You just finished installing Windows Server, you're sitting at the console, and you need to RDP in from your workstation so you can finally close the KVM tab. Here's the fastest way.

The 30-second version

REM Enable RDP
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

REM Open the firewall
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

REM Add your user
net localgroup "Remote Desktop Users" john.doe /add

Done. Reconnect from your workstation. Below is what each piece does and the PowerShell equivalents.

Step 1 — Enable RDP in the registry

The GUI path is System Properties → Remote → Allow remote connections. Registry path:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections

Value 0 = RDP enabled, 1 = disabled.

CMD:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

PowerShell:

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0

Step 2 — Open the Windows Firewall

RDP listens on TCP 3389. The rule group exists by default; it's just disabled.

CMD (legacy but works everywhere):

netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

PowerShell:

Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

If you want to restrict RDP to a specific subnet (highly recommended on internet-facing servers):

Set-NetFirewallRule -DisplayGroup "Remote Desktop" -RemoteAddress "10.0.0.0/8"

Step 3 — Require Network Level Authentication

NLA makes RDP significantly harder to brute-force because the auth happens before a session is spawned. Enable it:

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Value 1

Leave this on. Disabling NLA is a mistake 99% of the time.

Step 4 — Grant login permission

Built-in Administrators can always RDP. Regular users need to be in the Remote Desktop Users group:

net localgroup "Remote Desktop Users" john.doe /add

Or PowerShell:

Add-LocalGroupMember -Group "Remote Desktop Users" -Member "john.doe"

Connect from your workstation

mstsc /v:192.168.1.50

Or just run mstsc and type the hostname/IP.

Change the RDP port (optional, debatable)

Changing the default 3389 reduces log noise from bots. It is not real security (port scanners find it in seconds), but in combination with NLA and firewall-scoping it's fine.

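$port = 3390
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "PortNumber" -Value $port
# Allow the new port inbound. This rule accepts any remote address; add -RemoteAddress to scope it as in Step 2.
New-NetFirewallRule -DisplayName "RDP-$port" -Direction Inbound -Protocol TCP -LocalPort $port -Action Allow
# Restart the Remote Desktop service so the listener moves to the new port (drops active RDP sessions).
Restart-Service TermService -Force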

Now connect with mstsc /v:server:3390.

Enable from a remote PowerShell session (bonus)

If you have PowerShell remoting enabled (Enable-PSRemoting) but not RDP:

Invoke-Command -ComputerName web01 -ScriptBlock {
    Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0
    Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
    Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Value 1
}

Verify

Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name fDenyTSConnections
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Select-Object DisplayName, Enabled
Test-NetConnection -ComputerName server01 -Port 3389
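
To check the hardening steps as well as reachability, the following added example (not part of the original article) audits every setting this guide touches in one read-only pass: RDP state, NLA, the listening port, the scope of the firewall rules that open that port, group membership, and whether Group Policy is setting the values. Get-RdpExposure is a hypothetical function name, and the firewall match assumes rules that name the port exactly.

```powershell
# Added example: read-only audit of the settings this guide changes.
# Get-RdpExposure is a hypothetical function name, not a built-in cmdlet.
function Get-RdpExposure {
    $ts  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    $gpo = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    $enabled = (Get-ItemPropertyValue -Path $ts  -Name fDenyTSConnections) -eq 0
    $nla     = (Get-ItemPropertyValue -Path $tcp -Name UserAuthentication) -eq 1
    $port    = Get-ItemPropertyValue -Path $tcp -Name PortNumber

    # Values present under the policy key come from GPO and win over the local ones.
    $policy = Get-ItemProperty -Path $gpo -ErrorAction SilentlyContinue |
        Select-Object fDenyTSConnections, UserAuthentication

    # Enabled inbound allow rules for exactly this TCP port, with the remote
    # addresses each accepts. Rules using port ranges or "Any" are not matched.
    $rules = @(Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        ForEach-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            if ($pf.Protocol -eq 'TCP' -and $pf.LocalPort -contains "$port") {
                [pscustomobject]@{
                    Rule          = $_.DisplayName
                    RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
                }
            }
        })
    $unscoped = @($rules | Where-Object RemoteAddress -eq 'Any')

    $findings = @()
    if ($enabled -and -not $nla) { $findings += 'NLA is not required (UserAuthentication is not 1)' }
    if ($enabled -and $unscoped) { $findings += "TCP $port accepts any remote address: $($unscoped.Rule -join '; ')" }
    if ($enabled -and -not $rules) { $findings += "No enabled firewall rule allows TCP $port" }
    if ($null -ne $policy.fDenyTSConnections -or $null -ne $policy.UserAuthentication) {
        $findings += 'Group Policy sets RDP values; local registry edits may be overridden'
    }

    [pscustomobject]@{
        RdpEnabled    = $enabled
        NlaRequired   = $nla
        Port          = $port
        FirewallRules = $rules
        RdpUsers      = @(Get-LocalGroupMember -Group 'Remote Desktop Users').Name
        Findings      = $findings
    }
}

Get-RdpExposure | Format-List
```

An empty Findings list means RDP is enabled with NLA required and every matching firewall rule is scoped to specific remote addresses.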

Gotchas

  • Server 2025 / 2022 Core: sconfig menu option 7 toggles RDP with one keypress — use that if you're on Server Core.
  • Cloud / hosted VMs: the provider's network firewall often blocks 3389 separately (AWS Security Group, Azure NSG, Hetzner Robot firewall). Check there too.
  • Domain environments: GPO can override the local setting. Look at Computer Configuration → Admin Templates → Windows Components → Remote Desktop Services.

That's the whole flow. Three commands, two minutes, you're in.