RDP Port 3389 is Disabled by Default for All Newly Provisioned Windows 365 Cloud PCs

When you create a new Windows 365 Cloud PC, the Remote Desktop Protocol (RDP) port (port 3389) is turned off by default.

If you need to use Remote Desktop, you must enable the port manually (or, better, via Intune) in specific cases. Port 3389 is used for Remote Desktop connections, and it is turned off by default to keep new Windows 365 Cloud PCs secure.

Microsoft advises keeping it closed to protect your PCs from potential security risks. However, if you need to use Remote Desktop and your Cloud PCs are on your company’s Azure network, you can open the port with specific settings.

This post explains why Remote Desktop Port 3389 is disabled by default for all newly provisioned Windows 365 Cloud PCs. More details are described below.


What is Port 3389?


Port 3389 is the default network port used by the Remote Desktop Protocol (RDP), which allows users to connect remotely to another computer or server over a network. More details: RDP Remote Desktop Protocol Investments to Improve Windows 365 and AVD Experience.

RDP Port 3389 is Disabled by Default for All Newly Provisioned Windows 365 Cloud PCs

Port 3389 is disabled by default for all newly provisioned Cloud PCs. Microsoft confirms that this change in settings is intended to enhance the security of Windows 365 Cloud PCs.

If you need to open Port 3389 for Remote Desktop access on Windows 365 Cloud PCs that are reconfigured using the Azure Network Connection (ANC) deployment option, you have two main choices.

Azure Network Connection (ANC) Deployment Option

  • Windows 365 Security Baselines
  • Create a custom Firewall rule in Microsoft Intune

RDP Port 3389 is Disabled by Default for All Newly Provisioned Windows 365 Cloud PCs – Table 1

NOTE! – These options aren’t applicable for customers using a Microsoft-hosted network for Windows 365 Cloud PCs.


Windows 365 Security Baselines

You can easily use Windows 365 Security Baselines to manage port 3389 for Windows 365 Cloud PCs. These baselines offer a range of tools and configurations designed to enhance security. To configure port 3389, follow these steps.

  • Modify your Firewall settings to allow traffic through port 3389.
  • Set the Default Inbound Action for Public Profile to Allow.
  • These changes help ensure that port 3389 is appropriately configured to meet your organization’s operational needs.
  • Sign in to the Microsoft Intune admin center > Select Endpoint Security > Security Baselines.
  • The Security Baselines page lists the Windows 365 Security Baseline.

NOTE! – After selecting the Windows 365 Security Baseline, you must review all the settings required for this scenario. Select the appropriate configurations from the baseline and deploy them to all the relevant Cloud PCs.

RDP Port 3389 is Disabled by Default for All Newly Provisioned Windows 365 Cloud PCs - Fig.1

Create a Custom Firewall Rule in Microsoft Intune

In Intune, you can use the Endpoint Security Firewall policy to configure the built-in firewall for Windows devices. While similar settings can be configured through Endpoint Protection profiles under device configuration, those profiles include additional non-firewall settings, which may complicate the process if you only want to focus on firewall configurations.

More details: 4 New Intune Firewall Logging Configuration Policies

RDP Port 3389 is Disabled by Default for All Newly Provisioned Windows 365 Cloud PCs - Fig.3

You can set up a custom Firewall rule in Microsoft Intune to manage port 3389 for Windows 365 Cloud PCs. The rule allows inbound traffic on port 3389, the port that Remote Desktop uses to connect to Windows 365 Cloud PCs. Setting it up involves specifying the following.

  • Port number: 3389
  • Protocol: TCP
  • IP restrictions: Limit access to specific IP addresses or networks to ensure only authorized users can connect.

By creating this custom rule, you can control who can access port 3389 while maintaining security for your Cloud PCs.
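
To verify what actually landed on a Cloud PC after either option above is deployed, the following added example (not from the original post or from Microsoft) lists every effective inbound allow rule that covers TCP 3389, flags rules with no remote-address restriction, and warns when the Public profile's default inbound action is Allow. It assumes an elevated PowerShell session on the Cloud PC and the built-in NetSecurity cmdlets; the helper name Test-PortMatch is hypothetical.

```powershell
# Added example: audit the effective Windows Firewall state for RDP (TCP 3389).
# Assumes an elevated PowerShell session on the Cloud PC (NetSecurity module).
$RdpPort = 3389

function Test-PortMatch {   # hypothetical helper: does a LocalPort filter cover $Port?
    param([string[]]$LocalPort, [int]$Port)
    foreach ($entry in $LocalPort) {
        if ($entry -eq 'Any' -or $entry -eq "$Port") { return $true }
        # Ranges are reported as "low-high", e.g. "3000-4000"
        if ($entry -match '^(\d+)-(\d+)$' -and
            $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

# ActiveStore is the merged, effective policy (local rules plus MDM/GPO rules).
$findings = Get-NetFirewallRule -PolicyStore ActiveStore |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        # Protocol is reported as a name or an IANA number (6 = TCP)
        if ($portFilter.Protocol -notin 'TCP', '6', 'Any') { return }
        if (-not (Test-PortMatch -LocalPort $portFilter.LocalPort -Port $RdpPort)) { return }
        $remote = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = $remote -join ', '
            Finding       = if ($remote -contains 'Any') { 'UNRESTRICTED source' } else { 'source-restricted' }
        }
    }

# A default-allow Public profile exposes more than RDP, so report it separately.
$public = Get-NetFirewallProfile -PolicyStore ActiveStore | Where-Object Name -eq 'Public'
if ($public.DefaultInboundAction -eq 'Allow') {
    Write-Warning 'Public profile default inbound action is Allow: inbound traffic not matched by a block rule is permitted, not only port 3389.'
}

if (-not $findings) { 'No enabled inbound allow rule covers TCP 3389.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A rule reported as "UNRESTRICTED source" is missing the IP restriction listed above and should be narrowed to the specific addresses or networks that need Remote Desktop access.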

RDP Port 3389 is Disabled by Default for All Newly Provisioned Windows 365 Cloud PCs - Fig.2


Author

Anoop C Nair has been a Microsoft MVP from 2015 onwards for 10 consecutive years! He is a Workplace Solution Architect with more than 22 years of experience in Workplace technologies. He is also a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.
