Articles on: Technical Support

TruGrid SecureRDP - Windows Toolkit

In this article



Summary


The TruGrid SecureRDP Toolkit is a single-executable Windows application that collects diagnostic information about your TruGrid SecureRDP deployment and applies common fixes for known issues. It is intended for IT administrators, MSP technicians, and end users troubleshooting TruGrid SecureRDP.


The Toolkit produces HTML reports you can review on screen and attach to support tickets. It does not transmit data automatically. Everything stays on the machine where you run it until you choose to send a report to support.


Use the Toolkit when:


  • A user is experiencing intermittent RDP disconnects
  • A user cannot connect to their assigned desktop at all
  • The TruGrid Connector fails to install
  • An RDP file launch produces an "Unverified Publisher" warning
  • You need a structured snapshot of TruGrid Sentry, Secure Connect, or Connector logs to share with support
  • You want to monitor the quality of the RDP connection
  • UDP transport is not working and you need to diagnose why


Requirements


For a Mac OS version of the Toolkit, see this article: TruGrid SecureRDP - Mac Toolkit


  • Windows 10, Windows 11, or Windows Server 2016 through 2025
  • Approximately 80 MB of free disk space
  • Administrator rights for some remediations (the Toolkit will prompt for elevation via UAC when needed)
  • TruGrid subscription


The Toolkit is self-contained. It does not require .NET Framework, a specific PowerShell version, or any other prerequisites.


How to get the Toolkit


You can get the Toolkit from this download link.


Toolkit updates


As of version 1.14.3, the Toolkit will check and notify you that there is an update available. You can simply use the link in order to get the latest version:


he new version downloads, you can delete the old one and keep on using the new.


RDP Session Quality


Note: The RDP Session Quality panel is an evolving feature. Incoming session metrics rely on Windows RemoteFX performance counters, which can under-report frame rate when the remote host screen is static. Treat the readings as directional indicators rather than absolute measurements, and use Capture Reports together with the Network Monitor and Trace Route diagnostics for fuller picture.


The RDP Session Quality panel shows live performance metrics for active RDP sessions involving this machine. The Tracking dropdown lists every incoming and outgoing session, and selecting one displays its current state in real time.


For incoming sessions (this machine as host), the panel reads local RemoteFX Graphics and RemoteFX Network performance counters and surfaces frame rate (in/out), round-trip time, bandwidth, and frame drop percentage. A status bulb summarizes overall quality: green for healthy, amber for degraded, red for poor.


For outgoing sessions (this machine as client), the panel measures ICMP round-trip time to the destination. Frame rate and bandwidth aren't measurable client-side; the data lives in the destination host's counters, not here. Sessions tunneled through the TruGrid relay show as info-only since pinging a loopback target wouldn't reflect the actual end-to-end path.


Incoming sessions (RemoteFX counter-based):

State

Thresholds

Grey - Warming

First ~30s while the rolling buffer fills

Green - Healthy

drop % ≤ 10% AND P95 RTT ≤ 50ms AND FPS ratio ≥ 0.9

Amber - Degraded

drop % ≤ 30% AND P95 RTT ≤ 150ms AND FPS ratio ≥ 0.7

Red - Poor

Anything worse than amber

FPS ratio = output FPS / input FPS. P95 RTT = the value the worst 5% of probes in the rolling buffer experienced.


Outgoing sessions (ICMP-based):

State

Thresholds

Grey - Info only

Loopback destination (TruGrid relay), or destination not responding to ICMP

Green - Healthy

RTT ≤ 50ms

Amber - Degraded

RTT ≤ 150ms

Red - Poor

RTT > 150ms

Rolling buffer is 60 seconds (30 samples at 2-second interval). Verdict re-evaluates each tick once the buffer has at least 10 samples.


When to use it

Use this when you want to confirm whether a "session feels slow" complaint is network, server, or client side, with measurable evidence. The panel runs continuously while the toolkit is open. Click Capture Report to record a window (60 seconds, 5 minutes, or custom) and produce an HTML report for sharing with support.



UDP Transport check and enable


The UDP Transport check verifies that RDP UDP transport (3389/UDP) can be used between this machine and the other end of a session. RDP UDP transport delivers significantly better performance than TCP-only for graphics-heavy workloads, but it's silently blocked by several common configuration mistakes. The toolkit checks all known blockers and offers a one-click fix.


When to use it


  • A session feels noticeably worse than it should on a healthy network, and you suspect UDP transport isn't being negotiated.
  • After a Group Policy refresh or new image deployment, to confirm UDP isn't disabled by accident.
  • Before reporting a performance problem to support, to rule out the most common preventable cause.
  • As a baseline check on any new host or client in a TruGrid deployment.


What it checks


The UDP Transport indicator in the Component Status panel reflects the current state of four registry and firewall conditions:

Setting

Where

Blocking value

fClientDisableUDP (machine policy)

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client

1

fClientDisableUDP (user setting)

HKCU\SOFTWARE\Microsoft\Terminal Server Client

1

SelectTransport (host policy)

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

1 (TCP only)

Inbound firewall rule allowing UDP 3389

Windows Firewall

absent or disabled


If all four are clear, the indicator shows Ready. If any are blocking, it shows the specific issues and the Enable UDP Transport button becomes available in the Tools row.


What the Enable button does

Clicking Enable UDP Transport opens a confirmation dialog listing only the fixes that actually apply to this machine. Reviewing the list, accepting the prompt triggers an elevated PowerShell payload that:

  • Clears fClientDisableUDP from both HKLM and HKCU paths if set
  • Clears SelectTransport from the host policy path if set to TCP-only
  • Adds an inbound firewall rule named TruGrid UDP 3389 Allow if no UDP 3389 inbound rule already exists; re-enables an existing rule if one is present but disabled

Every change is logged to %TEMP%\TruGridToolkit\udp-policy-changes.log with a timestamp, before-and-after values, and the user account that triggered the change. The check re-runs immediately after the fixes apply and the indicator should flip to Ready.

Sessions already established won't get UDP applied retroactively; the next new session after the fix will negotiate UDP normally.


Running diagnostics


When you launch the Toolkit, it detects which TruGrid components are installed on the current machine and displays their status in the Component Status section. The Diagnostics section contains four read-only probes that gather information without changing the system.


All the reports will be saved to a newly created folder: %userprofile%\Desktop\TruGrid Reports\reports


Broker Reachability


Tests network reachability and configuration from a TruGrid Sentry or Secure Connect host. Run this diagnostic on the broker machine itself, not on a user workstation.

The probe verifies:

  • Reachability to TruGrid static endpoints (ws.trugrid.com plus telemetry endpoints), including TLS handshake and certificate chain validation
  • The latest relay IP found in the broker log, probed three ways: ICMP, TCP 443 with TLS handshake, and IP geolocation
  • WinHTTP proxy configuration on the host


The HTML report is saved to the Desktop with a filename starting with TruGridBrokerReachability_. Attach this report to a support ticket when reporting broker-side connectivity issues.


Host Event Check


The Host Event Check scans this machine's Windows event logs for recent RDP-related events that indicate session, authentication, or transport problems on the host side. It pulls from the standard Remote Desktop event channels (TerminalServices-LocalSessionManager/Operational, TerminalServices-RemoteConnectionManager/Operational, RemoteDesktopServices-RdpCoreTS/Operational) and surfaces the most relevant entries with their event IDs and timestamps.


When to use it


Run this when a user reports session failures, disconnections, or authentication errors and you want to see what the host actually logged about those attempts, without manually navigating Event Viewer's nested channels. It's faster than digging through Event Viewer and more focused than a full log export, since the diagnostic filters down to the events that typically explain RDP-side failures.


What it produces


An HTML report listing the recent matching events with their full descriptions, parameters, and source channel, ordered chronologically. The report links each event to its source log so you can pivot to Event Viewer for deeper context if needed.


Connector Reachability


Tests network reachability and configuration from a TruGrid Connector workstation. Run on the affected user's machine, signed in as the affected user. Do not run as Administrator. The Toolkit needs to read the user's own Connector logs to identify the latest relay IP.


The probe verifies the same static endpoints and latest relay IP as Broker Reachability, plus:

  • Winsock loopback sanity check, which detects LSP issues that can break the Connector's local RDP forwarding
  • A known-issue scan of recent Connector logs


The HTML report is saved to the Desktop with a filename starting with TruGridConnectorReachability_.


Network Monitor


Continuously probes internet reachability (Cloudflare 1.1.1.1, Google 8.8.8.8), the local gateway, the TruGrid front end, and the current TruGrid relay IP. Use this when a user is experiencing intermittent disconnects and you need to identify which layer is failing.


Click "Run Network Monitor" to start. Continue working normally. The Toolkit samples every two seconds in the background. When the user experiences a disconnect, return to the Toolkit and click "Stop Network Monitor & Show Report." The HTML report opens in your browser, with time-series charts showing exactly when each probed target failed and a correlation verdict explaining the likely cause (LAN issue, ISP issue, TruGrid-specific issue, etc.).


The monitor automatically stops after four hours, ten detected outage events, or when you click Stop, whichever comes first.


For more on the methodology, see How to troubleshoot user RDP disconnects.


Read Logs


Walks TruGrid Sentry, Secure Connect, and Connector logs from the last several hours and produces an HTML summary of warnings, errors, and notable events. Useful as a first-pass triage when you know something has gone wrong but the specific failure is not yet clear.


You can learn more about how to interpret and read these logs here: How to read TruGrid Sentry, SecureConnect, and Windows Connector logs


Cross-Reference Logs


A new diagnostic that loads TruGrid Sentry, Secure Connect, and Windows Connector logs across a chosen time window, correlates events across the three sources, and produces a single HTML report that connects what the user's Connector saw with what the server side reported.


Run Cross-Reference Logs when an incident is visible in more than one log source and you want to see it on a single timeline, or when you want a structured view of activity across all components without grepping multiple files by hand. It is also the right tool when a customer sends in their Connector log and you have a matching Sentry or Secure Connect log on hand from the same window.


Click Cross-Reference Logs in the Client / Connector row. The dialog auto-discovers logs from the native installation paths and from the Desktop\TruGrid Reports\imported-logs\ folder. To bring in logs from another machine, drop them into the imported-logs folder before opening the dialog, or use the Browse button to pick files from anywhere. Check the logs to include, choose a time window, and click Run. The report is written to Desktop\TruGrid Reports\reports\ and opens automatically.




The report is organized into three tabs. Cross-Reference shows auto-categorized patterns surfaced across components, an event distribution chart by hour of day, paired sessions, known-issue signatures, failure cascades, and reconnect storms. Host Errors lists WARN and ERROR events from Sentry and Secure Connect logs with event-type classification and a per-component breakdown. Client Errors covers the same for the Windows Connector log.


Detected patterns include client internet outages (definitive proof the user side lost upstream connectivity), authentication failures across multiple components, the known async disposal race in the relay tunnel client, sustained network instability versus single clean failures, and sessions that completed normally with no significant errors (useful for ruling the toolkit out of the picture). Each pattern card includes a suggested next step and an expandable list of the supporting log lines with copy-to-clipboard.


Trace Route


The Trace Route diagnostic maps the network path from this machine to the TruGrid Frontend (ws.trugrid.com) and the most recent TruGrid Relay, then measures per-hop latency, jitter, and packet loss across a 30-second probe window. Each hop's results are color-coded by loss: green under 5%, amber 5-20%, red above 20%.



When to use it


Run this when sessions feel slow or unstable and you've already confirmed local connectivity is fine, or when you need evidence of where in the network path a problem is sitting. Trace Route also auto-fires on its own when Connector Reachability, Broker Reachability, or Network Monitor detect an outage, so you typically don't have to run it manually during an incident. Auto-fire is rate-limited to 5 runs with a 5-minute cooldown between fires.


What it produces


An HTML report covering both Frontend and Relay, with a hop discovery section (every router on the path with its IP, hostname when available, and a single-probe RTT) and an MTR-lite section (30 probes per hop showing sent/received counts, loss percentage, best/worst/average/last RTT, and jitter).


Tools


The Remediations section contains actions that change the state of the system. Each remediation requires a confirmation before it runs.


Trust TruGrid RDP Signing Cert


Adds the TruGrid signing certificate thumbprint to the Windows Trusted Publisher policy. This suppresses the "Unverified Publisher" warning introduced by the April 2026 Windows security update for RDP file launches.


When you click this button:

  • If the Toolkit is running as Administrator, the registry change is applied immediately and the button label changes to "TruGrid Signing Cert Trusted."
  • If the Toolkit is running as a regular user, Windows displays a User Account Control prompt. After you approve, the change is applied and the button updates.


To remove the trust at any time, click the "Remove" link next to the Trusted status.


This action is per-machine and persists across reboots. It only suppresses the warning for connections to TruGrid SecureRDP. Warnings for other RDP connections are unaffected.


For more on the underlying registry policy, see How to suppress the "Unverified Publisher" Security Warnings.


Fix Connector Install Issues


Cleans up the per-user ClickOnce cache and TruGrid Connector residue to resolve failed Connector installations. Use this when:

  • The Connector installer reports an error during the download or patching phase
  • The Connector has been uninstalled but cannot be reinstalled
  • The Connector launches but immediately closes or behaves erratically


The remediation runs as the logged-in user, not as Administrator, because ClickOnce stores are per-user. If the Toolkit is currently running with elevated privileges, the button is disabled with a tooltip explaining the requirement.


The remediation deletes:

  • The ClickOnce cache (%LOCALAPPDATA%\Apps\2.0), but only if no non-TruGrid ClickOnce applications are present
  • TruGrid Connector folders under %LOCALAPPDATA% and %APPDATA%
  • Two registry keys under HKCU\Software\Classes related to TruGrid file associations


Other ClickOnce applications on the machine are preserved.


For more, see Resolving issues with TruGrid Windows Connector Installation.




Sending reports to support



You can also contact support directly from any of the HTML reports as they will contain the Chat button.


The Contact Support button at the right of the Remediations section starts a guided workflow for sharing reports with TruGrid support.

  1. Click Contact Support. A dialog opens listing all reports in the Past Reports section, with checkboxes. The most recent of each report type is pre-selected.
  2. Adjust the selection if needed, then click "Prepare ZIP."
  3. The Toolkit packages your selected reports into a ZIP file in your temporary folder, then, it will take the zip file and attempt to attach it to an email to helpfiles@trugrid.com
  4. If no email client is present on the device, you can copy paste the files manually and email them to helpfiles@trugrid.com


No data is uploaded automatically. You control which reports are included and when they are sent.


What the Toolkit collects and what it sends


The Toolkit collects information local to the machine on which it runs:

  • Operating system version, PowerShell version, .NET Framework version
  • TruGrid component installation paths and service states
  • Network connectivity probe results (latency, certificate issuers)
  • Excerpts from TruGrid component logs (timestamps, log levels, message text)


For relay IPs found in your logs, the public IP address is sent to ip-api.com to look up the geographic location and Azure region. This is the only outbound network connection the Toolkit makes during a diagnostic run.


No customer data, no usernames or passwords, no contents of files outside the TruGrid component log directories, and no other personally identifiable information are collected. Sending reports to support is always manual. The Toolkit does not auto-upload, phone home, or transmit any report content without your explicit action.


Frequently asked questions


Do I need to install the Toolkit?

No. It is a single self-contained executable. Save it to your Desktop or any folder you choose and double-click to run.


Does the Toolkit require Administrator rights?

Most diagnostics run without Administrator rights. The Trust TruGrid RDP Signing Cert remediation requires elevation. The Toolkit will prompt for it via UAC.


Can I run the Toolkit on a server that does not have a TruGrid component installed?

Yes. The Toolkit displays which components are detected and disables diagnostics that do not apply. The Network Monitor can be run on any machine to test connectivity.


Will reports contain anything I would not want sent to support?

Reports contain hostname, user account name (the Windows account name, not credentials), OS version, network configuration excerpts, and TruGrid log excerpts. Review the HTML report on screen before attaching it to a support conversation if you have any concerns about included information.


How long does a diagnostic take?

Broker Reachability, Connector Reachability, and Read Logs typically complete in under 30 seconds. Network Monitor runs until you stop it, up to four hours.


My machine displayed "Windows protected your PC" when I tried to open the Toolkit. Is that safe to bypass?

For newly released signed software, SmartScreen warnings appear until the executable accrues reputation across many installs. Verify the file's digital signature in Properties > Digital Signatures and confirm the signer is TruGrid, then choose "More info" and "Run anyway."


Where are reports stored?

All reports are HTML files saved to your Desktop. The Toolkit's Past Reports section lists every report on your Desktop. You can also open the Reports folder from the Toolkit footer.


Can I delete old reports?

Yes. Reports are standalone HTML files. Delete them from your Desktop or from the toolkit using the X buttons. The Past Reports list refreshes automatically.



Contact

For help obtaining the Toolkit, reporting issues, or providing feedback, contact TruGrid support at help@trugrid.com or use the Chat with us option on this help center.

Updated on: 01/06/2026

Was this article helpful?

Share your feedback

Cancel

Thank you!