Windows Server 2022 Group Policy – Enable Remote Desktop

In this post we are going to cover how you can enable RDP (Remote Desktop Protocol)[1] properly using group policy. In my example I am going to be using a Windows Server 2022 (Datacenter Edition) as the base for my DC (Domain Controller).

NOTE: to carry out this process you will need permissions to create, modify and link GPOs (Group Policy Objects) in your domain, which you normally do from the DC.


  1. SECTION I – Create Group Policy Object
    1. FIGURE 1 – Locate Group Policy Management
    2. FIGURE 2 – New GPO
    3. FIGURE 3 – Edit New GPO
  2. SECTION II – Configure Firewall Entry
    1. FIGURE 4 – Inbound Rules
    2. FIGURE 5 – Rule Type
    3. FIGURE 6 – Program
    4. FIGURE 7 – Protocol and Ports
    5. FIGURE 8 – Scope
    6. FIGURE 9 – Action
    7. FIGURE 10 – Profile
  3. SECTION III – Configure Host RDP Policies
    1. FIGURE 11 – Allow RDP Connection
    2. FIGURE 12 – Require Network Level Authentication
  4. SECTION IV – Apply GPO
    1. FIGURE 13 – Link an Existing GPO
    2. FIGURE 14 – Select GPO
  5. SECTION V – Verification
    1. SECTION V – A – Pull Group Policy
      1. FIGURE 15 – Group Policy Update
      2. FIGURE 16 – Policy Update Command Prompt
    2. SECTION V – B – Check GPO Has Been Applied
      1. FIGURE 17 – Local Server Manager
      2. FIGURE 18 – Inbound Rules
  6. SECTION VI – Footnotes

SECTION I – Create Group Policy Object

The first thing we need to do is to create a new GPO that we can then configure.

  1. Remote onto your DC.
  2. Open the Group Policy Management application.
FIGURE 1 – Locate Group Policy Management
  3. Expand the Group Policy Objects folder.
  4. Right click it and select New.
FIGURE 2 – New GPO
  5. Give the new GPO an appropriate name – in my example I am going to use ‘COMPUTER:Enable Remote Desktop’.
  6. Right click on your newly created GPO and select Edit.
FIGURE 3 – Edit New GPO

Now that your GPO is created and you are in the correct place to edit it you can carry out Section II and Section III in either order.

SECTION II – Configure Firewall Entry

We need to allow the host based firewall on each device that we want to enable RDP on to receive the RDP traffic. By default the RDP listener uses TCP port 3389, so that is the port we will be opening within the firewall settings. (Modern clients can also use UDP 3389 as an optional transport; a TCP-only rule is enough for the connection to work.)

NOTE: in my example I am going to set up the firewall rule so that port 3389 is open only from a specific IP (Internet Protocol) address, which will be the IP of my RDS (Remote Desktop Services) server. In the rule wizard that source address belongs under Remote IP addresses; Local IP addresses refers to the addresses of the host the rule is applied to.

  1. Navigate to the following policy location:
     Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security\Inbound Rules
FIGURE 4 – Inbound Rules
  2. Right click anywhere in the main right hand pane of the window and select New Rule.
  3. Select the Custom rule radio button and then click Next.
FIGURE 5 – Rule Type
  4. Select the All programs radio button and then click Next.
FIGURE 6 – Program
  5. On the Protocol and Ports page set the following then click Next:
    • Protocol type: TCP
    • Local port: Specific Ports from the drop down and then enter 3389 in the box underneath
    • Remote port: All Ports
FIGURE 7 – Protocol and Ports
  6. On the Scope page set the following and then click Next. In this wizard Local means the host the rule is applied to and Remote means the other end of the connection, so the source restriction goes under Remote:
    • Local IP addresses: select the Any IP address radio button (the rule should match whatever address the receiving host has)
    • Remote IP addresses: select the These IP addresses radio button, click Add and enter the IP address of the RDS server, the only source you expect RDP traffic from. Putting the source address under Local IP addresses instead would make the rule match only on a host that itself holds that address, so the traffic you want would still be blocked everywhere else.
FIGURE 8 – Scope
  7. Select the Allow the connection radio button then click Next.
FIGURE 9 – Action
  8. Tick only the Domain profile and then click Next. With Private and Public unticked the rule does nothing on a network the host has not classified as its domain network.
FIGURE 10 – Profile
  9. Give your firewall rule an appropriate name – in my example I am going to use ‘RDP’ – and click Finish.

SECTION III – Configure Host RDP Policies

We need to configure the remote desktop policy on the host to allow it to accept an RDP connection.

  1. Navigate to the following policy location:
     Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections
  2. Locate the Allow users to connect remotely by using Remote Desktop Services policy, double click it, select the Enabled radio button and then click Ok.
FIGURE 11 – Allow RDP Connection

We also need to set the security policy that controls whether the host authenticates the user before it creates a session. With Network Level Authentication (NLA) the client must authenticate (via CredSSP) before the host allocates a session, so unauthenticated clients never reach the logon screen and any pre-authentication weakness in the RDP listener is not exposed to them.

  1. Navigate to the following policy location:
     Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
  2. Locate the Require user authentication for remote connections by using Network Level Authentication policy, double click it, select the Enabled radio button and then click Ok. Only set this to Disabled if you have clients that genuinely cannot perform NLA, and in that case the source scoping of the firewall rule from Section II becomes the control that keeps the listener away from everything except the RDS server.
FIGURE 12 – Require Network Level Authentication

SECTION IV – Apply GPO

Now that our GPO contains all the policies we need to allow RDP, we need to link it to the OUs that hold the computers it should apply to. Link it as narrowly as you can: linking at the domain root would open port 3389 on every domain-joined machine, including ones that never need it.

  1. Within the Group Policy Management application locate any OUs (Organisational Units) that you would like to apply your enable RDP GPO to. NOTE: in my example I am going to use the OU NOC-SERVERS
  2. Right click on the OU and select the Link an Existing GPO option.
FIGURE 13 – Link an Existing GPO
  3. Find and select the GPO you have created and then click Ok.
FIGURE 14 – Select GPO
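Sections I to IV can also be done without the wizards. The script below is an added example written for this page (it is not the author's own procedure) and builds the same GPO from an elevated PowerShell session on the DC: it creates the GPO, adds the scoped inbound rule to the GPO's firewall store, writes the two Administrative Template settings as the registry values they actually are, and links the GPO to the OU. The GPO name, the RDS server address and the OU distinguished name are assumptions; replace them with your own. It needs the GroupPolicy module (RSAT) and the NetSecurity module.

```powershell
# Added example (not from the original post). Run elevated on the DC.
Import-Module GroupPolicy
Import-Module NetSecurity

$GpoName   = 'COMPUTER:Enable Remote Desktop'       # assumption: name chosen in Section I
$RdsServer = '10.0.0.25'                            # assumption: IP of the RDS server allowed to reach 3389
$TargetOu  = 'OU=NOC-SERVERS,DC=example,DC=local'   # assumption: OU from Section IV

# Section I - create the GPO (skip if it already exists)
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Enable RDP, inbound 3389 scoped to the RDS server'
}

# Section II - inbound rule stored in the GPO, not in the local firewall.
# RemoteAddress is the source of the connection; LocalAddress stays Any.
$session = Open-NetGPO -PolicyStore "$env:USERDNSDOMAIN\$GpoName"
if (-not (Get-NetFirewallRule -GPOSession $session -DisplayName 'RDP' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -GPOSession $session `
        -DisplayName 'RDP' -Direction Inbound -Action Allow -Enabled True `
        -Profile Domain -Protocol TCP -LocalPort 3389 `
        -LocalAddress Any -RemoteAddress $RdsServer | Out-Null
}
Save-NetGPO -GPOSession $session

# Section III - the two Administrative Template policies are registry values
# under HKLM\SOFTWARE\Policies; Set-GPRegistryValue writes them into the GPO.
$tsKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
# "Allow users to connect remotely by using Remote Desktop Services" = Enabled
Set-GPRegistryValue -Name $GpoName -Key $tsKey -ValueName 'fDenyTSConnections' -Type DWord -Value 0 | Out-Null
# "Require user authentication ... Network Level Authentication" = Enabled
Set-GPRegistryValue -Name $GpoName -Key $tsKey -ValueName 'UserAuthentication'  -Type DWord -Value 1 | Out-Null

# Section IV - link the GPO to the OU (skip if already linked)
$alreadyLinked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Show what ended up in the GPO: the rule and both registry values should appear.
(Get-GPOReport -Name $GpoName -ReportType Xml) -split "`n" |
    Select-String -Pattern 'fDenyTSConnections|UserAuthentication|3389|RemoteAddress' -SimpleMatch:$false
```

The registry-value form is worth knowing even if you prefer the editor: when a GPO report or a gpresult output shows `fDenyTSConnections = 0` and `UserAuthentication = 1`, that is exactly what the two Section III policies set, and it is the quickest way to audit whether someone has weakened NLA on a host.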

SECTION V – Verification

SECTION V – A – Pull Group Policy

  1. Establish a connection to a computer that should have been affected by the new GPO – in my example I am going to log onto the ‘NOC01CA01’ server because it is in the ‘NOC-SERVERS’ OU that I linked the GPO to.
  2. Open an elevated command prompt, type gpupdate /force and press Enter. This pulls the latest group policy from the DC. (Entering the command from the Start menu works too, but that window closes as soon as the command finishes, so you cannot read its output.)
FIGURE 15 – Group Policy Update
  3. Once the group policy is updated you will see the message Computer Policy update has completed successfully.
FIGURE 16 – Policy Update Command Prompt
  4. The firewall rule and the Terminal Services policies should take effect at the refresh without a reboot, but restart the computer if you want to be certain every setting has been applied.

SECTION V – B – Check GPO Has Been Applied

Confirm remote desktop is enabled:

  1. Open Server Manager.
  2. Select Local Server.
  3. Next to Remote Desktop it should say Enabled.
FIGURE 17 – Local Server Manager

Confirm the firewall is properly configured:

  1. Open ‘Windows Defender Firewall’ from the Control Panel.
  2. Click ‘Advanced settings’.
  3. Select ‘Inbound Rules’.
  4. Click the ‘Name’ column header once to sort alphabetically.
  5. In the list of rules you should find the one from your GPO. Rules delivered by group policy cannot be edited locally, and its Remote Address column should show only the RDS server address, not Any.
FIGURE 18 – Inbound Rules
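Clicking through Server Manager and the firewall console confirms the two settings one host at a time. The following script is an added example for this page (not from the original post) that performs the same verification from an elevated PowerShell session on the target server and goes a step further than the GUI check: it confirms the GPO was actually applied, reads the policy registry values, asks the RDP listener whether it is enforcing NLA, checks that the GPO-delivered rule is scoped to a single remote address rather than Any, and confirms something is bound to 3389. The GPO name and rule name are assumptions matching the walkthrough.

```powershell
# Added example (not from the original post). Run elevated on the member server.
$GpoName  = 'COMPUTER:Enable Remote Desktop'   # assumption: name from Section I
$RuleName = 'RDP'                              # assumption: rule name from Section II
$checks   = [ordered]@{}

# Refresh computer policy first so we test the current GPO, not a stale one.
gpupdate /target:computer /force | Out-Null

# 1. Was the GPO applied to this computer? gpresult lists applied GPOs by name.
$rsop = gpresult /r /scope:computer 2>$null
$checks['GPO applied']    = @($rsop -match [regex]::Escape($GpoName)).Count -gt 0

# 2. Policy registry values written by Section III (override local TS settings).
$tsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ts    = Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue
$checks['RDP allowed']    = ($null -ne $ts -and $ts.fDenyTSConnections -eq 0)
$checks['NLA policy']     = ($null -ne $ts -and $ts.UserAuthentication -eq 1)

# 3. Effective NLA state as the RDP-Tcp listener reports it, independent of policy.
$listener = Get-CimInstance -Namespace root\cimv2\TerminalServices `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$checks['Listener NLA']   = ($listener.UserAuthenticationRequired -eq 1)

# 4. The GPO-delivered rule from the active store, with its address and port filters.
$rule = Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($rule) {
    $addr = $rule | Get-NetFirewallAddressFilter
    $port = $rule | Get-NetFirewallPortFilter
    $checks['Rule present'] = ("$($rule.Enabled)" -eq 'True' -and "$($rule.Action)" -eq 'Allow')
    # Scoped correctly means: local side Any, remote side a specific address, TCP 3389.
    $checks['Rule scoped']  = ("$($addr.LocalAddress)" -eq 'Any' -and
                               "$($addr.RemoteAddress)" -ne 'Any' -and
                               "$($port.Protocol)" -eq 'TCP' -and "$($port.LocalPort)" -eq '3389')
} else {
    $checks['Rule present'] = $false
    $checks['Rule scoped']  = $false
}

# 5. Is anything actually listening on 3389?
$checks['3389 listening'] = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)

# Report. Every line should read OK; a FAIL on 'Rule scoped' usually means the
# source address was entered under Local instead of Remote in the Scope page.
$checks.GetEnumerator() | ForEach-Object {
    '{0,-16} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

Run it from the RDS server as well with `Test-NetConnection -ComputerName <host> -Port 3389` to confirm the allowed path works, and from any other machine to confirm it does not; a rule that opens 3389 to Any will pass the first test and silently fail the second.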

SECTION VI – Footnotes

  1. RDP – the most commonly used remote access protocol within a Windows enterprise environment. It lets you administer any enabled device remotely as if you were directly connected to it.