FIX - RDP Session Disconnecting Randomly

We had an issue where domain users would lose their RDP connections randomly.

In our SOE, Remote Desktop is disabled by default and by design we only want to enable it for machine that are joined to the domain and receiving our Computer policies. Those policies also define specific Domain Security Groups that are member of the "BUILTIN\Remote Desktop Users" group allowing only specific users to use Remote Desktop Connections.

We asked some of the affected users to take note of the time when the issue occurred.
By looking at the event log at the given times no error nor warning where found, but we did notice that this was a large number of SceCli informational events taking place. As per this MS Knowledge Article the processing of the Security Setting Extension is how the Security policies are implemented on the machine.

This drove us to think that this issue was caused by the GPO refresh cycles.
When the refresh takes place the security policies registry key gets deleted to then be rewritten which leaves the machines - for a brief moment of time - without policy settings which in turn causes the user to loose their remote desktop connection. This can actually be seen in the GPSVC.log.

Since the registry key that control the Remote Desktop feature are written in two different locations when applied by the Policies than when applied by the Operating System, the refresh mecanism would cause the O.S. settings to be the only one present and enforced at the time when the users were getting disconnected.

Here are both locations for the fDenyTsConnections value:

O.S value location.: 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
\fDenyTSConnections

Group Policies value location: 
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections

After manually setting the O.S.  registry key to 0 the problem disappeared.
To permanently automate this fix across the whole platform we added this registry entry to our policies.

As a result when the policy refresh occurs RDC rights are no longer lossed and our restricted group policy setting still ensure that  only users of the "BUILTIN\Remote Desktop Users" are authorized to RDC.

FIX - Windows Features showing blank and Patch error 0x800B0101 2148204801

Back in Noberber 2012 Microsoft released KB2749655 "to address an issue in which the digital signature on files produced and signed by Microsoft will expire prematurely" as described in Microsoft Security Advisory (2749655).

Here are some real life scenarios where this patch did help fixing the following issues: 

• "Turn Windows features on or off" showing blank:
  
  
  Users are no longer able to view the installed Windows 7 features on their machine, nor could they enable or disable them. Actually if you try to list, add or remove the features with DISM you would also get an exit code 0x800B0101 (-2146762495) and the DISM.log would redirect you to the CBS.log as descripted bellow. 

• Uninstalling badly signed patches would throw a Windows Update Standalone Installer error reading:
  
   "Installer encountered an error: 0x800B0101 A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file."

• Installing  badly signed patches (i.e.: KB2705219)  would throw the error HRESULT = 0x800B0101 - CERT_E_EXPIRED]  in CBS.log.
  And the error: 2148204801 would appear in the event viewer with the description "A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file." 

Hopefully this will be of help for you too and if you do get across additional scenarios, please add them in the comment sections for everyone's benefit !!