Search code examples
dockerwindows-10containersremote-desktopterminal-services

Enable Remote Desktop on Windows 10 Container


I'm trying to enable remote desktop on a container image.

Dockerfile

FROM mcr.microsoft.com/windows:2004

EXPOSE 3389

RUN net user administrator Stack0verflow
RUN net user administrator /active:yes

# I tried disabling the firewall; but this command errors as Windows Defender Firewall service 
# is not enabled; so presumably if the firewall's not running, it's not a firewall issue.
#RUN netsh advfirewall set allprofiles state off

# switch shell to powershell (note: pwsh not available on the image)
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue'; $ExecutionPolicy = 'Unrestricted';"]

# enable RDP (value is 1 on the base image)
RUN Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name 'fDenyTSConnections' -Type 'DWord' -Value 0
# per https://www.withinrafael.com/2018/03/09/using-remote-desktop-services-in-containers/
RUN Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name 'TemporaryALiC' -Type 'DWord' -Value 1

Note: Since it's a Windows image, I've switched Docker Desktop to Windows Containers (ref: Docker: "no matching manifest for windows/amd64 in the manifest list entries")

I then build this image via: docker build -t win10poc .

... And run it via: docker run --expose 3389 --publish 3390:3389 -it win10poc

The container runs successfully; but I can't connect to it (using mstsc with computer name 127.0.0.1:3390 on the host device; or even doing a Test-NetConnection -ComputerName 127.0.0.1 -Port 3390).

I've also tried running powershell -command "Test-NetConnection -ComputerName 'localhost' -Port 3389" from the container's command prompt; but this also returns a failure; suggesting that the service is not listening on this port.

Note: Running net start TermService on the container returns The requested service has already been started; so it should be listening.

My host device is running Windows 10.0.19041.264.

Note: I've seen a similar question for Windows Server; though asked again as that's for Server rather than Desktop, the question has less info on what's been tried, and there are no answers. As such, I'm hoping this doesn't count as a duplicate.


Solution

  • The reference you used to build your Dockerfile states that after 1709_KB4074588 RDP cannot be made to work anymore. Pulling today that tag does not work either: you get a response from the server but can't execute anything. I have no idea how the windows and servercore images differ in general and in terms of RDP, and on top of that I'm by no means a windows expert. My experience so far (using xfreerdp as client):

    • windows/servercore:1607 cexecsvc running, port 3389 not listening
    • windows/servercore:1709 can connect to RDP but executing an app results in ERRINFO_LOGOFF_BY_USER
    • windows/servercore:1709_KB4074588 behaves same as 1709

    Research shows also that you need to disable remote execution whitelist (don't know the correct name).

    • reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fAllowUnlistedRemotePrograms /t REG_DWORD /d 1
    • reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList" /v fDisabledAllowList /t REG_DWORD /f /d 1

    After reading a brief about sessions, desktops and stations I wrote a quick test enumerating sessions (see LsaEnumerateLogonSessions and LsaGetLogonSessionData) and saw that while a normal RDP session shows many (why? no idea) sessions for the same user and a few of them are interactive (10 - CachedInteractive in my case) a console in a Docker instance shows a single session for the ContainerAdministrator user of type 5 (Proxy - not supported), so as I understand it there's no way to get an interactive desktop from this session.