Enabling RDP by changing registry setting only works if RDP has been enabled several times previously

1

I'm trying to build an auto config batch file to set up new PCs the way I need them configured. One of the things I need to do is to enable RDP.

I have found this post which gives a solution involving changing a registry key:

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f

Many other posts and blogs give the same advice.

However, when I test this on my system, it only works if remote desktop has been enabled before, several times.

If I use the standard settings interface to enable RDP, I get an "enable remote desktop" popup, asking me to confirm that I want to allow RDP. I select yes, and the registry setting changes. I use the settings interface to turn RDP back off, I get another popup to confirm, I click yes, and the registry setting changes back.

However, it does not work the other way around - changing the registry setting does not affect the slider in the standard settings interface. Setting the registry key to zero does not enable RDP. I have checked that the firewall is configured to allow RDP, and that the relevant RDP services are all started. As soon as I turn the settings RDP slider on, I can RDP into the machine. Once I turn it off, even if I change the registry setting back and make sure all services/firewall settings are OK, I can't RDP in any more.

However, if I mess with the Enable RDP settings slider enough, eventually it stops showing the confirmation popup and just does it. At this point, changing that registry key has the desired effect - changing the registry key changes the position of the settings slider, and allows me to RDP into the machine as expected.

Obviously this makes my batch file ineffective on new PCs, which is its whole purpose.

How can I overcome this?

Windows 10 Enterprise LTSC Version 1809

(edited to clarify some points)

batch-file
cmd
rdp
asked on Stack Overflow Nov 11, 2020 by ASForrest • edited Nov 17, 2020 by ASForrest

2 Answers

2

The following PowerShell script works for me:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP\' -Name "UserAuthentication" -Value 1
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

I see the same process described here with an explanation of what each item does.

So perhaps your problem is not running one of those steps, but it's also unclear if you are testing RDP empirically after running your script or just looking at the UI - which may still be displaying a cached RDP status.

I think the batch file equivalent would be:

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP" /v UserAuthentication /t REG_DWORD /d 0x00000001 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

But using PowerShell is likely to be more future-proof.

answered on Stack Overflow Nov 24, 2020 by Peter Wishart
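
An added example, not part of the answer above: it applies the same three settings and then reads back the effective state (registry values, service, firewall rules, listening port) instead of relying on the Settings UI. The function name, the output property names and the two-second wait are assumptions of this sketch.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the settings from the answer, then verify what the
# machine actually does. Names below are hypothetical, chosen for this sketch.

function Enable-RdpAndVerify {
    $ts  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $rdp = "$ts\WinStations\RDP-Tcp"

    # 1. Allow connections and require Network Level Authentication (NLA),
    #    so the logon prompt is not exposed before the client authenticates.
    Set-ItemProperty -Path $ts  -Name 'fDenyTSConnections' -Value 0
    Set-ItemProperty -Path $rdp -Name 'UserAuthentication' -Value 1

    # 2. Enable the built-in firewall rule group.
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

    # 3. Assumption: give the Remote Desktop service a moment to open its listener.
    Start-Sleep -Seconds 2

    # 4. Read everything back. The port comes from the registry in case it
    #    was moved away from the default.
    $port   = (Get-ItemProperty -Path $rdp -Name 'PortNumber').PortNumber
    $listen = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
    $rules  = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                Where-Object Enabled -eq 'True')

    [pscustomobject]@{
        DenyTSConnections = (Get-ItemProperty -Path $ts  -Name 'fDenyTSConnections').fDenyTSConnections
        NlaRequired       = (Get-ItemProperty -Path $rdp -Name 'UserAuthentication').UserAuthentication
        ServiceStatus     = (Get-Service -Name 'TermService').Status
        FirewallRulesOn   = $rules.Count
        Port              = $port
        Listening         = [bool]$listen
    }
}

$state = Enable-RdpAndVerify
$state | Format-List

# Fail the provisioning run if the effective state is not what was requested.
if ($state.DenyTSConnections -ne 0 -or $state.NlaRequired -ne 1 -or
    $state.FirewallRulesOn -eq 0 -or -not $state.Listening) {
    Write-Error 'RDP is not in the expected state; see the values above.'
    exit 1
}
```

A `Listening` value of `False` while the registry values are correct points at the service or listener rather than at the registry write.
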
0

May I suggest using PowerShell to do so (you can run PowerShell from CMD/batch if needed to work only with batch). Follow this article.

P.S. Pay attention: they suggest it's for remote use (if WinRM is active), but it can be executed locally.

answered on Stack Overflow Nov 24, 2020 by Ilya Gurenko

User contributions licensed under CC BY-SA 3.0