Checking and enabling Remote Desktop with PowerShell

A couple of posts back I mentioned that I was working on a configuration library for Server 2008 R2 Core and Hyper-V Server R2 and this includes checking and setting the configuration for remote desktop.

It turns out that this is controlled from just 2 registry entries – hence it is controlled by the SCRegEdit script. One turns is fDenyTSConnections under  ‘HKLM:\System\CurrentControlSet\Control\Terminal Server’ and the other is UserAuthentication  under ‘HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. So if the Values exist they appear as Item property in PowerShell and can be set, otherwise it can be created. I’ve found the safest way is to try to set  the value and trap the error which occurs if it doesn’t exist then create it specifying that it is a DWORD. So my function enables RemoteDesktop UNLESS –Disable is specified , and -lowSecurity is a boolean which tells it whether to demand user stronger authentication.


Function Set-RemoteDesktopConfig 

{Param ([switch]$LowSecurity, [switch]$disable) if ($Disable) {
set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'`
-name "fDenyTSConnections" -Value 1 -erroraction silentlycontinue if (-not $?) {new-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' `
-name "fDenyTSConnections" -Value 1 -PropertyType dword }
       set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
-name "UserAuthentication" -Value 1 -erroraction silentlycontinue
      if (-not $?) {new-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
-name "UserAuthentication" -Value 1 -PropertyType dword}
else {
set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' `
-name "fDenyTSConnections" -Value 0 -erroraction silentlycontinue
        if (-not $?) {new-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' `
-name "fDenyTSConnections" -Value 0 -PropertyType dword }
       if ($LowSecurity) {
set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'`
-name "UserAuthentication" -Value 0 -erroraction silentlycontinue
        if (-not $?) {new-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'`
-name "UserAuthentication" -Value 0 -PropertyType dword}


Finding out what the settings are is even easier.

Function Get-RemoteDesktopConfig
{if ((Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server').fDenyTSConnections -eq 1)

          {"Connections not allowed"}
elseif ((Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').UserAuthentication -eq 1)
         {"Only Secure Connections allowed"}
else {"All Connections allowed"}

The next part of the configurator to share will be for checking and setting firewall rules.

Comments (6)

  1. Anonymous says:

    Thanks , I’ll go and have another look at it.

  2. Anonymous says:

    Hi Marty. Actually I stole these from ScRegedit on server core, they take immediate effect (no reboot) and win32_terminalServiceSetting is only for machines running full terminal services (not remote desktop) – it’s not present otherwise.

  3. Anonymous says:

    OK, so you can test the state

    (Get-WmiObject -Class "Win32_TerminalServiceSetting" -Namespace rootcimv2terminalservices).AllowTsConnections

    and set it

    (Get-WmiObject -Class "Win32_TerminalServiceSetting" -Namespace rootcimv2terminalservices).SetAllowTsConnections(1)

    For authentication

    (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace rootcimv2terminalservices -Filter "TerminalName=’RDP-tcp’").UserAuthenticationRequired


    (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace rootcimv2terminalservices -Filter "TerminalName=’RDP-tcp’").SetUserAuthenticationRequired(1)

    0 or 1 in the Set turns it on and off.

  4. Marty says:

    Instead of changing the registry I suggest using the documented and supported interface that Microsoft has provided :)  It’s WMI class "Win32_TerminalServiceSetting".  Also, changes made via WMI take effect without requiring a reboot.

  5. Marty says:

    Win32_TerminalServiceSetting is not just for terminal server, it’s also present for remote desktop, both servers and workstations.  Maybe you missed it because the WMI namespace is different depending on OS version:

    Windows Vista and Windows Server 2008


    Windows XP and Windows Server 2003