
Disable Remote Desktop Protocol on Windows Machines

Disables Remote Desktop Protocol (RDP) on Windows endpoints to prevent unauthorized remote access

Worklet Details

What the RDP Disabler does

This Automox Worklet™ disables Remote Desktop Protocol (RDP) connections on Windows endpoints. RDP allows users to remotely connect to and control Windows machines, but this capability creates security risks when enabled on endpoints that do not require remote access functionality.

The Worklet modifies the Terminal Server configuration in the Windows registry at HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server. By setting the fDenyTSConnections value to 1, the Worklet instructs Windows to refuse all incoming RDP connection attempts.

This configuration change takes effect immediately without requiring a reboot. Existing RDP sessions may continue until disconnected, but no new connections can be established once the registry value is set.

Why disable RDP on endpoints

Attackers target RDP through brute force attacks, credential stuffing, and vulnerability exploitation, making it one of the most commonly exploited services in enterprise environments. Notable vulnerabilities like BlueKeep (CVE-2019-0708) and related flaws allow remote code execution through RDP without authentication.

Ransomware operators frequently use compromised RDP credentials as their initial access vector. Dark web marketplaces sell RDP access to compromised systems. By disabling RDP on endpoints that do not need it, you eliminate this attack surface entirely.

Many compliance frameworks require organizations to minimize remote access capabilities. CIS Controls recommend disabling unnecessary remote access services. For endpoints that require remote management, consider using Automox or other secure alternatives that provide better logging, authentication, and access controls than native RDP.

How RDP disabling works

  1. Evaluation phase: The Worklet reads the fDenyTSConnections registry value from HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server. If the value equals 1 (connections denied), the endpoint is compliant. If the value is 0 or missing (connections allowed), the endpoint requires remediation.

  2. Remediation phase: The Worklet uses Set-ItemProperty to set fDenyTSConnections to 1. This immediately prevents new RDP connections to the endpoint. The Worklet reports success or failure based on whether the registry modification completed successfully.
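
The two phases above as a single PowerShell script; this is an added example, not the Worklet's own source. It goes beyond the page by also reading the Group Policy copy of fDenyTSConnections, which overrides the local value when present. Assumptions: the -Remediate switch, the function names, and the exit code convention (0 for compliant or success, 1 otherwise) are illustrative.

```powershell
param([switch]$Remediate)   # hypothetical switch: omit it to run the evaluation only
$TsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
# Group Policy copy of the setting; when present, Windows honors it over $TsKey.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ValueName = 'fDenyTSConnections'

function Get-DenyValue([string]$Path) {
    # Returns the DWORD, or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Get-RdpState {
    $local  = Get-DenyValue $TsKey
    $policy = Get-DenyValue $PolicyKey
    if ($null -ne $policy) { $effective = $policy; $source = 'policy' }
    else                   { $effective = $local;  $source = 'local' }
    # Only an explicit 1 denies connections; 0 or a missing value allows them.
    New-Object PSObject -Property @{
        Local = $local; Policy = $policy; Source = $source
        Compliant = ($effective -eq 1)
    }
}

$state = Get-RdpState
if ($state.Compliant) {
    Write-Output "Compliant: $ValueName=1 (source: $($state.Source))"
    exit 0
}
if (-not $Remediate) {
    Write-Output "Non-Compliant: $ValueName is 0 or missing (source: $($state.Source))"
    exit 1   # assumed convention: a non-zero evaluation result requests remediation
}
if ($state.Source -eq 'policy') {
    # Writing the local key cannot win against a policy value that allows RDP.
    Write-Output "Not remediated: Group Policy sets $ValueName=$($state.Policy)"
    exit 1
}
try {
    # An Int32 written through the registry provider is stored as REG_DWORD.
    Set-ItemProperty -Path $TsKey -Name $ValueName -Value 1 -ErrorAction Stop
} catch {
    Write-Output "Remediation failed: $($_.Exception.Message)"
    exit 1
}
# Re-read instead of trusting the write, then report the way the evaluation does.
if ((Get-RdpState).Compliant) { Write-Output 'Remediated: new RDP connections are refused'; exit 0 }
Write-Output 'Remediation did not take effect'; exit 1
```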

RDP disabling requirements

  • Windows 7 or later, Windows Server 2008 or later

  • PowerShell 2.0 or later

  • Administrative privileges to modify HKLM registry

  • Alternative remote management solution in place if remote access is needed

Expected remote access state after remediation

After remediation, the endpoint refuses all incoming RDP connection attempts. Users attempting to connect via Remote Desktop Client receive a connection refused error. The Terminal Services service may still run, but it does not accept connections. This configuration eliminates RDP as an attack vector while allowing other remote management tools to continue functioning.

You can verify the configuration by checking the registry value at HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server where fDenyTSConnections should equal 1. You can also verify by attempting an RDP connection to the endpoint, which should fail. The Windows Firewall may show RDP ports as open, but the Terminal Server configuration prevents connections regardless of firewall settings, demonstrating defense-in-depth security.

How to validate the Disable Remote Desktop Protocol on Windows Machines changes

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output for Disable Remote Desktop Protocol on Windows Machines.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to the evaluation script logic, such as Get-ItemProperty and the evaluation's Non-Compliant output.

  4. Validate remediation effects from script operations such as Set-ItemProperty and Write-Output, then rerun the evaluation to confirm compliance.



What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
