Windows Firewall: Remote Desktop block action by local policy
Solution 1
I had the same issue and found it was due to a space in the GPO comma delimited list. I documented this on my blog:
TLDR: Don’t put any spaces in the IP address list for the GPO setting for Computer/Admin Templates/Network/Network Connections/Windows Firewall/Domain Profile/Windows Firewall: Allow inbound Remote Desktop exceptions.
Solution 2
Try using the initial configuration tasks wizard to enable RDP access. It should the eighth option down. I believe Microsoft designed this to override Group Policy or any other settings so the system wouldn't automatically expose any ports/services (i.e. from GP rules) until all updates had a chance to be applied following a new install.
Related videos on Youtube
the-wabbit
Updated on September 18, 2022Comments
-
the-wabbit almost 2 years
On a fresh domain-joined Server 2012 R2 install I see a peculiarity where an enabled "Remote Desktop" rule is set to Block in the Domain profile:
As block rules take precedence over allow rules, I seem unable to effectively insert a firewall exception allowing RDP traffic to this machine. I cannot edit this rule as "This rule has been applied by the system administrator and cannot be modified". I also cannot override it by the "Remote Desktop" predefined rule in a Group Policy as this does not update the "Remote Desktop" rule but is introducing a new "Remote Desktop (TCP-In)" rule, with the "Remote Desktop" block rule still in place and taking precedence.
Contrary to what the Rule Source column (the first column in the screenshot above) is telling me, the rule is not defined in the machine's local policy:
Folks seem to have encountered this problem on older (Windows 7 / 2008 R2) installs as well, yet there seems to be no effective resolution documented in these cases.
So where does this come from and how to disable this block rule?
-
the-wabbit over 9 yearsI have not seen this in Server 2012 R2. The "Server Manager" is listing Remote Desktop (and Remote Management) as "Enabled" in the "Local Server" section. I am going to try running through an update cycle to see if this is to change things.
-
the-wabbit over 9 yearsSo the update cycle seems to have helped. Thank you for pointing me into the right direction.
-
Amin Hossain over 9 yearsNo problem, glad it's working for you!
-
the-wabbit over 9 yearsMh, but it only helped in terms that the rule is hard-coded to "allow" now. I am still looking for a way to disable it so I could craft my own rules (basically I aim to restrict the remote desktop access to a number of hosts and networks)
-
Amin Hossain over 9 yearsI don't think you can disable it, only override it. I believe that rule always exists - but remember that a deny takes precedence over an allow. So if it's set locally to deny, adding a GP rule to allow it won't work. But if it's set to allow locally, a GP rule to deny it WILL work. At least that's how I imagine it should work. We have it enabled everywhere in my environment, so I can't say for certain without testing.