How To Change Remote Desktop (RDP) Port With PowerShell #RDP #PowerShell



As you probably know, Remote Desktop Connection (RDC) for Windows listens on port 3389 by default. However, the Remote Desktop Connection Client for the Mac supports only port 3389.

This port is blocked in Windows Firewall by default. To allow access to a server or client internally, you need to enable Remote Desktop on the desired machine. To allow external access, you need to enable remote access on your edge firewall as well as on the desired machine.

Changing the listening port helps to “hide” Remote Desktop from hackers who are constantly scanning the network for computers listening on the default Remote Desktop port (TCP 3389). This offers effective protection against the latest RDP worms and adds additional security to your environment.

Another scenario where changing the listening port is useful is when you want to allow external access to internal resources and you have only one public IP address. In this case, you need to change the default RDP listening port (TCP 3389) to a different port number on each server.

Changing the listening port for Remote Desktop the manual way is described by Microsoft here.

In this post, I will show you how to change the port that Remote Desktop listens on for a large number of servers with PowerShell.

Change the listening port for Remote Desktop with PowerShell

This assumes you have installed the Active Directory module for Windows PowerShell on your management machine.

Open Windows PowerShell with administrator privileges and run the following script:

Import-Module ActiveDirectory
# Collect every computer object under CN=Computers in the VIRT.LAB domain
$DCs = Get-ADComputer -Filter * -SearchBase "CN=Computers,DC=VIRT,DC=LAB"
Foreach ($DC in $DCs) {
    Invoke-Command -ComputerName $DC.Name -ScriptBlock {
        param ($DC)
        # Show the current RDP port, then write the new one
        Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" -Name PortNumber | Select-Object PortNumber
        Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" -Name PortNumber -Value 3395
        # Allow inbound RDP on the new port (TCP and UDP)
        New-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In) 3395" -Direction Inbound -Protocol TCP -Profile Any -LocalPort 3395 -Action Allow
        New-NetFirewallRule -DisplayName "Remote Desktop - User Mode (UDP-In) 3395" -Direction Inbound -Protocol UDP -Profile Any -LocalPort 3395 -Action Allow
        # The new port is only used after a restart, so ask before rebooting
        [ValidateSet('Yes','No')]$Answer = Read-Host "`nAre you sure you want to restart $($DC.Name) ? Enter Yes/No"
        If ($Answer -eq 'Yes') { Restart-Computer -Force }
    } -ArgumentList $DC
}

The above script changes the RDP listening port to 3395 on all servers in the OU named “Computers”, and then creates new firewall rules to allow inbound remote access over TCP/UDP port 3395.

For the change to take effect, you need to restart the computer, so I added a ValidateSet variable to confirm whether you want to restart the server now or later.
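To confirm the result on each machine, the following audit is an added example and not part of the original post. It assumes the new port is 3395 as in the script above; the function name Get-RdpPortAudit and its output property names are hypothetical.

```powershell
# Added example: audit the RDP port change (read-only, changes nothing).
# Assumption: 3395 is the new port, as in the script above.
function Get-RdpPortAudit {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [int]$ExpectedPort = 3395
    )
    $check = {
        param($ExpectedPort)
        $key = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
        $configured = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber

        # TCP listeners present right now on the old and the new port.
        # The registry value is only picked up after a restart.
        $listening = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
            Where-Object { $_.LocalPort -in 3389, $ExpectedPort } |
            Select-Object -ExpandProperty LocalPort -Unique)

        # Enabled inbound allow rules, matched by their port filter.
        $allow = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
        $rulesFor = {
            param($port)
            @($allow | Where-Object {
                ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$port"
            } | Select-Object -ExpandProperty DisplayName)
        }

        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            ConfiguredPort   = $configured
            ListeningPorts   = $listening
            # True when the registry was changed but the listener has not moved yet
            RestartPending   = ($listening -notcontains $configured)
            AllowRulesNew    = & $rulesFor $ExpectedPort
            # Rules that still open 3389 after the move are worth reviewing
            AllowRules3389   = & $rulesFor 3389
        }
    }
    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) { & $check $ExpectedPort }
        else { Invoke-Command -ComputerName $c -ScriptBlock $check -ArgumentList $ExpectedPort }
    }
}

# Local check; pass -ComputerName with the names from Get-ADComputer to audit remotely.
Get-RdpPortAudit | Format-List
```

A machine is fully migrated when ConfiguredPort and ListeningPorts both show only 3395, RestartPending is False, and AllowRules3389 is empty.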


Last but not least, you need to connect to the target machine by specifying the new RDP port.

i.e. mstsc /v

Hope this helps!


About Charbel Nemnom 579 Articles