If creating a policy package for SCCM: Compile to EXE, add the EXE you just created to SCCM as a package: Create Package > Environment > Program can run: Only when user is logged on > Run with administrator rights.
Registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
type: dword
value: fDenyTSConnections
data: 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
type: dword
value: TSUserEnabled
data: 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
type: string
value: WinStationsDisabled
data: 0
* along with adding users to the Remote Desktop Users group