How to Enable Remote Desktop on Windows Server Core 2025

Enable Remote Desktop Protocol (RDP) on Windows Server Core 2025 using SConfig and PowerShell, configure firewall settings, and establish secure remote connections for server management.

Emanuel DE ALMEIDA
March 17, 2026

Why Enable Remote Desktop on Windows Server Core?

Windows Server Core provides a minimal installation option that reduces the attack surface and resource consumption compared to the full Desktop Experience. However, managing Server Core exclusively through the command line can be challenging for administrators accustomed to graphical interfaces. Remote Desktop Protocol (RDP) bridges this gap by providing secure remote access to Server Core's administrative desktop environment.

Enabling RDP on Server Core 2025 allows administrators to manage servers remotely using familiar graphical tools while maintaining the security and efficiency benefits of the Core installation. The process involves configuring Terminal Services, enabling firewall rules, and implementing proper authentication mechanisms to ensure secure remote access.

What Security Considerations Apply to Server Core RDP?

Server Core's reduced attack surface makes it inherently more secure than full Windows installations, but RDP introduces additional security considerations. Network Level Authentication (NLA) provides the first line of defense by requiring user authentication before establishing RDP sessions. This prevents unauthorized users from consuming server resources and reduces exposure to brute-force attacks.

Modern RDP implementations in Windows Server 2025 include enhanced encryption, certificate-based authentication, and improved session management. Proper firewall configuration ensures that RDP traffic is controlled and monitored, while session timeouts prevent abandoned connections from remaining active indefinitely.

How Does SConfig Simplify Server Core Management?

The Server Configuration tool (SConfig) provides a text-based menu system specifically designed for Server Core management. Unlike PowerShell commands or direct registry editing, SConfig offers a user-friendly interface that guides administrators through common configuration tasks. For RDP enablement, SConfig automatically handles both the registry changes and firewall configuration in a single operation, reducing the chance of configuration errors and ensuring consistent results across different server deployments.

Implementation Guide

Full Procedure

01

Access Server Core and Launch SConfig

Log into your Windows Server Core 2025 system using administrator credentials. Server Core boots directly to a command prompt interface without a graphical desktop environment.

Launch the Server Configuration tool by running the SConfig command:

sconfig.cmd

The SConfig menu displays numbered configuration options. This tool provides a text-based interface for managing core server settings without requiring PowerShell knowledge.

Pro tip: SConfig is the fastest method for enabling RDP on Server Core. It automatically handles both registry changes and firewall configuration in one step.

Verification: The SConfig main menu should display with options 1-15, including option 7 for "Remote Desktop".

02

Enable Remote Desktop Through SConfig

From the SConfig main menu, select option 7 to configure Remote Desktop settings:

7

Press Enter to access the Remote Desktop configuration submenu. You'll see the current RDP status (typically "Disabled" on fresh installations) and configuration options.

Type E to enable Remote Desktop:

E

The system will prompt you to choose the authentication level. Select option 1 for the most secure configuration:

1

This enables "Allow only clients running Remote Desktop with Network Level Authentication (more secure)". NLA requires client authentication before establishing the RDP session, preventing unauthorized connection attempts.

Press OK to confirm the changes. SConfig automatically updates the registry and enables the necessary firewall rules.

Warning: Option 2 (less secure) disables NLA and should only be used for legacy clients that don't support modern authentication.

Verification: The Remote Desktop status in SConfig should now show "Enabled" with NLA authentication.

03

Verify Firewall Rules Using PowerShell

Exit SConfig by pressing 0 and return to the command prompt. Launch PowerShell to verify the firewall configuration:

powershell

Check that the Remote Desktop firewall rules are enabled:

Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Where-Object {$_.Enabled -eq "True"}

This command should return three enabled rules:

  • Remote Desktop - User Mode (TCP-In)
  • Remote Desktop - User Mode (UDP-In)
  • Remote Desktop - Shadow (TCP-In)

If the rules aren't enabled, manually enable them:

Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

Alternatively, use the netsh command for compatibility with older scripts:

netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes

Verification: Run netsh advfirewall firewall show rule group="Remote Desktop" to confirm all rules show "Enabled: Yes".

04

Configure Registry Settings for RDP (Alternative Method)

While SConfig handles most configurations automatically, you can also enable RDP through direct registry modification. This method is useful for scripting or when SConfig isn't available.

Enable Remote Desktop by setting the fDenyTSConnections registry value to 0:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0

Enable Network Level Authentication for enhanced security:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1

For environments requiring command prompt compatibility, use reg commands:

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f

Pro tip: Save these registry commands in a batch file for automated server deployment. Include error checking with if %errorlevel% neq 0 for production scripts.

Verification: Query the registry to confirm settings:

Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections

The fDenyTSConnections value should be 0 (enabled).

05

Verify Terminal Services Status

Ensure the Terminal Services service (TermService) is running and configured for automatic startup. This service handles all RDP connections to the server.

Check the current service status:

Get-Service TermService

The service should show Status: Running and StartType: Automatic. If the service isn't running, start it manually:

Start-Service TermService

Configure the service for automatic startup to ensure RDP remains available after reboots:

Set-Service TermService -StartupType Automatic

If you encounter issues with the service, restart it forcefully:

Restart-Service TermService -Force

Warning: Restarting TermService will disconnect any active RDP sessions. Coordinate with other administrators before running this command on production servers.

For additional verification, check that the service is listening on port 3389:

netstat -an | findstr :3389

You should see "TCP 0.0.0.0:3389 LISTENING" indicating the RDP service is accepting connections.

Verification: Run Get-Service TermService | Format-List to see detailed service information including startup type and current status.

06

Configure Network Level Authentication Settings

Network Level Authentication (NLA) provides enhanced security by requiring user authentication before establishing the RDP session. This prevents unauthorized users from consuming server resources.

Verify NLA is enabled (should be set from SConfig, but confirm manually):

Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication

The UserAuthentication value should be 1 (enabled). If you need to disable NLA for legacy client compatibility, set it to 0:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 0

Configure the security layer for RDP connections. The recommended setting is SSL/TLS:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name SecurityLayer -Value 2

Security layer values:

  • 0 = RDP Security Layer
  • 1 = Negotiate (SSL/TLS if available)
  • 2 = SSL/TLS (recommended)

Set the encryption level to high for maximum security:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name MinEncryptionLevel -Value 3

Pro tip: For environments with mixed client versions, start with NLA enabled and SSL/TLS security. Only reduce security settings if specific legacy applications require it.

Verification: Query all security-related registry values:

Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' | Select-Object UserAuthentication, SecurityLayer, MinEncryptionLevel
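Steps 3 through 6 can be checked in one pass. The following is an added example, not part of the original guide: Test-RdpBaseline and New-Check are hypothetical helper names, and the expected values are the ones this guide sets.

```powershell
# Added example (not from the original guide). Run in an elevated PowerShell session.
# Test-RdpBaseline and New-Check are hypothetical helper names.
function New-Check($Check, $Expected, $Actual) {
    # A missing value ($null) always counts as non-compliant.
    [pscustomobject]@{
        Check     = $Check
        Expected  = $Expected
        Actual    = $Actual
        Compliant = ($null -ne $Actual -and "$Actual" -eq "$Expected")
    }
}

function Test-RdpBaseline {
    $ts  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"

    # Registry values and targets exactly as set in steps 4 and 6.
    $registryChecks = @(
        @{ Path = $ts;  Name = 'fDenyTSConnections'; Want = 0 }
        @{ Path = $tcp; Name = 'UserAuthentication'; Want = 1 }
        @{ Path = $tcp; Name = 'SecurityLayer';      Want = 2 }
        @{ Path = $tcp; Name = 'MinEncryptionLevel'; Want = 3 }
    )
    foreach ($c in $registryChecks) {
        $key    = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
        $actual = $key.($c.Name)
        New-Check -Check $c.Name -Expected $c.Want -Actual $actual
    }

    # Step 3: every rule in the "Remote Desktop" group should be enabled.
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue)
    $disabled = if ($rules.Count) { @($rules | Where-Object { $_.Enabled -ne 'True' }).Count } else { $null }
    New-Check -Check 'Disabled rules in "Remote Desktop" group' -Expected 0 -Actual $disabled

    # Step 5: the service must be running and listening on the configured port.
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    New-Check -Check 'TermService status' -Expected 'Running' -Actual $svc.Status
    $port = (Get-ItemProperty -Path $tcp).PortNumber
    $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)
    New-Check -Check "Listening on TCP $port" -Expected $true -Actual $listening
}

# Usage: Test-RdpBaseline | Format-Table -AutoSize
```

Any row with Compliant = False points at the step to revisit; the firewall row is expected to fail once the default rule group has been disabled in favour of a custom port.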
07

Test Remote Desktop Connection

From your management workstation, test the RDP connection to verify everything is configured correctly. First, determine the server's IP address from the Server Core console:

Get-NetIPAddress -AddressFamily IPv4 | Where-Object {$_.IPAddress -ne '127.0.0.1'}

On your Windows client machine, open Remote Desktop Connection (mstsc.exe) or use the command line:

mstsc /v:SERVER_IP_ADDRESS

Replace SERVER_IP_ADDRESS with your server's actual IP. You can also use the server's hostname if DNS resolution is configured:

mstsc /v:SERVERNAME.domain.com

When prompted, enter your administrator credentials. If NLA is enabled, you'll authenticate before seeing the desktop. Accept any certificate warnings for self-signed certificates (common in lab environments).

Upon successful connection, you'll see the Server Core administrative desktop with Server Manager and basic management tools. This isn't the full Windows desktop experience but provides essential server management capabilities.

Warning: Server Core doesn't provide the full Windows desktop. You'll see a limited interface designed for server administration. Use Server Manager or PowerShell for most management tasks.

Test connection persistence by performing a simple administrative task:

Get-ComputerInfo | Select-Object WindowsProductName, TotalPhysicalMemory

Verification: Successfully connecting and running PowerShell commands confirms RDP is working correctly. Check the Event Viewer for successful logon events (Event ID 4624) in the Security log.
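The Security log can also be filtered for Remote Desktop logons instead of browsing Event Viewer. This is an added example, not part of the original guide: Get-RdpLogon is a hypothetical function name, and it assumes interactive RDP sessions are recorded as Event ID 4624 with logon type 10 (RemoteInteractive).

```powershell
# Added example (not from the original guide). Get-RdpLogon is a hypothetical name.
# Reading the Security log requires an elevated PowerShell session.
function Get-RdpLogon {
    param(
        # How many of the most recent 4624 events to inspect.
        [int]$MaxEvents = 500
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # Flatten the <EventData> name/value pairs into a hashtable.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # Logon type 10 = RemoteInteractive, i.e. a Remote Desktop session.
            if ($data['LogonType'] -eq '10') {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    User     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                    SourceIp = $data['IpAddress']
                }
            }
        }
}

# Usage: Get-RdpLogon | Sort-Object Time -Descending | Format-Table -AutoSize
# Review by source: Get-RdpLogon | Group-Object SourceIp | Sort-Object Count -Descending
```

The test connection from the management workstation should appear with its IP address; source addresses outside the expected management hosts are worth investigating.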

08

Configure Advanced RDP Security Settings

Implement additional security measures to protect your RDP deployment. Start by configuring session timeouts to prevent abandoned connections:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name MaxConnectionTime -Value 3600000

This sets a 1-hour maximum connection time (value in milliseconds). Set the idle session timeout:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name MaxIdleTime -Value 1800000

This disconnects idle sessions after 30 minutes. Configure maximum concurrent connections:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name MaxInstanceCount -Value 2

For enhanced security, consider changing the default RDP port from 3389:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name PortNumber -Value 3390

After changing the port, update the firewall rule:

New-NetFirewallRule -DisplayName "RDP Custom Port" -Direction Inbound -Protocol TCP -LocalPort 3390 -Action Allow

Disable the default Remote Desktop rule group (port 3389) if you're using a custom port:

Disable-NetFirewallRule -DisplayGroup "Remote Desktop"

Pro tip: Document any custom port changes in your server documentation. Clients will need to specify the custom port when connecting: mstsc /v:server:3390

Restart Terminal Services to apply port changes:

Restart-Service TermService -Force

Verification: Test connection on the new port and confirm the old port is no longer listening with netstat -an | findstr :3389 and netstat -an | findstr :3390.
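The custom-port firewall rule created in this step accepts connections from any source address. As an added example (not part of the original guide), the function below creates the same rule but limits it to management address ranges; Set-ScopedRdpRule is a hypothetical name and 10.0.50.0/24 is a constructed placeholder range.

```powershell
# Added example (not from the original guide). Set-ScopedRdpRule is a hypothetical name.
# Run from the console, or confirm your workstation is inside the range first:
# replacing an allow-any rule can cut off a session coming from another address.
function Set-ScopedRdpRule {
    param(
        # Source ranges allowed to reach RDP, e.g. '10.0.50.0/24' (constructed placeholder).
        [Parameter(Mandatory)][string[]]$ManagementRange,
        [string]$DisplayName = 'RDP Custom Port'
    )
    $tcp = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # Read the port RDP is configured for, so rule and listener cannot drift apart.
    $port = (Get-ItemProperty -Path $tcp).PortNumber

    # Replace any earlier rule of the same name instead of stacking duplicates.
    Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    $rule = New-NetFirewallRule -DisplayName $DisplayName -Direction Inbound `
        -Protocol TCP -LocalPort $port -RemoteAddress $ManagementRange -Action Allow

    # Report what was applied so the scope can be reviewed.
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        LocalPort     = ($rule | Get-NetFirewallPortFilter).LocalPort
        RemoteAddress = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    }
}

# Usage: Set-ScopedRdpRule -ManagementRange '10.0.50.0/24'
```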

Frequently Asked Questions

Can I enable RDP on Windows Server Core without using SConfig?
Yes, you can enable RDP using PowerShell commands or direct registry editing. Use Set-ItemProperty to modify the fDenyTSConnections registry value and Enable-NetFirewallRule to configure firewall settings. However, SConfig is the recommended method as it handles all necessary configurations automatically and reduces the risk of errors.

What is Network Level Authentication and why should I use it?
Network Level Authentication (NLA) requires user authentication before establishing the RDP session, providing enhanced security by preventing unauthorized connection attempts. NLA reduces server resource consumption and protects against brute-force attacks. All modern RDP clients support NLA, and it should remain enabled unless you have specific legacy client compatibility requirements.

How do I change the default RDP port 3389 for better security?
Modify the PortNumber registry value in HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, create a new firewall rule for the custom port, disable the default port 3389 rule, and restart Terminal Services. Clients must specify the custom port when connecting using the format server:port. Document port changes for other administrators.

What should I do if RDP connections fail after enabling it on Server Core?
Check that Terminal Services is running with Get-Service TermService, verify firewall rules are enabled with Get-NetFirewallRule, confirm the fDenyTSConnections registry value is 0, and ensure the server is listening on port 3389 with netstat. Common issues include firewall blocking connections, service not running, or NLA compatibility problems with older clients.

Does Server Core provide the same desktop experience as full Windows Server?
No, Server Core provides a minimal administrative desktop with Server Manager and essential management tools, not the full Windows desktop experience. You'll have access to PowerShell, command prompt, and basic administrative interfaces. This reduced interface is intentional to minimize the attack surface while still providing necessary remote management capabilities.

Written by Emanuel DE ALMEIDA

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
