Using Remote Desktop Services in Containers
[01/21/2019: Microsoft made a change sometime after microsoft/windowsservercore:1709_KB4074588, breaking RDS. I'm looking into this and will post a new article/edit this one when more information is available.]
Remote Desktop Services (RDS) is not officially supported in Windows Containers. Nano Server-based containers, for example, don’t contain the required bits on disk. On the flip side, Windows Server Core-based containers do, but the feature is deactivated for a few technical and political reasons. In these containers, you can reactivate those bits with an easy registry value.
The value to twiddle is HKLM\System\CurrentControlSet\Control\Terminal Server\TemporaryALiC. (ALiC => Allow Listeners in Container.) Set this REG_DWORD to 1 sometime before TermService startup and you’re all set. RDS defaults will kick in and spin up an RDP-Tcp transport for you to connect to as normal.
Quick and dirty Dockerfile:
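#escape=`
FROM microsoft/windowsservercore:1709_KB4074588
# Create a local account and set its password (the password below is visible in the image history).
RUN net user /add Rafael
RUN net user Rafael !QAZ2wsx
# Allow the account to log on over RDP and give it administrative rights.
RUN net localgroup "Remote Desktop Users" Rafael /add
RUN net localgroup "Administrators" Rafael /add
# Allow Listeners in Container: must be set before TermService starts.
RUN cmd /k reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v TemporaryALiC /t REG_DWORD /d 1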
Warnings
- Only tested with Windows Server containers (silos).
- May interfere with the host machine's listener. Jiggling of the TermService on the host machine before/after container startup may be required.
- Remote Applications Integrated Locally (RAIL) scenarios will require additional configuration (future blog post)
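
To confirm what the registry value and the Dockerfile above actually left behind, the following check reports the state of the switch, the service and the group memberships inside a container or on a host. It is an added example, not code from the original post; it assumes Windows PowerShell 5.1 in an elevated session, and the function name `Get-RdsListenerState` is made up for this example.

```powershell
# Added example: report whether the RDS-in-container switch described above is active.
# Assumption: run inside the container (or on the host) from an elevated session.
function Get-RdsListenerState {
    [CmdletBinding()]
    param()

    $tsKey  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # SilentlyContinue: a missing key, value or service yields $null instead of an error.
    $ts  = Get-ItemProperty -Path $tsKey  -ErrorAction SilentlyContinue
    $rdp = Get-ItemProperty -Path $rdpKey -ErrorAction SilentlyContinue
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue

    # Members of the two groups the Dockerfile adds the account to.
    $members = foreach ($group in 'Remote Desktop Users', 'Administrators') {
        Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
            ForEach-Object { '{0}: {1}' -f $group, $_.Name }
    }

    [pscustomobject]@{
        TemporaryALiC     = $ts.TemporaryALiC        # 1 = listeners allowed in the container
        DenyTSConnections = $ts.fDenyTSConnections   # 1 = RDP connections refused
        RdpTcpPort        = $rdp.PortNumber
        TermServiceStatus = if ($svc) { $svc.Status } else { 'NotInstalled' }
        TermServiceStart  = if ($svc) { $svc.StartType } else { $null }
        GroupMembers      = @($members)
    }
}

$state = Get-RdsListenerState
$state | Format-List

# Flag the combination the post describes: switch set and TermService up.
if ($state.TemporaryALiC -eq 1 -and $state.TermServiceStatus -eq 'Running') {
    Write-Warning 'TemporaryALiC=1 and TermService is running: an RDP-Tcp listener is expected.'
}
```

Running it on the host before and after container startup also shows whether the host's TermService changed state, which is the interference the warnings above mention.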