Remote desktop connection is sometimes stuck on the "Securing remote connection" screen

Applies to: Windows Vista BusinessWindows Vista EnterpriseWindows Vista Ultimate More

Symptoms


Assume a scenario in which you use a remote desktop connection for operating system Windows Vista or later versions of Windows. In this scenario, Remote desktop connection is stuck for several seconds when it displays the following texts:
Remote Desktop Connection
Connecting to:
Securing remote connection…

Cause


Remote desktop connection uses the highest possible security level encryption method between the source and destination.
In Windows Vista or later versions of Windows, the remote desktop connection uses the SSL (TLS 1.0) Protocol and the encryption is Certificate-based.
This means the authentication is performed by using self-signed certificates (default) or a certificate issued by a certification authority installed on the remote session host server (Terminal Server).
If you use a self-signed certificate, the system tries to retrieve the trusted certification authority list from the Internet to check the publish and revocation status of the certificate. Therefore, the "Securing remote connection" screen may appear for a while.

Workaround


To work around this behavior, use either of the following methods:   
Method 1
If you are using a self signed certificate, import the certificate to the source. To do this, perform the following on the destination:
  1. Log on as an administrator in the destination, click Start, enter mmc in the Search programs and files box and run Microsoft Management Console.
  2. On the File menu, click the Add/Remove Snap-in option.
  3. From the list of Available snap-ins, select Certificates and then click the Add button.
  4. On the Certificate Snap-in screen, select the Computer account check box and then click Next.
  5. On the Select Computer screen, select Local Computer and then click the Finish button.
  6. Go back to the Add/Remove Snap-In dialog box and then click the OK button.
  7. In the left pane of the console window, expand Console Route, Certificates (Local Computer), Remote Desktop, and Certificates.
  8. Double-click the Certificate in the middle pane to open it.
  9. On the Detail tab, click the Copy to File... button.
  10. The Certificate Export Wizard will open. Leave the default settings and then save the file in any folder.
  11. Copy the exported file to the source computer.
Then perform the following on the source:
  1. Log on as an administrator in the source, click Start, enter mmc in the Search programs and files box, and run the mmc.exe.
  2. Click the File menu and then click the Add/Remove Snap-in option.
  3. From the list of Available snap-ins, select Certificates and then click the Add button.
  4. On the Certificate Snap-in screen, select the Computer account check box and then click Next.
  5. On the Select Computer screen, select Local Computer and then click the Finish button.
  6. Go back to the Add/Remove Snap-In dialog box and then click the OK button.
  7. In the left pane of the console window, expand Certificates (Local Computer), Trusted Root Certification Authorities, and Certificates. Right-click to select All Tasks, and then click Import... from the menu.
  8. The Certificate Import Wizard will open. Follow the instructions in the wizard to start the import.
    1. In the Certificate file to import window, specify the file that was copied from the destination computer.
    2. In the Certificate store window, verify that Place all certificates in the following store is selected and that Certificate Store lists Trusted Root Certification Authorities.
Note By default, the self-signed certificate expires in six months. If it has expired, the certificate will be recreated. You must import the recreated certificate to the source again.
Method 2
Deploy a Group Policy Object to the client to turn off Automatic Root Certificates Update. To do this, follow these steps on a Windows 8.1 or a Windows Server 2012 R2-based computer:
  1. Open Group Policy Management Console. To do this, hold the Windows key and press the r key. Type Gpmc.msc in the Run box, and then click OK.
  2. Create a new Group Policy Object (GPO) or select an existing Group Policy Object (GPO) to change.
  3. Right-click the selected Group Policy Object (GPO) and then click Edit and browse to the following Group Policy:
    Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
  4. In the details pane, double-click Turn off Automatic Root Certificates Update, and then click Enabled.