Detailed troubleshooting steps for remote desktop connection issues to Windows VMs in Azure

This article provides detailed troubleshooting steps to diagnose and fix complex Remote Desktop errors for Windows-based Azure virtual machines.

Important

To eliminate the more common Remote Desktop errors, make sure to read the basic troubleshooting article for Remote Desktop before proceeding.

You may encounter a Remote Desktop error message that does not resemble any of the specific error messages covered in the basic Remote Desktop troubleshooting guide. Follow these steps to determine why the Remote Desktop (RDP) client is unable to connect to the RDP service on the Azure VM.

Components of a Remote Desktop connection

The following components are involved in an RDP connection:

Diagram shows the components involved in a Remote Desktop (RDP) connection.

Before proceeding, it might help to mentally review what has changed since the last successful Remote Desktop connection to the VM. For example:

  • The public IP address of the VM or the cloud service containing the VM (also called the virtual IP address VIP) has changed. The RDP failure could be because your DNS client cache still has the old IP address registered for the DNS name. Flush your DNS client cache and try connecting the VM again. Or try connecting directly with the new VIP.
  • You are using a third-party application to manage your Remote Desktop connections instead of using the connection generated by the Azure portal. Verify that the application configuration includes the correct TCP port for the Remote Desktop traffic. You can check this port for a classic virtual machine in the Azure portal, by clicking the VM's Settings > Endpoints.

Preliminary steps

Before proceeding to the detailed troubleshooting,

Try reconnecting to the VM via Remote Desktop after these steps.

Detailed troubleshooting steps

The Remote Desktop client may not be able to reach the Remote Desktop service on the Azure VM due to issues at the following sources:

Source 1: Remote Desktop client computer

Verify that your computer can make Remote Desktop connections to another on-premises, Windows-based computer.

Diagram of the components in an RDP connection with the RDP client highlighted and an arrow pointing to another on-premises computer indicating a connection.

If you cannot, check for the following settings on your computer:

  • A local firewall setting that is blocking Remote Desktop traffic.
  • Locally installed client proxy software that is preventing Remote Desktop connections.
  • Locally installed network monitoring software that is preventing Remote Desktop connections.
  • Other security software that monitors traffic, or allows or blocks specific types of traffic, and is preventing Remote Desktop connections.

In all these cases, temporarily disable the software and try to connect to an on-premises computer via Remote Desktop. If you can find out the actual cause this way, work with your network administrator to correct the software settings to allow Remote Desktop connections.

Source 2: Organization intranet edge device

Verify that a computer directly connected to the Internet can make Remote Desktop connections to your Azure virtual machine.

Diagram of the components in an RDP connection with an RDP client that is connected to the Internet highlighted and an arrow pointing to an Azure VM indicating a connection.

If you do not have a computer that is directly connected to the Internet, create and test with a new Azure virtual machine in a resource group or cloud service. For more information, see Create a virtual machine running Windows in Azure. You can delete the virtual machine and the resource group or the cloud service, after the test.

If you can create a Remote Desktop connection with a computer directly attached to the Internet, check your organization intranet edge device for:

  • An internal firewall blocking HTTPS connections to the Internet.
  • A proxy server preventing Remote Desktop connections.
  • Intrusion detection or network monitoring software running on devices in your edge network that is preventing Remote Desktop connections.

Work with your network administrator to correct the settings of your organization intranet edge device to allow HTTPS-based Remote Desktop connections to the Internet.

Source 3: Cloud service endpoint and ACL

Important

Classic VMs will be retired on September 1, 2023

If you use IaaS resources from ASM, please complete your migration by September 1, 2023. We encourage you to make the switch sooner to take advantage of the many feature enhancements in Azure Resource Manager.

For more information, see Migrate your IaaS resources to Azure Resource Manager by September 1, 2023.

For VMs created using the Classic deployment model, verify that another Azure VM that is in the same cloud service or virtual network can make Remote Desktop connections to your Azure VM.

Diagram of the components in an RDP connection with one Azure VM highlighted and an arrow pointing to another Azure VM within the same cloud service indicating a connection.

Note

For virtual machines created in Resource Manager, skip to Source 4: Network Security Groups.

If you do not have another virtual machine in the same cloud service or virtual network, create one. Follow the steps in Create a virtual machine running Windows in Azure. Delete the test virtual machine after the test is completed.

If you can connect via Remote Desktop to a virtual machine in the same cloud service or virtual network, check for these settings:

  • The endpoint configuration for Remote Desktop traffic on the target VM: The private TCP port of the endpoint must match the TCP port on which the VM's Remote Desktop service is listening (default is 3389).
  • The ACL for the Remote Desktop traffic endpoint on the target VM: ACLs allow you to specify allowed or denied incoming traffic from the Internet based on its source IP address. Misconfigured ACLs can prevent incoming Remote Desktop traffic to the endpoint. Check your ACLs to ensure that incoming traffic from your public IP addresses of your proxy or other edge server is allowed. For more information, see What is a Network Access Control List (ACL)?

To check if the endpoint is the source of the problem, remove the current endpoint and create a new one, choosing a random port in the range 49152–65535 for the external port number. For more information, see How to set up endpoints to a virtual machine.

Source 4: Network Security Groups

Network Security Groups allow more granular control of allowed inbound and outbound traffic. You can create rules spanning subnets and cloud services in an Azure virtual network.

Use IP flow verify to confirm whether a rule in a Network Security Group is blocking traffic to or from a virtual machine. You can also review the effective security group rules to ensure that an inbound "Allow" NSG rule exists for the RDP port (default 3389) and that no higher-priority rule denies it. For more information, see Using Effective Security Rules to troubleshoot VM traffic flow.
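The two checks above, run together from a workstation with the Az PowerShell module (Az.Compute and Az.Network). This is an added example, not part of the original article; the resource group, VM name and client IP are placeholders to fill in, and it assumes Network Watcher is enabled in the VM's region.

```powershell
# Added example: IP flow verify plus effective-rule review for the RDP port.
$rgName   = "<resource group of the VM>"
$vmName   = "<name of the target VM>"
$clientIp = "<public IP address your RDP client connects from>"
$rdpPort  = 3389

$vm  = Get-AzVM -ResourceGroupName $rgName -Name $vmName
$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$privateIp = $nic.IpConfigurations[0].PrivateIpAddress

# Network Watcher for the region the VM is deployed in
$nw = Get-AzNetworkWatcher -Location $vm.Location

# IP flow verify: would an inbound TCP packet from the client to the VM's
# private IP on the RDP port be allowed, and which NSG rule makes that decision?
# The remote (client) source port is an arbitrary ephemeral port.
$flow = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw `
    -TargetVirtualMachineId $vm.Id `
    -Direction Inbound -Protocol TCP `
    -LocalIPAddress $privateIp -LocalPort $rdpPort `
    -RemoteIPAddress $clientIp -RemotePort 60000
"IP flow verify: $($flow.Access) (decided by rule: $($flow.RuleName))"

# Effective rules normalise ports to "a-b" ranges (e.g. "3389-3389", "0-65535"),
# so test whether the RDP port falls inside any range of the rule.
function Test-PortInRanges([int]$Port, [string[]]$Ranges) {
    foreach ($r in $Ranges) {
        $lo, $hi = ($r -split '-')[0, -1]
        if ([int]$lo -le $Port -and $Port -le [int]$hi) { return $true }
    }
    return $false
}

# All rules applied to the NIC (NIC-level and subnet-level NSGs), inbound TCP
# rules covering the RDP port, lowest priority number first: the first row wins.
$effective = Get-AzEffectiveNetworkSecurityGroup `
    -NetworkInterfaceName $nic.Name -ResourceGroupName $nic.ResourceGroupName
$effective.EffectiveSecurityRules |
    Where-Object {
        $_.Direction -eq 'Inbound' -and
        $_.Protocol -in @('Tcp', 'All') -and
        (Test-PortInRanges -Port $rdpPort -Ranges $_.DestinationPortRange)
    } |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, SourceAddressPrefix, DestinationPortRange -AutoSize
```

If the first row of the table is a Deny rule, or the IP flow result is Deny, that rule (not the VM itself) is what needs correcting before moving on to Source 5.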

Source 5: Windows-based Azure VM

Diagram of the components in an RDP connection with an Azure VM highlighted within a cloud service and a message that it could be a possible source of issues.

Follow the instructions in How to reset a password or the Remote Desktop service for Windows virtual machines (listed under Additional resources). That procedure resets the Remote Desktop service on the virtual machine:

  • Enable the "Remote Desktop" Windows Firewall default rule (TCP port 3389).
  • Enable Remote Desktop connections by setting the HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections registry value to 0.

Try the connection from your computer again. If you are still not able to connect via Remote Desktop, check for the following possible problems:

  • The Remote Desktop service is not running on the target VM.
  • The Remote Desktop service is not listening on TCP port 3389.
  • Windows Firewall or another local firewall has an outbound rule that is preventing Remote Desktop traffic.
  • Intrusion detection or network monitoring software running on the Azure virtual machine is preventing Remote Desktop connections.
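A read-only check for the items in the list above, run inside the VM (for example in the remote PowerShell session described in the next steps, or through Run Command). This is an added example, not from the original article; the function name is my own, and it assumes the built-in NetSecurity and NetTCPIP modules present on Windows Server.

```powershell
# Added example: report the state of each RDP prerequisite without changing it.
function Get-RdpListenerState {
    $tsKey  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"

    # Registry: fDenyTSConnections must be 0; PortNumber is the configured listener port
    $deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
    $port = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

    # Service: the Remote Desktop Services service (TermService) must be running
    $svc = Get-Service -Name TermService

    # Socket: is anything actually listening on the configured port?
    $listener = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue

    # Firewall: the default "Remote Desktop" inbound rule group, and any enabled
    # outbound Block rule whose local port filter covers the RDP port
    $inRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound `
        -ErrorAction SilentlyContinue
    $outBlock = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True `
        -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$port" }

    [pscustomobject]@{
        ConnectionsAllowed = ($deny -eq 0)
        ConfiguredPort     = $port
        ServiceStatus      = $svc.Status
        ListeningOnPort    = [bool]$listener
        InboundRuleEnabled = [bool]($inRules | Where-Object { $_.Enabled -eq 'True' })
        OutboundBlockRules = @($outBlock | Select-Object -ExpandProperty DisplayName)
    }
}

Get-RdpListenerState
```

Any row other than ConnectionsAllowed = True, ServiceStatus = Running, ListeningOnPort = True, InboundRuleEnabled = True and an empty OutboundBlockRules points at which of the four problems applies; a ConfiguredPort other than 3389 is handled in the manual port correction steps later in this article.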

For VMs created using the classic deployment model, you can use a remote Azure PowerShell session to the Azure virtual machine. First, you need to install a certificate for the virtual machine's hosting cloud service. Go to Configure Secure Remote PowerShell Access to Azure Virtual Machines and download the InstallWinRMCertAzureVM.ps1 script file to your local computer.

Next, install Azure PowerShell if you haven't already. See How to install and configure Azure PowerShell.

Next, open an Azure PowerShell command prompt and change the current folder to the location of the InstallWinRMCertAzureVM.ps1 script file. To run an Azure PowerShell script, you must set the correct execution policy. Run the Get-ExecutionPolicy command to determine your current policy level. For information about setting the appropriate level, see Set-ExecutionPolicy.

Next, fill in your Azure subscription name, the cloud service name, and your virtual machine name (removing the < and > characters), and then run these commands.

$subscr="<Name of your Azure subscription>"
$serviceName="<Name of the cloud service that contains the target virtual machine>"
$vmName="<Name of the target virtual machine>"
.\InstallWinRMCertAzureVM.ps1 -SubscriptionName $subscr -ServiceName $serviceName -Name $vmName

You can get the correct subscription name from the SubscriptionName property of the display of the Get-AzureSubscription command. You can get the cloud service name for the virtual machine from the ServiceName column in the display of the Get-AzureVM command.

Check if you have the new certificate. Open a Certificates snap-in for the current user and look in the Trusted Root Certification Authorities\Certificates folder. You should see a certificate with the DNS name of your cloud service in the Issued To column (example: cloudservice4testing.cloudapp.net).

Next, initiate a remote Azure PowerShell session by using these commands.

$uri = Get-AzureWinRMUri -ServiceName $serviceName -Name $vmName
$creds = Get-Credential
Enter-PSSession -ConnectionUri $uri -Credential $creds

After entering valid administrator credentials, you should see something similar to the following Azure PowerShell prompt:

[cloudservice4testing.cloudapp.net]: PS C:\Users\User1\Documents>

The first part of this prompt is your cloud service name that contains the target VM, which could be different from "cloudservice4testing.cloudapp.net". You can now issue Azure PowerShell commands for this cloud service to investigate the problems mentioned and correct the configuration.

To manually correct the Remote Desktop Services listening TCP port

At the remote Azure PowerShell session prompt, run this command.

Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "PortNumber"

The PortNumber property shows the current port number. If needed, change the Remote Desktop port number back to its default value (3389) by using this command.

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "PortNumber" -Value 3389

Verify that the port has been changed to 3389 by using this command.

Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "PortNumber"

Exit the remote Azure PowerShell session by using this command.

Exit-PSSession

Verify that the Remote Desktop endpoint for the Azure VM is also using TCP port 3389 as its internal port. Restart the Azure VM and try the Remote Desktop connection again.

Additional resources

How to reset a password or the Remote Desktop service for Windows virtual machines

How to install and configure Azure PowerShell

Troubleshoot Secure Shell (SSH) connections to a Linux-based Azure virtual machine

Troubleshoot access to an application running on an Azure virtual machine

Contact us for help

If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.