Group Policy enable Remote Desktop Firewall exception

Remote Desktop Exception in Firewall configured via GPO not taking effect


Question

    Hello,

    I am having issues getting Remote Desktop connections through the firewall on both my Windows 2008R2 servers as well as my Windows 7 clients. I have enabled Remote Desktop connections via a GPO. I have also gone into the Windows Firewall with Advanced Security GPO setting and created an Inbound Rule for Remote Desktop.

    I am not allowed to remotely login to either the clients or the servers after creating the GPO. If I login on the machine, I can go into the firewall settings and see that the GPO has been applied and there is a check mark next to Remote Desktop on the Inbound filters list.

    However, if I perform the same steps on the local firewall and allow the Remote Desktop Inbound exception, then it works fine.

    So my question is, why would the firewall exception being applied via a GPO not be good enough to enable Remote Desktop? Why do I still need to enable it on the local machine as well?

    Thanks,

    -John

    Thursday, January 10, 2013 9:46 PM

All replies


    Hello,

    Is your policy applied at all?
    Please use gpresult /h report.html to verify that.

    Please also have a look at this policy setting:

    Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Allow Remote Desktop Exception

    MVP Group Policy - Myths, insider information and troubleshooting on the subject of GPOs: Let's go, use GPO!

    Marked as answer by jdcox Friday, January 11, 2013 5:13 PM

    Thursday, January 10, 2013 9:52 PM


    Thanks Matthias, that seems to have fixed my issue.

    -John

    Friday, January 11, 2013 9:41 PM

Enable Remote Desktop via Group Policy

The biggest problem you could be potentially faced with, is actual permissions to modify any GPOs. I’m going to assume you have the permissions so we’ll just continue on with a bullet list that’s easy peasy for you to understand.

  • Open up Group Policy Management Console [GPMC].
  • Create a New Group Policy Object and name it Enable Remote Desktop.
  • Navigate to: Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Windows Firewall with Advanced Security -> Inbound Rules and Create a New Rule. Screenshot below.

  • Select Port in the New Inbound Rule Wizard.
  • Ensure TCP is selected and enter 3389 under Specific local ports.

  • Allow the Connection and only select Domain and Private Profiles.
  • Name this rule: Inbound Rule for RDP Port 3389

Now that we have added the local ports, we’ll need to enable the Remote Desktop Session Host policies.

  • Go to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections
  • Set Allow users to connect remotely by using Remote Desktop Services to Enabled.

  • Now we’re going to enable Network Level Authentication. This is highly recommended and has many security advantages. However, that’s out of the scope of this article so I won’t go in to the details now.
  • Go to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security
  • Set Require user authentication for remote connections by using Network Level Authentication to Enabled.

  • Last but certainly not least, we need to apply the newly created GPO to an Organizational Unit so it actually works.
  • Close out of GPMC. There aren’t any more settings to configure.


Problem

Rather than enabling on an ad-hoc basis, you want to turn on RDP for multiple machines via Group Policy.

What is Remote Desktop Group Policy

Almost all users who are interested in building secure connections between computers over the internet have probably heard of RDP or VPN. RDP stands for Remote Desktop Protocol. It is a network communications protocol developed by Microsoft that allows a user to connect to another computer.

With RDP, one can connect to any computer that runs Windows. With RDP, you can connect to the remote PC, view the same display and interact as if you are working on that machine locally.

Some instances where you may need to use RDP include:

  • When traveling or when on vacation and you need to access your work computer
  • When you can’t go to your office due to certain reasons and you still need to fulfill your daily tasks
  • When you are a system admin and you need to perform administrative duties on your PC such as computer troubleshooting, tune-up, ID protection setting, printer set-up, software installation, email setup, virus and spyware removal, among others.
  • When you need to give a demo and you need to access data from a private device
  • When you want to personalize your remote desktop experience, such as resolution, connection settings, screen settings, toolbar, start menu and icons, among others.

How to Enable Remote Desktop Remotely on Windows 10

The easiest way to enable Remote Desktop on the Windows operating system family is to use the Graphical User Interface [GUI]. To do this:

Open the “System” control panel, go to “Remote Setting” and enable the “Allow remote connection to this computer” option in the Remote Desktop section.

However, the above process requires local access to the computer on which you want to enable Remote Desktop.

By default, remote desktop is disabled in both desktop versions of Windows and in Windows Server.

How to Enable Remote Desktop Remotely Using PowerShell

Suppose you want to remotely enable RDP on Windows Server 2012 R2/2016/2019. Here is the procedure:

  1. On your computer, open the PowerShell console and run the following command to connect to your remote server:
     Enter-PSSession -ComputerName server.domain.local -Credential domain\administrator
  2. You now have a remote session with the computer and can execute PowerShell commands on it. To enable Remote Desktop, change the registry parameter fDenyTSConnections from 1 to 0 on the remote machine:
     Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
  3. When RDP is enabled this way [as opposed to the GUI method], the rule that allows remote RDP connections is not enabled in the Windows Firewall rules.
  4. To allow incoming RDP connections in Windows Firewall, run:
     Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
  5. If for some reason the firewall rule has been deleted, you can create it manually:
     netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
  6. If you need to require secure RDP authentication [NLA – Network Level Authentication], run:
     Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1
  7. Now, from your computer, check whether TCP port 3389 on the remote host has become available:
     Test-NetConnection 192.168.1.11 -CommonTCPPort RDP
  8. If successful, you should get results similar to what is shown below.


The above results mean RDP on the remote host is enabled and you can establish a remote desktop connection using the mstsc client.
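The numbered steps above, combined into one script as an added example (this is not code from the article): it assumes PowerShell remoting (WinRM) is already reachable on the target, that the supplied account is a local administrator there, and that the target runs Windows Server 2012 R2 or later so the NetSecurity cmdlets are present. The host name server.domain.local and the fallback rule name are placeholders. It performs the registry changes in one Invoke-Command rather than an interactive Enter-PSSession, requires NLA, enables the built-in "Remote Desktop" rule group, and only creates a replacement rule (limited to the Domain and Private profiles, as the GPO tutorial above recommends) when that group is missing.

```powershell
# Added example: enable Remote Desktop on a remote server over PowerShell
# remoting and verify the result. server.domain.local is a placeholder.
param(
    [Parameter(Mandatory)] [string] $ComputerName,   # e.g. server.domain.local (placeholder)
    [pscredential] $Credential = (Get-Credential)    # account with local admin rights on the target
)

$result = Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = "$tsKey\WinStations\RDP-Tcp"

    # Step 2: fDenyTSConnections = 0 allows Remote Desktop connections.
    Set-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 0 -Type DWord

    # Step 6: require Network Level Authentication before a session is created.
    Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord

    # Steps 3-5: the built-in "Remote Desktop" rule group is not enabled
    # automatically when RDP is turned on through the registry. Enable it, and
    # only fall back to creating a rule (Domain and Private profiles only) if
    # the group has been deleted.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    if ($rules) {
        $rules | Enable-NetFirewallRule
    } else {
        New-NetFirewallRule -DisplayName 'Allow Remote Desktop (TCP 3389)' `
            -Direction Inbound -Protocol TCP -LocalPort 3389 `
            -Profile Domain, Private -Action Allow | Out-Null
    }

    # Report the effective state so the caller can confirm the change.
    [pscustomobject]@{
        fDenyTSConnections = (Get-ItemProperty -Path $tsKey).fDenyTSConnections
        UserAuthentication = (Get-ItemProperty -Path $rdpTcp).UserAuthentication
        EnabledRdpRules    = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue).Count
    }
}

$result | Format-List

# Step 7: confirm TCP 3389 is reachable from this machine.
$probe = Test-NetConnection -ComputerName $ComputerName -CommonTCPPort RDP
if ($probe.TcpTestSucceeded) {
    "RDP on $ComputerName is reachable; connect with: mstsc /v:$ComputerName"
} else {
    "TCP 3389 on $ComputerName is still not reachable; check which firewall profile the target's network is in and whether a GPO-managed rule set overrides the local rules."
}
```

Save it as a .ps1 and run it as `.\Enable-Rdp.ps1 -ComputerName server.domain.local`. Because the firewall rule is limited to the Domain and Private profiles, a host whose active network is classified as Public will still refuse the connection; the final message points at that case.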

How to Enable/Disable Remote Desktop Using Group Policy

You can enable or disable remote desktop using group policy. To do so, perform the following steps:

  1. Search gpedit.msc in the Start menu. In the program list, click gpedit.msc as shown below;
  2. After Local Group Policy Editor opens, expand Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Connections.
  3. On the right-side panel, double-click Allow users to connect remotely using Remote Desktop Services. See below;
  4. Select Enabled and click Apply if you want to enable Remote Desktop. Select Disabled and click Apply if you need to disable it.

Now you will have enabled or disabled remote desktop using group policy.

Network Level Authentication NLA on the remote RDP server

Network Level Authentication is a method used to enhance RD Session Host server security by requiring that a user be authenticated to RD session Host Server before a session can be created.

If you want to restrict who can access your PC, you can choose to allow access only with Network Level Authentication [NLA]. NLA is an authentication tool used in RDP Server. When a user tries to establish a connection to a device that is NLA enabled, NLA will delegate the user’s credentials from the client-side Security Support Provider to the server for authentication, before creating a session.

The advantages of Network Level Authentication are:

  • It requires fewer remote computer resources initially.
  • It can provide better security by reducing the risk of denial of service attacks.

To configure Network Level Authentication for a connection, follow the steps below.

    1. On the RD Session Host Server, open Remote Desktop Session Host Configuration. To do so, click Start >> Administrative Tools >> Remote Desktop Services >> Remote Desktop Session Host Configuration.
    2. Under Connections, right-click the name of the connection and then click Properties.
    3. On the General tab, select the Allow the connection only from computers running Remote Desktop with Network Level Authentication checkbox.
    4. Click OK

Note, under step 3: if the “Allow connections only from computers running a remote desktop with network-level authentication” checkbox is not enabled, the “Require user authentication for remote connections by using network-level authentication” Group Policy setting has to be enabled and applied to the RD Session Host Server.

Remote Assistance Firewall Requirements

If you enable Configure Offer Remote Assistance setting, you should also enable firewall exceptions to allow Remote Assistance communications.

The firewall exceptions required to Offer [Unsolicited] Remote Assistance on Windows 10 are as follows. Enable the Remote Assistance exception for the domain profile; the exception must contain:

  • Port 135:TCP
  • %WINDIR%\System32\msra.exe
  • %WINDIR%\System32\raserver.exe
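The three exceptions listed above, created as local Windows Firewall rules with PowerShell, as an added example that is not from the article: it assumes an elevated PowerShell session on Windows 10 with the NetSecurity module, and the rule display names are my own. The rules are restricted to the Domain profile, matching the domain-profile exception described above; in a domain you would normally deliver the same thing through the GPO path covered in the next section rather than per machine.

```powershell
# Added example: create the Domain-profile firewall exceptions needed for
# Offer (Unsolicited) Remote Assistance: TCP 135 plus the two executables.
function Add-RemoteAssistanceFirewallRules {
    $rules = @(
        @{ DisplayName = 'Remote Assistance (DCOM-In, TCP 135)'
           Params      = @{ Protocol = 'TCP'; LocalPort = 135 } },
        @{ DisplayName = 'Remote Assistance (msra.exe)'
           Params      = @{ Program = "$env:WINDIR\System32\msra.exe" } },
        @{ DisplayName = 'Remote Assistance (raserver.exe)'
           Params      = @{ Program = "$env:WINDIR\System32\raserver.exe" } }
    )

    foreach ($r in $rules) {
        # Skip rules that already exist so the function is safe to re-run.
        if (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue) {
            "exists: $($r.DisplayName)"
            continue
        }
        $p = $r.Params   # splatting needs a plain variable, not a property expression
        New-NetFirewallRule -DisplayName $r.DisplayName -Direction Inbound `
            -Action Allow -Profile Domain -Enabled True @p | Out-Null
        "created: $($r.DisplayName)"
    }
}

Add-RemoteAssistanceFirewallRules

# Show what was created; Profile should read "Domain" for every rule.
Get-NetFirewallRule -DisplayName 'Remote Assistance (*' |
    Select-Object DisplayName, Enabled, Profile, Direction, Action
```

Keeping the program rules and the port rule separate mirrors the exception list exactly; if you later need to confirm which port or program a rule matches, pipe it to Get-NetFirewallPortFilter or Get-NetFirewallApplicationFilter.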

Let’s look at the steps to enable Remote Assistance using group policy

How to Enable Remote Assistance using Group Policy

To enable remote assistance using group policy:

  • Login to a Domain controller or member server installed with Group Policy Management console.
  • Launch the Group Policy Management console.
  • You can either edit an existing Group Policy object or create a new one using the Group Policy Management Tool.
  • Expand the Computer Configuration/Policies/Administrative Templates/System/Remote Assistance node.
  • Enable Configure Offer Remote Assistance setting.

Alright let’s do this step by step. I would recommend creating a new group policy to configure remote assistance. Do not edit the default policy because it is not the recommended method.

Before you apply this policy, test the policy on a separate OU and then plan your GPO deployment accordingly. Since I am configuring the policy in my lab, I am applying it on a domain level.

In the Group Policy Management console, right click your domain and click Create a GPO in this domain and link it here.

Create a Group Policy to Enable Remote Assistance

Specify a name to the group policy such as Enable Remote Assistance. Click OK.

Create a Group Policy to Enable Remote Assistance

Go to Computer Configuration/Policies/Administrative Templates/System/Remote Assistance node. Right click Configure Offer Remote Assistance setting and click Edit.

Edit Configure Offer Remote Assistance Policy

On the Configure Offer Remote Assistance window, click Enabled. This enables the policy.

You must permit remote control of the computer. So from the drop-down, select Allow helpers to remotely control the computer.

Next to helpers, click Show button.

Edit Configure Offer Remote Assistance Policy

You can enter the names of the helpers. Add each user or group one by one. While adding helper users or groups, use the following format.

  • \
  • \

Click OK.

Allow Helpers to remotely control the computers

Close the GPMC editor.

12 Replies

JonosaurusRex

Nov 8, 2020 at 02:48 UTC

GPO based RDP policies supersede your local ability to adjust RDP settings. Which is why they get greyed out.

There could be a number of reasons this is not working. I’d suspect

1] you haven’t created the firewall rule, or
2] you have NLA enabled

For the firewall rule - add an addition policy:

Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Windows Firewall with Advanced Security -> Inbound Rules

and Create a New Rule Add port TCP 3389 for ONLY your private or domain networks

2] For NLA:

Administrative Tools -> Remote Desktop Services -> Remote Desktop Session Host Configuration. Disable “Allow the connection only from computers running Remote Desktop with Network Level Authentication”

Try the firewall policy first; if you still have difficulty, then try disabling NLA.


Important note: be careful opening port 3389 via GP. Ensure it ONLY affects the sub group of devices you wish to have remote access to otherwise you cause a security risk.

Additional note: for RDS servers, installing the session host role opens up the necessary ports on the firewall automatically. Because no session host exists on PCs, and you’re using “Remote Desktop for Administration” mode this step isn’t applied

0

JRC

Nov 8, 2020 at 03:14 UTC

JonosaurusRex wrote:

For the firewall rule - add an addition policy:

Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Windows Firewall with Advanced Security -> Inbound Rules

and Create a New Rule Add port TCP 3389 for ONLY your private or domain networks

There is no need to open 3389 that way, there is a Firewall policy specifically for letting RDP through the firewall.

Computer Configuration > Administrative Templates > Network > Network Connections > Windows Defender Firewall > Domain Profile > Windows Firewall: Allow Remote Desktop Exception

That setting has been enabled, with no change.

I will try the NLA setting, though my gut says that won't make a difference. These policies are being applied, but they are just not turning RDP on.

0

JRC

Nov 8, 2020 at 03:27 UTC

I tried NLA both enabled and disabled. Still no dice. With it enabled/disabled the setting appears to be locked to on, but I cannot RDP in. The firewall has been set to allow connections on 3389, so that's not it either.

Just to make sure the firewall was not the issue here, I turned it off completely [locally, not via GPO] and tried to connect. Still could not connect.

Disable the NLA and Connection GPO policies, manually turn RDP on, and everything works just fine. Turn either or both on, and RDP no longer works.

EDIT: Correction, enabling RDP on the machine locally, then turning on the policies, and it continues to work. Turn off the policies, disable RDP locally and then turn the policies back on, and it does not work. So flipping that switch [locally, not via GPO] is doing something the policies are not, and I have no idea what that is.

EDIT 2: I can just leave the NLA policy enabled and set the allow connection policy as "Not configured" and the user can then turn on or off RDP and when on it works fine. But if it is off and I then enable the connection policy, the button flips in control panel, is greyed out, but the connection cannot be made [so RDP does not work]. If it was set to on, by the user, then enabling the policy does not change anything, RDP continues to work.

Edited Nov 8, 2020 at 04:09 UTC

0

JonosaurusRex

Nov 8, 2020 at 10:43 UTC

If you run gpresult /h To generate a report can you see your polices applying to the machine?

0

JRC

Nov 8, 2020 at 22:22 UTC

JonosaurusRex wrote:

If you run gpresult /h To generate a report can you see your polices applying to the machine?

Actually Windows 10 includes a much easier-to-use tool to see what policies are being applied, and where they are coming from. Start -> Run -> RSoP.msc [as administrator] is pretty great for this. I did use this to make sure the policies are being applied [they are]. I have also used gpresult to double-check the RSoP results. The correct policies are definitely being applied.

0

Deejerydoo Dec 1, 2020 at 07:21 UTC

I'm having the same issue. Did you manage to get anywhere with this, at all?

0

JRC

Dec 1, 2020 at 19:13 UTC

Deejerydoo wrote:

I'm having the same issue. Did you manage to get anywhere with this, at all?

I did not. I ended up disabling the GPO setting, enabling RDP on the workstation, then re-enabling the GPO setting to lock it in. This works in my setup, but that is mostly because I only have 5 machines to contend with.

0

Travis N

Jan 15, 2021 at 03:39 UTC

Sorry for bringing back an old topic, but I just came across this.

Here are the GPO settings I use that work with Windows 10 2004 & 20H2:

Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections: Allow users to connect remotely by using Remote Desktop Services: Enabled.

Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security: Require user authentication for remote connections by using Network Level Authentication: Enabled

Computer Configuration > Policies > Windows Firewall With Advanced Security > Inbound Rules > New Rule > I select the predefined "Remote Desktop" group and enable all 3 ports.

1

SBSBOX

Jan 28, 2021 at 05:07 UTC

I'm just going to throw my findings out here since the OP's question was never really answered. Yes all the above applies in regards to firewall rules but the OP asked about the "button" behavior and from what I can find you cannot control this via GPO, but you can via registry entry.

There are 2 registry entries that control this "slider button" from what I can tell, so you would need remote registry access enabled, push these registry settings via GPO or via powershell. Settings are Boolean [1 or 0]

When the client [Windows 10] Settings > System > Enable Remote Desktop is ON [button slider]

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server

fDenyTSConnections 0

updateRDStatus 0

When the client [Windows 10] Settings > System > Enable Remote Desktop is OFF [button slider]

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server

fDenyTSConnections 1

updateRDStatus 1

Hope this helps JRC's original question.

0
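Added example (an editor's note, not part of any reply in this thread): a PowerShell check that reads the values the replies above argue about, so the "switch says Off but the policy is applied" situation can be diagnosed from the machine's actual state rather than from the Settings slider. It assumes an elevated session on the Windows 10 client. The local values are the ones SBSBOX lists; the policy path under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services is where the two GPO settings Travis N names (the Connections and the NLA policy) are delivered, and is not mentioned anywhere in the thread itself.

```powershell
# Added example: gather the values that decide whether Remote Desktop is really
# enabled on this machine (local switch, GPO-delivered policy, service,
# listener and firewall), then flag the mismatches discussed in the thread.
function Get-RdpEffectiveState {
    $local  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $rdpTcp = "$local\WinStations\RDP-Tcp"

    # Return a named registry value, or $null when it is absent: an absent
    # policy value simply means the GPO setting is "Not configured".
    function Read-Value([string] $Path, [string] $Name) {
        try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    $listener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    $rules    = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        # Local switch state (what the Settings slider reflects; see SBSBOX's reply).
        Local_fDenyTSConnections  = Read-Value $local  'fDenyTSConnections'
        Local_updateRDStatus      = Read-Value $local  'updateRDStatus'
        Local_UserAuthentication  = Read-Value $rdpTcp 'UserAuthentication'
        # GPO-delivered values; $null means the policy is Not configured.
        Policy_fDenyTSConnections = Read-Value $policy 'fDenyTSConnections'
        Policy_UserAuthentication = Read-Value $policy 'UserAuthentication'
        # Service, listener and firewall: what actually makes a connection succeed.
        TermServiceStatus         = (Get-Service -Name TermService).Status
        ListeningOn3389           = [bool] $listener
        RdpRulesEnabled           = @($rules | Where-Object Enabled -eq 'True').Count
        RdpRulesTotal             = @($rules).Count
    }
}

$state = Get-RdpEffectiveState
$state | Format-List

# A policy value of 0 next to a local value of 1 is the mismatch the thread
# describes: gpresult /h and RSoP.msc show the GPO applied, yet the switch
# reads Off. Flag the combinations worth investigating.
if ($state.Policy_fDenyTSConnections -eq 0 -and -not $state.ListeningOn3389) {
    Write-Warning 'Policy allows RDP but nothing is listening on 3389; check TermService and the local fDenyTSConnections value.'
}
if ($state.ListeningOn3389 -and $state.RdpRulesEnabled -eq 0) {
    Write-Warning 'RDP is listening but no "Remote Desktop" firewall rule is enabled; inbound connections will be dropped.'
}
if ($state.Local_UserAuthentication -ne 1 -and $state.Policy_UserAuthentication -ne 1) {
    Write-Warning 'Network Level Authentication is not required; enable it before allowing RDP beyond the Domain profile.'
}
```

Run it once with the Connections policy set to Not configured and once with it Enabled; comparing the two outputs shows which of the local value, the listener, or the firewall rule is the part the GPO is not changing, which is the information the gpresult report alone does not give.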

JRC

Jan 28, 2021 at 21:52 UTC

Well, the issue wasn't so much the button, more that the client seemed to ignore the GPO setting in certain circumstances. I think this is a bug actually, but I don't know for sure and honestly did not have the time to dig deeper. I just set them all manually since I only have 5 clients, then enforced that setting via the GPO.

0

Justin8081 May 14, 2021 at 19:45 UTC

I can confirm this is a UI bug. While the screen slider says it's OFF, it is actually on and works properly. Travis's reply works properly in all my locations, but the slider just SAYS it's off...

0

AndyImtech

Jan 25, 2022 at 13:51 UTC

Travis N wrote:

Sorry for bringing back an old topic, but I just came across this.

Here's the GPO settings I use that works with Windows 10 2004 & 20H2:

Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections: Allow users to connect remotely by using Remote Desktop Services: Enabled.

Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security: Require user authentication for remote connections by using Network Level Authentication: Enabled

Computer Configuration > Policies > Windows Firewall With Advanced Security > Inbound Rules > New Rule > I select the predefined "Remote Desktop" group and enable all 3 ports.

Thanks Travis, I was also getting the switch set to 'Off' even when the policy was applied. It turned out I had to define the NLA one as well to get the switch turned 'On' and RDP then worked.

0


How to enable Remote Administration feature in Windows

Description

This document provides you with steps required to enable the Remote Administration feature using Desktop Central. You use this feature to control computers, within your network, remotely. For example, if you want to change the wallpaper on all the computers in your network, you will be able to do it remotely, from a central location after you enable this feature.

Note: You must have admin rights to enable and use the Remote Administration feature.
