So I am trying to enable RDP on some new Windows 10 Pro machines via a GPO I have deployed, but it's not working.
I go to:
Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections
And then set Allow users to connect remotely by using Remote Desktop Services to Enable.
But this does not actually seem to turn on the RDP option in Windows 10; in fact, it seems to lock that setting to "Off" with a message saying the setting is controlled by the organization [the one in the Settings App -> Remote Desktop Settings], and you cannot connect.
If I disable the GPO, then toggle that setting, it allows connections without issue. If I then re-enable the GPO the setting remains on, and cannot be turned off.
What am I missing here? Is there another GPO policy I need to enable? If there is, no Google searches have helped me find it.
12 Replies
GPO-based RDP policies supersede your local ability to adjust RDP settings, which is why they get greyed out.
There could be a number of reasons this is not working. I'd suspect
1] you haven't created the firewall rule
or
2] have NLA enabled
For the firewall rule - add an addition policy:
Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Windows Firewall with Advanced Security -> Inbound Rules
and Create a New Rule Add port TCP 3389 for ONLY your private or domain networks
2] For NLA:
Administrative Tools -> Remote Desktop Services -> Remote Desktop Session Host Configuration. Disable "Allow the connection only from computers running Remote Desktop with Network Level Authentication".
Try the firewall policy first; if you still have difficulty, then try disabling NLA.
Important note: be careful opening port 3389 via GP. Ensure it ONLY affects the sub group of devices you wish to have remote access to, otherwise you cause a security risk.
Additional note: for RDS servers, installing the session host role opens up the necessary ports on the firewall automatically. Because no session host exists on PCs, and you're using Remote Desktop for Administration mode, this step isn't applied.
JonosaurusRex wrote:
For the firewall rule - add an addition policy:
Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Windows Firewall with Advanced Security -> Inbound Rules
and Create a New Rule Add port TCP 3389 for ONLY your private or domain networks
There is no need to open 3389 that way, there is a Firewall policy specifically for letting RDP through the firewall.
Computer Configuration > Administrative Templates > Network > Network Connections > Windows Defender Firewall > Domain Profile > Windows Firewall: Allow Remote Desktop Exception
That setting has been enabled, with no change.
I will try the NLA setting, though my gut says that won't make a difference. These policies are being applied, but they are just not turning RDP on.
I tried NLA both enabled and disabled. Still no dice. With it enabled/disabled the setting appears to be locked to on, but I cannot RDP in. The firewall has been set to allow connections on 3389, so that's not it either.
Just to make sure the firewall was not the issue here, I turned it off completely [locally, not via GPO] and tried to connect. Still could not connect.
Disable the NLA and Connection GPO policies, manually turn RDP on, and everything works just fine. Turn either or both on, and RDP no longer works.
EDIT: Correction, enabling RDP on the machine locally, then turning on the policies, and it continues to work. Turn off the policies, disable RDP locally and then turn the policies back on, and it does not work. So flipping that switch [locally, not via GPO] is doing something the policies are not, and I have no idea what that is.
EDIT 2: I can just leave the NLA policy enabled and set the allow connection policy as "Not configured" and the user can then turn on or off RDP and when on it works fine. But if it is off and I then enable the connection policy, the button flips in control panel, is greyed out, but the connection cannot be made [so RDP does not work]. If it was set to on, by the user, then enabling the policy does not change anything, RDP continues to work.
Edited Nov 8, 2020 at 04:09 UTC
JonosaurusRex wrote:
If you run gpresult /h To generate a report can you see your polices applying to the machine?
Actually, Windows 10 includes a much easier to use tool to see what policies are being applied, and where they are coming from. Start -> Run -> RSoP.msc [as administrator] is pretty great for this. I did use this to make sure the policies are being applied [they are]. I have also used gpresult to double check the RSoP results. The correct policies are definitely being applied.
I'm having the same issue. Did you manage to get anywhere with this, at all?
Deejerydoo wrote:
I'm having the same issue. Did you manage to get anywhere with this, at all?
I did not. I ended up disabling the GPO setting, enabling RDP on the workstation, then re-enabling the GPO setting to lock it in. This works in my setup, but that is mostly because I only have 5 machines to contend with.
Sorry for bringing back an old topic, but I just came across this.
Here are the GPO settings I use that work with Windows 10 2004 & 20H2:
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections: Allow users to connect remotely by using Remote Desktop Services: Enabled.
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security: Require user authentication for remote connections by using Network Level Authentication: Enabled
Computer Configuration > Policies > Windows Firewall With Advanced Security > Inbound Rules > New Rule > I select the predefined "Remote Desktop" group and enable all 3 ports.
I'm just going to throw my findings out here since the OP's question was never really answered. Yes all the above applies in regards to firewall rules but the OP asked about the "button" behavior and from what I can find you cannot control this via GPO, but you can via registry entry.
There are 2 registry entries that control this "slider button" from what I can tell, so you would need remote registry access enabled, or push these registry settings via GPO or via PowerShell. Settings are Boolean [1 or 0].
When the client [Windows 10] Settings > System > Enable Remote Desktop is ON [button slider]
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
fDenyTSConnections 0
updateRDStatus 0
When the client [Windows 10] Settings > System > Enable Remote Desktop is OFF [button slider]
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
fDenyTSConnections 1
updateRDStatus 1
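To tie the two findings above together (the GPO list from Travis N and the fDenyTSConnections / updateRDStatus pair from this post), here is an added PowerShell audit script. It is not from anyone in this thread; it reads the local "Terminal Server" values the slider writes, the policy copy under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services that the Connections and NLA GPOs write (this is what RSoP/gpresult reports), the NLA flag on the RDP-Tcp listener, and the state of the predefined "Remote Desktop" firewall rule group. It assumes an elevated PowerShell 5.1 session on the Windows 10 machine itself with the NetSecurity module available; the SliderPolicyMismatch field flags the exact condition described in this thread, where policy allows connections but the local value still says denied.

```powershell
# Added example, not from the thread: audit what actually decides whether this
# Windows 10 machine accepts RDP, independent of what the Settings slider shows.
# Assumes an elevated PowerShell 5.1 session on the target machine.

function Get-RdpState {
    [CmdletBinding()]
    param()

    # Local values: these are what the Settings > Remote Desktop slider writes.
    $local  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # Policy values: written by the "Allow users to connect remotely..." and
    # "Require user authentication ... NLA" GPOs; they override the local values.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    # NLA flag on the RDP-Tcp listener.
    $rdpTcp = "$local\WinStations\RDP-Tcp"

    function Read-Dword([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }   # value not present
        return [int]$item.$Name
    }

    $localDeny   = Read-Dword $local  'fDenyTSConnections'
    $updateRD    = Read-Dword $local  'updateRDStatus'
    $policyDeny  = Read-Dword $policy 'fDenyTSConnections'
    $policyNla   = Read-Dword $policy 'UserAuthentication'
    $listenerNla = Read-Dword $rdpTcp 'UserAuthentication'

    # Policy wins when it is defined; otherwise the local value decides.
    $effectiveDeny = if ($null -ne $policyDeny) { $policyDeny } else { $localDeny }

    # Predefined "Remote Desktop" group: TCP 3389, UDP 3389 and the shadow rule.
    $fw = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
          Select-Object DisplayName, Enabled, Profile

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        Local_fDenyTSConnections  = $localDeny
        Local_updateRDStatus      = $updateRD
        Policy_fDenyTSConnections = $policyDeny
        Policy_NLA                = $policyNla
        Listener_NLA              = $listenerNla
        EffectiveDeny             = $effectiveDeny
        # The condition this thread is about: policy set, but local value disagrees.
        SliderPolicyMismatch      = ($null -ne $policyDeny) -and ($localDeny -ne $policyDeny)
        FirewallRules             = $fw
    }
}

# Write the same two local values the slider writes, so the local state matches
# the policy. Only needed when SliderPolicyMismatch is reported.
function Set-RdpLocalState {
    param([Parameter(Mandatory)][bool]$Enabled)
    $local = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny  = if ($Enabled) { 0 } else { 1 }
    Set-ItemProperty -Path $local -Name 'fDenyTSConnections' -Value $deny -Type DWord
    Set-ItemProperty -Path $local -Name 'updateRDStatus'     -Value $deny -Type DWord
    if ($Enabled) {
        # Prefer the built-in rule group over a hand-made bare 3389 rule.
        Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    }
}

Get-RdpState | Format-List
```

Run Get-RdpState on one of the affected clients before and after toggling the slider; the interesting comparison is Local_fDenyTSConnections against Policy_fDenyTSConnections. Check the Profile column of the firewall rules as well, since the built-in group ships with Domain/Private and Public variants and the earlier warning about scoping 3389 applies to whichever of those you leave enabled.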
Well, the issue wasn't so much the button, more that the client seemed to ignore the GPO setting in certain circumstances. I think this is a bug actually, but I don't know for sure and honestly did not have the time to dig deeper. I just set them all manually since I only have 5 clients, then enforced that setting via the GPO.
I can confirm this is a UI bug. While the screen slider says it's OFF, it is actually on and works properly. Travis's reply works properly in all my locations, but the slider just SAYS it's off...
Travis N wrote:
Sorry for bringing back an old topic, but I just came across this.
Here are the GPO settings I use that work with Windows 10 2004 & 20H2:
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections: Allow users to connect remotely by using Remote Desktop Services: Enabled.
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security: Require user authentication for remote connections by using Network Level Authentication: Enabled
Computer Configuration > Policies > Windows Firewall With Advanced Security > Inbound Rules > New Rule > I select the predefined "Remote Desktop" group and enable all 3 ports.
Thanks Travis, I was also getting the switch set to 'Off' even when the policy was applied. It turned out I had to define the NLA one as well to get the switch turned 'On' and RDP then worked.