Share via

RDP to VMSS instance is not working after removing VMAccess Agent Extension

Sudipta Patnaik 0 Reputation points Microsoft Employee
2025-06-04T17:46:54.0433333+00:00

RDP to an instance of the vmss is not working after removing VMAccess Agent Extension.
The NSG inbound rules are set up correctly for RDP port 3389.

Is there any other configuration required to RDP without VMAccess Agent extension?

Azure Virtual Machine Scale Sets
Azure Virtual Machine Scale Sets
Azure compute resources that are used to create and manage groups of heterogeneous load-balanced virtual machines.
450 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Suwarna S Kale 3,391 Reputation points
    2025-06-05T01:37:06.96+00:00

    Hello Sudipta Patnaik,

    Thank you for posting your question in the Microsoft Q&A forum. 

    When RDP fails to a VMSS instance after removing the VMAccess Agent extension despite correct NSG rules, several other factors should be verified.

    • Ensure the Windows Firewall on the VM allows RDP traffic, as it may block connections even with open NSG rules.
    • Check that the VM's operating system has the RDP service enabled and running, as the VMAccess extension typically manages this configuration.
    • Validate that the VMSS instance has a valid network interface with proper IP configuration and that the instance itself is in a healthy, running state.
    • Confirm the VM's local administrator account credentials are correct, as password resets often rely on the VMAccess extension. If using Azure Bastion or just-in-time access, ensure those services are properly configured.

    Finally, consider redeploying the instance or re-adding the VMAccess extension if all else fails, as some VMSS configurations may depend on it for proper RDP setup. 

    If the above answer helped, please do not forget to "Accept Answer" as this may help other community members to refer the info if facing a similar issue. Your contribution to the Microsoft Q&A community is highly appreciated. 

  2. Markapuram Sudheer Reddy 2,050 Reputation points Microsoft External Staff Moderator
    2025-06-05T02:36:47.8566667+00:00

    Hi Sudipta Patnaik,

    In addition to the response of Suwarna S Kale,

    The VMAccess Extension is used to manage administrative users, configure RDP, and check or repair disks on Azure Windows virtual machines if you become locked out or if RDP is misconfigured. If you remove the extension but RDP is already set up correctly, you can able to connect via RDP. https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/vmaccess-windows

    How to check if RDP is enabled:

    1. By running sysdm.cpl, you must press Win + R, type sysdm.cpl, and then hit the Enter key. Now, to view the relevant Remote Desktop settings, locate the “Remote” tab. Then, you can easily check if the Remote Desktop feature is enabled or not. To do this, check if the “Allow connections to this computer” is selected. By default, RDP only allows local Administrator group members to connect remotely to a machine. Click Select Users to give additional users access to RDP. 
                                              (or)
    2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server and check below configurations RDP is enabled if the fDenyTSConnections key value is 0. RDP is not enabled if the fDenyTSConnections key value is 1.

    However, if you later lose access (for example, you forget the password or RDP is disabled), you will not be able to use Azure's built-in tools to reset credentials or repair RDP settings until you reinstall the VMAccess Agent extension.

    If the information is helpful, please click on 'Upvote"

    If you have any queries, please do let us know, will help you.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.