Problem
So, I was having an issue where I was unable to connect with Remote Desktop to a group of domain computers even though it was enabled. Troubleshooting the issue pointed to a group policy Block rule in the Windows firewall, but there was no such GPO rule.
When you would go to Windows Defender Firewall and look at the rules you would see a DENY rule for Remote Desktop and if I tried to delete the DENY rule, I would get the message “This rule has been applied by the system administrator and cannot be modified”:
I did have a setting in place in a group policy that I was using to restrict access to a subnet of computers under Computer Configuration/Administrative Templates/Network/Network Connections/Windows Defender Firewall/Domain Profile/Windows Firewall: Allow inbound Remote Desktop exceptions.
The group policy results tool showed no block rules for Remote Desktop and only the Allow inbound Remote Desktop exceptions shown above. Disabling this setting in Group Policy would remove the DENY rule I was seeing in the firewall.
Solution
It turned out that I had an extra period after one of the IP addresses in the above GPO setting. After some testing, I determined that you can’t have any extra characters in those fields or it would create an automatic DENY rule. This includes spaces like you would use to format the line so it would look better. So, make sure you have no extra spaces or typos in GPO boxes, or they may cause unexpected issues.
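One way to catch this before the policy is applied is to lint the address list you are about to paste into the setting. This is an added example, not part of the original post; the function name `Test-FirewallScopeList`, the sample value, and the accepted grammar (comma-separated `*`, `localsubnet`, IPv4 address, or IPv4/prefix) are assumptions.

```powershell
# Added example (not from the original post). Assumed grammar for the field:
# comma-separated entries, each "*", "localsubnet", an IPv4 address, or IPv4/prefix.
function Test-FirewallScopeList {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string]$ScopeList
    )

    $position = 0
    foreach ($entry in $ScopeList.Split(',')) {
        $position++
        $problems = @()

        # The failure modes described in the post: padding spaces and stray characters.
        if ($entry -eq '')              { $problems += 'empty entry (stray comma)' }
        if ($entry -match '\s')         { $problems += 'contains whitespace' }
        if ($entry.Trim() -match '\.$') { $problems += 'trailing period' }

        # Strict syntax check on the entry exactly as typed (no trimming).
        $addr, $prefix = $entry -split '/', 2
        $ip = $null
        $isIPv4 = ($addr -match '^\d{1,3}(\.\d{1,3}){3}$') -and
                  [System.Net.IPAddress]::TryParse($addr, [ref]$ip)
        $prefixOk = ($null -eq $prefix) -or
                    (($prefix -match '^\d{1,2}$') -and ([int]$prefix -le 32))
        $isKeyword = $entry -in '*', 'localsubnet'

        # Catch-all for anything else that is not a recognised entry.
        if ((-not $isKeyword) -and (-not ($isIPv4 -and $prefixOk)) -and ($problems.Count -eq 0)) {
            $problems += 'not an IPv4 address, subnet, "*" or "localsubnet"'
        }

        [pscustomobject]@{
            Position = $position
            Entry    = "[$entry]"      # brackets make leading/trailing spaces visible
            Valid    = ($problems.Count -eq 0)
            Problems = $problems -join '; '
        }
    }
}

# Constructed sample value: a space after the first comma and a period after the second address.
$sample = '192.168.10.0/24, 192.168.20.15.,10.0.0.5,localsubnet'
Test-FirewallScopeList -ScopeList $sample | Format-Table -AutoSize
```

With the sample value, only the second entry is reported as invalid, for both the padding space and the trailing period.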

