As many of you know, I’m re-creating my Microsoft Endpoint Manager Configuration Manager (MEMCM / MECM), formerly System Center Configuration Manager (SCCM / CM), lab. There are things that I’m re-doing along the way, so I thought I would document this task. If you are like me, you create a new virtual machine (VM) on Hyper-V and then switch over to Remote Desktop Connection Manager (RDCM) as soon as the VM has joined the domain. But there is the problem: I almost always forget to enable Remote Desktop, so when I try to connect, it fails. To solve this I will create a GPO that allows RDP and a few other settings too. This step-by-step blog will show you How to Enable Remote Desktop via GPO, which prevents getting access denied when RDPing to a newly created VM.

How to Enable Remote Desktop via GPO

Group Policy Management in Start menu

Start by launching Group Policy Management (GPM) generally on a Domain Controller (DC).

Creating blank GPO

Within the GPM window, expand your Forest node and locate your Domain. Then right-click it and select the Create a GPO in this domain, and Link it here… menu item.

Naming the GPO

Give the GPO a name, in my case Remote Desktop, and click OK to create an empty GPO.

GPO Popup message

Click the empty GPO. If you get the popup, optionally tick the Do not show this message again check box, then click OK to continue.

Editing the GPO

Again, right-click the GPO and select Edit…

Connection Node within GPME

Within Group Policy Management Editor (GPME), browse to Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Connections, then double-click Allow users to connect remotely using Remote Desktop Services.

Enabling RDP GPO

Select Enabled before clicking OK.

You would think that is all you need to do, as it is all you need to do when you perform this task manually. But no, you also need to open the firewall ports.

How to open Remote Desktop Firewall ports

With the GPME still open, browse to Computer Configuration | Policies | Administrative Templates | Network | Network Connections | Windows Defender Firewall | Domain Profile, then double-click Windows Defender Firewall: Allow inbound Remote Desktop exceptions.

Defining IP subnet for firewall rule.

Select Enabled. In the text box you can use a * to allow any IP address to connect to Remote Desktop (RD), BUT it is better to limit this to just your network, since the exception applies to every domain computer that receives the GPO. Therefore, I use 192.168.84.0/24 to allow any computer on this network to connect via RD. Click OK to apply.

How to open the ICMP (Ping) Firewall exception

Locating ICMP (Ping) firewall rule

Since I’m doing the RD firewall ports, I thought that I would also open the ICMP exception, aka allow ping. With the GPME still open, I double-clicked Windows Defender Firewall: Allow ICMP exceptions.

Enabling and allowing inbound echo requests

Select Enabled, tick Allow inbound echo request, and click OK to close the window. Then close GPME and GPM.

Now that the GPO has been created and linked at the domain, each computer that joins the domain will download and apply it, enabling Remote Desktop along with the ping settings. This lets me RDP to new VMs as soon as they come online, removing one of my frustrations when creating a new VM.
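To confirm that the three settings from this walkthrough have actually applied to a newly joined VM, and that the RDP exception is scoped to the lab subnet rather than *, here is an added PowerShell check (example code, not from the original post). The registry paths are the ones the Administrative Template policies write to under HKLM\SOFTWARE\Policies; they and the 192.168.84.0/24 default are assumptions to confirm against your own gpresult output.

```powershell
# Added example: verify the Remote Desktop GPO on a domain-joined VM.
# Run locally on the VM, or from the admin box via Invoke-Command.
param([string]$ExpectedScope = '192.168.84.0/24')   # lab subnet from the post

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the value is absent, i.e. the GPO has not applied yet.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

# Assumed policy locations (Terminal Services and legacy Windows Firewall ADMX).
$tsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$fwKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

$denyTs  = Get-PolicyValue -Path $tsKey -Name 'fDenyTSConnections'          # 0 = RDP allowed
$rdpOn   = Get-PolicyValue -Path "$fwKey\Services\RemoteDesktop" -Name 'Enabled'
$rdpFrom = Get-PolicyValue -Path "$fwKey\Services\RemoteDesktop" -Name 'RemoteAddresses'
$echoOn  = Get-PolicyValue -Path "$fwKey\IcmpSettings" -Name 'AllowInboundEchoRequest'

$result = [pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    RdpAllowedByPolicy  = ($denyTs -eq 0)
    RdpFirewallEnabled  = ($rdpOn -eq 1)
    RdpFirewallScope    = $rdpFrom
    PingAllowedByPolicy = ($echoOn -eq 1)
}

if ($null -eq $denyTs -and $null -eq $rdpOn) {
    Write-Warning 'No policy values present yet; run gpupdate /force and re-check.'
}
# Flag the wide-open scope the post warns against, or a scope that drifted.
if ($rdpFrom -eq '*') {
    Write-Warning "RDP exception is open to any address; the GPO should use $ExpectedScope."
} elseif ($rdpFrom -and $rdpFrom -ne $ExpectedScope) {
    Write-Warning "RDP exception scope '$rdpFrom' differs from expected '$ExpectedScope'."
}

$result
```

From the admin workstation you can run it remotely with Invoke-Command -ComputerName NEWVM -FilePath .\Check-RdpGpo.ps1 (NEWVM is a placeholder), and pair it with Test-NetConnection -ComputerName NEWVM -Port 3389 to confirm the port is actually reachable from your subnet.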

I hope you found this post on How to Enable Remote Desktop via GPO useful. If you have any questions, please feel free to touch base @Garthmj.