How to Enable Remote Desktop (RDP) Remotely?

The most intuitive way to enable Remote Desktop on Windows is to use a GUI. To enable RDP on a local computer, you need to open the “System” Control Panel item, go to the “Remote Settings” tab and enable the Allow remote connections to this computer option in the Remote Desktop section. However, this requires local access to the computer on which you want to enable RDP. You can usually ask the user for this (local administrator permissions required), or local technical support. However, what to do if no one in the remote branch office could enable the Remote Desktop locally? By default, Remote Desktop is disabled on both desktop versions of Windows and Windows Server.

enable rdp remotely

If you want to remotely enable Remote Desktop (RDP) on a remote host (server or computer), but you don’t have access to the local device console, we’ll show how to do it using PowerShell.

Enable RDP Using Remote Registry Service

You can enable Remote Desktop on a remote computer using Registry Editor. This requires:

  • The remote computer must be accessible over the network;
  • You must know the credentials of an account with local administrator permissions on the remote computer;
  • The Remote Registry service must be running on the remote computer (you can enable it through the services.msc snap-in or GPO).

powershell enable remote desktop

So, to enable the remote desktop via remote registry, follow these steps:

  1. Press the Win + R key combination and in the Run window type regedit.exe > Ok;
    remotely enable remote desktop
  2. In the Registry Editor select File > Connect Network Registry;
    enable remote desktop remotely
  3. Specify the hostname or IP address of the remote computer.If the remote computer could not authorize you as the current user, you will be prompted to enter credentials;
    powershell enable rdp
  4. The registry of the remote computer will appear in the registry editor (only HKLM and HKEY_Users hives are accessible);
    enable remote desktop powershell
  5. Go to the following reg key on the remote computer: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server. Change the DWORD value of the fDenyTSConnections parameter from 1 to 0;
    how to enable remote desktop remotely
  6. If a firewall is enabled on the remote computer, you must enable the rule that allows remote desktop connections. You can enable it via GPO, via PowerShell Remoting (described in the next section of this guide), or using Psexec. In the latter case, the following commands are used:
    PsExec.exe \\server1 -u contoso\admin -p password cmd
    
    netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
    
    shutdown –f –r –t 0
  7. After rebooting, try to connect to the remote computer via RDP.
READ ALSO  Change Default OU permissions in Active Directory

Enable Remote Desktop Remotely Using PowerShell

To enable RDP remotely, you need to configure and run the WinRM service (Windows Remote Management) on the remote computer. The WinRM service is enabled by default in all versions of Windows Server starting with Windows Server 2012. However, WinRM is disabled by default in client operating systems such as Windows 10. Thus, to enable Remote Desktop remotely via PowerShell, the remote computer must meet the following requirements:

  1. The WinRM service should be started;
  2. You must have administrator permissions on the remote device;
  3. Windows Defender Firewall with Advanced Security must be disabled or the rules that allow remote access through PowerShell Remoting should be enabled.

Suppose you want to remotely enable RDP on Windows Server 2012 R2/2016/ 2019. Open the PowerShell console on your computer and run the following command to connect to your server remotely:

Enter-PSSession -ComputerName server.domain.local -Credential domainadministrator

So, you have established a remote session with a computer and now you can execute PowerShell commands on it. To enable Remote Desktop, you just need to change registry parameter fDenyTSConnections from 1 to 0 on the remote computer. Run the command:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0

enable rdp powershell

When RDP is enabled in this way (as opposed to the GUI method), the rule that allows remote RDP connections is not enabled in the Windows Firewall rules. To allow incoming RDP connections in Windows Firewall, run the command:

Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

Hint. By default, TCP/3389 port is used for incoming Remote Desktop connections on Windows. You can change the default RDP port number through the registry using the PortNumber parameter in the reg key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp.

If for some reason this firewall rule is missing, you can create it manually:

netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow

If you want to restrict hosts or subnets that are allowed to connect to Remote Desktop, you can create a custom rule that allows Windows Firewall to solely accept incoming RDP connections from specific IP addresses, subnets, or IP ranges. In this case, instead of the previous command, you need to use the following one:

New-NetFirewallRule -DisplayName “Restrict_RDP_access" -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress 192.168.1.0/24,192.168.2.100 -Action Allow

If you need to enable secure RDP authentication (NLA – Network Level Authentication), run the command:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 1

Now you can check the availability of TCP port 3389 on the remote host from your computer. Run the command:

Test-NetConnection 192.168.1.11 -CommonTCPPort rdp

There should be a result like this:

ComputerName : 192.168.1.11

RemoteAddress : 192.168.1.11

RemotePort : 3389

InterfaceAlias : Ethernet0

SourceAddress : 192.168.1.90

TcpTestSucceeded : True

enable remote desktop windows 10 remotely

This means that RDP on the remote host is enabled and you can establish a remote desktop connection using mstsc.exe, RDCMan, or any alternative RDP client.

Hint. If you need to enable RDP on several remote computers at once, you can use the following PowerShell script:

$comps = “Server1”, “Server2”, “Server3”, “Server4”

Invoke-Command –Computername $comps –ScriptBlock {Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" –Value 0}

Invoke-Command –Computername $comps –ScriptBlock {Enable-NetFirewallRule -DisplayGroup "Remote Desktop"}

By default, only members of the local Administrators group can connect via the RDP remotely. To allow RDP connections for non-admin users, just add them to the local Remote Desktop Users group.

READ ALSO  Hyper-V: Nested Virtualization on Windows Server 2016

You can add the desired users to the Remote Desktop Users locally by using the Local Users and Groups MMC snap-in (LUSRMGR.MSC).

how to enable rdp remotely

Or you can change RD Users group membership remotely using the PowerShell Remoting inside the Enter-PSSession. Use the following command to add the domain user ASmith to the local group:

net localgroup "remote desktop users" /add "contoso\asmith”

Alternatively, instead of the Enter-PSSession cmdlet, you can use another PS Remoting command Invoke-Command:

Invoke-Command -Scriptblock {net localgroup "remote desktop users" /add "contoso\asmith”

} -Computer Server1.contoso.com

How to Enable Remote Desktop over WMI?

If you want to enable RDP on a remote computer where WInRM is disabled (for example, on a regular computer with Windows 10), you can use the WMI PowerShell command.

To check if RDP access is enabled on the remote computer 192.168.1.90, run the command (see the value of the AllowTSConnections property):

Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace root\CIMV2\TerminalServices -Computer 192.168.1.90 -Authentication 6

enable rdp remotely powershell

To enable RDP and add a Windows Firewall exception rule, run the following command:

(Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace root\CIMV2\TerminalService
Cyril Kardashevsky
READ ALSO  Configuring Live Migration in Hyper-V

3 comments

  1. Thank you very much!
    Set-ItemProperty -Path ‘HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp’ -name “UserAuthentication” -Value 1
    I had to set the Value to 0 in order to be able access rdesktop on a windows 2016 server from an ubuntu 18.04 LTS. Perfect help, thanks!

    1. You can leave the NLA enabled for RDP from Ubuntu desktop if you use xfreeRDP rather than rdesktop.
      Here is an example: xfreerdp /u:user /v:computername /size:1600×900
      If you use a desktop launcher you will need to check “run in terminal” because it wants to first time ask about certificate.
      If you also include the /p:password to the xfreeRDP command and is not the first time then you don’t have to check the “run in terminal”
      I personally don’t put my passwords in the launch command as it seems too vulnerable and so let the terminal window come up to prompt for password and the terminal stays in background until session is closed which is not a big deal for me.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.