RDP and WinRM down recovery - Windows Server remote access decision tree for port 3389, WinRM listener, and firewall troubleshooting

RDP and WinRM Down: How to Recover Remote Access to Windows Server

by
11 min read

Remote Desktop stops responding. PowerShell Remoting fails with “WinRM cannot complete the operation.” The server still replies to ping, but you cannot get a shell or a desktop session.

That is a different failure mode from most Windows Server problems. When a service fails, you restart it. When a disk fills, you clear space. When RDP and WinRM are both down, the tool you normally use to fix the server is gone.

This guide walks through RDP and WinRM down recovery as a decision tree: confirm the server is alive, check the ports, repair the listener, verify firewall rules, handle TrustedHosts and authentication problems, and decide what to do when there is no console access. Workgroup and standalone servers first – AD-joined environments add GPO complexity covered at the end of each section.

TL;DR
  • RDP failing? Start with qwinsta /server:<ip> from another machine – no output means the listener is down or blocked.
  • Port 3389 conflict can make the RDP listener unavailable. netstat -ano | findstr :3389 shows what holds the port.
  • fDenyTSConnections = 1 means RDP is disabled at the OS level. Set to 0 to re-enable – firewall, TermService state, and GPO still need to allow the connection.
  • WinRM error 0x80338012 = listener broken. Fix: winrm invoke Restore winrm/Config then winrm quickconfig.
  • WinRM “Access Denied” with correct credentials on a workgroup server = check TrustedHosts on the client, not the server.
  • If fixes revert after minutes, GPO is overwriting local changes. The fix is in Group Policy, not on the server.

Fast Recovery Order When RDP and WinRM Are Down

Before following the full decision trees, check where you stand:

  1. Confirm server is alive: ping <server-ip> and Test-NetConnection -ComputerName <server-ip> -Port 3389.
  2. Check RDP port 3389 from the client – open or closed.
  3. Check WinRM ports 5985 and 5986 from the client.
  4. If one path still works, use it to repair the other (see “If One Remote Path Still Works” below).
  5. If both RDP and WinRM are down, move to console, out-of-band management, WinPE, or PsExec over SMB.
  6. If local fixes revert, check GPO before making the same change again.

Recovery Rule: Do Not Remove the Last Working Access Path

If one remote access method still works, preserve it. Do not restart multiple services, reset firewall profiles, or change network settings in a batch. Make one change, test from the client, then continue.

If you are connected through a fragile RDP or WinRM session, open a second session before restarting services. Losing the only working session turns a remote repair into a console-only recovery.

If One Remote Path Still Works

If WinRM works but RDP is down: use PowerShell Remoting to repair RDP settings, the firewall rule, and TermService. All commands in the RDP section below can be run over a remote PowerShell session.

If RDP works but WinRM is down: sign in via Remote Desktop and run the WinRM repair commands locally – winrm quickconfig, listener checks, service state, and the firewall rule.

If both RDP and WinRM are down: skip to the no-console recovery section. At that point, you need another management path – hypervisor console, iDRAC/iLO/IPMI, WinPE boot media, cloud serial console, or SMB/PsExec if port 445 still works.

Before You Start: Confirm the Server Is Actually Up

RDP and WinRM down symptoms look identical whether the server is running or not. Confirm first:

ping <server-ip> Test-NetConnection -ComputerName <server-ip> -Port 3389 Test-NetConnection -ComputerName <server-ip> -Port 5985

Test-NetConnection returns TcpTestSucceeded : True if the port is open. If ping succeeds but port 3389 is closed, the server is up but RDP is blocked or not listening. If both ports are closed, either a firewall is blocking them or the services are not running.

PowerShell equivalents for service state checks once you have any access path:

Get-Service TermService Get-Service WinRM

If the server does not respond to ping, you have a network or power problem – not an RDP and WinRM down problem. Check the network path first.

RDP Failure: Decision Tree

Step 1 – Check the RDP listener

From any other Windows machine on the same network:

qwinsta /server:<server-ip>

Output present (shows “rdp-tcp” line): the listener is up. Your connection problem is authentication, firewall, or network – not the listener itself.

No output or connection error: the RDP listener is down, disabled, or blocked by firewall before reaching the service.

Step 2 – Confirm port 3389 is open

Test-NetConnection -ComputerName <server-ip> -Port 3389

TcpTestSucceeded: False: the port is closed. Windows Firewall is blocking it, the service is not listening, or an upstream firewall is in the path.

TcpTestSucceeded: True but connection still fails: the port is open. The problem is the RDP service, authentication, or certificate. Move to Step 4.

Step 3 – Check if RDP is enabled on the server

If you have any other access path, check the registry:

reg query "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

Value 0x1 = RDP disabled at the OS level. Fix:

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

No reboot is usually required for this registry change, but it only enables RDP at the OS setting level. The firewall rule, TermService state, listener health, and GPO still need to allow the connection.

Step 4 – Port 3389 conflict

A port 3389 conflict can cause RDP and WinRM down symptoms when another service binds to 3389 before TermService does.

netstat -ano | findstr :3389

The PID in the last column owns the port. Check what it is:

tasklist /fi "PID eq <PID>"

If it is not svchost.exe hosting TermService, something else is bound to 3389. Change the conflicting application’s port or stop it, then restart TermService:

net stop "TermService" && net start "TermService"

Step 5 – Windows Firewall blocking RDP

Even with RDP enabled and the service running, Windows Firewall can keep RDP and WinRM down by blocking incoming connections. Check the network profile the server is using – if it classified the network as Public, RDP rules may not apply:

Get-NetConnectionProfile

If the server is on the Public profile when it should be on Domain or Private, fix the network profile assignment before enabling individual rules. Then check the RDP firewall rule and which profiles it applies to:

Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Select-Object DisplayName, Enabled, Profile

Enable the rule if disabled:

Enable-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)"

Step 6 – TermService itself

sc queryex TermService

If stopped:

net start "TermService"

If TermService fails to start, check its service and driver dependencies with sc qc TermService and review Event ID 7000 and 7001 in the System log. Per Microsoft’s RDP general troubleshooting guide, if dependencies are intact, run sfc /scannow. For a full guide to service failure diagnosis, see the Windows Server Service Failures guide.

Step 7 – GPO override (domain-joined servers only)

If every local fix reverts after minutes, Group Policy is overwriting your changes. GPO wins over local settings and is a common cause of persistent RDP and WinRM down issues on domain-joined servers.

gpresult /r

Look for policies under “Computer Configuration” related to Remote Desktop Services. If the setting “Allow users to connect remotely” is set to Disabled by GPO, local registry changes are overwritten at the next refresh. The fix is in the GPO, not on the server.

Failure scenario

After enabling RDP via fDenyTSConnections, the registry value reverts to 1 within 90 minutes and RDP and WinRM down symptoms return. A GPO is applying the setting in Replace mode. Running gpresult /h C:\gpreport.html and reviewing the HTML report shows which GPO is responsible and which OU it is linked to. Local changes on a domain-joined server are always temporary if a conflicting GPO exists.

WinRM Failure: Decision Tree

Step 1 – Confirm WinRM is listening

Test-NetConnection -ComputerName <server-ip> -Port 5985 Test-NetConnection -ComputerName <server-ip> -Port 5986

Port 5985 = HTTP. Port 5986 = HTTPS. If the port is closed, the WinRM service is not listening or the firewall is blocking it. Check the listener configuration directly:

Get-Item WSMan:\localhost\Listener\*

Step 2 – WinRM service state

sc queryex WinRM

If stopped:

net start WinRM

If WinRM fails to start, check Event ID 7000 in the System log. For the full event ID reference and filtering commands, see the Windows Server Event Log Troubleshooting guide.

Step 3 – Listener configuration broken (Error 0x80338012)

Error -2144108526 (0x80338012) is one of the most common causes of WinRM down when the service itself is running. Per Microsoft’s WinRM troubleshooting documentation, this error “may occur if the Windows Remote Management service and its listener functionality are broken.”

Fix: WinRM Listener Broken (0x80338012)
  1. Restore the default listener configuration: winrm invoke Restore winrm/Config
  2. Reconfigure: winrm quickconfig – starts the service, sets auto-start, creates HTTP listener on port 5985, adds firewall exception.
  3. Verify the listener exists: winrm enumerate winrm/config/listener – output should show Transport = HTTP with Enabled = true.
  4. Test from the client: Test-NetConnection -ComputerName <server-ip> -Port 5985

For production environments, HTTPS is usually preferred over HTTP, but it requires a valid server certificate and a correctly configured HTTPS listener – it is not just a flag. HTTP is acceptable for emergency recovery on a trusted internal management network when RDP and WinRM are both down and you need any working path. After access is restored, restrict the firewall rule scope or move back to HTTPS.

Step 4 – TrustedHosts (workgroup connections)

If you are connecting from a workgroup machine, or from a machine in a different domain, WinRM requires TrustedHosts configuration on the client machine – not the server. This is one of the most common misconfigurations when troubleshooting RDP and WinRM down scenarios.

# Check current TrustedHosts on the client winrm get winrm/config/client # Add a specific server without replacing existing entries $current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value Set-Item WSMan:\localhost\Client\TrustedHosts -Value "$current,<server-ip>" -Force
Failure scenario

Avoid setting TrustedHosts to * unless this is a temporary lab or emergency recovery step. A wildcard TrustedHosts means the client trusts any host for NTLM authentication, which removes protection against connecting to a rogue server. Prefer a specific IP address or hostname, and revert after recovery. Operators who copy wildcard TrustedHosts examples from forums often forget to clean up afterward.

Step 5 – Authentication failures

“Access Denied” with correct credentials on a workgroup server is a common WinRM down symptom that looks like a credential problem but usually isn’t.

Credential format: use .\Administrator or <computername>\<username> – not just Administrator. NTLM authentication requires the explicit computer name or dot prefix to signal a local account.

Enter-PSSession -ComputerName <ip> -Credential (Get-Credential ".\Administrator")

UAC remote restriction (workgroup only): non-built-in admin accounts are filtered by UAC on workgroup servers. Registry fix on the server:

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

CredSSP not configured: required for double-hop scenarios. Enable on both sides:

# On server: Enable-WSManCredSSP -Role Server # On client: Enable-WSManCredSSP -Role Client -DelegateComputer "<server-name>"

Step 6 – WinRM HTTPS certificate expired or removed

If WinRM is configured for HTTPS only and the certificate expired or was removed from the local machine store, the HTTPS listener breaks – another cause of WinRM down when the service itself is running. Per Microsoft’s WinRM configuration documentation, the listener requires a valid certificate thumbprint in the store.

winrm enumerate winrm/config/listener

If the HTTPS listener shows a CertificateThumbprint pointing to a certificate no longer in the store, re-enable HTTP temporarily:

winrm create winrm/config/listener?Address=*+Transport=HTTP winrm quickconfig

Use this as a temporary recovery path only on a trusted management network. After access is restored, fix the certificate and re-enable HTTPS, then remove the HTTP listener if it is not needed.

When RDP and WinRM Are Both Down: No Console Access

Both RDP and WinRM are down. No hypervisor console, no iDRAC or iLO. Options in order of preference:

Option 1 – Physical console. If the server is local, use a monitor and keyboard directly.

Option 2 – Out-of-band management. iDRAC, iLO, IPMI, BMC – these give console access regardless of OS state. This is why out-of-band management matters for production servers.

Option 3 – PsExec over SMB. If file sharing still works (port 445), PsExec can reach the server even when RDP and WinRM are both down:

psexec \\<server-ip> -u Administrator cmd.exe

This uses MSRPC over port 445, not 3389 or 5985. Works when the Server service and file sharing are still running.

Option 4 – Boot to WinPE and fix the registry offline. If you can control the boot sequence remotely, boot to WinPE and fix the offline registry:

# Mount the offline OS hive reg load HKLM\OfflineSystem D:\Windows\System32\config\SYSTEM # Enable RDP reg add "HKLM\OfflineSystem\ControlSet001\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f # Set WinRM to autostart reg add "HKLM\OfflineSystem\ControlSet001\Services\WinRM" /v Start /t REG_DWORD /d 2 /f # Unload hive reg unload HKLM\OfflineSystem

Boot back to the OS – both services should start. Verify with Test-NetConnection from the client before assuming the fix worked.

Note for cloud VMs: if the server is a hosted VM or cloud instance, also check the provider-side controls – security groups, NSGs, firewall rules, or access control lists. Windows Firewall can be correctly configured while the cloud network still blocks port 3389 or 5985 at the infrastructure layer.

Key Event IDs for RDP and WinRM Down Scenarios

Event ID Log Meaning
4625 Security Logon failure – check Sub Status for reason code
131 TerminalServices-RemoteConnectionManager/Operational RDP listener started
261 TerminalServices-RemoteConnectionManager/Operational Listener received connection attempt
1149 TerminalServices-RemoteConnectionManager/Operational User authenticated for RDP
6 Microsoft-Windows-WinRM/Operational WSMan listener created
8 Microsoft-Windows-WinRM/Operational WSMan listener deleted
7000 System WinRM or TermService failed to start
7001 System Service start failed due to dependency failure

RDP operational logs are not visible in the default System log view. Query them directly:

Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" -MaxEvents 20 | Select-Object TimeCreated, Id, Message | Format-List

Common Mistakes When RDP and WinRM Are Down

Changing fDenyTSConnections but not the firewall. Enabling RDP via the registry opens the service at the OS level but does not touch Windows Firewall. If the firewall rule is disabled or scoped to the wrong network profile, RDP and WinRM down symptoms continue. Fix both.

Configuring TrustedHosts on the server instead of the client. TrustedHosts controls what the local machine trusts as a remote WinRM endpoint. It is always a client-side setting for outgoing connections. Changing it on the server does nothing for incoming authentication.

Running winrm quickconfig and assuming HTTPS. By default, winrm quickconfig creates an HTTP listener. HTTPS requires a valid certificate and a separate listener configuration.

Assuming GPO changes take effect immediately. After modifying a GPO that controls RDP or WinRM settings, run gpupdate /force on the server. Without it, the change applies at the next background refresh, which is 90-120 minutes by default.

Wildcard TrustedHosts left in place after recovery. Setting TrustedHosts to * for emergency access and forgetting to revert is common. After restoring access when RDP and WinRM are down, set TrustedHosts back to a specific IP or hostname list.

Missing the network profile issue. A server that classifies its network connection as Public will not apply Domain or Private firewall rules. RDP and WinRM firewall rules are typically scoped to Domain and Private profiles. If Get-NetConnectionProfile shows Public on an internal server, the firewall profile assignment is the problem, not the rules themselves.

Frequently Asked Questions

Can I recover RDP access through WinRM when RDP and WinRM down occurs on one side?

Yes. If WinRM still works, use PowerShell Remoting to enable RDP, start TermService, and enable the Windows Firewall rule for Remote Desktop – all without console access. This is often the fastest recovery path when RDP is down but WinRM is intact.

Invoke-Command -ComputerName <server-ip> -ScriptBlock { Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name fDenyTSConnections -Value 0 Start-Service TermService Enable-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)" }

Can I recover WinRM through RDP?

Yes. If RDP still works when WinRM is down, sign in and repair WinRM locally. Run winrm quickconfig, check the listener with winrm enumerate winrm/config/listener, verify the service is running, and confirm the firewall rule for port 5985 is enabled.

What if ping works but both port 3389 and port 5985 are closed?

The server is alive but the RDP and WinRM down condition is caused by something blocking both ports: Windows Firewall blocking both, both services stopped, broken listeners, network profile showing Public instead of Domain/Private, cloud or upstream firewall rules, or a security hardening script that disabled both services. Use console access or another management path – PsExec over port 445 if SMB still works, otherwise out-of-band management or WinPE.

RDP connects but immediately disconnects. What is happening?

Immediate disconnect after the login screen usually means the session is terminated by the server, not refused. Check for: a Group Policy setting limiting RDP sessions or session time, the user account hitting logon restrictions, or a broken user profile. Event ID 4625 in the Security log shows the logon result. The TerminalServices-RemoteConnectionManager operational log shows the session lifecycle.

Can I use WinRM over HTTPS with a self-signed certificate?

Yes, with the -SkipCACheck and -SkipCNCheck flags in New-PSSessionOption. Acceptable for lab and internal management-only scenarios when recovering from an RDP and WinRM down situation.

$opts = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName <server> -Port 5986 -UseSSL -SessionOption $opts -Credential (Get-Credential)

Why does winrm quickconfig say “WinRM is already set up” but connections still fail?

winrm quickconfig only checks if the service is running and a listener exists. It does not validate whether the listener is correctly configured or whether the firewall rule is passing traffic. Run winrm enumerate winrm/config/listener to check listener details, and Test-NetConnection -Port 5985 from the client to confirm the port is reachable. Also run Get-NetConnectionProfile on the server – if the network profile is Public, the firewall rule added by quickconfig may not be active.

RDP works from one machine but not another on the same network. Why?

The most likely differences: network path differences (VLAN, firewall rule scoped to specific subnets), NLA or authentication differences between clients, or the connecting user not being in the Remote Desktop Users group. Check Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Select-Object DisplayName, Enabled, Profile to confirm the rule profile scope is not the issue.

How do I check RDP session limits and disconnect idle sessions?

Default Windows Server allows two concurrent RDP sessions for administration. If both are occupied, new connections are refused even when RDP itself is working. Check active sessions:

# List sessions qwinsta /server:<server-ip> # Disconnect an idle session rwinsta <session-id> /server:<server-ip>

Windows Server Operations Series

8 articles — Event Logs · Performance · Services · Remote Access · Network · Storage · Backup · Boot Recovery

Operations & Troubleshooting
Event Log Troubleshooting: Event IDs, Timelines, and Operator Commands Performance Troubleshooting: CPU, Memory, Disk, and Poolmon Triage Service Failures & Recovery: Dependency Chains and Auto-Restart RDP and WinRM Down: How to Recover Remote Access Network Troubleshooting: Client-Side Connectivity Triage Storage Troubleshooting: Disk Errors, CHKDSK, and Knowing When a Drive Is Dying Backup and Bare Metal Recovery: wbadmin, WSB, and Restore Verification Boot Failure Recovery: WinRE, bootrec, BCDEdit, and 0xc000000e

View all Windows Server Operations guides →