SFC reporting hash mismatch for files LServer_PKConfig.xml & tls_branding_config.xml

rmatlock

Hello,

I've seen this issue appear before on this forum, but I'm hoping I can get some assistance specific to our environment. We have a Windows 2019 server that serves as a session broker for our terminal server farm, and occasionally, it will not accept RDP connections via hostname, only the IP address works.

Through troubleshooting, I checked for corrupt files with SFC /scannow and it found corrupt files related to Terminal Services, but it was unable to repair. DISM also fails. I've attached the CBS logs with this post. Could someone please help? I've seen the SFCFix on this forum and was hoping someone might be able to help provide a fix through this tool.

2024-03-28 09:53:43, Info CSI 000066f6 Hashes for file member [l:20]'LServer_PKConfig.xml' do not match.
Expected: {l:32 ml:4096 b:a68ced28a12c6d3a25c153e76217f1830e2d94b9c71e4f9b2ebb2b01335af2b6}.
Actual: {l:32 b:b45d90e43527e118b400d87486820dd8460912fabd1ef147e654b1afc0d4378c}.
2024-03-28 09:53:43, Info CSI 000066f7 [SR] Cannot repair member file [l:20]'LServer_PKConfig.xml' of Microsoft-Windows-TerminalServices-LicenseServer-LRWIZDLL, version 10.0.17763.1, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, hash mismatch
2024-03-28 09:53:43, Info CSI 000066f8@2024/3/28:13:53:43.810 Primitive installers committed for repair
2024-03-28 09:53:43, Info CSI 000066f9 Hashes for file member [l:20]'LServer_PKConfig.xml' do not match.
Expected: {l:32 ml:4096 b:a68ced28a12c6d3a25c153e76217f1830e2d94b9c71e4f9b2ebb2b01335af2b6}.
Actual: {l:32 b:b45d90e43527e118b400d87486820dd8460912fabd1ef147e654b1afc0d4378c}.

Thank you!!
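Added example, not part of the original post and not SFCFix's own code: a small Python parser that collapses the repeated CSI hash-mismatch entries from a CBS.log excerpt like the one above into one finding per file, with the expected and actual digests and the owning component. The function names are hypothetical, and the sample is the excerpt quoted in the post.

```python
import re

# CBS.log excerpt copied from the post above (whitespace as it appears on the page).
SAMPLE = """\
2024-03-28 09:53:43, Info CSI 000066f6 Hashes for file member [l:20]'LServer_PKConfig.xml' do not match.
Expected: {l:32 ml:4096 b:a68ced28a12c6d3a25c153e76217f1830e2d94b9c71e4f9b2ebb2b01335af2b6}.
Actual: {l:32 b:b45d90e43527e118b400d87486820dd8460912fabd1ef147e654b1afc0d4378c}.
2024-03-28 09:53:43, Info CSI 000066f7 [SR] Cannot repair member file [l:20]'LServer_PKConfig.xml' of Microsoft-Windows-TerminalServices-LicenseServer-LRWIZDLL, version 10.0.17763.1, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, hash mismatch
2024-03-28 09:53:43, Info CSI 000066f8@2024/3/28:13:53:43.810 Primitive installers committed for repair
2024-03-28 09:53:43, Info CSI 000066f9 Hashes for file member [l:20]'LServer_PKConfig.xml' do not match.
Expected: {l:32 ml:4096 b:a68ced28a12c6d3a25c153e76217f1830e2d94b9c71e4f9b2ebb2b01335af2b6}.
Actual: {l:32 b:b45d90e43527e118b400d87486820dd8460912fabd1ef147e654b1afc0d4378c}.
"""

MISMATCH = re.compile(r"Hashes for file member \[l:\d+\]'([^']+)' do not match")
HASH = re.compile(r"^\s*(Expected|Actual):\s*\{[^}]*\bb:([0-9a-fA-F]+)\}")
UNREPAIRED = re.compile(
    r"\[SR\] Cannot repair member file \[l:\d+\]'([^']+)' of ([^,]+),"
    r"\s*version ([\d.]+),\s*arch (\w+)")

def _record(findings, name):
    """Return the finding for `name`, creating an empty one on first sight."""
    return findings.setdefault(name, {
        "file": name, "expected": None, "actual": None, "component": None,
        "version": None, "arch": None, "reports": 0, "unrepaired": False})

def parse_cbs(text):
    """Collapse repeated hash-mismatch entries into one finding per file name."""
    findings, current = {}, None
    for line in text.splitlines():
        if m := MISMATCH.search(line):
            current = _record(findings, m.group(1))
            current["reports"] += 1
        elif (m := HASH.match(line)) and current is not None:
            # Expected/Actual continuation lines belong to the preceding mismatch.
            current[m.group(1).lower()] = m.group(2).lower()
        else:
            current = None
            if m := UNREPAIRED.search(line):
                rec = _record(findings, m.group(1))
                rec.update(component=m.group(2), version=m.group(3),
                           arch=m.group(4), unrepaired=True)
    return list(findings.values())

if __name__ == "__main__":
    for finding in parse_cbs(SAMPLE):
        print(finding)
```

Findings are keyed by file name only, which is a simplification: a log in which two components carry a member file of the same name would need the component added to the key.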
 

Hi and welcome to Sysnative,

Step 1. Download SFCFix and save it to your desktop.

Warning: This fix was written specifically for this system. Do not run this fix on another system.
  • Save any work you have open, and close all programs.
  • Download the attachment SFCFix.zip and save it to your desktop.
  • Drag the SFCFix.zip file over the SFCFix.exe executable and release it.
  • SFCFix will launch, let it complete.
  • Once done, a file will appear on your desktop, called SFCFix.txt.
  • Post the logfile (SFCFix.txt) as attachment in your next reply.


Step 2. Run the System File Checker and post the result. If it fails, attach a new copy of the CBS log.
Code:
SFC /Scannow
 

Thank you so much, Maxstar! SFC completed without any errors afterwards. I've attached the log with this post.
 

Hi,

Please run the following DISM command and post the result. If it fails, attach a new copy of the CBS log.
Code:
DISM /online /cleanup-image /RestoreHealth
 
Hi,

Here's the next fix.

Step 1.
Warning: This fix was written specifically for this system. Do not run this fix on another system.
  • Save any work you have open, and close all programs.
  • Download the attachment SFCFix.zip and save it to your desktop.
  • Drag the SFCFix.zip file over the SFCFix.exe executable and release it.
  • SFCFix will launch, let it complete.
  • Once done, a file will appear on your desktop, called SFCFix.txt.
  • Post the logfile (SFCFix.txt) as attachment in your next reply.


Step 2. Run the following DISM command and post the result. If it fails, attach a new copy of the CBS log.
Code:
DISM /online /cleanup-image /RestoreHealth
 

Maxstar, thank you so much, that also worked! DISM completed successfully afterwards, and I've attached the SFCFix output with this post. Does that mean we're all set or should I check anything else?
 

Hi,

You're welcome. I would suggest checking if everything is up-to-date, and if there are no remaining issues with Terminal Server (RDP) sessions. If not, we can mark this thread as solved.
 
As far as I can tell everything is working well now, except for the Start Menu. Users can only see it properly when they log in for the first time. Administrators can see it every log in.

From what I can tell, this seems to be a common problem with Server 2019. Do you know of any way to fix this? Since the start menu loads with icons for admins, I'm guessing there must be some sort of permissions issue going on. If you're not sure what this issue might be, we can definitely close this thread. This has been going on for a while, however, so I figured I'd ask!
 
Thank you, Maxstar! However, we don't use Citrix profile management. Do you think there's any way to fix this without Citrix?
 
Okay, let's check the following key to see if the value "DeleteUserAppContainersOnLogoff" exists.
Open an elevated prompt, run the following command and copy and paste the result in your next post.
Code:
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
 
Sure thing! Here's the output from one of the terminal servers:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
DisableStatefulFTP REG_DWORD 0x1
DisableStatefulPPTP REG_DWORD 0x1
IPSecExempt REG_DWORD 0x9
PolicyVersion REG_DWORD 0x21d
DeleteUserAppContainersOnLogoff REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Mdm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedInterfaces
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
 
Please check the following keys to see how many entries are listed.

Code:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules
 
Hi Max,

Looks like there are a lot of entries. When I had looked at this in the past, the start menu would not load at all, and I stumbled across a couple of posts talking about cleaning up the firewall rules, so I'm familiar with that process. Not sure if that's related but figured it might be helpful. Attached is the output of the two queries.
 

This doesn't look problematic at all, both keys are not filled up with thousands of entries. What you could try is to change the following DWORD entry to see what happens.
Code:
reg add HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy /v DeleteUserAppContainersOnLogoff /t REG_DWORD /d 0x0 /f
 
Thank you! I can give that a try tonight. Is there a corresponding group policy for this setting, or should I use the registry?
 
Yes, please check the following GPO-Path to check how the policies are set.
Code:
Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment

I would suggest changing the REG value on one server first to see what happens. Although this is a well-known bug, it is no longer necessary to set "DeleteUserAppContainersOnLogoff" to "0x1" on servers which have enough resources to handle RDP sessions without any performance issues.
 
