Remote desktop connection PowerShell script

The most intuitive way to enable Remote Desktop on Windows is to use a GUI. To enable RDP on a local computer, you need to open the System Control Panel item, go to the Remote Settings tab and enable the Allow remote connections to this computeroption in the Remote Desktop section. However, this requires local access to the computer on which you want to enable RDP. You can usually ask the user for this (local administrator permissions required), or local technical support. However, what to do if no one in the remote branch office could enable the Remote Desktop locally? By default, Remote Desktop is disabled on both desktop versions of Windows and Windows Server.

If you want to remotely enable Remote Desktop (RDP) on a remote host (server or computer), but you dont have access to the local device console, well show how to do it using PowerShell.

Enable RDP Using Remote Registry Service

You can enable Remote Desktop on a remote computer using Registry Editor. This requires:

• The remote computer must be accessible over the network;
• You must know the credentials of an account with local administrator permissions on the remote computer;
• The Remote Registry service must be running on the remote computer (you can enable it through the services.msc snap-in or GPO).

So, to enable the remote desktop via remote registry, follow these steps:

1. Press the Win + R key combination and in the Run window type regedit.exe > Ok;
   
2. In the Registry Editor select File > Connect Network Registry;
   
3. Specify the hostname or IP address of the remote computer.If the remote computer could not authorize you as the current user, you will be prompted to enter credentials;
   
4. The registry of the remote computer will appear in the registry editor (only HKLM and HKEY_Users hives are accessible);
   
5. Go to the following reg key on the remote computer: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server. Change the DWORD value of the fDenyTSConnections parameter from 1 to 0;
   
6. If a firewall is enabled on the remote computer, you must enable the rule that allows remote desktop connections. You can enable it via GPO, via PowerShell Remoting (described in the next section of this guide), or using Psexec. In the latter case, the following commands are used:PsExec.exe \\server1 -u contoso\admin -p password cmd netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow shutdown f r t 0
7. After rebooting, try to connect to the remote computer via RDP.

Enable Remote Desktop Remotely Using PowerShell

To enable RDP remotely, you need to configure and run the WinRM service (Windows Remote Management) on the remote computer. The WinRM service is enabled by default in all versions of Windows Server starting with Windows Server 2012. However, WinRM is disabled by default in client operating systems such as Windows 10. Thus, to enable Remote Desktop remotely via PowerShell, the remote computer must meet the following requirements:

1. The WinRM service should be started;
2. You must have administrator permissions on the remote device;
3. Windows Defender Firewall with Advanced Security must be disabled or the rules that allow remote access through PowerShell Remoting should be enabled.

Suppose you want to remotely enable RDP on Windows Server 2012 R2/2016/ 2019. Open the PowerShell console on your computer and run the following command to connect to your server remotely:

So, you have established a remote session with a computer and now you can execute PowerShell commands on it. To enable Remote Desktop, you just need to change registry parameter fDenyTSConnections from 1 to 0 on the remote computer. Run the command:

When RDP is enabled in this way (as opposed to the GUI method), the rule that allows remote RDP connections is not enabled in the Windows Firewall rules. To allow incoming RDP connections in Windows Firewall, run the command:

Hint. By default, TCP/3389 port is used for incoming Remote Desktop connections on Windows. You can change the default RDP port number through the registry using the PortNumber parameter in the reg key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp.

If for some reason this firewall rule is missing, you can create it manually:

If you want to restrict hosts or subnets that are allowed to connect to Remote Desktop, you can create a custom rule that allows Windows Firewall to solely accept incoming RDP connections from specific IP addresses, subnets, or IP ranges. In this case, instead of the previous command, you need to use the following one:

If you need to enable secure RDP authentication (NLA Network Level Authentication), run the command:

Now you can check the availability of TCP port 3389 on the remote host from your computer. Run the command:

There should be a result like this:

ComputerName : 192.168.1.11

RemoteAddress : 192.168.1.11

RemotePort : 3389

InterfaceAlias : Ethernet0

SourceAddress : 192.168.1.90

TcpTestSucceeded : True

This means that RDP on the remote host is enabled and you can establish a remote desktop connection using mstsc.exe, RDCMan, or any alternative RDP client.

Hint. If you need to enable RDP on several remote computers at once, you can use the following PowerShell script:

$comps = Server1, Server2, Server3, Server4 Invoke-Command Computername $comps ScriptBlock {Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" Value 0} Invoke-Command Computername $comps ScriptBlock {Enable-NetFirewallRule -DisplayGroup "Remote Desktop"}

By default, only members of the local Administrators group can connect via the RDP remotely. To allow RDP connections for non-admin users, just add them to the local Remote Desktop Users group.

You can add the desired users to the Remote Desktop Users locally by using the Local Users and Groups MMC snap-in (LUSRMGR.MSC).

Or you can change RD Users group membership remotely using the PowerShell Remoting inside the Enter-PSSession. Use the following command to add the domain user ASmith to the local group:

Alternatively, instead of the Enter-PSSession cmdlet, you can use another PS Remoting command Invoke-Command:

How to Enable Remote Desktop over WMI?

If you want to enable RDP on a remote computer where WInRM is disabled (for example, on a regular computer with Windows 10), you can use the WMI PowerShell command.

To check if RDP access is enabled on the remote computer 192.168.1.90, run the command (see the value of the AllowTSConnections property):

To enable RDP and add a Windows Firewall exception rule, run the following command:

Related Post

• How to Check CPU Temperature in Windows?

  You need to monitor CPU temperatures in Windows to prevent your system from overheating and

• HTTP/HTTPS Requests via Invoke-WebRequest PowerShell Cmdlet

  The Invoke-WebRequest cmdlet allows you to send HTTP/HTTPS/FTP requests, receive and process responses, and return

• How to Reserve IP Address on Windows Server DHCP?

  DHCP reservation is the creation of a special entry on the DHCP server. Thanks to

• Active Directory

Enable/Disable MFA in Azure Active Directory

It used to be that username and password were the most secure way to authenticate

• Operating System
• Windows

How to Delete COM Port In Use?

Every time you plug in a COM or USB device to your computer, Plug-n-Play service

• Active Directory

ADSI Edit: How to View and Change Active Directory Object Properties?

The ADSI Edit tool (Active Directory Service Interface Editor) is a special mmc snap-in. It

• Office 365

How to Disable Multi Factor Authentication (MFA) in Office 365?

Multi Factor Authentication (MFA) in Microsoft 365 (Office 365) is an authentication method that requires

• Miscellaneous

Configure NTP Time Sync Using Group Policy

The Windows Time service is the basis for the normal functioning of the Active Directory

• Active Directory

Active Directory Organizational Unit (OU): Ultimate Guide

Organizational Unit (OU) is a container in the Active Directory domain that can contain different