How to Enable/Disable Remote Desktop Access Using Microsoft Intune

Learn to centrally manage RDP access across Windows devices using Intune custom policies, PowerShell remediation, and the official Remote Help alternative for secure enterprise remote access.

Evan Mael
March 26, 2026 | Difficulty: medium | Topic: intune | 8 steps | 15 min read

Why Manage Remote Desktop Access Through Microsoft Intune?

Managing Remote Desktop Protocol (RDP) access across enterprise Windows devices traditionally required manual configuration on each machine or complex Group Policy deployments. Microsoft Intune offers a centralized approach to enable or disable RDP access, though it requires custom configuration due to the lack of native RDP toggles in standard Intune profiles.

What Are the Current Limitations of RDP Management in Intune?

As of March 2026, Intune has no dedicated Remote Desktop toggle. The setting that controls it is the RemoteDesktopServices/AllowUsersToConnectRemotely node of the Policy CSP, which you can deliver with a Custom (OMA-URI) profile, as this guide does, or pick from the Settings Catalog under Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections. That policy only flips the deny flag; the firewall rule and the service state are separate settings, which is why a PowerShell script is deployed alongside it for reliable results. Be aware that the Settings app on a managed device can mislead you: it may show Remote Desktop as off even though the policy has applied and connections succeed, so verify with the commands in the later steps rather than with the UI.

What Is Microsoft's Recommended Alternative to Traditional RDP?

Microsoft strongly recommends using Intune Remote Help as the primary remote access solution for enterprise environments. Remote Help provides secure, cloud-based remote assistance with granular role-based access control, session logging, and integration with Entra ID authentication. Unlike traditional RDP, Remote Help doesn't require firewall modifications or VPN connectivity, making it more suitable for modern zero-trust architectures.

This tutorial will guide you through both approaches: implementing traditional RDP management using Intune's custom policies and PowerShell scripts, as well as configuring the more secure Remote Help alternative. You'll learn to create configuration profiles, manage firewall rules, implement proper authentication, and establish monitoring procedures for enterprise-scale remote access management.

Implementation Guide

Full Procedure

01

Create Custom OMA-URI Policy for RDP

Navigate to the Microsoft Intune admin center and create a custom configuration profile. Traditional RDP isn't directly supported through standard Intune profiles, so we'll use OMA-URI settings.

Sign in to the Microsoft Intune admin center at intune.microsoft.com (the older endpoint.microsoft.com address redirects there). Go to Devices > Configuration > Create > New policy.

Select Windows 10 and later as the platform and Custom as the profile type. Name your policy something descriptive like "Enable RDP Access".

Click Add to create OMA-URI settings. The Remote Desktop policy itself is a single setting:

Name | OMA-URI | Data type | Value
AllowRemoteConnections | ./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/AllowUsersToConnectRemotely | String | <enabled/>

The firewall opening is not a Policy CSP node: there is no ./Vendor/MSFT/Policy/Config/Firewall/FirewallRules/... path, and the built-in RemoteDesktop-UserMode-In-TCP rule cannot be switched on by name through MDM. Either create the rule in the Endpoint security > Firewall > Microsoft Defender Firewall Rules profile (the supported UI), or keep everything in this custom profile by defining an inbound rule through the Firewall CSP, one OMA-URI per property under a rule name of your own choosing (AllowRDPInbound below):

Name | OMA-URI | Data type | Value
RDP rule enabled | ./Vendor/MSFT/Firewall/MdmStore/FirewallRules/AllowRDPInbound/Enabled | Integer | 1
RDP rule direction | ./Vendor/MSFT/Firewall/MdmStore/FirewallRules/AllowRDPInbound/Direction | String | IN
RDP rule protocol | ./Vendor/MSFT/Firewall/MdmStore/FirewallRules/AllowRDPInbound/Protocol | Integer | 6
RDP rule port | ./Vendor/MSFT/Firewall/MdmStore/FirewallRules/AllowRDPInbound/LocalPortRanges | String | 3389
RDP rule action | ./Vendor/MSFT/Firewall/MdmStore/FirewallRules/AllowRDPInbound/Action/Type | Integer | 1
RDP rule profiles | ./Vendor/MSFT/Firewall/MdmStore/FirewallRules/AllowRDPInbound/Profiles | Integer | 3

Action/Type 1 means Allow, and Profiles is a bitmask (1 Domain, 2 Private, 4 Public); the value 3 opens the port on domain and private networks and leaves it closed on public ones, which is the setting a laptop on hotel Wi-Fi should have.

Save the configuration and proceed to assignments.

Warning: This OMA-URI approach has known limitations and may not fully enable RDP on all devices. The Settings app might still show "Disabled" even after successful deployment.
02

Assign Policy to Device Groups

Configure the assignment scope for your RDP policy to target specific device groups or users.

In the policy creation wizard, click Assignments. Select Add groups and choose the appropriate device groups that should have RDP enabled. You can also use filters to target specific device types or operating system versions.

For security purposes, avoid assigning to "All devices" unless your organization specifically requires universal RDP access. Instead, create targeted groups like "IT Admin Devices" or "Remote Work Laptops".

Review your assignments and click Create to deploy the policy.

Verification: Open the profile (Devices > Configuration > select the profile) and check its device check-in status; it should show Succeeded on targeted devices after their next sync, which happens within about 8 hours, or immediately after a manual Sync from the device's page in the admin center.

Pro tip: Create separate policies for enabling and disabling RDP. This allows you to quickly switch access without editing existing policies.
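Creating the paired enable and disable profiles can be scripted rather than clicked through. The following is an added example, not code from the original article: it creates both custom profiles through Microsoft Graph and assigns each to a device group. It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in account holds the DeviceManagementConfiguration.ReadWrite.All scope, and that the two group IDs are placeholders you replace with your own. The function name New-RdpCustomProfile is this example's own.

```powershell
# Added example (not from the original article): create the "Enable RDP Access" and
# "Disable RDP Access" custom OMA-URI profiles with Microsoft Graph so both exist side
# by side, each assigned to its own device group.
# Assumptions: Microsoft.Graph.Authentication is installed, the caller has the
# DeviceManagementConfiguration.ReadWrite.All scope, and the group IDs below are placeholders.

Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

$graph        = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'
$rdpPolicyUri = './Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/AllowUsersToConnectRemotely'

function New-RdpCustomProfile {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][ValidateSet('enabled', 'disabled')][string]$State,
        [Parameter(Mandatory)][string]$GroupId
    )
    # windows10CustomConfiguration is the Graph type behind a "Custom" profile in the portal;
    # each OMA-URI row in the portal is one entry in omaSettings.
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $DisplayName
        description   = "Managed by script: sets AllowUsersToConnectRemotely to <$State/>"
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingString'
                displayName   = 'AllowUsersToConnectRemotely'
                omaUri        = $rdpPolicyUri
                value         = "<$State/>"
            }
        )
    }
    $created = Invoke-MgGraphRequest -Method POST -Uri $graph `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

    # Assign to exactly one device group. Re-targeting later is another call to /assign,
    # so you never have to edit the profile's settings to change who gets it.
    $assignment = @{
        assignments = @(
            @{
                '@odata.type' = '#microsoft.graph.deviceConfigurationAssignment'
                target        = @{
                    '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                    groupId       = $GroupId
                }
            }
        )
    }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/$($created.id)/assign" `
        -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json' | Out-Null

    return $created.id
}

# Placeholder group object IDs (assumptions): one group for devices that get RDP, a
# disjoint group for devices that must have it off. Never put a device in both.
$enableId  = New-RdpCustomProfile -DisplayName 'Enable RDP Access'  -State enabled  -GroupId '00000000-0000-0000-0000-000000000001'
$disableId = New-RdpCustomProfile -DisplayName 'Disable RDP Access' -State disabled -GroupId '00000000-0000-0000-0000-000000000002'
Write-Output "Created profiles: enable=$enableId disable=$disableId"
```

Keep the two target groups mutually exclusive: a device that receives both profiles gets a policy conflict in Intune and an unpredictable effective state. Switching a device from enabled to disabled is then a group membership change, not a profile edit.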
03

Deploy PowerShell Remediation Script

Due to Intune's limitations with RDP configuration, deploy a PowerShell script to ensure proper registry and firewall settings.

Go to Devices > Scripts and remediations > Platform scripts > Add > Windows 10 and later (older versions of the portal list this as Devices > Scripts). Create a new PowerShell script with the following content:

# Enable Remote Desktop (local setting). A fDenyTSConnections value under
# HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, written by Intune or
# Group Policy, overrides this local value, so keep the step 1 policy and this script in agreement.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 0 -Type DWord -Force

# Require Network Level Authentication (recommended for security: no logon screen before auth)
Set-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name 'UserAuthentication' -Value 1 -Type DWord -Force

# Enable the built-in Remote Desktop firewall rule group (TCP 3389, UDP 3389 and shadowing)
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Verify settings
$rdpEnabled  = (Get-ItemProperty -Path $tsKey -Name 'fDenyTSConnections').fDenyTSConnections
$nla         = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name 'UserAuthentication').UserAuthentication
$activeRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object { $_.Enabled -eq 'True' })

if ($rdpEnabled -eq 0 -and $nla -eq 1 -and $activeRules.Count -gt 0) {
    Write-Output "RDP successfully enabled (NLA required, $($activeRules.Count) firewall rules active)"
    exit 0
} else {
    Write-Output "RDP configuration failed (fDenyTSConnections=$rdpEnabled, NLA=$nla, active rules=$($activeRules.Count))"
    exit 1
}

Configure the script to run in System context and set PowerShell execution policy to Bypass. Assign to the same device groups as your OMA-URI policy.

Verification: Open the script under Devices > Scripts and remediations > Platform scripts and check Device status. A successful run reports exit code 0; a device that never appears in the list usually has not synced yet or is not in the assigned group.

04

Configure Entra ID Authentication for RDP

Decide how users will authenticate over RDP to Entra ID joined devices, and make sure they are authorized to connect at all.

Two sign-in methods exist. The legacy method sends the user's Entra ID password through Network Level Authentication (NLA). It works only when the client is joined to the same Entra tenant; from any other client, NLA would have to be switched off on the target, which exposes the logon screen before authentication and is not recommended. The newer method, "Use a web account to sign in to the remote computer", performs the sign-in through Entra ID itself (the checkbox under mstsc's Advanced tab, or the enablerdsaadauth:i:1 property in an .rdp file), so MFA and Conditional Access apply to the session. It requires Windows 11 22H2 or later on the target and a recent Windows 10 or Windows 11 client, and the target must be addressed by host name rather than IP address.

Neither method needs a device-side policy beyond step 1. The Authentication/EnableWebSignIn policy that is sometimes suggested for this controls web sign-in at the Windows lock screen, not RDP, and there is no registry switch on the target to flip. What does need configuring is authorization: by default only local administrators may connect, and every other user must be a member of the local Remote Desktop Users group. On an Entra joined device the account is referenced as AzureAD\<UPN>. Deploy that membership at scale with Intune's Local user group membership policy (Endpoint security > Account protection) or with a platform script.

Verification: On the target, open Settings > System > Remote Desktop; "Require devices to use Network Level Authentication" should be checked (the main toggle may still read as off; see the limitation above). On a Windows 11 client, open mstsc.exe > Show Options > Advanced and confirm that "Use a web account to sign in to the remote computer" is present.

Warning: Do not expose TCP 3389 to the internet with either method. The target must be reachable over a private path (VPN, the corporate network, or a gateway that terminates the connection). Web-account sign-in protects the credential exchange; it does not make an internet-facing RDP listener acceptable.
05

Test RDP Connectivity and Authentication

Verify that RDP is properly configured and accessible from client devices using the correct authentication format.

From a client machine, open Remote Desktop Connection (mstsc.exe). Enter the target's host name, not its IP address, in the form computername.yourdomain.com (web-account sign-in requires the name).

For web-account sign-in, tick "Use a web account to sign in to the remote computer" under Show Options > Advanced, then enter the plain UPN:

Username: user@yourdomain.com

You are redirected to Entra ID for the password and any MFA prompt.

For the legacy password method (client joined to the same tenant, NLA on), use the AzureAD prefix:

Username: AzureAD\user@yourdomain.com
Password: [Entra ID password]

Test the connection and verify that you can successfully authenticate and access the remote desktop.

Verification commands to run on the target device:

# Check RDP service status
Get-Service -Name "TermService" | Select-Object Name, Status

# Verify RDP registry setting
Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections"

# Check firewall rules
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Where-Object {$_.Enabled -eq "True"} | Select-Object DisplayName, Enabled

# Test RDP port accessibility
Test-NetConnection -ComputerName localhost -Port 3389

Pro tip: Deploy the Windows App (the successor to the Remote Desktop client) through Intune's Microsoft Store app type for a more modern client experience. The Microsoft Store for Business has been retired, so it is no longer the distribution channel.
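The two halves of steps 4 and 5, authorizing the user on the target and pointing the client at Entra ID sign-in, can both be done from PowerShell. The following is an added example, not code from the original article. It assumes the target is Entra joined on Windows 11 22H2 or later, that user@yourdomain.com and pc01.yourdomain.com are placeholders, and that the first function is run elevated on the target while the second runs on the client; the function names are this example's own.

```powershell
# Added example (not from the original article). Part 1 runs elevated on the TARGET and
# authorizes an Entra ID user for RDP; part 2 runs on the CLIENT and writes an .rdp file
# that selects web-account (Entra ID) sign-in so MFA and Conditional Access apply.
# Assumptions: user@yourdomain.com and pc01.yourdomain.com are placeholders; the target
# is Entra joined and runs Windows 11 22H2 or later.

function Grant-RdpAccess {
    param([Parameter(Mandatory)][string]$Upn)
    # Only local administrators may connect by default; everyone else must be in
    # Remote Desktop Users. On an Entra joined device the account is written AzureAD\<UPN>.
    $member = "AzureAD\$Upn"
    try {
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $member -ErrorAction Stop
        return "$member added to Remote Desktop Users"
    } catch [Microsoft.PowerShell.Commands.MemberExistsException] {
        return "$member is already a member of Remote Desktop Users"
    }
}

function New-EntraRdpFile {
    param(
        [Parameter(Mandatory)][string]$TargetHost,  # host name, never an IP: web-account sign-in needs it
        [Parameter(Mandatory)][string]$Upn,
        [Parameter(Mandatory)][string]$Path
    )
    $settings = @(
        "full address:s:$TargetHost"
        "username:s:$Upn"
        'enablerdsaadauth:i:1'       # "Use a web account to sign in to the remote computer"
        'authentication level:i:2'   # warn, rather than silently continue, on a server certificate problem
    )
    # mstsc saves .rdp files as UTF-16 LE; writing the same encoding lets the file round-trip through the UI.
    Set-Content -Path $Path -Value $settings -Encoding Unicode
    return $Path
}

# Target side (elevated):
#   Grant-RdpAccess -Upn 'user@yourdomain.com'
# Client side, then open the file with mstsc.exe or a double-click:
#   $rdp = New-EntraRdpFile -TargetHost 'pc01.yourdomain.com' -Upn 'user@yourdomain.com' -Path "$env:USERPROFILE\Desktop\pc01.rdp"
#   Start-Process -FilePath mstsc.exe -ArgumentList "`"$rdp`""
```

The .rdp file is the same thing the mstsc checkbox produces, which makes it easy to hand users a pre-built shortcut that cannot fall back to password sign-in. Group membership written this way persists locally; if you later need to revoke access, the counterpart is Remove-LocalGroupMember with the same AzureAD\<UPN> string, or the Intune Local user group membership policy, which can replace the whole group's membership declaratively.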
06

Configure Intune Remote Help as Alternative

Set up Microsoft's official Remote Help solution as a more secure alternative to traditional RDP for IT support scenarios.

Remote Help is licensed separately (as part of the Intune Suite or as a standalone add-on), so confirm licensing first. Then navigate to Tenant administration > Roles > All roles in the Intune admin center and assign a built-in role such as Help Desk Operator to the users who need to provide remote assistance.

Configure Remote Help permissions for each role:

  • View screen: Read-only access to user's screen
  • Full control: Complete remote control capabilities
  • Elevation: Ability to handle UAC prompts
  • Unattended: Connect without user interaction (Android fully managed devices only)

Enable Remote Help tenant-wide under Tenant administration > Remote Help > Settings: turn on Enable Remote Help and, only if you need it, the option to allow sessions to unenrolled devices. Remote Help is not an Administrative template setting. On Windows the app itself is installed separately: download the installer from https://aka.ms/downloadremotehelp and deploy it as a Win32 app to the device groups that will receive assistance.

Create a PowerShell script to verify Remote Help availability:

# Check whether the Remote Help desktop app is installed.
# On Windows, Remote Help is a Win32 app, not an Appx package: the default install path is
# %ProgramFiles%\Remote Help\RemoteHelp.exe, with the uninstall registry as a fallback check.
$exe = Join-Path $env:ProgramFiles 'Remote Help\RemoteHelp.exe'
$uninstallEntry = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                                         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
                  Where-Object { $_.DisplayName -like 'Remote Help*' } | Select-Object -First 1

if (Test-Path $exe) {
    $version = (Get-Item $exe).VersionInfo.ProductVersion
    Write-Output "Remote Help app is installed: $version"
} elseif ($uninstallEntry) {
    Write-Output "Remote Help app is installed (registry): $($uninstallEntry.DisplayVersion)"
} else {
    Write-Output "Remote Help app not found - deploy the Win32 package"
}

# Check Intune (MDM) enrollment: an enrollment whose ProviderID is "MS DM Server" is Intune.
$enrollments = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments\*' -ErrorAction SilentlyContinue |
               Where-Object { $_.ProviderID -eq 'MS DM Server' }
if ($enrollments) {
    Write-Output "Device is Intune enrolled"
} else {
    Write-Output "No Intune enrollment found"
}

Verification: Help desk operators start a session from the Intune admin center under Devices > All devices > [select device] > New remote assistance session. The user on the device must accept the request in the Remote Help app before the helper sees anything, so a session that never connects usually means the app is missing or the user has not signed in to it.

07

Create Disable RDP Policy for Security

Implement a policy to disable RDP access when remote access is no longer needed, following security best practices.

Create a new custom OMA-URI policy named "Disable RDP Access" with the following setting:

Name | OMA-URI | Data type | Value
DisallowRemoteConnections | ./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/AllowUsersToConnectRemotely | String | <disabled/>

Do not add a second profile that writes Enabled = 0 to the same Firewall CSP rule: two profiles writing one node conflict, and the built-in RemoteDesktop-UserMode-In-TCP rule cannot be toggled by name through MDM anyway. Instead, remove the device from the group targeted by the enable profile and let the script below close the local rules. Make sure the enable and disable profiles are never assigned to the same device at the same time.

Create a corresponding PowerShell script to ensure complete RDP disabling:

# Disable Remote Desktop (local setting). The Intune policy in this step also writes the
# overriding policy key, so the two stay in agreement.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 1 -Type DWord -Force

# Disable the built-in Remote Desktop firewall rule group
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Stop and disable Remote Desktop Services. This is belt-and-braces: the two settings above
# already refuse connections. Remove these two lines if anything else on the device still
# needs the service (for example RDS shadowing).
Stop-Service -Name 'TermService' -Force
Set-Service -Name 'TermService' -StartupType Disabled

# Verify: connections must be denied and no rule in the group may remain enabled
$rdpDenied   = (Get-ItemProperty -Path $tsKey -Name 'fDenyTSConnections').fDenyTSConnections
$activeRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object { $_.Enabled -eq 'True' })

if ($rdpDenied -eq 1 -and $activeRules.Count -eq 0) {
    Write-Output "RDP successfully disabled"
    exit 0
} else {
    Write-Output "RDP disable configuration failed (fDenyTSConnections=$rdpDenied, active rules=$($activeRules.Count))"
    exit 1
}

Verification: Test that RDP connections are rejected by attempting to connect from a client machine. The connection should fail immediately or timeout.

Warning: Always test disable policies on non-production devices first. Incorrectly configured policies could lock administrators out of remote systems.
08

Monitor and Troubleshoot RDP Deployment

Implement monitoring and troubleshooting procedures to ensure RDP policies are working correctly across your device fleet.

Use Intune's built-in reporting to monitor policy status: open each profile under Devices > Configuration for its per-device check-in results, and the platform script under Devices > Scripts and remediations for its run results and exit codes.

Create a comprehensive troubleshooting script that can be deployed on-demand:

# RDP Troubleshooting and Status Check Script

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Check RDP service
$rdpService = Get-Service -Name "TermService"
Write-Output "RDP Service Status: $($rdpService.Status) (start type: $($rdpService.StartType))"

# Check registry settings: a policy-delivered value (Intune or GPO) overrides the local one
$rdpRegistry = Get-ItemProperty -Path $tsKey  -Name "fDenyTSConnections" -ErrorAction SilentlyContinue
$rdpPolicy   = Get-ItemProperty -Path $polKey -Name "fDenyTSConnections" -ErrorAction SilentlyContinue
$effectiveDeny = if ($rdpPolicy) { $rdpPolicy.fDenyTSConnections } else { $rdpRegistry.fDenyTSConnections }
Write-Output "RDP Local Setting (0=Enabled, 1=Disabled): $($rdpRegistry.fDenyTSConnections)"
Write-Output "RDP Policy Setting (blank = no policy): $($rdpPolicy.fDenyTSConnections)"
Write-Output "RDP Effective Setting: $effectiveDeny"

# Check firewall rules
$firewallRules = Get-NetFirewallRule -DisplayGroup "Remote Desktop"
foreach ($rule in $firewallRules) {
    Write-Output "Firewall Rule: $($rule.DisplayName) - Enabled: $($rule.Enabled)"
}

# Check network connectivity (local listener only; remote reachability is a network question)
$rdpPort = Test-NetConnection -ComputerName localhost -Port 3389 -WarningAction SilentlyContinue
Write-Output "RDP Port 3389 Accessible: $($rdpPort.TcpTestSucceeded)"

# Check Intune management: ProviderID "MS DM Server" identifies an Intune enrollment
$intuneStatus = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Enrollments\*" -ErrorAction SilentlyContinue |
                Where-Object { $_.ProviderID -eq 'MS DM Server' }
if ($intuneStatus) {
    Write-Output "Intune Enrollment: Active"
} else {
    Write-Output "Intune Enrollment: Not detected"
}

# Generate summary report (the PowerShell newline escape is `n, not \n)
Write-Output "`n=== RDP Configuration Summary ==="
if ($effectiveDeny -eq 0 -and $rdpService.Status -eq "Running" -and $rdpPort.TcpTestSucceeded) {
    Write-Output "Status: RDP is properly configured and accessible"
} else {
    Write-Output "Status: RDP configuration issues detected"
    Write-Output "Recommended: Re-run RDP enable script or check Intune policy assignment"
}

Deploy this script to devices experiencing RDP issues for quick diagnostics.

Common troubleshooting steps:

  • Verify device is Intune-enrolled and compliant
  • Check that policies are assigned to correct device groups
  • Ensure PowerShell execution policy allows script execution
  • Confirm network connectivity and VPN requirements for Entra ID devices
  • Review Windows Event Logs for Remote Desktop Services errors
Pro tip: Set up automated compliance reporting using Intune's custom compliance policies to continuously monitor RDP configuration status across your device fleet.
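The custom compliance policy mentioned in the pro tip needs two artifacts: a detection script whose last output is one compressed JSON object, and a rules file that tells Intune which values count as compliant. The following is an added example, not code from the original article. The key names, the MoreInfoUrl and the thresholds (which describe a fleet where RDP must be on, with NLA) are assumptions; the function names are this example's own.

```powershell
# Added example (not from the original article): detection script plus rules file for an
# Intune custom compliance policy that continuously reports RDP state.
# Intune runs the detection script on the device (as SYSTEM unless you choose the logged-on
# user) and parses the single compressed JSON object it returns. The rules file is uploaded
# with the policy. Key names, MoreInfoUrl and thresholds are assumptions for this example.

function Get-RdpComplianceState {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # Effective deny flag: no value at all means RDP is off; a local value sets it;
    # a policy-delivered value (Intune or GPO) wins over the local one.
    $denied = 1
    $loc = Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty -Path $polKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
    if ($loc) { $denied = [int]$loc.fDenyTSConnections }
    if ($pol) { $denied = [int]$pol.fDenyTSConnections }

    $nla = Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue
    $nlaRequired = if ($nla) { [int]$nla.UserAuthentication } else { 0 }

    $rulesOn = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                 Where-Object { $_.Enabled -eq 'True' }).Count

    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $running = [bool]($svc -and $svc.Status -eq 'Running')

    return [ordered]@{
        RdpDenied          = $denied
        NlaRequired        = $nlaRequired
        RdpFirewallRulesOn = $rulesOn
        TermServiceRunning = $running
    }
}

# Writes the rules file you upload with the policy. Run this once on an admin workstation,
# not on devices; it is not part of the deployed detection script.
function Export-RdpComplianceRules {
    param([Parameter(Mandatory)][string]$Path)
    $url = 'https://intranet.example/rdp-policy'   # placeholder (assumption)
    $rules = @{ Rules = @(
        @{ SettingName = 'RdpDenied'; Operator = 'IsEquals'; DataType = 'Int64'; Operand = 0; MoreInfoUrl = $url
           RemediationStrings = @(@{ Language = 'en_US'; Title = 'Remote Desktop is disabled'
                                    Description = 'The Enable RDP policy or script has not applied. Sync the device or re-run the script.' }) }
        @{ SettingName = 'NlaRequired'; Operator = 'IsEquals'; DataType = 'Int64'; Operand = 1; MoreInfoUrl = $url
           RemediationStrings = @(@{ Language = 'en_US'; Title = 'Network Level Authentication is off'
                                    Description = 'RDP connections must require NLA.' }) }
        @{ SettingName = 'RdpFirewallRulesOn'; Operator = 'GreaterEquals'; DataType = 'Int64'; Operand = 1; MoreInfoUrl = $url
           RemediationStrings = @(@{ Language = 'en_US'; Title = 'Remote Desktop firewall rules are disabled'
                                    Description = 'The Remote Desktop inbound rule group is not enabled.' }) }
        @{ SettingName = 'TermServiceRunning'; Operator = 'IsEquals'; DataType = 'Boolean'; Operand = $true; MoreInfoUrl = $url
           RemediationStrings = @(@{ Language = 'en_US'; Title = 'Remote Desktop Services is not running'
                                    Description = 'The TermService service is stopped or disabled.' }) }
    ) }
    $rules | ConvertTo-Json -Depth 6 | Set-Content -Path $Path -Encoding UTF8
    return $Path
}

# Deployed detection script ends here: the last output line must be the compressed JSON.
Get-RdpComplianceState | ConvertTo-Json -Compress
```

Ship only Get-RdpComplianceState and the final line as the detection script; generate the rules file once with Export-RdpComplianceRules -Path .\rdp-compliance.json and upload it when creating the policy (Devices > Compliance > Scripts, then a compliance policy with the Custom compliance setting). For the part of the fleet where RDP must stay off, make a second policy with RdpDenied expected to be 1 and RdpFirewallRulesOn expected to be 0, and let Conditional Access act on the resulting compliance state.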

Frequently Asked Questions

Why doesn't Microsoft Intune have a direct toggle for enabling RDP access?
There is no dedicated switch, but the policy exists: RemoteDesktopServices/AllowUsersToConnectRemotely in the Policy CSP, deliverable through a Custom (OMA-URI) profile or the Settings Catalog. What Intune does not give you is a single control that also opens the firewall and keeps the service running, which is why this guide pairs the policy with a PowerShell script. Microsoft positions Remote Help as the supported help-desk tool because it works over outbound HTTPS with role-based access and session auditing instead of an inbound listener on every device.

What's the difference between Intune Remote Help and traditional RDP access?
Remote Help is a cloud-brokered assistance session: the helper is authorized by an Intune role, the user on the device sees and accepts the request, nothing listens inbound on the device, and sessions are logged. Traditional RDP is a full interactive logon to a Windows Pro, Enterprise or Server target listening on TCP 3389, so it needs an enabled inbound rule, a private network path to the device and local authorization of the user. RDP clients exist for Windows, macOS, iOS and Android; the restriction is on the target, which must be Windows.

Why does the Windows Settings app show RDP as disabled even after Intune policy deployment?
The Settings page does not reliably reflect the policy-delivered value, so it can show Remote Desktop as off (often next to "Some settings are managed by your organization") while connections actually succeed. Trust fDenyTSConnections under the policy key, the TermService state and a Test-NetConnection on port 3389 over the UI. The PowerShell script in step 3 also writes the local value, which keeps the display consistent on most devices.

Can Entra ID joined devices use RDP without VPN connectivity?
Only if the client can already reach the device on a private network. RDP should never be exposed directly to the internet, so for remote users that means a VPN or an equivalent private path; web-account (Entra ID) sign-in changes how the session authenticates, not how the device is reached. If the requirement is help-desk assistance rather than a full remote logon, Remote Help needs no inbound path at all.

How do I troubleshoot RDP connections that fail after Intune policy deployment?
Confirm the device is enrolled and the profile shows Succeeded for it. On the target, check that the effective fDenyTSConnections (policy key first, then the local key) is 0, that TermService is running, that the Remote Desktop firewall rule group is enabled, and that Test-NetConnection -Port 3389 succeeds locally. Then check authorization: non-administrators must be members of Remote Desktop Users. For Entra ID sign-in, connect by host name and use either the web-account option with the plain UPN or, from a client joined to the same tenant, AzureAD\user@yourdomain.com with NLA on.
Written by Evan Mael

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
