How to activate RemoteDesktop on a 2012 Server in Powershell Remoteshell

Felix Leven Senior Systems Engineer Microsoft & Citrix.
All things Microsoft Admin, for 20 years plus, focusing on automation, infrastructure as code, devops, monitoring and reporting lately.
My GPOs made for 2008 R2 servers did not allow me to RDP into a new 2012 server by default. That's why I tried to allow RDP via PowerShell, because I could log into a remote shell without further configuration.
Below I will describe how I went step by step to find and change the necessary setting.

In a non-admin session, one of the first things I do is save my admin credentials.
$cred = Get-Credential


A window will open where you can enter your admin user credentials. They are now stored in $cred, so there is no need to enter them over and over again.

Now I connect to the server where I want to enable the RDP connection:
Note: IP addresses will not work here
Enter-PSSession servername -Credential $cred


The Get-PSDrive cmdlet shows me the available drives and the providers behind them, for example the filesystem, Registry, ActiveDirectory or Certificate Store by default.


Output example:
Name           Used (GB)     Free (GB) Provider      Root
----           ---------     --------- --------      ----
Alias                                  Alias
C                 402,81         46,34 FileSystem    C:\                 -> Filesystem
Cert                                   Certificate   \                   -> Certificate Store
HKCU                                   Registry      HKEY_CURRENT_USER   -> Registry
HKLM                                   Registry      HKEY_LOCAL_MACHINE  -> Registry


I was interested in editing the Registry, that's why I connect to HKEY_LOCAL_MACHINE:
cd HKLM:


I don't remember the exact location, where to find the Registry entry that will allow the RDP connection, but it was under "Control":
cd '.\SYSTEM\CurrentControlSet\Control'


This was the part I could remember. Now I have to search for the missing pattern, because it was something like *fdeny*:
ls -Recurse -ea SilentlyContinue | Where-Object { $_.Property -like "*fdeny*" }


    Hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
                      Name                           Property
                      ----                           --------
                      Terminal Server                RCDependentServices   : {CertPropSvc, SessionEnv}
                                                     NotificationTimeOut   : 0
                                                     SnapshotMonitors      : 1
                                                     ProductVersion        : 5.1
                                                     AllowRemoteRPC        : 0
                                                     DelayConMgrTimeout    : 0
                                                     fDenyTSConnections    : 1
                                                     StartRCM              : 0
                                                     TSAdvertise           : 0
                                                     DeleteTempDirsOnExit  : 1
                                                     fSingleSessionPerUser : 1
                                                     PerSessionTempDir     : 0
                                                     TSUserEnabled         : 0
                                                     InstanceID            : b667f9ec-e8ba-46a5-9c1b-5efdb5b


This helps! It is the fDenyTSConnections Property I need to change!

LS or Get-ChildItem will only help you to browse through the different Registry keys, but it will not show you the properties of the "Terminal Server" key! You need to execute Get-ItemProperty '.\Terminal Server' to view the "fDenyTSConnections" Property and its Value.

Finally I can change the RDP connection settings on my server:
Set-ItemProperty -Path '.\Terminal Server' -name fDenyTSConnections -Value 0


Again Get-ItemProperty '.\Terminal Server' can help to verify the changes.

Probably you'll have to allow RDP in your local firewall now. We are doing that again with Powershell, because in future versions of Windows, Microsoft might remove the Netsh functionality for Windows Firewall with Advanced Security.
Before, we worked with NETSH:
netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes


Note that in some languages you have to use "remotedesktop" instead.
Now, we have to start using cmdlets to configure "Windows Firewall with Advanced Security" and a lot of other stuff! (again, it's "remotedesktop" in some languages):
Set-NetFirewallRule -DisplayGroup "Remote Desktop" -Enabled True


Important: If you only want to change a single rule (not a group), the names/descriptions/translations of some of them changed in 2012 Server!

RDP should be up and running now.
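
The steps above can also be run in one non-interactive pass that records the registry value before and after the change and lists the firewall rules it enabled. This is an added example, not part of the original article; servername and $cred are the article's placeholders, and the group resource string '@FirewallAPI.dll,-28752' is used in place of the localized display name "Remote Desktop".

```powershell
# Added example: the article's steps as a single remote script block.
# 'servername' is the article's placeholder for the target server.
$cred = Get-Credential

$result = Invoke-Command -ComputerName servername -Credential $cred -ScriptBlock {
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # Record the value before changing it so the change can be audited or reverted.
    $before = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0
    $after = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections

    # -Group takes the language-independent resource string of the rule group,
    # so this works no matter how "Remote Desktop" is translated on the server.
    $group = '@FirewallAPI.dll,-28752'
    Enable-NetFirewallRule -Group $group

    # Collect the rules that are now enabled, including the network profiles
    # (Domain, Private, Public) each one applies to.
    $rules = Get-NetFirewallRule -Group $group |
        Select-Object Name, DisplayName, Enabled, Profile, Direction

    [pscustomobject]@{
        Server        = $env:COMPUTERNAME
        DenyBefore    = $before
        DenyAfter     = $after
        FirewallRules = $rules
    }
}

# Summary of the registry change, then the firewall rules that were enabled.
$result | Select-Object Server, DenyBefore, DenyAfter
$result.FirewallRules | Format-Table -AutoSize
```

The Profile column shows on which network profiles RDP is now reachable, which is worth checking before leaving the rules enabled.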