Remote Desktop is the preferred method for accessing Windows computers remotely in an interactive session. The feature is disabled by default and can be enabled in various ways. These include the Settings app, group policies, Windows Admin Center, and WMI using PowerShell.

As with previous versions, Windows 11 requires a PC to be running the Pro, Education, or Enterprise editions to function as a Remote Desktop host. In contrast, a Remote Desktop host can be accessed from all editions, including Home.

The license for Windows 11 allows only one incoming RDP connection. A locally logged-in user's desktop is locked as soon as a remote user connects to the system.

Windows Server, on the other hand, allows two simultaneous Remote Desktop sessions for administrative tasks, and they don't require Remote Desktop Services to be installed. The procedure to activate Remote Desktop there is essentially the same as for Windows 11.

Required permissions

By default, the Remote Desktop feature is disabled, so you have to activate it before you can access a computer. You need administrative permissions for this.

The same applies if you want to establish a Remote Desktop session from a client. Without admin rights on the target computer, access is denied. If you want standard users to benefit from this feature, you have to add them to the local Remote Desktop Users group.

Turn on remote desktop via the GUI

Since Windows 10 1709, you can allow Remote Desktop connections via the Settings app. This is also the preferred GUI method and the only one that shows up in the Windows 11 desktop search.

The respective option can be found under System > Remote Desktop. The app has the serious disadvantage that you cannot start it with elevated privileges using runas. Rather, you must first log into Windows as an admin to activate Remote Desktop.

Remote Desktop can only be activated in the Settings app if you are logged in as an admin on the computer


Instead of logging out and in again, you can use the old applet from the Control Panel for this task. To do this, enter sysdm.cpl on the command line or in the search bar. After elevating your permissions, Remote Desktop can be activated in the Remote tab.

The system applet from the control panel is still on board in Windows 11


There, you can also select the users you want to add to the Remote Desktop Users group. Theoretically, the Settings app also offers this option, but in practice, you still end up in the System Properties applet instead.

The Settings app opens the same dialog for adding users as the System Properties applet.


Both the Settings app and the Control Panel contain a checkbox to enable network-level authentication (NLA).

Activation via the Windows Admin Center

If you manage a PC using Windows Admin Center (WAC), you will be provided with an additional GUI option to activate Remote Desktop. Its advantage is that you can configure the feature remotely with WAC.

After connecting to the Windows 11 PC, go to the Settings page.

Activate Remote Desktop via the settings of a computer in the Windows Admin Center


There, you will find the link to Remote Desktop, where the corresponding dialog box offers the same settings as the other two GUI options.

Adding accounts to the Remote Desktop Users group is possible via the Local Users and Groups menu item in the left navigation pane.

Enabling Remote Desktop via PowerShell

PowerShell doesn't provide its own cmdlet to turn Remote Desktop on or off. Rather, you have to use WMI, which not only works locally, but also remotely via the ComputerName parameter.

To obtain the current status of Remote Desktop, retrieve the AllowTSConnections property:

Get-CimInstance -Namespace "root\cimv2\TerminalServices" -ClassName Win32_TerminalServiceSetting | Select-Object ServerName, AllowTSConnections

If the value of AllowTSConnections is 1, the Remote Desktop feature is active; with 0, it's inactive.

To change the status of Remote Desktop, invoke the SetAllowTSConnections method. The first parameter enables RDP connections if it has a value of 1, and 0 blocks them. The second parameter determines whether the firewall rules for Remote Desktop should be activated on the target computer.

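# Replace <Remote-PC> with the name of the target computer.
$rd = Get-CimInstance -Namespace "root/cimv2/TerminalServices" `
-ClassName "Win32_TerminalServiceSetting" -ComputerName "<Remote-PC>"

# 1 enables RDP connections; ModifyFirewallException=1 also activates the firewall rules.
$rd | Invoke-CimMethod -MethodName "SetAllowTSConnections" `
-Arguments @{AllowTSConnections=1;ModifyFirewallException=1}

Enable Remote Desktop via PowerShell and WMI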


A return value of 0 means that the operation was successful.
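
The check a practitioner would want after this call, as an added example that is not from the article: the function below (Set-RemoteDesktopWithNla, a hypothetical name) enables Remote Desktop on several computers, requires NLA on the default RDP-Tcp listener through the Win32_TSGeneralSetting WMI class, and re-reads both settings to report the resulting state. The host names are constructed, and the code assumes WinRM access and admin rights on the targets.

```powershell
# Added example, not from the article. Set-RemoteDesktopWithNla is a hypothetical name.
function Set-RemoteDesktopWithNla {
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )
    $ns = 'root/cimv2/TerminalServices'
    foreach ($computer in $ComputerName) {
        $session = $null
        try {
            $session = New-CimSession -ComputerName $computer -ErrorAction Stop

            # Enable RDP and its firewall rules (same method call as in the article).
            $ts = Get-CimInstance -CimSession $session -Namespace $ns `
                -ClassName Win32_TerminalServiceSetting -ErrorAction Stop
            $rdp = Invoke-CimMethod -CimSession $session -InputObject $ts `
                -MethodName SetAllowTSConnections -ErrorAction Stop `
                -Arguments @{ AllowTSConnections = [uint32]1; ModifyFirewallException = [uint32]1 }

            # Require network-level authentication on the default RDP listener.
            $listener = Get-CimInstance -CimSession $session -Namespace $ns `
                -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop
            $nla = Invoke-CimMethod -CimSession $session -InputObject $listener `
                -MethodName SetUserAuthenticationRequired -ErrorAction Stop `
                -Arguments @{ UserAuthenticationRequired = [uint32]1 }

            # Re-read both objects so the report shows the state actually in effect.
            $ts = Get-CimInstance -CimSession $session -Namespace $ns `
                -ClassName Win32_TerminalServiceSetting -ErrorAction Stop
            $listener = Get-CimInstance -CimSession $session -Namespace $ns `
                -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop
            [pscustomobject]@{
                ComputerName = $computer
                RdpEnabled   = ($ts.AllowTSConnections -eq 1)
                NlaRequired  = ($listener.UserAuthenticationRequired -eq 1)
                RdpReturn    = $rdp.ReturnValue
                NlaReturn    = $nla.ReturnValue
                Error        = $null
            }
        }
        catch {
            # Unreachable host or failed call: report it instead of stopping the loop.
            [pscustomobject]@{ ComputerName = $computer; Error = $_.Exception.Message }
        }
        finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    }
}

# Constructed host names; replace with real targets.
Set-RemoteDesktopWithNla -ComputerName 'PC-EXAMPLE-01', 'PC-EXAMPLE-02' | Format-List
```

A non-zero return value, or False in RdpEnabled or NlaRequired, means the change did not take effect on that computer.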

Enabling Remote Desktop via GPO

In centrally managed environments, the Remote Desktop feature is controlled using group policies.

The setting to enable Remote Desktop can be found in the GPO editor under Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections.

Group policy to enable remote desktop connections


It's called Allow users to connect remotely using Remote Desktop Services. Contrary to what its name suggests, this setting is also suitable for servers without installed RDS and for Windows 10 / 11.

The firewall rule for Remote Desktop must be explicitly activated by another setting, called Windows Defender Firewall: Allow inbound Remote Desktop exceptions. It is located under Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Defender Firewall > Domain Profile.

The firewall exception for Remote Desktop can also be created via group policy


Conclusion

Microsoft provides several methods to enable or disable the Remote Desktop feature on Windows 11 or Server 2022. Three of them are GUI-based, whereby the Settings app is a step backward compared to the old control panel.

WAC is the only one of the three GUI tools capable of managing the Remote Desktop setting on remote computers. PowerShell also has this capability when used in conjunction with WMI.


In managed environments, group policies are usually used for this task. You should not forget to enable the necessary firewall rule as an additional setting.


© 4sysops 2006 - 2022
