
Feb 12


Enable RDP, firewall exceptions, and NLA settings via PowerShell and WMI (aka “the right way”)

I’ve come across quite a few folks over the years that enable RDP by setting the registry values to do so manually, and enabling firewall rules the same way (or disabling the firewall service itself, which is not supported by Microsoft, so don’t). While neither of these things is “the right way” to do it (I found this out from dealing with Microsoft support on this, and apparently doing it manually via the registry can cause issues), the right way isn’t really called out as such anywhere I can find either.

I’ve created a very simple PowerShell script (I put it in my MDT and SCCM task sequences when deploying machines as one of the first things done after the OS is deployed) that enables RDP for the Administrators group, opens the right port on the firewall, and can also be used to set it to NLA only if $NLAEnable = 1. Credit where credit is due, the script below was based on a script that does this same thing here. Thanks Robin!

This is “the right way” to do it, or so I’ve been told by Microsoft. To be fair, it’s much cleaner than what I see folks doing, so here it is:

$RDPEnable = 1        # 1 = allow Remote Desktop connections, 0 = deny them
$RDPFirewallOpen = 1  # 1 = also enable the built-in "Remote Desktop" firewall rule group
$NLAEnable = 0        # 1 = require Network Level Authentication, 0 = do not require it

# Enable Remote Desktop Connections
# (the TerminalServices WMI namespace requires PacketPrivacy authentication)
$RDP = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace root\CIMV2\TerminalServices -Authentication PacketPrivacy
$Result = $RDP.SetAllowTSConnections($RDPEnable,$RDPFirewallOpen)

if ($Result.ReturnValue -eq 0)
{
    Write-Host "Remote Connection settings changed successfully" -ForegroundColor Cyan
}
else
{
    Write-Host ("Failed to change Remote Connections setting(s), return code "+$Result.ReturnValue) -ForegroundColor Red
    exit
}

# Set Network Level Authentication level
$NLA = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\CIMV2\TerminalServices -Authentication PacketPrivacy
$NLA.SetUserAuthenticationRequired($NLAEnable) | Out-Null
# Re-read the setting so we verify what is actually in effect, not just the method's return value
$NLA = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\CIMV2\TerminalServices -Authentication PacketPrivacy
if ($NLA.UserAuthenticationRequired -eq $NLAEnable)
{
    Write-Host "NLA setting changed successfully" -ForegroundColor Cyan
}
else
{
    Write-Host "Failed to change NLA setting" -ForegroundColor Red
    exit
}

Note that these WMI calls are documented on MSDN:
http://msdn.microsoft.com/en-us/library/aa383644(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/aa383441(v=vs.85).aspx
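The script below is an added example, not part of the original post or Robin's script: it reads back the same settings the script above changes (AllowTSConnections, UserAuthenticationRequired, and the "Remote Desktop" firewall rule group that ModifyFirewallException toggles) and flags the combinations a defender would not want to find, such as RDP enabled with NLA left off. It assumes Windows 8 / Server 2012 or later (for Get-CimInstance and Get-NetFirewallRule) and the default RDP-Tcp listener; the function names are my own.

```powershell
# Added example, not the original post's script. Assumes Windows 8 / Server 2012+
# (CIM cmdlets, NetSecurity module) and the default "RDP-Tcp" listener.
function Get-RdpSecurityState {
    $ns = 'root\CIMV2\TerminalServices'
    # Same two WMI classes the post's Get-WmiObject calls use
    $ts  = Get-CimInstance -Namespace $ns -ClassName Win32_TerminalServiceSetting
    $gen = Get-CimInstance -Namespace $ns -ClassName Win32_TSGeneralSetting `
               -Filter "TerminalName='RDP-Tcp'"
    # Built-in rule group that $RDPFirewallOpen = 1 enables in the post's script
    $fw  = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        RdpEnabled       = ($ts.AllowTSConnections -eq 1)
        NlaRequired      = ($gen.UserAuthenticationRequired -eq 1)
        SecurityLayer    = $gen.SecurityLayer   # 0 = RDP, 1 = Negotiate, 2 = TLS
        FirewallRulesOn  = @($fw | Where-Object { $_.Enabled -eq 'True' }).Count
        FirewallRulesAll = $fw.Count
    }
}

function Test-RdpHardening {
    $s = Get-RdpSecurityState
    $findings = @()
    if ($s.RdpEnabled -and -not $s.NlaRequired) {
        # This is what the post's default ($NLAEnable = 0) leaves behind:
        # the listener sets up a session before the user has authenticated.
        $findings += 'RDP is enabled but NLA is not required'
    }
    if ($s.RdpEnabled -and $s.SecurityLayer -eq 0) {
        $findings += 'Security layer is legacy RDP rather than Negotiate/TLS'
    }
    if (-not $s.RdpEnabled -and $s.FirewallRulesOn -gt 0) {
        $findings += 'Remote Desktop firewall rules are open although RDP is disabled'
    }
    [pscustomobject]@{
        State    = $s
        Pass     = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage: a non-zero exit code lets a task sequence or compliance job flag the host
$r = Test-RdpHardening
$r.State | Format-List
if (-not $r.Pass) { $r.Findings | ForEach-Object { Write-Warning $_ }; exit 1 }
```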

Permanent link to this article: http://www.cluberti.com/blog/2014/02/12/enable-rdp-firewall-exceptions-and-nla-settings-via-powershell-and-wmi-aka-the-right-way/
