🟠 High   ⏱ 5–30 min  Last verified: 30 May 2026
Affected versions: Windows Server 2016

πŸ“– ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution β€” Primary Fix
  7. Solution β€” Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Remote administration is unavailable because RDP sessions cannot connect.

Environment & Reproduction

After firewall baseline updates or profile drift to Public.

Test-NetConnection localhost -Port 3389
Get-NetFirewallRule -DisplayGroup 'Remote Desktop'

Root Cause Analysis

RDP listener is active but inbound firewall rule is disabled or wrong profile scoped.

Quick Triage

Check termservice status, listener port, and effective firewall profile.

Get-Service TermService
Get-NetConnectionProfile

Step-by-Step Diagnosis

Review firewall logs and rule precedence from ActiveStore.

Get-NetFirewallRule -PolicyStore ActiveStore | Where-Object DisplayGroup -eq 'Remote Desktop'
Get-WinEvent -LogName 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' -MaxEvents 80
Illustrative mockup for windows-server-2016 β€” terminal_or_powershell
RDP firewall and listener diagnostics β€” Illustrative mockup β€” Progressive Robot

Solution β€” Primary Fix

Enable Remote Desktop rule group for Domain profile and refresh policy.

Still having issues? Our Network Design team can diagnose and resolve this for you. Get in touch for a free consultation.

Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Profile Domain -Action Allow
gpupdate /force
Illustrative mockup for windows-server-2016 β€” event_or_log_viewer
Blocked inbound RDP events β€” Illustrative mockup β€” Progressive Robot

Solution β€” Alternative Approaches

Create narrowly scoped allow rule for management subnet.

New-NetFirewallRule -DisplayName 'Allow RDP Mgmt' -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress 10.0.0.0/16 -Action Allow

Verification & Acceptance Criteria

RDP responds from authorized source and unauthorized ranges stay blocked.

Test-NetConnection server01.contoso.local -Port 3389

Rollback Plan

Disable temporary allow rule if broad exposure is detected.

Disable-NetFirewallRule -DisplayName 'Allow RDP Mgmt'

Prevention & Hardening

Audit firewall policy changes and enforce change review for remote-access ports.

Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Select DisplayName,Enabled,Profile

Related to NLA failures and Remote Desktop Services misconfiguration.

Related tutorial: View the step-by-step tutorial for Windows Server 2016.

View all Windows Server 2016 tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Microsoft Remote Desktop and Windows Firewall administration documentation.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β€” we respond within one business day.