
How to enable RDP remotely with several different methods
Desktop administrators may need to enable remote access to a Windows desktop for an end user without physical access to the desktop. Learn how to approach this scenario.
Remote Desktop Protocol is helpful for users and IT alike because it provides access to desktops and resources, and IT is responsible for making sure these sessions function properly.
As a desktop administrator, you may not always have physical access to the computer to turn on RDP and connect to the desktop. You can take multiple approaches to address this issue depending on whether the RDP session is hosted from a desktop or a server.
With RDP, IT can deliver a complete workspace to any location in the world, while keeping data and the session host centralized. RDP is also the base on which Microsoft created its Azure Virtual Desktop and Windows 365 Cloud PC products.
This also means that, for RDP to work, you need a network connection to the host computer. The RDP host function has been in the Windows operating system since Windows NT 4.0. Microsoft has included the RDP client in every Windows version since Windows XP. This means you don't need to install anything extra to use RDP on a Windows host except when you want to turn a server into a remote desktop session host machine.
How to enable RDP if you have physical access to the desktop
Before using RDP, you must ensure the firewall is configured for RDP use. RDP uses port 3389 for communication, and that might be closed by default on your external firewall or Windows Firewall. For Windows, you can make a firewall rule using Group Policy Objects. The firewall GPO settings are in Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security (Figure 1).

Here, you can create an inbound rule for RDP by right-clicking and selecting New Rule. A predefined rule for RDP is called Remote Desktop.
After this, you can click Next > Finish, which automatically creates a rule to allow RDP communication through Windows Firewall.
After setting up the firewall, you can turn on RDP. You can do this in system settings by enabling Remote Desktop (Figure 2).

This does require you to have physical access to the machine, but of course, in many cases, you do not. Even so, there are still plenty of options.
How to use GPO to enable RDP remotely
In the same way that you set the firewall rules, you can use Group Policy Management to create a GPO that enables RDP access on the computers. This requires the computers to be domain-joined. To enable RDP with a GPO, navigate to Remote Desktop Services > Remote Desktop Session Host > Connections and enable the Allow users to connect remotely by using Remote Desktop Services option.
After setting this GPO, the remote computer needs to reboot or run a Group Policy update. You can script this with the gpupdate /force command.
How to use the remote registry to enable RDP
You can also enable RDP remotely with a remote registry. To do this, you need to change a setting in the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
Then, change the REG_DWORD value fDenyTSConnections to 0 (Figure 3).

You need to use a remote registry to do this from a remote computer. Remote registry is a service that runs on Windows computers. By default, this is running, but if the remote computer doesn't have remote registry enabled, you can also enable this remotely with remote services. Search for services.msc, and start the Services Management pane. Here, connect to a remote computer by right-clicking Services (Local) and selecting Connect to another computer.
When connected, look for the remote registry service, enable the service and ensure it's running (Figure 4).

Now that the remote registry is turned on, you can connect to the registry of the remote computer. To do this, open REGEDIT.exe, click File and select Connect Network Registry. Enter the name of the remote computer, and now, you can edit registry keys on a remote computer and enable RDP this way.
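The procedure above can be scripted so that the Remote Registry service is returned to the state it was found in once the value is set. This is an added example, not code from the original article; it assumes Windows PowerShell 5.1 (where Get-Service and Set-Service accept -ComputerName) and an account with administrative rights on the target, and the function name and host name are hypothetical.

```powershell
# Added example. Enable-RdpViaRemoteRegistry is a hypothetical helper name.
function Enable-RdpViaRemoteRegistry {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Record how the Remote Registry service was configured before touching it
    $svc       = Get-Service -ComputerName $ComputerName -Name RemoteRegistry -ErrorAction Stop
    $wasStatus = $svc.Status
    $wasStart  = $svc.StartType
    $wait      = [timespan]::FromSeconds(30)
    $base = $null; $key = $null
    try {
        if ($wasStart -eq 'Disabled') {
            Set-Service -ComputerName $ComputerName -Name RemoteRegistry -StartupType Manual -ErrorAction Stop
        }
        if ($wasStatus -ne 'Running') { $svc.Start(); $svc.WaitForStatus('Running', $wait) }

        # Same operation as Connect Network Registry in Regedit
        $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $ComputerName)
        $key  = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server', $true)
        if ($null -eq $key) { throw "Terminal Server key not found on $ComputerName" }

        $before = $key.GetValue('fDenyTSConnections')
        $key.SetValue('fDenyTSConnections', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $after  = $key.GetValue('fDenyTSConnections')

        # Return a record of the change for the ticket or change log
        [pscustomobject]@{
            ComputerName = $ComputerName; ValueBefore = $before; ValueAfter = $after
            ChangedBy = "$env:USERDOMAIN\$env:USERNAME"; ChangedAt = Get-Date
        }
    } finally {
        if ($key)  { $key.Close() }
        if ($base) { $base.Close() }
        # Put the service back the way it was found so the remote channel does not stay open
        $svc.Refresh()
        if ($wasStatus -ne 'Running' -and $svc.Status -eq 'Running') {
            $svc.Stop(); $svc.WaitForStatus('Stopped', $wait)
        }
        if ($wasStart -eq 'Disabled') {
            Set-Service -ComputerName $ComputerName -Name RemoteRegistry -StartupType Disabled
        }
    }
}

Enable-RdpViaRemoteRegistry -ComputerName 'PC-EXAMPLE-01'   # constructed host name
```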
How to use endpoint management to enable RDP
Another way to enable RDP is to use an endpoint manager, such as Microsoft Intune. A big plus for this platform is that the remote computer doesn't have to be on the same network or domain-joined. Most endpoint management platforms support PowerShell tasks. This means you can set the registry value with a PowerShell script. This script requires administrative privileges:
# Define the registry key path, value name and value data
$RegistryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$RegistryName = "fDenyTSConnections"
$RegistryValue = 0
try {
    # fDenyTSConnections is a value under the key, so read it with Get-ItemProperty;
    # Test-Path only checks keys and cannot see a value
    $Current = Get-ItemProperty -Path $RegistryPath -Name $RegistryName -ErrorAction SilentlyContinue
    if ($null -ne $Current) {
        Write-Host "Registry value found. Updating value..." -ForegroundColor Green
    } else {
        Write-Host "Registry value not found. Creating it and setting value..." -ForegroundColor Yellow
    }
    # Set the registry value; -ErrorAction Stop makes a failure reach the catch block
    Set-ItemProperty -Path $RegistryPath -Name $RegistryName -Value $RegistryValue -Type DWord -ErrorAction Stop
    Write-Host "Registry value updated successfully." -ForegroundColor Green
} catch {
    Write-Host "An error occurred: $_" -ForegroundColor Red
}
How to use local security groups to enable RDP
Enabling RDP on a remote computer does not mean that any user on the network can just sign in to the remote computer and take over the desktop or get a remote session. Only users authorized to connect to the machine can start an RDP session. These users can be found in the local security group named Remote Desktop Users (Figure 5).

It is possible to use Computer Management, just like Services Management, to connect to a remote computer. This way, you can add accounts to the Remote Desktop Users group.
Of course, local group management is also part of Group Policy Management. You can create a GPO to add a default set of users to the Remote Desktop Users local security group. The settings are located at Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups.
Make sure to create an update group action with an ADD action (Figure 6).

In this example, the user Chris is added to the local Remote Desktop Users group. Like the earlier changes to GPO, this requires a reboot or a gpupdate /force command on the remote computer.
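After any of the methods above has been applied, a read-only check on the target shows what was actually opened: the fDenyTSConnections value, the Remote Desktop firewall rules and the Remote Desktop Users membership. This is an added example, not code from the original article; it assumes an elevated Windows PowerShell session on an English-language system, and the policy registry path and the UserAuthentication (Network Level Authentication) and PortNumber values are standard Windows settings that the article does not cover.

```powershell
# Added example: read-only audit of the RDP settings this article changes.
# Run in an elevated session on the target, for example as an endpoint-management task.
function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-RdpExposure {
    $local  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'  # written by the GPO
    $tcp    = "$local\WinStations\RDP-Tcp"

    # A value delivered by Group Policy takes precedence over the locally set one
    $deny = Get-RegValue $policy 'fDenyTSConnections'; $source = 'GroupPolicy'
    if ($null -eq $deny) { $deny = Get-RegValue $local 'fDenyTSConnections'; $source = 'LocalRegistry' }
    # UserAuthentication = 1 means Network Level Authentication is required
    $nla = Get-RegValue $policy 'UserAuthentication'
    if ($null -eq $nla) { $nla = Get-RegValue $tcp 'UserAuthentication' }

    # Enabled inbound rules of the predefined group and the remote addresses they accept
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        ForEach-Object {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            }
        })

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        RdpEnabled         = ($deny -eq 0)
        SettingSource      = $source
        NlaRequired        = ($nla -eq 1)
        Port               = Get-RegValue $tcp 'PortNumber'
        FirewallRules      = $rules
        OpenToAnyAddress   = [bool]($rules | Where-Object { $_.RemoteAddress -match 'Any' })
        RemoteDesktopUsers = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Name)
    }
}

$state = Get-RdpExposure
$state | Format-List ComputerName, RdpEnabled, SettingSource, NlaRequired, Port, OpenToAnyAddress, RemoteDesktopUsers
$state.FirewallRules | Format-Table -AutoSize
if ($state.RdpEnabled -and -not $state.NlaRequired) { Write-Warning 'RDP is enabled without Network Level Authentication.' }
if ($state.RdpEnabled -and $state.OpenToAnyAddress) { Write-Warning 'A Remote Desktop firewall rule accepts any remote address.' }
```

Members of the local Administrators group can also sign in over RDP and are not listed in RemoteDesktopUsers.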
How to use Server Manager to enable RDP
The last way to enable RDP remotely is in a server environment. With Microsoft Server Manager, you can manage servers other than the local server. By clicking on Manage, you can add servers on your network that you also want to manage.
After adding a server, you can manage it and its roles with the Add Roles and Features function under the Manage tab. You can install the Remote Desktop Services role or install a completely RDS-based environment with connection brokers, gateways and licensing servers, all remotely from Server Manager.
Chris Twiest works as technology officer at RawWorks in the Netherlands, focusing on the future Workspace and Cloud technologies for the end user.