Enable Remote Desktop in Windows Firewall from command line
Solution 1
netsh firewall set service type = remotedesktop mode = enable
or
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Solution 2
If I understand the question correctly this will get you what you want. This is PowerShell:
$FireWall = New-Object -comObject HNetCfg.FwPolicy2
$EnableRules = $FireWall.rules | Where-Object {$_.LocalPorts -like "*3389*" -and $_.Profiles -eq "3"}
ForEach ($Rule In $EnableRules){($Rule.Enabled = "True")}
This will filter out the rules and grab the correct rule names agnostic of language. It does this by filtering on port 3389 and finding the rule associated with "Domain and Private networks". Profiles -eq 3
is the bitmap mask for Private and Domain networks, you can see the reference here:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa366303(v=vs.85).aspx
Where 1 (Domain networks) + 2 (Private networks) = 3
Here is the MSDN link where I figured out the rest:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa365309(v=vs.85).aspx
And here is how I figured out what the properties and methods were for the other objects:
PS C:\> $FireWall | Get-Member
TypeName: System.__ComObject#{98325047-c671-4174-8d81-defcd3f03186}
Name MemberType Definition
---- ---------- ----------
EnableRuleGroup Method void EnableRuleGroup (int, string, bool)
IsRuleGroupEnabled Method bool IsRuleGroupEnabled (int, string)
RestoreLocalFirewallDefaults Method void RestoreLocalFirewallDefaults ()
BlockAllInboundTraffic ParameterizedProperty bool BlockAllInboundTraffic (NET_FW_PROFILE_TYPE2...
DefaultInboundAction ParameterizedProperty NET_FW_ACTION_ DefaultInboundAction (NET_FW_PROFI...
DefaultOutboundAction ParameterizedProperty NET_FW_ACTION_ DefaultOutboundAction (NET_FW_PROF...
ExcludedInterfaces ParameterizedProperty Variant ExcludedInterfaces (NET_FW_PROFILE_TYPE2_...
FirewallEnabled ParameterizedProperty bool FirewallEnabled (NET_FW_PROFILE_TYPE2_) {get...
IsRuleGroupCurrentlyEnabled ParameterizedProperty bool IsRuleGroupCurrentlyEnabled (string) {get}
NotificationsDisabled ParameterizedProperty bool NotificationsDisabled (NET_FW_PROFILE_TYPE2_...
UnicastResponsesToMulticastBroadcastDisabled ParameterizedProperty bool UnicastResponsesToMulticastBroadcastDisabled...
CurrentProfileTypes Property int CurrentProfileTypes () {get}
LocalPolicyModifyState Property NET_FW_MODIFY_STATE_ LocalPolicyModifyState () {g...
Rules Property INetFwRules Rules () {get}
ServiceRestriction Property INetFwServiceRestriction ServiceRestriction () {g...
PS C:\> $Rules | Get-Member
TypeName: System.__ComObject#{9c27c8da-189b-4dde-89f7-8b39a316782c}
Name MemberType Definition
---- ---------- ----------
Action Property NET_FW_ACTION_ Action () {get} {set}
ApplicationName Property string ApplicationName () {get} {set}
Description Property string Description () {get} {set}
Direction Property NET_FW_RULE_DIRECTION_ Direction () {get} {set}
EdgeTraversal Property bool EdgeTraversal () {get} {set}
EdgeTraversalOptions Property int EdgeTraversalOptions () {get} {set}
Enabled Property bool Enabled () {get} {set}
Grouping Property string Grouping () {get} {set}
IcmpTypesAndCodes Property string IcmpTypesAndCodes () {get} {set}
Interfaces Property Variant Interfaces () {get} {set}
InterfaceTypes Property string InterfaceTypes () {get} {set}
LocalAddresses Property string LocalAddresses () {get} {set}
LocalPorts Property string LocalPorts () {get} {set}
Name Property string Name () {get} {set}
Profiles Property int Profiles () {get} {set}
Protocol Property int Protocol () {get} {set}
RemoteAddresses Property string RemoteAddresses () {get} {set}
RemotePorts Property string RemotePorts () {get} {set}
serviceName Property string serviceName () {get} {set}
Solution 3
The following cmd commands..
netsh firewall set service type = remotedesktop mode = enable
and
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /
are not sufficient to enable remote desktop.
I had to add this one to make it work (Client: Windows 10).
netsh advfirewall firewall add rule name="Open Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
Related videos on Youtube
Nauf_M
DevOps engineer at Intremedia. My opinion is in no way relevant to opinion of my bosses. Release process, code repositories organization, IaC (in AWS using Terraform and Ansible), CI/CD (Jenkins mostly, some Groovy), some coding (Go, JavaScript, Python). Some experience with Azure DevOps (aka TFS), GitLab CI/CD. Contacts: Telegram: @aderbenev_intermedia_net vkontakte: @logicdaemon (checking 1-2 times per week; care, FSB spies on you!) facebook messenger: @LogicDaemon (well, in 2019 I found out someone tried to contact me in 2016)
Updated on September 18, 2022Comments
-
Nauf_M almost 2 years
note: #command-line tag do not imply batch-file-only, I will accept a PowerShell script or any freely available utility, which can be started from command line and finish its work unattended.
tl;dr
how to unattendedly transform firewall rules exactly to state GUI puts it, on Windows Vista to Windows 10 of any interface (display) language?
Elaborating
This question is similar to #786383, but it's not the same.
Basically, because answer isn't good for me:
-
set rule group="remote desktop" new enable=Yes
opens port 3389 for public networks, and I want to avoid that. Also, different Windows languages have different group names, but I need an universal solution. -
netsh firewall set service type = remotedesktop mode = enable
isn't working for me either: it is deprecated since win7, and allows rdp for current network only (if you're in public one, 3389 will be opened for public networks and won't work in private networks afterwards).
Note that before RDP is enabled via GUI, there is only one rule per protocol for RDP. But when RDP is enabled via GUI, port only gets opened for private and domain networks, and rules split for this. After enabling, there are 4 rules in Windows 8+ and 2 rules (no UDP) in Windows XP, Vista and 7.
Work-around I'm currently using is adding my own rules:
netsh.exe advfirewall firewall add rule name="Remote Desktop - User Mode (TCP-In)" dir=in action=allow program="%%SystemRoot%%\system32\svchost.exe" service="TermService" description="Inbound rule for the Remote Desktop service to allow RDP traffic. [TCP 3389] added by LogicDaemon's script" enable=yes profile=private,domain localport=3389 protocol=tcp netsh.exe advfirewall firewall add rule name="Remote Desktop - User Mode (UDP-In)" dir=in action=allow program="%%SystemRoot%%\system32\svchost.exe" service="TermService" description="Inbound rule for the Remote Desktop service to allow RDP traffic. [UDP 3389] added by LogicDaemon's script" enable=yes profile=private,domain localport=3389 protocol=udp
but that's bad, because (unlike standard ones) they can be modified by user, have no group (to work with other scripts), and don't get automatically disabled when RDP is turned off via GUI.
Screenshots
Firewall rules before enabling RDP via GUI for the first time * **
Same rules when RDP is enabled via GUI (state I want to get):
And after disabling RDP in GUI:
I won't retell the whole story of this fight with windows command line utilities, until somebody asks. Here is that story in Russian.
-
Nathan Rice about 9 yearsSo am I correct in to summarize that you want the 2 built in firewall rules that enable UDP/TCP on Port 3389 for only the Domain and Private profiles?
-
Nauf_M about 9 yearsalmost. First, yes, I'm about modifying built-in rules. Second, yes, I want built-in rules to enable 3389 on Domain and Private networks. But here goes the tricky part (otherwise it would already be answered): let's first say about TCP. By default, there are no separate rules for {Public} and {Doman, Private} networks. There is one rule for {All} networks. But when RDP is enabled via GUI, there appears two rules, one for {Public} and one for {Doman, Private}. Same with UDP. Also I added screenshots, may clarify a bit also.
-
-
Nauf_M about 9 yearsI tried that.
netsh firewall
is deprecated (since win7), does not work in Win10, and allows rdp for current network only (if you're in public one, rdp will be allowed for public networks and won't work in private networks afterwards). This is noted in original story, I just thought it's not worth mentioning in question. I'll fix that fault. -
Nauf_M about 9 yearsnot sure why, but it says there's no such a property i.imgur.com/A0OmzZ8.png. I guess this is because until RDP is enabled 1st time via GUI, there is no such a rule, there is single rule for all networks (public, private, domain). But when enabled via GUI, this rule is split! Also there's typo at
)}
-
Nauf_M about 9 yearson Windows 8, there is no error, but nothing is done altogether i.imgur.com/te0J1Q9.png. Firewall rules look before enabling RDP via GUI for the first time: i.imgur.com/sEIE0me.png, after enabling and then disabling via GUI: i.imgur.com/PjnFOh1.png. Same rules when RDP is enabled via GUI (state I want to get): i.imgur.com/c3ywfHy.png
-
I say Reinstate Monica over 7 yearsWhile indeed deprecated,
netsh firewall
still works in Windows 10 (tested on Pro). -
Nauf_M over 7 years@Twisty I confirm, it works in version 1607 (build 14393.693) indeed. When I've been writing my prev comment, I tested it in current version (there were no release yet), and it didn't work.
-
itachi almost 3 yearsI can confirm this works for Windows 8.1. This is the only answer that truly helped me. I don't know why I couldn't find "Remote desktop" in the GUI firewall settings.
-
Nauf_M almost 3 yearsThis name is only valid for a specific Windows version, and only English UI.