How to Fix Remote Desktop Connection Error Code 0x904

The Remote Desktop Connection Error Code 0x904 (often accompanied by extended error code 0x7) is a common issue in Windows 10, 11, and Windows Server environments. It typically signifies a failure to establish a secure TLS tunnel, often due to expired RDP certificates, unstable network connections, or firewall misconfigurations.

1. Renew Expired RDP Certificates
Expired self-signed certificates are a primary cause of error 0x904. Windows generates these for RDP connections, but they do not always renew automatically.
Step 1: Log into the affected remote server locally or via an alternative access method.
Step 2: Press Win + R, type certlm.msc, and press Enter to open the Certificates MMC snap-in.
Step 3: Navigate to Remote Desktop > Certificates.
Step 4: Check the expiration date. If expired, right-click and Delete the old certificate.
Step 5: Open PowerShell as Administrator and run: Restart-Service TermService -Force.
Result: Windows will automatically generate a new, valid self-signed certificate upon restart.

2. Fix Certificate Corruption (Azure VMs)
If you encounter this error on an Azure Virtual Machine, the certificate store might be corrupt.
Step 1: Access the VM via the Azure Portal and select Run command > RunPowerShellScript.
Step 2: Execute: Rename-Item -path "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" -NewName "MachineKeys_old".
Step 3: Reboot the server. This forces the system to recreate the necessary key folders.

3. Verify Firewall and Security Settings
A misconfigured firewall can block the TLS handshake necessary for the connection.
Allow RDP Apps: Go to "Allow an app through Windows Firewall" and ensure both Remote Desktop and Remote Desktop (WebSocket) are checked for Private and Public networks.
Exception for MSTSC: Add C:\Windows\System32\mstsc.exe to the allowed list on both the client and host.
Port Check: Use PowerShell to ensure port 3389 is open: Test-NetConnection [server_name] -Port 3389.

4. Network and VPN Stability
Error 0x904 is frequently linked to "dodgy" or unstable network paths, especially over VPNs.
Use IP Instead of Hostname: Try connecting using the remote computer's IP address (e.g., 192.168.1.100) rather than its name to bypass potential DNS resolution issues.
Check VPN Bandwidth: Ensure your VPN provides sufficient bandwidth and isn't dropping packets.
Security Layer Adjustment: If the connection still fails, you can try lowering the security requirements via Group Policy. Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security and set the "Security Layer" to RDP.

5. Alternative Connection Tools
If standard RDP remains broken, consider using alternative remote access tools like AnyViewer or the Microsoft Remote Desktop app from the Microsoft Store, which can sometimes bypass legacy protocol errors.
The Remote Desktop error code 0x904 (often accompanied by extended error 0x7) is a common hurdle for IT admins and remote workers. It typically signals a communication breakdown between your computer and the remote host, often due to expired security certificates or network instability.
Here is a short story of how an admin might encounter and solve this issue:

The "Silent Expiration" Mystery
Imagine a Tuesday morning where everything seems normal until you try to log into a critical Windows Server. Instead of the familiar desktop, you're hit with a popup: "This computer can't connect to the remote computer. Error code: 0x904".
You check the server: it's online. You check other servers on the same subnet, and they work perfectly. This "random" behavior is the first clue. As documented by experts at TheITBros.com, this error often stems from unstable network paths or VPN bottlenecks, but when it's specific to just one machine, the culprit is usually deeper.

The Investigation
After digging through Reddit, you realize the issue might be an expired self-signed certificate. RDP uses these certificates to secure the "tunnel" between machines. If the certificate expires—which happens silently without warning—the connection simply drops.
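The expiry check behind this diagnosis can be scripted. The following PowerShell is an added example, not part of the original article; it assumes an elevated session on the RDP host and the default RDP-Tcp listener, and the function name Get-RdpCertificateStatus and the 30-day warning threshold are illustrative.

```powershell
# Added example (not from the original article): read-only check of the
# certificates in the Remote Desktop store and the one bound to the listener.
# Assumptions: elevated PowerShell on the RDP host, default listener name RDP-Tcp.
function Get-RdpCertificateStatus {
    [CmdletBinding()]
    param(
        # Hypothetical threshold: flag certificates expiring within this many days.
        [int]$WarnDays = 30
    )

    # Thumbprint that the RDP-Tcp listener is currently configured to present.
    $listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $bound = $listener.SSLCertificateSHA1Hash

    # Same store that certlm.msc shows as Remote Desktop > Certificates.
    $certs = @(Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop')

    if ($bound -and ($certs.Thumbprint -notcontains $bound)) {
        Write-Warning "Listener thumbprint $bound is not in the Remote Desktop store."
    }

    $now = Get-Date
    foreach ($cert in $certs) {
        $daysLeft = [math]::Floor(($cert.NotAfter - $now).TotalDays)
        $state = if ($now -gt $cert.NotAfter) {
            'Expired'
        } elseif ($now -lt $cert.NotBefore) {
            'NotYetValid'
        } elseif ($daysLeft -le $WarnDays) {
            'ExpiringSoon'
        } else {
            'Valid'
        }
        [pscustomobject]@{
            Thumbprint      = $cert.Thumbprint
            Subject         = $cert.Subject
            SelfSigned      = ($cert.Subject -eq $cert.Issuer)
            NotAfter        = $cert.NotAfter
            DaysLeft        = $daysLeft
            State           = $state
            BoundToListener = ($cert.Thumbprint -eq $bound)
            HasPrivateKey   = $cert.HasPrivateKey
        }
    }
}

Get-RdpCertificateStatus | Sort-Object NotAfter | Format-Table -AutoSize
```

A row with State Expired and BoundToListener True matches the silent-expiry case described here. The warning fires when the listener is bound to a certificate kept in another store, such as a CA-issued one.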
To resolve this, you might follow these steps used by seasoned sysadmins:
Renew the Certificate: Log in locally (or via another remote tool) and open the Certificates manager (certlm.msc). Under Remote Desktop > Certificates, you find the expired one, delete it, and restart the Remote Desktop Services. Windows then automatically generates a fresh, valid certificate.
Firewall Check: Sometimes, a simple rule change is needed. As suggested by users on Spiceworks Community, you verify that both "Remote Desktop" and "Remote Desktop (WebSocket)" are allowed through the Windows Firewall on both ends.
The Windows 11 Workaround: If you are on Windows 11 and still stuck, a known fix discussed on the Devolutions Forum is to connect using the server's IP address instead of its hostname, or to switch to the Microsoft Store version of the Remote Desktop app.
Once the new certificate is in place and the network path is clear, the connection is restored, and the 0x904 error vanishes as quickly as it appeared.

Unable to RDP into some Windows Servers - Error code: 0x904
To resolve the Remote Desktop Connection error code 0x904 (extended error 0x7), start by renewing expired RDP certificates on the host machine, as this is the most common cause for IT professionals. This error typically signifies that a connection was attempted but blocked due to expired security certificates, firewall restrictions, or network instability.

Primary Fixes for Error 0x904

1. Renew Expired RDP Certificates
Fix: The 0x904 error often stems from expired self-signed certificates.
Steps: Open certlm.msc, navigate to Remote Desktop/Personal Certificates, and delete the expired certificate. Restart the terminal services (Restart-Service TermService -Force) to regenerate it.

2. Configure Firewall and Antivirus
Fix: Ensure Windows Firewall allows mstsc.exe and that third-party antivirus software is not blocking the connection.
Steps: Enable Remote Desktop in "Allow an app through Windows Firewall" for both Public/Private networks. Add mstsc.exe to antivirus exclusions if needed.

3. Fix for Azure Virtual Machines
Fix: Corrupt MachineKeys on Azure VMs can cause this error.
Steps: Use Azure Portal's Run command to rename C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys to MachineKeys_old, then reboot the server.

Quick Troubleshooting Workarounds
Use IP Address: Connect directly via the IP address instead of the hostname.
Microsoft Store App: Use the dedicated Microsoft Remote Desktop app, which often bypasses this bug.
Registry Tweak: Increase connections by running: REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v MaxOutstandingConnections /t REG_DWORD /d 65536.
Enable TLS 1.2: Ensure TLS 1.2 is enabled in Group Policy (GPO).
Remote Desktop connection error 0x904 (often accompanied by extended error code 0x7) typically signals a failure in the initial handshake between the client and host. While it often appears as a generic network issue, it is frequently caused by expired security certificates, firewall blocks, or network instability.

Common Root Causes
Expired RDP Certificates: Self-signed certificates used by Remote Desktop Services often fail to renew automatically, leading to a silent connection failure.
Network Instability: Low bandwidth, high packet loss, or slow VPN connections can trigger this timeout.
Firewall & Antivirus Blocks: Security software may block the connection even if RDP is technically enabled.
Azure VM Corruption: In Azure environments, a corrupt MachineKeys store can prevent the creation of necessary RDP certificates. (www.remoteaccesspcdesktop.com)

Step-by-Step Fixes

1. Renew Expired RDP Certificates
This is the most common resolution for persistent 0x904 errors on physical servers.
Access the host machine locally or via an alternative remote tool.
Open the Certificates MMC snap-in (certlm.msc).
Navigate to Remote Desktop > Certificates.
Check the expiration date; if it has passed, delete the expired certificate.
Restart the Remote Desktop Services from an elevated PowerShell prompt to force Windows to generate a new certificate: Restart-Service TermService -Force

2. Fix Azure VM Certificate Corruption
For Azure VMs, use the Run command feature in the portal to rename the MachineKeys folder (C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys) to force a certificate regeneration, then restart the VM.

3. Update Firewall and Network Rules
Ensure Remote Desktop is permitted through the Windows Firewall for all network types, specifically checking for port 3389.
Remote Desktop error code 0x904 (often accompanied by extended error code 0x7) typically signifies a failure to establish a secure connection, often due to expired RDP certificates, network instability, or firewall misconfigurations.

Common Fixes for Error 0x904
Renew Expired Certificates: This is a frequent cause when some servers on a network work while others don't. Log into the server and run certlm.msc.
Check for expired certificates under Remote Desktop > Certificates.
Delete the expired certificate and restart the Remote Desktop Services (TermService) to trigger the auto-generation of a new one.
Connect via IP Address: Windows 11 updates sometimes cause hostname resolution issues. Using the server's direct IP address instead of its name often bypasses the 0x904 error.
Fix Corrupt MachineKeys (Azure VMs): For Azure environments, rename the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder and reboot. This forces Windows to recreate a clean certificate store.
Adjust Firewall Settings: Ensure that both Remote Desktop and Remote Desktop (WebSocket) are allowed through the Windows Defender Firewall on both the client and server.
Increase Connection Limits: If the server is dropping requests, you can increase the MaxOutstandingConnections in the registry at HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server.

Troubleshooting the "Dodgy" Connection
If the above system fixes don't work, the error may be environmental:
Network Stability: Check for high packet loss or insufficient bandwidth, especially over slow VPNs.
Use the Microsoft Store App: Users on Microsoft Q&A report that the modern Remote Desktop app from the Windows Store often avoids bugs present in the legacy built-in client.
Error code 0x904 in Remote Desktop Connection (RDP) typically signals that a connection could not be established due to expired or corrupt security certificates, network instability, or firewall blocks. While it often mimics a general "can't connect" message, 0x904 is frequently linked to a specific failure in the encryption handshake between the client and server.

Core Causes of Error 0x904
Expired Self-Signed Certificates: The server's RDP certificate has expired and failed to renew automatically.
Certificate Store Corruption: Common on Azure VMs, where the MachineKeys folder becomes corrupt, preventing new certificate generation.
Network Instability: Insufficient bandwidth, high packet loss, or slow VPN connections.
TLS/Cipher Mismatches: Windows 11 clients may fail to connect to older servers if TLS 1.2 is not enabled or if encryption suites do not match.

Step-by-Step Troubleshooting Guide

1. Renew Expired RDP Certificates
This is the most common fix for 0x904 when only specific servers are affected.
Log into the affected server locally or via an alternative remote tool.
Press Win + R, type certlm.msc, and hit Enter to open the Certificate Manager for the local machine.
Navigate to Remote Desktop > Certificates (or Personal > Certificates).
Identify the Remote Desktop certificate, check its expiration date, and delete it if it has expired.
Open an elevated PowerShell prompt and run: Restart-Service TermService -Force
Windows will automatically generate a fresh self-signed certificate upon service restart.

2. Fix Certificate Store Corruption (Azure & Local)
If Windows cannot create a new certificate, you may need to clear the certificate key store.
For Azure VMs: Use the "Run Command" feature in the Azure Portal.
For Local Servers: Run PowerShell as an Administrator.
Execute the following command to rename the key folder:
Rename-Item -path "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" -NewName "MachineKeys_old"
Reboot the server. Windows will recreate the folder and repair the store.

3. Bypass DNS with IP Address (Windows 11 Fix)
Windows 11 builds (22H2 and later) sometimes have hostname resolution bugs that trigger 0x904.
In the Remote Desktop Connection window, enter the IP address of the target machine (e.g., 192.168.1.50) instead of the computer name.
Alternatively, use the Microsoft Store Remote Desktop app, which uses a different network stack and often bypasses this specific bug.

4. Adjust Firewall and Network Profiles
Allow WebSocket: Ensure both Remote Desktop and Remote Desktop (WebSocket) are allowed through the Windows Firewall for both Private and Public profiles.
Switch Profile: If your network is set to "Public," change it to Private in Windows Settings to allow RDP traffic more easily.
Test the Port: Use PowerShell to verify the RDP port (3389) is actually reachable: Test-NetConnection [ServerIP] -Port 3389

5. Disable Network Level Authentication (NLA) for Testing
If encryption mismatches persist, you can temporarily lower the security requirement to verify the connection.
Open the Group Policy Editor (gpedit.msc).
Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.
Enable "Require use of specific security layer for remote (RDP) connections" and select RDP as the layer.
Disable "Require user authentication for remote connections by using Network Level Authentication".
Restart the machine.
Fix Remote Desktop Error Code 0x904: 4 Working Solutions (10 Dec 2025)
Remote Desktop connection error 0x904 (often accompanied by extended error code 0x7) typically indicates a network instability or a certificate authentication failure during the "installation" or handshake phase of the connection.
Below is a complete guide to understanding and fixing this error.

Common Causes
Expired or Corrupt Certificates: The most common trigger occurs when the self-signed RDP certificate on the host machine has expired and failed to renew automatically.
Network Instability: High latency, packet loss, or insufficient bandwidth, especially when connecting over a VPN.
Windows 11 Compatibility: A known bug in certain Windows 11 updates (like 22H2) can trigger this error when using hostnames instead of IP addresses.
Firewall Blockage: Security software (like Bitdefender) or Windows Defender Firewall may block the RDP executable (mstsc.exe) or port 3389.

Solutions to Fix Error 0x904

1. Renew the Remote Desktop Certificate
If your connection fails suddenly while other servers on the same network work, an expired certificate is likely the culprit.
Access the remote server locally or via an alternative method.
Press Win + R, type certlm.msc, and hit Enter to open the Certificates console.
Navigate to Remote Desktop > Certificates.
Right-click the expired certificate and select Delete.
Open Command Prompt as administrator and run: net stop termservice then net start termservice.
Windows will automatically generate a new, valid self-signed certificate.

2. Connect via IP Address instead of Hostname
DNS resolution issues often cause 0x904. Bypassing the hostname can establish a more stable link.
Open the Remote Desktop Connection client.
In the "Computer" field, enter the IP address (e.g., 192.168.1.50) instead of the computer name.

3. Fix Corrupt MachineKeys (Azure VMs)
For those using Azure, a corrupt certificate store often prevents new certificates from being created.
In the Azure Portal, go to your VM and select Run Command > RunPowerShellScript.
Enter the following command to rename the key folder: Rename-Item -path "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" -NewName "MachineKeys_old".
Reboot the server to regenerate the keys.

4. Configure Firewall Exceptions
Ensure that both the RDP service and the application are allowed through your firewall.
Search for "Allow an app through Windows Firewall" in the Start menu.
Click Change settings and ensure Remote Desktop and Remote Desktop (WebSocket) are checked for both Private and Public networks.
If using third-party security like Bitdefender, add C:\Windows\System32\mstsc.exe to the exception list.

5. Use the Microsoft Store RDP App
Many users find that the Microsoft Remote Desktop app from the Microsoft Store is more resilient to the 0x904 bug than the classic mstsc.exe client.
Important Note: The error code 0x904 is relatively rare and is not a standard Microsoft RDP client error (like 0x4, 0x7, 0x104, etc.). In Windows core networking, 0x904 is often interpreted as ERROR_WRITE_PROTECT (The media is write protected) or a derived RDP-specific internal session error. In the context of "install" and "RDP," it typically points to a prerequisite installation failure (e.g., RDP 8.0/8.1 update, licensing component, or a graphics stack update) that then prevents RDP connections.
If you cannot change the server certificate (e.g., connecting to a legacy machine), you must tell the client to ignore the error.
Open the .rdp file in Notepad.
Set: authentication level:i:0
(Standard is usually 2. Setting to 0 disables server authentication warnings.)

Before diving into registry edits and policy changes, perform these "low-hanging fruit" checks to rule out simple network issues.
dism /online /add-capability /capabilityname:App.Support.RemoteDesktop~~~~0.0.1.0
dism /online /add-package /packagepath:C:\Windows\WinSxS\amd64_microsoft-windows-terminal* /norestart
Because mstsc.exe runs as a child process of explorer.exe, a buggy shell extension can cause the RDP client to fail with code 0x904. The primary culprits are NVIDIA Display Container LS and Intel Graphics Shell Extension.
Temporary fix (to test):
Press Ctrl + Shift + Esc to open Task Manager.
Start mstsc.exe as a new task and check "Create this task with administrative privileges".
Connect again and check for the 0x904 error. If it works, a shell extension is the cause.

Permanent fix: Use Autoruns from Microsoft Sysinternals to disable all non-Microsoft shell extensions.
| Component | Role | Failure point with 0x904 |
|-----------|------|---------------------------|
| tscupgrd.exe | Upgrades RDP client version | Writing new mstscax.dll to System32 |
| licmgr.exe | Manages RDP licenses | Creating MSLicensing registry hive |
| RDPActiveX.msi | Installs RDP web control | Extracting to %ProgramFiles%\Remote Desktop |
| dism.exe / cbs.dll | Servicing stack | Finalizing RDP feature installation (FOD) |
Call stack (typical):
ntdll!NtSetInformationFile
msi!MsiDatabaseCommit
tscupgrd!BeginInstall
rdpinstall!CInstallManager::CommitChanges
---> ERROR_MEDIA_WRITE_PROTECTED (0x904)
When this error occurs, users often experience the following:
In Event Viewer > Applications and Services Logs > Microsoft > Windows > TerminalServices-Client, you will see Event ID 1024 or 2050.