Enable Remote Desktop in Windows Firewall from command line
Note: the #command-line tag does not imply batch-file-only; I will accept a PowerShell script or any freely available utility which can be started from the command line and finish its work unattended.
tl;dr
How do I, unattended, transform the firewall rules into exactly the state the GUI puts them in, on Windows Vista through Windows 10 with any interface (display) language?
Elaborating
This question is similar to #786383, but it's not the same.
Basically, because that answer isn't good for me:
- netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
  opens port 3389 for public networks, and I want to avoid that. Also, different Windows languages have different group names, but I need a universal solution.
- netsh firewall set service type = remotedesktop mode = enable
  isn't working for me either: it has been deprecated since Windows 7, and it allows RDP for the current network only (if you're on a public one, 3389 will be opened for public networks and won't work on private networks afterwards).
Note that before RDP is enabled via the GUI, there is only one rule per protocol for RDP. But when RDP is enabled via the GUI, the port only gets opened for private and domain networks, and the rules are split accordingly. After enabling, there are 4 rules on Windows 8+ and 2 rules (no UDP) on Windows XP, Vista and 7.
The work-around I'm currently using is adding my own rules:
netsh.exe advfirewall firewall add rule name="Remote Desktop - User Mode (TCP-In)" dir=in action=allow program="%%SystemRoot%%\system32\svchost.exe" service="TermService" description="Inbound rule for the Remote Desktop service to allow RDP traffic. [TCP 3389] added by LogicDaemon's script" enable=yes profile=private,domain localport=3389 protocol=tcp
netsh.exe advfirewall firewall add rule name="Remote Desktop - User Mode (UDP-In)" dir=in action=allow program="%%SystemRoot%%\system32\svchost.exe" service="TermService" description="Inbound rule for the Remote Desktop service to allow RDP traffic. [UDP 3389] added by LogicDaemon's script" enable=yes profile=private,domain localport=3389 protocol=udp
but that's bad, because (unlike the standard ones) they can be modified by the user, have no group (to work with other scripts), and don't get automatically disabled when RDP is turned off via the GUI.
Screenshots
Firewall rules before enabling RDP via the GUI for the first time:
Same rules when RDP is enabled via the GUI (the state I want to get):
And after disabling RDP in the GUI:
I won't retell the whole story of this fight with Windows command-line utilities unless somebody asks. Here is that story in Russian.
Solution 1:
netsh firewall set service type = remotedesktop mode = enable
or
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Solution 2:
If I understand the question correctly this will get you what you want. This is PowerShell:
$FireWall = New-Object -ComObject HNetCfg.FwPolicy2
# Rules that mention port 3389 and apply to exactly Domain (1) + Private (2) = 3
$EnableRules = $FireWall.Rules | Where-Object { $_.LocalPorts -like "*3389*" -and $_.Profiles -eq 3 }
ForEach ($Rule In $EnableRules) { $Rule.Enabled = $true }
This filters the rules and finds the correct ones independent of language. It does this by filtering on port 3389 and picking the rules associated with "Domain and Private networks". Profiles -eq 3 is the bitmask for Private and Domain networks; you can see the reference here:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa366303(v=vs.85).aspx
where 1 (Domain networks) + 2 (Private networks) = 3.
Here is the MSDN link where I figured out the rest:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa365309(v=vs.85).aspx
And here is how I figured out what the properties and methods were for the other objects:
PS C:\> $FireWall | Get-Member

   TypeName: System.__ComObject#{98325047-c671-4174-8d81-defcd3f03186}

Name                                         MemberType            Definition
----                                         ----------            ----------
EnableRuleGroup                              Method                void EnableRuleGroup (int, string, bool)
IsRuleGroupEnabled                           Method                bool IsRuleGroupEnabled (int, string)
RestoreLocalFirewallDefaults                 Method                void RestoreLocalFirewallDefaults ()
BlockAllInboundTraffic                       ParameterizedProperty bool BlockAllInboundTraffic (NET_FW_PROFILE_TYPE2...
DefaultInboundAction                         ParameterizedProperty NET_FW_ACTION_ DefaultInboundAction (NET_FW_PROFI...
DefaultOutboundAction                        ParameterizedProperty NET_FW_ACTION_ DefaultOutboundAction (NET_FW_PROF...
ExcludedInterfaces                           ParameterizedProperty Variant ExcludedInterfaces (NET_FW_PROFILE_TYPE2_...
FirewallEnabled                              ParameterizedProperty bool FirewallEnabled (NET_FW_PROFILE_TYPE2_) {get...
IsRuleGroupCurrentlyEnabled                  ParameterizedProperty bool IsRuleGroupCurrentlyEnabled (string) {get}
NotificationsDisabled                        ParameterizedProperty bool NotificationsDisabled (NET_FW_PROFILE_TYPE2_...
UnicastResponsesToMulticastBroadcastDisabled ParameterizedProperty bool UnicastResponsesToMulticastBroadcastDisabled...
CurrentProfileTypes                          Property              int CurrentProfileTypes () {get}
LocalPolicyModifyState                       Property              NET_FW_MODIFY_STATE_ LocalPolicyModifyState () {g...
Rules                                        Property              INetFwRules Rules () {get}
ServiceRestriction                           Property              INetFwServiceRestriction ServiceRestriction () {g...
PS C:\> $FireWall.Rules | Get-Member

   TypeName: System.__ComObject#{9c27c8da-189b-4dde-89f7-8b39a316782c}

Name                  MemberType  Definition
----                  ----------  ----------
Action                Property    NET_FW_ACTION_ Action () {get} {set}
ApplicationName       Property    string ApplicationName () {get} {set}
Description           Property    string Description () {get} {set}
Direction             Property    NET_FW_RULE_DIRECTION_ Direction () {get} {set}
EdgeTraversal         Property    bool EdgeTraversal () {get} {set}
EdgeTraversalOptions  Property    int EdgeTraversalOptions () {get} {set}
Enabled               Property    bool Enabled () {get} {set}
Grouping              Property    string Grouping () {get} {set}
IcmpTypesAndCodes     Property    string IcmpTypesAndCodes () {get} {set}
Interfaces            Property    Variant Interfaces () {get} {set}
InterfaceTypes        Property    string InterfaceTypes () {get} {set}
LocalAddresses        Property    string LocalAddresses () {get} {set}
LocalPorts            Property    string LocalPorts () {get} {set}
Name                  Property    string Name () {get} {set}
Profiles              Property    int Profiles () {get} {set}
Protocol              Property    int Protocol () {get} {set}
RemoteAddresses       Property    string RemoteAddresses () {get} {set}
RemotePorts           Property    string RemotePorts () {get} {set}
serviceName           Property    string serviceName () {get} {set}
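The following is an added worked example; it is not code from the question or from either answer. It uses the same HNetCfg.FwPolicy2 COM API as Solution 2 (available from Windows Vista onward, so it covers the Vista-to-10 range the question asks for) but selects the built-in rules by serviceName = "TermService" and inbound direction rather than by port string, which is an assumption of mine, not something the page states. This avoids two weak spots of the filter `LocalPorts -like "*3389*" -and Profiles -eq 3`: it would also match unrelated or outbound rules that merely mention 3389, and it misses the not-yet-split rule that still spans all profiles (Profiles = 0x7FFFFFFF) on a machine where RDP was never enabled via the GUI. For that unsplit rule the script narrows Profiles to Domain+Private; that is this example's choice, not a reproduction of the GUI's split into separate Domain/Private and Public rules. Run it from an elevated prompt.

```powershell
# Added example (not from the original question or answers).
# Enables the built-in Remote Desktop firewall rules for the Domain and Private
# profiles only, independent of the Windows display language, via the
# HNetCfg.FwPolicy2 COM API (Windows Vista and later). Run elevated.
#
# Assumptions (mine, not stated on the page): the built-in rules are recognised
# by serviceName = "TermService" plus inbound direction instead of by their
# localized Name/Grouping, and a rule that still spans all profiles is narrowed
# to Domain+Private here rather than split the way the GUI does it.

$NET_FW_PROFILE2_DOMAIN  = 1
$NET_FW_PROFILE2_PRIVATE = 2
$NET_FW_PROFILE2_PUBLIC  = 4
$NET_FW_PROFILE2_ALL     = 0x7FFFFFFF   # value a rule carries before the GUI splits it
$NET_FW_RULE_DIR_IN      = 1
$NET_FW_IP_PROTOCOL_TCP  = 6

function Get-RdpFirewallRule {
    # Built-in inbound rules of the Remote Desktop service, whatever their localized names.
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $policy.Rules | Where-Object {
        $_.serviceName -eq 'TermService' -and $_.Direction -eq $NET_FW_RULE_DIR_IN
    }
}

function ConvertTo-ProfileNames([int]$Mask) {
    # Decode the Profiles bitmask that Solution 2 compares against 3.
    if ($Mask -eq $NET_FW_PROFILE2_ALL) { return 'All' }
    $names = @()
    if ($Mask -band $NET_FW_PROFILE2_DOMAIN)  { $names += 'Domain' }
    if ($Mask -band $NET_FW_PROFILE2_PRIVATE) { $names += 'Private' }
    if ($Mask -band $NET_FW_PROFILE2_PUBLIC)  { $names += 'Public' }
    return ($names -join ',')
}

function Show-RdpFirewallRule {
    # One line per rule: Enabled, profiles, protocol, localized name.
    foreach ($rule in Get-RdpFirewallRule) {
        $proto = if ($rule.Protocol -eq $NET_FW_IP_PROTOCOL_TCP) { 'TCP' } else { 'UDP' }
        '{0,-5} {1,-15} {2,-4} {3}' -f $rule.Enabled, (ConvertTo-ProfileNames $rule.Profiles), $proto, $rule.Name
    }
}

function Enable-RdpForDomainAndPrivate {
    foreach ($rule in Get-RdpFirewallRule) {
        if ($rule.Profiles -eq $NET_FW_PROFILE2_ALL) {
            # Never split by the GUI: restrict it instead of opening 3389 to Public networks.
            $rule.Profiles = $NET_FW_PROFILE2_DOMAIN -bor $NET_FW_PROFILE2_PRIVATE
        }
        # Enable only rules that do not cover Public; a Public-only rule stays (or becomes) disabled.
        $coversPublic = ($rule.Profiles -band $NET_FW_PROFILE2_PUBLIC) -ne 0
        $rule.Enabled = -not $coversPublic
    }
    # Let the Remote Desktop service accept connections (the value Solution 1 writes with REG ADD).
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                     -Name fDenyTSConnections -Value 0 -Type DWord
}

Show-RdpFirewallRule            # state before
Enable-RdpForDomainAndPrivate
Show-RdpFirewallRule            # state after: Domain,Private rules enabled, Public ones disabled
```

Because the script only toggles the built-in rules, they keep the properties the question wants (protected from user edits, members of the Remote Desktop group, and turned off again when RDP is disabled in the GUI). On a machine where RDP was never enabled through the GUI, the end state differs from the GUI's layout on Windows 8+: the script leaves one narrowed Domain+Private rule per protocol instead of a Domain/Private rule plus a disabled Public rule, so compare Show-RdpFirewallRule's output with the screenshots above before relying on it.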