Issue to RDP on server 2025

Question

Issue to RDP on server 2025

Scott Huang 3,511

HI,

It is enabled below to RDP on Local server but I cannot access it using RDP. Any reasons?

User's image

0 comments

3 answers

Your answer

Answer 1

Welcome to Microsoft Q&A Forum!

Based on your description, even if Remote Desktop is enabled and port 3389 is allowed in Windows Firewall, RDP may still fail because other components required for connectivity are missing or blocked. The most common causes are:

Network connectivity / reachability issue: The server may not be reachable from the client (DNS, routing, VLAN, or external firewall/NAT issues). Even with port 3389 open locally, traffic may not reach the server.
Firewall profile mismatch: The rule can be enabled, but not for the active profile (Public/Private/Domain). RDP rules must be enabled for the correct profile, otherwise connections are still blocked.
RDP service (TermService) not running or not listening: Remote Desktop requires the service to be running and listening on port 3389. If nothing is listening, the port rule alone doesn’t help.
Port or listening configuration mismatch: RDP uses port 3389 by default. If it was changed in the registry, connecting without specifying the custom port will fail.
Network Level Authentication (NLA) or permission issues: Misconfigured NLA or lack of user permissions can prevent connection even when RDP is enabled.
Group Policy or external security controls: Domain GPO, antivirus, or network devices (NSG, firewall, router) can still block RDP traffic.

Reference: Remote Desktop Can't Connect to the Remote Computer - Windows Server | Microsoft Learn

Change Remote Desktop listening port on Windows and Windows Server | Microsoft Learn

I would like to share the following recommended solutions that may help resolve the issue.

1. Test connectivity from client

Run Test-NetConnection <server/IP> -Port 3389 in PowerShell to confirm port accessibility.

Use ping <ServerName> and nslookup <ServerName> to verify DNS resolution and network reachability

2. Confirm RDP is actually listening

The RDP-Tcp listener may not be active. On the server, open Command Prompt and run:

qwinsta (look for "rdp-tcp" with state “Listen” in the output)
netstat -ano | findstr "3389" (should show the server listening on port 3389)

If the listener is missing, restart the Remote Desktop Services service

3. Check user permissions

The user must be a member of the "Remote Desktop Users" group. Check via lusrmgr.msc and add the user if needed

4. Confirm group policy restrictions

Local or domain GPOs may restrict RDP access. Kindly check:

Path: gpedit.msc → Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment
Then, ensure "Allow logon through Remote Desktop Services" includes the correct users/groups

5. Check Network Level Authentication (NLA)

If NLA is enabled, clients must support it. You can disable NLA temporarily for testing:

Open sysdm.cpl → Choose Remote tab → Uncheck "Allow connections only from computers running Remote Desktop with Network Level Authentication”

6. Verify RDP Certificate

If there are certificate or TLS issues, the RDP listener may fail. Check the Certificates MMC snap-in (certlm.msc) under Remote Desktop, delete the self-signed certificate, and restart the Remote Desktop Services service to regenerate it.

I hope this information is helpful and thank you for choosing Microsoft Q&A to raise your concern.

Scott Huang 3,511 Reputation points

2026-05-08T03:25:02.1266667+00:00

I got TCPtest false below

but it was enabled to remote RDP below. What to adjust?
Daphne Huynh (WICLOUD CORPORATION) 660 Reputation points Microsoft External Staff Moderator

2026-05-08T07:40:14.0333333+00:00

Thank you for sharing the test results and screenshots, they help clarify the situation.

From the Test-NetConnection output, it shows:

PingSucceeded : True, the server is reachable over the network

TcpTestSucceeded : False, Port 3389 is not reachable

This confirms that the issue is not related to RDP configuration itself, but rather something is blocking TCP port 3389 connectivity.

Here is the information I believe you can follow to adjust and troubleshoot.

1. Check RDP Enablement in Registry

Policy path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server

fDenyTSConnections should be set to 0 (RDP enabled)

2. Firewall and Port

From your screenshot, the rule is enabled, but it may not apply to the current network profile. Verify:

The rule is enabled for the active profile (Domain / Private / Public)

The Scope tab does not restrict remote IP ranges (should allow “Any” for testing as I recommend above)

Confirm Windows Firewall allows inbound TCP/UDP 3389.

If using a third-party firewall or appliance, ensure port 3389 is open

3. Group Policy

Check GPO settings and confirm correct users/groups are included on the policy below:

"Allow logon through Remote Desktop Services"

"Access this computer from the network"

Path: Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment

4. RDP-Tcp Listener Registry

Check whether the RDP listener is configured correctly:

Registry path: HKLM\System\CurrentControlSet\Control\TerminalServer\Winstations\RDP-Tcp

Ensure PortNumber is set to 3389
Scott Huang 3,511 Reputation points

2026-05-08T07:54:32.7733333+00:00

Thanks a lot. Any advice as I do not see the one for RDP below

Sorry to that I now cannot ping "www.google.com" within such server.

Answer 2

Jason Nguyen Tran 18,720 Independent Advisor

Hi Scott Huang,

There are a few common reasons this can happen. First, please check that the Windows Defender Firewall is allowing inbound RDP traffic (TCP port 3389). Even if Remote Desktop is enabled, the firewall may still block external connections. Second, confirm that the server’s network settings are correct, if the IP address is assigned via DHCP, it may have changed, so make sure you’re connecting to the right address. Third, ensure that your user account has permission to log in via Remote Desktop; only members of the Remote Desktop Users group or administrators can connect.

It’s also worth verifying that no group policy or security configuration is restricting RDP access. In some environments, enhanced security settings or network-level authentication requirements can prevent successful connections. Lastly, if you’re attempting to connect from outside the local subnet, check that routing and NAT rules are properly configured.

I hope these suggestions help you narrow down the issue and get RDP working as expected. If this answer is helpful, please don’t forget to hit “Accept Answer”.

Jason.

Scott Huang 3,511 Reputation points

2026-05-06T06:44:56.49+00:00

Firewall is enabled that on the port 3389. I see that DHCP is enabled. And I'm not sure about the reason of this. Any help?
Jason Nguyen Tran 18,720 Reputation points Independent Advisor

2026-05-06T07:13:21.25+00:00

One possibility is that DHCP may be assigning a new IP address to the server, which can cause confusion if you’re trying to connect using an old or cached address. I recommend verifying the current IP address of the server and ensuring that’s the one you’re using for the RDP client. Another common issue is that while port 3389 is open, the firewall profile (Public, Private, or Domain) may not be aligned with your network type, so double-check that the inbound rule applies to the correct profile.

It’s also important to confirm that your user account has Remote Desktop permissions. Only administrators or members of the Remote Desktop Users group can log in remotely. If you’re connecting from outside the local subnet, routing or NAT rules may need to be configured to allow the traffic through.

Lastly, please make sure that Network Level Authentication (NLA) is either supported by your client or temporarily disabled for testing, as mismatches here can block connections.

I hope these steps help you pinpoint the root cause and get RDP working smoothly. If this answer is helpful, please don’t forget to hit “Accept Answer”.
Scott Huang 3,511 Reputation points

2026-05-06T07:25:51.15+00:00

the firewall profile (Public, Private, or Domain) may not be aligned with your network type, so double-check that the inbound rule applies to the correct profile.

Which rule to check?

I'm using administrator account for this.
Jason Nguyen Tran 18,720 Reputation points Independent Advisor

2026-05-06T07:35:34.8066667+00:00

Since you’re using an administrator account, you already have the right level of access to review and adjust these settings. The key is to make sure that the inbound rule for Remote Desktop (TCP port 3389) is applied to the correct firewall profile, Public, Private, or Domain, depending on how your server’s network is classified.

For example, if your server is joined to a domain, the Domain profile will apply, and the rule must be enabled there. If it’s on a private LAN without domain membership, the Private profile is the one to check. And if the server is treating the network as untrusted, the Public profile will be active. You can confirm which profile is currently in use by opening the Windows Defender Firewall with Advanced Security console and looking at the active profile in the overview section.

Once you know the active profile, verify that the “Remote Desktop (TCP-In)” rule is enabled for that profile. If it’s not, you can edit the rule’s properties and check the boxes for the appropriate profiles. This ensures that the firewall is actually allowing RDP traffic under the conditions your server is operating in.
Scott Huang 3,511 Reputation points

2026-05-06T08:16:35.42+00:00

3389 rule is enabled like
Scott Huang 3,511 Reputation points

2026-05-07T01:47:04.5933333+00:00

Any help?
Scott Huang 3,511 Reputation points

2026-05-07T08:10:27.8566667+00:00

Any help?
Scott Huang 3,511 Reputation points

2026-05-11T01:50:59.92+00:00

Any help?

Answer 3

Even though Remote Desktop shows as Enabled on the local server, several other conditions must be correct before RDP connections succeed. Use the following checks in order:

Confirm RDP is actually enabled in the registry

On the server, open Registry Editor and go to:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
Verify the fDenyTSConnections value:
- 0 = RDP enabled
- 1 = RDP disabled
If it is 1, change it to 0.

Verify the RDP services are running On the server, open Services and confirm these services are Running:

Remote Desktop Services (TermService)
Remote Desktop Services UserMode Port Redirector (UmRdpService) Start them if they are stopped.

Check that the RDP listener and port are correct

In Registry Editor, go to:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Confirm PortNumber is 0x00000d3d (3389).
If a different port is configured, connect using servername:port.

Test local RDP and listener behavior

On the server console, run mstsc and connect to localhost.
- If this fails, the problem is on the server (RDP listener/configuration).
- If this works, the problem is likely network/firewall.

Verify firewall rules for RDP On the server, open wf.msc and check Inbound Rules:

Ensure Remote Desktop - User Mode (TCP-In) and Remote Desktop - User Mode (UDP-In) are Enabled for all profiles.

Or in elevated PowerShell:

  Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Set-NetFirewallRule -Enabled True

If still failing, temporarily disable the firewall to test:

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

(Enable it again after testing.)

Test network connectivity to port 3389 from another machine From a machine in the same network, run in elevated PowerShell:

Test-NetConnection -ComputerName <server-name-or-ip> -Port 3389 -InformationLevel Detailed

If TcpTestSucceeded = False, there is a network or firewall/NSG issue between client and server.
If True, focus on server configuration (steps 1–4 and 7–8).

Check for another process using port 3389 On the server, run:

tasklist /svc | findstr TermService
netstat -anob | findstr 3389

Confirm the PID for TermService matches the process listening on port 3389.
If another process is using 3389, stop that process and restart Remote Desktop Services.

Validate RDP certificate and roles

In MMC → Certificates (Computer account) → Remote Desktop, delete the RDP self-signed certificate and restart Remote Desktop Services so it is recreated.
In Server Manager → Manage → Remove Roles and Features, check Remote Desktop Services roles. Remove unnecessary RDS roles (for example, Connection Broker) if this is not an RDS deployment, then restart the server.

If all these checks pass and RDP still fails, collect logs and contact Microsoft Support as indicated in the documentation.

References:

Share via

Issue to RDP on server 2025

3 answers

Your answer