With the MS12-020 RDP exploit that was just announced, I wanted to be able to determine which of our servers have Network Level Authentication (NLA) enabled for Remote Desktop, which will help reduce the risk until they are patched. I created a Configuration Item to determine if NLA is enabled based on the UserAuthentication value being set to “1” in the following registry key: HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. After reviewing some compliance reports, I noticed some servers were showing up as not compliant even though a GPO was in place to enable NLA for them. Of course, I overlooked the fact that if you enable NLA using Group Policy, the UserAuthentication value is located in HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services instead.
I have only used the DCM feature of SCCM once before, so I was not very familiar with it. I attempted to find a way to create a second Configuration Item for the second registry location, and then create a baseline that reports compliance if either item is validated. It appears this is not possible.
So – in order to get accurate compliance information (whether a server has NLA enabled manually or through Group Policy) I wrote a script to check both registry locations and report as compliant if NLA is enabled in either location. One caveat to keep in mind: a value under HKLM\Software\Policies is written by Group Policy and overrides the local RDP-Tcp setting, so a GPO that explicitly sets UserAuthentication to 0 leaves NLA disabled even if the RDP-Tcp value is 1. The script below does not distinguish that case; it treats a 1 in either location as compliant.
————
REM This script will detect if Network Level Authentication is enabled either manually or by GPO
REM This script will return "Compliant" if NLA is enabled in either registry location
Option Explicit
Dim strComputer, REG, manualNLA, GPONLA
strComputer = "."

Const HKLM = &H80000002
Const PathManual = "System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
Const PathGPO = "Software\Policies\Microsoft\Windows NT\Terminal Services"
Const valueName = "UserAuthentication"

Set REG = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
' GetDWORDValue leaves the output variable Empty if the key or value does not exist,
' so a missing value simply fails the "= 1" comparison below
REG.GetDWORDValue HKLM, PathManual, valueName, manualNLA
REG.GetDWORDValue HKLM, PathGPO, valueName, GPONLA
IF manualNLA = 1 THEN
    wscript.echo "Compliant"
ELSEIF GPONLA = 1 THEN
    wscript.echo "Compliant"
ELSE
    wscript.echo "NOTCompliant"
END IF
————-
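As an added example (not part of the original post), here is the same check written in PowerShell, for a Configuration Manager version whose Configuration Items accept PowerShell scripts (an assumption; the original uses VBScript). It goes beyond the VBScript in two ways: it applies the precedence rule that a policy value, when present, overrides the local RDP-Tcp value, and it cross-checks the result against the UserAuthenticationRequired property of the Win32_TSGeneralSetting WMI class, which reports the listener's effective setting. The helper names Get-RegistryDword and Get-NlaState are mine, not SCCM's.

```powershell
# Added example, not from the original post. Same two registry locations as
# the VBScript, plus policy-over-local precedence and a WMI cross-check.
# Stdout is a single line, "Compliant" or "NOTCompliant", so the CI validation
# rule (String, Equals, Compliant) is unchanged.

$ManualPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ValueName  = 'UserAuthentication'

# Hypothetical helper: returns the DWORD, or $null when the key or value is absent.
function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null
    }
}

# Hypothetical helper: resolves the effective NLA setting from both locations.
# A value under HKLM\SOFTWARE\Policies is written by Group Policy and takes
# precedence, so a GPO that sets 0 makes the server non-compliant even when
# the local RDP-Tcp value is 1.
function Get-NlaState {
    param([string]$ManualPath, [string]$PolicyPath, [string]$Name)
    $manual = Get-RegistryDword -Path $ManualPath -Name $Name
    $policy = Get-RegistryDword -Path $PolicyPath -Name $Name

    if ($null -ne $policy) {
        $effective = [int]$policy; $source = 'GPO'
    } elseif ($null -ne $manual) {
        $effective = [int]$manual; $source = 'Manual'
    } else {
        $effective = 0; $source = 'NotSet'   # no value anywhere: treat as disabled
    }

    return [pscustomobject]@{
        Effective = $effective
        Source    = $source
        Manual    = $manual
        Policy    = $policy
    }
}

$state = Get-NlaState -ManualPath $ManualPath -PolicyPath $PolicyPath -Name $ValueName

# Cross-check against what the Terminal Services WMI provider reports for the
# RDP-Tcp listener. Disagreements go to the warning stream, not stdout, so the
# compliance string stays clean.
try {
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop
    if ([int]$ts.UserAuthenticationRequired -ne $state.Effective) {
        Write-Warning ("Registry says NLA={0} (source {1}) but WMI reports UserAuthenticationRequired={2}" -f `
            $state.Effective, $state.Source, $ts.UserAuthenticationRequired)
    }
} catch {
    Write-Verbose "Win32_TSGeneralSetting not available: $_"
}

if ($state.Effective -eq 1) { Write-Output 'Compliant' } else { Write-Output 'NOTCompliant' }
```

Run it from an elevated prompt to test locally; to spot-check a server outside of SCCM, wrap the whole thing in Invoke-Command -ComputerName and look at the warning stream as well as the final string.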
This is how the Configuration Item is configured:
- On the Settings tab, select New – Script.
- On the General tab, provide a Name, set the Script language to VBScript, and paste in the script above.
- On the Validation tab, set the Data Type to String and create a new validation entry by clicking the New button. Set the Validation Operator to Equals and the Value to Compliant (because the script returns either “Compliant” or “NOTCompliant”).

Add this Configuration Item to a Baseline and assign it to a Collection.
