How To Enable Remote Desktop Via Group Policy Objects (GPO)

IT administrators can leverage the functionality of Remote Desktop access to manage multiple networked computers efficiently. Configuring each machine manually can be tedious and time-consuming. Microsoft Active Directory Group Policy Objects (GPO) provide a centralized solution to enable Remote Desktop across a target group of Windows systems. Using GPO saves time and guarantees consistent configuration throughout the environment.
This article discusses the steps to enable Remote Desktop via GPO and ensure correct configuration for all your remote Windows computers.
Enable Remote Desktop via Group Policy
How to Use Group Policy to Create a Firewall Rule
The following steps create a Group Policy Object with a firewall rule that allows Remote Desktop connections to the associated computers.
- Open the Group Policy Management Console (GPMC).
- Create a new Group Policy Object called Enable Remote Desktop.
- Navigate through the following settings so you can create a new rule:
  Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Windows Firewall with Advanced Security -> Inbound Rules
  Now choose to Create a New Rule.
- In the New Inbound Rule Wizard, select the Port parameter.
- Make sure TCP is selected and the Specific local port parameter is set to 3389.
- Click Next and select Allow the connection. Limit the connection to the Domain and Private profiles.
- Give the rule a meaningful name, such as Inbound Rule for RDP Port 3389.
Remote Desktop Group Policy Settings for IT Administrators
Once you have added the local ports, you must update additional Remote Desktop Group Policy settings to enable the Remote Desktop Session Host policies.
NLA is enabled by default in Windows 11 and Server 2019/2022. Verifying that NLA is enabled when using GPO to implement Remote Desktop is good security practice.
1. Open Group Policy Editor: Press Windows + R, type gpedit.msc, and press Enter.
2. Expand: Computer Configuration → Policies.
3. Navigate to: Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Security.
4. Locate “Require user authentication for remote connections by using NLA” and ensure it is set to Enabled.
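To confirm on a target computer that the settings actually took effect, the check below reads the effective registry values and the active firewall rules. It is an added example, not part of the original article. It assumes an elevated PowerShell session on the target and the standard policy registry values `fDenyTSConnections` and `UserAuthentication`.

```powershell
# Added example: audit the effective RDP settings on one domain-joined computer.
# Run elevated on the target after the GPO has applied (gpupdate /force).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$nlaKey    = "$localKey\WinStations\RDP-Tcp"

function Get-Effective {
    param([string]$Name, [string]$FallbackPath)
    # A value written by Group Policy takes precedence over the local one.
    foreach ($path in $policyKey, $FallbackPath) {
        $v = (Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $v) { return [pscustomobject]@{ Name = $Name; Value = $v; Source = $path } }
    }
    [pscustomobject]@{ Name = $Name; Value = $null; Source = 'not set' }
}

$rdp = Get-Effective -Name 'fDenyTSConnections' -FallbackPath $localKey
$nla = Get-Effective -Name 'UserAuthentication' -FallbackPath $nlaKey

# Enabled inbound allow rules for TCP 3389 from every store in effect (local + GPO).
# Rules that use a port range or "Any" are not matched by this simple comparison.
$rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $f = $_ | Get-NetFirewallPortFilter
        $f.Protocol -eq 'TCP' -and $f.LocalPort -contains '3389'
    }

$findings = @()
if ($rdp.Value -ne 0) { $findings += "RDP is not enabled (fDenyTSConnections=$($rdp.Value); $($rdp.Source))" }
if ($nla.Value -ne 1) { $findings += "NLA is not required (UserAuthentication=$($nla.Value); $($nla.Source))" }
if (-not $rules)      { $findings += 'No enabled inbound allow rule for TCP 3389' }
foreach ($r in $rules) {
    # Profile renders as e.g. "Domain, Private"; "Any" also covers Public.
    if ("$($r.Profile)" -match 'Any|Public') {
        $findings += "Rule '$($r.DisplayName)' also applies to the Public profile"
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    'RDP is enabled, NLA is required, and TCP 3389 is not open on the Public profile.'
}
```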
- Go to:
  Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections
- Enable the setting Allow users to connect remotely by using Remote Desktop Services.
- Before we finish modifying Group Policy to allow Remote Desktop, we are going to enable Network Level Authentication. While this is not a necessary part of enabling RDP Group Policy, it is highly recommended as it provides enhanced security for your remote sessions.
- Navigate to:
  Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security
- Enable the Require user authentication for remote connections by using Network Level Authentication setting.
- The last step, and arguably the most important, is to apply the Group Policy Object we just created to an Organizational Unit. Without this step, the policy will exist but not be used for accessing any remote machines.
- Close the GPMC as you are finished. No more settings need to be modified to implement Remote Desktop using a Group Policy.
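The same GPO can be built from PowerShell instead of the GPMC wizard. The script below is an added example, not part of the original article. It assumes the GroupPolicy module (RSAT) is installed, and the domain name and OU path are placeholders to replace with your own.

```powershell
# Added example: scripted equivalent of the GPMC steps above.
# Requires the GroupPolicy module (RSAT) and rights to create and link GPOs.
Import-Module GroupPolicy

# Assumed placeholders: replace with your own domain and target OU.
$domain   = 'corp.example.com'
$targetOu = 'OU=Workstations,DC=corp,DC=example,DC=com'
$gpoName  = 'Enable Remote Desktop'
$tsKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

New-GPO -Name $gpoName -Domain $domain -Comment 'RDP with NLA; inbound TCP 3389' | Out-Null

# "Allow users to connect remotely by using Remote Desktop Services" = Enabled
Set-GPRegistryValue -Name $gpoName -Domain $domain -Key $tsKey `
    -ValueName 'fDenyTSConnections' -Type DWord -Value 0 | Out-Null

# "Require user authentication for remote connections by using NLA" = Enabled
Set-GPRegistryValue -Name $gpoName -Domain $domain -Key $tsKey `
    -ValueName 'UserAuthentication' -Type DWord -Value 1 | Out-Null

# Inbound firewall rule stored in the GPO, limited to Domain and Private profiles.
$rule = @{
    PolicyStore = "$domain\$gpoName"
    DisplayName = 'Inbound Rule for RDP Port 3389'
    Direction   = 'Inbound'
    Protocol    = 'TCP'
    LocalPort   = 3389
    Action      = 'Allow'
    Profile     = 'Domain', 'Private'
    # Optional, not part of the article's steps: add RemoteAddress = '<admin subnet>'
    # to accept connections only from management hosts.
}
New-NetFirewallRule @rule | Out-Null

# Without a link to an OU the policy exists but applies to nothing.
New-GPLink -Name $gpoName -Domain $domain -Target $targetOu -LinkEnabled Yes | Out-Null

# Write an HTML report so the resulting settings can be reviewed.
Get-GPOReport -Name $gpoName -Domain $domain -ReportType Html -Path "$env:TEMP\EnableRemoteDesktop-GPO.html"
```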
Additional Remote Desktop Options
You can optimize Windows and Windows Server GPO Remote Desktop sessions with additional Remote Desktop Session Host policy options.
- Redirect Local Devices: Manage the use of local devices during Remote Desktop sessions.
- Session Timeouts: Disconnect inactive sessions and free resources after a designated time.
- Session Compression & Graphics Quality: Compress data to optimize bandwidth and network performance.
- Limit Concurrent Sessions: Limit the number of simultaneous RDP connections.
To configure these:
- Open Group Policy Editor: Press Windows + R, type gpedit.msc, and press Enter.
- Expand: Computer Configuration → Policies.
- Navigate to: Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host.
- Adjust Settings: Configure the desired policies under Remote Desktop Session Host.
Bonus: HelpWire Enhances IT Administrator Efficiency
IT administrators must have Remote Desktop access to manage a network of multiple computers. HelpWire is a remote support GPO alternative that streamlines IT admin tasks for enhanced efficiency and productivity.
HelpWire’s advanced features for comprehensive remote support and intuitive interface let teams establish secure and stable remote connections quickly.
HelpWire Benefits:
- Enable remote support without configuring Group Policies (GPO) or firewalls;
- Easy installation with a user-friendly interface;
- Secure connectivity with no complex configurations;
- Unattended Remote Access;
- Cross-platform support for the Windows, macOS, and Linux operating systems.