Disable RDP Windows 10 PowerShell Script Configuration Baseline SCCM

So I was setting up a KIOSK environment using Windows 10 1709 for a client recently and we wanted to take the route of applying as few GPOs as possible (as it should be in 2018)!

Ensuring that this stayed disabled was something that we decided to deploy using ConfigMgr Configuration Baselines.

So the Check compliance script is as follows:

Ok, so now the check script is out the way, here is the remediation script:

As always, scripts are as is, and if you do use them, remember where you got them from 😉

If you would like to see the setup of this baseline let me know in the comments below.

Cheers,

SCCMOG

4 Replies to “Disable RDP Windows 10 PowerShell Script Configuration Baseline SCCM”

  1. Hi, I'm trying to use this but every time it runs it's coming back as compliant. I had to amend the script as the variables for the firewall don't exist:
    #Variables
    $TSRegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
    $TSRegProperty = "fDenyTSConnections"
    $RDPTcpRegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
    $RDPTcpRegProperty = "UserAuthentication"

    #Set initial values
    $TSSet = $True
    $RDPTCPSet = $True
    $RDPUserinTCPReturn = $True
    $RDPUserinUDPReturn = $True

    #Test fDenyTSConnections state
    $TSReturn = (Get-ItemProperty -Path $TSRegPath -Name $TSRegProperty -ErrorAction SilentlyContinue).fDenyTSConnections
    If ($TSReturn -eq 1) {
        $TSSet = $False
    }

    #Test RDP-TCP State
    $RDPTCPReturn = (Get-ItemProperty -Path $RDPTcpRegPath -Name $RDPTcpRegProperty -ErrorAction SilentlyContinue).UserAuthentication
    If ($RDPTCPReturn -eq 0) {
        $RDPTCPSet = $False
    }

    #Get Firewall states
    $RDPUserinTCPReturn = (Get-NetFirewallRule -Name RemoteDesktop-UserMode-In-TCP -ErrorAction SilentlyContinue).Enabled
    $RDPUserinUDPReturn = (Get-NetFirewallRule -Name RemoteDesktop-UserMode-In-UDP -ErrorAction SilentlyContinue).Enabled
    $RDPShadinTCPReturn = (Get-NetFirewallRule -Name RemoteDesktop-Shadow-In-TCP -ErrorAction SilentlyContinue).Enabled

    #Evaluate and report
    If ( ! ($TSSet) -and ($RDPTCPSet) -and ($RDPUserinTCPReturn) -and ($RDPUserinUDPReturn) -and ($RDPShadinTCPReturn))
    {
        Write-Host "Yes"
    }
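
A compliance check built on the same registry value and firewall rule names as the script in the comment above, as an added example that is neither the blog author's nor the commenter's script. It assumes "compliant" means `fDenyTSConnections` is 1 and none of the three Remote Desktop inbound rules is enabled; the helper name `Test-RdpDisabled` and the `Compliant` / `Non-Compliant` output strings are assumptions to match against the compliance rule in the baseline.

```powershell
# Added example (not the original post's script).
# Assumption: compliant = fDenyTSConnections is 1 AND no Remote Desktop inbound rule is enabled.
$TSRegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RuleNames = 'RemoteDesktop-UserMode-In-TCP',
             'RemoteDesktop-UserMode-In-UDP',
             'RemoteDesktop-Shadow-In-TCP'

function Test-RdpDisabled {    # hypothetical helper name
    param(
        $DenyValue,            # fDenyTSConnections, or $null when the value is missing
        [string[]]$RuleStates  # 'True' / 'False' text for each rule that exists
    )
    # A missing registry value is not proof that RDP is off: require an explicit 1.
    if ($DenyValue -ne 1) { return $false }

    # Compare as text. Enabled is an enum (True = 1, False = 2), so a bare
    # "if ($rule.Enabled)" evaluates to true for a disabled rule as well.
    foreach ($state in $RuleStates) {
        if ($state -eq 'True') { return $false }
    }
    return $true
}

# Read the live state; errors are suppressed so a missing item yields $null.
$deny = (Get-ItemProperty -Path $TSRegPath -Name 'fDenyTSConnections' -ErrorAction SilentlyContinue).fDenyTSConnections

$states = @(foreach ($name in $RuleNames) {
    $rule = Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue
    if ($rule) { [string]$rule.Enabled }   # a rule that does not exist opens nothing
})

# Always emit exactly one value so the baseline has output to evaluate.
if (Test-RdpDisabled -DenyValue $deny -RuleStates $states) {
    'Compliant'
} else {
    'Non-Compliant'
}
```

A script that writes nothing on one branch gives the compliance rule no value to compare, which is why both outcomes produce output here.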
