Use RDP with the JumpCloud Agent

Remote Desktop is available in non-Domain environments. By default, it allows for access from any local user account that’s part of the Remote Desktop Users or Administrators local groups in Windows. The JumpCloud Agent adds all users into Users and Remote Desktop Users and all Administrators in the respective Administrators local group by default.


  • Remote Desktop connections require a VPN solution or a method for routing the network traffic securely.

Enabling RDP Access to a Windows Endpoint

The following Microsoft documentation details the process of enabling RDP: 

An alternative to these methods is to use the JumpCloud Remote Management policy for Windows to enable the specific remote capabilities you want the system to have. See Configure Settings for Windows Policies.

Installing the JumpCloud Agent

JumpCloud provides multiple ways to install the Agent on your local system. See Install the Agent for more information. 

If you currently use configuration management software like SCCM or JAMF, you can use them to deploy and install the Agent to your environment. You can also automate the installation process. See Install the Agent from Command Line

Provisioning Local User Accounts

In order to grant access to this system for our test user, you need to bind the user to the system resource. If you're unfamiliar with binding users to resources, refer to Connect New Users to Resources.

Accessing a System via Remote Desktop

On a Windows system, accessing a remote computer requires you to click the start button, then type “windows remote desktop” to launch the client.

For Remote Desktop connections from Mac systems, you need to download a client from Microsoft or a third party. See Microsoft's Get started with the macOS client for step-by-step instructions.

Enable MFA for RDP

As of June 2022, as long as you have MFA enabled on your org, it will automatically be required for any user using RDP to access a device. This is true even when a user locks the device and unlocks it using RDP.

For example, if a local user logs into a device, uses MFA as part of the login process, then locks the device, when they unlock the device, they will not be required to use MFA. This is because they have already done so on the initial log in.

However, if the device has an RDP session open, even if the user isn’t actively using it, the user will be prompted for MFA every time they log into the device. This is expected behavior to ensure the security of the device. 

See the following chart:

Type of UserMFA required at login?MFA required at unlock?

Removing Users from the Remote Desktop User Group


When you remove JumpCloud-managed user accounts from a  Remote Desktop Users group, it doesn’t affect JumpCloud’s ability to manage the users through the JumpCloud Agent. 

If you want to remove users from the Remote Desktop Users Users Group in Windows, you can run the following PowerShell command from Commands in the Admin Portal to your targeted Windows Devices to remove their membership. To learn more about Commands, see Get Started: Commands

Get-LocalGroupMember "Remote Desktop Users" | ForEach-Object {Remove-LocalGroupMember "Remote Desktop Users" $_ -Confirm:$false}

Back to Top

List IconIn this Article

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case