Windows – Enable Remote Desktop in Windows Firewall from command line

Tags: command line, remote desktop, unattended, windows, windows firewall

note: the #command-line tag does not imply batch-file-only; I will accept a PowerShell script or any freely available utility that can be started from the command line and finishes its work unattended.


tl;dr

How to unattendedly transform the firewall rules into exactly the state the GUI puts them in, on Windows Vista through Windows 10, with any interface (display) language?

Elaborating

This question is similar to #786383, but it's not the same.

Basically, because the answer there isn't good for me:

  1. set rule group="remote desktop" new enable=Yes opens port 3389 for public networks, and I want to avoid that. Also, different Windows languages have different group names, but I need a universal solution.
  2. netsh firewall set service type = remotedesktop mode = enable isn't working for me either: it has been deprecated since Windows 7, and it allows RDP for the current network only (if you're in a public one, 3389 will be opened for public networks and won't work in private networks afterwards).

Note that before RDP is enabled via the GUI, there is only one rule per protocol for RDP. But when RDP is enabled via the GUI, the port only gets opened for private and domain networks, and the rules are split accordingly. After enabling, there are 4 rules in Windows 8+ and 2 rules (no UDP) in Windows XP, Vista and 7.

The work-around I'm currently using is adding my own rules:

netsh.exe advfirewall firewall add rule name="Remote Desktop - User Mode (TCP-In)" dir=in action=allow program="%%SystemRoot%%\system32\svchost.exe" service="TermService" description="Inbound rule for the Remote Desktop service to allow RDP traffic. [TCP 3389] added by LogicDaemon's script" enable=yes profile=private,domain localport=3389 protocol=tcp
netsh.exe advfirewall firewall add rule name="Remote Desktop - User Mode (UDP-In)" dir=in action=allow program="%%SystemRoot%%\system32\svchost.exe" service="TermService" description="Inbound rule for the Remote Desktop service to allow RDP traffic. [UDP 3389] added by LogicDaemon's script" enable=yes profile=private,domain localport=3389 protocol=udp

but that's bad, because (unlike the standard ones) they can be modified by the user, have no group (to work with other scripts), and don't get automatically disabled when RDP is turned off via the GUI.

Screenshots

Firewall rules before enabling RDP via GUI for the first time:

Same rules when RDP is enabled via GUI (state I want to get):

And after disabling RDP in GUI:


I won't retell the whole story of this fight with Windows command line utilities unless somebody asks. Here is that story in Russian.
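One language-independent way to do the firewall part is to select the built-in Remote Desktop rules by their group resource string instead of the localized display group, enable them, and keep anything scoped to the Public profile off. This is an added example, not code from the question or the answer below; it assumes Windows 8 / Server 2012 or later (NetSecurity module, run elevated), and that the group string `@FirewallAPI.dll,-28752` is the one behind your build's "Remote Desktop" group (check with Get-NetFirewallRule -DisplayGroup first). It narrows rule profiles rather than reproducing the GUI's rule split.

```powershell
# Added example (not from the original post): enable the built-in Remote Desktop
# inbound rules for the Domain and Private profiles only, independent of UI language.
# Assumes Windows 8 / Server 2012+ (NetSecurity module) and an elevated session.
# '@FirewallAPI.dll,-28752' is assumed to be the resource string behind the
# "Remote Desktop" display group; confirm on your build with:
#   Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Select-Object Name, Group
$RdpGroup = '@FirewallAPI.dll,-28752'

function Enable-RdpFirewallPrivateDomain {
    param([string]$Group = $RdpGroup)

    $rules = Get-NetFirewallRule -Group $Group -Direction Inbound -ErrorAction Stop
    if (-not $rules) { throw "No inbound firewall rules found for group $Group" }

    foreach ($rule in $rules) {
        # Profile is a flags enum: 'Any' means all profiles, otherwise a
        # combination such as 'Domain, Private' or just 'Public'.
        $profiles = [string]$rule.Profile
        if ($profiles -eq 'Public') {
            # Public-only rule: leave it disabled, that is the exposure to avoid.
            Disable-NetFirewallRule -Name $rule.Name
        }
        elseif ($profiles -eq 'Any' -or $profiles -match 'Public') {
            # Rule also covers Public: narrow it to Domain,Private, then enable.
            Set-NetFirewallRule -Name $rule.Name -Profile 'Domain,Private' -Enabled True
        }
        else {
            Enable-NetFirewallRule -Name $rule.Name
        }
    }

    # Allow RDP connections themselves (same registry value the REG ADD answer sets).
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -Type DWord -Value 0

    # Report the resulting state: each rule with its port, protocol and profiles,
    # so the run can be checked for any Public exposure before trusting it.
    Get-NetFirewallRule -Group $Group -Direction Inbound | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name     = $_.Name
            Enabled  = $_.Enabled
            Profile  = $_.Profile
            Protocol = $port.Protocol
            Port     = $port.LocalPort
        }
    }
}

Enable-RdpFirewallPrivateDomain | Format-Table -AutoSize
```

On Vista and 7 the NetSecurity cmdlets are not available, so the same group string would have to be passed to netsh advfirewall firewall set rule group=... instead.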

Best Answer

netsh firewall set service type = remotedesktop mode = enable

or

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f