Friday, March 16, 2012

Enabling NLA for RDP connections using PowerShell

The critical nature of Microsoft bulletin MS12-020 may have you searching for a way to quickly enable Network Level Authentication (NLA) on your Windows Server 2008 SP2/R2 servers to avoid an unscheduled patch installation and restart. It is possible to enable it with Group Policy, but that may not be the best method for every environment. If you have PowerShell remoting set up on all of your servers, you can easily enable NLA:

Enable/disable NLA for Terminal Services / Remote Desktop Protocol (RDP); the UserAuthenticationRequired value is 0 = off, 1 = on:

# Read the current setting (0 = NLA off, 1 = NLA on)
(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").UserAuthenticationRequired
# Turn NLA on for the RDP-tcp listener
(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(1)

For a single server you can enable the setting with Invoke-Command:

Invoke-Command -ComputerName MyServer -ScriptBlock {(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(1)}

You can use VMware PowerShell commands to generate the list of servers and execute the command on each server:

# Build the server list from a vCenter folder, then open one remoting session per server
$vmnames = Get-VM -Location "Windows-NonProduction" | Select-Object -ExpandProperty Name | Sort-Object
$sessions = New-PSSession -ComputerName $vmnames
Invoke-Command -Session $sessions -ScriptBlock {(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(1)}

If you have a text file with the server names (one per line) you can use:

# Read the server names, open a session to each, then run the same command in every session
$names = Get-Content .\names.txt
$sessions = New-PSSession -ComputerName $names
Invoke-Command -Session $sessions -ScriptBlock {(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(1)}
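As an added example (not from the original post), the following script ties the steps above together into an audit-and-enforce pass: it reads the current value on every server, only changes the ones where NLA is off, re-reads the value afterwards, and reports any server that could not be reached or is still not at 1. It assumes PowerShell remoting is enabled and that a constructed file .\names.txt holds one server name per line.

```powershell
# Added example: audit and enforce NLA across a server list, then verify the result.
# Assumes PowerShell remoting is enabled and .\names.txt (constructed) lists one server per line.
$names = Get-Content .\names.txt | Where-Object { $_.Trim() -ne '' }

$results = Invoke-Command -ComputerName $names -ErrorAction SilentlyContinue -ErrorVariable remoteErrors -ScriptBlock {
    $filter  = "TerminalName='RDP-tcp'"
    $setting = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -Filter $filter
    $before  = $setting.UserAuthenticationRequired

    if ($before -ne 1) {
        # NLA is off on this listener: turn it on (1 = on) and re-read so the report shows the live value
        [void]$setting.SetUserAuthenticationRequired(1)
        $setting = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -Filter $filter
    }

    # One record per server; PowerShell 2.0 compatible object construction
    New-Object PSObject -Property @{
        Server  = $env:COMPUTERNAME
        Before  = $before
        After   = $setting.UserAuthenticationRequired
        Changed = ($before -ne $setting.UserAuthenticationRequired)
    }
}

# Servers that could not be reached (remoting disabled, offline, access denied) show up here, not in $results
foreach ($e in $remoteErrors) {
    Write-Warning $e.Exception.Message
}

# Summary table, then an explicit warning for anything still not enforcing NLA
$results | Select-Object Server, Before, After, Changed | Sort-Object Server | Format-Table -AutoSize
$results | Where-Object { $_.After -ne 1 } | ForEach-Object {
    Write-Warning "NLA is still disabled on $($_.Server)"
}
```

Run it a second time after remediation: every row should read Before 1 / After 1 / Changed False, and the unreachable list is the set of servers that still need to be handled by hand.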
