Hello all,
We are experiencing a behavior with RDP sessions via Password Safe initiated from machines with Windows 11.
The session has a slow image loading, appearing to load in rows of images and in blocks.
A simple movement of windows within the RDP session causes the image loading of this movement to be very slow.
This does not occur if the RDP session is direct with the destination server.
But if the connection is through Password Safe being Windows 11 > Resource Broker > Destination server, this slowness is noticed.
Has anyone else noticed this problem in your environments?
Additionally, this behavior does not occur in Windows 10.
Points that I have already checked:
- The software installed on the computers are the same between Windows 10 and 11;
- The network settings are the same. This behavior occurs on both wireless and wired networks;
- The GPOs of the Windows 10/11 stations, Resource Brokers and destination servers have already been checked. No Remote Desktop configurations that could impact the sessions;
The environment as a whole is the same. The only thing that changes is the Windows version.
I wonder if it could be something between the RDP on the Windows 11 machine and the RDP Proxy within the resource broker.
One workaround that I applied and significantly improved the RDP session was the addition of the gfx and gfx_caps_override registry keys to a resource broker in the environment.
However, the use of these two registry keys was advised against by BeyondTrust support as they were no longer necessary.
Could I simply apply these two keys to all resource brokers? Yes, I could. However, using them removes the Password Safe loading screen during the RDP connection, making it impossible to see if any error occurred.
I continue to investigate this behavior in my environment, but have not yet been successful in improving it.
Any thoughts here we'll be apreciated.
Hi rgkessel,
The behavior you're describing is similar to the one mentioned in the following BeyondTrust knowledge base article:
Remote Support / Privileged Remote Access - Windows 11 24H2 - RDP graphics issue - Little colored squares over everything (screen artifacting)
I hope you find it helpful.
Hello Lino,
Thanks for your comment.
The KB you mentioned is related to PRA, right?
My case is related to Password Safe.
And even though it is Password Safe, I have already seen a KB mentioning this issue. We had this issue in our environment, but it was fixed with the update to version 24.3.
But even after this update, the slowness continues when accessing servers via Password Safe, where the user's machine is Windows 11.
One workaround that I applied and significantly improved the RDP session was the addition of the gfx and gfx_caps_override registry keys to a resource broker in the environment.
However, the use of these two registry keys was advised against by BeyondTrust support as they were no longer necessary.
Could I simply apply these two keys to all resource brokers? Yes, I could. However, using them removes the Password Safe loading screen during the RDP connection, making it impossible to see if any error occurred.
Hi, I’ve used these two registry keys, and they have indeed improved performance in my lab. May I ask why BT support is against this? Was any reasoning provided? (I’m just curious — I’m not an employee.)
Hi, I’ve used these two registry keys, and they have indeed improved performance in my lab. May I ask why BT support is against this? Was any reasoning provided? (I’m just curious — I’m not an employee.)
Hello prakash,
They reported that these two registry keys were no longer needed because they were used as a workaround to fix an issue in Windows RDP.
This issue has been fixed in the most recent versions of Resource Brokers (in the case of Password Safe Cloud).
BeyondInsight / Password Safe - Windows 11 2024 version 24H2 update RDP graphics issue - Little colored squares over everything (screen artifacting)
Although my report is not the same problem as the KB above, these registry keys have greatly improved the performance of RDP sessions.
Hi @prakash.r It is not recommended as the registry keys removes functionality from Password Safe such as not showing the countdown timer, no splash screens can appear or screen overlays. For example the screen showing the session is locked shown in https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0019648. Have you ensured all the windows 11 updates have been done?
According to Microsoft Windows 11 has more visual effects, such as animations and shadows, which can consume more system resources. You can disable some visual effects in performance option to free up system resources. Consult Microsoft documentation for further information.
Hello Gloria,
Even if I disable features or leave visual effects at a minimum in the RDP settings, the slowness is still noticeable.
Today I tested access through a recently formatted Windows 11 machine, without being part of my network domain.
So the machine does not have any GPOs applied, security agents or other settings that could affect its performance in any way.
Even so, the slowness is noticeable.
So, I understand that the problem is not with our environment's settings.
Thanks,
Rudolf.
I know there is a issue with the gfx key, because if right now anyone try to acess a session with a resolution that ends with “50” like 1440x1050 or 1680x1050, the session resolution loses 2 pixels, the screen get the followings resolutions “1440x1048” and “1680x1048”, but when re-applying the gfx key on regedit, the session works with the normal resolution instead of losing 2 pixels.
I have this tested in at least 5 other enviroments with the same issue.
If you are still having issue, I would open a case with BeyondTrust Support and include the information at the bottom of this article: How to troubleshoot RDP or Application Session slowness
I know this is a different product but I’m wondering if our performance issues with BT Privileged Remote Access are related (perhaps it using the same bomgar rdp framework on back end?). There is pretty noticeable performance lag/slowness when using PRA to remote into Windows PC’s (this is not only on Windows 11 btw, we see it on Windows 10 also). However, if we select external tool BYOT RDP, the performance is amazing and we have no issues. The slowness is also present on the web only client also.
I have not tried any registry key modifications to troubleshoot this so I may try the ones mentioned here and see if anything improves. Thanks
Performance issues are often very hard to find a cause, and I’m sure everyone wants to blame the proxy. Before you write off Windows 11, note that this OS will enable UDP for RDP by default, which can cause unnecessary packet retries. Be sure usage of UDP for RDP connections is disabled across your enterprise (registry/GPO). Next, check network latency from client IP ranges to proxy, then check proxy to various target/managed systems. Next, check performance of the BI proxy itself. Do you have session recording enabled? What is the I/O wait of your servers/VM? Do you have dedicated Password safe node(s) that are not competing for CPU with the admin node?
Also, do you have similar issues with SSH connections (or SFTP transfers)? If not, the problem may be RDP specific. If so, then it’s the network or proxy itself.
Hello @MichaelF,
Thank you for your comment.
I forgot to mention in this thread that the issue doesn't only affect Windows 11. I've also seen this behavior on other colleagues' Windows 10.
However, many of them didn't report this as a problem because they thought the slowdown was normal due to RDP access. We know that RDP can have some standard slowdowns.
However, we've often noticed severe slowdowns, beyond the expected RDP protocol.
This behavior is significantly worse considering users we have outside of Brazil, in other countries.
During these times of severe slowdowns, I monitored the proxy server resources, and all were at less than 30% utilization.
I/O was fine, and network consumption was very low, well above the server adapters' limits.
With some information from the Knowledge Base and after contacting support, I understood that Password Safe uses the Bitmap codec as the default for images. Some research shows that Bitmap is an uncompressed codec that consumes a lot of network bandwidth and can suffer from low-speed or high-latency connections.
However, our connections have good speeds and low latency, and we still experience slow access.
Using the gfx and gfx_caps_override registry keys mentioned here, Password Safe now uses the H264 codec, which has an excellent compression ratio without losing image quality.
And with H264, everything works perfectly even for users in other countries, far from the data centers where the servers are hosted.
But it's not all sunshine and roses. H264 caused us problems when accessing some older servers that don't support this codec, and we also lost the session loading screen, which was replaced by a black screen before the server image was displayed.
So, I can't convert the entire environment to H264 right now.
I would like to thank @Paulo144 for the help on this case. With his help I was able to test and notice this same slowness in his test environment with default bitmap codec.
I think it would be great if FreeRDP had a way to negotiate the best codec during the RDP session connection.
But I also imagine that the Bitmap option is necessary for the entire solution to work, even if it works with H264.
I'm still trying to find a way to solve or at least improve the slowness in our environment.
