You can use Remote Desktop to connect to and control your PC from a remote device by using a Microsoft Remote Desktop client (available for Windows, iOS, macOS and Android). When you allow remote connections to your PC, you can use another device to connect to your PC and have access to all of your apps, files, and network resources as if you were sitting at your desk.
To connect to a remote PC, that computer must be turned on, it must have a network connection, Remote Desktop must be enabled, you must have network access to the remote computer (this could be through the Internet), and you must have permission to connect. For permission to connect, you must be on the list of users. Before you start a connection, it's a good idea to look up the name of the computer you're connecting to and to make sure Remote Desktop connections are allowed through its firewall.
The simplest way to allow access to your PC from a remote device is using the Remote Desktop options under Settings. Since this functionality was added in the Windows 10 Fall Creators Update (1709), a separate downloadable app is also available that provides similar functionality for earlier versions of Windows. You can also use the legacy way of enabling Remote Desktop; however, this method provides less functionality and validation.
To configure your PC for remote access, download and run the Microsoft Remote Desktop Assistant. This assistant updates your system settings to enable remote access, ensures your computer is awake for connections, and checks that your firewall allows Remote Desktop connections.
If you only want to access your PC when you are physically using it, you don't need to enable Remote Desktop. Enabling Remote Desktop opens a port on your PC that is visible to your local network. You should only enable Remote Desktop in trusted networks, such as your home. You also don't want to enable Remote Desktop on any PC where access is tightly controlled.
Be aware that when you enable access to Remote Desktop, you are granting anyone in the Administrators group, as well as any additional users you select, the ability to remotely access their accounts on the computer.
If you want to restrict who can access your PC, choose to allow access only with Network Level Authentication (NLA). When you enable this option, users have to authenticate themselves to the network before they can connect to your PC. Allowing connections only from computers running Remote Desktop with NLA is a more secure authentication method that can help protect your computer from malicious users and software. To learn more about NLA and Remote Desktop, check out Configure NLA for RDS Connections.
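The settings described above (whether Remote Desktop is enabled, whether NLA is required, which firewall profiles expose the port, and who is allowed to connect) can be read back in one pass. This is an added example, not part of the original documentation; it only reads configuration and assumes an English-language Windows 10 or later system and an elevated PowerShell session.

```powershell
# Added example: read-only audit of the Remote Desktop exposure described above.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # fDenyTSConnections = 0 means Remote Desktop accepts connections.
    $enabled = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
    # UserAuthentication = 1 means only NLA-capable clients may connect.
    $listener = Get-ItemProperty -Path $rdp
    $nla = $listener.UserAuthentication -eq 1

    # Enabled inbound rules in the built-in firewall group (English display name).
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
    # A rule active on the Public profile exposes the port on untrusted networks.
    $public = @($rules | Where-Object { "$($_.Profile)" -match 'Public|Any' })

    # Well-known SIDs avoid localized group names:
    # S-1-5-32-544 = Administrators, S-1-5-32-555 = Remote Desktop Users.
    $allowed = foreach ($sid in 'S-1-5-32-544', 'S-1-5-32-555') {
        $group = Get-LocalGroup -SID $sid
        Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue |
            ForEach-Object { "$($group.Name): $($_.Name)" }
    }

    [pscustomobject]@{
        RdpEnabled      = $enabled
        NlaRequired     = $nla
        ListenPort      = $listener.PortNumber
        PublicRuleCount = $public.Count
        AllowedAccounts = $allowed
    }
}

$report = Get-RdpExposure
$report | Format-List
if ($report.RdpEnabled -and -not $report.NlaRequired) {
    Write-Warning 'Remote Desktop is enabled without Network Level Authentication.'
}
if ($report.RdpEnabled -and $report.PublicRuleCount -gt 0) {
    Write-Warning 'Remote Desktop firewall rules are active on the Public profile.'
}
```

Settings pushed by Group Policy are stored under the Policies registry hive and take precedence over the values read here, so on a domain-joined PC compare the result with the applied policy.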
We recently upgraded to 10.1.5-h1 and it appears after the upgrade the Windows-Remote-Management traffic over tcp/5985 is now being identified as Web-browsing. This is causing that traffic to drop. We checked dynamic updates and are presently leveraging the latest update released on 5/16. Seeing if this is a growing issue?
Closing the loop on this issue. After working with TAC there is a known issue that is resolved in the 10.1.6 code released yesterday. The issue is when a policy uses L7 app-id with specific ports configured in the service port field as opposed to using "application-default". I took the workaround I used and changed it to application-default, removed the specific tcp ports listed, and removed web-browsing; leaving just windows-remote-management. This resolved the issue and will plan on an upgrade in the near future to 10.1.6.
I am not aware of this issue. Maybe a reboot or a delete and reinstall of the dynamic update again. I am not aware of any documented modifications to the AppID signature. Additional troubleshooting is needed.
I have opened a TAC case on this issue and will update the thread if/when I hear back.
As a workaround I added "web-browsing" to the policy but kept the specified service port tcp/5985 and 5986. This resolved the issue AND the traffic started passing/identifying as "Windows-Remote-Management". Web-browsing is an IMPLIED application for Windows-Remote-Management but this behavior looks to be that relationship has changed and now is DEPENDENT on Web-browsing. I did not find any app-updates that would have caused/mentioned this and Panorama/Applipedia doesn't flag web-browsing as dependent for Windows-Remote-Management.
I'm using 10.1.6, having recently upgraded the software. We are using the application windows-remote-management with the service set to application-default, but it is still not working: traffic is getting identified as web-browsing on port tcp-5985 and it is getting denied.
You can disconnect from a Windows 10 session with tsdiscon.exe. I created a taskbar shortcut for just this purpose. Not sure if that executable is available in Windows 8 (it should be). I found this to be the most expedient way to logoff a remote desktop session when the remote desktop bar is intentionally hidden (it always seemed to be in the way).
Before connecting to the remote computer, you can change in the properties (local sources) to never send keyboard shortcuts to the remote PC. By default it's set to: Only when in full-screen. When set to local, certain keyboard shortcuts that are different than what you normally use become active.
Remote desktop generally doesn't have an "untrap" key, but the mouse is never trapped. Simply move it anywhere on the other monitor, click so that the RDP client loses focus, and then your keys will work fine with the rest of your system until you give the RDP client focus again.
In our case, our domain and public DNS are hosted on OVH, which as far as I can tell has an API to manage the DNS zone programmatically. Many other DNS providers offer APIs to make such changes. Can you confirm that this would allow me to pass the DNS challenge, if properly configured?
In terms of using a Let's Encrypt certificate in Windows Remote Desktop, we've had a handful of questions about that and it doesn't look like anyone ever reported back afterward about how well it worked (or didn't work).
For removing the spaces from the fingerprint, do you have an equivalent of tr in the Windows command line, maybe with Powershell? In Unix you could use tr -d ' ' to remove spaces from a string, without having to do it by hand in a text editor.
As far as I understand it, this should be completely automatable through PowerShell and Python, right?
For example, at renewal you would run certbot, with a hook for DNS validation, and once we have the certificate then obtain the thumbprint and store it in a PowerShell variable (with space removal), convert the certificate to PFX and import it. This last step is still not clear to me: in your screenshot you used the key store GUI, can you use PowerShell to import the certificate, or update it on renewal? On Windows does it work and make sense to use something such as symlinks like on Unix OSes?
I am working my way through the PowerShell side. I am also going to log a request with the Boulder team to make PFX an option, as being able to download a PFX file from Let's Encrypt will simplify things for Windows users.
I bet a PowerShell expert can automate most of this process. I understand that Microsoft has exposed a significant amount of Windows configuration to PowerShell in one way or another. So I expect there could be a script made that takes care of most of these steps for you.
And IF a single signed RDP client will work when copied to other client workstations - you can also use Active Directory to deploy that signed RDP client file to the other workstations:
Using Group Policy Preferences for copying files:
experts-exchange.com: "I know all systems administrator at some time or another has had to create a script to copy file from a server share to a desktop. Well now there is an easy way to do this in Group Policy. Using..."
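The renewal steps discussed in the thread above (strip the spaces from the fingerprint, import the PFX, point Remote Desktop at the new certificate) can be scripted as follows. This is an added example and not code from any of the posters; the PFX path in the usage comment is hypothetical, the certificate is assumed to have already been converted to PFX, and the script must run elevated.

```powershell
# Added example: bind a renewed certificate to the Remote Desktop listener.
function ConvertTo-Thumbprint {
    param([Parameter(Mandatory)][string]$Fingerprint)
    # Keep hex digits only: removes spaces, colons and the invisible
    # characters that come along when copying from the certificate dialog.
    $hex = ($Fingerprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 40) {
        throw "Expected 40 hex characters (SHA-1 thumbprint), got $($hex.Length)."
    }
    $hex
}

function Set-RdpListenerCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$PfxPassword
    )
    # Import into the machine store; Remote Desktop needs the private key there.
    $cert = Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword `
        -CertStoreLocation 'Cert:\LocalMachine\My'
    if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key.' }
    if ($cert.NotAfter -lt (Get-Date)) { throw 'Certificate has already expired.' }

    $thumb = ConvertTo-Thumbprint -Fingerprint $cert.Thumbprint

    # The RDP-Tcp listener stores the thumbprint of the certificate it presents.
    $listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $previous = $listener.SSLCertificateSHA1Hash
    Set-CimInstance -InputObject $listener -Property @{ SSLCertificateSHA1Hash = $thumb }

    # Return old and new values so a renewal hook can log the change.
    [pscustomobject]@{
        Previous = $previous
        Current  = $thumb
        Expires  = $cert.NotAfter
    }
}

# Usage (hypothetical path):
# $pw = Read-Host -AsSecureString 'PFX password'
# Set-RdpListenerCertificate -PfxPath 'C:\certs\rdp-host.pfx' -PfxPassword $pw
```

Keeping the returned previous thumbprint lets you remove the superseded certificate from the store once clients have reconnected successfully.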
The "Desktop Sharing" settings that come installed by default seem to use VNC. VNC is a bit of a bandwidth hog, can only work at the resolution of whatever screen is attached to the host, requires you to log in at the machine itself, and mirrors every action on the host.
I would recommend X2go. It's very similar to RDP and highly efficient even over low-bandwidth, high-latency connections. Clients for all systems, including a plugin for Firefox, etc. It works over ssh and integrates with PulseAudio so you can use VoIP, for instance. Read more on
The x2go client requires a session command to execute upon logging in. For example, to use Unity 2D, use the session command: gnome-session --session=ubuntu-2d. This was found by looking in the file (on the host) /usr/share/xsessions/ubuntu-2d.desktop and copying the value of the Exec=... line. If you want to use some other session, you can use the value from another file in /usr/share/xsessions/, but it seems that anything requiring 3D acceleration will not work.
Chrome Remote Desktop BETA allows users to remotely access another computer through Chrome browser or a Chromebook. Computers can be made available on a short-term basis for scenarios such as ad hoc remote support, or on a more long-term basis for remote access to your applications and files. All connections are fully secured.