As I start to roll out Windows Server 2016 to replace Windows Server 2008 R2 RDP Servers, I’ve been encountering issues that just didn’t exist with Server 2008 R2. Today’s issue is that by default, if a new user account is created, or if the user’s password expires, or if an admin simply checks the Active Directory “User must change password at next login” property, when the user attempts to connect via RDP instead of getting a password change prompt they instead see this error:
Title: Remote Desktop Connection
You must change your password before logging on the first time. Please update your password or contact your system administrator or technical support.
This has the unusual effect of preventing the user from changing their password themselves, leaving the administrator with one of two undesirable options:
- Turn off the “User must change password at next login” property, or
- Change the password to some other password yourself, and also make sure that property is not set.
In either case, the implication is that some person other than that user now knows that user’s password.
How to solve the issue – Change the RDP Security Layer
To solve the issue, you have to edit the Session Collection, Security, Configure Security settings and then change the Security Layer setting from Auto-Negotiate to RDP Security Layer.
Once that change has been applied, remote RDP users return to being able to set a new password.
As an added bonus, this RDP Security Layer is actually more secure, and is also PCI Compliant (at least as of this writing anyway).
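The Session Collection setting above maps to the RDP-Tcp listener values that the comments below edit by hand (SecurityLayer in the registry, and the NLA checkbox). The following PowerShell is an added example, not part of the original post, for auditing those two values on an RD Session Host before and after the change and for applying a given combination in one step. It assumes the documented meanings of the listener values (SecurityLayer 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL/TLS; UserAuthentication 1 = Network Level Authentication required) and that it runs elevated; as the comments note, the listener needs a reboot or a TermService restart to pick the change up.

```powershell
# Added example (not from the original post): audit and change the RDP-Tcp
# listener's SecurityLayer and UserAuthentication (NLA) values through the
# registry key named in the comments. Run in an elevated PowerShell session
# on the RD Session Host.
#   SecurityLayer      0 = RDP Security Layer, 1 = Negotiate, 2 = SSL/TLS
#   UserAuthentication 0 = NLA not required,   1 = NLA required
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpListenerSecurity {
    $p = Get-ItemProperty -Path $RdpTcpKey -Name SecurityLayer, UserAuthentication
    $layerName = switch ($p.SecurityLayer) {
        0       { 'RDP Security Layer' }
        1       { 'Negotiate' }
        2       { 'SSL/TLS' }
        default { 'Unknown' }
    }
    [pscustomobject]@{
        SecurityLayer     = $p.SecurityLayer
        SecurityLayerName = $layerName
        NlaRequired       = [bool]$p.UserAuthentication
        # The in-session "change your password" prompt only appears when the
        # logon screen is reached before credentials are verified, i.e. when
        # NLA is not enforced. That is the trade-off the post describes.
        InSessionPasswordChange = ($p.UserAuthentication -eq 0)
    }
}

function Set-RdpListenerSecurity {
    param(
        [Parameter(Mandatory)][ValidateRange(0, 2)][int]$SecurityLayer,
        [Parameter(Mandatory)][ValidateRange(0, 1)][int]$UserAuthentication
    )
    $before = Get-RdpListenerSecurity
    Set-ItemProperty -Path $RdpTcpKey -Name SecurityLayer      -Value $SecurityLayer      -Type DWord
    Set-ItemProperty -Path $RdpTcpKey -Name UserAuthentication -Value $UserAuthentication -Type DWord
    # Leave a trace of who changed the listener and from what to what, so the
    # relaxation can be reviewed and reverted once passwords have been reset.
    $note = 'RDP-Tcp SecurityLayer {0}->{1}, UserAuthentication {2}->{3} changed by {4}\{5} on {6}' -f
        $before.SecurityLayer, $SecurityLayer, [int]$before.NlaRequired, $UserAuthentication,
        $env:USERDOMAIN, $env:USERNAME, (Get-Date -Format o)
    Write-Warning $note
    Write-Warning 'Restart the Remote Desktop Services service (or reboot) for the listener to apply the change.'
    Get-RdpListenerSecurity
}

# Usage:
#   Get-RdpListenerSecurity                                   # inspect the current state
#   Set-RdpListenerSecurity -SecurityLayer 0 -UserAuthentication 0   # the post's workaround
#   Set-RdpListenerSecurity -SecurityLayer 2 -UserAuthentication 1   # restore TLS + NLA afterwards
```

Keeping the restore call next to the relaxation call matters in practice: the comment below that scripts `SecurityLayer` back to 2 after the first logon follows the same pattern, and `Get-RdpListenerSecurity` is a quick way to confirm across a farm that no host was left on the relaxed setting.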
Hi,
I tried this solution and I still get the same error.
Hi Eric.
Just try to disable the option “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)” on RDS server and add “enablecredsspsupport:i:0” in RDP-file on client.
Screenshots can be viewed here: https://blog.it-kb.ru/2017/12/24/ways-to-change-or-reset-user-account-password-in-the-rdp-session/
A simple and effective solution for the warning “You must change your password before logging on the first time. Please update your password or contact your system administrator or technical support.”
I made a VBScript which solved the problem; it is executed after the user logs on. To learn how to make a Scheduled Task, go here -> https://superuser.com/questions/15596/automatically-run-a-script-when-i-log-on-to-windows
[This script is executed once the user has changed the password and to remove the warning in his next login]
Things to do.
1. You are on the Windows server 2016/2012 and logged in.
2. Tick “User must change password at next login”.
3. Open Regedit and set the following value to ‘0’,
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer
4. Open Notepad and create a script.vbs file (the icon of the file will change from text file to VBS script) and paste the following code.
' Copy from the next line
' If started without arguments, relaunch this script elevated (UAC prompt)
' with a marker argument so the elevated copy skips this block.
If WScript.Arguments.Length = 0 Then
    Set objShellApp = CreateObject("Shell.Application")
    objShellApp.ShellExecute "wscript.exe", _
        """" & WScript.ScriptFullName & """ RunAsAdministrator", , "runas", 1
    WScript.Quit
End If
' Now running elevated: set SecurityLayer back to 2 (SSL/TLS) on the RDP-Tcp listener.
Set WshShell = CreateObject("WScript.Shell")
myKey = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer"
WshShell.RegWrite myKey, 2, "REG_DWORD"
' Copy until the line above
5. Create a Windows “at log on” Scheduled Task which should be executed after the user has changed the password and logged in to the server for the first time.
6. Set the script path in the “at log on” task, and don’t forget to set Name, Trigger & Action in the Scheduled Task settings.
7. Reboot the PC.
8. Connect to the server by IP and a window will pop up ‘without’ the warning “You must change your password before logging on the first time. Please update your password or contact your system administrator or technical support.”
9. Enter the default login credentials, set up a new password and log in to the server within that window.
10. Now the script will automatically execute and set the Security Layer value to 2 in the registry.
11. Reboot the server.
12. Connect to the server by IP and you will be asked to enter your username and password without the window session.
13. You should be logged on to your server now after successful authentication.
It does not work, guys.
I cannot locate that screen on my Win 2016 DC though? Is there an alternate way to set it up? We only enabled the RDS Host and RDP Licensing. We can RDP, but RDP users cannot change initial passwords!
It works for me. Thank you, you saved my day!
Just log in as the new username and password on the main login screen. It will prompt you to change your password. Don’t try to remote in, because it won’t give you an option to change your password. Hit the Windows icon, search for your name, log out. Sign in as the user whose password you want changed.
Thank you very much, it worked!
In short! Here’s the solution!
1. Make an account that will not be in any group of the domain, or rather make the group empty and put the main user in it, removing it even from the Domain Users group.
2. Add this user to the Remote Desktop group on the farm gateway only.
3. Then, in ANY client, enter the properties of this user together with login, password and domain ONLY in the gateway section.
4. In the same connection settings, enter the PC (usually the 1st PC in the farm) which needs to be connected to.
That’s everything. Profit. Thank you all. The solution was found by the collective mind of my team, to whom, myself included, a BIG THANK YOU!
You can just have the users log in on the RDS web version. Once they sign in it will say “password has expired, click here to create a new one.”
Hello, my friend. Thank you for your suggestion, it was very helpful for me. There are a lot of suggestions on different sites from different users, but none of them solved my problem. Thanks a lot