How to Enable Remote Desktop on Windows Server 2012 R2

Remote Desktop Protocol (RDP) is one of the most essential tools in a Windows Server administrator’s arsenal. It allows you to connect to and manage a server from any network-connected machine without needing physical access to the hardware. On Windows Server 2012 R2, Remote Desktop is disabled by default as a security precaution, meaning you must explicitly enable it before you can use it.

This guide walks through every method of enabling Remote Desktop on Windows Server 2012 R2 — via the GUI, PowerShell, and the registry — along with configuring firewall rules, NLA (Network Level Authentication), and managing user access. By the end you will have a fully functional, securely configured RDP endpoint.

Prerequisites

Before you begin, confirm the following:

  • You are logged into the server locally or via an existing management session (IPMI, iDRAC, KVM).
  • Your account is a member of the local Administrators group.
  • Windows Firewall is enabled (recommended) or you have a perimeter firewall managing inbound TCP 3389.
  • You know the server’s IP address or hostname for the initial test connection.

Method 1: Enable Remote Desktop via Server Manager

The graphical method is the quickest way to enable RDP for administrators unfamiliar with PowerShell.

Open Server Manager from the taskbar. In the left pane, click Local Server. Locate the Remote Desktop property — it will read “Disabled.” Click on it to open the System Properties dialog on the Remote tab.

Select “Allow remote connections to this computer”. You will see a warning about firewall rules being created automatically — click OK. Ensure “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)” is checked for maximum security.

Click Apply, then OK. Windows will automatically create the necessary Windows Firewall exception for TCP 3389.

Method 2: Enable Remote Desktop via PowerShell

PowerShell gives you scriptable, repeatable control. The following commands enable RDP, enforce NLA, and open the firewall rule in a single session.

Open an elevated PowerShell console (right-click PowerShell → Run as Administrator) and run:

# Enable Remote Desktop by setting the registry value to 0
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' `
    -Name "fDenyTSConnections" -Value 0

# Enable Network Level Authentication
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name "UserAuthentication" -Value 1

# Create the Windows Firewall exception for RDP
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

# Confirm RDP is enabled
Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' `
    -Name "fDenyTSConnections"

A value of 0 for fDenyTSConnections confirms Remote Desktop is enabled. A value of 1 means it is disabled.

Method 3: Enable Remote Desktop via Registry Editor

If you need to enable RDP on a remote server whose registry you can access over a network share (or via another RDP session), you can edit the registry directly.

REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f

These commands can also be executed remotely using reg add \\ServerName\HKLM\... if the Remote Registry service is running on the target.

Configuring the Windows Firewall for RDP

Even when you enable RDP, Windows Firewall must allow inbound connections on TCP 3389. The Server Manager method handles this automatically, but if you need to verify or configure rules manually, use PowerShell:

# Verify the Remote Desktop firewall rule group is enabled
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Select-Object DisplayName, Enabled, Direction

# If the rule is not enabled, enable it
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

# To restrict RDP to a specific subnet (e.g., management network only)
Set-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)" `
    -RemoteAddress 192.168.10.0/24

# Verify the change
Get-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)" | 
    Get-NetFirewallAddressFilter

Restricting RDP to a management subnet is a critical hardening measure. Never leave TCP 3389 open to 0.0.0.0/0 on internet-facing servers.

Managing Remote Desktop Users

By default, only members of the local Administrators group can connect via RDP. To allow non-administrative users, add them to the Remote Desktop Users local group.

# Note: the *-LocalGroupMember cmdlets ship with Windows PowerShell 5.1 (WMF 5.1);
# they are not present in the PowerShell 4.0 that Windows Server 2012 R2 installs by default.

# Add a domain user to the Remote Desktop Users local group
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "DOMAIN\jsmith"

# Add a local user
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "localuser"

# List current members of the Remote Desktop Users group
Get-LocalGroupMember -Group "Remote Desktop Users"

# Remove a user
Remove-LocalGroupMember -Group "Remote Desktop Users" -Member "DOMAIN\jsmith"

Remember: adding a user to Remote Desktop Users does not grant them administrative privileges — they get a standard user session only.

Configuring RDP Session Limits and Timeouts

On a production server, stale disconnected RDP sessions waste memory and user session licences. Configure timeouts via Group Policy or directly via the registry:

# Set disconnected session timeout to 30 minutes (in milliseconds: 1800000)
$tsPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
# Create the policy key only if it is missing; New-Item -Force on an existing
# registry key would recreate it and discard the values already set there
if (-not (Test-Path $tsPath)) { New-Item -Path $tsPath -Force | Out-Null }
Set-ItemProperty -Path $tsPath -Name "MaxDisconnectionTime" -Value 1800000 -Type DWord

# Set idle session limit to 60 minutes (3600000 ms)
Set-ItemProperty -Path $tsPath -Name "MaxIdleTime" -Value 3600000 -Type DWord

# Set maximum active session time (8 hours = 28800000 ms)
Set-ItemProperty -Path $tsPath -Name "MaxConnectionTime" -Value 28800000 -Type DWord

Changing the Default RDP Port

Changing the default port from 3389 to a non-standard port is a common (though minor) hardening measure that reduces automated scanning noise in your logs.

# Change RDP port to 33890 (example — choose your own)
$rdpPort = 33890
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name "PortNumber" -Value $rdpPort -Type DWord

# Add a new firewall rule for the custom port
New-NetFirewallRule -DisplayName "RDP Custom Port" `
    -Direction Inbound -Protocol TCP -LocalPort $rdpPort `
    -Action Allow -Profile Any

# Disable the default RDP firewall rule
Disable-NetFirewallRule -DisplayGroup "Remote Desktop"

# Restart the Remote Desktop service to apply the port change
Restart-Service -Name TermService -Force

After changing the port, connect using mstsc /v:servername:33890.

Verifying Remote Desktop is Working

From any Windows machine on the same network, open the Run dialog (Win+R) and type mstsc. Enter the server’s IP address or hostname and click Connect. You should reach the Windows login screen.

For a quick network-level test before attempting a full GUI session:

# Test TCP connectivity to RDP port from PowerShell (PS 4.0+)
Test-NetConnection -ComputerName 192.168.1.10 -Port 3389

# From CMD, use telnet or PortQry
telnet 192.168.1.10 3389

# Check if RDP listener is active on the local server
netstat -ano | findstr :3389

A TcpTestSucceeded : True result from Test-NetConnection confirms the port is reachable and the service is listening.

Summary

Enabling Remote Desktop on Windows Server 2012 R2 is a straightforward process but one that should be accompanied by proper security controls. The key steps are: set the fDenyTSConnections registry value to 0, enable Network Level Authentication, create or enable the Windows Firewall exception for TCP 3389, and restrict access to the Remote Desktop Users group and appropriate source IP ranges. Using PowerShell makes these steps scriptable and deployable across multiple servers simultaneously, which is essential in enterprise environments where dozens or hundreds of servers need consistent RDP configuration.
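
The settings listed in the summary can be checked in one pass. The following is an added example, not part of the original guide: a read-only PowerShell function (Get-RdpHardeningReport is a hypothetical name) that reports whether RDP and NLA are enabled, which port the listener uses, which enabled inbound allow rules expose that port to any source address, and who is in the Remote Desktop Users group. It assumes an elevated console on the server and matches firewall rules by exact port only, so rules defined with port ranges are not evaluated.

```powershell
# Added example: read-only audit of the RDP settings this guide configures.
# Get-RdpHardeningReport is a hypothetical name; the function changes nothing.
function Get-RdpHardeningReport {
    $ts  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"

    $deny = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication
    $port = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber

    # Enabled inbound allow rules whose local TCP port is the RDP listener port
    $rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and $pf.LocalPort -contains "$port"
        }

    # Of those, the rules with no source restriction (RemoteAddress = Any)
    $open = foreach ($r in $rules) {
        $addr = ($r | Get-NetFirewallAddressFilter).RemoteAddress
        if ($addr -contains 'Any') { $r.DisplayName }
    }

    # Group membership via ADSI, which works on the stock PowerShell 4.0
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
    $members = $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }

    [pscustomobject]@{
        RdpEnabled         = ($deny -eq 0)
        NlaRequired        = ($nla -eq 1)
        ListenerPort       = $port
        ListenerRunning    = ((Get-Service -Name TermService).Status -eq 'Running')
        RulesOpenToAny     = @($open)
        RemoteDesktopUsers = @($members)
    }
}

Get-RdpHardeningReport | Format-List
```

An empty RulesOpenToAny list together with NlaRequired : True matches the hardened state this guide aims for; any rule name listed there still accepts connections from every source address.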