Policy

Windows Defender Firewall: Allow inbound Remote Desktop exceptions

Microsoft Windows

Back to Standard ProfileBack to main
Windows Defender Firewall: Allow inbound Remote Desktop exceptions
Jump to overview

Policy overview

Key metadata and intent for this policy.

Computer
Category
Windows Defender Firewall > Standard Profile
Supported on
At least Windows XP Professional with SP2

Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016, WindowsVista, WindowsXP

Allows this computer to receive inbound Remote Desktop requests. To do this, Windows Defender Firewall opens TCP port 3389. If you enable this policy setting, Windows Defender Firewall opens this port so that this computer can receive Remote Desktop requests. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Defender Firewall component of Control Panel, the "Remote Desktop" check box is selected and administrators cannot clear it. If you disable this policy setting, Windows Defender Firewall blocks this port, which prevents this computer from receiving Remote Desktop requests. If an administrator attempts to open this port by adding it to a local port exceptions list, Windows Defender Firewall does not open the port. In the Windows Defender Firewall component of Control Panel, the "Remote Desktop" check box is cleared and administrators cannot select it. If you do not configure this policy setting, Windows Defender Firewall does not open this port. Therefore, the computer cannot receive Remote Desktop requests unless an administrator uses other policy settings to open the port. In the Windows Defender Firewall component of Control Panel, the "Remote Desktop" check box is cleared. Administrators can change this check box."

Internal name
WF_RemoteDesktop_Name_2
Policy ID
247167f365de
Elements
1

Registry values

How enabled and disabled states update the registry.

ScopeRegistry locationTypeEnabled valueDisabled valueCopy
Computer
Path
SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop
Value name
Enabled
REG_DWORD
HKLM
1
HKLM
0
Registry location
Type REG_DWORD · Computer
Path
SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop
Value name
Enabled
Hive
HKLM
Enabled value
1
Disabled value
0

Policy elements

Inputs and configuration options exposed by this policy.

ScopeElementTypeRegistry mappingConstraints & behaviorCopy
Computer
Allow unsolicited incoming messages from these IP addresses:
ID WF_Scope_Name
text
Path
SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop
Value name
RemoteAddresses
Type
REG_SZ
None
Allow unsolicited incoming messages from these IP addresses:
Computer · Type text
Registry mapping
Path
SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop
Value name
RemoteAddresses
Type
REG_SZ
DetailsNone