Windows Security

Disable Remote Desktop when not needed

Practical Windows guide: disable Remote Desktop when not needed without the usual guesswork.

14 min read Intermediate Updated 9 Jun 2026
Windows library Start the guide

Step-by-step guide

Work through each section in order. Stop when your issue is resolved — you do not need every step for every situation.

What you will achieve

Turn off Remote Desktop when you do not need it, closing a common attack surface without breaking local access to the PC.

1) Disable via Settings (Windows 11)

  1. Open Settings → System → Remote Desktop.
  2. Toggle Remote Desktop to Off.
  3. Confirm the change — local login and screen sharing apps unrelated to RDP are unaffected.

2) Disable via System Properties (all editions)

  1. Press Win + R, type sysdm.cpl, press Enter.
  2. Open the Remote tab.
  3. Select Don't allow remote connections to this computer.
  4. Click OK and reboot if the service was actively in use.

3) Stop and disable the service

Admin PowerShell:

Set-Service TermService -StartupType Disabled
Stop-Service TermService -Force
Get-Service TermService | Select-Object Name, Status, StartType

4) Block RDP at the firewall (optional extra layer)

  1. Open wf.mscInbound Rules.
  2. Disable Remote Desktop - User Mode (TCP-In) rules on Public and Private profiles if RDP must never be used.

5) Confirm RDP is off remotely (audit)

Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name fDenyTSConnections

Value 1 means RDP disabled.

6) Alternative remote tools

  1. Quick Assist, TeamViewer, or Splunk SOAR-approved tools may remain enabled — disabling RDP does not block those.
  2. Audit Settings → Apps → Installed apps for remote tools you did not install.

7) Group Policy disable (Pro)

  1. Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Connections → Allow users to connect remotely → Disabled.

8) Verify no RDP listeners

netstat -an | findstr ":3389"

No LISTENING on 3389 confirms RDP service is off.

9) Disable Remote Assistance too

  1. sysdm.cpl → Remote tab → uncheck Allow Remote Assistance connections.
  2. Remote Assistance is separate from RDP but still inbound desktop access.

Verification checklist

Port scan from another LAN machine: 3389 closed. Attempt mstsc connection — should fail immediately. Confirm Remote Assistance also disabled in sysdm.cpl.

  1. Reboot once after changes that affect services, drivers, or firmware.
  2. Confirm the original problem is resolved under normal daily use, not only immediately after the fix.
  3. Note date, Windows version (Settings → System → About), and what changed in your personal runbook for next time.

Quick reference paths

  • Settings → System → Remote Desktop
  • sysdm.cpl → Remote tab
  • Services.msc → Remote Desktop Services
  • Admin tools: press Win + X for Terminal (Admin), Device Manager, and Computer Management.

On workstations that never need inbound remote access, combine disabled RDP with disabled Remote Assistance and blocked 3389 at the router — defence in depth beats a single toggle.

Related guides

desktop disable remote safely windows

Related guides

Continue with these next if you are building a fuller setup or troubleshooting path.

Security
Windows Defender exclusions (when safe)
Practical Windows guide: windows Defender exclusions (when safe) without the usual guesswork.
Read guide
Security
Local admin vs standard user accounts
Practical Windows guide: local admin vs standard user accounts without the usual guesswork.
Read guide