I recently discovered that RDP’ing into a Windows machine is not as easy as it used to be. Last time I did this, I was primarily working on Windows 7 devices. Goodness how things have changed with Windows 10 AND joining them to Entra ID. Here is what I ended up getting to work.
Assumptions
The following steps assume you have already logged into this machine with a user and that user is now the device “owner”. However, being the device owner does not mean you are a local administrator. If you are not a local administrator, you’ll need to have someone with those permissions do this for you.
Steps
- Sign in to the computer as an administrator
- This could either be a local administrator account OR an Entra ID user that has the “Microsoft Entra Joined Device Local Administrator” role in Entra ID.
- Enable Remote Desktop - detailed instructions can be found here
- Go to Start and then click the Settings icon on the left
- Select the System group followed by the Remote Desktop item.
- Use the slider to enable Remote Desktop.
- Add the appropriate user to the local remote desktop users group
- Technically, if you are already a local administrator on the computer, you have the ability to remote in to the machine already, but running the following command will explicitly add your user to the list.
- Open PowerShell as administrator and run:
net localgroup "Remote Desktop Users" /add "AzureAD\<userUPN>"
- Reminder: a UPN is the username, followed by an “at sign” (@) as separator, followed by the Active Directory internet domain. So the command would look like:
net localgroup "Remote Desktop Users" /add "AzureAD\username@contoso.com"
- The above command will add the user you specify to the “Remote Desktop Users” group in the CONTOSO\username format that I’d describe as “classic” domain.
- Disable NLA
- “If you are using your work account you must disable Network Level Authentication on the remote machine”
- Start menu > Settings > Remote Desktop > Advanced Settings > Uncheck NLA
- RDP using the local IP address of the computer with the CONTOSO\<userUPN> format. This step assumes that you are on the same private network as the computer.
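As an added example (not part of the original post), the server-side steps above scripted in PowerShell, so that the result can be read back and checked rather than clicked through Settings: the function names, parameters and the sample UPN are this example's own assumptions, while the registry values and the net localgroup command are the standard ones behind the Settings pages described.

```powershell
#Requires -RunAsAdministrator
# Added example, not the post's own code. Scripts: enable Remote Desktop,
# add the Entra ID user to "Remote Desktop Users", optionally turn off NLA,
# then read the resulting state back so it can be verified.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpAccessState {
    # Reads back what the Settings pages in the post show.
    $deny = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication).UserAuthentication
    # 'net localgroup' prints header lines, a dashed rule, one member per line,
    # then "The command completed successfully." Keep only the member lines.
    $members = (& net localgroup 'Remote Desktop Users') |
        Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' }
    [pscustomobject]@{
        RemoteDesktopEnabled = ($deny -eq 0)   # fDenyTSConnections 0 = allowed
        NlaRequired          = ($nla -eq 1)    # UserAuthentication 1 = NLA on (default)
        RemoteDesktopUsers   = @($members)
    }
}

function Enable-EntraRdpAccess {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,  # e.g. username@contoso.com
        [switch] $DisableNla   # only when the work-account sign-in needs it, as in the post
    )
    # Step 2: enable Remote Desktop (the Settings slider) and its firewall rule group.
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 0 -Type DWord
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

    # Step 3: same command as in the post, with the AzureAD\<UPN> member format.
    $member = "AzureAD\$UserPrincipalName"
    $out = & net localgroup 'Remote Desktop Users' /add $member 2>&1
    if ($LASTEXITCODE -ne 0 -and (($out -join ' ') -notmatch 'already a member')) {
        throw "Could not add $member to Remote Desktop Users: $out"
    }

    # Step 4: NLA is left at its default (required) unless explicitly disabled.
    if ($DisableNla) {
        Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 0 -Type DWord
    }
    Get-RdpAccessState
}

# Usage (sample UPN is constructed): Enable-EntraRdpAccess -UserPrincipalName 'username@contoso.com'
```

Run Get-RdpAccessState on its own afterwards to confirm the group membership and whether NLA is still required on that machine.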