DSCResources/xRemoteDesktopAdmin/xRemoteDesktopAdmin.psm1
<#
This sample DSC Resource allows you to configure the Remote Desktop settings (under Remote Settings). Leveraging the xFirewall resource (included in MSFT_xNetworking), firewall rules can also be configured. Leveraging the Group resource (included in Windows), the "Remote Desktop Users" group can also be configured. This sample has been tested with Windows Server 2012 R2 and WMF 5.0 Preview Author: Tiander Turpijn, Microsoft Corporation Used parameters: Ensure [string] translates to reg value fDenyTSConnections [Int] - Allow RDP connection: Present = 0 "Enabled", Absent = 1 "Disabled" UserAuthentication [string] translates to reg value UserAuthentication [Int] - Allow only Network Level Authentication - connections: Secure = 1 "Secure", NonSecure = 0 "NonSecure" #> #region GET RDP Settings function Get-TargetResource { [CmdletBinding()] [OutputType([System.Collections.Hashtable])] param ( [Parameter(Mandatory)] [ValidateSet("Present","Absent")] [System.String]$Ensure, [ValidateSet("NonSecure", "Secure")] [System.String]$UserAuthentication ) switch ($Ensure) { "Present" {[System.Byte]$fDenyTSConnections = 0} "Absent" {[System.Byte]$fDenyTSConnections = 1} } switch ($UserAuthentication) { "NonSecure" {[System.Byte]$UserAuthentication = 0} "Secure" {[System.Byte]$UserAuthentication = 1} } $GetDenyTSConnections = Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" $GetUserAuth = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" $returnValue = @{ Ensure = switch ($GetDenyTSConnections.fDenyTSConnections) { 0 {"Present"} 1 {"Absent"} } UserAuthentication = switch ($GetUserAuth.UserAuthentication) { 0 {"NonSecure"} 1 {"Secure"} } } $returnValue } # Get-TargetResource 'Present' 'Secure' -Verbose # Expectation is a hashtable with configuration of the machine. #endregion #region SET RDP Settings function Set-TargetResource { [CmdletBinding()] [OutputType([System.Collections.Hashtable])] param ( [Parameter(Mandatory)] [ValidateSet("Present","Absent")] [System.String]$Ensure, [ValidateSet("NonSecure", "Secure")] [System.String]$UserAuthentication ) switch ($Ensure) { "Present" {[System.Byte]$fDenyTSConnections = 0} "Absent" {[System.Byte]$fDenyTSConnections = 1} } switch ($UserAuthentication) { "NonSecure" {[System.Byte]$UserAuthentication = 0} "Secure" {[System.Byte]$UserAuthentication = 1} } $GetEnsure = (Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections").fDenyTSConnections $GetUserAuthentiation = (Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication").UserAuthentication #The make it so section if ($fDenyTSConnections -ne $GetEnsure) { Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value $fDenyTSConnections } if ($UserAuthentication -ne $GetUserAuthentication) { Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value $UserAuthentication } } # Set-TargetResource 'Present' 'Secure' -Verbose # Expectation is the computer will be configured to accept secure RDP connections. To verify, right click on the Windows button and open System - Remote Settings. #endregion #region TEST RDP Settings function Test-TargetResource { [CmdletBinding()] [OutputType([System.Collections.Hashtable])] param ( [Parameter(Mandatory)] [ValidateSet("Present","Absent")] [System.String]$Ensure, [ValidateSet("NonSecure", "Secure")] [System.String]$UserAuthentication ) switch ($Ensure) { "Present" {[System.Byte]$fDenyTSConnections = 0} "Absent" {[System.Byte]$fDenyTSConnections = 1} } switch ($UserAuthentication) { "NonSecure" {[System.Byte]$UserAuthentication = 0} "Secure" {[System.Byte]$UserAuthentication = 1} } $GetfDenyTSConnections = (Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections").fDenyTSConnections $GetUserAuthentiation = (Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication").UserAuthentication $bool = $false if ($fDenyTSConnections -eq $GetfDenyTSConnections -and $UserAuthentication -eq $GetUserAuthentiation) { Write-Verbose "RDP settings are matching the desired state" $bool = $true } else { Write-Verbose "RDP settings are Non-Compliant!" if ($fDenyTSConnections -ne $GetfDenyTSConnections) { Write-Verbose "DenyTSConnections settings are non-compliant, Value should be $fDenyTSConnections - Detected value is: $GetfDenyTSConnections" } if ($UserAuthentication -ne $GetUserAuthentiation) { Write-Verbose "UserAuthentication settings are non-compliant, Value should be $UserAuthentication - Detected value is: $GetUserAuthentiation" } } $bool } # Test-TargetResource 'Present' 'Secure' -Verbose # Expectation is a true/false output based on whether the machine matches the declared configuration. #endregion Export-ModuleMember -Function *-TargetResource |