How do I enable Remote Desktop Services on a Windows ECS instance?

Last Updated: Feb 27, 2026

If Remote Desktop Services are disabled on your Windows Elastic Compute Service (ECS) instance, Remote Desktop connections fail. This topic describes how to enable Remote Desktop Services through a VNC session so that you can connect to the instance over Remote Desktop Protocol (RDP).

Prerequisites

Before you begin, make sure that:

  • The Windows ECS instance is in the Running state

  • You can access the instance through Virtual Network Computing (VNC). For instructions, see Connect to an instance by using VNC

  • The security group associated with the instance allows inbound TCP traffic on port 3389

  • The instance has a public IP address or an Elastic IP Address (EIP) bound to it

Procedure

Note

The following steps use Windows Server 2012 as an example. The steps may differ depending on your operating system version. For version-specific instructions, see the official Microsoft documentation.

  1. Connect to the ECS instance through VNC.

  2. Open the Run dialog box, enter cmd, and click OK to open Command Prompt.

  3. Check whether port 3389 is listening:

    netstat -aon | findstr "3389"

    If the command returns no output, port 3389 is not listening. Continue with the following steps to enable Remote Desktop Services and open the port.

  4. Switch to PowerShell:

    powershell

  5. Run the following commands to enable Remote Desktop Services:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name fDenyTSConnections -Value 0 -Force
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Force
    netsh.exe advfirewall firewall add rule name="Open RDP Port 3389" dir=in action=allow protocol=TCP localport=3389

    These commands perform the following operations:

    | Command | Registry path / Target | Effect |
    | --- | --- | --- |
    | Set fDenyTSConnections to 0 | HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server | Allows incoming Remote Desktop connections |
    | Set UserAuthentication to 1 | HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp | Enables Network Level Authentication (NLA), which requires users to authenticate before a remote session is established |
    | Add firewall rule "Open RDP Port 3389" | Windows Firewall (inbound, TCP, port 3389) | Allows inbound RDP traffic through the firewall |

    Expected output:

    Command output showing successful execution

Verify the result

Connect to the Windows ECS instance from your local machine using Remote Desktop. For detailed steps, see Connect to a Windows instance by using a username and password.

If the connection succeeds, Remote Desktop Services are working correctly.

Troubleshooting

If you still cannot connect after enabling Remote Desktop Services, check the following in order:

  1. Security group rules -- Verify that the security group allows inbound TCP traffic on port 3389. Add a rule if one does not exist.

  2. Public IP address -- Confirm that the instance has a public IP address or an EIP bound to it.

  3. Windows Firewall -- Run netsh advfirewall firewall show rule name="Open RDP Port 3389" to confirm the firewall rule was created.

  4. Port 3389 listening -- Run netstat -aon | findstr "3389" again to confirm the port is now listening.

  5. NLA compatibility -- If your local Remote Desktop client does not support NLA, disable it by setting UserAuthentication to 0. Only do this in controlled environments.

For more troubleshooting steps, see What do I do if I cannot connect to a Windows instance?
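The Windows-side checks in items 3 to 5 of the list above can be run as a single audit. The following script is an added example, not part of the original topic. It assumes Windows Server 2012 or later and an elevated PowerShell session on the instance. The function names New-Check, Get-Status, and Test-RdpConfiguration are hypothetical.

```powershell
# Added example (not from the original page). Assumes Windows Server 2012 or later
# and an elevated PowerShell session on the instance, for example over VNC.
$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey   = "$tsKey\WinStations\RDP-Tcp"
$ruleName = 'Open RDP Port 3389'   # name given to the rule by the netsh command above

# Hypothetical helpers: build one result row, and map a boolean to a status string.
function New-Check($Name, $Value, $Status) {
    [pscustomobject]@{ Check = $Name; Value = $Value; Status = $Status }
}
function Get-Status([bool]$Ok) { if ($Ok) { 'OK' } else { 'FAIL' } }

function Test-RdpConfiguration {
    # fDenyTSConnections = 0: incoming Remote Desktop connections are allowed.
    $deny = (Get-ItemProperty $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    New-Check 'fDenyTSConnections' $deny (Get-Status ($deny -eq 0))

    # UserAuthentication = 1: NLA is required before a session is established.
    $nla = (Get-ItemProperty $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    New-Check 'UserAuthentication (NLA)' $nla (Get-Status ($nla -eq 1))

    # The firewall rule must exist, be enabled, and allow inbound traffic.
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Select-Object -First 1
    New-Check "Firewall rule '$ruleName'" ([bool]$rule) (Get-Status ([bool]$rule))

    if ($rule) {
        # Informational: the netsh command on this page sets no remote address,
        # so 'Any' here means the security group is the only source restriction.
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        New-Check 'Firewall rule remote address' $remote 'INFO'
    }

    # Same question as: netstat -aon | findstr "3389"
    $listen = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    New-Check 'TCP 3389 listening' ([bool]$listen) (Get-Status ([bool]$listen))
}

Test-RdpConfiguration | Format-Table -AutoSize
```

A FAIL row for UserAuthentication means NLA is off and the instance accepts RDP sessions without pre-authentication.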
