When using Remote Desktop Protocol (RDP) to connect to Windows machines, administrators often encounter the default behavior where RDP re-attaches the user to an existing (typically disconnected) session, or authenticates with the credentials the client supplied, rather than displaying the Windows logon screen. This creates security and multi-user access challenges in enterprise environments.
The most straightforward approach is through Group Policy (GPO):
# Group Policy Path: Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Connections
Set "Restrict Remote Desktop Services users to a single Remote Desktop Services session" to Disabled. With the restriction lifted, a user who already has a session on the host gets a new one on the next connection instead of being re-attached to the existing session. Note what this setting does and does not do: it governs session reuse only. Whether the Windows logon screen is shown is governed separately by "Always prompt for password upon connection" and by Network Level Authentication, and every extra concurrent session consumes memory and CPU on the host.
For systems without GPO access, modify this registry key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fSingleSessionPerUser"=dword:00000000
Save as a .reg file and import, or apply via PowerShell:
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fSingleSessionPerUser -Value 0
When security is paramount, combine this with Restricted Admin mode for the administrative connection:
mstsc /v:targetPC /restrictedadmin
Restricted Admin mode keeps your password and NT hash off the target: the session is authenticated without sending them, and network access from inside the session uses the target's machine account. It has to be enabled on the target and can be required on the client:
# Target: HKLM\SYSTEM\CurrentControlSet\Control\Lsa, DisableRestrictedAdmin = 0 (REG_DWORD)
# Client: Computer Configuration → Administrative Templates → System → Credentials Delegation → "Restrict delegation of credentials to remote servers" → Enabled, option "Require Restricted Admin"
The "Remote Credential Guard" options in the same policy select a different mechanism that needs Kerberos and a domain-joined target, so they are not a substitute for Restricted Admin on standalone hosts. Caveat: because Restricted Admin authenticates with the NT hash alone, an attacker holding a stolen hash can open an RDP session to any host where it is enabled; limit it to hosts that are reached from hardened admin workstations.
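The target-side switch and the client-side policy, as an added PowerShell example (not code from the original page): it enables Restricted Admin on the host, reports whether the client policy is in force, and opens the connection. The registry paths and value names are the documented ones; targetPC is a placeholder hostname as in the page.

```powershell
# Added example (not from the original page): enable Restricted Admin mode on an
# RDP target, report the client-side policy state, then connect with /restrictedadmin.
# Run from an elevated prompt.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ClientKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-RestrictedAdminState {
    # DisableRestrictedAdmin: 0 = enabled, 1 = disabled; an absent value behaves as disabled.
    $v = (Get-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    # RestrictedRemoteAdministration is the value the "Restrict delegation of credentials
    # to remote servers" policy writes on the client when it is Enabled.
    $p = (Get-ItemProperty -Path $ClientKey -Name RestrictedRemoteAdministration -ErrorAction SilentlyContinue).RestrictedRemoteAdministration
    [pscustomobject]@{
        TargetRestrictedAdmin = if ($v -eq 0) { 'Enabled' } else { 'Disabled' }
        ClientPolicyEnabled   = [bool]$p
    }
}

function Enable-RestrictedAdmin {
    # Creates the value if it is missing; no service restart is required.
    Set-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin -Value 0 -Type DWord
    Get-RestrictedAdminState
}

# On the target host:
Enable-RestrictedAdmin

# From the admin workstation. Neither the password nor the hash is sent to the target,
# so there is no credential prompt on the host; anything reusable stays on this machine.
$Target = 'targetPC'   # placeholder hostname, as used on the page
mstsc.exe /v:$Target /restrictedadmin
```

Run Get-RestrictedAdminState on the target before rolling this out more widely: the pass-the-hash caveat above applies to every host where TargetRestrictedAdmin reports Enabled.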
If policies don't apply:
- Run gpupdate /force on the target machines
- Verify policy precedence with rsop.msc (or gpresult /h report.html for a saved report)
- Check the Remote Desktop Services service status:
Get-Service TermService
On non-domain machines there is no policy to push, so manage the sessions directly. query session (or quser) lists them with their IDs and states; tscon re-attaches a session elsewhere, for example moving your current RDP session to the physical console:
tscon 1 /dest:console
That ends the RDP connection without ending the session, which is the opposite of what you want if the goal is a fresh logon: the next RDP connection by that user will simply re-attach to it. To get the logon screen on the next connection, end the session with logoff <id> from an elevated prompt instead of merely disconnecting.
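The session housekeeping described above, as an added PowerShell example (not code from the original page): it parses quser output by header column offsets, lists the interactive sessions, and logs off the disconnected ones so the next RDP connection starts at a fresh logon. quser, logoff and tscon are the built-in tools; the function names are my own.

```powershell
# Added example (not from the original page): list interactive sessions on the local
# host and log off the disconnected ones so the next RDP connection starts a fresh
# logon instead of re-attaching to a stale session. Run from an elevated prompt.

function Get-InteractiveSession {
    # quser prints fixed-width columns; slice by the header offsets rather than
    # splitting on whitespace, because SESSIONNAME is blank for disconnected
    # sessions and the time columns contain spaces.
    $lines = @(quser 2>$null)
    if ($lines.Count -lt 2) { return @() }
    $h      = $lines[0]
    $uStart = $h.IndexOf('USERNAME')
    $nStart = $h.IndexOf('SESSIONNAME')
    $sStart = $h.IndexOf('STATE')
    $iStart = $h.IndexOf('IDLE TIME')

    foreach ($line in $lines[1..($lines.Count - 1)]) {
        $pad   = $line.PadRight($h.Length)                       # keep short lines sliceable
        $user  = $pad.Substring($uStart, $nStart - $uStart).Trim().TrimStart('>')  # '>' marks your own session
        $mid   = $pad.Substring($nStart, $sStart - $nStart)
        $state = $pad.Substring($sStart, $iStart - $sStart).Trim()
        # ID is right-aligned and SESSIONNAME may be empty, so read the middle
        # region as "optional name, then digits".
        if ($mid -match '^\s*(\S*?)\s*(\d+)\s*$') {
            [pscustomobject]@{
                User        = $user
                SessionName = $matches[1]      # empty while the session is disconnected
                Id          = [int]$matches[2]
                State       = $state           # Active or Disc
            }
        }
    }
}

function Remove-DisconnectedSession {
    param([switch]$WhatIf)
    foreach ($s in Get-InteractiveSession | Where-Object { $_.State -eq 'Disc' }) {
        if ($WhatIf) { "Would log off session $($s.Id) ($($s.User))"; continue }
        logoff $s.Id
        "Logged off session $($s.Id) ($($s.User))"
    }
}

# Usage:
Get-InteractiveSession | Format-Table -AutoSize
Remove-DisconnectedSession -WhatIf      # review first
# Remove-DisconnectedSession            # then end them; the next RDP logon starts fresh

# To do the opposite, keep your own RDP session alive but move it to the physical
# console (this ends your RDP connection, not the session):
# tscon $env:SESSIONNAME /dest:console
```

Logging off a session discards unsaved work in it, so review the -WhatIf output before the real run; logoff needs either the session owner's rights or an elevated prompt, and the `>` marker in quser identifies the session you are issuing the commands from, which you should not log off.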
Remember that the logon screen is pre-authentication attack surface whenever unauthenticated clients can reach it:
- Keep Network Level Authentication (NLA) enabled, so the screen is only ever shown to a client that has already authenticated
- Implement account lockout policies
- Configure firewall rules to restrict RDP access to management networks
When establishing Remote Desktop Protocol (RDP) connections to Windows machines, administrators often need to access the logon screen instead of being automatically authenticated into a session. This requirement is particularly crucial for:
- Active Directory domain join scenarios
- Password reset operations
- Multi-user terminal server environments
- Security auditing procedures
By default the host accepts whatever credentials the RDP client supplies (typed in the client or saved in the .rdp file), so the session starts without ever showing the Windows logon screen. The "Always prompt for password upon connection" policy overrides this behavior. It is stored as:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
"fPromptForPassword" (REG_DWORD): 0 or absent = accept client-supplied credentials, 1 = always prompt for the password on the host
The most reliable enterprise solution involves Group Policy Object (GPO) configuration:
Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security
"Always prompt for password upon connection" = Enabled
For PowerShell automation on the host (the Policies key usually does not exist until a policy has been applied, so create it first):
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "fPromptForPassword" -Value 1 -Type DWord
gpupdate /force is only meaningful when the value is delivered by Group Policy; a direct registry write is not a policy refresh. Bear in mind that a domain GPO which sets this policy will overwrite a local write at the next refresh, so prefer the GPO wherever one applies.
For an individual connection, the client-side equivalents are:
mstsc /v:servername /admin /prompt
/prompt makes mstsc ask for credentials instead of using saved ones; /admin connects to the administrative session on a Remote Desktop Session Host. With NLA enabled this still authenticates before the session starts, so the host's own logon screen appears only if the host is configured to prompt.
When GPO isn't available, the two registry values most often involved are the RDP enable switch and the NLA requirement. Neither one causes the logon screen to appear; they are prerequisites for a secure listener:
# Registry modification alternative: enable RDP (fDenyTSConnections = 0) and require NLA (UserAuthentication = 1)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f
For Windows Server Core installations:
# Configure Network Level Authentication
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Value 1
Restart-Service TermService -Force
Restarting TermService drops every RDP session on the host, including the one you are running the command in; do it from the console, a PowerShell remoting session, or a maintenance window.
If the logon screen still doesn't appear:
- Check whether NLA is required (UserAuthentication = 1). With NLA the client authenticates before the session exists, so the host's logon screen is shown only when "Always prompt for password upon connection" is enabled; that is expected behavior, not a fault
- Check CredSSP configuration on both sides on modern Windows versions (a mismatched Encryption Oracle Remediation policy makes the NLA handshake fail before any screen is shown)
- Confirm the Remote Desktop Services service is running: Get-Service TermService
- Validate firewall rules for RDP (TCP 3389, or the port set in the listener's PortNumber value)
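A single audit of everything on the page that decides what a connecting client will see (session reuse, the always-prompt policy, NLA, service and listener state), as an added PowerShell example that is not code from the original page. It covers the fSingleSessionPerUser setting from the first part as well as the fPromptForPassword, fDenyTSConnections and UserAuthentication values from this part; the registry paths are the documented ones and the function names are my own.

```powershell
# Added example (not from the original page): audit the RDP host settings that decide
# whether a connection re-attaches to an existing session, whether the Windows logon
# screen is shown, and whether NLA guards it; then set the always-prompt policy locally.
# Run from an elevated prompt on the host.

$TS  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RDP = "$TS\WinStations\RDP-Tcp"
$POL = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-RdpLogonConfig {
    $deny    = Get-RegValue $TS  'fDenyTSConnections'
    $single  = Get-RegValue $TS  'fSingleSessionPerUser'
    $nla     = Get-RegValue $RDP 'UserAuthentication'
    $promptP = Get-RegValue $POL 'fPromptForPassword'   # policy value (GPO-managed)
    $promptL = Get-RegValue $RDP 'fPromptForPassword'   # listener-local value
    $port    = Get-RegValue $RDP 'PortNumber'
    $svc     = Get-Service TermService -ErrorAction SilentlyContinue
    $listen  = if ($port) { Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue }

    [pscustomobject]@{
        RdpEnabled           = ($deny -eq 0)
        OneSessionPerUser    = ($single -ne 0)      # 1 or absent: reconnects to the user's existing session
        NlaRequired          = ($nla -eq 1)
        AlwaysPromptPolicy   = ($promptP -eq 1)     # the policy value wins over the listener value
        AlwaysPromptListener = ($promptL -eq 1)
        TermServiceStatus    = if ($svc) { $svc.Status } else { 'missing' }
        ListenerPort         = $port
        Listening            = [bool]$listen
    }
}

function Set-RdpAlwaysPrompt {
    param([bool]$Enabled = $true)
    # The Policies key normally does not exist until a policy has been applied, so create it.
    New-Item -Path $POL -Force | Out-Null
    Set-ItemProperty -Path $POL -Name fPromptForPassword -Value ([int]$Enabled) -Type DWord
    # A domain GPO that sets this policy overwrites the local value at the next refresh.
    Get-RdpLogonConfig
}

function Test-RdpLogonExpectation {
    # Describe what a connecting client will see under the current configuration.
    $c = Get-RdpLogonConfig
    if (-not $c.RdpEnabled -or -not $c.Listening) { return 'RDP is disabled or the listener is not up' }
    $prompt = $c.AlwaysPromptPolicy -or $c.AlwaysPromptListener
    if ($c.NlaRequired -and $prompt) { 'Client authenticates via CredSSP first, then the Windows logon screen asks for the password again' }
    elseif ($c.NlaRequired)          { 'Client authenticates via CredSSP; the session opens with no logon screen' }
    elseif ($prompt)                 { 'Logon screen is shown to unauthenticated clients (NLA off): pre-authentication attack surface' }
    else                             { 'NLA off and client credentials accepted: the logon screen appears only if the client sends none' }
}

# Usage:
Get-RdpLogonConfig
Test-RdpLogonExpectation
Set-RdpAlwaysPrompt            # then re-run Test-RdpLogonExpectation
```

The third outcome of Test-RdpLogonExpectation is the configuration the security note above warns about: if you see it on a host that is reachable from outside a management network, turn NLA back on (UserAuthentication = 1) before worrying about the prompt.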