Windows Server 2008 : Configuring Server Core for Remote Administration - Using the Server Core Registry Editor

The Server Core Registry Editor (scregedit.wsf) is a script used to modify the registry on Server Core installations. The script is only available on Server Core installations, not full installations of Windows Server 2008 or Windows Server 2008 R2. The basic syntax of the command is

cscript %windir%\system32\scregedit.wsf /property value

Tip

cscript is the command-based script host used to execute the script file and must be entered first.

Tip

Because the path (%windir%\system32\, normally C:\windows\system32\) is not known to the system, it must be included in the command.

For example, if you want to enable remote desktop connections from other systems to the Server Core installation, you can use the following command:

cscript %windir%\system32\scregedit.wsf /ar 0

The /ar switch enables or disables remote connections. A value of 0 enables remote desktop connections and a value of 1 disables remote desktop connections. The following table shows the common properties and values used with scrededit.wsf.

scregedit.wsf Command	Comments
Allow Remote Desktop connections. /ar 0 | 1 C:\>cscript %windir%\system32\ scregedit.wsf /ar 0 C:\>cscript %windir%\system32\ scregedit.wsf /ar 1	You can enable Remote Desktop with a 0 and disable it with a 1. You can view the current setting with the /v switch like the following: C:\>cscript %windir%\system32\scregedit.wsf /ar /v
Require CredSSP. /ar 0 | 1 C:\>cscript %windir%\system32\ scregedit.wsf /cs 0 C:\>cscript %windir%\system32\ scregedit.wsf /cs 1	You can allow connections from earlier versions of Windows that don’t support Credential Security Support Provider (CredSSP) with a value of 0, or require CredSSP with a value of 1. If the value is 1, the system blocks connections from computers that don’t support CredSSP (pre-Windows Vista computers). Figure 1 shows this setting in the GUI of a full installation of Windows Server 2008 server (not a Server Core server). Notice that it shows that connections are only allowed From Computers running Desktop with Network Level Authentication (More Secure). This is the same setting as /cs with a value of 1 to require CredSSP. You can view the current setting with the /v switch, such as the following: C:\>cscript %windir%\system32\scregedit.wsf /cs /v Note CredSSP is an authentication enhancement used with Remote Desktop Protocol 6.1. It provides an extra layer of security by preventing a client from establishing a session without first authenticating.
Configure automatic updates. /au 4 | 1 C:\>cscript %windir%\system32\ scregedit.wsf /au 4 C:\>cscript %windir%\system32\ scregedit.wsf /au 1	You can enable automatic updates with a 4 and disable it with a 1. You can view the current setting with the /v switch, such as the following: C:\>cscript %windir%\system32\scregedit.wsf /au /v
Allow IPsec Monitor remote management. /im 0 | 1 C:\>cscript %windir%\system32\ scregedit.wsf /im 0 C:\>cscript %windir%\system32\ scregedit.wsf /im 1	You can enable remote management using the IPsec Monitor with a value of 1 and disable it with a 0. You can view the current setting with the /v switch, such as the following: C:\>cscript %windir%\system32\scregedit.wsf /im /v

Figure 1. Enabling Remote Desktop and requiring CredSSP