The Remote Desktop Protocol (RDP) allows you to remotely connect to the desktop of a computer running Windows and work with it as if it were your local computer. By default, Remote Desktop access is disabled in Windows. In this article, we’ll show how to enable and configure RDP access on Windows 10/11 and Windows Server 2019/2022.
How to Enable and Use the Remote Desktop Connection on Windows 10 or 11?
The easiest way to enable Remote Desktop Connection in Windows is to use the Control Panel GUI.
Open the system properties in the Control Panel or run the SystemPropertiesRemote command.
Open the Remote Settings tab and enable the Allow remote connection to this computer option.
For security reasons, it is recommended to allow connections only for RDP clients with NLA support (Allow connections only from computers running Remote Desktop with Network Level Authentication).
Save the changes by clicking OK.
By default, only the members of the local Administrators group can remotely connect to a computer over RDP. If you want to allow RDP access for other users, click Select Users. To view the current members of the Remote Desktop Users group, run:
net localgroup "Remote Desktop Users"
Members in this group are granted the right to logon remotely.
To add a new user to the RDP access group, run the command below:
net localgroup "Remote Desktop Users" /add a.williams
In current builds of Windows 10 and Windows 11, the classic System Properties dialog for enabling RDP access is hidden, and Microsoft recommends using the new Settings panel:
- Open Settings -> System -> Remote Desktop;
- Switch Enable Remote Desktop to ON;
- Confirm enabling RDP on the computer.
You can enable RDP on Windows 11 using the modern Settings app. Go to System -> Remote Desktop -> Turn on the Remote Desktop using the toggle button.
Note that by default two options are enabled when you enable Remote Desktop:
- Keep my PC awake for connection when it is plugged in
- Make my PC discoverable on private networks to enable automatic connection from a remote device
Click Advanced settings. Here you can enable Network Level Authentication for your RDP connection (recommended).
If Windows Defender Firewall is enabled on a computer, make sure that it allows incoming RDP connections. By default, TCP port 3389 is used for RDP connections, and the latest Windows builds also use UDP 3389 (see the article about the case when a black screen appears instead of the desktop during an RDP connection).
Open the Control Panel and select Windows Defender Firewall. Open a list of default Windows Firewall rules by clicking the Allow an app or feature through Windows Firewall in the left column.
Make sure that the Remote Desktop rule is enabled for the Private profile (home or corporate network) and for the Public one (public networks) if needed.
If you want, you can set a limit (timeout) on the duration of RDP sessions using GPO.
Now you can remotely connect to this computer using an RDP client. Windows has a built-in RDP client – mstsc.exe. It keeps the history of RDP connections and supports copying files between local and remote computers via the RDP clipboard.
You can also use RDP connection managers, like RDCMan or mRemoteNG, as well as alternative clients.
To make it easier for the users, you can save your RDP connection password in Windows Credential Manager.
Enabling RDP on Windows Using PowerShell
You can quickly enable RDP access on Windows using a couple of PowerShell commands.
- Run PowerShell.exe as administrator;
- Enable RDP access through the registry using the Set-ItemProperty cmdlet:
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
In order to disable RDP, change the fDenyTSConnections value to 1.
- Allow RDP connections to the computer in Windows Defender Firewall. To do it, enable the following firewall rule:
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
- If you want to add a user to the local RDP access group, run this command:
Add-LocalGroupMember -Group "Remote Desktop Users" -Member a.williams
To make sure that the RDP port is open on the computer, use the Test-NetConnection cmdlet:
Test-NetConnection -ComputerName wksde133 -CommonTCPPort RDP
Enable Remote Desktop Connections on Windows Server 2022/2019
Unlike desktop Windows 10 (11) versions, Windows Server supports two concurrent RDP connections by default. These connections are used by administrators to manage the server.
RDP is enabled on Windows Server in the same way: using the SystemPropertiesRemote, Server Manager, or PowerShell commands described above.
You can use Windows Server as a terminal server. In this case, multiple users can simultaneously connect to their own desktops on the server. To do it, install and configure the Remote Desktop Session Host (RDSH) role on the server. To use it, you must purchase and activate special RDS licenses (CALs). Learn more about RDS licensing.
Also, you can use SSL/TLS certificates to secure your RDP connections.
How to Enable RDP via Group Policy (GPO) in an Active Directory Domain?
If you need to enable Remote Desktop on multiple computers at once, you can use Group Policy (GPO). We assume that all computers are joined to an Active Directory domain.
- Run the Group Policy Management console (gpmc.msc);
- Create a new Group Policy Object (or edit an existing one) and link it to a target OU containing computers or servers;
- Switch to the policy edit mode and go to the GPO section Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections;
- Find and enable the Allow Users to connect remotely by using Remote Desktop Services parameter;
- Update GPO settings on the clients;
- After applying the policy, you will be able to connect to all computers via RDP (the policy will be applied both to desktop clients running Windows 10/11 and Windows Server). If needed, you can target the RDP policy to specific computers using the WMI GPO filters;
- If Windows Defender Firewall is enabled on computers, you need to allow RDP traffic for the domain profile in the same GPO. To do it, activate the Windows Firewall: Allow inbound Remote Desktop Exceptions rule (located in Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile).
Enabling Remote Desktop (RDP) Remotely on Windows
Also, you can enable RDP remotely on any computer running Windows. To do it, you must have remote access to the computer (via PowerShell or WMI) and your account must be a member of the local Administrators group on the remote computer.
You can enable RDP remotely via the registry. To do it, the Remote Registry service must be enabled on the remote computer (it is disabled by default). To run the service:
- Open the service management console (services.msc);
- Select Connect to another computer and specify the name of the remote computer;
- Find the Remote Registry service in the list, change the startup type to Manual, and start the service.
The same can be done remotely from the command prompt using the built-in sc tool (it allows you to create, manage, and remove Windows services):
sc \\wksde133 config RemoteRegistry start= demand
sc \\wksde133 start RemoteRegistry
Then on the local computer:
- Run the Registry Editor (regedit.exe);
- Select Connect Network Registry in the File menu;
- Specify the name or IP address of the remote computer you want to enable RDP on;
- Go to the reg key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server;
- Find the fDenyTSConnections parameter (REG_DWORD). If you cannot find it, create it. Change its value to 0 to enable RDP.
Then the remote computer becomes accessible over RDP immediately without a restart.
But it is much faster to enable RDP in the registry of the remote computer via the command prompt:
REG ADD "\\wksde133\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
If PowerShell remoting is configured on a remote computer, you can run a remote command on it via Invoke-Command:
Invoke-Command -ComputerName wksde133 -ScriptBlock {Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0}
Also, you can connect to a remote computer and enable RDP via WMI:
$computername = "wksde133"
(Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace root\CIMV2\TerminalServices -Computer $computername -Authentication 6).SetAllowTSConnections(1,1)
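To check what the local PowerShell steps and the remote methods above actually left exposed, the following function reports whether RDP is on, whether NLA is enforced, which firewall profiles accept it, and who is in the Remote Desktop Users group. It is an added example, not part of the original article: `Get-RdpExposure` is a hypothetical name, and the `UserAuthentication` and `PortNumber` values and the `Policies` registry key it reads are not mentioned in the article. Remote targets are assumed to have PowerShell remoting configured.

```powershell
function Get-RdpExposure {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $check = {
        $ts  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
        $tcp = "$ts\WinStations\RDP-Tcp"
        $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

        # A value written by Group Policy (Policies key) overrides the local one,
        # so read it first and fall back to the local key.
        $read = {
            param($name, $localKey)
            $p = Get-ItemProperty -Path $pol -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $p) { $p.$name }
            else { (Get-ItemProperty -Path $localKey -Name $name).$name }
        }
        $deny = & $read 'fDenyTSConnections' $ts    # 0 = RDP enabled
        $nla  = & $read 'UserAuthentication' $tcp   # 1 = NLA required
        $port = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber

        # Enabled inbound rules of the "Remote Desktop" group and their profiles
        $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
        $profiles = ($rules.Profile | Sort-Object -Unique) -join ', '

        # Accounts allowed to log on over RDP besides local Administrators
        $members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' `
            -ErrorAction SilentlyContinue).Name

        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            RdpEnabled       = ($deny -eq 0)
            NlaRequired      = ($nla -eq 1)
            Port             = $port
            FirewallProfiles = $profiles
            OpenOnPublic     = ($profiles -match 'Public|Any')
            RemoteUsers      = $members -join ', '
        }
    }

    foreach ($name in $ComputerName) {
        if ($name -eq $env:COMPUTERNAME) { & $check }
        else { Invoke-Command -ComputerName $name -ScriptBlock $check }
    }
}

# Local computer by default; pass -ComputerName wksde133 for a remote one
Get-RdpExposure | Format-List
```

A result with `NlaRequired` false, or `OpenOnPublic` true on a machine that leaves the corporate network, is the first thing to correct.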