James O'Neill's blog

Windows Platform, Virtualization and PowerShell with a little Photography for good measure.

Checking and enabling Remote Desktop with PowerShell


A couple of posts back I mentioned that I was working on a configuration library for Server 2008 R2 Core and Hyper-V Server R2 and this includes checking and setting the configuration for remote desktop.

It turns out that this is controlled from just two registry values, which is how the SCRegEdit script does it. One is fDenyTSConnections under 'HKLM:\System\CurrentControlSet\Control\Terminal Server' (1 denies Remote Desktop connections, 0 allows them) and the other is UserAuthentication under 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' (1 requires Network Level Authentication before a session is set up, 0 lets any client that can reach the listener get as far as the logon screen). If the values exist they appear as item properties in PowerShell and can be set; otherwise they have to be created. I've found the safest way is to try to set the value, trap the error which occurs if it doesn't exist, and then create it, specifying that it is a DWORD. So my function enables Remote Desktop UNLESS -Disable is specified, and -LowSecurity is a switch which tells it not to demand the stronger user authentication. Note that these two values only control the listener: the firewall rule for Remote Desktop is a separate step (covered in the next part), and -LowSecurity should only be used where a client genuinely cannot do NLA, because it removes the check that keeps unauthenticated clients off the logon screen.

 

Function Set-RemoteDesktopConfig {
    Param ([switch]$LowSecurity, [switch]$Disable)

    $tsPath  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $rdpPath = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # Try to set the value; if it does not exist yet Set-ItemProperty fails and
    # $? is false, so create it as a DWORD instead.
    Function SetOrCreateDword ($Path, $Name, $Value) {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -ErrorAction SilentlyContinue
        if (-not $?) {
            New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord | Out-Null
        }
    }

    if ($Disable) {
        # fDenyTSConnections = 1 blocks all Remote Desktop connections,
        # and UserAuthentication is put back to 1 (NLA required) at the same time.
        SetOrCreateDword $tsPath  'fDenyTSConnections' 1
        SetOrCreateDword $rdpPath 'UserAuthentication'  1
    }
    else {
        # fDenyTSConnections = 0 allows connections.
        SetOrCreateDword $tsPath 'fDenyTSConnections' 0
        if ($LowSecurity) {
            # UserAuthentication = 0 drops the NLA requirement (less secure).
            SetOrCreateDword $rdpPath 'UserAuthentication' 0
        }
    }
}

Finding out what the settings are is even easier.

Function Get-RemoteDesktopConfig {
    $tsPath  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $rdpPath = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # A missing value reads as $null, which is not 1, so it falls through to the next test.
    if ((Get-ItemProperty -Path $tsPath).fDenyTSConnections -eq 1) {
        "Connections not allowed"
    }
    elseif ((Get-ItemProperty -Path $rdpPath).UserAuthentication -eq 1) {
        "Only Secure Connections allowed"
    }
    else {
        "All Connections allowed"
    }
}

The next part of the configurator to share will be for checking and setting firewall rules.

Comments
  • Instead of changing the registry I suggest using the documented and supported interface that Microsoft has provided :)  It's WMI class "Win32_TerminalServiceSetting".  Also, changes made via WMI take effect without requiring a reboot.

    http://www.google.com/search?q=Win32_TerminalServiceSetting

  • Hi Marty. Actually I stole these from ScRegedit on server core, they take immediate effect (no reboot) and win32_terminalServiceSetting is only for machines running full terminal services (not remote desktop) - it's not present otherwise.

  • Win32_TerminalServiceSetting is not just for terminal server, it's also present for remote desktop, both servers and workstations.  Maybe you missed it because the WMI namespace is different depending on OS version:

    Windows Vista and Windows Server 2008

    \root\CIMV2\TerminalServices

    Windows XP and Windows Server 2003

    \root\CIMV2

  • Thanks , I'll go and have another look at it.

  • OK, so you can test the state

    (Get-WmiObject -Class "Win32_TerminalServiceSetting" -Namespace root\cimv2\terminalservices).AllowTsConnections

    and set it

    (Get-WmiObject -Class "Win32_TerminalServiceSetting" -Namespace root\cimv2\terminalservices).SetAllowTsConnections(1)

    For authentication

    (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").UserAuthenticationRequired

    and

    (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(1)

    0 or 1 in the Set turns it on and off.
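As an added example (not code from the original post, from ScRegEdit, or from the commenters), here is a function that reports the Remote Desktop state through both routes discussed on this page: the two registry values used in the post and the Win32_TerminalServiceSetting / Win32_TSGeneralSetting WMI classes suggested in the comments. It follows the namespace fallback described in the comments (root\cimv2\TerminalServices on Vista/2008 and later, root\cimv2 on XP/2003), and flags the case an auditor cares about most, Remote Desktop enabled without Network Level Authentication. The function name Get-RemoteDesktopState, the SourcesAgree check and the Finding text are my own choices, not anything from the post.

```powershell
# Added example, not part of the original post: read the Remote Desktop
# configuration from the registry and from WMI and report whether they agree.
Function Get-RemoteDesktopState {
    $tsPath  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $rdpPath = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # Registry view. A missing value reads as $null, which is reported as-is
    # rather than being silently treated as 0, so the caller can tell them apart.
    $denyReg = (Get-ItemProperty -Path $tsPath  -ErrorAction SilentlyContinue).fDenyTSConnections
    $nlaReg  = (Get-ItemProperty -Path $rdpPath -ErrorAction SilentlyContinue).UserAuthentication

    # WMI view. The namespace differs by OS version (see the comments above), so
    # try the newer namespace first and fall back to root\cimv2.
    $wmiNamespace = $null; $wmiAllow = $null; $wmiNla = $null
    foreach ($ns in 'root\cimv2\TerminalServices', 'root\cimv2') {
        $ts = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace $ns -ErrorAction SilentlyContinue
        if ($ts) {
            $wmiNamespace = $ns
            $wmiAllow     = [int]$ts.AllowTSConnections
            $gen = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace $ns `
                       -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
            # UserAuthenticationRequired is only present on Vista/2008 and later.
            if ($gen -and $null -ne $gen.UserAuthenticationRequired) {
                $wmiNla = [int]$gen.UserAuthenticationRequired
            }
            break
        }
    }

    $enabledReg = ($denyReg -eq 0)
    $nlaReq     = ($nlaReg  -eq 1)

    # The two sources describe the same setting: fDenyTSConnections=0 should
    # match AllowTSConnections=1, and UserAuthentication=1 should match
    # UserAuthenticationRequired=1. Any mismatch is worth a closer look.
    $agree = $true
    if ($null -ne $wmiAllow -and (($wmiAllow -eq 1) -ne $enabledReg)) { $agree = $false }
    if ($null -ne $wmiNla   -and (($wmiNla   -eq 1) -ne $nlaReq))     { $agree = $false }

    # RDP reachable without NLA exposes the logon screen to anything that can
    # reach the listener, so report that combination as a finding.
    $finding = $null
    if ($enabledReg -and -not $nlaReq) { $finding = 'Remote Desktop enabled without Network Level Authentication' }

    New-Object PSObject -Property @{
        Computer              = $env:COMPUTERNAME
        fDenyTSConnections    = $denyReg
        UserAuthentication    = $nlaReg
        RemoteDesktopEnabled  = $enabledReg
        NLARequired           = $nlaReq
        WmiNamespace          = $wmiNamespace
        WmiAllowTSConnections = $wmiAllow
        WmiUserAuthRequired   = $wmiNla
        SourcesAgree          = $agree
        Finding               = $finding
    } | Select-Object Computer, RemoteDesktopEnabled, NLARequired, SourcesAgree, Finding,
                      fDenyTSConnections, UserAuthentication, WmiNamespace,
                      WmiAllowTSConnections, WmiUserAuthRequired
}

# Run it on the local machine; pipe to Format-List for a one-machine report.
Get-RemoteDesktopState | Format-List
```

Run it as an administrator so the HKLM values and the WMI classes are readable. The registry read never fails, so on a box where the WMI class is absent the Wmi* fields come back empty and SourcesAgree stays true; where both are present and disagree, the registry values are the ones ScRegEdit and the post's Set-RemoteDesktopConfig write, and the WMI values are what the service is currently reporting.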
