Cannot RDP to Windows 11 PC or VM after InTune enrollment

Question

Hello,

I will try to be as precise as I can, don't hesitate to ask questions or guide me if you want more details.

I have an Azure Tenant A. In this tenant I am creating VMs to test Intune settings for each of my customer.

Tenant B,C,D,... are all customer tenants with pretty much the same settings. Most of the Intune settings are Microsoft Templates preconfigure, I only add a few apps and OneDrive configuration profile.

When I create the VM (Vanilla Windows 11 Enterprise), I can connect to it with RDP, no problem.
I can turn on or off the RDP Switch.

Then I join that machine to EntraID (AzureAD) in Tenant B.
I can still connect for a few minutes but as soon as Intune kicks in, the RDP switch is set to OFF.

When I try to turn it on, I get this ...

I confirm and it goes back to off !!!
And I can't connect to it.
I can reproduce this using an HyperV machine on a PC, enhance the screenshots using the HyperV console.

Otherwise I loose access to that machine completely.

I even tried to install an unattended version of TeamViewer so I could get access and troubleshoot but as soon as the machine is joined and Intune connected... no remote access at all.

And before you ask, yes the firewall is open :)

I've gone thru the settings on the configuration profiles, Endpoint Security and the works, I couldn't find a setting about RDP nor Firewall preventing connection.

With the help of a MS tech, we even created a configuration profile with the specific OMA setting :

./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/AllowUsersToConnectRemotely

Set to

<enabled />

... to no avail.

I can easily reproduce that behaviour and/or recreate a new machine.

I read a few things here and there but no real answer to this issue that several persons have.

Any hint/help/solution would be awesome.

Have fun, keep cool and take care.

Answer 1

Hi Fabian! I assume that your VMs are local Hyper-V only, not in Azure infrastructure, right?

Based on my experience, that modern Settings -> Remote Desktop OFF settings does not have actual meaning. In my Intune Cloud-only enviroment RDP works fine this setting being turned off. But what you need to check is this:

This must be enabled and policy affecting this is:

Another object you need to control is firewall. If you have MS Security Baseline in place, your local Firewall rules are not honored by default (you can create them but effect is 0), because in baseline, merging Intune and local firewall rules are not allowed. I explain this in more details here: https://www.linkedin.com/pulse/intune-security-baselines-firewall-rules-pavel-mirochnitchenko

And when creating Firewall rules in Intune, as surprise, you need to identify TCP and UDP ports separably, ANY protocol rule does not work. Here is my RDP rules in Intune.

Specifying Protocol is important here. Do same for UDP. Also please be informed, that with this setup I only connect physical machines, not virtual. I haven't test this with VMs but is should work.

Answer 2

I added the recommended settings creating a Firewall rule in Endpoint Security as suggested and ... it works !

I have learned something about the Intune Security baseline rules today.

For reference this is what's applied in the Baseline :

https://docs.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-mdm-all?pivots=november-2021#microsoft-defender-firewall

Thank you !