Enable/Disable RDP GPO From regedit
I'm trying to enable/disable the Group Policy Object "Allow users to connect remotely using Remote Desktop Services", found at the following path, by way of regedit and/or CLI: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\ I've tried changing the following two [2] registry keys: HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections When I change the values, no matter if I do a "gpupdate /force", or reboot, the GPO doesn't change. The value does always stay what I set it at, but the GPO isn't changing. I can manually go in and change the GPO and it does change the system/remote settings appropriately. I am joined to a Domain - this is to notify. I would think that if this was a Domain-related issue, I wouldn't be able to manually change the GPO, or the registry values change wouldn't ever save. My end goal here is to be able to disable RDP connections to the machine from CLI or a batch file. Can someone advise? This machine is running the following: Windows 10 v20H2 [Build 19042.844] Thanks.
remote-desktop-servicesComment
Comment · Show 1
Comment
5 |1600 characters needed characters left characters exceeded
▼
- Visible to all users
- Visible to the original poster & Microsoft
- Viewable by moderators
- Viewable by moderators and the original poster
- Advanced visibility
Attachments: Up to 10 attachments [including images] can be used with a maximum of 3.0 MiB each and 30.0 MiB total.
GraceHE-MSFT · Mar 15, 2021 at 02:17 AM
Hi,
We are looking forward to your reply and ready for help.
---If the suggestions above are helpful, please ACCEPT ANSWER. Really appreciate. This will also help others with similar issue to find this post quickly. ---
0 Votes 0 ·
GraceHE-MSFT answered • Mar 9, '21 | MikeKachar-5611 commented • Mar 9, '21
Hi,
Thank you for posting your query. Here are some suggestions.
type LOCAL SECURITY POLICY in the search box -> open local security policy -> local policies ->user rights assignments -> deny log on through Remote Desktop Service
![75831-microsoftteams-image.png][1]
---If the suggestions above are helpful, please ACCEPT ANSWER. Really appreciate. This will also help others with similar issue to find this post quickly. ---
[1]: /answers/storage/attachments/75831-microsoftteams-image.png
microsoftteams-image.png [116.5 KiB]
Comment
Comment · Show 1
Comment
5 |1600 characters needed characters left characters exceeded
▼
- Visible to all users
- Visible to the original poster & Microsoft
- Viewable by moderators
- Viewable by moderators and the original poster
- Advanced visibility
Attachments: Up to 10 attachments [including images] can be used with a maximum of 3.0 MiB each and 30.0 MiB total.
MikeKachar-5611 · Mar 09, 2021 at 08:16 PM
This option/setting is to configure what users and groups are prohibited from logging on as a Remote Desktop Services client.
You can see this info when you double-click on the policy, and then go to the "Explain" tab:
Deny log on through Remote Desktop Services
This security setting determines which users and groups are prohibited from logging on as a Remote Desktop Services client.
Default: None.
Important
This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2.
I'm looking to specifically know how to disable the ability to Enable/Disable Remote Desktop via regedit and/or CLI [so I can batch it out], and have it actually modify the Group Policy Object I listed in the original question: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow users to connect remotely using Remote Desktop Services
0 Votes 0 ·
GraceHE-MSFT answered • Mar 11, '21
Hi,
As your description and query, you are finding a way to enable/disable via REGEDIT. If so, here are some ideas for this.
type REGEDIT in the search box to start REGISTRY EDITOR.
navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server. Then on the right-side pane, double-click on the fSingleSessionPerUser.
![76559-image.png][1]Set the value data to 0 and click OK if you want to enable Remote Desktop. Set the value to 1 and click OK if you need to disable it.
![76653-image.png][2]
Enabling RDP through the registry will not configure the Windows Firewall with the appropriate ports to allow RDP connections.
Type the following in an administrative command prompt:
Netsh advfirewall firewall set rule group=”remote desktop” new enable=yes
---If the suggestions above are helpful, please ACCEPT ANSWER. Really appreciate. This will also help others with similar issue to find this post quickly. ---
[1]: /answers/storage/attachments/76559-image.png
[2]: /answers/storage/attachments/76653-image.png
image.png [175.7 KiB]
image.png [111.8 KiB]
Comment
Comment Show 0
Comment
5 |1600 characters needed characters left characters exceeded
▼
- Visible to all users
- Visible to the original poster & Microsoft
- Viewable by moderators
- Viewable by moderators and the original poster
- Advanced visibility
Attachments: Up to 10 attachments [including images] can be used with a maximum of 3.0 MiB each and 30.0 MiB total.
Change the listening port for Remote Desktop on your computer
- Article
- 12/23/2021
- 2 minutes to read
- 9 contributors
Is this page helpful?
Yes No
Any additional feedback?
Feedback will be sent to Microsoft: By pressing the submit button, your feedback will be used to improve Microsoft products and services. Privacy policy.
Submit
Thank you.
In this article
Applies to: Windows Server 2022, Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2008 R2
When you connect to a computer [either a Windows client or Windows Server] through the Remote Desktop client, the Remote Desktop feature on your computer "hears" the connection request through a defined listening port [3389 by default]. You can change that listening port on Windows computers by modifying the registry.
- Start the registry editor. [Type regedit in the Search box.]
- Navigate to the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
- Find PortNumber
- Click Edit > Modify, and then click Decimal.
- Type the new port number, and then click OK.
- Close the registry editor, and restart your computer.
The next time you connect to this computer by using the Remote Desktop connection, you must type the new port. If you're using a firewall, make sure to configure your firewall to permit connections to the new port number.
You can check the current port by running the following PowerShell command:
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber"For example:
PortNumber : 3389 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations PSChildName : RDP-Tcp PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\RegistryYou can also change the RDP port by running the following PowerShell command. In this command, we'll specify the new RDP port as 3390.
To add a new RDP Port to the registry:
$portvalue = 3390 Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value $portvalue New-NetFirewallRule -DisplayName 'RDPPORTLatest-TCP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol TCP -LocalPort $portvalue New-NetFirewallRule -DisplayName 'RDPPORTLatest-UDP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol UDP -LocalPort $portvalueRemotely Enable Remote Desktop on Windows 10
/ / Information Technology
We’ve all been there – we’ve finished at a customer’s site, and need to quickly remote in later on to finish/fix something. Trouble is, Windows doesn’t enable Remote Desktop Protocol by default. There are four steps needed toremotelyenable RDP connections in Windows 10. This guide relies on you being on the same LAN as the remote PC you wish to access – you may already have RDP’ed into another server on that LAN. You must also have Windows administrativeprivilegesfor the remote computer. These instructions work well in a domain environment. Note: If you have access to the computer, you can follow the standard procedure for enabling Remote Desktop. Is there a script to remotely enable remote desktop on Windows Server 2016? Previously we’ve covered how to turn on remote desktop protocol [RDP] using the GUI interface, but those methods don’t work in some scenarios where you do not have physical access to the computer on which you want to enable RDP. In this tutorial we’ll show you how to enable remote desktop remotely using Registry, PowerShell or Command Prompt. Method 1: Enable Remote Desktop Using Registry Tweak Once you are connected to the remote machine’s registry, navigate to the location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server. In the right pane, double-click the DWORD fDenyTSConnections and change its value from 1 to 0.How to Enable Remote Desktop with Registry, PowerShell or Command Prompt
September 19th, 2019 by Leave a reply »
Reboot your machine and remote desktop should now be accessible. If you need to disable remote desktop in future, just set the value of fDenyTSConnections to 1.
Method 2: Enable Remote Desktop Using PowerShell
Before getting started, you need to establish a session with the remote computer using PowerShell. Once connected, run the following PowerShell commands to enable remote desktop:
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
The first command will turn on remote desktop, while the second command will activate the firewall rules that allow remote desktop connections.
When you need to disable remote desktop later, run the following commands instead:
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 1
Disable-NetFirewallRule -DisplayGroup "Remote Desktop"
Method 3: Enable Remote Desktop Using Command Prompt
If you can open a remote Command Prompt window via SSH, PsExec or WinRS, run the following commands to enable remote desktop and configure Windows Firewall to allow remote desktop connections:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=yes
To disable remote desktop, execute the below commands:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=No
That’s all!
Related posts:
- 2 Ways to Enable Remote Assistance in Windows 10 / 8 / 7
- Tutorial: Run PowerShell Commands on Remote Computer
- Disable Command Prompt Using Group Policy or Registry Trick
- How to Create System Restore Points with Command Prompt or PowerShell
- Previous Post: How to Speed Up Windows 10 Menu Animations with Ease
- Next Post: Tutorial: Run PowerShell Commands on Remote Computer
Posted in Others, Tips & Tricks, Windows 10, Windows 7, Windows 8
Tags: enable remote desktop command line enable remote desktop powershell enable remote desktop registry remotely enable remote desktop windows 10
Steps
Part 1
Part 1 of 2:
Enabling Remote Desktop Remotely
-
1
Understand the risks. As always, be aware that editing the registry risks causing major problems. Make a backup before you begin, and do not make any unnecessary changes.
- Only follow this guide if you do not have physical access to the computer. If you do, use the standard user tools to enable remote desktop without editing the registry.
-
2
Open the Services Microsoft Management Console. Run services.msc from the Start menu search box.[1] X Research source Go to source You can also find the Services MMC through Control Panel → Administrative Tools → Services.
- You only need the MMC to start Remote Registry. If the remote computer is running Windows XP, this is probably already running.[2] X Research source Go to source Skip down to "connect to the remote registry."
-
3
Start the Remote Registry Service on the remote computer. In the Services MMC, right-click "Services [Local]" and select "Connect to another computer." Enter the name of your remote machine. Once connected, find the Remote Registry service in the MMC and start it, if it isn't already running.
-
4
Connect to the remote registry. Open regedit. Select File → Connect Network Registry.... Type the remote computer name under "Select Computer" and click Check Names.[3] X Research source Go to source
-
5
Find the Terminal Server key. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server.
-
6
Set fDenyTSConnections to 0. Look for the REG_WORD value named fDenyTSConnections in the Terminal Server details pane. Double click this to open the EDIT DWORD Value box. In this box, set the Value Data field to 0.[4] X Research source Go to source
-
7
Test Remote Desktop. Some systems give you immediate access, and some require you to restart the remote computer first. Attempt to connect to Remote Desktop to check. [If you left the MMC open, you can quickly start Remote Desktop from there.]
-
8
Reboot the remote computer if necessary. There are several ways to do this. The simplest is to open Command Prompt and enter shutdown /i. In the dialog box that opens, select "Restart" from the drop down menu, and enter the name of the remote computer.[5] X Research source Go to source Try accessing Remote Desktop again once the computer is done restarting.
Part 2
Part 2 of 2:
Troubleshooting
-
1
Confirm you have administrator access. You must have administrator privileges on the remote computer.
-
2
Bypass the firewall. If you are trying to access the remote computer from a different network, the firewall may be blocking you. There are two routes around this:
- If the firewall is blocking Remote Registry but not Remote Desktop, connect to a computer on the same network as the target computer, then use it to access the target computer.
- If the firewall is blocking Remote Desktop, download PSExec from Sysinternals. Use it to gain remote access to the remote computer's command line and make a Remote Desktop exception for the firewall.[6] X Research source Go to source [Enter netsh advfirewall firewall add rule? for instructions.[7] X Trustworthy Source Microsoft Support Technical support and product information from Microsoft. Go to source ]
26 Replies
· · ·
Mace
OP
Apr 22, 2011 at 11:58 UTC
Try this. I have had to do this sometimes.
//thebackroomtech.com/2007/05/18/how-to-enable-remote-desktop-on-a-windows-xp-machine-remotely/
0
· · ·
Mace
OP
Apr 22, 2011 at 12:01 UTC
If there is a user at the remote computer you can get connected using join.me and then enable it yourself.
0
· · ·
Serrano
OP
Apr 22, 2011 at 12:01 UTC
Use this script. Works wonders
//community.spiceworks.com/scripts/show/302-enable-or-disable-rdp-remote-desktop-on-remote-system-vbs
0
· · ·
Mace
OP
Apr 22, 2011 at 12:24 UTC
I think you have all ready been pointed the right way, there are script that will enable RDP on a system as long as you have remote registry access. It looks like a couple of people have pointed you to scripts all ready.
0
· · ·
Jalapeno
OP
Apr 22, 2011 at 12:30 UTC
trying the script but it says "make sure you type the right machine name" i have and doesn't work..tried IP, name and nothing
0
· · ·
Chipotle
OP
Apr 22, 2011 at 12:31 UTC
did you run the script from your PC at home or the server that you are RDPed into?
0
· · ·
Jalapeno
OP
Apr 22, 2011 at 12:54 UTC
Yea from remote location.
0
· · ·
Serrano
OP
Best Answer
Apr 22, 2011 at 13:08 UTC
From the onsite computer run Regedit.
In Regedit:
File-->Connect Network Registry
In the 'Select Computer' dialogue make sure that the 'Look In' location is correct[should be your domain if applicable]type in the computer name or IP that you want to connect to then click Ok.
Now expand:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
Once you've opened that key look for fDenyTSConnection
Set it to a value of 0