
Microsoft Intune - Enabling RDP for Entra Joined Devices

  • Writer: Mr B SOE way
  • 2 days ago
  • 2 min read

Recently one of my customers wanted to enable RDP on Entra Joined devices; by default nothing is set. This is the whole process for getting it set up in Microsoft Intune.


You will need the following to be set up:

  1. Endpoint Security | Firewall: in https://intune.microsoft.com/ go to Endpoint Security, then Firewall, and create a firewall rules policy with the following two rules. Both are scoped to the Domain and Private profiles only; leave the Public profile out so that 3389 and 135 are not reachable from untrusted networks.

    1. Allow RDP TCP 3389
       Direction: The rule applies to inbound traffic
       Action: Allow
       Protocol: 6 (TCP)
       Enabled: Enabled
       Interface Types: Remote Access, Wireless, Lan
       File Path: %SystemRoot%\system32\svchost.exe
       Network Types: FW_PROFILE_TYPE_DOMAIN, FW_PROFILE_TYPE_PRIVATE
       Local Port Ranges: 3389

    2. Allow Remote Assistance TCP 135
       Direction: The rule applies to inbound traffic
       Action: Allow
       Protocol: 6 (TCP)
       Enabled: Enabled
       Interface Types: Remote Access, Wireless, Lan
       Network Types: FW_PROFILE_TYPE_DOMAIN, FW_PROFILE_TYPE_PRIVATE
       Local Port Ranges: 135



  2. Endpoint Security | Account Protection: in https://intune.microsoft.com/ go to Endpoint Security, then Account Protection, and create a Local user group membership policy with the following setup.

    1. Local group: Remote Desktop Users

      Group and user action: Add (Update)
      User selection type: Select individual users or group, then pick the Entra users or group who should be allowed to RDP in.

      Members of the local Administrators group can already connect over RDP without being in Remote Desktop Users, so this policy is what grants access to everyone else. (The original post shows a screenshot of the configured policy here.)

  3. Device Configuration: in https://intune.microsoft.com/ go to Devices, then Configuration, then Create, then New Policy, and choose Platform: Windows 10 and later and Profile Type: Settings Catalog. Add the following settings. Only the first one is needed for RDP itself; settings 2 and 3 are for Remote Assistance, which is what the TCP 135 firewall rule is for.

    1. Allow users to connect remotely by using Remote Desktop Services: Enabled

    2. Configure Offer Remote Assistance: Enabled

      1. Helpers (Device): Entra group

      2. Permit remote control of this computer (Device): Allow helpers to remotely control the computer

    3. Configure Solicited Remote Assistance: Enabled

      1. Permit remote control of this computer: Allow helpers to remotely control the computer

      2. Method for sending email invitations: Mailto

      3. Maximum ticket time (units): Hours

      4. Maximum ticket time (value): 1

      (The original post shows a screenshot of the configured profile here.)


  4. To enable the built-in Remote Desktop and Remote Assistance firewall rule groups (the rules in step 1 only cover the two explicit ports), deploy the following Install.ps1 either as an Intune PowerShell script or as a Win32 app. The Win32 route lets you pair it with the detection script further down.

# Install.ps1
# Runs as SYSTEM when deployed from Intune; netsh needs that elevation.
# Enabling a group enables every built-in rule in it, so "Remote Desktop" also
# turns on the UDP 3389 and Remote Desktop shadow rules that step 1 did not create.

# Enable the Remote Assistance firewall rule group
netsh advfirewall firewall set rule group="Remote Assistance" new enable=yes

# Enable the Remote Desktop firewall rule group
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes

# Detect-RemoteDesktopFirewallRules.ps1
# Intune Win32 detection semantics: exit code 0 AND text on STDOUT means
# "installed"; exit code 1 means "not installed". So only write output when
# both groups are fully enabled, otherwise stay silent and exit 1.

# Returns $true only when the display group exists and every rule in it is enabled.
# Get-NetFirewallRule is queried directly instead of parsing netsh text output.
function Test-FirewallRuleGroupEnabled {
    param (
        [Parameter(Mandatory)]
        [string]$GroupName
    )
    $rules = @(Get-NetFirewallRule -DisplayGroup $GroupName -ErrorAction SilentlyContinue)
    if ($rules.Count -eq 0) {
        return $false
    }
    # Enabled is an enum that compares against the strings 'True' / 'False'
    $disabled = @($rules | Where-Object { $_.Enabled -ne 'True' })
    return ($disabled.Count -eq 0)
}

# Check the Remote Assistance firewall rule group
$remoteAssistanceEnabled = Test-FirewallRuleGroupEnabled -GroupName "Remote Assistance"
# Check the Remote Desktop firewall rule group
$remoteDesktopEnabled = Test-FirewallRuleGroupEnabled -GroupName "Remote Desktop"

if ($remoteAssistanceEnabled -and $remoteDesktopEnabled) {
    Write-Output "Both Remote Assistance and Remote Desktop firewall rules are enabled."
    exit 0
}

# Anything written here would count as STDOUT and make Intune report "installed",
# so the partial states (only Remote Assistance enabled, only Remote Desktop
# enabled, or neither) are deliberately not printed.
exit 1

Wrap Install.ps1 and Detect-RemoteDesktopFirewallRules.ps1 up as a Win32 app with https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool, then upload the .intunewin file to Intune. In the app settings, use powershell.exe -ExecutionPolicy Bypass -File Install.ps1 as the install command, set the install behaviour to System (netsh has to run elevated), and for the detection rule choose the "Use a custom detection script" format and upload Detect-RemoteDesktopFirewallRules.ps1.

Once everything has deployed successfully to the device, the original post shows three screenshots: the firewall rule groups enabled by the Win32 app, the rules created by the Windows Firewall policy, and the Remote Desktop and Remote Assistance settings applied by the Device Configuration policy.
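Rather than relying on screenshots, the following script checks on the device itself that each of the four steps above actually landed. It is an added example and not part of the original post. It assumes the two rule display names from step 1 and the standard Windows registry locations for the Remote Desktop Services policy and the RDP-Tcp listener; the membership check looks for AzureAD\ names or unresolved S-1-12-1- SIDs, which is how Entra principals appear in net localgroup output.

```powershell
# Verify-EntraRdpDeployment.ps1 (added example, not from the original post)
# Run from an elevated PowerShell session on a device that has received all four
# pieces of configuration above. Prints PASS/FAIL per check and exits 1 if any failed.

$PolicyRuleNames = 'Allow RDP TCP 3389', 'Allow Remote Assistance TCP 135'   # step 1 rule names
$BuiltInGroups   = 'Remote Desktop', 'Remote Assistance'                       # groups enabled by Install.ps1
$TsPolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$RdpTcpKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$results = [ordered]@{}

# Step 1: each policy rule exists once, is an enabled inbound allow rule for TCP on
# the expected port, and is not scoped to the Public profile ('Any' includes Public).
foreach ($name in $PolicyRuleNames) {
    $expectedPort = if ($name -like '*3389*') { '3389' } else { '135' }
    $rules = @(Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)
    if ($rules.Count -ne 1) {
        $results["Rule '$name' present exactly once"] = $false
        continue
    }
    $rule = $rules[0]
    $port = $rule | Get-NetFirewallPortFilter
    $isInboundAllow = ($rule.Enabled -eq 'True') -and ($rule.Direction -eq 'Inbound') -and ($rule.Action -eq 'Allow')
    $isExpectedPort = ($port.Protocol -eq 'TCP') -and ("$($port.LocalPort)" -eq $expectedPort)
    $results["Rule '$name' enabled, inbound, allow"] = $isInboundAllow
    $results["Rule '$name' is TCP/$expectedPort"]    = $isExpectedPort
    $results["Rule '$name' not on Public profile"]   = ("$($rule.Profile)" -notmatch 'Public|Any')
}

# Step 2: the Account Protection policy put an Entra principal into Remote Desktop
# Users. net.exe is parsed because Get-LocalGroupMember can fail on Entra SIDs it
# cannot resolve; Entra members show up as AzureAD\Name or as a raw S-1-12-1-... SID.
$entraMembers = @(net localgroup 'Remote Desktop Users' 2>$null | Where-Object { $_ -match '^(AzureAD\\|S-1-12-1-)' })
$results['Remote Desktop Users contains an Entra user or group'] = ($entraMembers.Count -gt 0)

# Step 3: the Settings Catalog profile writes these policy values.
$ts = Get-ItemProperty -Path $TsPolicyKey -ErrorAction SilentlyContinue
$results['RDP allowed by policy (fDenyTSConnections = 0)']            = ($ts.fDenyTSConnections -eq 0)
$results['Offer Remote Assistance enabled (fAllowUnsolicited = 1)']    = ($ts.fAllowUnsolicited -eq 1)
$results['Solicited Remote Assistance enabled (fAllowToGetHelp = 1)']  = ($ts.fAllowToGetHelp -eq 1)

# Step 4: Install.ps1 enabled every rule in the built-in groups (for Remote Desktop
# that includes the UDP 3389 and shadow rules).
foreach ($group in $BuiltInGroups) {
    $groupRules = @(Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue)
    $disabled   = @($groupRules | Where-Object { $_.Enabled -ne 'True' })
    $results["Group '$group' fully enabled"] = ($groupRules.Count -gt 0) -and ($disabled.Count -eq 0)
}

# Not set by the steps above, but worth confirming before exposing 3389: Network Level
# Authentication is still required, so unauthenticated clients never reach the logon screen.
$listener = Get-ItemProperty -Path $RdpTcpKey -ErrorAction SilentlyContinue
$results['RDP requires Network Level Authentication (UserAuthentication = 1)'] = ($listener.UserAuthentication -eq 1)

# Report
foreach ($entry in $results.GetEnumerator()) {
    $status = if ($entry.Value) { 'PASS' } else { 'FAIL' }
    Write-Output ('{0}  {1}' -f $status, $entry.Key)
}
$failedCount = @($results.Values | Where-Object { -not $_ }).Count
Write-Output "$failedCount check(s) failed."
exit ([int]($failedCount -gt 0))
```

A FAIL on the "not on Public profile" line is the one to fix first: a rule that has picked up the Public profile (or "Any") means the listener is reachable on every network the laptop joins, which is exactly what scoping the Intune rules to Domain and Private is meant to prevent.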