With the recent Covid-19 outbreak, we had to set up a lot of users to work from home. We were creating two options for remote access:
- Sharing access to their workstation through our existing monitoring agent (we use Datto with Splashtop).
- Setting up their existing VPN client with RDP access.
Option 1 was beneficial if the users had home computers we weren’t monitoring/managing, as it only provides screen control with no real network connection. However, the two limitations of using Splashtop were:
- Hard to run dual display setups.
- Unable to print from the remote computer to the local printer.
The other thing is that in the bare minimum state, the agent/Splashtop setup had a cost per workstation to it. While we were passing this along to our customers at our annual cost, some of them still didn’t want to pay it for multiple employees.
Enter the VPN/RDP connection setup. The main reasons for using the VPN/RDP setup are:
- It carried no additional cost (most of our customers are on FortiGate firewalls).
- It’s easier to work with multiscreen connections.
- It supports printing from the remote system to the local printer.
As a disclaimer: for security reasons, we never open RDP access to a machine through the network firewall to the public internet. We only use RDP access when paired with a VPN connection to limit exposure and security risk.
Instead of having to remote all the way into a user's workstation and click through multiple screens, I finally figured out the various CLI commands to speed up this process.
I’ll first note that I turned this into a batch file you can download and run on the workstation, and then I’ll break down each command.
First off, download the zip and extract the batch script.
When you extract the batch file, there is only one place you are going to need to edit. You just need to change the highlighted part below to the user's Windows username, save it and run it.
All I would have to do was edit the script, upload it to their computer real quick, run it from the agent CLI and then delete the script. Sort of made me feel like a hacker 🙂
Breaking Down the Script
Now I’ll break down the script.
The first line of the script enables Remote Desktop connections.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
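The next line unchecks the Network Level Authentication checkbox, so the workstation no longer requires clients to authenticate with NLA before the RDP session is set up.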
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
The next command adds the necessary rules to the Windows Firewall to allow RDP connections.
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
The next one adds the user to the Remote Desktop Users security group on the workstation, which authorizes them to remote in using RDP.
net localgroup "Remote Desktop users" "USERNAME_HERE" /add
The last command puts the computer into the High Performance power profile. This will allow the monitor to go to sleep, but does not allow the computer to go to sleep.
powercfg /s 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
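To confirm the commands above took effect on a workstation, here is a read-only audit as an added example (it is not the batch file from the download). The file name rdp-audit.bat, the firewall rule name "Remote Desktop - User Mode (TCP-In)" and the English netsh output format are assumptions.

```bat
@echo off
rem Added example: read-only audit of the settings the setup script changes.
rem Usage: rdp-audit.bat USERNAME   (file name is hypothetical)
setlocal
if "%~1"=="" echo Usage: %~nx0 USERNAME& exit /b 2
set "TS=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
set "FAIL=0"

rem fDenyTSConnections: 0x0 means Remote Desktop is enabled
call :regval "%TS%" fDenyTSConnections
if "%VAL%"=="0x0" (call :ok "Remote Desktop enabled") else (call :bad "fDenyTSConnections=%VAL%")

rem UserAuthentication: 0x0 = NLA not required (what the script sets), 0x1 = NLA required
call :regval "%TS%\WinStations\RDP-Tcp" UserAuthentication
echo [info] NLA UserAuthentication=%VAL%

rem Assumption: English Windows 10 rule name and netsh output format
netsh advfirewall firewall show rule name="Remote Desktop - User Mode (TCP-In)" | findstr /r /c:"^Enabled: *Yes" >nul
if errorlevel 1 (call :bad "RDP firewall rule not enabled") else (call :ok "RDP firewall rule enabled")

rem %%~nxM drops a DOMAIN\ prefix so local and domain accounts both match
set "MEMBER=0"
for /f "delims=" %%M in ('net localgroup "Remote Desktop Users" 2^>nul') do if /i "%%~nxM"=="%~1" set "MEMBER=1"
if "%MEMBER%"=="1" (call :ok "%~1 is in Remote Desktop Users") else (call :bad "%~1 is not in Remote Desktop Users")

rem The GUID is the High Performance plan the script activates
powercfg /getactivescheme | findstr /i "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" >nul
if errorlevel 1 (call :bad "High Performance plan not active") else (call :ok "High Performance plan active")

rem Exit code 0 = every check passed, 1 = at least one failed
exit /b %FAIL%

:regval
rem Sets VAL to the REG_DWORD data of value %2 under key %1, or "missing"
set "VAL=missing"
for /f "tokens=3" %%A in ('reg query "%~1" /v %~2 2^>nul ^| findstr /i "REG_DWORD"') do set "VAL=%%A"
exit /b 0

:ok
echo [ok]   %~1
exit /b 0

:bad
echo [FAIL] %~1
set "FAIL=1"
exit /b 0
```

The script changes nothing on the machine, so it can be run from the same agent CLI after setup or later to spot drift.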