Every fresh install ships with Remote Desktop turned off, which means the first real task on any new box is to enable RDP (on Windows Server this takes all of 45 seconds through Server Manager). Local Server tab, click “Disabled” next to Remote Desktop, switch to “Allow remote connections,” OK, done.
Probably set this up on 200+ machines by now. OVH racks, random Dell Optiplexes shoved under someone’s desk pretending to be servers, forgotten Hyper-V guests. Doesn’t really matter what version you’re running. 2025, 2022, 2019, 2016, it’s all the same process.
What follows: GUI method, PowerShell method, CMD method. Then firewall stuff (which trips everybody up at least once), NLA, and security. The security section is long, I know. A client of mine got ransomwared through an open 3389 port back in 2021, spent the whole weekend rebuilding their file server from tape backups. So yeah, not cutting that part short.
| Detail | Info |
|---|---|
| Default RDP status | Disabled on all editions |
| Default port | TCP 3389 |
| Admin sessions without RDS | 2 concurrent |
| Registry key | HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections |
| Firewall rule group | Remote Desktop |
| Works on | Server 2025, 2022, 2019, 2016 (Standard, Datacenter, Essentials) |
Before You Enable RDP on Windows Server
Admin account required. Sounds obvious, right? Got a ticket from a junior tech once who couldn’t figure out why the Remote Desktop toggle was greyed out. Logged in with his regular domain user. That was the whole problem.
Second thing, and this matters way more: you need a backup way to reach the box. iDRAC, iLO, IPMI, one of those KVM-over-IP dongles, something. I messed up a firewall rule on a colocation server about three years ago and ended up driving 400 km because I had no other way in. Two-line fix. Eight-hour round trip. So yeah, make sure you’ve got a fallback.
Cloud VMs are a different situation. Azure, AWS, Hetzner, all of them give you console access through their web portal. Most of them enable RDP during provisioning anyway. This guide is mainly for bare-metal boxes, freshly installed VMs, or that one server where Remote Desktop mysteriously turned itself off (spoiler: it was probably a GPO).
Method 1: Enable RDP via Server Manager
Most direct way to enable RDP on Windows Server when you can see the desktop.
- Fire up Server Manager. It auto-launches after login on most installs. If yours doesn’t, hit Start, type ServerManager.
- Click Local Server in the left pane.
- Find “Remote Desktop” in the properties. Should say “Disabled.” Click it.
- System Properties pops open on the Remote tab. Pick “Allow remote connections to this computer.”
- That NLA checkbox underneath? Leave it on. It says something about “Network Level Authentication.” You want that. I’ll explain why later.
- OK. A warning about firewall rules appears. OK again. Windows creates the port 3389 rules on its own.
- F5 in Server Manager to refresh. Should now say “Enabled.”
Done. Whole thing took a minute, probably less.
Server Manager sometimes doesn’t refresh the status right away. I’ve stared at “Disabled” for a solid 30 seconds after already changing it. Just hit F5 or close the whole thing and reopen. The setting is applied, the UI just lags behind.
Shortcut that saves me a lot of waiting: Win+R, SystemPropertiesRemote, Enter. Jumps to the Remote tab instantly. On a VM with 2 GB of RAM, Server Manager can take 20+ seconds to even finish loading. This skips all of that.
Prefer to watch it happen? This 3-minute walkthrough from “Must be Noob” covers Server 2025 specifically, and the steps are identical on 2022/2019/2016:
Method 2: Windows Server Enable RDP via PowerShell
Faster than clicking around in Server Manager. And if you’re on Server Core, this is your only real option besides CMD.
Right-click PowerShell, run as admin:
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
That just flips the registry bit. The firewall is still blocking 3389 though, and this is exactly where most people get tripped up. You also need:
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
NLA too, turn it on now so you don’t forget later:
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1
Sanity check after all three commands:
Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections"
0 means it worked. If you see 1, a GPO is overriding you. I cover that fix further down.
Copy-Paste Script (All-in-One)
Drop this into Notepad, save as enable-rdp.ps1, right-click and “Run with PowerShell.” Does everything in one go:
# Windows Server Enable RDP - Complete Setup
# Run as Administrator
# 1. Enable Remote Desktop in registry
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
# 2. Force NLA on
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1
# 3. Open the firewall
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
# 4. Make sure the service is actually running
Set-Service -Name TermService -StartupType Automatic
Start-Service -Name TermService
# 5. Confirm everything worked
Write-Host "RDP Status:" (Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections").fDenyTSConnections
Write-Host "NLA Status:" (Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication").UserAuthentication
Write-Host "Service Status:" (Get-Service TermService).Status
Expected output: RDP Status 0, NLA Status 1, Service Status Running. If TermService is Stopped? That’s why your RDP doesn’t work even after enabling it. More on that in the troubleshooting section.
Side note: I’ve got these three commands saved in a .ps1 file on a USB stick that goes everywhere with me. Been carrying that thing since my MSP days when I was setting up 4 or 5 servers in a week. Old habits.
Method 3: Enable RDP on Windows Server via CMD
Some people just prefer CMD. Fair. Also, PowerShell on a fresh Server Core install sometimes sits there for 30+ seconds doing its .NET assembly compilation thing on first launch. CMD starts instantly.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Firewall:
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
Output should say “Updated 3 rules.” That’s Domain, Private, Public profiles, all three getting opened at once.
Enable RDP on Server Core (No GUI)
No desktop. No Start menu. No Server Manager. Just a blinking cursor. But you can still enable RDP on Windows Server Core through a text-based tool called SConfig.
Type SConfig, hit Enter. Numbered menu pops up. Pick 7 for Remote Desktop, then E to enable, then 1 for “more secure clients only” (that’s NLA). Confirm. Registry value is set.
But here’s where I wasted 20 minutes once. SConfig flips the registry key but it doesn’t always touch the firewall. I configured RDP through SConfig on a Server 2019 Core machine, closed my iLO session, opened mstsc, and… nothing. Couldn’t connect. Pinged it, fine. Telneted to 3389, refused. Turns out the firewall rules were still disabled.
So after running SConfig, go back to the command line (it’s option 15 on the menu) and type:
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
Won’t forget this step again. Cost me 20 minutes of debugging the first time.
Verify Firewall After You Enable RDP
Doesn’t matter how you chose to enable RDP on Windows Server. Verify the firewall separately. Got stung by this too many times.
PowerShell check:
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Format-Table Name, Enabled, Direction
Should be 3 rules, all Inbound, all Enabled = True. See a False? Run this:
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
Or do it through the GUI: Windows Defender Firewall with Advanced Security, Inbound Rules, find the Remote Desktop ones, right-click, Enable. Not complicated, just easy to skip.
And one more thing, because this got me on a client site last year. Windows Firewall only covers the OS itself. If there’s a Sophos box, a pfSense, a Cisco ASA, an AWS Security Group, or an Azure NSG sitting between your laptop and the server, 3389 has to be open there too. You can have perfect Windows Firewall rules and still get “connection timed out” because something upstream is blocking it.
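Here is an added verification script (not from the original post) that pulls the checks from the last few sections into one pass: the registry switch, NLA, the listener port, the service, whether anything is actually listening, the firewall rule group, and whether a policy key is forcing RDP back off. Run it in an elevated PowerShell on the server itself; the server name in the final comment is a placeholder.

```powershell
# Added example: check every piece RDP depends on and print PASS/FAIL per item.
# Run as Administrator on the server you just enabled.

$tsKey  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"
$checks = [ordered]@{}

# 1. Registry switch: 0 = connections allowed, 1 = denied
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
$checks['fDenyTSConnections = 0'] = ($deny -eq 0)

# 2. NLA: 1 = credentials checked through CredSSP before a session is built
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
$checks['NLA (UserAuthentication = 1)'] = ($nla -eq 1)

# 3. Listener port (3389 unless you changed it)
$port = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

# 4. Service state
$svc = Get-Service -Name TermService
$checks['TermService running'] = ($svc.Status -eq 'Running')

# 5. Is something actually listening on that port?
$listening = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
$checks["Listener on TCP $port"] = ($null -ne $listening)

# 6. Firewall: every inbound rule in the Remote Desktop group must be enabled.
#    Note: this group only covers 3389; a custom port needs its own rule.
$rules    = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound
$disabled = $rules | Where-Object { $_.Enabled -ne 'True' }
$checks['Remote Desktop firewall rules enabled'] = ($rules.Count -gt 0 -and -not $disabled)

# 7. Policy override: if this key exists with value 1, a GPO is winning and
#    the local setting will flip back on the next refresh.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$pol = Get-ItemProperty -Path $polKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
$checks['No GPO forcing RDP off'] = (-not $pol -or $pol.fDenyTSConnections -eq 0)

foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
    '{0,-40} {1}' -f $name, $state
}

# Everything above only proves the OS side. From your workstation, a TCP
# connect through whatever sits upstream is the real test (SERVER01 is a placeholder):
#   Test-NetConnection -ComputerName SERVER01 -Port $port | Select-Object ComputerName, TcpTestSucceeded
```

If the last check fails while everything else passes, stop editing the local settings; find the GPO with gpresult /r as described in the troubleshooting section, because the policy will undo your change every refresh.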
Grant RDP Access on Windows Server to Other Users
Only the Administrators group gets RDP access on a fresh install. Everyone else is blocked.
GUI way: System Properties > Remote tab > “Select Users” > Add > type username > Check Names > OK.
In PowerShell:
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "DOMAIN\jsmith"
In CMD:
net localgroup "Remote Desktop Users" /add "DOMAIN\jsmith"
One thing I feel strongly about: don’t share the built-in Administrator password between three people. It seems fine until someone deletes a critical DNS zone at 2am and you can’t tell from Event Viewer which admin did it because they all logged in as “Administrator.” Separate accounts fix that. Our Windows Server access guide goes deeper on this.
NLA: Required When You Enable RDP on Windows Server
Network Level Authentication makes the client prove its identity before the server bothers setting up an RDP session. Without NLA, any random scanner hitting port 3389 gets a full Windows login screen served to them. The server allocates memory, spins up a session, renders the UI. All before checking if the person has valid credentials.
With NLA turned on? Credentials go through CredSSP first, at the network layer. Fail the check and the server drops you instantly. No resources wasted. Brute-force attempts bounce off way faster this way.
Leave it on. I can’t think of a legitimate reason to disable it in 2026. Maybe if you somehow still have a Windows XP machine connecting, but at that point you’ve got bigger problems. Any time you enable RDP on a Windows Server box, NLA should come with it. Microsoft’s own docs say the same thing.
Want to verify NLA is on? Quick PowerShell one-liner:
Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication"
Returns 1? Good, NLA is active. Returns 0? Go fix it.
Secure Windows Server After You Enable RDP
Look, I get it. You wanted to enable RDP on Windows Server and move on to whatever you were actually doing. But exposed Remote Desktop is the number one way ransomware gets into servers. Browse r/sysadmin for five minutes and you’ll find someone who got hit this week. It’s that common.
Swap the port number. Bots and script kiddies scan 3389 around the clock. Pick a random high port, something like 47293, and change it in the registry: HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, PortNumber value. You’ll need to update your firewall rule for the new port too. We wrote a separate walkthrough on changing the RDP port with all the details.
Whitelist source IPs. Go into Windows Defender Firewall, find the Remote Desktop inbound rule, open it, Scope tab, add your office IP or VPN subnet under “Remote IP addresses.” Now only those addresses can even attempt to connect.
Or just use a VPN and keep RDP off the internet entirely. WireGuard, OpenVPN, IPsec tunnel, whatever your shop runs. VPN in, then RDP over the internal network. I do this on every production box I’m responsible for. Zero RDP ports facing the internet.
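The port change and the source-IP whitelist above, done in PowerShell instead of regedit and the firewall MMC, as an added example that is not part of the original post. The subnet, the single IP and the port number are placeholders; replace them with your office or VPN ranges. Run it as Administrator, and from iLO/iDRAC or a second session, because restarting the service drops the RDP session you are in.

```powershell
# Added example: scope the Remote Desktop firewall rules to an allowlist and,
# optionally, move the listener to a custom port with a matching, equally scoped rule.

$allowed = @('10.10.0.0/24', '203.0.113.10')   # placeholder: office subnet and VPN egress IP
$newPort = 47293                               # placeholder: custom RDP port
$rdpKey  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Scope the built-in rules so only the allowlist can reach the listener
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $allowed

# 2. Optional: move RDP off 3389. The Remote Desktop rule group still only
#    covers 3389, so the new port needs its own rule, scoped the same way.
$currentPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
if ($currentPort -ne $newPort) {
    Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $newPort
    $ruleName = "RDP custom port $newPort"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $newPort -Action Allow -RemoteAddress $allowed | Out-Null
    }
    # The listener only binds the new port after the service restarts
    # (this disconnects every current RDP session).
    Restart-Service -Name TermService -Force
}

# 3. Show the scope now in force on each Remote Desktop rule
foreach ($rule in Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound) {
    $scope = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    '{0}: {1}' -f $rule.DisplayName, $scope
}
```

The scoping in step 1 is the part that actually reduces exposure; the port move in step 2 only cuts down noise from scanners that never look past 3389. If you went the VPN route, set $allowed to the VPN subnet only and skip step 2.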
Password complexity + lockout. In Group Policy: Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy. Set minimum length to 12, turn complexity on. Under Account Lockout Policy, lock out after 5 bad attempts. Basic stuff but a shocking number of servers in the wild don’t have it configured.
Turn on login auditing. Same GPO area: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy > Logon/Logoff. Flip both success and failure to enabled. Go check your Security log after a week. Even servers on a private network usually have a surprising pile of failed logon entries.
Here’s what to look for in Event Viewer once auditing is on. These are the Event IDs you actually care about for RDP monitoring:
| Event ID | Log | Meaning |
|---|---|---|
| 4624 | Security | Successful logon. Filter for Logon Type 10 (RemoteInteractive) to see only RDP. |
| 4625 | Security | Failed logon. Watch for repeated attempts from the same IP. |
| 1149 | TerminalServices-RemoteConnectionManager/Operational | RDP network connection authenticated (user, source IP included). |
| 21 | TerminalServices-LocalSessionManager/Operational | Session logon succeeded. |
| 24 | TerminalServices-LocalSessionManager/Operational | Session disconnected. |
| 25 | TerminalServices-LocalSessionManager/Operational | Session reconnected. |
Quick PowerShell to see all successful RDP logons in the last 24 hours:
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624;StartTime=(Get-Date).AddDays(-1)} | Where-Object {$_.Properties[8].Value -eq 10} | Format-Table TimeCreated, @{N='User';E={$_.Properties[5].Value}}, @{N='SourceIP';E={$_.Properties[18].Value}}
Filter by Event ID 4625 instead of 4624 to see failed attempts. If you see more than a handful from unknown IPs, your RDP port is getting hammered by scanners.
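The 4625 side of that monitoring, as an added example (not from the original post): a function that groups failed logons by source address and flags anything over a threshold. The analysis takes event objects as input, so the block runs against a constructed sample here and against the live Security log on a real server; the sample addresses and user names are made up.

```powershell
# Added example: summarise failed logons (Event ID 4625) by source IP.

function Get-RdpFailureSummary {
    param(
        [Parameter(Mandatory)] $Events,   # objects with TimeCreated and Properties (Get-WinEvent shape)
        [int] $Threshold = 5              # attempts per source IP that count as "hammered"
    )
    # 4625 property layout: [5] TargetUserName, [10] LogonType, [19] IpAddress.
    # With NLA on, failed RDP attempts usually land as LogonType 3 (network)
    # rather than 10, because CredSSP rejects them before a RemoteInteractive
    # logon ever starts, so both types are included.
    $Events |
        Where-Object { $_.Properties[10].Value -in 3, 10 } |
        Group-Object { $_.Properties[19].Value } |
        ForEach-Object {
            [pscustomobject]@{
                SourceIP = $_.Name
                Attempts = $_.Count
                Users    = ($_.Group | ForEach-Object { $_.Properties[5].Value } | Sort-Object -Unique) -join ','
                Flagged  = ($_.Count -ge $Threshold)
            }
        } | Sort-Object Attempts -Descending
}

# Builds a fake 4625 with the same Properties indices as the real event (constructed data)
function New-Sample4625($user, $ip, $logonType) {
    $props = @(0..20 | ForEach-Object { [pscustomobject]@{ Value = $null } })
    $props[5].Value  = $user
    $props[10].Value = $logonType
    $props[19].Value = $ip
    [pscustomobject]@{ TimeCreated = Get-Date; Properties = $props }
}

# Constructed sample: one noisy external address, one typo from the office subnet
$sample = @(
    1..7 | ForEach-Object { New-Sample4625 'administrator' '198.51.100.23' 3 }
    New-Sample4625 'jsmith' '10.10.0.15' 10
)
Get-RdpFailureSummary -Events $sample | Format-Table -AutoSize

# On a real server, feed the live Security log for the last 24 hours instead:
# $live = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625; StartTime=(Get-Date).AddDays(-1)}
# Get-RdpFailureSummary -Events $live -Threshold 10 | Format-Table -AutoSize
```

With the sample input, 198.51.100.23 shows 7 attempts against "administrator" and is flagged, while 10.10.0.15 shows a single attempt and is not. Any flagged row from an address outside your allowlist means the port is reachable from somewhere it should not be; that is the moment to go back to the firewall scoping above.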
Enable RDP via Windows Admin Center (WAC)
Everyone skips this method. Nobody I know actually uses Windows Admin Center, but it’s free, browser-based, and handles RDP toggling without PowerShell or RDP-ing into the box first. Handy for environments where you’ve got WAC running on a jumpbox.
Download WAC from Microsoft’s site, install on your workstation or a dedicated management server. Opens in your browser at https://your-wac-host:443.
- Add the target server to WAC (Add > Servers > enter name or IP).
- Click the server name in the list.
- Scroll the left panel to Settings.
- Click Remote Desktop.
- Toggle “Allow remote connections” to On.
- Check “Require Network Level Authentication” (it’s on by default in newer WAC versions).
- Save.
Benefit over RDP-ing in: WAC does everything over WinRM/HTTPS (port 5985 or 443), which is often open when 3389 isn’t. Plus the whole session is logged. Good for compliance-heavy environments.
Catch: WAC needs to be on a machine you already trust, and the target server needs PowerShell Remoting enabled. Not the right tool if you’re just flipping RDP on a single box.
Enable RDP on Multiple Windows Servers via GPO
Clicking through Server Manager to enable RDP on 30 boxes individually? Absolutely not.
- Win+R, gpmc.msc to open Group Policy Management.
- Either make a new GPO or grab an existing one. Link it to your servers OU.
- Drill down: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections.
- Find “Allow users to connect remotely by using Remote Desktop Services” and set it to Enabled.
- One folder up, open Security. Enable “Require user authentication for remote connections by using Network Level Authentication.”
- Push it out: gpupdate /force on each target. Or just wait the 90 minutes for automatic refresh.
Clean, consistent, repeatable. I took over a client environment once where maybe 12 of their 25 servers had NLA turned on. The other 13? Off. Nobody knew why. No documentation. One GPO and 10 minutes later, all 25 matched.
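The same GPO built from PowerShell with the GroupPolicy module (RSAT or a domain controller), as an added example that is not part of the original post. The GPO name and the OU distinguished name are placeholders. The two registry values it writes are the policy-side locations behind the two settings clicked above; the firewall rule group is not touched by this GPO, so it still needs enabling on each server or through a firewall policy.

```powershell
# Added example: create/update a GPO that enables RDP with NLA and link it to the servers OU.
Import-Module GroupPolicy

$gpoName  = 'Servers - Enable RDP with NLA'        # placeholder GPO name
$targetOU = 'OU=Servers,DC=example,DC=com'         # placeholder OU distinguished name
$polKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Reuse the GPO if it already exists, otherwise create it
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# "Allow users to connect remotely by using Remote Desktop Services" = Enabled
Set-GPRegistryValue -Name $gpoName -Key $polKey -ValueName 'fDenyTSConnections' -Type DWord -Value 0 | Out-Null
# "Require user authentication for remote connections by using Network Level Authentication" = Enabled
Set-GPRegistryValue -Name $gpoName -Key $polKey -ValueName 'UserAuthentication' -Type DWord -Value 1 | Out-Null

# Link it to the OU unless a link is already there
$existing = (Get-GPInheritance -Target $targetOU).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existing) { New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null }

# Show what the GPO now enforces
Get-GPRegistryValue -Name $gpoName -Key $polKey | Select-Object ValueName, Value, Type
```

Because the values land under HKLM\SOFTWARE\Policies, they win over the local Terminal Server key on every refresh; that is also why a forgotten GPO is the usual answer when RDP "keeps flipping back to Disabled."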
Remote Registry Tricks When RDP Is Off
RDP is off and RDP was your plan for getting in. Annoying, but there are other ways to enable RDP on Windows Server remotely if you’ve got network access and admin creds.
WinRM / PowerShell Remoting. On domain-joined boxes, WinRM is usually already running. Enter-PSSession -ComputerName SERVER01 opens a remote shell. Run the Set-ItemProperty commands from there. WinRM runs on 5985, nothing to do with 3389.
PsExec (Sysinternals). Sends commands over SMB on port 445. Open on most domain networks.
PsExec.exe \\SERVER01 reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Remote Registry. Fire up the Remote Registry service on the target box (sc command works), then connect from your workstation via regedit and manually set fDenyTSConnections to 0.
If none of those ports are open either? Out-of-band management (iDRAC/iLO) or a physical visit. Pack a laptop and buy the NOC guy a coffee.
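The WinRM route from above, scripted for a list of servers, as an added example that is not part of the original post. The server names are placeholders; the block needs admin rights on the targets and PowerShell Remoting enabled on them. It reports the resulting state from each box and then checks from the jump host that 3389 answers.

```powershell
# Added example: enable RDP over WinRM (TCP 5985) on several servers and verify.
$servers = 'SERVER01', 'SERVER02'   # placeholder names

$results = Invoke-Command -ComputerName $servers -ErrorAction Continue -ScriptBlock {
    $tsKey  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"
    Set-ItemProperty -Path $tsKey  -Name fDenyTSConnections -Value 0
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Set-Service -Name TermService -StartupType Automatic
    Start-Service -Name TermService
    # Returned to the caller; Invoke-Command tags each object with PSComputerName
    [pscustomobject]@{
        Deny    = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
        NLA     = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
        Service = (Get-Service -Name TermService).Status
    }
}
$results | Format-Table PSComputerName, Deny, NLA, Service -AutoSize

# A server missing from the table failed the WinRM call (check the errors above).
# Then confirm the listener is reachable from here, through whatever sits in between.
foreach ($s in $servers) {
    Test-NetConnection -ComputerName $s -Port 3389 | Select-Object ComputerName, TcpTestSucceeded
}
```

Expected rows show Deny 0, NLA 1 and Service Running. A row that looks right but a TcpTestSucceeded of False points at something upstream of Windows Firewall, the same situation covered in the firewall verification section.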
Windows Server Enable RDP Troubleshooting
All of these have cost me at least an hour. Some closer to three.
“Remote Desktop can’t find the computer.” Nine times out of ten, DNS. Just plug in the IP address directly instead of the hostname. Get the correct IP from ipconfig on the server console.
Times out, never connects. Firewall, 99% of the time. Check Windows Firewall. Check the network firewall. Check cloud security groups. Port 3389 TCP inbound. Or whatever custom port you set.
“The remote computer requires Network Level Authentication” error. A few things cause this. Wrong credentials (double-check the DOMAIN\username format, or use .\username for local accounts). Clock skew between your machine and the server (CredSSP is picky about time sync; at 5+ minutes off it refuses). Expired certificates on the server side.
Server Manager shows “Disabled” even though you changed it. Just slow to update. F5, or close and reopen. I’ve seen it lag for almost a minute on overloaded boxes. The actual setting already applied, Server Manager’s UI just hasn’t caught up yet.
“An internal error has occurred.” Dealt with this on a 2022 box maybe eight months ago. Spent way too long on it. The self-signed certificate that RDP uses had gotten corrupted (still don’t know how). Fix was simple once I figured it out: certlm.msc, go to Personal > Certificates, nuke the RDP cert, restart Remote Desktop Services. Windows regenerates a fresh cert on its own. Worth also running qwinsta to make sure the RDP listener is actually responding.
Keeps flipping back to Disabled. GPO is overwriting your local setting. Run gpresult /r, scroll through the output, look for anything mentioning “Allow users to connect remotely by using Remote Desktop Services” in the Remote Desktop Session Host policies. Whatever GPO has it set to Disabled wins over your manual change every single policy refresh.
Everything looks right but still can’t connect. Check if the Remote Desktop Services service is actually running. Yeah, sounds dumb, but I’ve seen it stopped on servers that had RDP “enabled” in the registry. Run Get-Service TermService. Status should say Running. If it’s Stopped, start it: Start-Service TermService. If it won’t start or keeps stopping, check the System event log for errors from TermService or RdpSessionManager. Usually it’s a certificate issue or a corrupted listener binding.
Disabling Remote Desktop on Windows Server
Server getting decommissioned, or you’re going WinRM-only, or whatever.
Through the GUI: Server Manager, Local Server, click “Enabled” next to Remote Desktop, switch to “Don’t allow remote connections.”
Through PowerShell:
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 1
Disable-NetFirewallRule -DisplayGroup "Remote Desktop"
Just… don’t run this if RDP is your only way into the box. The session you’re in stays alive, but once you close it, that’s it. No getting back in. Drove four hours round trip to a datacenter in 2019 because I made this exact mistake. Still annoyed about it.
RDP Session Limits on Windows Server
When you enable RDP on Windows Server without installing the RDS role, you’re capped at 2 concurrent admin sessions. Both are admin sessions. No extra license needed beyond the base Windows Server CALs.
Want 3 or more people connected simultaneously? That’s where RDS comes in. You install the Remote Desktop Session Host role, configure a license server, and buy RDS CALs (completely separate from regular Windows Server CALs, and yes, they cost extra). Per user or per device, your choice. Microsoft licensing at its finest.
Honestly though, for most small and mid-size setups, 2 sessions is fine. Log in, do your thing, log out. If you need a Windows Server license, we’ve got Standard and Datacenter with instant delivery.
Connecting to Windows Server After You Enable RDP
Windows. Win+R, mstsc, type in the IP, hit Connect. Everyone knows this one.
Mac. Download “Microsoft Remote Desktop” from the App Store. Free. Add a new PC, enter the IP.
Linux. xfreerdp /v:192.168.1.100 /u:Administrator from the terminal. Remmina is the GUI option if you prefer clicking.
Using a custom port? Tack it on with a colon: 192.168.1.100:47293
One thing I always do in mstsc: click “Show Options” before connecting, go to Local Resources tab, check clipboard sharing. Bare minimum. If I’m moving files, I’ll map my local C: drive too. Way quicker than messing with SMB shares for a quick file transfer.
Enable RDP on Windows Server by Version
Windows Server 2025
Same process to enable RDP on Windows Server 2025 as every version before it. Microsoft didn’t change the workflow. What’s new is built-in brute-force protection that auto-blocks IPs after too many failed RDP login attempts. Enabled out of the box. About time they added that. Need a license? Server 2025 Standard keys are in stock.
Windows Server 2022
Microsoft added TLS 1.3 for RDP connections, so the initial handshake is encrypted better than on older versions. Steps to enable Remote Desktop haven’t changed at all though. If you’re still on the 180-day eval, convert to Standard before going production. Activation acting weird? Try the DISM method.
Windows Server 2019 and 2016
Nothing different. Same clicks, same PowerShell commands, same registry keys. Everything covered in the sections above works identically. If you’ve got Windows Admin Center set up, the WAC method (see above) works on these too, going all the way back to Server 2016.
FAQ
How do I enable RDP on Windows Server?
Server Manager, Local Server, click Disabled next to Remote Desktop, select “Allow remote connections to this computer,” check the NLA box, OK. Firewall opens port 3389 on its own.
Why is Remote Desktop disabled by default on Windows Server?
Because port 3389 is target #1 for bots and ransomware gangs. Microsoft figured it’s safer to ship with it off and let admins turn it on deliberately.
What PowerShell command enables Remote Desktop on Windows Server?
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0 as admin. Then Enable-NetFirewallRule -DisplayGroup "Remote Desktop" for the firewall.
Can I enable RDP on Windows Server Core without a GUI?
Yep. SConfig, option 7, enable. Or the same PowerShell/reg add commands as any other edition. Just remember to open the firewall too.
How many users can RDP into Windows Server at once?
Two. That’s the limit without RDS licensing. Install the Remote Desktop Services role and buy RDS CALs if you need more.
What port does RDP use and should I change it?
3389 TCP. And yeah, change it. Every bot on the internet probes 3389. Switch to something random above 10000. Registry key: HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, PortNumber value.
What is Network Level Authentication and should I enable it?
NLA checks your credentials before the server creates a session. Without it, the server wastes resources showing a login screen to anyone who connects. Keep it enabled. Only disable if your RDP clients are ancient (pre-Vista era).
Last updated: January 2026
