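<#
.SYNOPSIS
    Reports, and with -Apply enables, Remote Desktop on this Windows host.

.DESCRIPTION
    Reads the fDenyTSConnections policy value, the Network Level Authentication
    (UserAuthentication) setting, the configured RDP port, the built-in
    "Remote Desktop" firewall rule group and the TCP listener state, then prints
    one status line per item.  With -Apply it sets fDenyTSConnections to 0,
    turns on Network Level Authentication so credentials are verified before a
    session is created, and enables the built-in firewall rule group.

    Security notes for operators:
      * The built-in "Remote Desktop" rule group is scoped to every network
        profile (Domain, Private and Public).  Enabling it on a host attached
        to a Public network exposes RDP to anything that can reach the
        interface.  Restrict the rules (-Profile / -RemoteAddress) or put the
        host behind a VPN or RD Gateway before running with -Apply there.
      * The built-in rules allow TCP 3389 only.  If PortNumber has been
        changed, the script reports the custom port but the built-in rules
        will not admit traffic to it.

.PARAMETER Apply
    Make the changes.  Without it the script is a read-only dry run.
#>
param(
    [switch]$Apply
)

$ErrorActionPreference = "Stop"

# Registry locations Windows uses for the RDP service configuration.
$TerminalServerKey = "HKLM:\System\CurrentControlSet\Control\Terminal Server"
$RdpTcpKey         = "$TerminalServerKey\WinStations\RDP-Tcp"

function Get-RdpPolicy {
    # Returns the fDenyTSConnections location and whether RDP is allowed (value 0).
    # Throws (ErrorActionPreference = Stop) if the value is missing, which is unexpected on Windows.
    $value = Get-ItemProperty -Path $TerminalServerKey -Name "fDenyTSConnections"
    return [ordered]@{
        Path    = $TerminalServerKey
        Enabled = $value.fDenyTSConnections -eq 0
    }
}

function Get-RdpNlaPolicy {
    # UserAuthentication = 1 requires Network Level Authentication (CredSSP) before a
    # session is created; 0 lets unauthenticated clients reach the logon screen.
    # A missing value is treated as "not enabled" so the report asks for a change.
    $value = Get-ItemProperty -Path $RdpTcpKey -Name "UserAuthentication" -ErrorAction SilentlyContinue
    return [ordered]@{
        Path    = $RdpTcpKey
        Enabled = ($null -ne $value) -and ($value.UserAuthentication -eq 1)
    }
}

function Get-RdpPort {
    # RDP listens on PortNumber under the RDP-Tcp key; an absent value means the default 3389.
    $value = Get-ItemProperty -Path $RdpTcpKey -Name "PortNumber" -ErrorAction SilentlyContinue
    if ($null -ne $value -and $value.PortNumber) {
        return [int]$value.PortNumber
    }
    return 3389
}

function Get-RdpFirewallRules {
    # Built-in "Remote Desktop" group; a missing group yields no objects rather than an error.
    Get-NetFirewallRule -DisplayGroup "Remote Desktop" -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Enabled, Profile, Direction, Action
}

function Test-RdpPort {
    param(
        [int]$Port = 3389
    )
    # True when some process holds a LISTEN socket on the port.  This does not prove
    # the listener is the RDP service; it is a readiness hint only.
    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    return $null -ne $listener
}

function Test-IsAdministrator {
    # Writing under HKLM and enabling firewall rules both require an elevated token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Write-Step {
    param(
        [string]$Label,
        [string]$Status
    )
    # One-line status in the form "[STATUS] Label".
    Write-Host ("[{0}] {1}" -f $Status, $Label)
}

# ---- Gather current state (read-only) ---------------------------------------

$policy        = Get-RdpPolicy
$nla           = Get-RdpNlaPolicy
$rdpPort       = Get-RdpPort
$firewallRules = @(Get-RdpFirewallRules)
$enabledFirewallRules = @($firewallRules | Where-Object {
    $_.Enabled -eq "True" -and $_.Direction -eq "Inbound" -and $_.Action -eq "Allow"
})
$rdpListening = Test-RdpPort -Port $rdpPort

# ---- Report -----------------------------------------------------------------

$modeLabel = if ($Apply) { "Apply changes" } else { "Dry run" }
Write-Host "AllReach Windows RDP host preparation"
Write-Host "Mode: $modeLabel"
Write-Host ""

Write-Step "Remote Desktop setting" $(if ($policy.Enabled) { "OK" } else { "CHANGE" })
Write-Host "  Registry: $($policy.Path)"

Write-Step "Network Level Authentication" $(if ($nla.Enabled) { "OK" } else { "CHANGE" })
Write-Host "  Registry: $($nla.Path) (UserAuthentication)"

Write-Step "Remote Desktop firewall rules" $(if ($enabledFirewallRules.Count -gt 0) { "OK" } else { "CHANGE" })
Write-Host "  Enabled inbound allow rules: $($enabledFirewallRules.Count)"
# List the profile of each active rule so a Public-profile allow is visible before it goes live.
foreach ($rule in $enabledFirewallRules) {
    Write-Host "    $($rule.DisplayName) [$($rule.Profile)]"
}

Write-Step "TCP $rdpPort listener" $(if ($rdpListening) { "OK" } else { "CHECK" })
Write-Host "  Listener appears only after Windows RDP is enabled and ready."
if ($rdpPort -ne 3389) {
    Write-Host "  NOTE: non-default RDP port; the built-in firewall rules only allow TCP 3389."
}

if (-not $Apply) {
    Write-Host ""
    Write-Host "No changes were made. Re-run with -Apply to enable Remote Desktop, Network Level Authentication and the built-in firewall rules."
    exit 0
}

# ---- Apply ------------------------------------------------------------------

# Fail before touching anything if the session cannot actually make the changes.
if (-not (Test-IsAdministrator)) {
    throw "Applying changes requires an elevated (Administrator) PowerShell session."
}

if (-not $policy.Enabled) {
    Set-ItemProperty -Path $policy.Path -Name "fDenyTSConnections" -Value 0 -Type DWord
    Write-Host "Enabled Remote Desktop connections."
}

if (-not $nla.Enabled) {
    # Require NLA so the host authenticates the client before allocating a session.
    Set-ItemProperty -Path $nla.Path -Name "UserAuthentication" -Value 1 -Type DWord
    Write-Host "Enabled Network Level Authentication."
}

# Enables every rule in the group, for all network profiles (see the header notes).
Enable-NetFirewallRule -DisplayGroup "Remote Desktop" | Out-Null
Write-Host "Enabled built-in Remote Desktop firewall rules."

if (Test-RdpPort -Port $rdpPort) {
    Write-Host "RDP is listening on TCP $rdpPort."
} else {
    Write-Host "RDP setting is enabled, but TCP $rdpPort is not listening yet. Sign out/in or check Windows Remote Desktop settings."
}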