The easiest way to enable Remote Desktop (RD) on the Windows OS family is to use the GUI. To do this, open the “System” Control Panel item, go to the “Remote Settings” tab and enable the “Allow remote connections to this computer” option in the Remote Desktop section. However, this requires local access to the computer on which you want to enable RD. You can usually ask the user (who needs administrator privileges) or local technical support to do this. But what do you do if there is no one in the remote office who can enable Remote Desktop locally? By default, Remote Desktop is disabled in both desktop versions of Windows and in Windows Server.
If you want to enable Remote Desktop (RDP) on a remote host (server or computer) but do not have access to the local device console, we will show you how to do it using PowerShell. To do this, the WinRM service (Windows Remote Management) must be enabled on the remote computer. The WinRM service is enabled by default in all versions of Windows Server starting with Windows Server 2012 (however, WinRM is disabled by default in client operating systems such as Windows 10). Thus, to enable RD remotely via PowerShell, the remote computer must meet the following requirements:
- The WinRM service should be started;
- You must have administrator permissions on the remote device;
- Windows Firewall must be disabled or the rules that allow remote access through PowerShell Remoting should be enabled.
Enable Remote Desktop Remotely Using PowerShell
Suppose you want to remotely enable RDP on Windows Server 2012 R2/2016/2019. On your computer, open the PowerShell console and run the following command to connect to your server remotely:
Enter-PSSession -ComputerName server.domain.local -Credential domain\administrator
You have now established a remote session with the computer and can execute PowerShell commands on it. To enable Remote Desktop, you just need to change the registry parameter fDenyTSConnections from 1 to 0 on the remote machine. Run the command:
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
When RDP is enabled in this way (as opposed to the GUI method), the rule that allows remote RDP connections is not enabled in the Windows Firewall rules. To allow incoming RDP connections in Windows Firewall, run the command:
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
If for some reason this firewall rule is deleted, you can create it manually:
netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
If you need to enable secure RDP authentication (NLA – Network Level Authentication), run the command:
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 1
Now, from your computer, you can check that TCP port 3389 on the remote host has become available. Run the command:
Test-NetConnection 192.168.1.11 -CommonTCPPort rdp
There should be a result like this:
ComputerName : 192.168.1.11
RemoteAddress : 192.168.1.11
RemotePort : 3389
InterfaceAlias : Ethernet0
SourceAddress : 192.168.1.90
TcpTestSucceeded : True
This means that RDP on the remote host is enabled and you can establish a remote desktop connection using the mstsc client.
Note. By default, only members of the local Administrators group can connect remotely via RDP. To allow RDP connections for regular users, add them to the local Remote Desktop Users group.
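To review the result of the steps above on one or more hosts, the following added example (not part of the original article) reads back the same registry values, firewall group and local group over PowerShell Remoting. The function name Get-RdpExposure is hypothetical, and Get-LocalGroupMember is assumed to be available on the target (Windows PowerShell 5.1 or later).

```powershell
# Added example: audit the RDP settings changed by the procedure above.
# Assumptions: WinRM is reachable, the caller is an administrator on the target,
# and Get-LocalGroupMember exists there (Windows PowerShell 5.1+).
function Get-RdpExposure {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [pscredential]$Credential
    )
    $params = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }
    if ($Credential) { $params.Credential = $Credential }

    Invoke-Command @params -ScriptBlock {
        $ts  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
        $tcp = "$ts\WinStations\RDP-Tcp"

        # 0 = RDP connections allowed, 1 = denied
        $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
        # 1 = Network Level Authentication required
        $nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication

        # Inbound rules of the "Remote Desktop" group that are currently enabled
        $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })

        # Accounts outside Administrators that may log on over RDP
        $members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Name)

        [pscustomobject]@{
            RdpEnabled         = ($deny -eq 0)
            NlaRequired        = ($nla -eq 1)
            FirewallRulesOn    = $rules.Count
            RemoteDesktopUsers = $members -join ', '
            # RDP switched on while NLA is off is the combination to correct first
            NeedsAttention     = ($deny -eq 0 -and $nla -ne 1)
        }
    }
}

# Host name taken from the article's example; replace with your own targets.
Get-RdpExposure -ComputerName 'server.domain.local' | Format-List
```

Invoke-Command adds a PSComputerName property to each result, so the same call can be pointed at a list of servers and filtered on NeedsAttention.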
How to Enable Remote Desktop over WMI?
If you want to enable RDP on a remote computer where WinRM is disabled (for example, on a regular computer with Windows 10), you can use a WMI command from PowerShell.
To check if RDP access is enabled on the remote computer 192.168.1.90, run the command (see the value of the AllowTSConnections property):
Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace root\CIMV2\TerminalServices -Computer 192.168.1.90 -Authentication 6
To enable RDP and add a Windows Firewall exception rule, run the following command:
(Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace root\CIMV2\TerminalServices -Computer 192.168.1.90 -Authentication 6).SetAllowTSConnections(1,1)