General Remote Desktop connection troubleshooting

Use these steps when a Remote Desktop client can't connect to a remote desktop but doesn't provide messages or other symptoms that would help identify the cause.

Check the status of the RDP protocol

Check the status of the RDP protocol on a local computer

To check and change the status of the RDP protocol on a local computer, see How to enable Remote Desktop.

Note

If the Remote Desktop options are not available, see Check whether a Group Policy Object is blocking RDP.

Check the status of the RDP protocol on a remote computer

Important

Follow this section's instructions carefully. Serious problems can occur if the registry is modified incorrectly. Before you start modifying the registry, back up the registry so you can restore it in case something goes wrong.

To check and change the status of the RDP protocol on a remote computer, use a network registry connection:

  1. First, go to the Start menu, then select Run. In the text box that appears, enter regedt32.
  2. In the Registry Editor, select File, then select Connect Network Registry.
  3. In the Select Computer dialog box, enter the name of the remote computer, select Check Names, and then select OK.
  4. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server.
    Registry Editor, showing the fDenyTSConnections entry
    • If the value of the fDenyTSConnections key is 0, then RDP is enabled.
    • If the value of the fDenyTSConnections key is 1, then RDP is disabled.
  5. To enable RDP, change the value of fDenyTSConnections from 1 to 0.
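The same check can be scripted so it works locally or over PowerShell remoting. The following is an added example, not code from the article; it reads the machine-level value described above and also the policy-level value under HKLM:\SOFTWARE\Policies (an assumed location, the one the Remote Desktop Services GPO writes to), so a Group Policy override is visible at the same time.

```powershell
# Added example, not from the article: report whether RDP is enabled on the local
# or a remote computer. It reads fDenyTSConnections from the machine key the
# article describes and from the policy key (assumed location) that the
# "Allow users to connect remotely by using Remote Desktop Services" GPO writes,
# so a GPO override is visible without opening gpresult.html.
function Get-RdpEnabledState {
    param([string]$ComputerName)   # omit for the local computer

    $probe = {
        $machineKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
        $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'   # assumed GPO location
        $machine = (Get-ItemProperty -Path $machineKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
        $policy  = (Get-ItemProperty -Path $policyKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
        # A policy value, when present, wins over the machine value
        $effective = if ($null -ne $policy) { $policy } else { $machine }
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            MachineValue = $machine
            PolicyValue  = $policy
            SetByPolicy  = ($null -ne $policy)
            RdpEnabled   = ($effective -eq 0)
        }
    }

    if ($ComputerName) {
        # Remote path needs PowerShell remoting (WinRM) enabled on the target
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe
    } else {
        & $probe
    }
}

$state = Get-RdpEnabledState            # or: Get-RdpEnabledState -ComputerName SERVER01
$state
if (-not $state.RdpEnabled) {
    if ($state.SetByPolicy) {
        Write-Warning 'RDP is disabled by Group Policy; change the GPO, otherwise the machine value will revert.'
    } else {
        Write-Warning 'RDP is disabled at the machine level; set fDenyTSConnections to 0.'
    }
}
```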

Check whether a Group Policy Object (GPO) is blocking RDP on a local computer

If you can't turn on RDP in the user interface or the value of fDenyTSConnections reverts to 1 after you've changed it, a GPO may be overriding the computer-level settings.

To check the Group Policy configuration on a local computer, open a Command Prompt window as an administrator, and enter the following command:

gpresult /H c:\gpresult.html

After this command finishes, open gpresult.html. In Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections, find the Allow users to connect remotely by using Remote Desktop Services policy.

  • If the setting for this policy is Enabled, Group Policy is not blocking RDP connections.

  • If the setting for this policy is Disabled, check Winning GPO. This is the GPO that is blocking RDP connections.
    An example segment of gpresult.html, in which the domain-level GPO Block RDP is disabling RDP.

    An example segment of gpresult.html, in which Local Group Policy is disabling RDP.

Check whether a GPO is blocking RDP on a remote computer

To check the Group Policy configuration on a remote computer, the command is almost the same as for a local computer:

gpresult /S <computer name> /H c:\gpresult-<computer name>.html

The file that this command produces (gpresult-<computer name>.html) uses the same information format as the local computer version (gpresult.html).

Modifying a blocking GPO

You can modify these settings in the Group Policy Object Editor (GPE) and Group Policy Management Console (GPM). For more information about how to use Group Policy, see Advanced Group Policy Management.

To modify the blocking policy, use one of the following methods:

  • In GPE, access the appropriate level of GPO (such as local or domain), and navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > Allow users to connect remotely by using Remote Desktop Services.
    1. Set the policy to either Enabled or Not configured.
    2. On the affected computers, open a command prompt window as an administrator, and run the gpupdate /force command.
  • In GPM, navigate to the organizational unit (OU) in which the blocking policy is applied to the affected computers and delete the policy from the OU.

Check the status of the RDP services

On both the local (client) computer and the remote (target) computer, the following services should be running:

  • Remote Desktop Services (TermService)
  • Remote Desktop Services UserMode Port Redirector (UmRdpService)

You can use the Services MMC snap-in to manage the services locally or remotely. You can also use PowerShell to manage the services locally or remotely (if the remote computer is configured to accept remote PowerShell cmdlets).

Remote Desktop Services in the Services MMC snap-in.

On either computer, if one or both services are not running, start them.

Note

If you start the Remote Desktop Services service, click Yes to automatically restart the Remote Desktop Services UserMode Port Redirector service.
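The PowerShell route mentioned above, as an added example that is not code from the article: it checks both services locally or on a remote computer and starts whichever is stopped. It also handles a case the steps above do not mention, a service whose startup type is Disabled, which Start-Service cannot start until the startup type is changed.

```powershell
# Added example, not from the article: make sure TermService and UmRdpService are
# running on the local or a remote computer. A service with startup type Disabled
# is switched to Manual first, because Start-Service fails on a disabled service.
function Start-RdpServices {
    param([string]$ComputerName)   # omit for the local computer

    $work = {
        foreach ($name in 'TermService', 'UmRdpService') {
            $svc = Get-Service -Name $name -ErrorAction Stop
            if ($svc.StartType -eq 'Disabled') {
                Write-Warning "$name is Disabled; setting its startup type to Manual so it can start."
                Set-Service -Name $name -StartupType Manual
            }
            if ($svc.Status -ne 'Running') {
                Start-Service -Name $name      # starting TermService also restarts UmRdpService
            }
            # Re-read the service so the reported state is current
            Get-Service -Name $name | Select-Object Name, Status, StartType
        }
    }

    if ($ComputerName) {
        # Remote path needs PowerShell remoting (WinRM) enabled on the target
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $work
    } else {
        & $work
    }
}

Start-RdpServices                           # local computer (run elevated)
# Start-RdpServices -ComputerName SERVER01  # remote computer
```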

Check that the RDP listener is functioning

Important

Follow this section's instructions carefully. Serious problems can occur if the registry is modified incorrectly. Before you start modifying the registry, back up the registry so you can restore it in case something goes wrong.

Check the status of the RDP listener

For this procedure, use a PowerShell instance that has administrative permissions. For a local computer, you can also use a command prompt that has administrative permissions. However, this procedure uses PowerShell because the same cmdlets work both locally and remotely.

  1. To connect to a remote computer, run the following cmdlet:

    Enter-PSSession -ComputerName <computer name>

  2. Enter qwinsta. The qwinsta command lists the processes listening on the computer's ports.

  3. If the list includes rdp-tcp with a status of Listen, the RDP listener is working. Proceed to Check the RDP listener port. Otherwise, continue at step 4.

  4. Export the RDP listener configuration from a working computer.

    1. Sign in to a computer that has the same operating system version as the affected computer, and access that computer's registry (for example, by using Registry Editor).
    2. Navigate to the following registry entry:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    3. Export the entry to a .reg file. For example, in Registry Editor, right-click the entry, select Export, and then enter a filename for the exported settings.
    4. Copy the exported .reg file to the affected computer.
  5. To import the RDP listener configuration, open a PowerShell window that has administrative permissions on the affected computer (or open a PowerShell window and connect to the affected computer remotely).

    1. To back up the existing registry entry, enter the following cmdlet:

      cmd /c 'reg export "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-tcp" C:\Rdp-tcp-backup.reg'

    2. To remove the existing registry entry, enter the following cmdlet:

      Remove-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-tcp' -Recurse -Force

    3. To import the new registry entry and then restart the service, enter the following cmdlets:

      cmd /c 'regedit /s c:\<filename>.reg'
      Restart-Service TermService -Force

      Replace <filename> with the name of the exported .reg file.

  6. Test the configuration by trying the remote desktop connection again. If you still can't connect, restart the affected computer.

  7. If you still can't connect, check the status of the RDP self-signed certificate.

Check the status of the RDP self-signed certificate

  1. If you still can't connect, open the Certificates MMC snap-in. When you are prompted to select the certificate store to manage, select Computer account, and then select the affected computer.
  2. In the Certificates folder under Remote Desktop, delete the RDP self-signed certificate.
    Remote Desktop certificates in the MMC Certificates snap-in.
  3. On the affected computer, restart the Remote Desktop Services service.
  4. Refresh the Certificates snap-in.
  5. If the RDP self-signed certificate has not been recreated, check the permissions of the MachineKeys folder.

Check the permissions of the MachineKeys folder

  1. On the affected computer, open Explorer, and then navigate to C:\ProgramData\Microsoft\Crypto\RSA\.
  2. Right-click MachineKeys, select Properties, select Security, and then select Advanced.
  3. Make sure that the following permissions are configured:
    • Builtin\Administrators: Full control
    • Everyone: Read, Write
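The certificate check and the MachineKeys permission check above can be done read-only from an elevated PowerShell window on the affected computer. This is an added example, not code from the article; it lists the certificates in the computer's Remote Desktop store and verifies that the two access control entries listed above are present on the MachineKeys folder.

```powershell
# Added example, not from the article: read-only check that the RDP self-signed
# certificate exists in the computer's Remote Desktop store and that the
# MachineKeys folder carries the two permissions the article lists.
$store = 'Cert:\LocalMachine\Remote Desktop'
$certs = @(Get-ChildItem -Path $store -ErrorAction SilentlyContinue)
if ($certs.Count -gt 0) {
    $certs | Select-Object Subject, NotAfter, Thumbprint
} else {
    Write-Warning "No certificate in '$store'. Restart TermService; if none appears, check MachineKeys permissions."
}

$folder = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
$acl    = Get-Acl -Path $folder
# Permissions the article requires, as FileSystemRights flag sets
$required = @{
    'BUILTIN\Administrators' = [System.Security.AccessControl.FileSystemRights]::FullControl
    'Everyone'               = [System.Security.AccessControl.FileSystemRights]'Read, Write'
}
foreach ($identity in $required.Keys) {
    $needed  = $required[$identity]
    # Allow ACEs for this identity; more than one may exist (explicit plus inherited)
    $granted = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $identity } |
        ForEach-Object { $_.FileSystemRights }
    # An ACE satisfies the requirement when every needed right bit is set
    $satisfied = $granted | Where-Object { ($_ -band $needed) -eq $needed }
    if ($satisfied) {
        "$identity has $needed on MachineKeys"
    } else {
        Write-Warning "$identity is missing '$needed' on $folder; fix it under Properties > Security > Advanced."
    }
}
```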

Check the RDP listener port

On both the local (client) computer and the remote (target) computer, the RDP listener should be listening on port 3389. No other applications should be using this port.

Important

Follow this section's instructions carefully. Serious problems can occur if the registry is modified incorrectly. Before you start modifying the registry, back up the registry so you can restore it in case something goes wrong.

To check or change the RDP port, use the Registry Editor:

  1. Go to the Start menu, select Run, then enter regedt32 into the text box that appears.
    • To connect to a remote computer, select File, and then select Connect Network Registry.
    • In the Select Computer dialog box, enter the name of the remote computer, select Check Names, and then select OK.
  2. Open the registry and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\<listener>.
    The PortNumber subkey for the RDP protocol.
  3. If PortNumber has a value other than 3389, change it to 3389.

    Important

    You can operate Remote Desktop Services using another port. However, we don't recommend you do this. This article doesn't cover how to troubleshoot that type of configuration.

  4. After you change the port number, restart the Remote Desktop Services service.

Check that another application isn't trying to use the same port

For this procedure, use a PowerShell instance that has administrative permissions. For a local computer, you can also use a command prompt that has administrative permissions. However, this procedure uses PowerShell because the same cmdlets work locally and remotely.

  1. Open a PowerShell window. To connect to a remote computer, enter Enter-PSSession -ComputerName <computer name>.

  2. Enter the following command:

    cmd /c 'netstat -ano | find "3389"'

    The netstat command produces a list of ports and the listening services.

  3. Look for an entry for TCP port 3389 (or the assigned RDP port) with a status of Listening.

    Note

    The process identifier (PID) for the process or service using that port appears under the PID column.

  4. To determine which application is using port 3389 (or the assigned RDP port), enter the following command:

    cmd /c 'tasklist /svc | find "<pid listening on 3389>"'

    The tasklist command reports details of a specific process.

  5. Look for an entry for the PID number that is associated with the port (from the netstat output). The services or processes that are associated with that PID appear in the right column.

  6. If an application or service other than Remote Desktop Services (TermServ.exe) is using the port, you can resolve the conflict by using one of the following methods:

    • Configure the other application or service to use a different port (recommended).
    • Uninstall the other application or service.
    • Configure RDP to use a different port, and then restart the Remote Desktop Services service (not recommended).
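The port check and the conflict check above, combined into one script as an added example that is not code from the article. Instead of hardcoding 3389 it reads PortNumber from the RDP-Tcp listener key, then uses Get-NetTCPConnection in place of the netstat/tasklist pipeline to identify the process that owns the listening port and compare it with the service host that runs TermService.

```powershell
# Added example, not from the article: read the port configured for the RDP-Tcp
# listener from the registry, then use Get-NetTCPConnection in place of the
# article's netstat/tasklist pipeline to find which process owns that listening
# port and flag any owner other than the svchost process hosting TermService.
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$port = (Get-ItemProperty -Path $listenerKey -Name PortNumber).PortNumber
if ($port -ne 3389) { Write-Warning "RDP listener is configured for port $port, not 3389." }

# PID of the service host running TermService, from the service control manager (0 if stopped)
$rdpPid = (Get-CimInstance Win32_Service -Filter "Name='TermService'").ProcessId

$listeners = @(Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)
if ($listeners.Count -eq 0) {
    Write-Warning "Nothing is listening on TCP port $port; check the RDP services and the listener."
} else {
    # IPv4 and IPv6 listeners share one owning PID, so report each PID once
    foreach ($conn in $listeners | Sort-Object OwningProcess -Unique) {
        $proc  = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $isRdp = ($conn.OwningProcess -eq $rdpPid)
        [pscustomobject]@{
            Port       = $conn.LocalPort
            PID        = $conn.OwningProcess
            Process    = $proc.ProcessName
            OwnedByRdp = $isRdp
        }
        if (-not $isRdp) {
            Write-Warning "PID $($conn.OwningProcess) ($($proc.ProcessName)) holds port $port instead of Remote Desktop Services; move it to another port."
        }
    }
}
```

Run it inside Enter-PSSession to check a remote computer; it needs an elevated session to read the owning PIDs of other users' processes.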

Check whether a firewall is blocking the RDP port

Use the psping tool to test whether you can reach the affected computer by using port 3389.

  1. Go to a different computer that isn't affected and download psping from https://live.sysinternals.com/psping.exe.

  2. Open a command prompt window as an administrator, change to the directory in which you installed psping, and then enter the following command:

    psping -accepteula <computer IP>:3389

  3. Check the output of the psping command for results such as the following:

    • Connecting to <computer IP>: The remote computer is reachable.
    • (0% loss): All attempts to connect succeeded.
    • The remote computer refused the network connection: The remote computer is not reachable.
    • (100% loss): All attempts to connect failed.
  4. Run psping on multiple computers to test their ability to connect to the affected computer.

  5. Note whether the affected computer blocks connections from all other computers, some other computers, or only one other computer.

  6. Recommended next steps:

    • Engage your network administrators to verify that the network allows RDP traffic to the affected computer.
    • Investigate the configurations of any firewalls between the source computers and the affected computer (including Windows Firewall on the affected computer) to determine whether a firewall is blocking the RDP port.
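Steps 4 and 5 above can be run from several source computers in one go. The following is an added example, not code from the article; it uses the built-in Test-NetConnection cmdlet rather than psping, runs it on each source computer through PowerShell remoting, and then reports whether the affected computer is blocked from all, some, or only one of them. The computer names are placeholders.

```powershell
# Added example, not from the article: run the reachability test from several
# source computers at once using Test-NetConnection (built into Windows) instead
# of psping, and tabulate which sources are blocked. Computer names are placeholders;
# the sources must accept PowerShell remoting.
$target  = 'AFFECTED-PC'              # placeholder: name or IP of the affected computer
$port    = 3389                       # or the assigned RDP port
$sources = 'WS01', 'WS02', 'SRV01'    # placeholders: unaffected computers to test from

$results = Invoke-Command -ComputerName $sources -ArgumentList $target, $port -ScriptBlock {
    param($Target, $Port)
    $test = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Source    = $env:COMPUTERNAME
        Target    = $Target
        Port      = $Port
        Reachable = $test.TcpTestSucceeded   # $true when the TCP handshake completed
    }
}

$results | Format-Table Source, Target, Port, Reachable -AutoSize

$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -eq 0) {
    'Port reachable from every source: a firewall is not blocking the RDP port.'
} elseif ($blocked.Count -eq $sources.Count) {
    'Blocked from all sources: check Windows Firewall on the affected computer and its RDP listener.'
} else {
    "Blocked only from $($blocked.Source -join ', '): check the firewalls on the path from those sources."
}
```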