"Windows Firewall: Allow inbound Remote Desktop exceptions" script

  • Friday, August 10, 2012 9:39 PM
     
     

    In my office, we have to enable the GPO policy "Windows Firewall: Allow inbound Remote Desktop exception" to activate Remote Desktop.  I was asked to script this process, but do not know if this policy can be changed through a VBS or batch file. Please help. 

All Replies

  • Friday, August 10, 2012 10:59 PM
     
     

    Once set in GPO you cannot change it with a script.

    You cannot change GPO via a script.  It is not necessary or needed to do this.  Just create a GPO for RDP and link it where needed.  It is a very simple and quick thing to do. It takes only a minute or two.


    ¯\_(ツ)_/¯

  • Saturday, August 11, 2012 7:57 AM
     
     

    In my office, we have to enable the GPO policy "Windows Firewall: Allow inbound Remote Desktop exception" to activate Remote Desktop. I was asked to script this process, but do not know if this policy can be changed through a VBS or batch file. Please help.


    If you already have a GPO that enables the RDP firewall rule, why do you need scripting?

    Grant Ward, a.k.a. Bigteddy

  • Saturday, August 11, 2012 8:03 AM
     
     

    To be clear. You cannot set a GP rule via a script.  Why would you want to?

    There are some third party tools that can allow you to generate a policy object from a template but it is not a native capability of Windows.

    Grant has the correct question.  Why?


    ¯\_(ツ)_/¯

  • Monday, August 13, 2012 2:38 PM
     
     
    The reason is that we are in a testing environment, and we have to reimage our systems all the time.  Every time we reimage, Remote Desktop is blocked; instead of doing this process manually, our bosses asked us to try to write a script (if possible) to enable Remote Desktop.  We are able to script the registry settings, but we were not able to script the GPO.  I thought this was not possible but I wanted to make sure, or if there is any other way to do this. Thanks
  • Monday, August 13, 2012 2:44 PM
    Moderator
     
     Proposed Answer

    Hi,

    Once you configure the setting in the GPO, it doesn't go away when you reimage a system to which the GPO applies. If you reimage the system and put it back in the proper OU, the GPO will automatically be reapplied.

    Bill

  • Monday, August 13, 2012 3:04 PM
     
     

    That is correct.  I am trying to changed them in the "Local Group Policy Editor" of the disconnected machines.  Almost all of the machines are disconnected.


    • Edited by Mangual12 Monday, August 13, 2012 3:04 PM
  • Monday, August 13, 2012 3:16 PM
    Moderator
     
     Proposed Answer
  • Monday, August 13, 2012 3:37 PM
     
     
     

    What Bill is pointing you at is how to do this in the setup phase.

    You are trying to alter the system image after the image has been deployed.  This is not necessary.  The setup can be customized to do all of this for you.

    Group Policy is after the fact.  It can do this but it is not normally how you would do it in a deployed stand alone system.

    If you are in a domain you would do it with GP.

    The WAIK is a valuable tool to reference for deployments of any kind.  It is how vendors like Dell and HP customize the systems.  They can add their own software and completely modify every step of the customer’s experience which is usually not more than saying yes to a few prompts.

    We can also customize the setup so an image can be distributed and the user can initialize it when they plug in the PC.  The prompt will ask for employee ID and password and the customization will be generated from a website which can allow us to add the users name and extension to the description and to update AD with the computer serial number and add it to the employees HR records.

    This allows any employee or manager to select a system from one of the approved vendors systems and customize the order.  The system order is generated and the system is staged based on a GUID generated by Dell, HP or other approved vendor.  When the system arrives it is plugged in and the correct image is installed based on the GUID. The purchasing records are also updated using the GUID.  An inventory of the delivered system can be done based on the purchase record.  We can even do this over the Internet.

    Soon you will see Dell doing this for consumer systems. 


    ¯\_(ツ)_/¯

  • Monday, August 13, 2012 3:40 PM
     
     

    I just would note that the way we used to do this was to alter the setup.inf and setsc.inf in the INF folder to alter the remote access and other security bits.

    This is what the AIK install does, but indirectly.  The setup.inf has sections which declare registry updates.  There is an inf for the firewall that can be customized too.

    If you are only interested in a quick solution then modify the master installation setup.inf and firewall.inf (not the right name).


    ¯\_(ツ)_/¯

  • Monday, August 13, 2012 3:43 PM
     
     

    Here is the XP guide for firewall.inf.  The Vista and later guides allow for more options on the firewall.

    http://www.microsoft.com/en-us/download/details.aspx?id=18996


    ¯\_(ツ)_/¯

  • Monday, August 13, 2012 3:51 PM
     
     

    Here is WAIK for Win7 and WS2008R2.  Vista is similar but the firewall is different.


    ¯\_(ツ)_/¯

  • Monday, August 13, 2012 4:23 PM
     
     

    I was not able to find the netfw.inf in Windows 7.  Basically, I am trying to find if there is a registry setting or a way to enable the following settings: "Windows Firewall: Allow inbound Remote Desktop exception" and "Allow users to connect remotely using Remote Desktop Services".


    • Edited by Mangual12 Monday, August 13, 2012 4:50 PM
  • Monday, August 13, 2012 5:29 PM
     
     

    I was not able to find the netfw.inf in Windows 7.  Basically, I am trying to find if there is a registry setting or a way to enable the following settings: "Windows Firewall: Allow inbound Remote Desktop exception" and "Allow users to connect remotely using Remote Desktop Services".



    http://technet.microsoft.com/en-us/library/dd799245(v=ws.10).aspx

    ¯\_(ツ)_/¯

  • Monday, August 13, 2012 5:32 PM
     
     

    Here is the rule that you will enable.

    netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes


    ¯\_(ツ)_/¯

  • Monday, August 13, 2012 5:35 PM

    Here is one example of using an unattended file.

    <?xml version='1.0' encoding='utf-8'?>
    <unattend xmlns="urn:schemas-microsoft-com:unattend" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
       <settings pass="specialize">
          <!-- processorArchitecture must match the image: x86 here, amd64 for a 64-bit image -->
          <component name="Microsoft-Windows-TerminalServices-LocalSessionManager" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
              <!-- false = allow Remote Desktop connections -->
              <fDenyTSConnections>false</fDenyTSConnections>
          </component>
          <component name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
              <!-- 0 turns Network Level Authentication off; 1 requires NLA before a session is created -->
              <UserAuthentication>0</UserAuthentication>
          </component>
          <component name="Networking-MPSSVC-Svc" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
              <!-- enables the built-in "Remote Desktop" inbound rule group on every firewall profile -->
              <FirewallGroups>
                  <FirewallGroup wcm:action="add" wcm:keyValue="rd1">
                      <Active>true</Active>
                      <Group>Remote Desktop</Group>
                      <Profile>all</Profile>
                  </FirewallGroup>
                </FirewallGroups>
            </component>
       </settings>
    </unattend>


    ¯\_(ツ)_/¯

  • Monday, August 13, 2012 7:56 PM
     
     

    Ok.  I am able to set everything for the Remote Desktop but I am trying to enable "Allow users to connect remotely using Remote Desktop Services" in the group policies through a script or netsh firewall, or if there is a registry setting for this policy that I can set through regedit.

  • Monday, August 13, 2012 8:35 PM
     
     

    Ok.  I am able to set everything for the Remote Desktop but I am trying to enable "Allow users to connect remotely using Remote Desktop Services" in the group policies through a script or netsh firewall, or if there is a registry setting for this policy that I can set through regedit.

    Every bit of that information has been posted in three different forms.  Did you read the links carefully?

    netsh does not enable Remote Desktop.  It can only add the firewall rules. BigTeddy posted the registry code above.  I posted the unattended setup information in two forms.

    Take your pick.


    ¯\_(ツ)_/¯

  • Monday, August 13, 2012 8:55 PM
     
     
    I know, but after I do all the changes pointed out above, Remote Desktop will not work until I manually enable "Allow users to connect remotely using Remote Desktop Services" in the group policies.  The reason is that all the registry settings are set, but the Remote Desktop section in the computer properties will stay, of course, greyed out unless I enable the "Allow users to connect remotely using Remote Desktop Services" policy.  This is the problem I am running into now.  
  • Monday, August 13, 2012 9:07 PM
     
     Answered
    I know, but after I do all the changes pointed out above, Remote Desktop will not work until I manually enable "Allow users to connect remotely using Remote Desktop Services" in the group policies.  The reason is that all the registry settings are set, but the Remote Desktop section in the computer properties will stay, of course, greyed out unless I enable the "Allow users to connect remotely using Remote Desktop Services" policy.  This is the problem I am running into now.  

    Yup.  That is why you need to use the Unattended setup script or to use WAIK.  In XP this worked and could even be done remotely using WMI.  Now it has more bits some of which are either hidden or encrypted. 

    I recommend just using the WAIK methods.  In WAIK I believe it needs to be done in phase 3 or it likely won't get set.

    I think you may need to do the firewall after the RDP setup because the rule may not exist until TS is enabled.

    You should probably post in the Windows deployment forum as they would know more of the issues of imaging Win7.


    ¯\_(ツ)_/¯
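The thread hands out the pieces one at a time (the fDenyTSConnections registry value, the netsh rule group, the unattend fragment) without ever putting them together for the case the OP actually has: a stand-alone, freshly imaged Windows 7 box with no domain GPO. The script below is an added example, not code from the thread or from any of its posters. It runs the steps in order from an elevated PowerShell prompt (or from SetupComplete.cmd at the end of imaging), keeps Network Level Authentication on instead of switching it off the way the unattend sample does, and verifies the result by looking at the listener and the firewall rule rather than at the registry. Assumptions that are not from the thread: English-locale netsh output, the Windows 7 rule name "Remote Desktop (TCP-In)", and the legacy firewall policy key layout used in step 5 for the policy the thread is named after.

```powershell
# Added example: enable Remote Desktop on a freshly imaged, stand-alone Windows 7
# machine from an elevated PowerShell prompt (e.g. called from SetupComplete.cmd).
# Assumptions, not from the thread: English-locale netsh output, the rule name
# "Remote Desktop (TCP-In)", and the legacy firewall policy key used in step 5.
$ErrorActionPreference = 'Stop'

# Every write below targets HKLM, so refuse to run without an elevated token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

function Set-RegValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. The local switch behind "Allow connections" on the Remote tab of System
#    Properties. 0 = allow.
Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections' 0

# 2. The policy switch behind "Allow users to connect remotely using Remote
#    Desktop Services". Local Group Policy is applied through the registry, so
#    writing the Policies key directly is what the OP was trying to script.
Set-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 'fDenyTSConnections' 0

# 3. Keep Network Level Authentication on. The unattend sample in this thread
#    sets UserAuthentication to 0, which lets an unauthenticated client reach
#    the logon screen; 1 requires CredSSP authentication before a session exists.
Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'UserAuthentication' 1

# 4. Open the firewall: the same rule group the thread enables with netsh.
& netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes | Out-Null

# 5. The policy the thread is named after, "Windows Firewall: Allow inbound
#    Remote Desktop exceptions". Assumed key layout (verify on your build):
#    RemoteAddresses limits who may connect; 'LocalSubnet' is tighter than '*'.
foreach ($profile in 'DomainProfile', 'StandardProfile') {
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$profile\Services\RemoteDesktop"
    Set-RegValue $key 'Enabled' 1
    Set-RegValue $key 'RemoteAddresses' 'LocalSubnet' 'String'
}

# 6. Verify the effect rather than the registry: the listener must be up and
#    the inbound rule enabled. Returns $true when RDP is actually reachable.
function Test-RdpEnabled {
    $deny = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
    $listening = @(netstat -an | Select-String ':3389\s+.*LISTENING').Count -gt 0
    $ruleOn = @(netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)" |
                Select-String '^Enabled:\s+Yes').Count -gt 0
    return ($deny -eq 0) -and $listening -and $ruleOn
}

if (-not (Test-RdpEnabled)) {
    # The listener belongs to TermService; if the registry changed but 3389 is
    # not yet listening, bounce the service once and check again.
    Restart-Service TermService -Force
    Start-Sleep -Seconds 5
    if (-not (Test-RdpEnabled)) { throw 'Remote Desktop is still not reachable; check the steps above.' }
}
'Remote Desktop enabled with NLA required.'
```

Two things to expect after running it. The Local Group Policy Editor will still show both policies as "Not Configured", because gpedit reads registry.pol rather than the live Policies keys, even though the values are in effect and the Remote tab of System Properties is greyed out exactly as the OP describes. And on a domain-joined machine the next Group Policy refresh will overwrite whatever the domain GPO says, which is why the replies keep pointing at a GPO or an unattend file for that case; the script is only the right tool for the disconnected test boxes the OP has.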