Remote Desktop Connection Error Code 0x904, Extended Error Code 0x7

If the host computer has its network connection set to Public, Windows Firewall will block RDP connections by default for security reasons.

| Environment | Most likely fix |
|-------------|----------------|
| Domain-joined, mixed Windows 10/11 & Server 2016/2019 | Apply CredSSP updates + set AllowEncryptionOracle=2 on clients |
| Older Windows 7 client to Windows 10/11 host | Update Windows 7 with KB4490628 + KB4474419 + CredSSP patches |
| Third-party RDP client (Mac/Linux) | Switch to xfreerdp with --sec=nla or --sec=rdp flags |
| Virtual machine (Hyper-V/VMware) | Check VM’s RDP security template in Hyper‑V Manager or vSphere |


If you can share the OS versions of the client and remote machine, I can give a more precise fix.

Remote Desktop error 0x904 (Extended Error 0x7) typically indicates a network-level connection failure, often caused by expired certificates, firewall blocks, or unstable network conditions.

Quick Fixes

Connect via IP Address: Windows 11 hostname resolution can sometimes trigger this error. Try entering the IP address (e.g., 192.168.1.50) instead of the computer name.

Use the Modern Client: If the classic "Remote Desktop Connection" fails, try the Microsoft Remote Desktop app from the Microsoft Store.

Verify Port 3389: Use PowerShell to check if the remote port is reachable: Test-NetConnection [RemoteIP] -Port 3389

Detailed Troubleshooting Guide

1. Fix Expired RDP Certificates (Most Common)

RDP uses self-signed certificates that don't always auto-renew, causing connections to fail silently. Access the remote server (via console or another method). Press Win + R, type certlm.msc, and hit Enter. Go to Remote Desktop > Certificates.

Check for an expired certificate. If expired, right-click and Delete it.

Restart the service to generate a new one: Open Command Prompt as Admin and run: net stop termservice then net start termservice.

2. Resolve Azure VM Certificate Corruption

If you are using an Azure Virtual Machine, a corrupt MachineKeys folder can prevent RDP from functioning.

In the Azure Portal, go to your VM and select Run command > RunPowerShellScript.

Run this command: Rename-Item -path "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" -NewName "MachineKeys_old"

Reboot the VM from the portal.

3. Configure Firewall & Antivirus Exceptions

Firewalls often block the specific RDP executable even if the general rule is enabled.

On both the client and host, go to Allow an app through Windows Firewall.

Click Change settings and ensure both Remote Desktop and Remote Desktop (WebSocket) are checked for Private and Public.

Click Allow another app, browse to C:\Windows\System32\mstsc.exe, and add it.

Antivirus Check: Ensure third-party security software (like Bitdefender) isn't blocking rdp.exe.

4. Increase Maximum Outstanding Connections

If the error occurs due to too many pending requests, adjust the registry. Open Command Prompt (Admin) on the host computer.

Run: REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v MaxOutstandingConnections /t REG_DWORD /d 65536

Restart the computer.

5. Adjust Security Layers (Legacy Support)

If there is an encryption cipher mismatch, lowering the security requirement can restore the connection. Open gpedit.msc on the host.

Navigate to Computer Configuration > Admin Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.

Enable Require use of specific security layer for remote (RDP) connections and set the Security Layer to RDP.

Disable Require user authentication... using Network Level Authentication (NLA).

Are you connecting through a VPN or a local network when this error occurs?

Fix Remote Desktop Error Code 0x904: 4 Working Solutions

Remote Desktop Error 0x904 (Extended Error 0x7) typically indicates a network connectivity failure, often triggered by unstable connections, expired RDP certificates, or firewall interference.

Quick Fixes

Connect via IP Address: Instead of using the computer name (hostname), enter the target computer's internal IP address (e.g., 192.168.1.100).

Restart RDP Services: On the remote machine, open PowerShell as Administrator and run: Restart-Service TermService -Force

Use the Microsoft Store App: Users have reported that the Microsoft Remote Desktop app from the Microsoft Store often works when the built-in Windows client fails.

Primary Solutions

1. Renew Expired RDP Certificates

A common cause of 0x904 is an expired self-signed certificate that Windows failed to renew automatically. On the remote server, press Win + R, type certlm.msc, and hit Enter. Navigate to Remote Desktop > Certificates and check the Expiration Date. If expired, right-click and delete the old certificate.

Restart the Remote Desktop Service (using the command in Quick Fixes) to trigger Windows to generate a new certificate.

2. Fix Certificate Corruption (Azure VMs)

For Azure Virtual Machines, a corrupt MachineKeys folder can prevent RDP from functioning. In the Azure Portal, go to your VM and select Run command > RunPowerShellScript and enter:

Rename-Item -path "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" -NewName "MachineKeys_old"

Reboot the server from the portal.

3. Verify Firewall & Security Software

Antivirus or firewalls may block RDP traffic even if rules appear active.

Unable to RDP into some Windows Servers - Error code: 0x904

The Remote Desktop Connection error code 0x904 (Extended error code 0x7) is a generic network-related failure that prevents a client from establishing a session with a remote host. While it is often caused by unstable network conditions, it can also stem from expired security certificates, firewall blocks, or specific Windows 11 compatibility issues.

Common Causes of Error 0x904

Unstable Network: Insufficient bandwidth, high packet loss, or a sluggish VPN connection.

Expired RDP Certificates: The self-signed certificate used by Remote Desktop Services has expired and failed to renew automatically.

Firewall Interference: Windows Defender or third-party antivirus software (like Bitdefender) blocking mstsc.exe or RDP traffic.

Certificate Store Corruption: This is particularly common on Azure VMs where the MachineKeys folder becomes corrupt, preventing new certificate generation.

Step-by-Step Solutions

1. Renew Expired RDP Certificates

If you can connect to some servers but not others on the same network, an expired certificate is the most likely culprit.
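The expiry can be confirmed without the certificate console. The following is an added example, not part of the original page: a read-only PowerShell check that lists the certificates in the Remote Desktop store and marks which one the RDP-Tcp listener is bound to. The function name Get-RdpCertificateStatus and its -WarnDays parameter are hypothetical; the store path and the Win32_TSGeneralSetting class are standard Windows.

```powershell
# Added example, not from the original page. Get-RdpCertificateStatus and
# -WarnDays are hypothetical names. Read-only; run elevated on the RDP host.
function Get-RdpCertificateStatus {
    param([int]$WarnDays = 30)   # assumption: warn 30 days before expiry

    # Thumbprint of the certificate the RDP-Tcp listener is configured to present
    $listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $bound = $listener.SSLCertificateSHA1Hash

    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop') {
        $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
        if ($daysLeft -lt 0) {
            $state = 'Expired'
        } elseif ($daysLeft -lt $WarnDays) {
            $state = 'ExpiringSoon'
        } else {
            $state = 'Valid'
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            State      = $state
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            BoundToRdp = ($cert.Thumbprint -eq $bound)   # the one clients are shown
        }
    }
}

Get-RdpCertificateStatus |
    Format-Table Subject, NotAfter, DaysLeft, State, BoundToRdp -AutoSize
```

A row with State Expired and BoundToRdp True is the case the deletion steps address; an expired certificate that is not bound is not the one clients are being shown.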

Log into the remote server (via a console or alternative remote tool). Press Win + R, type certlm.msc, and press Enter. Navigate to Remote Desktop > Certificates.

Check the expiration date of the certificate. If it is expired, right-click and Delete it.

Open PowerShell as Administrator and run: Restart-Service TermService -Force

Windows will automatically generate a new, valid self-signed certificate.

2. Fix Corrupt MachineKeys (Azure VMs)

For users seeing this error on Azure Virtual Machines, renaming the key store folder can force Windows to rebuild the certificate environment. In the Azure Portal, go to your VM and select Run command.

Choose RunPowerShellScript and enter: Rename-Item -path "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" -NewName "MachineKeys_old"

Reboot the server from the portal.

3. Configure Firewall Exceptions

Ensure that both the client and host allow RDP traffic.

Search for "Allow an app through Windows Firewall" in the Start menu. Click Change settings.

Ensure both Remote Desktop and Remote Desktop (WebSocket) are checked for Private and Public networks.

Click Allow another app, browse to C:\Windows\System32\mstsc.exe, and add it to the list.

4. Adjust Security Layers (NLA Issues)

Sometimes, Network Level Authentication (NLA) or encryption mismatches cause the 0x904 error. On the remote host, open gpedit.msc.

Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.

Enable "Require use of specific security layer for remote (RDP) connections" and set it to RDP.

Disable "Require user authentication for remote connections by using Network Level Authentication".

Troubleshooting Checklist


NLA requires the client to authenticate before a full RDP session is created. If the client OS (e.g., Windows 7, older Windows 10 build) or RDP client (Microsoft Remote Desktop for Mac) does not support the NLA version required by the host, error 0x904 + 0x7 appears.

On the client, open mstsc.exe → Advanced → uncheck “Only allow connections from computers running Remote Desktop with NLA”.

Or from Command Prompt (admin):

mstsc.exe /v:<remote_ip> /restrictedAdmin

Run date /t and time /t on both client and host. If skewed by >5 minutes, synchronize both to the same NTP server.


“Remote Desktop Connection cannot verify the identity of the remote computer. Do you want to connect anyway?”
Followed by:
“An authentication error has occurred. The function requested is not supported. Remote computer: [IP or hostname]. Error code: 0x904. Extended error code: 0x7.”


On the server (via console or remote PowerShell if possible):

Open gpedit.msc → Computer Configuration → Admin Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Security → Require use of specific security layer for remote (RDP) connections → Set to Negotiate or RDP.

Then restart TermService:

net stop TermService & net start TermService
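The security-layer and NLA policies changed above, and the AllowEncryptionOracle value from the table at the top of the page, can be read back from the registry to see what a machine currently enforces. This is an added example, not part of the original page; Get-RegValue, Resolve-Name and Get-RdpSecurityPosture are hypothetical names, and the registry paths are the standard Windows locations for these settings.

```powershell
# Added example, not from the original page. Function names are hypothetical.
# Read-only: reports the RDP security settings this page's steps modify.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$credSspKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

function Get-RegValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value does not exist (setting not configured)
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Resolve-Name {
    param($Value, [hashtable]$Names)
    if ($null -eq $Value) { 'not set' } else { $Names[[int]$Value] }
}

function Get-RdpSecurityPosture {
    # A Group Policy value, when present, overrides the listener's own value
    $layer = Get-RegValue $policyKey 'SecurityLayer'
    if ($null -eq $layer) { $layer = Get-RegValue $listenerKey 'SecurityLayer' }
    $nla = Get-RegValue $policyKey 'UserAuthentication'
    if ($null -eq $nla) { $nla = Get-RegValue $listenerKey 'UserAuthentication' }
    $oracle = Get-RegValue $credSspKey 'AllowEncryptionOracle'

    $layerNames  = @{ 0 = 'RDP (no server authentication)'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
    $oracleNames = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

    [pscustomobject]@{
        SecurityLayer         = Resolve-Name $layer $layerNames
        NlaRequired           = ($nla -eq 1)
        AllowEncryptionOracle = Resolve-Name $oracle $oracleNames
        # True when any of the downgrades described on this page is in effect
        Weakened              = ($layer -eq 0) -or ($nla -eq 0) -or ($oracle -eq 2)
    }
}

Get-RdpSecurityPosture | Format-List
```

Running it before and after a change records exactly which setting was lowered, so it can be restored once the client or certificate problem is fixed.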