In this version of Remote Desktop Connection, if the Terminal Server role service is installed on the remote computer, running mstsc /admin will do the following (for the current connection only): Disable Terminal Services client access licensing. Download this app from Microsoft Store for Windows 10, Windows 8.1, Windows 10 Mobile, Windows Phone 8.1, Windows 10 Team (Surface Hub), HoloLens. See screenshots, read the latest customer reviews, and compare ratings for Microsoft Remote Desktop. To require all outbound Remote Desktop requests to use RestrictedAdmin mode: Open Group Policy Management Console: click Start, click Run, type gpmc.msc, and then click OK. Select the group policy which best applies to the systems from which you will initiate Remote Desktop connections. Edit the Group Policy and navigate to the following node. In Remote Desktop Connection, type the name of the PC you want to connect to (from Step 1), and then select Connect. On your Windows, Android, or iOS device: Open the Remote Desktop app (available for free from Microsoft Store, Google Play, and the Mac App Store), and add the name of the PC that you want to connect to (from Step 1).

-->

Microsoft Remote Desktop Access Local Files

Applies to: Windows 10, Windows 8.1, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2

Now that you've set up the Remote Desktop client on your device (Android, Mac, iOS, or Windows), you may have questions. Here are answers to the most commonly asked questions about the Remote Desktop clients.

The majority of these questions apply to all of the clients, but there are a few client specific items.

If you have additional questions that you'd like us to answer, leave them as feedback on this article.

Setting up

Which PCs can I connect to?

Check out the supported configuration article for information about what PCs you can connect to.

How do I set up a PC for Remote Desktop?

I have my device set up, but I don't think the PC's ready. Help?

First, have you seen the Remote Desktop Setup Wizard? It walks you through getting your PC ready for remote access. Download and run that tool on your PC to get everything set.

Otherwise, if you prefer to do things manually, read on.

For Windows 10, do the following:

  1. On the device you want to connect to, open Settings.
  2. Select System and then Remote Desktop.
  3. Use the slider to enable Remote Desktop.
  4. In general, it's best to keep the PC awake and discoverable to facilitate connections. Click Show settings to go to the power settings for your PC, where you can change this setting.

    Note

    You can't connect to a PC that's asleep or hibernating, so make sure the settings for sleep and hibernation on the remote PC are set to Never. (Hibernation isn't available on all PCs.)

Make note of the name of this PC under How to connect to this PC. You'll need this to configure the clients.

You can grant permission for specific users to access this PC - to do that, click Select users that can remotely access this PC.Members of the Administrators group automatically have access.

For Windows 8.1, follow the instructions to allow remote connections in Connect to another desktop using Remote Desktop Connections.

Connection, gateway, and networks

Why can't I connect using Remote Desktop?

Here are some possible solutions to common problems you might encounter when trying to connect to a remote PC. If these solutions don't work, you can find more help on the Microsoft Community website.

  • The remote PC can't be found. Make sure you have the right PC name, and then check to see if you entered that name correctly. If you still can't connect, try using the IP address of the remote PC instead of the PC name.

  • There's a problem with the network. Make sure you have internet connection.

  • The Remote Desktop port might be blocked by a firewall. If you're using Windows Firewall, follow these steps:

    1. Open Windows Firewall.

    2. Click Allow an app or feature through Windows Firewall.

    3. Click Change settings. You might be asked for an admin password or to confirm your choice.

    4. Under Allowed apps and features, select Remote Desktop, and then tap or click OK.

      If you're using a different firewall, make sure the port for Remote Desktop (usually 3389) is open.

  • Remote connections might not be set up on the remote PC. To fix this, scroll back up to How do I set up a PC for Remote Desktop? question in this topic.

  • The remote PC might only allow PCs to connect that have Network Level Authentication set up.

  • The remote PC might be turned off. You can't connect to a PC that's turned off, asleep, or hibernating, so make sure the settings for sleep and hibernation on the remote PC are set to Never (hibernation isn't available on all PCs.).

Why can't I find or connect to my PC?

Check the following:

  • Is the PC on and awake?

  • Did you enter the right name or IP address?

    Important

    Using the PC name requires your network to resolve the name correctly through DNS. In many home networks, you have to use the IP address instead of the host name to connect.

  • Is the PC on a different network? Did you configure the PC to let outside connections through? Check out Allow access to your PC from outside your network for help.

  • Are you connecting to a supported Windows version?

    Note

    Windows XP Home, Windows Media Center Edition, Windows Vista Home and Windows 7 Home or Starter are not supported without 3rd party software.

Why can't I sign in to a remote PC?

If you can see the sign-in screen of the remote PC but you can't sign in, you might not have been added to the Remote Desktop Users Group or to any group with administrator rights on the remote PC. Ask your system admin to do this for you.

Which connection methods are supported for company networks?

If you want to access your office desktop from outside your company network, your company must provide you with a means of remote access. The RD Client currently supports the following:

  • Terminal Server Gateway or Remote Desktop Gateway
  • Remote Desktop Web Access
  • VPN (through iOS built-in VPN options)

VPN doesn't work

VPN issues can have several causes. The first step is to verify that the VPN works on the same network as your PC or Mac computer. If you can't test with a PC or Mac, you can try to access a company intranet web page with your device's browser.

Other things to check:

  • The 3G network blocks or corrupts VPN. There are several 3G providers in the world who seem to block or corrupt 3G traffic. Verify VPN connectivity works correctly for over a minute.
  • L2TP or PPTP VPNs. If you are using L2TP or PPTP in your VPN, please set Send All Traffic to ON in the VPN configuration.
  • VPN is misconfigured. A misconfigured VPN server can be the reason why the VPN connections never worked or stopped working after some time. Ensure testing with the iOS device's web browser or a PC or Mac on the same network if this happens.

How can I test if VPN is working properly?

Verify that VPN is enabled on your device. You can test your VPN connection by going to a webpage on your internal network or using a web service which is only available via the VPN.

How do I configure L2TP or PPTP VPN connections?

If you are using L2TP or PPTP in your VPN, make sure to set Send all traffic to ON in the VPN configuration.

Web client

Which browsers can I use?

The web client supports Microsoft Edge, Internet Explorer 11, Mozilla Firefox (v55.0 and later), Safari, and Google Chrome.

What PCs can I use to access the web client?

The web client supports Windows, macOS, Linux, and ChromeOS. Mobile devices are not supported at this time.

Can I use the web client in a Remote Desktop deployment without a gateway?

No. The client requires a Remote Desktop Gateway to connect. Don't know what that means? Ask your admin about it.

Does the Remote Desktop web client replace the Remote Desktop Web Access page?

No. The Remote Desktop web client is hosted at a different URL than the Remote Desktop Web Access page. You can use either the web client or the Web Access page to view the remote resources in a browser.

Can I embed the web client in another web page?

This feature is not supported at the moment.

Monitors, audio, and mouse

How do I use all of my monitors?

To use two or more screens, do the following:

  1. Right-click the remote desktop that you want to enable multiple screens for, and then click Edit.
  2. Enable Use all monitors and Full screen.

Is bi-directional sound supported?

Bi-directional sound can be configured in the Windows client on a per-connection basis. The relevant settings can be accessed in the Remote audio section of the Local Resources options tab.

What can I do if the sound won't play?

Sign out of the session (don't just disconnect, sign all the way out), and then sign in again.

Mac client - hardware questions

Is retina resolution supported?

Yes, the remote desktop client supports retina resolution.

How do I enable secondary right-click?

In order to make use of the right-click inside an open session you have three options:

  • Standard PC two button USB mouse
  • Apple Magic Mouse: To enable right-click, click System Preferences in the dock, click Mouse, and then enable Secondary click.
  • Apple Magic Trackpad or MacBook Trackpad: To enable right-click, click System Preferences in the dock, click Trackpad, and then enable Secondary click.

Is AirPrint supported?

No, the Remote Desktop client doesn't support AirPrint. (This is true for both Mac and iOS clients.)

Why do incorrect characters appear in the session?

If you are using an international keyboard, you might see an issue where the characters that appear in the session do match the characters you typed on the Mac keyboard.

This can occur in the following scenarios:

  • You are using a keyboard that the remote session does not recognize. When Remote Desktop doesn't recognize the keyboard, it defaults to the language last used with the remote PC.
  • You are connecting to a previously disconnected session on a remote PC and that remote PC uses a different keyboard language than the language you are currently trying to use.

You can fix this issue by manually setting the keyboard language for the remote session. See the steps in the next section.

How do language settings affect keyboards in a remote session?

There are many types of Mac keyboard layouts. Some of these are Mac specific layouts or custom layouts for which an exact match may not be available on the version of Windows you are remoting into. The remote session maps your keyboard to the best matching keyboard language available on the remote PC.

If your Mac keyboard layout is set to the PC version of the language keyboard (for example, French – PC) all your keys should be mapped correctly and your keyboard should just work.

If your Mac keyboard layout is set to the Mac version of a keyboard (for example, French) the remote session will map you to the PC version of the French language. Some of the Mac keyboard shortcuts you are used to using on OSX will not work in the remote Windows session.

If your keyboard layout is set to a variation of a language (for example, Canadian-French) and if the remote session cannot map you to that exact variation, the remote session will map you to the closest language (for example, French). Some of the Mac keyboard shortcuts you are used to using on OSX will not work in the remote Windows session.

If your keyboard layout is set to a layout the remote session cannot match at all, your remote session will default to give you the language you last used with that PC. In this case, or in cases where you need to change the language of your remote session to match your Mac keyboard, you can manually set the keyboard language in the remote session to the language that is the closest match to the one you wish to use as follows.

Use the following instructions to change the keyboard layout inside the remote desktop session:

On Windows 10 or Windows 8:

  1. From inside the remote session, open Region and Language. Click Start > Settings > Time and Language. Open Region and Language.
  2. Add the language you want to use. Then close the Region and Language window.
  3. Now, in the remote session, you'll see the ability to switch between languages. (In the right side of the remote session, near the clock.) Click the language you want to switch to (such as Eng).

You might need to close and restart the application you are currently using for the keyboard changes to take effect.

Specific errors

Why do I get an 'Insufficient privileges' error?

You are not allowed to access the session you want to connect to. The most likely cause is that you are trying to connect to an admin session. Only administrators are allowed to connect to the console. Verify that the console switch is off in the advanced settings of the remote desktop. If this is not the source of the problem, please contact your system administrator for further assistance.

Why does the client say that there is no CAL?

When a remote desktop client connects to a Remote Desktop server, the server issues a Remote Desktop Services Client Access License (RDS CAL) stored by the client. Whenever the client connects again it will use its RDS CAL and the server will not issue another license. The server will issue another license if the RDS CAL on the device is missing or corrupt. When the maximum number of licensed devices is reached the server will not issue new RDS CALs. Contact your network administrator for assistance.

Why did I get an 'Access Denied' error?

The 'Access Denied' error is a generated by the Remote Desktop Gateway and the result of incorrect credentials during the connection attempt. Verify your username and password. If the connection worked before and the error occurred recently, you possibly changed your Windows user account password and haven't updated it yet in the remote desktop settings.

What does 'RPC Error 23014' or 'Error 0x59e6' mean?

In case of an RPC error 23014 or Error 0x59E6 try again after waiting a few minutes, the RD Gateway server has reached the maximum number of active connections. Depending on the Windows version running on the RD Gateway the maximum number of connections differs: The Windows Server 2008 R2 Standard implementation limits the number of connections to 250. The Windows Server 2008 R2 Foundation implementation limits the number of connections to 50. All other Windows implementations allow an unlimited number of connections.

What does the 'Failed to parse NTLM challenge' error mean?

This error is caused by a misconfiguration on the remote PC. Make sure the RDP security level setting on the remote PC is set to 'Client Compatible.' (Talk to your system admin if you need help doing this.)

What does 'TS_RAP You are not allowed to connect to the given host' mean?

This error happens when a Resource Authorization Policy on the gateway server stops your user name from connecting to the remote PC. This can happen in the following instances:

  • The remote PC name is the same as the name of the gateway. Then, when you try to connect to the remote PC, the connection goes to the gateway instead, which you probably don't have permission to access. If you need to connect to the gateway, do not use the external gateway name as PC name. Instead use 'localhost' or the IP address (127.0.0.1), or the internal server name.
  • Your user account isn't a member of the user group for remote access.
-->

Use these steps when a Remote Desktop client can't connect to a remote desktop but doesn't provide messages or other symptoms that would help identify the cause.

Check the status of the RDP protocol

Check the status of the RDP protocol on a local computer

To check and change the status of the RDP protocol on a local computer, see How to enable Remote Desktop.

Note

If the remote desktop options are not available, see Check whether a Group Policy Object is blocking RDP.

Check the status of the RDP protocol on a remote computer

Important

Follow this section's instructions carefully. Serious problems can occur if the registry is modified incorrectly. Before you start modifying the registry, back up the registry so you can restore it in case something goes wrong.

To check and change the status of the RDP protocol on a remote computer, use a network registry connection:

  1. First, go to the Start menu, then select Run. In the text box that appears, enter regedt32.
  2. In the Registry Editor, select File, then select Connect Network Registry.
  3. In the Select Computer dialog box, enter the name of the remote computer, select Check Names, and then select OK.
  4. Navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server.
    • If the value of the fDenyTSConnections key is 0, then RDP is enabled.
    • If the value of the fDenyTSConnections key is 1, then RDP is disabled.
  5. To enable RDP, change the value of fDenyTSConnections from 1 to 0.

Check whether a Group Policy Object (GPO) is blocking RDP on a local computer

Microsoft

If you can't turn on RDP in the user interface or the value of fDenyTSConnections reverts to 1 after you've changed it, a GPO may be overriding the computer-level settings.

To check the group policy configuration on a local computer, open a Command Prompt window as an administrator, and enter the following command:

After this command finishes, open gpresult.html. In Computer ConfigurationAdministrative TemplatesWindows ComponentsRemote Desktop ServicesRemote Desktop Session HostConnections, find the Allow users to connect remotely by using Remote Desktop Services policy.

  • If the setting for this policy is Enabled, Group Policy is not blocking RDP connections.

  • If the setting for this policy is Disabled, check Winning GPO. This is the GPO that is blocking RDP connections.

Check whether a GPO is blocking RDP on a remote computer

To check the Group Policy configuration on a remote computer, the command is almost the same as for a local computer:

The file that this command produces (gpresult-<computer name>.html) uses the same information format as the local computer version (gpresult.html) uses.

Modifying a blocking GPO

You can modify these settings in the Group Policy Object Editor (GPE) and Group Policy Management Console (GPM). For more information about how to use Group Policy, see Advanced Group Policy Management.

To modify the blocking policy, use one of the following methods:

  • In GPE, access the appropriate level of GPO (such as local or domain), and navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > Allow users to connect remotely by using Remote Desktop Services.
    1. Set the policy to either Enabled or Not configured.
    2. On the affected computers, open a command prompt window as an administrator, and run the gpupdate /force command.
  • In GPM, navigate to the organizational unit (OU) in which the blocking policy is applied to the affected computers and delete the policy from the OU.

Microsoft Remote Desktop App

Check the status of the RDP services

On both the local (client) computer and the remote (target) computer, the following services should be running:

  • Remote Desktop Services (TermService)
  • Remote Desktop Services UserMode Port Redirector (UmRdpService)

You can use the Services MMC snap-in to manage the services locally or remotely. You can also use PowerShell to manage the services locally or remotely (if the remote computer is configured to accept remote PowerShell cmdlets).

On either computer, if one or both services are not running, start them.

Note

If you start the Remote Desktop Services service, click Yes to automatically restart the Remote Desktop Services UserMode Port Redirector service.

Check that the RDP listener is functioning

Important

Download Remote Desktop Windows 10

Follow this section's instructions carefully. Serious problems can occur if the registry is modified incorrectly. Before you starty modifying the registry, back up the registry so you can restore it in case something goes wrong.

Check the status of the RDP listener

For this procedure, use a PowerShell instance that has administrative permissions. For a local computer, you can also use a command prompt that has administrative permissions. However, this procedure uses PowerShell because the same cmdlets work both locally and remotely.

  1. To connect to a remote computer, run the following cmdlet:

  2. Enter qwinsta.

  3. If the list includes rdp-tcp with a status of Listen, the RDP listener is working. Proceed to Check the RDP listener port. Otherwise, continue at step 4.

  4. Export the RDP listener configuration from a working computer.

    1. Sign in to a computer that has the same operating system version as the affected computer has, and access that computer's registry (for example, by using Registry Editor).
    2. Navigate to the following registry entry:
      HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp
    3. Export the entry to a .reg file. For example, in Registry Editor, right-click the entry, select Export, and then enter a filename for the exported settings.
    4. Copy the exported .reg file to the affected computer.
  5. To import the RDP listener configuration, open a PowerShell window that has administrative permissions on the affected computer (or open the PowerShell window and connect to the affected computer remotely).

    1. To back up the existing registry entry, enter the following cmdlet:

    2. To remove the existing registry entry, enter the following cmdlets:

    3. To import the new registry entry and then restart the service, enter the following cmdlets:

      Replace <filename> with the name of the exported .reg file.

  6. Test the configuration by trying the remote desktop connection again. If you still can't connect, restart the affected computer.

  7. If you still can't connect, check the status of the RDP self-signed certificate.

Check the status of the RDP self-signed certificate

  1. If you still can't connect, open the Certificates MMC snap-in. When you are prompted to select the certificate store to manage, select Computer account, and then select the affected computer.
  2. In the Certificates folder under Remote Desktop, delete the RDP self-signed certificate.
  3. On the affected computer, restart the Remote Desktop Services service.
  4. Refresh the Certificates snap-in.
  5. If the RDP self-signed certificate has not been recreated, check the permissions of the MachineKeys folder.

Enable Remote Desktop

Check the permissions of the MachineKeys folder

Microsoft Remote Desktop Assistant

  1. On the affected computer, open Explorer, and then navigate to C:ProgramDataMicrosoftCryptoRSA.
  2. Right-click MachineKeys, select Properties, select Security, and then select Advanced.
  3. Make sure that the following permissions are configured:
    • BuiltinAdministrators: Full control
    • Everyone: Read, Write

Check the RDP listener port

On both the local (client) computer and the remote (target) computer, the RDP listener should be listening on port 3389. No other applications should be using this port.

Important

Follow this section's instructions carefully. Serious problems can occur if the registry is modified incorrectly. Before you starty modifying the registry, back up the registry so you can restore it in case something goes wrong.

To check or change the RDP port, use the Registry Editor:

  1. Go to the Start menu, select Run, then enter regedt32 into the text box that appears.
    • To connect to a remote computer, select File, and then select Connect Network Registry.
    • In the Select Computer dialog box, enter the name of the remote computer, select Check Names, and then select OK.
  2. Open the registry and navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal ServerWinStations<listener>.
  3. If PortNumber has a value other than 3389, change it to 3389.

    Important

    You can operate Remote Desktop services using another port. However, we don't recommend you do this. This article doesn't cover how to troubleshoot that type of configuration.

  4. After you change the port number, restart the Remote Desktop Services service.

Check that another application isn't trying to use the same port

For this procedure, use a PowerShell instance that has administrative permissions. For a local computer, you can also use a command prompt that has administrative permissions. However, this procedure uses PowerShell because the same cmdlets work locally and remotely.

  1. Open a PowerShell window. To connect to a remote computer, enter Enter-PSSession -ComputerName <computer name>.

  2. Enter the following command:

  3. Look for an entry for TCP port 3389 (or the assigned RDP port) with a status of Listening.

    Note

    The process identifier (PID) for the process or service using that port appears under the PID column.

  4. To determine which application is using port 3389 (or the assigned RDP port), enter the following command:

  5. Look for an entry for the PID number that is associated with the port (from the netstat output). The services or processes that are associated with that PID appear on the right column.

  6. If an application or service other than Remote Desktop Services (TermServ.exe) is using the port, you can resolve the conflict by using one of the following methods:

    • Configure the other application or service to use a different port (recommended).
    • Uninstall the other application or service.
    • Configure RDP to use a different port, and then restart the Remote Desktop Services service (not recommended).

Check whether a firewall is blocking the RDP port

Microsoft Remote Desktop Access Mac

Use the psping tool to test whether you can reach the affected computer by using port 3389.

Microsoft Remote Desktop For Mac

  1. Go to a different computer that isn't affected and download psping from https://live.sysinternals.com/psping.exe.

  2. Open a command prompt window as an administrator, change to the directory in which you installed psping, and then enter the following command:

  3. Check the output of the psping command for results such as the following:

    • Connecting to <computer IP>: The remote computer is reachable.
    • (0% loss): All attempts to connect succeeded.
    • The remote computer refused the network connection: The remote computer is not reachable.
    • (100% loss): All attempts to connect failed.
  4. Run psping on multiple computers to test their ability to connect to the affected computer.

  5. Note whether the affected computer blocks connections from all other computers, some other computers, or only one other computer.

  6. Recommended next steps:

    • Engage your network administrators to verify that the network allows RDP traffic to the affected computer.
    • Investigate the configurations of any firewalls between the source computers and the affected computer (including Windows Firewall on the affected computer) to determine whether a firewall is blocking the RDP port.