Windows Multipoint Manager Won’t Open – WMS Server 2016

Resolved: Cannot open MultiPoint Dashboard: Application Error 1000, WmsDashboard.exe, Kernelbase.dll

1. You will need your local host name. If you don’t know that, you can run the command “hostname” from a command prompt and it will tell you the computer’s host name.
2. From a command prompt run “Net stop wms”. You will need to be running in an elevated command prompt as an administrator.
3. From a command prompt run “mmc.exe”. You will also need to be running in an elevated command prompt as an administrator.
4. Press CTRL+M to add a new snap-in. From the list of available snap-ins on the left, choose Certificates, then add it to the list. There will be a popup dialog. Choose “Computer account” from the three options, then choose “Local computer”.
5. Find “MultiPoint Services Certificates” in the list of certificates for the local computer. Delete all the certificates where “Issued By” is the local host name.
6. Now run “net start wms”. When the MultiPoint service starts, it will create a new certificate for you. This should fix the problem.
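
The same steps can be scripted in PowerShell. This is an added example, not part of the original post. It assumes the store that MMC shows as “MultiPoint Services Certificates” appears under Cert:\LocalMachine with “MultiPoint” in its name, and the backup folder is a hypothetical path.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
# Assumption: the physical store name contains "MultiPoint"; the script stops if the
# match is not unique so nothing is deleted from the wrong store.
$backupDir = 'C:\Temp\wms-cert-backup'     # hypothetical backup folder
$hostName  = $env:COMPUTERNAME             # same value the "hostname" command prints

$stores = @(Get-ChildItem Cert:\LocalMachine | Where-Object { $_.Name -like '*MultiPoint*' })
if ($stores.Count -ne 1) {
    throw "Expected exactly one MultiPoint store, found $($stores.Count)."
}
$storePath = "Cert:\LocalMachine\$($stores[0].Name)"

# Certificates whose issuer name is this host (the "Issued By" column in MMC).
$targets = @(Get-ChildItem -Path $storePath | Where-Object {
    $_.GetNameInfo('SimpleName', $true) -eq $hostName
})
$targets | Format-Table Thumbprint, Subject, Issuer, NotBefore, NotAfter -AutoSize

if ($targets.Count -gt 0) {
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    Stop-Service -Name wms
    foreach ($cert in $targets) {
        # Keep the public certificate as a record of what was removed.
        $file = Join-Path $backupDir "$($cert.Thumbprint).cer"
        Export-Certificate -Cert $cert -FilePath $file | Out-Null
        Remove-Item -Path "$storePath\$($cert.Thumbprint)"
    }
    Start-Service -Name wms                # the service creates a new certificate on start
    Get-ChildItem -Path $storePath | Format-Table Thumbprint, Issuer, NotAfter -AutoSize
}
```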

Thanks to Juan Carlos !!!

Windows server thinks it’s on a public network.


Thanks Evan!

Windows Server – Force Your Network Connection to Where it Belongs

Microsoft uses Network Location Awareness (NLA) to determine if a network connection is on a public LAN, private LAN, or domain network. Often, it gets it wrong. The issue with wrong placement is that the firewall rules that get used are based on the connection’s location.

There are circumstances where the location can be corrected from within the “Network and Sharing Center”. Often such changes do not survive a reboot or other network changes. You cannot use this method to move a connection to a less secure location (e.g. move Public to Private as Private usually has more relaxed firewall rules).

Below are steps you can take to help NLA properly recognize the connection’s location. The instructions are based on Windows 2008 R2 but they will work on other versions with little modification.

“Unidentified” Network – Move From Public to Private or Domain

If NLA can’t determine a connection’s location, it names it “Unidentified” and marks the location as Public. It chooses Public because that is most secure and you wouldn’t want anything less if the connection is on the DMZ.

There are two easy ways to fix this. One uses the Local Security Policy to change the default location of unidentified networks. The second method uses a change to the network connection properties to give NLA the information it needs to properly place the location.

Using Local Security Policy

This should only be used if the computer will never have any connections on the Public LAN. Otherwise, you run the risk of having a less secure firewall profile applied to your public connection.

  1. Open “Local Security Policy”.
  2. Click on “Network List Manager Policies” in the left pane. (This selection is buried in older versions of Windows.)
  3. Double-click on “Unidentified Networks” in the right pane.
  4. For computers that only exist on the private network, it is OK to set “Location type” to “private”.

Using Network Connection Properties

This is not about adding a gateway IP as that doesn’t work properly on a multi-homed server. Instead we will be adding a DNS suffix so that NLA can properly locate the domain controller which is how it knows to mark the location as “Domain network”.

  1. Go to Network Connections (from the Network and Sharing Center, click on “Change adapter settings”.)
  2. Go to the properties of one network connection marked as “Unidentified” but on the private LAN.
  3. Go to the properties for IPv4.
  4. Click the “Advanced…” button.
  5. Select the DNS tab.
  6. Enter your domain name into the text box for “DNS suffix for this connection:”.
  7. Disable and then enable the connection to get NLA to re-identify the location.

After enabling the connection, the Status should change to the domain name and Network Category to “Domain network”. Depending on your setup, it is likely that you only need to “fix” one connection to get all the related connections to see the domain.
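
On Windows Server 2012 and later, the same change can be checked and made from PowerShell. This is an added example, not part of the original article; the adapter alias and domain name are placeholders.

```powershell
# Added example, not from the original article. Needs Windows Server 2012 or later and an
# elevated session. $alias and $domain are placeholders for your own values.
$alias  = 'Ethernet 2'          # the private-LAN adapter shown as "Unidentified"
$domain = 'corp.example.com'    # your Active Directory DNS domain name

function Get-NlaState {
    # NLA's verdict per connection, next to the DNS suffix it has to work with.
    Get-NetConnectionProfile | ForEach-Object {
        [pscustomobject]@{
            Alias    = $_.InterfaceAlias
            Network  = $_.Name
            Category = $_.NetworkCategory   # Public, Private or DomainAuthenticated
            Suffix   = (Get-DnsClient -InterfaceIndex $_.InterfaceIndex).ConnectionSpecificSuffix
        }
    }
}

Get-NlaState | Format-Table -AutoSize

# NLA can only report "Domain network" if a domain controller can be located, so check
# that the DC locator SRV record resolves before changing anything.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' } | Format-Table NameTarget, Port -AutoSize

# Steps 2-6: set "DNS suffix for this connection" on the chosen adapter.
Set-DnsClient -InterfaceAlias $alias -ConnectionSpecificSuffix $domain

# Step 7: disable and enable the adapter so NLA re-identifies it. Run this from the
# console or over another adapter, since the connection drops briefly.
Disable-NetAdapter -Name $alias -Confirm:$false
Enable-NetAdapter  -Name $alias
Start-Sleep -Seconds 20         # give NLA time to re-evaluate

$after = Get-NlaState | Where-Object { $_.Alias -eq $alias }
$after | Format-Table -AutoSize
if ($after.Category -ne 'DomainAuthenticated') {
    Write-Warning "$alias is still '$($after.Category)'; the firewall profile for that category applies."
}
```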

Move From Private to Public

Usually, just setting the gateway IP on one of the public connections is enough to get NLA to set the location properly. If that doesn’t work, there are more drastic steps available. However, this is usually an indication of an improper and possibly insecure network setup, as NLA is seeing something that shouldn’t be there. For example, your domain controller should never be accessible on the public LAN.

There are two common ways to force NLA to mark a connection as public. One is to use a firewall rule to block NLA so that it has no choice but to use the default location. The other is to use the registry to disable NLA on the connection.

Using the Firewall

I haven’t tested this but the theory seems sound.

  1. Open “Windows Firewall with Advanced Security”.
  2. Go to Outbound rules.
  3. Click on “New Rule…”.
  4. Use these settings:
    Rule Type: Custom
    Program: Select “All programs” and then click on “Customize…”. Select “Network Location Awareness” (short name is NlaSvc).
    Protocol and Ports: Protocol type = Any.
    Scope: Local IPs = Enter all your public IPs. Double-check for connections with multiple IPs.
    Action: Block
    Profile: All
  5. Once the rule is enabled, disable and then enable the network connection to get NLA to re-identify the location.

Using the Registry

I have not had this work for me but my circumstance may be different from yours. Finding the correct connection number is a bit hit or miss as there are a lot more entries than you would expect.

  1. Run regedit
  2. Go to HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
  3. Underneath you should see several keys labeled 0000, 0001, 0002 etc… Look through these and find the adapters where you want to disable NLA.
  4. For each of the adapters, add a new DWORD value named “*NdisDeviceType” and set it to 1 (make sure you get the * at the beginning of the name).
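
To take the guesswork out of step 3, the numbered subkeys can be listed next to their connection names. This is an added, read-only example, not part of the original article. It needs PowerShell 3.0 or later and reads the connection name from the Control\Network key, which is not mentioned in the steps above.

```powershell
# Added example, not from the original article. Read-only: lists each adapter subkey with
# its connection name so the right 000x key can be picked before adding *NdisDeviceType.
$guid  = '{4D36E972-E325-11CE-BFC1-08002BE10318}'
$class = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$guid"
$net   = "HKLM:\SYSTEM\CurrentControlSet\Control\Network\$guid"

Get-ChildItem -LiteralPath $class -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\d{4}$' } |
    ForEach-Object {
        # NetCfgInstanceId links the class subkey to the connection shown in the GUI.
        $instance = $_.GetValue('NetCfgInstanceId')
        $connName = $null
        if ($instance) {
            $c = Get-ItemProperty -LiteralPath "$net\$instance\Connection" -ErrorAction SilentlyContinue
            if ($c) { $connName = $c.Name }
        }
        [pscustomobject]@{
            Key            = $_.PSChildName
            Connection     = $connName
            DriverDesc     = $_.GetValue('DriverDesc')
            NdisDeviceType = $_.GetValue('*NdisDeviceType')   # empty when the value is absent
        }
    } |
    Sort-Object Key | Format-Table -AutoSize
```

Match the Connection column against the names shown in Network Connections to find the key for each adapter.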

Getting Drastic

The location profiles are housed in the registry and it seems harmless to delete them and let Windows rebuild them. You will definitely want to back up the registry first and you will likely need to be connected to the server via KVM rather than remote (RDP). I will not take any responsibility if you choose this step as I am primarily putting this here for reference.

The location of the profiles is:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

Windows Multipoint Server Issue SRCShell.exe (WMS 2011) WMSShell.exe (WMS 2012)

The problem:

MultiPoint boots up and “auto-logs-in” as the WMSShell user; however, the stations do not initiate a session and the blank default Windows desktop is viewable. It’s like it’s stuck in maintenance mode.

The fix:

As it turns out Multipoint server 2011 or 2012 autologs the local user WMSShell in and then autostarts the multipoint interface which is located at: C:\Program Files\Windows MultiPoint Server\SRCShell.exe. (WMS 2011) or C:\Program Files\Windows MultiPoint Server\WMSShell.exe (WMS2012)

The C:\Program Files\Windows MultiPoint Server\SRCShell.exe is the missing part. If you run the EXE (locally) it will start the familiar MultiPoint login screen.

ok fixed right.. no….not quite…

To make this work after a reboot, a little more work is needed. The problem is that C:\Program Files\Windows MultiPoint Server\SRCShell.exe is called from the WMSShell local user profile. To edit this, you must remote into the system as another user and log the WMSShell user off using Task Manager / Users / Logoff, then use regedit to open the NTUser.dat file for the WMSShell user’s profile, located at c:\users\WMSShell\NTUser.dat


  1. Open regedit.exe
  2. Make sure HKEY_LOCAL_MACHINE is selected on the left panel
  3. Click File -> Load Hive in the main menu
  4. Open the ntuser.dat file in the common dialog
  5. Specify some temporary name, like USER1
  6. There should be a string key named Shell with the path to the SRCShell.exe; however, it disappeared on mine, hence the problem, so add a new String Key to HKEY_LOCAL_MACHINE\USER1\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ called Shell with the path to C:\Program Files\Windows MultiPoint Server\WMSShell.exe
  7. Make sure HKEY_LOCAL_MACHINE\USER1 is selected on the left panel and then unload hive from main menu
  8. reboot.
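
The hive steps above can also be done from an elevated PowerShell prompt. This is an added example, not part of the original post. Because this Shell value decides what runs when WMSShell logs on, the script shows what it currently points to and checks the target binary before writing the path. The path used is the WMS 2012 one given above.

```powershell
# Added example, not from the original post. Run elevated, with the WMSShell user logged off.
$hive     = 'C:\Users\WMSShell\NTUser.dat'
$mount    = 'HKLM\USER1'        # temporary name, as in step 5
$winlogon = "$mount\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$expected = 'C:\Program Files\Windows MultiPoint Server\WMSShell.exe'   # SRCShell.exe on WMS 2011

# Refuse to point the shell at a file that is not there; report its signature status.
if (-not (Test-Path -LiteralPath $expected)) { throw "Shell binary not found: $expected" }
$sig = Get-AuthenticodeSignature -FilePath $expected
if ($sig.Status -ne 'Valid') { Write-Warning "Signature status of $expected is $($sig.Status)" }

& reg.exe load $mount $hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load $hive (is WMSShell still logged on?)" }
try {
    # reg.exe does the read and write so no PowerShell registry handle keeps the hive open.
    $current = $null
    $out = & reg.exe query $winlogon /v Shell 2>$null
    foreach ($line in $out) {
        if ($line -match '^\s+Shell\s+REG_\w+\s+(.+)$') { $current = $Matches[1].Trim() }
    }
    "Shell value found in hive: $current"

    if ($current -ne $expected) {
        & reg.exe add $winlogon /v Shell /t REG_SZ /d $expected /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Writing the Shell value failed' }
        "Shell value set to: $expected"
    }
}
finally {
    # Step 7: always unload the hive, even if something above failed.
    & reg.exe unload $mount | Out-Null
}
```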


If anyone knows the reason why this disappears let me know!!!!