How to Enable Remote Desktop (RDP) Remotely?

The most intuitive way to enable Remote Desktop on Windows is to use the GUI. To enable RDP on a local computer, open the “System” Control Panel item, go to the “Remote Settings” tab, and enable the Allow remote connections to this computer option in the Remote Desktop section. However, this requires local access to the computer on which you want to enable RDP. You can usually ask the user (local administrator permissions are required) or local technical support to do this. But what if no one in the remote branch office can enable Remote Desktop locally? By default, Remote Desktop is disabled on both desktop versions of Windows and Windows Server.


If you want to remotely enable Remote Desktop (RDP) on a remote host (server or computer), but you don’t have access to the local device console, we’ll show you how to do it using PowerShell.

Enable RDP Using Remote Registry Service

You can enable Remote Desktop on a remote computer using Registry Editor. This requires:

  • The remote computer must be accessible over the network;
  • You must know the credentials of an account with local administrator permissions on the remote computer;
  • The Remote Registry service must be running on the remote computer (you can enable it through the services.msc snap-in or GPO).


So, to enable the remote desktop via remote registry, follow these steps:

  1. Press the Win + R key combination and in the Run window type regedit.exe > OK;
  2. In the Registry Editor select File > Connect Network Registry;
  3. Specify the hostname or IP address of the remote computer. If the remote computer could not authorize you as the current user, you will be prompted to enter credentials;
  4. The registry of the remote computer will appear in the registry editor (only HKLM and HKEY_Users hives are accessible);
  5. Go to the following reg key on the remote computer: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server. Change the DWORD value of the fDenyTSConnections parameter from 1 to 0;
  6. If a firewall is enabled on the remote computer, you must enable the rule that allows remote desktop connections. You can enable it via GPO, via PowerShell Remoting (described in the next section of this guide), or using Psexec. In the latter case, the following commands are used:
    PsExec.exe \\server1 -u contoso\admin -p password cmd
    
    netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
    
    shutdown -f -r -t 0
  7. After rebooting, try to connect to the remote computer via RDP.

How to Enable RDP Remotely Using Psexec Tool?

You can use the PSExec command-line tool to enable Remote Desktop on a remote Windows device.

Download the PsExec toolkit from the Microsoft website and extract the PSTools.zip archive to a local folder. Open a command prompt and go to the PSTools directory:

CD c:\PS\PStools

In order to enable RDP on a remote computer in your domain using PSExec, run the command:

PsExec.exe /accepteula \\RemoteComputerNameorIP reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Then enable the rule to access RDP port in Windows Defender Firewall:

PsExec.exe /accepteula \\RemoteComputerNameorIP netsh firewall set service RemoteDesktop enable

If the remote computer is in a different domain or workgroup, you can provide a username with administrator permissions to connect to the remote computer:

PsExec.exe /accepteula \\remote_computer -u administrator reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f


Enable Remote Desktop Remotely Using PowerShell

To enable RDP remotely, you need to configure and run the WinRM service (Windows Remote Management) on the remote computer. The WinRM service is enabled by default in all versions of Windows Server starting with Windows Server 2012. However, WinRM is disabled by default in client operating systems such as Windows 10.

You can enable WinRM on domain-joined computers using GPO or locally using PowerShell. The easiest way to enable the WinRM service on Windows 10/11 and allow access via PowerShell Remoting is using the command:

Enable-PSRemoting

WinRM has been updated to receive requests.

WinRM service type changed successfully.

WinRM service started.


Next, you need to check if WinRM is enabled on the remote computer and connections via PSRemoting are allowed. Run the command:

Test-WsMan 192.168.31.102

If the WinRM service on the remote computer responds, you will receive this response:


If the service is disabled or access is blocked by Windows Defender Firewall, an error will appear:

Test-WsMan WSManFault: WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet.

Thus, to enable Remote Desktop remotely via PowerShell, the remote computer must meet the following requirements:

  1. The WinRM service should be started;
  2. You must have administrator permissions on the remote device;
  3. Windows Defender Firewall with Advanced Security must be disabled or the rules that allow remote access through PowerShell Remoting should be enabled.

Suppose you want to remotely enable RDP on Windows Server 2012 R2/2016/2019. Open the PowerShell console on your computer and run the following command to connect to your server remotely:

Enter-PSSession -ComputerName server.domain.local -Credential domain\administrator

Tip. The Enter-PSSession and Invoke-Command PowerShell cmdlets allow you to execute commands and run scripts on a remote computer through WinRM.

So, you have established a remote session with a computer and now you can execute PowerShell commands on it. To enable Remote Desktop, you just need to change the registry parameter fDenyTSConnections from 1 to 0 on the remote computer. Run the command:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0


When RDP is enabled in this way (as opposed to the GUI method), the rule that allows remote RDP connections is not enabled in the Windows Firewall rules. To allow incoming RDP connections in Windows Firewall, run the command:

Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

Hint. By default, TCP/3389 port is used for incoming Remote Desktop connections on Windows. You can change the default RDP port number through the registry using the PortNumber parameter in the reg key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp.

If for some reason this firewall rule is missing, you can create it manually using netsh:

netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow

or using PowerShell:

New-NetFirewallRule -DisplayName 'Allow RemoteDesktop' -Profile @('Domain', 'Private') -Direction Inbound -Action Allow -Protocol TCP -LocalPort @('3389')

If you want to restrict hosts or subnets that are allowed to connect to Remote Desktop, you can create a custom rule that allows Windows Firewall to solely accept incoming RDP connections from specific IP addresses, subnets, or IP ranges. In this case, instead of the previous command, you need to use the following one:

New-NetFirewallRule -DisplayName "Restrict_RDP_access" -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress 192.168.1.0/24,192.168.2.100 -Action Allow

If you need to enable secure RDP authentication (NLA – Network Level Authentication), run the command:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 1

Now you can check the availability of TCP port 3389 on the remote host from your computer. Run the command:

Test-NetConnection 192.168.1.11 -CommonTCPPort rdp

There should be a result like this:

ComputerName : 192.168.1.11

RemoteAddress : 192.168.1.11

RemotePort : 3389

InterfaceAlias : Ethernet0

SourceAddress : 192.168.1.90

TcpTestSucceeded : True


This means that RDP on the remote host is enabled and you can establish a remote desktop connection using mstsc.exe, RDCMan, or any alternative RDP client.

Hint. If you need to enable RDP on several remote computers at once, you can use the following PowerShell script:

$comps = "Server1", "Server2", "Server3", "Server4"

Invoke-Command -ComputerName $comps -ScriptBlock {Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0}

Invoke-Command -ComputerName $comps -ScriptBlock {Enable-NetFirewallRule -DisplayGroup "Remote Desktop"}
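
To confirm what the commands in this section actually left behind, the following added example (not part of the original article) reads back the same registry values and firewall rules on each host. Get-RdpState is a hypothetical function name, the host names are the placeholders from the script above, and the console is assumed to be elevated with WinRM reachable on the targets.

```powershell
# Added example (not from the original article). Get-RdpState is a hypothetical name.
function Get-RdpState {
    param([string[]]$ComputerName)   # omit to inspect the local machine

    $probe = {
        $ts   = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
        $tcp  = "$ts\WinStations\RDP-Tcp"
        $port = (Get-ItemProperty -Path $tcp).PortNumber

        # Enabled inbound allow rules on the RDP port, including manually
        # created ones that are not in the "Remote Desktop" display group.
        # Rules defined with a port range are not matched by this filter.
        $rules = @(Get-NetFirewallPortFilter -Protocol TCP |
            Where-Object { $_.LocalPort -eq $port } |
            ForEach-Object { $_ | Get-NetFirewallRule } |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })

        # Source addresses those rules accept; "Any" means no restriction.
        $scope = @($rules |
            ForEach-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } |
            Sort-Object -Unique)

        # Non-admin accounts that were granted RDP logon
        $members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Name })

        [pscustomobject]@{
            Host         = $env:COMPUTERNAME
            RdpEnabled   = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
            NlaRequired  = (Get-ItemProperty -Path $tcp).UserAuthentication -eq 1
            Port         = $port
            FirewallOpen = $rules.Count -gt 0
            AllowedFrom  = $scope -join ', '
            RdpUsers     = $members -join ', '
        }
    }

    if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe
    } else {
        & $probe
    }
}

# List hosts where RDP is on and either reachable from any address or without NLA.
$comps = "Server1", "Server2", "Server3", "Server4"
Get-RdpState -ComputerName $comps |
    Where-Object { $_.RdpEnabled -and ($_.AllowedFrom -match 'Any' -or -not $_.NlaRequired) } |
    Format-Table Host, Port, NlaRequired, AllowedFrom, RdpUsers
```

Hosts that appear in the table are candidates for the restricted firewall rule and the UserAuthentication setting shown earlier in this section.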

By default, only members of the local Administrators group can connect via RDP. To allow RDP connections for non-admin users, add them to the local Remote Desktop Users group.

You can add the desired users to the Remote Desktop Users group locally by using the Local Users and Groups MMC snap-in (LUSRMGR.MSC).


Or you can change the Remote Desktop Users group membership remotely using PowerShell Remoting inside an Enter-PSSession session. Use the following command to add the domain user ASmith to the local group:

net localgroup "remote desktop users" /add "contoso\asmith"

Alternatively, instead of the Enter-PSSession cmdlet, you can use another PS Remoting command Invoke-Command:

Invoke-Command -ScriptBlock {net localgroup "remote desktop users" /add "contoso\asmith"} -ComputerName Server1.contoso.com

How to Enable Remote Desktop over WMI?

If you want to enable RDP on a remote computer where WinRM is disabled (for example, on a regular computer with Windows 10), you can use the WMI PowerShell command.

Tip. To access the WMI namespace on the remote computer, TCP port 135 must be open, and the account must have WMI and DCOM access permissions.

To check if RDP access is enabled on the remote computer 192.168.1.90, run the command (see the value of the AllowTSConnections property):

Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace root\CIMV2\TerminalServices -Computer 192.168.1.90 -Authentication 6


To enable RDP and add a Windows Firewall exception rule, run the following command:

(Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace root\CIMV2\TerminalService
Cyril Kardashevsky

3 comments

  1. Thank you very much!
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 1
    I had to set the Value to 0 in order to be able to access rdesktop on a Windows 2016 server from an Ubuntu 18.04 LTS. Perfect help, thanks!

    1. You can leave the NLA enabled for RDP from Ubuntu desktop if you use xfreeRDP rather than rdesktop.
      Here is an example: xfreerdp /u:user /v:computername /size:1600x900
      If you use a desktop launcher you will need to check “run in terminal” because it wants to first time ask about certificate.
      If you also include the /p:password to the xfreeRDP command and is not the first time then you don’t have to check the “run in terminal”
      I personally don’t put my passwords in the launch command as it seems too vulnerable and so let the terminal window come up to prompt for password and the terminal stays in background until session is closed which is not a big deal for me.
