
@fahadysf
Created December 11, 2025 16:37
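#Requires -RunAsAdministrator
# Moves the Remote Desktop listener to a custom TCP port: writes the port to the
# registry, adjusts the Windows Firewall rule, restarts the RDP services and
# then checks for the new listener.
#
# Requires elevated (Administrator) PowerShell session. The #Requires statement
# above makes PowerShell refuse to start the script when it is not elevated,
# instead of failing part-way through with the registry already modified.
#
# NOTE(review): a non-default port only cuts down on noise from scans of the
# default port; it is not an access control. Keep Network Level Authentication,
# account lockout policy and source-address restrictions on the firewall rule
# in place regardless of the port chosen.
param(
    # TCP port the RDP listener should use after this script runs.
    # The range is limited to 1025-65535 by the validation attribute below.
    [Parameter(Mandatory=$true)]
    [ValidateRange(1025, 65535)]
    [int]$NewRdpPort
)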
# --- Configuration ---
# Registry location and value name that hold the RDP listener port.
$RdpKeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$RegValueName = 'PortNumber'

# Port the script expects to be replacing (used for messages and the firewall check).
$DefaultPort = 3389

# Display name of the inbound firewall rule to retarget.
# NOTE(review): firewall display names differ between Windows versions and UI
# languages (newer builds appear to ship "Remote Desktop - User Mode (TCP-In)");
# confirm the name on the target host, otherwise the firewall step falls back
# to creating a new rule.
$RdpFirewallRuleName = 'Remote Desktop (TCP-In)'

Write-Host "--- Starting RDP Port Change Script ---"
Write-Host "Attempting to change RDP Port from $DefaultPort to $NewRdpPort."
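# 1. Update the RDP Registry Key
# --------------------------------
# Writes the new port to the RDP-Tcp PortNumber value and reads it back.
# Exits with code 1 if the key is missing, the write fails, or the value read
# back does not match the requested port.
Write-Host "1. Updating RDP Port in the registry..."
try {
    # Ensure the registry path exists
    if (-not (Test-Path -Path $RdpKeyPath)) {
        Write-Error "RDP registry path $RdpKeyPath does not exist. Please check your system configuration."
        exit 1
    }

    # Set the new PortNumber value.
    # -ErrorAction Stop turns provider errors (for example access denied) into
    # terminating errors; without it they are non-terminating and the catch
    # block below would never see them.
    New-ItemProperty -Path $RdpKeyPath -Name $RegValueName -Value $NewRdpPort `
        -PropertyType DWord -Force -ErrorAction Stop | Out-Null

    # Verify the change by reading the value back through the same name variable
    $CurrentRegPort = (Get-ItemProperty -Path $RdpKeyPath -Name $RegValueName -ErrorAction Stop).$RegValueName
    if ($CurrentRegPort -eq $NewRdpPort) {
        Write-Host "Registry update successful. New RDP PortNumber is $NewRdpPort."
    } else {
        Write-Error "Registry update failed. Current PortNumber is $CurrentRegPort."
        exit 1
    }
} catch {
    Write-Error "An error occurred during registry modification: $($_.Exception.Message)"
    exit 1
}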
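# 2. Update the Windows Firewall Rule
# ------------------------------------
# Retargets the existing inbound RDP rule to the new port; if that rule cannot
# be found or changed, creates a dedicated allow rule instead. Exits with
# code 1 when neither works, so the services are not restarted onto a port the
# firewall still blocks.
Write-Host "2. Updating Windows Firewall rule '$RdpFirewallRuleName'..."
try {
    # Get the default RDP firewall rule (terminating error if it does not exist)
    $Rule = Get-NetFirewallRule -DisplayName $RdpFirewallRuleName -ErrorAction Stop

    # The local port lives on the rule's associated port filter, not on the
    # rule object itself, so read it from there. @() keeps this an array even
    # when a single value comes back; several rules can share a display name.
    $CurrentRulePorts = @(
        $Rule |
            Get-NetFirewallPortFilter -ErrorAction Stop |
            Select-Object -ExpandProperty LocalPort -Unique
    )
    $CurrentRulePortsText = $CurrentRulePorts -join ', '
    $HasSinglePort = ($CurrentRulePorts.Count -eq 1)

    if ($HasSinglePort -and ("$($CurrentRulePorts[0])" -eq "$NewRdpPort")) {
        Write-Host "Firewall rule is already set to the new port $NewRdpPort. No action needed."
    } else {
        if (-not ($HasSinglePort -and ("$($CurrentRulePorts[0])" -eq "$DefaultPort"))) {
            # The rule exists but is not on the expected default port
            Write-Warning "The existing rule '$RdpFirewallRuleName' is configured for port $CurrentRulePortsText. Updating it to $NewRdpPort."
        }
        # -ErrorAction Stop so a failed update reaches the catch block instead
        # of being reported as a success.
        Set-NetFirewallRule -DisplayName $RdpFirewallRuleName -LocalPort $NewRdpPort -ErrorAction Stop
        Write-Host "Firewall rule updated successfully to port $NewRdpPort."
    }
} catch {
    Write-Warning "Could not find or modify the default firewall rule '$RdpFirewallRuleName': $($_.Exception.Message)"
    Write-Host "Creating a new firewall rule for the custom port $NewRdpPort..."

    # Create a new firewall rule if the default one couldn't be modified/found.
    # NOTE(review): -Profile Any with no -RemoteAddress allows inbound RDP from
    # any source on every network profile, including Public. Prefer limiting
    # the rule to the profiles and management source addresses that need it.
    $NewRuleParams = @{
        DisplayName = "RDP Custom Port ($NewRdpPort)"
        Direction   = 'Inbound'
        LocalPort   = $NewRdpPort
        Protocol    = 'TCP'
        Action      = 'Allow'
        Profile     = 'Any'
        ErrorAction = 'Stop'
    }
    try {
        New-NetFirewallRule @NewRuleParams | Out-Null
        Write-Host "New firewall rule 'RDP Custom Port ($NewRdpPort)' created successfully."
    } catch {
        # Stop here: the script goes on to restart the RDP services, which
        # would move the listener to a port with no allow rule.
        Write-Error "Could not create a firewall rule for port ${NewRdpPort}: $($_.Exception.Message)"
        Write-Warning "The registry already points RDP at port $NewRdpPort; it takes effect at the next service restart or reboot. Fix the firewall rule or revert the registry value first."
        exit 1
    }
}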
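# 3. Restart Remote Desktop Services
# ----------------------------------
# Restarts TermService and SessionEnv so the listener picks up the new port.
# NOTE(review): restarting TermService drops existing RDP sessions, including
# the one running this script if it was started over RDP. Run it from the
# console or an out-of-band channel so a bad port or firewall rule cannot
# lock you out.
Write-Host "3. Restarting Remote Desktop Services to load the new port..."
try {
    # -ErrorAction Stop makes a failed restart a terminating error; without it
    # the failure is non-terminating, the catch block never runs, and the
    # success message below is printed regardless.
    Restart-Service -Name TermService -Force -ErrorAction Stop
    Restart-Service -Name SessionEnv -Force -ErrorAction Stop
    Write-Host "Remote Desktop Services restarted successfully."
} catch {
    Write-Warning "Could not restart services. You may need to manually restart them or reboot the system."
    Write-Warning "Restart error: $($_.Exception.Message)"
}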
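# 4. Final Verification
# ---------------------
# Lists TCP sockets listening on exactly the new local port. A plain
# "netstat | findstr <port>" matches the digits anywhere on the line (longer
# port numbers, remote ports, PIDs), which can report a listener that is not
# there.
Write-Host "--- Script Finished. ---"
Write-Host "Verifying new listener status (TCP listeners on local port $NewRdpPort):"
$Listeners = Get-NetTCPConnection -LocalPort $NewRdpPort -State Listen -ErrorAction SilentlyContinue
if ($Listeners) {
    # OwningProcess is shown so the listener can be matched to the service host
    # process; a listener on the port is not by itself proof that it is RDP.
    $Listeners |
        Format-Table -AutoSize LocalAddress, LocalPort, State, OwningProcess |
        Out-Host
} else {
    Write-Warning "No TCP listener found on port $NewRdpPort. The services may not have restarted yet, or the port change did not take effect."
}
# Keep the current session open until a new connection on the new port works.
Write-Host "Attempt RDP connection to confirm success."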