In this post, you will learn how to disable Remote Desktop access using Intune (MEM). By disabling remote desktop services, you prevent users from connecting to the machine.
To connect to a remote computer in your network, the computer must be turned on, Remote Desktop must be enabled, and you must have network access and permissions to the remote computer.
So, why would you disable remote desktop connections? An enabled RDP service can become the gateway through which a malware infection or targeted ransomware is deployed, resulting in critical service disruption.
Some organizations prefer to disable remote desktop access completely on servers and even workstations. The goal is to prevent malicious users from accessing the computer remotely via RDP.
Intune’s configuration policies help you lock down Windows devices as per your organization’s security requirements. In Intune, we will make use of a policy setting called Allow users to connect remotely by using Remote Desktop Services.
This policy setting allows you to configure remote access to computers by using Remote Desktop Services. When this policy is disabled, the users cannot connect remotely to the target computer by using Remote Desktop Services.
Caution – When you deploy an Intune configuration profile to disable Remote Desktop access, it removes the ability to RDP to the machine. Be careful when applying this policy to virtual machines running in Azure.
Disable Remote Desktop Access using Intune (MEM)
You can perform the following steps to disable remote desktop access using Intune (MEM):
- Log in to the Microsoft Endpoint Admin center portal.
- Go to Devices > Configuration Profiles.
- Click Create Profile to create a configuration profile for disabling Remote Desktop Access.
On the Create a profile window, select the Platform as Windows 10 and later. Now select the Profile type as Settings Catalog. Click Create.
Specify the profile name as Disable Remote Desktop Access or Services and click Next.
On the Configuration Settings window, we will use the Intune Settings catalog to configure the settings to disable Remote Desktop Access. Click Add Settings.
On the Settings Picker window, type remote desktop services and click Search. From the list of results, select Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.
Under Settings, select Allow users to connect remotely by using Remote Desktop Services.
Ensure the setting “Allow users to connect remotely by using Remote Desktop Services” is disabled.
If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services.
In the Assignments section, you can select the target groups. Click Add groups and select the groups. Click Next.
You can specify the scope tags. For now, we will not configure the scope tags. Click Next.
In the Review+Create section, verify the settings that you have configured and click Create.
Keep an eye on the notifications, and you should see a new notification confirming that the new configuration profile has been created. After a few minutes, when you attempt to RDP to a virtual machine or a computer that received the policy, the connection shouldn’t be allowed.
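To confirm on a device that the profile has applied, rather than relying only on a failed RDP attempt, you can run a local check like the one below. This is an added example, not part of the original post; the fDenyTSConnections registry locations, the TermService service name and the default RDP port 3389 do not appear in the post and are assumed here as the standard Windows values.

```powershell
# Added example: check on the endpoint whether RDP is denied and whether policy is the cause.
# Assumptions: elevated PowerShell session; RDP listens on the default TCP port 3389.

function Get-DenyValue {
    param([string]$Path)
    # Returns fDenyTSConnections at $Path, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name 'fDenyTSConnections' -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.fDenyTSConnections }
    return $null
}

# Value written by "Allow users to connect remotely by using Remote Desktop Services".
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
# Local (non-policy) Remote Desktop switch, as toggled in System settings.
$localPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

$policyValue = Get-DenyValue -Path $policyPath
$localValue  = Get-DenyValue -Path $localPath

# A policy value, when present, takes precedence over the local one. 1 = connections denied.
$effective = if ($null -ne $policyValue) { $policyValue } else { $localValue }

$service  = Get-Service -Name 'TermService' -ErrorAction SilentlyContinue
$listener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    PolicyDenyValue   = if ($null -ne $policyValue) { $policyValue } else { 'not set' }
    LocalDenyValue    = if ($null -ne $localValue)  { $localValue }  else { 'not set' }
    RdpDenied         = ($effective -eq 1)
    ManagedByPolicy   = ($null -ne $policyValue)
    TermServiceStatus = if ($service) { $service.Status } else { 'not found' }
    Port3389Listening = [bool]$listener
}
```

RdpDenied = True together with ManagedByPolicy = True indicates the Intune setting is in force; RdpDenied = True with ManagedByPolicy = False means RDP is only switched off locally and a local administrator can turn it back on.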
To turn remote desktop access back on for the computer, you can edit the same policy and enable the Allow users to connect remotely by using Remote Desktop Services setting.