_id": 16,
"correlation": {
"ActivityID": "F420649C-F05B-4253-B980-683E9A630000"
},
"execution": {
"process_id": 1536,
"thread_id": 2316
},
"channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-20"
}
},
"user_data": {
"EventXML": {
"Param1": "RDP-Tcp"
}
},
"message": ""
}
Event ID 20522 — Shadow Session Clipboard Copy Request.
Event ID 20523 — Connection from listener EventXML.ListenerName will have terminal class of EventXML.Class.
Description
Connection from listener EventXML.ListenerName will have terminal class of EventXML.Class.
Message #
Fields #
| Name | Description |
|---|---|
EventXML.ListenerName UnicodeString | — |
EventXML.Class GUID | — |
ListenerName UnicodeString | — |
Class GUID | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"guid": "C76BAA63-AE81-421C-B425-340B4B24157F",
"event_source_name": "",
"event_id": 20523,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2026-03-11T06:27:24.766379+00:00",
"event_record_id": 244,
"correlation": {
"ActivityID": "F462B7C1-94B7-4A0B-B9BF-0F6B56B60000"
},
"execution": {
"process_id": 1536,
"thread_id": 1836
},
"channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-20"
}
},
"user_data": {
"EventXML": {
"ListenerName": "31C5CE94259D4006A9E4",
"Class": "D5993EAE-8D06-4A05-9CB4-94CEA280DC6B"
}
},
"message": ""
}
Event ID 20524 — Supplemental Kerberos credentials are not configured
Description
Supplemental Kerberos credentials are not configured.
Message #
Event ID 20525 — Successfully updated supplemental Kerberos credential Param1 in Param2 logon session.
Event ID 20526 — Successfully removed supplemental Kerberos credential Param1 from Param2 logon session.
Event ID 20527 — Failed to update supplemental Kerberos credentials.
Event ID 20528 — Failed to update supplemental Kerberos credential Param1 in Param2 logon session.
Event ID 20529 — Failed to remove supplemental Kerberos credential Param1 from Param2 logon session.
Event ID 20530 — Supplemental Kerberos credential Param1 configuration is invalid.
Event ID 20531 — Remote Desktop Service's Threadpool is in terminated state.
Message #
Event ID 24576 — Remote Desktop Configuration service could not remove user {Param1}\{Param2} from administrators group; error Code: {Param3}.
Event ID 24577 — Remote Desktop Configuration service could not remove user with SID {Param1} from administrators group; error Code: {Param2}.
Event ID 24578 — Remote Desktop Configuration service has added user {Param1}\{Param2} to administrators group.
Event ID 50180 — The remote session could not be established from remote desktop client Param1 because its license could not be renewed.
Event ID 50195 — The Remote Desktop Session Host server cannot communicate with the Remote Desktop license server Param1.
Event ID 50213 — Remote Desktop Session Host server was unable to retrieve users licensing information from AD.
Event ID 50214 — Remote Desktop Session Host server was successfully validated errorCode licensing information from AAD.
Event ID 50215 — Remote Desktop Session Host server was unable to retrieve user licensing information from AAD.
Event ID 50216 — Remote Desktop Session Host server was unable to validate RDS license.
Event ID 50280 — The RD Licensing grace period has expired and the service has not registered with a license server with installed licenses.
Message #
Event ID 50281 — The RD Licensing grace period is about to expire on Param1 and the service has not registered with a license server with installed licenses.
Event ID 50282 — The Remote Desktop Session Host server does not have a Remote Desktop license server specified.
Message #
Event ID 50283 — The Remote Desktop Session Host server could not contact the Remote Desktop license server Param1.
Event ID 50284 — The Remote Desktop license server Param1 does not support the version of the operating system running on the Remote Desktop Session Host server.
Event ID 50285 — The certificate issued by the Remote Desktop license server to the Remote Desktop Session Host server is not valid.
Message #
Event ID 50304 — The Remote Desktop Virtualization Host server cannot issue a client license.
Message #
Event ID 50305 — The RD Licensing grace period has expired and Licensing mode for the Remote Desktop Virtualization Host server has not been configured.
Description
The RD Licensing grace period has expired and Licensing mode for the Remote Desktop Virtualization Host server has not been configured. Licensing mode must be configured for continuous operation.
Message #
Event ID 50306 — The RD Licensing grace period has expired and the service has not registered with a license server with installed licenses.
Message #
Event ID 50307 — The RD Licensing grace period is about to expire on Param1 and the service has not registered with a license server with installed licenses.
Event ID 50308 — The Remote Desktop Virtualization Host server does not have a Remote Desktop license server specified.
Message #
Event ID 50309 — The Remote Desktop Virtualization Host server could not contact the Remote Desktop license server Param1.
Event ID 50310 — The Remote Desktop license server Param1 does not support the version of the operating system running on the Remote Desktop Virtualization Host server.
Event ID 50311 — The certificate issued by the Remote Desktop license server to the Remote Desktop Virtualization Host server is not valid.
Message #
Event ID 50312 — The Remote Desktop Virtualization Host server cannot communicate with the Remote Desktop license server Param1.
Event ID 1073742836 — Remote session from client name %1 exceeded the maximum allowed failed logon attempts.
Description
Remote session from client name exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.
Message #
Event ID 3221226494 — TermService clustering failed to redirect a client to an alternate clustered server, ntstatus=.
Description
TermService clustering failed to redirect a client to an alternate clustered server, ntstatus=.
Message #
Event ID 3221226496 — TermService clustering failed to initialize because the Session Directory Provider failed to initialize, hresult=.
Description
TermService clustering failed to initialize because the Session Directory Provider failed to initialize, hresult=.
Message #
Event ID 3221226507 — RD Session Host Server listener stack was down.
Description
RD Session Host Server listener stack was down. The relevant status code .
Message #
Event ID 3221226508 — RD Session Host Server session creation failed.
Description
RD Session Host Server session creation failed. The relevant status code was .
Message #
Event ID 3221226513 — Autoreconnect failed to reconnect user to session because authentication failed.
Description
Autoreconnect failed to reconnect user to session because authentication failed. ().
Message #
Event ID 3221226518 — Failed to load RD Session Host Server Profile path.
Description
Failed to load RD Session Host Server Profile path. Note that the profile path must be less than 256 characters in length. User Name: Domain.
Message #
Event ID 3221226522 — The RD Session Host Server listener %1 is configured with inconsistent authentication and encryption settings.
Message #
Event ID 3221226523 — The RD Session Host Server is configured to use SSL with user selected certificate, however, no usable certificate was found on the server.
Message #
Event ID 3221226524 — The RD Session Host Server is configured to use a certificate that will expire in %2 days.
Message #
Event ID 3221226525 — The RD Session Host Server is configured to use a certificate that is expired.
Message #
Event ID 3221226526 — The RD Session Host Server is configured to use a certificate that does not contain an Enhanced Key Usage attribute of Server Authentication.
Message #
Event ID 3221226527 — The RD Session Host Server is configured to use a certificate but is unable to access the private key associated with this certificate.
Message #
Event ID 3221226528 — A new self signed certificate to be used for RD Session Host Server authentication on SSL connections was generated.
Message #
Event ID 3221226529 — The RD Session Host Server has failed to create a new self signed certificate to be used for RD Session Host Server authentication on SSL connections.
Description
The RD Session Host Server has failed to create a new self signed certificate to be used for RD Session Host Server authentication on SSL connections. The relevant status code was .
Message #
Event ID 3221226530 — The RD Session Host Server has failed to replace the expired self signed certificate used for RD Session Host Server authentication on SSL connecti...
Description
The RD Session Host Server has failed to replace the expired self signed certificate used for RD Session Host Server authentication on SSL connections. The relevant status code was .
Message #
Event ID 3221226531 — The RD Session Host Server authentication certificate configuration data was invalid and the service reset it.
Message #
Event ID 3221226532 — The Remote Desktop Services User Home Directory was not set because the path specified does not exist or not accessible.
Description
The Remote Desktop Services User Home Directory was not set because the path specified does not exist or not accessible. The default Home Directory Path was used instead. User Name: Domain.
Message #
Event ID 3221226533 — Remote Desktop Session Host server was unable to retrieve users Licensing information from AD.
Event ID 3221226534 — The RD Session Host server is configured to use a template-based certificate for Transport Layer Security (TLS) 1.
Message #
Event ID 3221226535 — A new template-based certificate to be used by the RD Session Host server for Transport Layer Security (TLS) 1.
Message #
Event ID 3221226536 — The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.
Message #
Event ID 3221226537 — The template-based certificate that is being used by the RD Session Host server for Transport Layer Security (TLS) 1.
Message #
Event ID 3221226538 — RD Session Host Server was unable to process session arbitration request.
Description
RD Session Host Server was unable to process session arbitration request. Error.
Message #
Event ID 3221226539 — The RD Session Host server cannot register 'TERMSRV' Service Principal Name to be used for server authentication.
Description
The RD Session Host server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: .
Message #
Event ID 3221226542 — A logon request was denied because the RD Session Host server is currently in drain mode and therefore not accepting new user logons.
Message #
Event ID 3221226543 — A connection request was denied because the RD Session Host server is currently configured to not accept connections.
Description
A connection request was denied because the RD Session Host server is currently configured to not accept connections. To configure the server to allow connections, use the chglogon command-line tool.
Message #
Event ID 3221226544 — The cn column for the template-based certificate %1 returned an unknown data type %2.
Description
The cn column for the template-based certificate returned an unknown data type .
Message #
Event ID 3221226545 — The msPKI-Cert-Template-OID column for the template-based certificate %1 returned an unknown data type %2.
Description
The msPKI-Cert-Template-OID column for the template-based certificate returned an unknown data type .