There seem to be no available cmdlets to change the settings in the Remote Desktop section of the Remote tab in the System Properties dialogue box, namely to switch between "Don’t allow remote connections to this computer" and "Allow remote connections to this computer" and then, on selecting the latter, to control "Allow connections only from computers running Remote Desktop with Network Level Authentication".
Luckily you can do this with two WMI objects from within the root\CIMV2\TerminalServices namespace:
- Win32_TerminalServiceSetting via the SetAllowTSConnections method, enables and disables remote desktop connections and can also enable the appropriate firewall exception
- Win32_TSGeneralSetting via the SetUserAuthenticationRequired method, enables and disables the need for the user to be “authenticated”, which actually means enabling and disabling NLA.
The script below allows you to set all the options on either a remote or local computer. To change the local computer, set the ComputerName parameter to localhost or just a full stop (.).
```powershell
param(
    [string]$ComputerName = "",
    [int]$RDPEnable = -1,
    [int]$RDPFirewallOpen = -1,
    [int]$NLAEnable = -1
)
# $RDPEnable       - Set to 1 to enable remote desktop connections, 0 to disable
# $RDPFirewallOpen - Set to 1 to open RDP firewall port(s), 0 to close
# $NLAEnable       - Set to 1 to enable, 0 to disable

# The [int] parameters default to -1 so that an explicit 0 is not mistaken for "not supplied"
if (($ComputerName -eq "") -or ($RDPEnable -lt 0) -or ($RDPFirewallOpen -lt 0) -or ($NLAEnable -lt 0)) {
    Write-Host "You need to specify all parameters, e.g.:" -ForegroundColor Yellow
    Write-Host "   .\RemoteConnections.ps1 localhost 1 1 0" -ForegroundColor Yellow
    exit
}

# Remote Desktop Connections
$RDP = Get-WmiObject -Class Win32_TerminalServiceSetting -ComputerName $ComputerName -Namespace root\CIMV2\TerminalServices -Authentication PacketPrivacy

# First value enables remote connections, second opens firewall port(s)
$Result = $RDP.SetAllowTSConnections($RDPEnable, $RDPFirewallOpen)

if ($Result.ReturnValue -eq 0) {
    Write-Host "Remote Connection settings changed successfully"
} else {
    Write-Host ("Failed to change Remote Connections setting(s), return code " + $Result.ReturnValue) -ForegroundColor Red
    exit
}

# NLA (Network Level Authentication)
$NLA = Get-WmiObject -Class Win32_TSGeneralSetting -ComputerName $ComputerName -Namespace root\CIMV2\TerminalServices -Authentication PacketPrivacy

# Does not set ReturnValue to 0 when it succeeds, and we don't want to see screen output, so pipe to null
$NLA.SetUserAuthenticationRequired($NLAEnable) | Out-Null

# Recreate the WMI object so we can read out the (hopefully changed) setting
$NLA = Get-WmiObject -Class Win32_TSGeneralSetting -ComputerName $ComputerName -Namespace root\CIMV2\TerminalServices -Authentication PacketPrivacy

if ($NLA.UserAuthenticationRequired -eq $NLAEnable) {
    Write-Host "NLA setting changed successfully"
} else {
    Write-Host "Failed to change NLA setting" -ForegroundColor Red
    exit
}
```
I should probably make this into a cmdlet (or maybe Microsoft might have cared to do that for us all in the first place…!).
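A read-only companion to the script above, added here as an example and not part of the original post: it queries the same two WMI classes on one or more computers and flags any listener where remote desktop is enabled but NLA is not required. The function name Get-RdpNlaState and the output property names are assumptions made for this example.

```powershell
# Added example: audits the settings the script above changes; nothing is modified.
# Get-RdpNlaState is a hypothetical helper name, not an existing cmdlet.
function Get-RdpNlaState {
    param([string[]]$ComputerName = @("."))

    $ns = "root\CIMV2\TerminalServices"
    foreach ($computer in $ComputerName) {
        try {
            $ts = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace $ns `
                -ComputerName $computer -Authentication PacketPrivacy -ErrorAction Stop
            # Win32_TSGeneralSetting can return more than one instance (one per terminal)
            $terminals = @(Get-WmiObject -Class Win32_TSGeneralSetting -Namespace $ns `
                -ComputerName $computer -Authentication PacketPrivacy -ErrorAction Stop)
        }
        catch {
            # Unreachable host or access denied: report it and move on to the next one
            Write-Warning ("{0}: query failed: {1}" -f $computer, $_.Exception.Message)
            continue
        }

        $rdpOn = ($ts.AllowTSConnections -eq 1)
        foreach ($t in $terminals) {
            $nlaOn = ($t.UserAuthenticationRequired -eq 1)
            # Remote desktop enabled without NLA is the combination worth flagging
            $finding = if ($rdpOn -and -not $nlaOn) { "RDP enabled without NLA" } else { "OK" }

            New-Object PSObject -Property @{
                ComputerName = $computer
                Terminal     = $t.TerminalName
                RDPEnabled   = $rdpOn
                NLARequired  = $nlaOn
                Finding      = $finding
            }
        }
    }
}

# Audit the local computer and show only the entries that need attention
Get-RdpNlaState -ComputerName "." | Where-Object { $_.Finding -ne "OK" }
```

Running it before and after the configuration script confirms the change per terminal rather than relying on the first object returned.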
