Connect to Windows VMs using RDP

Windows

This document describes how to connect to Windows virtual machine (VM) instances using RDP. For other ways to connect to Windows VMs, see Connect to Windows VMs using PowerShell and Connect to Windows VMs using SSH.

Before you begin

If you want to use the command-line examples in this guide, do the following:
1. Install or update to the latest version of the Google Cloud CLI.
2. Set a default region and zone.
Be sure the VM allows access through Remote Desktop Protocol (RDP). By default, Compute Engine creates firewall rules that allow RDP access on TCP port 3389. Verify that these firewall rules exist by visiting the firewall rules page in the Google Cloud console and looking for firewall rules that allow tcp:3389 connections.

Connect to Windows VMs by using RDP

Compute Engine supports multiple ways to connect to your Windows instances.

Connecting to Windows instances.

The best way to connect to the remote desktop of a Windows instance depends on multiple factors:

If you are connecting from anywhere over the public internet (Connecting from > Anywhere in the previous illustration), it's best to enable Identity-Aware Proxy TCP forwarding for your project. Then use IAP Desktop (on Windows) or the Google Cloud CLI in combination with an RDP client. For more information, see Microsoft Remote Desktop clients to connect to the Windows instance. If you cannot use Identity-Aware Proxy TCP forwarding, use Chrome Remote Desktop.
If the VM instance has a public IP address and firewall rules permit RDP access, use an RDP client. For more information, see Microsoft Remote Desktop clients to connect to the Windows instance.
If the VM instance does not have a public IP and you are connecting by using Cloud VPN or Cloud Interconnect, you can connect to the VM's private IP address by using an RDP client For more information, see Microsoft Remote Desktop clients.

If you have difficulty connecting using RDP, see Troubleshooting RDP. If you can't connect to a Windows instance by using Remote Desktop, see Connecting to the Windows SAC, in this document.

To connect to the remote desktop of a Windows instance, use one of the following procedures.

IAP Desktop

IAP Desktop is a Windows application that lets you manage multiple Remote Desktop connections to Windows VM instances. IAP Desktop connects to VM instances by using Identity-Aware Proxy TCP forwarding and does not require VM instances to have a public IP address.

Before you connect by using IAP Desktop, make sure that the following prerequisites are met:

You've configured your VPC to allow IAP traffic to your VM instance.
You've downloaded and installed IAP Desktop on your local computer.

To connect to a VM instance by using IAP Desktop, do the following:

In IAP Desktop, select File > Add Google Cloud project.
Enter the ID or name of your project, and click OK.
In the Project Explorer window, right-click the VM instance you want to connect to and select Connect.

For more information about IAP Desktop, see the GitHub project page.

Remote Desktop Connection app

You can use the Microsoft Remote Desktop Connection app that is part of Windows to connect to Windows instances.

Before you connect using the Microsoft Remote Desktop Connection app, make sure that one of the following prerequisites is met:

Your VM instance has a public IP address and your firewall rules allow TCP ingress traffic from your client's public IP address to the instance by using port 3389.
Your local network is connected to your VPC by using Cloud VPN or Cloud Interconnect and your firewall rules allow TCP ingress traffic from your client's private IP address to the instance by using port 3389.

To connect with Microsoft Windows Remote Desktop, do the following:

Create a Windows account and password if you do not have one yet.
To connect over the internet, use the external IP address. To connect by using Cloud VPN or Cloud Interconnect, use the internal IP address.

Identify the external and internal IP addresses of your Windows instance by completing one of the following steps:
- In the Google Cloud console, go to the VM instances page.
  
  Go to the VM instances page
- By using the gcloud CLI, run gcloud compute instances list:
```
gcloud compute instances list
```
Open Microsoft Windows Remote Desktop Connection on your Windows machine. You can find the executable at %systemroot%\system32\mstsc.exe
In the Computer box, enter the IP address.

If you've configured your instance to use a different port number for RDP, add it after the IP address, for example: 1.2.3.4:3389.
Click Connect.
Enter your username and password, and click OK.

If you have forgotten your password, you can reset it.

Chrome Remote Desktop

Chrome Remote Desktop is a service that lets you remotely access another computer by using a web browser. Chrome Remote Desktop works on Windows, macOS, and Linux and does not require the VM instance to have a public IP address.

Before you connect by using Chrome Remote Desktop, make sure that the following prerequisites are met:

You've created a Windows account and password on the VM instance.
You've installed the Chrome Remote Desktop service on the VM instance.

To connect to a VM instance by using Chrome Remote Desktop, do the following:

On your local computer, go to the Chrome Remote Desktop website.
If you're not already signed in to Google, sign in with the same Google Account that you used to set up the Chrome Remote Desktop service.
Select the instance that you want to connect to.
When you're prompted, enter the PIN that you created when installing the Chrome Remote Desktop service, and click the arrow button to connect.

Other

You can connect to your Windows VM instances by using other RDP clients, such as clients developed for Android, iOS, Mac, and others. For a list of officially supported clients, see Microsoft Remote Desktop clients.

Before you connect, make sure that one of the following prerequisites is met:

Your VM instance has a public IP address and your firewall rules allow TCP ingress traffic from your client's public IP address to the instance by using port 3389.
Your local network is connected to your VPC by using VPN or Cloud Interconnect and your firewall rules allow TCP ingress traffic from your client's private IP address to the instance by using port 3389.

To connect using other RDP clients, do the following:

To connect over the internet, use the external IP address. To connect by using Cloud VPN or Cloud Interconnect, use the internal IP address.

Identify the external and internal IP addresses of your Windows instance by completing one of the following steps:
- In the Google Cloud console, go to the VM instances page.
  
  Go to the VM instances page
- By using the gcloud CLI, run gcloud compute instances list:
```
gcloud compute instances list
```
Install the supported client according to the client's installation instructions.
Connect using the IP address of your instance, and authenticate with your username and password for the instance.

If you have difficulty connecting using RDP, see the Troubleshooting RDP page. For information about RDP licensing, see the FAQ about Microsoft licenses.

Verify the RDP certificate

Verify the RDP certificate by viewing the serial port output from the initial boot of the VM or by using the appropriate PowerShell command from the SAC.

Serial port

Verify the RDP certificate by viewing the output from serial port 1 during the initial boot of the Windows VM.

Examine the output of serial port 1 during the initial boot of the Windows VM for the following:

Serial port 1 (console) output for rdp-test
...
...
2021/03/31 15:53:58 GCEInstanceSetup: RDP certificate details: Subject: CN=rdp-test, Thumbprint: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
...
...

PowerShell from the SAC

Connect to the Windows SAC.

Run the following PowerShell commands:

# WinRM Cert
Write-Host 'WinRM certificate details:'; Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object { $_.Subject -like "CN=$env:COMPUTERNAME*" -and $_.NotAfter -gt $(Get-Date) -and $_.HasPrivateKey} |  Select-Object Subject, Thumbprint | Format-List
# RDP Cert
Write-Host 'RDP certificate details:'; Get-ChildItem 'Cert:\LocalMachine\Remote Desktop\' | Where-Object { $_.Subject -like "CN=$env:COMPUTERNAME*" -and $_.NotAfter -gt $(Get-Date) -and $_.HasPrivateKey} |  Select-Object Subject, Thumbprint | Format-List

Connect to the Windows SAC

This section describes how to use the interactive serial console to connect to the Special Administrative Console (SAC) of your Windows instance. The SAC uses a serial port connection to the VM and doesn't rely on network connectivity.

Permissions required for this task

To perform this task, you must have the following permissions:

compute.instances.setMetadata on the VM if enabling interactive access on a specific VM
compute.projects.setCommonInstanceMetadata on the project, if enabling interactive access for all VMs in the project
iam.serviceAccountUser role on the instance's service account

Before you can connect to your VM using the interactive serial console, enable interactive access for your VM. For more information, see Enabling interactive access on the serial console.

To connect to your Windows instance using an interactive serial console, complete the steps in one of the following tabs.

Console

In the Google Cloud console, go to the VM instances page.

Go to VM instances
Click the name of the VM you want to connect to.
Click Connect to serial console to open the interactive console.

The interactive serial console opens. It is ready to use when you see the following output:

Computer is booting, SAC started and initialized.

Use the "ch -?" command for information about using channels.
Use the "?" command for general help.

SAC>

gcloud

Use the gcloud compute connect-to-serial-port command to connect to VM instances that have serial port access enabled:

gcloud compute connect-to-serial-port VM_NAME \
    --port=2 \
    --zone=ZONE \
    --project=PROJECT_ID

Replace the following:

PROJECT_ID: the ID of the project that contains the instance
ZONE: the name of the zone in which the instance is located
VM_NAME: the name of the instance

The interactive serial console opens. It is ready to use when you see the following output:

Computer is booting, SAC started and initialized.

Use the "ch -?" command for information about using channels.
Use the "?" command for general help.

SAC>

For information about using the interactive serial console, see the Microsoft SAC Commands documentation.

Open Command Prompt in Windows SAC

A common workflow is to open Command Prompt or Powershell to allow running of commands, to open a cmd channel, do the following:

Type cmd, then press Enter. You see the following output:

SAC>cmd
The Command Prompt session was successfully launched.
SAC>
EVENT:   A new channel has been created.  Use "ch -?" for channel help.
Channel: Cmd0001
SAC>

Use the ch -sn CHANNEL_NAME command, then press Enter. Replace CHANNEL_NAME with the name of the channel you created in the previous step.

SAC>ch -sn Cmd0001

Name:                  Cmd0001
Description:           Command
Type:                  VT-UTF8
Channel GUID:          28de7392-5413-11ea-bb03-c9656a2ed613
Application Type GUID: 63d02271-8aa4-11d5-bccf-00b0d014a2d0

Press <esc><tab> for next channel.
Press <esc><tab>0 to return to the SAC channel.
Use any other key to view this channel.

Press Space, then login with the local credentials registered on the system.

Please enter login credentials.
Username: USERNAME
Domain: DOMAIN (leave blank if no domain)
Password: PASSWORD

Once connected, you have access to a Command Prompt shell.

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Optional: To enter a Powershell prompt, type powershell.exe, then press Enter.

What's next

Learn how to Connect to Linux VMs using the Google Cloud console and the gcloud CLI.
Learn how to manage access to instances.
Learn how to transfer files to Windows VMs.