This tutorial will show you how to enable or disable Remote Desktop connections to your Windows 11 PC.
You can use Remote Desktop to connect to and control your PC from a remote device by using a Microsoft Remote Desktop client (available for Windows, iOS, macOS and Android). When you allow remote connections to your PC, you can use another device to connect to your PC and have access to all of your apps, files, and network resources as if you were sitting at your desk.
Should I enable Remote Desktop?
If you only want to access your PC when you are physically using it, you don't need to enable Remote Desktop. Enabling Remote Desktop opens a port on your PC that is visible to your local network. You should only enable Remote Desktop in trusted networks, such as your home. You also don't want to enable Remote Desktop on any PC where access is tightly controlled.
Be aware that when you enable access to Remote Desktop, you are granting anyone in the Administrators group, as well as any additional users you select, the ability to remotely access their accounts on the computer.
You should ensure that every account that has access to your PC is configured with a strong password.
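To see which accounts that covers on a given PC, the following PowerShell sketch lists the members of the two local groups Remote Desktop admits and shows password details for local users. It is an added example, not part of the original tutorial; it assumes Windows PowerShell 5.1 with the built-in LocalAccounts module and identifies the groups by their well-known SIDs.

```powershell
# Added example: list every account that Remote Desktop would admit on this PC.
# Well-known SIDs are used so the script also works on localized Windows installs.
$rdpGroups = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-555' = 'Remote Desktop Users'
}

$report = foreach ($sid in $rdpGroups.Keys) {
    foreach ($member in Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue) {
        $row = [ordered]@{
            Group            = $rdpGroups[$sid]
            Account          = $member.Name
            Source           = $member.PrincipalSource
            Enabled          = $null
            PasswordRequired = $null
            PasswordLastSet  = $null
        }
        # Password details can only be read here for accounts stored on this PC;
        # domain accounts and nested groups keep the empty columns.
        $user = Get-LocalUser -SID $member.SID -ErrorAction SilentlyContinue
        if ($user) {
            $row.Enabled          = $user.Enabled
            $row.PasswordRequired = $user.PasswordRequired
            $row.PasswordLastSet  = $user.PasswordLastSet
        }
        [pscustomobject]$row
    }
}

$report | Sort-Object Group, Account | Format-Table -AutoSize

# Enabled local accounts that are not required to have a password come first.
$report | Where-Object { $_.Enabled -and $_.PasswordRequired -eq $false } |
    ForEach-Object { Write-Warning "$($_.Account) is enabled and does not require a password" }
```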
Why allow connections only with Network Level Authentication?
If you want to restrict who can access your PC, choose to allow access only with Network Level Authentication (NLA). When you enable this option, users have to authenticate themselves to the network before they can connect to your PC. Allowing connections only from computers running Remote Desktop with NLA is a more secure authentication method that can help protect your computer from malicious users and software. To learn more about NLA and Remote Desktop, check out Configure NLA for RDS Connections.
If you're remotely connecting to a PC on your home network from outside of that network, don't select this option.
To be able to create a remote connection, you will first need to enable the Remote Desktop feature.
Reference:
How to use Remote Desktop - Microsoft Support
You must be signed in as an administrator to enable or disable Remote Desktop.
You can't connect to computers running a Home edition of Windows, but you can connect to Pro, Enterprise, and Education editions of Windows from any edition.
- Option One: Turn On or Off Remote Desktop in Settings
- Option Two: Turn On or Off Remote Desktop in Control Panel
- Option Three: Turn On or Off Remote Desktop using REG file
- Option Four: Enable or Disable Remote Desktop with Policy in Local Group Policy Editor
- Option Five: Enable or Disable Remote Desktop with Policy using REG file
1 Open Settings (Win+I).
2 Click/tap on System on the left side, and click/tap on Remote Desktop on the right side.
Open Remote Desktop settings
3 Turn On or Off (default) Remote Desktop for what you want on the right side.
4 Click/tap on Confirm.
5 You can now close Settings if you like.
1 Open the Control Panel (category view).
2 Click/tap on the System and Security link.
3 Click/tap on the Allow remote access link to open SystemPropertiesRemote.exe.
4 Do step 5 (enable) or step 6 (disable) below for what you want.
This is the default setting.
7 You can close the Control Panel and System Properties if you like.
This changes the same settings in Option One and Option Two.
1 Do step 2 (enable with Network Level Authentication), step 3 (enable without Network Level Authentication), or step 4 (disable) below for what you would like to do.
(Contents of REG file for reference)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"updateRDStatus"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"UserAuthentication"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"RemoteDesktop-UserMode-In-TCP"="v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|App=%SystemRoot%\\system32\\svchost.exe|Svc=termservice|Name=@FirewallAPI.dll,-28775|Desc=@FirewallAPI.dll,-28756|EmbedCtxt=@FirewallAPI.dll,-28752|"
"RemoteDesktop-UserMode-In-UDP"="v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=3389|App=%SystemRoot%\\system32\\svchost.exe|Svc=termservice|Name=@FirewallAPI.dll,-28776|Desc=@FirewallAPI.dll,-28777|EmbedCtxt=@FirewallAPI.dll,-28752|"
"RemoteDesktop-Shadow-In-TCP"="v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=%SystemRoot%\\system32\\RdpSa.exe|Name=@FirewallAPI.dll,-28778|Desc=@FirewallAPI.dll,-28779|EmbedCtxt=@FirewallAPI.dll,-28752|Edge=TRUE|Defer=App|"
(Contents of REG file for reference)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"updateRDStatus"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"UserAuthentication"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"RemoteDesktop-UserMode-In-TCP"="v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|App=%SystemRoot%\\system32\\svchost.exe|Svc=termservice|Name=@FirewallAPI.dll,-28775|Desc=@FirewallAPI.dll,-28756|EmbedCtxt=@FirewallAPI.dll,-28752|"
"RemoteDesktop-UserMode-In-UDP"="v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=3389|App=%SystemRoot%\\system32\\svchost.exe|Svc=termservice|Name=@FirewallAPI.dll,-28776|Desc=@FirewallAPI.dll,-28777|EmbedCtxt=@FirewallAPI.dll,-28752|"
"RemoteDesktop-Shadow-In-TCP"="v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=%SystemRoot%\\system32\\RdpSa.exe|Name=@FirewallAPI.dll,-28778|Desc=@FirewallAPI.dll,-28779|EmbedCtxt=@FirewallAPI.dll,-28752|Edge=TRUE|Defer=App|"
This is the default setting.
(Contents of REG file for reference)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000001
"updateRDStatus"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"RemoteDesktop-UserMode-In-TCP"="v2.33|Action=Allow|Active=FALSE|Dir=In|Protocol=6|LPort=3389|App=%SystemRoot%\\system32\\svchost.exe|Svc=termservice|Name=@FirewallAPI.dll,-28775|Desc=@FirewallAPI.dll,-28756|EmbedCtxt=@FirewallAPI.dll,-28752|"
"RemoteDesktop-UserMode-In-UDP"="v2.33|Action=Allow|Active=FALSE|Dir=In|Protocol=17|LPort=3389|App=%SystemRoot%\\system32\\svchost.exe|Svc=termservice|Name=@FirewallAPI.dll,-28776|Desc=@FirewallAPI.dll,-28777|EmbedCtxt=@FirewallAPI.dll,-28752|"
"RemoteDesktop-Shadow-In-TCP"="v2.33|Action=Allow|Active=FALSE|Dir=In|Protocol=6|App=%SystemRoot%\\system32\\RdpSa.exe|Name=@FirewallAPI.dll,-28778|Desc=@FirewallAPI.dll,-28779|EmbedCtxt=@FirewallAPI.dll,-28752|Edge=TRUE|Defer=App|"
5 Save the .reg file to your desktop.
6 Double click/tap on the downloaded .reg file to merge it.
7 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.
8 You can now delete the downloaded .reg file if you like.
The Local Group Policy Editor is only available in the Windows 11 Pro, Enterprise, and Education editions.
All editions can use Option Five to configure the same policy.
1 Open the Local Group Policy Editor (gpedit.msc).
2 Navigate to the policy location below in the left pane of the Local Group Policy Editor.
3 In the right pane of Connections in the Local Group Policy Editor, double click/tap on the Allow users to connect remotely by using Remote Desktop Services policy to edit it.
4 Do step 5 (not configured), step 6 (always enabled), or step 7 (always disabled) below for what you want.
This will allow using Option One, Option Two, and Option Three.
This will override and prevent using Option One, Option Two, and Option Three.
This will override and prevent using Option One, Option Two, and Option Three.
8 When finished, you can close the Local Group Policy Editor if you like.
This option configures the same policy in Option Four.
1 Do step 2 (not configured), step 3 (always enabled), or step 4 (always disabled) below for what you would like to do.
This will allow using Option One, Option Two, and Option Three.
(Contents of REG file for reference)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fDenyTSConnections"=-
This will override and prevent using Option One, Option Two, and Option Three.
(Contents of REG file for reference)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fDenyTSConnections"=dword:00000000
This will override and prevent using Option One, Option Two, and Option Three.
(Contents of REG file for reference)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fDenyTSConnections"=dword:00000001
5 Save the .reg file to your desktop.
6 Double click/tap on the downloaded .reg file to merge it.
7 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.
8 You can now delete the downloaded .reg file if you like.
That's it,
Shawn Brink
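After using any of the options above, the result can be checked by reading back the same registry values and firewall rules. The PowerShell sketch below is an added example, not part of the original tutorial; the helper name Get-RegValue is hypothetical, and the script only inspects the keys, values and rule names shown in the REG files for Option Three and Option Five.

```powershell
# Added example: report the effective Remote Desktop state from the registry
# values used in Options Three and Five, plus the three built-in firewall rules.
$local  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$local\WinStations\RDP-Tcp"
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy "Not Configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$localDeny  = Get-RegValue $local  'fDenyTSConnections'
$policyDeny = Get-RegValue $policy 'fDenyTSConnections'
$nla        = Get-RegValue $rdpTcp 'UserAuthentication'

# A configured policy value overrides the local setting (Options Four and Five).
$decidedBy = if ($null -ne $policyDeny) { 'Policy' } else { 'Local setting' }
$effective = if ($null -ne $policyDeny) { $policyDeny } else { $localDeny }

# The rule names written by the REG files in Option Three.
$ruleNames = 'RemoteDesktop-UserMode-In-TCP',
             'RemoteDesktop-UserMode-In-UDP',
             'RemoteDesktop-Shadow-In-TCP'
$activeRules = @(Get-NetFirewallRule -Name $ruleNames -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' } |
    Select-Object -ExpandProperty Name)

$status = [pscustomobject]@{
    RemoteDesktopEnabled = ($effective -eq 0)
    DecidedBy            = $decidedBy
    NlaRequired          = ($nla -eq 1)
    ActiveFirewallRules  = $activeRules -join ', '
}
$status | Format-List

if ($status.RemoteDesktopEnabled -and -not $status.NlaRequired) {
    Write-Warning 'Remote Desktop is enabled without Network Level Authentication.'
}
if (-not $status.RemoteDesktopEnabled -and $activeRules.Count -gt 0) {
    Write-Warning 'Remote Desktop is disabled but its inbound firewall rules are still active.'
}
```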
Attachments
- Always_Disable_Remote_Desktop.reg (642 bytes)
- Always_Enable_Remote_Desktop.reg (642 bytes)
- Default_Not_Configured_Remote_Desktop.reg (616 bytes)
- Disable_Remote_Desktop.reg (2.4 KB)
- Enable_Remote_Desktop_with_Network_Level_Authentication.reg (2.6 KB)
- Enable_Remote_Desktop_without_Network_Level_Authentication.reg (2.6 KB)