Ssl – TLS 1.2 only on Windows Server with RD Services breaks RDP

Tags: rdp, remote-desktop-services, ssl

I've been experiencing an RDP issue whenever TLS 1.0 is disabled in my environment. I've seen many others report the same issues across the web.

In November 2018, Microsoft released a patch for Server 2012 R2 that fixed a silent bug wherein FIPS policy would silently re-enable TLS 1.0/1.1 support.

A Server 2012 R2 or 2016 server running Remote Desktop Services will fail to allow non-console connections when TLS 1.0/1.1 is turned off.

The above linked article proposes:

a. Not using RDS with a Connection Broker, which breaks our use case

b. Not disabling TLS 1.0, which breaks our security posture

c. Configuring an HA Connection Broker on a dedicated SQL server, which seems like a large effort with additional cost we'd prefer to avoid.

Has anyone else resolved this issue any other way?

Or, is it possible to set up an HA connection broker without actually having a second RDS Server?

We could place the SQL connection on a server that already exists in the environment in that case.

Best Answer

You probably already found the answer, but here it is for others in the future. The WID doesn't support TLS 1.2, so you have to use an SQL server to run the connection.

https://support.microsoft.com/en-us/help/4036954/disabling-tls1-0-can-cause-rds-connection-broker-or-rdms-to-fail
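The check an administrator would want before turning TLS 1.0 off on a broker, as an added example that is not part of the question or answer above: it reads the Schannel protocol keys and asks the RemoteDesktop module whether the broker already points at a SQL Server database instead of the WID. It assumes the RemoteDesktop module (RDS management tools) and the WID service are present on the broker host and that it runs from an elevated prompt.

```powershell
# Added example, not code from the question or answer. Reports the Schannel
# protocol state and whether the RD Connection Broker still depends on the
# Windows Internal Database, which is the combination KB4036954 warns about.
function Get-RdsTlsReadiness {
    param([string]$ConnectionBroker = $env:COMPUTERNAME)

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $protocols = foreach ($p in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key = Join-Path $base "$p\Server"
        # A missing value means the OS default applies (all three are on by
        # default on Server 2012 R2 and 2016).
        $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        $dbd     = (Get-ItemProperty -Path $key -Name DisabledByDefault -ErrorAction SilentlyContinue).DisabledByDefault
        [pscustomobject]@{
            Protocol          = $p
            Enabled           = if ($null -eq $enabled) { 'default' } else { [bool]$enabled }
            DisabledByDefault = if ($null -eq $dbd)     { 'default' } else { [bool]$dbd }
        }
    }

    # HA mode is the only configuration in which the broker database lives on
    # SQL Server; no HA object is taken here (assumption) to mean WID is in use.
    $ha = $null
    try {
        $ha = Get-RDConnectionBrokerHighAvailability -ConnectionBroker $ConnectionBroker -ErrorAction Stop
    } catch { $ha = $null }
    $wid = Get-Service -Name 'MSSQL$MICROSOFT##WID' -ErrorAction SilentlyContinue

    $tls10 = $protocols | Where-Object Protocol -eq 'TLS 1.0'
    $tls10Off = ($tls10.Enabled -eq $false)
    $onWid = ($null -eq $ha -or [string]::IsNullOrEmpty($ha.DatabaseConnectionString))

    $verdict = if ($tls10Off -and $onWid) {
        'RISK: TLS 1.0 disabled while the broker database is on the WID; broker-mediated RDP will fail.'
    } elseif ($onWid) {
        'Broker database is on the WID; move it to SQL Server (HA mode) before disabling TLS 1.0.'
    } else {
        'Broker database is on SQL Server; disabling TLS 1.0 is safe from the broker side.'
    }

    [pscustomobject]@{
        ConnectionBroker = $ConnectionBroker
        Protocols        = $protocols
        WidServiceState  = if ($wid) { $wid.Status } else { 'not installed' }
        DatabaseTarget   = if ($onWid) { 'WID' } else { $ha.DatabaseConnectionString }
        Verdict          = $verdict
    }
}

Get-RdsTlsReadiness | Format-List
```

Run it on each broker before and after changing the Schannel keys; the Protocols table shows what a reboot will enforce, and the Verdict line tells you whether the WID dependency still needs to be removed first.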