Thursday, October 18, 2012

How to Boot Directly into Desktop with Windows Server 2012 with a GUI

I love Windows Server 2012 RTM, I really do.  But whose bright idea was it to boot to the "Modern UI" (aka, Metro) instead of the Windows Desktop?  There's really no reason for this, so I wrote a PowerShell script that configures Windows Server 2012 with a GUI to boot directly into the Desktop after signing in locally.  It does not affect RDP connections - those already go directly to the Desktop.

This is not a hack.  The script simply changes permissions on an existing registry key to allow the value to be changed, and then changes it.

NOTE: This script does not work on Windows 8 RTM -- it only works on Windows Server 2012 RTM.  Early beta builds of Windows 8 allowed you to toggle booting to the Desktop.  Microsoft removed those hacks in the RTM build of Windows 8, sorry.  :(

You may also want to read my article, How to Enable Autologon for Windows Server 2008 Member Servers and Windows 7 Member Workstations.  Those procedures also work for Windows Server 2012 and Windows 8.

Copy and paste the following text into Notepad and save it as BootToDesktop.ps1 on your Windows Server 2012 computer:

#Take Ownership of the "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server" registry key
$definition = @"
using System;
using System.Runtime.InteropServices;
namespace Win32Api
{
    public class NtDll
    {
        // The native Privilege parameter is a ULONG (32 bits), so it is declared as uint here
        [DllImport("ntdll.dll", EntryPoint="RtlAdjustPrivilege")]
        public static extern int RtlAdjustPrivilege(uint Privilege, bool Enable, bool CurrentThread, ref bool Enabled);
    }
}
"@
Add-Type -TypeDefinition $definition -PassThru
#Enable privilege 9 (SeTakeOwnershipPrivilege) for the current process
$bEnabled = $false
$res = [Win32Api.NtDll]::RtlAdjustPrivilege(9, $true, $false, [ref]$bEnabled)
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server", [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)
$acl = $key.GetAccessControl()
$acl.SetOwner([System.Security.Principal.NTAccount]"BUILTIN\Administrators")
$key.SetAccessControl($acl)

#Give Full Control of the key to BUILTIN\Administrators

$acl = Get-Acl "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server"
$rule = New-Object System.Security.AccessControl.RegistryAccessRule("BUILTIN\Administrators","FullControl","Allow")
$acl.SetAccessRule($rule)
Set-Acl "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server" $acl

#Set the value of ClientExperienceEnabled to 0 to enable boot to Desktop

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server" -Name ClientExperienceEnabled -Value 0

Optionally, you can download the BootToDesktop.ps1 script here.

Now simply run the BootToDesktop.ps1 script from an elevated Windows PowerShell prompt and reboot.  The next time you sign in, Windows Server 2012 will go straight into the Desktop.

The PowerShell script does three things:
  • It assigns ownership of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server registry key to the local built-in Administrators group.  By default this key is owned by the protected TrustedInstaller security principal.
  • Full control is given on the key to the built-in Administrators group.  By default built-in Administrators only have Read access.  Full control gives us the ability to change values in the key.
  • It changes the ClientExperienceEnabled value from 1 to 0, which configures Windows to start directly to the Desktop.

Windows Server 2012 and Windows 8 secure protected registry keys and files using the TrustedInstaller security principal.  TrustedInstaller is a core part of Windows Resource Protection (WRP) technology.  Windows usually assigns ownership of WRP protected items to TrustedInstaller and they normally cannot be modified or deleted.  This script overcomes that by taking ownership of the key and granting Full Control to the built-in Administrators group, which allows you to change the ClientExperienceEnabled value.

Since this is really just a simple registry change, you can safely use it in your server imaging process for all your Windows Server 2012 computers.  It only needs to be run once per server and affects all users who log in to that server.
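
The script leaves the key owned by the built-in Administrators group with Full Control after it runs, so an imaging process benefits from a way to confirm which servers carry that change.  The following read-only check is an added example, not part of the original script: it reports the key's owner, the rights held by Administrators, and the ClientExperienceEnabled value.  The function name Get-BootToDesktopState is hypothetical, and the two SIDs are the well-known ones for BUILTIN\Administrators and NT SERVICE\TrustedInstaller.

```powershell
# Added example (not from the original post): read-only audit of the key
# that BootToDesktop.ps1 modifies. Nothing here writes to the registry.
# Identities are compared by well-known SID so the check also works on
# localized builds of Windows.
$KeyPath             = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server'
$AdministratorsSid   = 'S-1-5-32-544'   # BUILTIN\Administrators
$TrustedInstallerSid = 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

function Get-BootToDesktopState {
    param([string]$Path = $KeyPath)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $full    = [System.Security.AccessControl.RegistryRights]::FullControl
    $acl     = Get-Acl -Path $Path
    $owner   = $acl.GetOwner($sidType).Value

    # Allow ACEs (explicit and inherited) that apply to the key itself
    # for BUILTIN\Administrators. Inherit-only ACEs affect subkeys only.
    $adminRules = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $AdministratorsSid -and
        $_.AccessControlType -eq 'Allow' -and
        -not ($_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly)
    })
    $adminsFull = [bool]($adminRules | Where-Object { ($_.RegistryRights -band $full) -eq $full })

    # $null when the value does not exist on this machine
    $value = (Get-ItemProperty -Path $Path -Name ClientExperienceEnabled -ErrorAction SilentlyContinue).ClientExperienceEnabled

    [pscustomobject]@{
        Computer                  = $env:COMPUTERNAME
        ClientExperienceEnabled   = $value
        OwnerSid                  = $owner
        OwnerIsTrustedInstaller   = ($owner -eq $TrustedInstallerSid)
        OwnerIsAdministrators     = ($owner -eq $AdministratorsSid)
        AdministratorsFullControl = $adminsFull
        AdministratorsRights      = ($adminRules | ForEach-Object { $_.RegistryRights }) -join '; '
        Sddl                      = $acl.Sddl
    }
}

Get-BootToDesktopState | Format-List
```

Run it on each imaged server, locally or through PowerShell remoting, and compare the Sddl field against a reference server that never ran BootToDesktop.ps1 to see exactly what the script changed.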