Using Remote Desktop Services in Containers
[01/21/2019: Microsoft made a change sometime after microsoft/windowsservercore:1709_KB4074588, breaking RDS. I'm looking into this and will post a new article/edit this one when more information is available.]
Remote Desktop Services (RDS) is not officially supported in Windows Containers. Nano Server-based containers, for example, don’t contain the required bits on disk. Windows Server Core-based containers, on the other hand, do, but the feature is deactivated for a few technical and political reasons. In these containers, you can reactivate those bits by setting a single registry value.
The value to twiddle is HKLM\System\CurrentControlSet\Control\Terminal Server\TemporaryALiC. (ALiC => Allow Listeners in Container.) Set this REG_DWORD to 1 sometime before TermService startup and you’re all set. RDS defaults will kick in and spin up an RDP-Tcp transport for you to connect to as normal.
Quick and dirty Dockerfile:
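```dockerfile
#escape=`
FROM microsoft/windowsservercore:1709_KB4074588

# Create a local account and set its password (the password is recorded in the image history)
RUN net user /add Rafael
RUN net user Rafael !QAZ2wsx

# Let the account log on over RDP and make it a local administrator
RUN net localgroup "Remote Desktop Users" Rafael /add
RUN net localgroup "Administrators" Rafael /add

# Allow RDS listeners in the container (ALiC); must be in place before TermService starts
RUN cmd /k reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v TemporaryALiC /t REG_DWORD /d 1
```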
⚠ Warnings ⚠
- Only tested with Windows Server containers (silos).
- May interfere with the host machine's listener. Jiggling of the TermService on the host machine before/after container startup may be required.
- Remote Applications Integrated Locally (RAIL) scenarios will require additional configuration (future blog post)
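
A build-pipeline check for the pattern in the Dockerfile above, as an added example that is not part of the original post: it flags RUN steps that set TemporaryALiC, put a password on a net user command line (where it stays readable in the image history), or add an account to Administrators. The function names, finding labels and the sample account and password are assumptions made for illustration.

```python
import re

# Constructed sample shaped like the Dockerfile above; account and password are placeholders.
SAMPLE = r'''#escape=`
FROM microsoft/windowsservercore:1709_KB4074588
RUN net user /add Example
RUN net user Example PLACEHOLDER-pw
RUN net localgroup "Remote Desktop Users" Example /add
RUN net localgroup "Administrators" Example /add
RUN cmd /k reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" `
    /v TemporaryALiC /t REG_DWORD /d 1
'''

def run_commands(dockerfile):
    """Yield each RUN command, honouring the '# escape=' parser directive."""
    m = re.match(r'\s*#\s*escape\s*=\s*(\S)[^\n]*\n', dockerfile, re.I)
    esc = re.escape(m.group(1) if m else '\\')
    body = dockerfile[m.end():] if m else dockerfile
    joined = re.sub(esc + r'[ \t]*\r?\n', ' ', body)  # join continued lines
    for line in joined.splitlines():
        if re.match(r'\s*RUN\s', line, re.I):
            yield line.split(None, 1)[1].strip()

def audit(dockerfile):
    """Return (finding, detail) pairs; passwords are never echoed back."""
    findings = []
    for cmd in run_commands(dockerfile):
        # reg add ... /v TemporaryALiC ... /d <nonzero>: RDS listener switched on
        alic = re.search(r'\breg(?:\.exe)?\s+add\b.*/v\s+TemporaryALiC\b.*/d\s+(\w+)', cmd, re.I)
        if alic and alic.group(1).lower() not in ('0', '0x0'):
            findings.append(('rds-listener-enabled', 'TemporaryALiC'))
        # net user <name> <password>: the secret is stored in the image history
        user = re.search(r'\bnet\s+user\s+(.*)', cmd, re.I)
        if user:
            args = [t for t in user.group(1).split() if not t.startswith('/')]
            if len(args) >= 2 and args[1] != '*':
                findings.append(('password-in-layer', args[0]))
        # net localgroup Administrators <name> /add: the RDP-reachable account is admin
        admin = re.search(r'\bnet\s+localgroup\s+"?Administrators"?\s+(\S+)\s+/add', cmd, re.I)
        if admin:
            findings.append(('local-admin-added', admin.group(1)))
    return findings

if __name__ == '__main__':
    for finding, detail in audit(SAMPLE):
        print(f'{finding}: {detail}')
```

Only the reg add form of the change is matched; a value written another way (for example from a PowerShell step) needs its own pattern.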