How To - Use RDP To Connect To an Intune Enrolled Workstation
By default, a Windows 10 or 11 workstation enrolled in Intune does not accept RDP connections. The only way around this is to configure the workstation before it leaves the IT department.
- If the person who needs to use RDP to connect to an Intune workstation is a local administrator, they already have permission to do so. If they are not a local administrator, they need to be added to the existing local group "Remote Desktop Users" in Computer Management. Because the user is an Entra user, you need to add "\Everyone" as the pseudo local user in the Remote Desktop Users group, otherwise it won't work.

- NLA (Network Level Authentication) for RDP needs to be changed so that connections from the default RDP client are allowed. Open "sysdm.cpl" and make the change to match the screenshot below. With NLA off, the workstation sets up the RDP session before the user has authenticated, so only make this change on the workstations that need it.

- The next step is to create a saved RDP file that can be edited in Notepad.
- The saved RDP file must contain the IP address or the FQDN of the workstation so that when the user double-clicks the file it connects to the correct machine. When editing the file in Notepad, make sure it contains the line "full address:s:192.168.1.131:3389", substituting the correct IP address or hostname.
- The RDP file also needs the lines "enablecredsspsupport:i:0" and "authentication level:i:2".
- The RDP file also needs the username included, for example "username:s:AzureAD\person@horizondistributors.com".
- When actually logging in, you will still need to type "AzureAD\" manually before the person's email address, because the RDP client won't add it automatically.
- Once the saved RDP file works and you can connect and log in to the Intune enrolled workstation with the correct person's credentials, give the saved RDP file to the user so they can use it to connect easily. Below is an example of what the text of the RDP file should look like.
screen mode id:i:2
use multimon:i:0
desktopwidth:i:1920
desktopheight:i:1080
session bpp:i:32
winposstr:s:0,3,149,20,1013,748
compression:i:1
keyboardhook:i:2
audiocapturemode:i:0
videoplaybackmode:i:1
connection type:i:7
networkautodetect:i:1
bandwidthautodetect:i:1
displayconnectionbar:i:1
enableworkspacereconnect:i:0
disable wallpaper:i:0
allow font smoothing:i:0
allow desktop composition:i:0
disable full window drag:i:1
disable menu anims:i:1
disable themes:i:0
disable cursor setting:i:0
bitmapcachepersistenable:i:1
full address:s:192.168.1.131:3389
audiomode:i:0
redirectprinters:i:0
redirectcomports:i:0
redirectsmartcards:i:1
redirectclipboard:i:1
redirectposdevices:i:0
drivestoredirect:s:
autoreconnection enabled:i:1
authentication level:i:2
prompt for credentials:i:0
enablecredsspsupport:i:0
negotiate security layer:i:1
remoteapplicationmode:i:0
alternate shell:s:
shell working directory:s:
gatewayhostname:s:rds.horizondistributors.com
gatewayusagemethod:i:0
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:1
promptcredentialonce:i:1
gatewaybrokeringtype:i:0
use redirection server name:i:0
rdgiskdcproxy:i:0
kdcproxyname:s:
redirectwebauthn:i:1
enablerdsaadauth:i:0
username:s:AzureAD\tempmk@horizondistributors.com
domain:s:AzureAD
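As an added example that is not part of the original how-to, the following PowerShell script performs the workstation-side steps above (Remote Desktop Users membership, NLA setting) and writes the saved RDP file; the user principal name, workstation address and output path are placeholders passed in as parameters.

```powershell
# Added example, not part of the original how-to: prepares an Entra-joined workstation
# as described above and writes the saved .rdp file. Run in an elevated PowerShell on
# the workstation. The UPN, address and output path are placeholders supplied by the caller.
param(
    [Parameter(Mandatory)] [string]$UserUpn,   # e.g. person@example.com (placeholder)
    [Parameter(Mandatory)] [string]$Address,   # IP address or FQDN of this workstation
    [string]$OutFile = "$env:USERPROFILE\Desktop\workstation.rdp"
)
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

# 1. Make sure Remote Desktop is enabled and allowed through the host firewall.
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0 -Type DWord
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 2. Add "\Everyone" (well-known SID S-1-1-0) to Remote Desktop Users, as the how-to
#    requires for Entra accounts. A valid logon is still needed, but the grant is broad,
#    so apply it only on workstations that actually need RDP.
$everyone = 'S-1-1-0'
try { Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $everyone -ErrorAction Stop }
catch { if ($_.Exception.Message -notmatch 'already a member') { throw } }

# 3. Turn off Network Level Authentication (the sysdm.cpl checkbox). With
#    UserAuthentication=0 the host sets up the session before the user authenticates;
#    that is the trade-off made here so the standard mstsc client can use an Entra account.
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 0 -Type DWord

# 4. Write the saved RDP file with the lines the how-to requires. 'authentication
#    level:i:2' connects without warning even when the host certificate cannot be verified.
$rdp = @"
full address:s:${Address}:3389
enablecredsspsupport:i:0
authentication level:i:2
username:s:AzureAD\$UserUpn
domain:s:AzureAD
prompt for credentials:i:0
"@
Set-Content -Path $OutFile -Value $rdp -Encoding ASCII

# 5. Report the resulting state so the prep can be verified before the device ships.
[pscustomobject]@{
    RdpEnabled  = (Get-ItemPropertyValue -Path $tsKey  -Name fDenyTSConnections) -eq 0
    NlaRequired = (Get-ItemPropertyValue -Path $rdpTcp -Name UserAuthentication) -eq 1
    RdpFile     = $OutFile
}
```

The generated file contains only the lines the procedure depends on; mstsc fills in display and redirection defaults when the file is opened, and the user still types "AzureAD\" before their email address at the logon prompt.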