Remote Desktop is an essential tool for system administrators and support personnel to connect to and interactively manage remote Windows PCs or servers as if sitting in front of the console or monitor. By default, Remote Desktop Services (RDP) is disabled on Windows systems.

In order to use Remote Desktop Connection (RDC) to connect to a remote network computer, Remote Desktop must be enabled on the remote system. If the Remote Desktop service is not already turned on, then it may be a hassle or inconvenience to go to the remote computer to turn on Remote Desktop.

Microsoft provides several ways to enable Remote Desktop remotely. One of them is Windows PowerShell, which has been natively available in Windows client and Windows Server operating systems since Windows 7 and Windows Server 2008 R2, including the latest Windows 10 and Windows Server 2016.

This tutorial shows how to enable and turn on Remote Desktop on a remote computer using PowerShell commands. The PowerShell scripts manipulate the following two WMI objects from within the root\CIMV2\TerminalServices namespace:

  • Win32_TerminalServiceSetting via the SetAllowTSConnections method.
  • Win32_TSGeneralSetting via the SetUserAuthenticationRequired method.

To check the status of Remote Desktop access, use the following command in PowerShell:

Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace root\CIMV2\TerminalServices -Computer $Computer -Authentication 6

Replace $Computer with the name of the computer on which you want to enable Remote Desktop, or with multiple computer names separated by commas.

The -Authentication parameter is required because the Win32_TerminalServiceSetting WMI class requires packet-level authentication for remote access. Authentication level 6 (PacketPrivacy) meets this requirement. Without it, an “Access Denied” error may occur even if you have administrative rights on the remote computer.

To enable Remote Desktop, run the following PowerShell command:

(Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace root\CIMV2\TerminalServices -Computer $Computer -Authentication 6).SetAllowTsConnections(1)

The SetAllowTSConnections() method actually accepts two arguments. The first one specifies whether new Remote Desktop connections are allowed (0 – disable; 1 – enable), and the second one specifies whether the firewall exception setting for Remote Desktop will be modified to the state specified by the AllowTSConnections parameter (0 – do not modify firewall exception setting; 1 – modify firewall exception setting). If you want to automatically configure the firewall to allow the Remote Desktop (RDP) ports too, use the following command:

(Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace root\CIMV2\TerminalServices -Computer $Computer -Authentication 6).SetAllowTSConnections(1,1)

In addition, the closely related Win32_TSGeneralSetting class supports another method, SetUserAuthenticationRequired, which enables or disables the requirement that users must be authenticated at connection time (0 – disable the requirement that users must be authenticated; 1 – enable the requirement that users must be authenticated). This requirement is what is known as NLA (Network Level Authentication). When this option is enabled (the default setting), users have to authenticate themselves to the network before they can connect to your PC.

Allowing connections only from computers running Remote Desktop with NLA is a more secure authentication method that can help protect the computer from malicious users and software. Thus, unless you have an RDP client older than version 6.0, the setting need not be changed. However, if needed, the syntax to disable NLA is as follows:

(Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\CIMV2\terminalservices -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)
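
An added example, not from the original tutorial: a helper that combines the two methods above, making sure NLA is required before Remote Desktop and its firewall exception are turned on, then reading both settings back to confirm the result. The function name Enable-RemoteDesktopWithNla and the host names SRV01 and SRV02 are hypothetical, and it assumes Windows PowerShell, where Get-WmiObject is available.

```powershell
# Added example: hypothetical helper, not part of the original tutorial.
function Enable-RemoteDesktopWithNla {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName
    )

    foreach ($computer in $ComputerName) {
        # Common arguments; Authentication 6 = PacketPrivacy, needed for remote access.
        $wmi = @{
            Namespace      = 'root\CIMV2\TerminalServices'
            ComputerName   = $computer
            Authentication = 6
            ErrorAction    = 'Stop'
        }
        $result = @{ ComputerName = $computer; RdpEnabled = $null; NlaRequired = $null; Error = $null }

        try {
            $nla = Get-WmiObject @wmi -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-tcp'"
            $ts  = Get-WmiObject @wmi -Class Win32_TerminalServiceSetting

            # Require NLA first, so the listener is never opened without it.
            if ($nla.UserAuthenticationRequired -ne 1) {
                $r = $nla.SetUserAuthenticationRequired(1)
                if ($r.ReturnValue -ne 0) { throw "SetUserAuthenticationRequired returned $($r.ReturnValue)" }
            }

            # 1,1 = allow connections and update the firewall exception to match.
            $r = $ts.SetAllowTSConnections(1, 1)
            if ($r.ReturnValue -ne 0) { throw "SetAllowTSConnections returned $($r.ReturnValue)" }

            # Re-read both objects to report the state actually in effect.
            $nla = Get-WmiObject @wmi -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-tcp'"
            $ts  = Get-WmiObject @wmi -Class Win32_TerminalServiceSetting
            $result.RdpEnabled  = ($ts.AllowTSConnections -eq 1)
            $result.NlaRequired = ($nla.UserAuthenticationRequired -eq 1)
        }
        catch {
            # Unreachable host, access denied, or a non-zero WMI return value.
            $result.Error = $_.Exception.Message
        }

        New-Object PSObject -Property $result
    }
}

# Constructed host names; replace with your own.
Enable-RemoteDesktopWithNla -ComputerName 'SRV01', 'SRV02' |
    Select-Object ComputerName, RdpEnabled, NlaRequired, Error
```

Any row where NlaRequired is not True, or where Error is populated, identifies a host whose Remote Desktop configuration should be reviewed by hand.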