Policy
Windows Defender Firewall: Allow inbound Remote Desktop exceptions
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016, WindowsVista, WindowsXP
Allows this computer to receive inbound Remote Desktop requests. To do this, Windows Defender Firewall opens TCP port 3389. If you enable this policy setting, Windows Defender Firewall opens this port so that this computer can receive Remote Desktop requests. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Defender Firewall component of Control Panel, the "Remote Desktop" check box is selected and administrators cannot clear it. If you disable this policy setting, Windows Defender Firewall blocks this port, which prevents this computer from receiving Remote Desktop requests. If an administrator attempts to open this port by adding it to a local port exceptions list, Windows Defender Firewall does not open the port. In the Windows Defender Firewall component of Control Panel, the "Remote Desktop" check box is cleared and administrators cannot select it. If you do not configure this policy setting, Windows Defender Firewall does not open this port. Therefore, the computer cannot receive Remote Desktop requests unless an administrator uses other policy settings to open the port. In the Windows Defender Firewall component of Control Panel, the "Remote Desktop" check box is cleared. Administrators can change this check box."
Registry values
How enabled and disabled states update the registry.
| Registry location | Type | Enabled value | Disabled value |
|---|---|---|---|
| HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop\Enabled | REG_DWORD | 1 | 0 |
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
Allow unsolicited incoming messages from these IP addresses: ID WF_Scope_Name | text | HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop\RemoteAddresses Type REG_SZ | None |
Other policies in this category
Explore related policies at the same level.
- ComputerWindows Defender Firewall: Allow ICMP exceptionsAt least Windows XP Professional with SP2
- ComputerWindows Defender Firewall: Allow inbound file and printer sharing exceptionAt least Windows XP Professional with SP2
- ComputerWindows Defender Firewall: Allow inbound remote administration exceptionAt least Windows XP Professional with SP2
- ComputerWindows Defender Firewall: Allow inbound UPnP framework exceptionsAt least Windows XP Professional with SP2
- ComputerWindows Defender Firewall: Allow local port exceptionsAt least Windows XP Professional with SP2
- ComputerWindows Defender Firewall: Allow local program exceptionsAt least Windows XP Professional with SP2
- ComputerWindows Defender Firewall: Allow loggingAt least Windows XP Professional with SP2
- ComputerWindows Defender Firewall: Define inbound port exceptionsAt least Windows XP Professional with SP2
- ComputerWindows Defender Firewall: Define inbound program exceptionsAt least Windows XP Professional with SP2
- ComputerWindows Defender Firewall: Do not allow exceptionsAt least Windows XP Professional with SP2
- ComputerWindows Defender Firewall: Prohibit notificationsAt least Windows XP Professional with SP2
- ComputerWindows Defender Firewall: Prohibit unicast response to multicast or broadcast requestsAt least Windows XP Professional with SP2