feat(RDPSign): Get-DesktopPaths OneDrive Desktop support + compressed changelogs

- Opdatér Get-DesktopPaths i alle 7 app-scripts: brug Get-ChildItem
  -Filter 'Desktop' -Depth 2 i stedet for Join-Path/Test-Path
  så OneDrive-omdirigeret Desktop også fanges
- Tilføj -Exclude 'Public','Default' for at springe systemprofiler over
- Komprimér og opdatér changelog i alle scripts med ny version
- Fjern old_app/ (arkiveret v1.0 scripts)
- Opdatér README.md og README.html
This commit is contained in:
GCH
2026-06-02 08:23:16 +02:00
parent 8e6dffa229
commit 2225abed9d
18 changed files with 575 additions and 1337 deletions
+339 -339
View File
@@ -1,340 +1,340 @@
<h1 id="rdp---intunewin-pakke">RDP - IntuneWin Pakke</h1> <h1 id="rdp---intunewin-pakke">RDP - IntuneWin Pakke</h1>
<blockquote> <blockquote>
<p>Denne pakke installerer og signerer RDP-genveje på skrivebordet via <p>Denne pakke installerer og signerer RDP-genveje på skrivebordet via
et selvsigneret certifikat, så brugerne ikke får en sikkerhedsadvarsel et selvsigneret certifikat, så brugerne ikke får en sikkerhedsadvarsel
ved åbning. Som standard arbejder alle scripts mod det ved åbning. Som standard arbejder alle scripts mod det
<strong>offentlige skrivebord</strong> <strong>offentlige skrivebord</strong>
(<code>C:\Users\Public\Desktop</code>). Brug <code>-AllUsers</code> (<code>C:\Users\Public\Desktop</code>). Brug <code>-AllUsers</code>
switchen for at køre mod alle brugeres individuelle skriveborde i switchen for at køre mod alle brugeres individuelle skriveborde i
stedet. stedet.
</p> </p>
</blockquote> </blockquote>
<hr /> <hr />
<h2 id="indhold">Indhold</h2> <h2 id="indhold">Indhold</h2>
<ul> <ul>
<li><a href="#pakkens-indhold">Pakkens indhold</a></li> <li><a href="#pakkens-indhold">Pakkens indhold</a></li>
<li><a href="#intune-app-konfiguration">Intune App <li><a href="#intune-app-konfiguration">Intune App
Konfiguration</a></li> Konfiguration</a></li>
<li><a href="#hvad-install.ps1-gør">Hvad Install.ps1 gør</a></li> <li><a href="#hvad-install.ps1-gør">Hvad Install.ps1 gør</a></li>
<li><a href="#sådan-opsætter-du-detect.ps1">Sådan opsætter du <li><a href="#sådan-opsætter-du-detect.ps1">Sådan opsætter du
Detect.ps1</a></li> Detect.ps1</a></li>
<li><a href="#allusers-switch">AllUsers Switch</a></li> <li><a href="#allusers-switch">AllUsers Switch</a></li>
<li><a href="#registry-ændringer">Registry-ændringer</a></li> <li><a href="#registry-ændringer">Registry-ændringer</a></li>
<li><a href="#logning-og-fejlfinding">Logning og fejlfinding</a></li> <li><a href="#logning-og-fejlfinding">Logning og fejlfinding</a></li>
<li><a href="#signonly-intune-app-konfiguration">SignOnly Intune App <li><a href="#signonly-intune-app-konfiguration">SignOnly Intune App
Konfiguration</a></li> Konfiguration</a></li>
<li><a href="#øvrige-scripts-i-pakken">Øvrige scripts i pakken</a></li> <li><a href="#øvrige-scripts-i-pakken">Øvrige scripts i pakken</a></li>
</ul> </ul>
<hr /> <hr />
<h2 id="pakkens-indhold">Pakkens indhold</h2> <h2 id="pakkens-indhold">Pakkens indhold</h2>
<table> <table>
<colgroup> <colgroup>
<col style="width: 38%" /> <col style="width: 38%" />
<col style="width: 61%" /> <col style="width: 61%" />
</colgroup> </colgroup>
<thead> <thead>
<tr> <tr>
<th>Fil</th> <th>Fil</th>
<th>Formål</th> <th>Formål</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td><code>Install.ps1</code></td> <td><code>Install.ps1</code></td>
<td>Kopierer RDP-filer til skrivebord(e), opretter selvsigneret <td>Kopierer RDP-filer til skrivebord(e), opretter selvsigneret
certifikat og signerer alle RDP-filer. Understøtter certifikat og signerer alle RDP-filer. Understøtter
<code>-AllUsers</code> switch. <code>-AllUsers</code> switch.
</td> </td>
</tr> </tr>
<tr> <tr>
<td><code>Detect.ps1</code></td> <td><code>Detect.ps1</code></td>
<td>Tjekker at specifikke forventede .rdp-filer (defineret i <td>Tjekker at specifikke forventede .rdp-filer (defineret i
<code>$expectedFiles</code> array) eksisterer på skrivebord(e). <code>$expectedFiles</code> array) eksisterer på skrivebord(e).
Understøtter <code>-AllUsers</code> switch. Understøtter <code>-AllUsers</code> switch.
</td> </td>
</tr> </tr>
<tr> <tr>
<td><code>Uninstall.ps1</code></td> <td><code>Uninstall.ps1</code></td>
<td>Fjerner RDP-filer fra skrivebord(e). Understøtter <td>Fjerner RDP-filer fra skrivebord(e). Understøtter
<code>-AllUsers</code> switch. <code>-AllUsers</code> switch.
</td> </td>
</tr> </tr>
<tr> <tr>
<td><code>SignOnly.ps1</code></td> <td><code>SignOnly.ps1</code></td>
<td>Signerer eksisterende RDP-filer på skrivebord(e) — ingen <td>Signerer eksisterende RDP-filer på skrivebord(e) — ingen
filkopiering. Understøtter <code>-AllUsers</code> switch.</td> filkopiering. Understøtter <code>-AllUsers</code> switch.</td>
</tr> </tr>
<tr> <tr>
<td><code>SignOnly_detect.ps1</code></td> <td><code>SignOnly_detect.ps1</code></td>
<td>Registrerer om certifikat er til stede og alle RDP-filer på <td>Registrerer om certifikat er til stede og alle RDP-filer på
skrivebord(e) er signerede. Understøtter <code>-AllUsers</code> skrivebord(e) er signerede. Understøtter <code>-AllUsers</code>
switch.</td> switch.</td>
</tr> </tr>
<tr> <tr>
<td><code>Clearsigning.ps1</code></td> <td><code>Clearsigning.ps1</code></td>
<td>Fjerner signaturer fra RDP-filer og rydder op i certifikat og <td>Fjerner signaturer fra RDP-filer og rydder op i certifikat og
registry (til oprydning/debug). Understøtter <code>-AllUsers</code> registry (til oprydning/debug). Understøtter <code>-AllUsers</code>
switch.</td> switch.</td>
</tr> </tr>
<tr> <tr>
<td><code>sandbox.ps1</code></td> <td><code>sandbox.ps1</code></td>
<td>Kombineret install + detect script til lokal sandkasse-test. <td>Kombineret install + detect script til lokal sandkasse-test.
Understøtter <code>-AllUsers</code> switch.</td> Understøtter <code>-AllUsers</code> switch.</td>
</tr> </tr>
<tr> <tr>
<td><code>rdp-files\*.rdp</code></td> <td><code>rdp-files\*.rdp</code></td>
<td>Kilde-RDP-filer der installeres på skrivebord(e)</td> <td>Kilde-RDP-filer der installeres på skrivebord(e)</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><a href="#rdp---intunewin-pakke">↑ Tilbage til toppen</a></p> <p><a href="#rdp---intunewin-pakke">↑ Tilbage til toppen</a></p>
<hr /> <hr />
<h2 id="sådan-opsætter-du-detect.ps1">Sådan opsætter du Detect.ps1</h2> <h2 id="sådan-opsætter-du-detect.ps1">Sådan opsætter du Detect.ps1</h2>
<p>Før du uploader <code>Detect.ps1</code> til Intune som <p>Før du uploader <code>Detect.ps1</code> til Intune som
registreringsregel, skal du åbne filen og udfylde registreringsregel, skal du åbne filen og udfylde
<code>$expectedFiles</code> array med de <code>.rdp</code> filnavne der <code>$expectedFiles</code> array med de <code>.rdp</code> filnavne der
ligger i <code>.\\rdp-files\\</code>: ligger i <code>.\\rdp-files\\</code>:
</p> </p>
<div class="sourceCode" id="cb1"> <div class="sourceCode" id="cb1">
<pre class="sourceCode powershell"><code class="sourceCode powershell"><span id="cb1-1"><a href="#cb1-1" aria-hidden="true" tabindex="-1"></a><span class="va">$expectedFiles</span> <span class="op">=</span> <span class="op">@(</span></span> <pre class="sourceCode powershell"><code class="sourceCode powershell"><span id="cb1-1"><a href="#cb1-1" aria-hidden="true" tabindex="-1"></a><span class="va">$expectedFiles</span> <span class="op">=</span> <span class="op">@(</span></span>
<span id="cb1-2"><a href="#cb1-2" aria-hidden="true" tabindex="-1"></a> <span class="st">&quot;Server1.rdp&quot;</span><span class="op">,</span></span> <span id="cb1-2"><a href="#cb1-2" aria-hidden="true" tabindex="-1"></a> <span class="st">&quot;Server1.rdp&quot;</span><span class="op">,</span></span>
<span id="cb1-3"><a href="#cb1-3" aria-hidden="true" tabindex="-1"></a> <span class="st">&quot;Server2.rdp&quot;</span><span class="op">,</span></span> <span id="cb1-3"><a href="#cb1-3" aria-hidden="true" tabindex="-1"></a> <span class="st">&quot;Server2.rdp&quot;</span><span class="op">,</span></span>
<span id="cb1-4"><a href="#cb1-4" aria-hidden="true" tabindex="-1"></a> <span class="st">&quot;DesktopApp.rdp&quot;</span></span> <span id="cb1-4"><a href="#cb1-4" aria-hidden="true" tabindex="-1"></a> <span class="st">&quot;DesktopApp.rdp&quot;</span></span>
<span id="cb1-5"><a href="#cb1-5" aria-hidden="true" tabindex="-1"></a><span class="op">)</span></span></code></pre> <span id="cb1-5"><a href="#cb1-5" aria-hidden="true" tabindex="-1"></a><span class="op">)</span></span></code></pre>
</div> </div>
<p>Når scriptet kører: - Uden <code>-AllUsers</code>: tjekker at alle <p>Når scriptet kører: - Uden <code>-AllUsers</code>: tjekker at alle
filer i <code>$expectedFiles</code> findes på det offentlige skrivebord filer i <code>$expectedFiles</code> findes på det offentlige skrivebord
(<code>C:\Users\Public\Desktop</code>) - Med <code>-AllUsers</code>: (<code>C:\Users\Public\Desktop</code>) - Med <code>-AllUsers</code>:
tjekker alle filer i <code>$expectedFiles</code> på tværs af alle tjekker alle filer i <code>$expectedFiles</code> på tværs af alle
brugeres skriveborde - Returnerer <code>exit 0</code> = installeret brugeres skriveborde - Returnerer <code>exit 0</code> = installeret
(alle filer fundet) - Returnerer <code>exit 1</code> = ikke installeret (alle filer fundet) - Returnerer <code>exit 1</code> = ikke installeret
(en eller flere filer mangler)</p> (en eller flere filer mangler)</p>
<blockquote> <blockquote>
<p><strong>Vigtigt:</strong> Husk at opdatere <p><strong>Vigtigt:</strong> Husk at opdatere
<code>$expectedFiles</code> hver gang du tilføjer eller fjerner <code>$expectedFiles</code> hver gang du tilføjer eller fjerner
<code>.rdp</code> filer i pakken, ellers vil detekteringen være <code>.rdp</code> filer i pakken, ellers vil detekteringen være
forkert. forkert.
</p> </p>
</blockquote> </blockquote>
<hr /> <hr />
<h2 id="intune-app-konfiguration">Intune App Konfiguration</h2> <h2 id="intune-app-konfiguration">Intune App Konfiguration</h2>
<h3 id="program">Program</h3> <h3 id="program">Program</h3>
<ul> <ul>
<li><strong>Installationskommando:</strong> <li><strong>Installationskommando:</strong>
<code>powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1</code> <code>powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1</code>
</li> </li>
<li><strong>Installationskommando (alle brugeres skriveborde):</strong> <li><strong>Installationskommando (alle brugeres skriveborde):</strong>
<code>powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1 -AllUsers</code> <code>powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1 -AllUsers</code>
</li> </li>
<li><strong>Afinstallationskommando:</strong> <li><strong>Afinstallationskommando:</strong>
<code>powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1</code> <code>powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1</code>
</li> </li>
<li><strong>Afinstallationskommando (alle brugeres <li><strong>Afinstallationskommando (alle brugeres
skriveborde):</strong> skriveborde):</strong>
<code>powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1 -AllUsers</code> <code>powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1 -AllUsers</code>
</li> </li>
<li><strong>Installationsadfærd:</strong> System</li> <li><strong>Installationsadfærd:</strong> System</li>
</ul> </ul>
<h3 id="registreringsregel">Registreringsregel</h3> <h3 id="registreringsregel">Registreringsregel</h3>
<p>Brug et brugerdefineret registreringsscript: - <p>Brug et brugerdefineret registreringsscript: -
<strong>Scriptfil:</strong> <code>Detect.ps1</code> - <strong>Kør script <strong>Scriptfil:</strong> <code>Detect.ps1</code> - <strong>Kør script
som 32-bit proces på 64-bit klienter:</strong> Nej - <strong>Gennemtving som 32-bit proces på 64-bit klienter:</strong> Nej - <strong>Gennemtving
scriptsignaturkontrol:</strong> Nej scriptsignaturkontrol:</strong> Nej
</p> </p>
<p>Registreringslogik: - Uden <code>-AllUsers</code>: tjekker at alle <p>Registreringslogik: - Uden <code>-AllUsers</code>: tjekker at alle
<code>.rdp</code>-filer er til stede på det offentlige skrivebord <code>.rdp</code>-filer er til stede på det offentlige skrivebord
(<code>C:\Users\Public\Desktop</code>) - Med <code>-AllUsers</code>: (<code>C:\Users\Public\Desktop</code>) - Med <code>-AllUsers</code>:
tjekker alle brugeres skriveborde under <code>C:\Users\</code> - tjekker alle brugeres skriveborde under <code>C:\Users\</code> -
Returnerer <code>exit 0</code> = installeret - Returnerer Returnerer <code>exit 0</code> = installeret - Returnerer
<code>exit 1</code> = ikke installeret <code>exit 1</code> = ikke installeret
</p> </p>
<p><a href="#rdp---intunewin-pakke">↑ Tilbage til toppen</a></p> <p><a href="#rdp---intunewin-pakke">↑ Tilbage til toppen</a></p>
<hr /> <hr />
<h2 id="hvad-install.ps1-gør">Hvad Install.ps1 gør</h2> <h2 id="hvad-install.ps1-gør">Hvad Install.ps1 gør</h2>
<ol type="1"> <ol type="1">
<li>Finder målskrivebord(e) — offentligt skrivebord som standard, alle <li>Finder målskrivebord(e) — offentligt skrivebord som standard, alle
brugeres skriveborde med <code>-AllUsers</code></li> brugeres skriveborde med <code>-AllUsers</code></li>
<li>Kopierer alle <code>.rdp</code>-filer fra <code>.\rdp-files\</code> <li>Kopierer alle <code>.rdp</code>-filer fra <code>.\rdp-files\</code>
til de fundne skrivebord(e)</li> til de fundne skrivebord(e)</li>
<li>Søger efter eksisterende selvsigneret certifikat <li>Søger efter eksisterende selvsigneret certifikat
(<code>CN=RDPSign</code>) i <code>Cert:\LocalMachine\My</code></li> (<code>CN=RDPSign</code>) i <code>Cert:\LocalMachine\My</code></li>
<li>Opretter et nyt selvsigneret kodesigneringscertifikat hvis intet <li>Opretter et nyt selvsigneret kodesigneringscertifikat hvis intet
findes (gyldigt i 25 år, ikke-eksporterbart)</li> findes (gyldigt i 25 år, ikke-eksporterbart)</li>
<li>Tilføjer certifikatet til <code>Trusted Root</code> og <li>Tilføjer certifikatet til <code>Trusted Root</code> og
<code>Trusted Publishers</code> i den lokale maskines <code>Trusted Publishers</code> i den lokale maskines
certifikatstore certifikatstore
</li> </li>
<li>Tilføjer certifikatets thumbprint til registry-nøglen <li>Tilføjer certifikatets thumbprint til registry-nøglen
<code>TrustedCertThumbprints</code> <code>TrustedCertThumbprints</code>
</li> </li>
<li>Signerer alle <code>.rdp</code>-filer på skrivebord(e) med <li>Signerer alle <code>.rdp</code>-filer på skrivebord(e) med
<code>rdpsign.exe /sha256</code> <code>rdpsign.exe /sha256</code>
</li> </li>
<li>Sætter <code>RedirectionWarningDialogVersion = 1</code> i registry <li>Sætter <code>RedirectionWarningDialogVersion = 1</code> i registry
for at undertrykke RDP-advarselsdialoger</li> for at undertrykke RDP-advarselsdialoger</li>
</ol> </ol>
<p><a href="#rdp---intunewin-pakke">↑ Tilbage til toppen</a></p> <p><a href="#rdp---intunewin-pakke">↑ Tilbage til toppen</a></p>
<hr /> <hr />
<h2 id="allusers-switch">AllUsers Switch</h2> <h2 id="allusers-switch">AllUsers Switch</h2>
<p>Alle scripts understøtter <code>-AllUsers</code> switchen. Som <p>Alle scripts understøtter <code>-AllUsers</code> switchen. Som
standard — uden <code>-AllUsers</code> — køres alle scripts kun mod det standard — uden <code>-AllUsers</code> — køres alle scripts kun mod det
<strong>offentlige skrivebord</strong> <strong>offentlige skrivebord</strong>
(<code>C:\Users\Public\Desktop</code>). Når <code>-AllUsers</code> (<code>C:\Users\Public\Desktop</code>). Når <code>-AllUsers</code>
angives, itererer scriptet i stedet over alle brugerprofiler under angives, itererer scriptet i stedet over alle brugerprofiler under
<code>C:\Users\</code> og behandler hver brugers <code>C:\Users\</code> og behandler hver brugers
<code>Desktop</code>-mappe. <code>Desktop</code>-mappe.
</p> </p>
<div class="sourceCode" id="cb2"> <div class="sourceCode" id="cb2">
<pre <pre
class="sourceCode powershell"><code class="sourceCode powershell"><span id="cb2-1"><a href="#cb2-1" aria-hidden="true" tabindex="-1"></a><span class="co"># Kun offentligt skrivebord (standard)</span></span> class="sourceCode powershell"><code class="sourceCode powershell"><span id="cb2-1"><a href="#cb2-1" aria-hidden="true" tabindex="-1"></a><span class="co"># Kun offentligt skrivebord (standard)</span></span>
<span id="cb2-2"><a href="#cb2-2" aria-hidden="true" tabindex="-1"></a><span class="op">.</span>\Install<span class="op">.</span><span class="fu">ps1</span></span> <span id="cb2-2"><a href="#cb2-2" aria-hidden="true" tabindex="-1"></a><span class="op">.</span>\Install<span class="op">.</span><span class="fu">ps1</span></span>
<span id="cb2-3"><a href="#cb2-3" aria-hidden="true" tabindex="-1"></a></span> <span id="cb2-3"><a href="#cb2-3" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb2-4"><a href="#cb2-4" aria-hidden="true" tabindex="-1"></a><span class="co"># Alle brugeres skriveborde</span></span> <span id="cb2-4"><a href="#cb2-4" aria-hidden="true" tabindex="-1"></a><span class="co"># Alle brugeres skriveborde</span></span>
<span id="cb2-5"><a href="#cb2-5" aria-hidden="true" tabindex="-1"></a><span class="op">.</span>\Install<span class="op">.</span><span class="fu">ps1</span> <span class="op">-</span>AllUsers</span></code></pre> <span id="cb2-5"><a href="#cb2-5" aria-hidden="true" tabindex="-1"></a><span class="op">.</span>\Install<span class="op">.</span><span class="fu">ps1</span> <span class="op">-</span>AllUsers</span></code></pre>
</div> </div>
<p><a href="#rdp---intunewin-pakke">↑ Tilbage til toppen</a></p> <p><a href="#rdp---intunewin-pakke">↑ Tilbage til toppen</a></p>
<hr /> <hr />
<h2 id="registry-ændringer">Registry-ændringer</h2> <h2 id="registry-ændringer">Registry-ændringer</h2>
<table> <table>
<colgroup> <colgroup>
<col style="width: 20%" /> <col style="width: 20%" />
<col style="width: 29%" /> <col style="width: 29%" />
<col style="width: 25%" /> <col style="width: 25%" />
<col style="width: 25%" /> <col style="width: 25%" />
</colgroup> </colgroup>
<thead> <thead>
<tr> <tr>
<th>Sti</th> <th>Sti</th>
<th>Værdi</th> <th>Værdi</th>
<th>Type</th> <th>Type</th>
<th>Data</th> <th>Data</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td><code>HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services</code></td> <td><code>HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services</code></td>
<td><code>TrustedCertThumbprints</code></td> <td><code>TrustedCertThumbprints</code></td>
<td>String</td> <td>String</td>
<td>Certifikatets thumbprint</td> <td>Certifikatets thumbprint</td>
</tr> </tr>
<tr> <tr>
<td><code>HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client</code></td> <td><code>HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client</code></td>
<td><code>RedirectionWarningDialogVersion</code></td> <td><code>RedirectionWarningDialogVersion</code></td>
<td>DWORD</td> <td>DWORD</td>
<td><code>1</code></td> <td><code>1</code></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><a href="#rdp---intunewin-pakke">↑ Tilbage til toppen</a></p> <p><a href="#rdp---intunewin-pakke">↑ Tilbage til toppen</a></p>
<hr /> <hr />
<h2 id="logning-og-fejlfinding">Logning og fejlfinding</h2> <h2 id="logning-og-fejlfinding">Logning og fejlfinding</h2>
<table> <table>
<thead> <thead>
<tr> <tr>
<th>Script</th> <th>Script</th>
<th>Logfil</th> <th>Logfil</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td><code>Install.ps1</code></td> <td><code>Install.ps1</code></td>
<td><code>C:\Intune\DesktopShortcuts.log</code></td> <td><code>C:\Intune\DesktopShortcuts.log</code></td>
</tr> </tr>
<tr> <tr>
<td><code>Detect.ps1</code></td> <td><code>Detect.ps1</code></td>
<td><code>C:\Intune\DesktopShortcuts.log</code></td> <td><code>C:\Intune\DesktopShortcuts.log</code></td>
</tr> </tr>
<tr> <tr>
<td><code>Uninstall.ps1</code></td> <td><code>Uninstall.ps1</code></td>
<td><code>C:\Intune\DesktopShortcuts.log</code></td> <td><code>C:\Intune\DesktopShortcuts.log</code></td>
</tr> </tr>
<tr> <tr>
<td><code>SignOnly.ps1</code></td> <td><code>SignOnly.ps1</code></td>
<td><code>C:\Intune\RDPSign.log</code></td> <td><code>C:\Intune\RDPSign.log</code></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><a href="#rdp---intunewin-pakke">↑ Tilbage til toppen</a></p> <p><a href="#rdp---intunewin-pakke">↑ Tilbage til toppen</a></p>
<hr /> <hr />
<h2 id="signonly-intune-app-konfiguration">SignOnly Intune App <h2 id="signonly-intune-app-konfiguration">SignOnly Intune App
Konfiguration</h2> Konfiguration</h2>
<h3 id="program-1">Program</h3> <h3 id="program-1">Program</h3>
<ul> <ul>
<li><strong>Installationskommando:</strong> <li><strong>Installationskommando:</strong>
<code>powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1</code> <code>powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1</code>
</li> </li>
<li><strong>Installationskommando (alle brugeres skriveborde):</strong> <li><strong>Installationskommando (alle brugeres skriveborde):</strong>
<code>powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1 -AllUsers</code> <code>powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1 -AllUsers</code>
</li> </li>
<li><strong>Afinstallationskommando:</strong> <li><strong>Afinstallationskommando:</strong>
<code>powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1</code> <code>powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1</code>
</li> </li>
<li><strong>Afinstallationskommando (alle brugeres <li><strong>Afinstallationskommando (alle brugeres
skriveborde):</strong> skriveborde):</strong>
<code>powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1 -AllUsers</code> <code>powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1 -AllUsers</code>
</li> </li>
<li><strong>Installationsadfærd:</strong> System</li> <li><strong>Installationsadfærd:</strong> System</li>
</ul> </ul>
<h3 id="registreringsregel-1">Registreringsregel</h3> <h3 id="registreringsregel-1">Registreringsregel</h3>
<p>Brug et brugerdefineret registreringsscript: - <p>Brug et brugerdefineret registreringsscript: -
<strong>Scriptfil:</strong> <code>SignOnly_detect.ps1</code> - <strong>Scriptfil:</strong> <code>SignOnly_detect.ps1</code> -
<strong>Kør script som 32-bit proces på 64-bit klienter:</strong> Nej - <strong>Kør script som 32-bit proces på 64-bit klienter:</strong> Nej -
<strong>Gennemtving scriptsignaturkontrol:</strong> Nej <strong>Gennemtving scriptsignaturkontrol:</strong> Nej
</p> </p>
<p>Registreringslogik: - Tjekker at <code>CN=RDPSign</code>-certifikatet <p>Registreringslogik: - Tjekker at <code>CN=RDPSign</code>-certifikatet
findes i <code>My</code>, <code>Root</code> og findes i <code>My</code>, <code>Root</code> og
<code>TrustedPublisher</code> stores - Tjekker at thumbprint er til <code>TrustedPublisher</code> stores - Tjekker at thumbprint er til
stede i registry - Uden <code>-AllUsers</code>: tjekker at alle stede i registry - Uden <code>-AllUsers</code>: tjekker at alle
<code>.rdp</code>-filer på det offentlige skrivebord er signerede - Med <code>.rdp</code>-filer på det offentlige skrivebord er signerede - Med
<code>-AllUsers</code>: tjekker alle <code>.rdp</code>-filer på tværs af <code>-AllUsers</code>: tjekker alle <code>.rdp</code>-filer på tværs af
alle brugeres skriveborde - Returnerer <code>exit 0</code> + alle brugeres skriveborde - Returnerer <code>exit 0</code> +
<code>"Detected"</code> = installeret - Returnerer <code>exit 1</code> = <code>"Detected"</code> = installeret - Returnerer <code>exit 1</code> =
ikke installeret ikke installeret
</p> </p>
<p><a href="#rdp---intunewin-pakke">↑ Tilbage til toppen</a></p> <p><a href="#rdp---intunewin-pakke">↑ Tilbage til toppen</a></p>
<hr /> <hr />
<h2 id="øvrige-scripts-i-pakken">Øvrige scripts i pakken</h2> <h2 id="øvrige-scripts-i-pakken">Øvrige scripts i pakken</h2>
<blockquote> <blockquote>
<p><strong>Bemærk:</strong> Alle PowerShell-scripts er pakket ind i <p><strong>Bemærk:</strong> Alle PowerShell-scripts er pakket ind i
samme IntuneWin-pakke. Det betyder at man altid kan kalde på et samme IntuneWin-pakke. Det betyder at man altid kan kalde på et
vilkårligt script direkte fra Intune eller manuelt, f.eks.:</p> vilkårligt script direkte fra Intune eller manuelt, f.eks.:</p>
<div class="sourceCode" id="cb3"> <div class="sourceCode" id="cb3">
<pre <pre
class="sourceCode powershell"><code class="sourceCode powershell"><span id="cb3-1"><a href="#cb3-1" aria-hidden="true" tabindex="-1"></a>powershell<span class="op">.</span><span class="fu">exe</span> <span class="op">-</span>ExecutionPolicy Bypass <span class="op">-</span>NoProfile <span class="op">-</span>WindowStyle Hidden <span class="op">-</span>File <span class="op">.</span>\Install<span class="op">.</span><span class="fu">ps1</span></span> class="sourceCode powershell"><code class="sourceCode powershell"><span id="cb3-1"><a href="#cb3-1" aria-hidden="true" tabindex="-1"></a>powershell<span class="op">.</span><span class="fu">exe</span> <span class="op">-</span>ExecutionPolicy Bypass <span class="op">-</span>NoProfile <span class="op">-</span>WindowStyle Hidden <span class="op">-</span>File <span class="op">.</span>\Install<span class="op">.</span><span class="fu">ps1</span></span>
<span id="cb3-2"><a href="#cb3-2" aria-hidden="true" tabindex="-1"></a>powershell<span class="op">.</span><span class="fu">exe</span> <span class="op">-</span>ExecutionPolicy Bypass <span class="op">-</span>NoProfile <span class="op">-</span>WindowStyle Hidden <span class="op">-</span>File <span class="op">.</span>\Install<span class="op">.</span><span class="fu">ps1</span> <span class="op">-</span>AllUsers</span> <span id="cb3-2"><a href="#cb3-2" aria-hidden="true" tabindex="-1"></a>powershell<span class="op">.</span><span class="fu">exe</span> <span class="op">-</span>ExecutionPolicy Bypass <span class="op">-</span>NoProfile <span class="op">-</span>WindowStyle Hidden <span class="op">-</span>File <span class="op">.</span>\Install<span class="op">.</span><span class="fu">ps1</span> <span class="op">-</span>AllUsers</span>
<span id="cb3-3"><a href="#cb3-3" aria-hidden="true" tabindex="-1"></a>powershell<span class="op">.</span><span class="fu">exe</span> <span class="op">-</span>ExecutionPolicy Bypass <span class="op">-</span>NoProfile <span class="op">-</span>WindowStyle Hidden <span class="op">-</span>File <span class="op">.</span>\SignOnly<span class="op">.</span><span class="fu">ps1</span></span> <span id="cb3-3"><a href="#cb3-3" aria-hidden="true" tabindex="-1"></a>powershell<span class="op">.</span><span class="fu">exe</span> <span class="op">-</span>ExecutionPolicy Bypass <span class="op">-</span>NoProfile <span class="op">-</span>WindowStyle Hidden <span class="op">-</span>File <span class="op">.</span>\SignOnly<span class="op">.</span><span class="fu">ps1</span></span>
<span id="cb3-4"><a href="#cb3-4" aria-hidden="true" tabindex="-1"></a>powershell<span class="op">.</span><span class="fu">exe</span> <span class="op">-</span>ExecutionPolicy Bypass <span class="op">-</span>NoProfile <span class="op">-</span>WindowStyle Hidden <span class="op">-</span>File <span class="op">.</span>\SignOnly<span class="op">.</span><span class="fu">ps1</span> <span class="op">-</span>AllUsers</span> <span id="cb3-4"><a href="#cb3-4" aria-hidden="true" tabindex="-1"></a>powershell<span class="op">.</span><span class="fu">exe</span> <span class="op">-</span>ExecutionPolicy Bypass <span class="op">-</span>NoProfile <span class="op">-</span>WindowStyle Hidden <span class="op">-</span>File <span class="op">.</span>\SignOnly<span class="op">.</span><span class="fu">ps1</span> <span class="op">-</span>AllUsers</span>
<span id="cb3-5"><a href="#cb3-5" aria-hidden="true" tabindex="-1"></a>powershell<span class="op">.</span><span class="fu">exe</span> <span class="op">-</span>ExecutionPolicy Bypass <span class="op">-</span>NoProfile <span class="op">-</span>WindowStyle Hidden <span class="op">-</span>File <span class="op">.</span>\Clearsigning<span class="op">.</span><span class="fu">ps1</span></span> <span id="cb3-5"><a href="#cb3-5" aria-hidden="true" tabindex="-1"></a>powershell<span class="op">.</span><span class="fu">exe</span> <span class="op">-</span>ExecutionPolicy Bypass <span class="op">-</span>NoProfile <span class="op">-</span>WindowStyle Hidden <span class="op">-</span>File <span class="op">.</span>\Clearsigning<span class="op">.</span><span class="fu">ps1</span></span>
<span id="cb3-6"><a href="#cb3-6" aria-hidden="true" tabindex="-1"></a>powershell<span class="op">.</span><span class="fu">exe</span> <span class="op">-</span>ExecutionPolicy Bypass <span class="op">-</span>NoProfile <span class="op">-</span>WindowStyle Hidden <span class="op">-</span>File <span class="op">.</span>\Clearsigning<span class="op">.</span><span class="fu">ps1</span> <span class="op">-</span>AllUsers</span></code></pre> <span id="cb3-6"><a href="#cb3-6" aria-hidden="true" tabindex="-1"></a>powershell<span class="op">.</span><span class="fu">exe</span> <span class="op">-</span>ExecutionPolicy Bypass <span class="op">-</span>NoProfile <span class="op">-</span>WindowStyle Hidden <span class="op">-</span>File <span class="op">.</span>\Clearsigning<span class="op">.</span><span class="fu">ps1</span> <span class="op">-</span>AllUsers</span></code></pre>
</div> </div>
<p>osv. for alle scripts i pakken.</p> <p>osv. for alle scripts i pakken.</p>
</blockquote> </blockquote>
<h3 id="signonly.ps1"><code>SignOnly.ps1</code></h3> <h3 id="signonly.ps1"><code>SignOnly.ps1</code></h3>
<p>Signerer alle eksisterende <code>.rdp</code>-filer på skrivebord(e) <p>Signerer alle eksisterende <code>.rdp</code>-filer på skrivebord(e)
uden at kopiere filer. Nyttigt til gensignering efter en opdatering uden at kopiere filer. Nyttigt til gensignering efter en opdatering
eller hvis filer allerede er installeret. Kør som administrator. eller hvis filer allerede er installeret. Kør som administrator.
Understøtter <code>-AllUsers</code> switch.</p> Understøtter <code>-AllUsers</code> switch.</p>
<h3 id="signonly_detect.ps1"><code>SignOnly_detect.ps1</code></h3> <h3 id="signonly_detect.ps1"><code>SignOnly_detect.ps1</code></h3>
<p>Registreringsscript til brug med <code>SignOnly.ps1</code> som <p>Registreringsscript til brug med <code>SignOnly.ps1</code> som
Intune-pakke. Tjekker: - Certifikat findes i <code>My</code>, Intune-pakke. Tjekker: - Certifikat findes i <code>My</code>,
<code>Root</code> og <code>TrustedPublisher</code> stores - Thumbprint <code>Root</code> og <code>TrustedPublisher</code> stores - Thumbprint
er til stede i registry - Alle <code>.rdp</code>-filer på skrivebord(e) er til stede i registry - Alle <code>.rdp</code>-filer på skrivebord(e)
indeholder en gyldig signatur indeholder en gyldig signatur
</p> </p>
<p>Understøtter <code>-AllUsers</code> switch.</p> <p>Understøtter <code>-AllUsers</code> switch.</p>
<h3 id="clearsigning.ps1"><code>Clearsigning.ps1</code></h3> <h3 id="clearsigning.ps1"><code>Clearsigning.ps1</code></h3>
<p>Fjerner alle signeringsartefakter. Nyttigt til test eller oprydning. <p>Fjerner alle signeringsartefakter. Nyttigt til test eller oprydning.
Kør som administrator. Understøtter <code>-AllUsers</code> switch. - Kør som administrator. Understøtter <code>-AllUsers</code> switch. -
Fjerner <code>signscope</code>- og <code>signature</code>-linjer fra Fjerner <code>signscope</code>- og <code>signature</code>-linjer fra
alle <code>.rdp</code>-filer på skrivebord(e) - Fjerner alle <code>.rdp</code>-filer på skrivebord(e) - Fjerner
<code>CN=RDPSign</code>-certifikatet fra <code>My</code>, <code>CN=RDPSign</code>-certifikatet fra <code>My</code>,
<code>Root</code> og <code>TrustedPublisher</code> stores - Fjerner <code>Root</code> og <code>TrustedPublisher</code> stores - Fjerner
<code>TrustedCertThumbprints</code> fra registry - Fjerner <code>TrustedCertThumbprints</code> fra registry - Fjerner
<code>RedirectionWarningDialogVersion</code> fra registry <code>RedirectionWarningDialogVersion</code> fra registry
</p> </p>
<h3 id="sandbox.ps1"><code>sandbox.ps1</code></h3> <h3 id="sandbox.ps1"><code>sandbox.ps1</code></h3>
<p>Kombinerer install og detect i ét script til lokal sandkasse-test. <p>Kombinerer install og detect i ét script til lokal sandkasse-test.
Understøtter <code>-AllUsers</code> switch. Kør fra mappen der Understøtter <code>-AllUsers</code> switch. Kør fra mappen der
indeholder <code>rdp-files\</code> som administrator. Output skrives til indeholder <code>rdp-files\</code> som administrator. Output skrives til
både konsollen og <code>C:\Intune\DesktopShortcuts.log</code>.</p> både konsollen og <code>C:\Intune\DesktopShortcuts.log</code>.</p>
<p><a href="#rdp---intunewin-pakke">↑ Tilbage til toppen</a></p> <p><a href="#rdp---intunewin-pakke">↑ Tilbage til toppen</a></p>
+214 -214
View File
@@ -1,214 +1,214 @@
# RDP - IntuneWin Pakke # RDP - IntuneWin Pakke
> Denne pakke installerer og signerer RDP-genveje på skrivebordet via et selvsigneret certifikat, så brugerne ikke får en sikkerhedsadvarsel ved åbning. > Denne pakke installerer og signerer RDP-genveje på skrivebordet via et selvsigneret certifikat, så brugerne ikke får en sikkerhedsadvarsel ved åbning.
> Som standard arbejder alle scripts mod det **offentlige skrivebord** (`C:\Users\Public\Desktop`). > Som standard arbejder alle scripts mod det **offentlige skrivebord** (`C:\Users\Public\Desktop`).
> Brug `-AllUsers` switchen for at køre mod alle brugeres individuelle skriveborde i stedet. > Brug `-AllUsers` switchen for at køre mod alle brugeres individuelle skriveborde i stedet.
--- ---
## Indhold ## Indhold
- [Pakkens indhold](#pakkens-indhold) - [Pakkens indhold](#pakkens-indhold)
- [Intune App Konfiguration](#intune-app-konfiguration) - [Intune App Konfiguration](#intune-app-konfiguration)
- [Hvad Install.ps1 gør](#hvad-installps1-gør) - [Hvad Install.ps1 gør](#hvad-installps1-gør)
- [Sådan opsætter du Detect.ps1](#sådan-opsætter-du-detectps1) - [Sådan opsætter du Detect.ps1](#sådan-opsætter-du-detectps1)
- [AllUsers Switch](#allusers-switch) - [AllUsers Switch](#allusers-switch)
- [Registry-ændringer](#registry-ændringer) - [Registry-ændringer](#registry-ændringer)
- [Logning og fejlfinding](#logning-og-fejlfinding) - [Logning og fejlfinding](#logning-og-fejlfinding)
- [SignOnly Intune App Konfiguration](#signonly-intune-app-konfiguration) - [SignOnly Intune App Konfiguration](#signonly-intune-app-konfiguration)
- [Øvrige scripts i pakken](#øvrige-scripts-i-pakken) - [Øvrige scripts i pakken](#øvrige-scripts-i-pakken)
--- ---
## Pakkens indhold ## Pakkens indhold
| Fil | Formål | | Fil | Formål |
|-----|--------| |-----|--------|
| `Install.ps1` | Kopierer RDP-filer til skrivebord(e), opretter selvsigneret certifikat og signerer alle RDP-filer. Understøtter `-AllUsers` switch. | | `Install.ps1` | Kopierer RDP-filer til skrivebord(e), opretter selvsigneret certifikat og signerer alle RDP-filer. Understøtter `-AllUsers` switch. |
| `Detect.ps1` | Tjekker at specifikke forventede .rdp-filer (defineret i `$expectedFiles` array) eksisterer på skrivebord(e). Understøtter `-AllUsers` switch. | | `Detect.ps1` | Tjekker at specifikke forventede .rdp-filer (defineret i `$expectedFiles` array) eksisterer på skrivebord(e). Understøtter `-AllUsers` switch. |
| `Uninstall.ps1` | Fjerner RDP-filer fra skrivebord(e). Understøtter `-AllUsers` switch. | | `Uninstall.ps1` | Fjerner RDP-filer fra skrivebord(e). Understøtter `-AllUsers` switch. |
| `SignOnly.ps1` | Signerer eksisterende RDP-filer på skrivebord(e) — ingen filkopiering. Understøtter `-AllUsers` switch. | | `SignOnly.ps1` | Signerer eksisterende RDP-filer på skrivebord(e) — ingen filkopiering. Understøtter `-AllUsers` switch. |
| `SignOnly_detect.ps1` | Registrerer om certifikat er til stede og alle RDP-filer på skrivebord(e) er signerede. Understøtter `-AllUsers` switch. | | `SignOnly_detect.ps1` | Registrerer om certifikat er til stede og alle RDP-filer på skrivebord(e) er signerede. Understøtter `-AllUsers` switch. |
| `Clearsigning.ps1` | Fjerner signaturer fra RDP-filer og rydder op i certifikat og registry (til oprydning/debug). Understøtter `-AllUsers` switch. | | `Clearsigning.ps1` | Fjerner signaturer fra RDP-filer og rydder op i certifikat og registry (til oprydning/debug). Understøtter `-AllUsers` switch. |
| `sandbox.ps1` | Kombineret install + detect script til lokal sandkasse-test. Understøtter `-AllUsers` switch. | | `sandbox.ps1` | Kombineret install + detect script til lokal sandkasse-test. Understøtter `-AllUsers` switch. |
| `rdp-files\*.rdp` | Kilde-RDP-filer der installeres på skrivebord(e) | | `rdp-files\*.rdp` | Kilde-RDP-filer der installeres på skrivebord(e) |
[↑ Tilbage til toppen](#rdp---intunewin-pakke) [↑ Tilbage til toppen](#rdp---intunewin-pakke)
--- ---
## Sådan opsætter du Detect.ps1 ## Sådan opsætter du Detect.ps1
Før du uploader `Detect.ps1` til Intune som registreringsregel, skal du åbne filen og udfylde `$expectedFiles` array med de `.rdp` filnavne der ligger i `.\\rdp-files\\`: Før du uploader `Detect.ps1` til Intune som registreringsregel, skal du åbne filen og udfylde `$expectedFiles` array med de `.rdp` filnavne der ligger i `.\\rdp-files\\`:
```powershell ```powershell
$expectedFiles = @( $expectedFiles = @(
"Server1.rdp", "Server1.rdp",
"Server2.rdp", "Server2.rdp",
"DesktopApp.rdp" "DesktopApp.rdp"
) )
``` ```
Når scriptet kører: Når scriptet kører:
- Uden `-AllUsers`: tjekker at alle filer i `$expectedFiles` findes på det offentlige skrivebord (`C:\Users\Public\Desktop`) - Uden `-AllUsers`: tjekker at alle filer i `$expectedFiles` findes på det offentlige skrivebord (`C:\Users\Public\Desktop`)
- Med `-AllUsers`: tjekker alle filer i `$expectedFiles` på tværs af alle brugeres skriveborde - Med `-AllUsers`: tjekker alle filer i `$expectedFiles` på tværs af alle brugeres skriveborde
- Returnerer `exit 0` = installeret (alle filer fundet) - Returnerer `exit 0` = installeret (alle filer fundet)
- Returnerer `exit 1` = ikke installeret (en eller flere filer mangler) - Returnerer `exit 1` = ikke installeret (en eller flere filer mangler)
> **Vigtigt:** Husk at opdatere `$expectedFiles` hver gang du tilføjer eller fjerner `.rdp` filer i pakken, ellers vil detekteringen være forkert. > **Vigtigt:** Husk at opdatere `$expectedFiles` hver gang du tilføjer eller fjerner `.rdp` filer i pakken, ellers vil detekteringen være forkert.
--- ---
## Intune App Konfiguration ## Intune App Konfiguration
### Program ### Program
- **Installationskommando:** - **Installationskommando:**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1` `powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1`
- **Installationskommando (alle brugeres skriveborde):** - **Installationskommando (alle brugeres skriveborde):**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1 -AllUsers` `powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1 -AllUsers`
- **Afinstallationskommando:** - **Afinstallationskommando:**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1` `powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1`
- **Afinstallationskommando (alle brugeres skriveborde):** - **Afinstallationskommando (alle brugeres skriveborde):**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1 -AllUsers` `powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1 -AllUsers`
- **Installationsadfærd:** System - **Installationsadfærd:** System
### Registreringsregel ### Registreringsregel
Brug et brugerdefineret registreringsscript: Brug et brugerdefineret registreringsscript:
- **Scriptfil:** `Detect.ps1` - **Scriptfil:** `Detect.ps1`
- **Kør script som 32-bit proces på 64-bit klienter:** Nej - **Kør script som 32-bit proces på 64-bit klienter:** Nej
- **Gennemtving scriptsignaturkontrol:** Nej - **Gennemtving scriptsignaturkontrol:** Nej
Registreringslogik: Registreringslogik:
- Uden `-AllUsers`: tjekker at alle `.rdp`-filer er til stede på det offentlige skrivebord (`C:\Users\Public\Desktop`) - Uden `-AllUsers`: tjekker at alle `.rdp`-filer er til stede på det offentlige skrivebord (`C:\Users\Public\Desktop`)
- Med `-AllUsers`: tjekker alle brugeres skriveborde under `C:\Users\` - Med `-AllUsers`: tjekker alle brugeres skriveborde under `C:\Users\`
- Returnerer `exit 0` = installeret - Returnerer `exit 0` = installeret
- Returnerer `exit 1` = ikke installeret - Returnerer `exit 1` = ikke installeret
[↑ Tilbage til toppen](#rdp---intunewin-pakke) [↑ Tilbage til toppen](#rdp---intunewin-pakke)
--- ---
## Hvad Install.ps1 gør ## Hvad Install.ps1 gør
1. Finder målskrivebord(e) — offentligt skrivebord som standard, alle brugeres skriveborde med `-AllUsers` 1. Finder målskrivebord(e) — offentligt skrivebord som standard, alle brugeres skriveborde med `-AllUsers`
2. Kopierer alle `.rdp`-filer fra `.\rdp-files\` til de fundne skrivebord(e) 2. Kopierer alle `.rdp`-filer fra `.\rdp-files\` til de fundne skrivebord(e)
3. Søger efter eksisterende selvsigneret certifikat (`CN=RDPSign`) i `Cert:\LocalMachine\My` 3. Søger efter eksisterende selvsigneret certifikat (`CN=RDPSign`) i `Cert:\LocalMachine\My`
4. Opretter et nyt selvsigneret kodesigneringscertifikat hvis intet findes (gyldigt i 25 år, ikke-eksporterbart) 4. Opretter et nyt selvsigneret kodesigneringscertifikat hvis intet findes (gyldigt i 25 år, ikke-eksporterbart)
5. Tilføjer certifikatet til `Trusted Root` og `Trusted Publishers` i den lokale maskines certifikatstore 5. Tilføjer certifikatet til `Trusted Root` og `Trusted Publishers` i den lokale maskines certifikatstore
6. Tilføjer certifikatets thumbprint til registry-nøglen `TrustedCertThumbprints` 6. Tilføjer certifikatets thumbprint til registry-nøglen `TrustedCertThumbprints`
7. Signerer alle `.rdp`-filer på skrivebord(e) med `rdpsign.exe /sha256` 7. Signerer alle `.rdp`-filer på skrivebord(e) med `rdpsign.exe /sha256`
8. Sætter `RedirectionWarningDialogVersion = 1` i registry for at undertrykke RDP-advarselsdialoger 8. Sætter `RedirectionWarningDialogVersion = 1` i registry for at undertrykke RDP-advarselsdialoger
[↑ Tilbage til toppen](#rdp---intunewin-pakke) [↑ Tilbage til toppen](#rdp---intunewin-pakke)
--- ---
## AllUsers Switch ## AllUsers Switch
Alle scripts understøtter `-AllUsers` switchen. Som standard — uden `-AllUsers` — køres alle scripts kun mod det **offentlige skrivebord** (`C:\Users\Public\Desktop`). Når `-AllUsers` angives, itererer scriptet i stedet over alle brugerprofiler under `C:\Users\` og behandler hver brugers `Desktop`-mappe. Alle scripts understøtter `-AllUsers` switchen. Som standard — uden `-AllUsers` — køres alle scripts kun mod det **offentlige skrivebord** (`C:\Users\Public\Desktop`). Når `-AllUsers` angives, itererer scriptet i stedet over alle brugerprofiler under `C:\Users\` og behandler hver brugers `Desktop`-mappe.
```powershell ```powershell
# Kun offentligt skrivebord (standard) # Kun offentligt skrivebord (standard)
.\Install.ps1 .\Install.ps1
# Alle brugeres skriveborde # Alle brugeres skriveborde
.\Install.ps1 -AllUsers .\Install.ps1 -AllUsers
``` ```
[↑ Tilbage til toppen](#rdp---intunewin-pakke) [↑ Tilbage til toppen](#rdp---intunewin-pakke)
--- ---
## Registry-ændringer ## Registry-ændringer
| Sti | Værdi | Type | Data | | Sti | Værdi | Type | Data |
|-----|-------|------|------| |-----|-------|------|------|
| `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` | `TrustedCertThumbprints` | String | Certifikatets thumbprint | | `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` | `TrustedCertThumbprints` | String | Certifikatets thumbprint |
| `HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client` | `RedirectionWarningDialogVersion` | DWORD | `1` | | `HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client` | `RedirectionWarningDialogVersion` | DWORD | `1` |
[↑ Tilbage til toppen](#rdp---intunewin-pakke) [↑ Tilbage til toppen](#rdp---intunewin-pakke)
--- ---
## Logning og fejlfinding ## Logning og fejlfinding
| Script | Logfil | | Script | Logfil |
|--------|--------| |--------|--------|
| `Install.ps1` | `C:\Intune\DesktopShortcuts.log` | | `Install.ps1` | `C:\Intune\DesktopShortcuts.log` |
| `Detect.ps1` | `C:\Intune\DesktopShortcuts.log` | | `Detect.ps1` | `C:\Intune\DesktopShortcuts.log` |
| `Uninstall.ps1` | `C:\Intune\DesktopShortcuts.log` | | `Uninstall.ps1` | `C:\Intune\DesktopShortcuts.log` |
| `SignOnly.ps1` | `C:\Intune\RDPSign.log` | | `SignOnly.ps1` | `C:\Intune\RDPSign.log` |
[↑ Tilbage til toppen](#rdp---intunewin-pakke) [↑ Tilbage til toppen](#rdp---intunewin-pakke)
--- ---
## SignOnly Intune App Konfiguration ## SignOnly Intune App Konfiguration
### Program ### Program
- **Installationskommando:** - **Installationskommando:**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1` `powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1`
- **Installationskommando (alle brugeres skriveborde):** - **Installationskommando (alle brugeres skriveborde):**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1 -AllUsers` `powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1 -AllUsers`
- **Afinstallationskommando:** - **Afinstallationskommando:**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1` `powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1`
- **Afinstallationskommando (alle brugeres skriveborde):** - **Afinstallationskommando (alle brugeres skriveborde):**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1 -AllUsers` `powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1 -AllUsers`
- **Installationsadfærd:** System - **Installationsadfærd:** System
### Registreringsregel ### Registreringsregel
Brug et brugerdefineret registreringsscript: Brug et brugerdefineret registreringsscript:
- **Scriptfil:** `SignOnly_detect.ps1` - **Scriptfil:** `SignOnly_detect.ps1`
- **Kør script som 32-bit proces på 64-bit klienter:** Nej - **Kør script som 32-bit proces på 64-bit klienter:** Nej
- **Gennemtving scriptsignaturkontrol:** Nej - **Gennemtving scriptsignaturkontrol:** Nej
Registreringslogik: Registreringslogik:
- Tjekker at `CN=RDPSign`-certifikatet findes i `My`, `Root` og `TrustedPublisher` stores - Tjekker at `CN=RDPSign`-certifikatet findes i `My`, `Root` og `TrustedPublisher` stores
- Tjekker at thumbprint er til stede i registry - Tjekker at thumbprint er til stede i registry
- Uden `-AllUsers`: tjekker at alle `.rdp`-filer på det offentlige skrivebord er signerede - Uden `-AllUsers`: tjekker at alle `.rdp`-filer på det offentlige skrivebord er signerede
- Med `-AllUsers`: tjekker alle `.rdp`-filer på tværs af alle brugeres skriveborde - Med `-AllUsers`: tjekker alle `.rdp`-filer på tværs af alle brugeres skriveborde
- Returnerer `exit 0` + `"Detected"` = installeret - Returnerer `exit 0` + `"Detected"` = installeret
- Returnerer `exit 1` = ikke installeret - Returnerer `exit 1` = ikke installeret
[↑ Tilbage til toppen](#rdp---intunewin-pakke) [↑ Tilbage til toppen](#rdp---intunewin-pakke)
--- ---
## Øvrige scripts i pakken ## Øvrige scripts i pakken
> **Bemærk:** Alle PowerShell-scripts er pakket ind i samme IntuneWin-pakke. Det betyder at man altid kan kalde på et vilkårligt script direkte fra Intune eller manuelt, f.eks.: > **Bemærk:** Alle PowerShell-scripts er pakket ind i samme IntuneWin-pakke. Det betyder at man altid kan kalde på et vilkårligt script direkte fra Intune eller manuelt, f.eks.:
> >
> ```powershell > ```powershell
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1 > powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1 -AllUsers > powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1 -AllUsers
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1 > powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1 -AllUsers > powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1 -AllUsers
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1 > powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1 -AllUsers > powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1 -AllUsers
> ``` > ```
> osv. for alle scripts i pakken. > osv. for alle scripts i pakken.
### `SignOnly.ps1` ### `SignOnly.ps1`
Signerer alle eksisterende `.rdp`-filer på skrivebord(e) uden at kopiere filer. Nyttigt til gensignering efter en opdatering eller hvis filer allerede er installeret. Kør som administrator. Understøtter `-AllUsers` switch. Signerer alle eksisterende `.rdp`-filer på skrivebord(e) uden at kopiere filer. Nyttigt til gensignering efter en opdatering eller hvis filer allerede er installeret. Kør som administrator. Understøtter `-AllUsers` switch.
### `SignOnly_detect.ps1` ### `SignOnly_detect.ps1`
Registreringsscript til brug med `SignOnly.ps1` som Intune-pakke. Tjekker: Registreringsscript til brug med `SignOnly.ps1` som Intune-pakke. Tjekker:
- Certifikat findes i `My`, `Root` og `TrustedPublisher` stores - Certifikat findes i `My`, `Root` og `TrustedPublisher` stores
- Thumbprint er til stede i registry - Thumbprint er til stede i registry
- Alle `.rdp`-filer på skrivebord(e) indeholder en gyldig signatur - Alle `.rdp`-filer på skrivebord(e) indeholder en gyldig signatur
Understøtter `-AllUsers` switch. Understøtter `-AllUsers` switch.
### `Clearsigning.ps1` ### `Clearsigning.ps1`
Fjerner alle signeringsartefakter. Nyttigt til test eller oprydning. Kør som administrator. Understøtter `-AllUsers` switch. Fjerner alle signeringsartefakter. Nyttigt til test eller oprydning. Kør som administrator. Understøtter `-AllUsers` switch.
- Fjerner `signscope`- og `signature`-linjer fra alle `.rdp`-filer på skrivebord(e) - Fjerner `signscope`- og `signature`-linjer fra alle `.rdp`-filer på skrivebord(e)
- Fjerner `CN=RDPSign`-certifikatet fra `My`, `Root` og `TrustedPublisher` stores - Fjerner `CN=RDPSign`-certifikatet fra `My`, `Root` og `TrustedPublisher` stores
- Fjerner `TrustedCertThumbprints` fra registry - Fjerner `TrustedCertThumbprints` fra registry
- Fjerner `RedirectionWarningDialogVersion` fra registry - Fjerner `RedirectionWarningDialogVersion` fra registry
### `sandbox.ps1` ### `sandbox.ps1`
Kombinerer install og detect i ét script til lokal sandkasse-test. Understøtter `-AllUsers` switch. Kombinerer install og detect i ét script til lokal sandkasse-test. Understøtter `-AllUsers` switch.
Kør fra mappen der indeholder `rdp-files\` som administrator. Kør fra mappen der indeholder `rdp-files\` som administrator.
Output skrives til både konsollen og `C:\Intune\DesktopShortcuts.log`. Output skrives til både konsollen og `C:\Intune\DesktopShortcuts.log`.
[↑ Tilbage til toppen](#rdp---intunewin-pakke) [↑ Tilbage til toppen](#rdp---intunewin-pakke)
+3 -5
View File
@@ -1,10 +1,8 @@
# ============================================================ # ============================================================
# CHANGELOG # CHANGELOG
# v1.1 - Added -AllUsers switch to remove signatures from RDP # v1.2 - Get-DesktopPaths: Depth 2 search for OneDrive Desktop
# files on all user desktops instead of only the public # v1.1 - AllUsers switch + Get-DesktopPaths helper
# desktop. # v1.0 - Initial
# Added Get-DesktopPaths helper function.
# v1.0 - Initial version, clears signing on public desktop only.
# ============================================================ # ============================================================
param( param(
+4 -12
View File
@@ -1,17 +1,9 @@
# ============================================================ # ============================================================
# CHANGELOG # CHANGELOG
# v1.2 - Checks for specific expected .rdp filenames instead # v1.3 - Get-DesktopPaths: Depth 2 search for OneDrive Desktop
# of just "any .rdp file exists on desktop". # v1.2 - Detect by expected filename list
# v1.1 - Added -AllUsers switch to check all user desktops # v1.1 - AllUsers switch + Get-DesktopPaths helper
# instead of only the public desktop. # v1.0 - Initial
# Added Get-DesktopPaths helper function.
# v1.0 - Initial version, checks public desktop only.
# ============================================================
param(
[switch]$AllUsers
)
# ============================================================ # ============================================================
# Update this list whenever .rdp files are added or removed # Update this list whenever .rdp files are added or removed
# from the rdp-files\\ folder. # from the rdp-files\\ folder.
+3 -4
View File
@@ -1,9 +1,8 @@
# ============================================================ # ============================================================
# CHANGELOG # CHANGELOG
# v1.1 - Added -AllUsers switch to deploy to all user desktops # v1.2 - Get-DesktopPaths: Depth 2 search for OneDrive Desktop
# instead of only the public desktop. # v1.1 - AllUsers switch + Get-DesktopPaths helper
# Added Get-DesktopPaths helper function. # v1.0 - Initial
# v1.0 - Initial version, deploys to public desktop only.
# ============================================================ # ============================================================
param( param(
+3 -4
View File
@@ -1,9 +1,8 @@
# ============================================================ # ============================================================
# CHANGELOG # CHANGELOG
# v1.1 - Added -AllUsers switch to sign RDP files on all user # v1.2 - Get-DesktopPaths: Depth 2 search for OneDrive Desktop
# desktops instead of only the public desktop. # v1.1 - AllUsers switch + Get-DesktopPaths helper
# Added Get-DesktopPaths helper function. # v1.0 - Initial
# v1.0 - Initial version, signs on public desktop only.
# ============================================================ # ============================================================
param( param(
+3 -5
View File
@@ -1,10 +1,8 @@
# ============================================================ # ============================================================
# CHANGELOG # CHANGELOG
# v1.1 - Added -AllUsers switch to check certificate and signed # v1.2 - Get-DesktopPaths: Depth 2 search for OneDrive Desktop
# RDP files across all user desktops instead of only the # v1.1 - AllUsers switch + Get-DesktopPaths helper
# public desktop. # v1.0 - Initial
# Added Get-DesktopPaths helper function.
# v1.0 - Initial version, checks public desktop only.
# ============================================================ # ============================================================
param( param(
+3 -4
View File
@@ -1,9 +1,8 @@
# ============================================================ # ============================================================
# CHANGELOG # CHANGELOG
# v1.1 - Added -AllUsers switch to remove files from all user # v1.2 - Get-DesktopPaths: Depth 2 search for OneDrive Desktop
# desktops instead of only the public desktop. # v1.1 - AllUsers switch + Get-DesktopPaths helper
# Added Get-DesktopPaths helper function. # v1.0 - Initial
# v1.0 - Initial version, removes from public desktop only.
# ============================================================ # ============================================================
param( param(
+3 -42
View File
@@ -2,48 +2,9 @@
# INSTALL + DETECT - Sandbox test script # INSTALL + DETECT - Sandbox test script
# ============================================================ # ============================================================
# CHANGELOG # CHANGELOG
# v1.1 - Added -AllUsers switch to deploy and detect across all # v1.2 - Get-DesktopPaths: Depth 2 search for OneDrive Desktop
# user desktops instead of only the public desktop. # v1.1 - AllUsers switch + Get-DesktopPaths helper
# Added Get-DesktopPaths helper function. # v1.0 - Initial
# v1.0 - Initial version, public desktop only.
# ============================================================
param(
[switch]$AllUsers
)
# Setup logging
$baseFolder = Join-Path $env:SystemDrive "Intune"
$logFile = Join-Path $baseFolder "DesktopShortcuts.log"
# Check if Sysnative exists (means script is running in 32-bit mode on x64 OS)
if (Test-Path "$($env:windir)\Sysnative") {
$rdpSignPath = "$($env:windir)\Sysnative\rdpsign.exe"
} else {
$rdpSignPath = "$($env:windir)\System32\rdpsign.exe"
}
if (-not (Test-Path $baseFolder)) {
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
}
function Write-Log {
param($Message)
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
Add-Content -Path $logFile -Value $logMessage
Write-Host $logMessage
}
function Get-DesktopPaths {
if ($AllUsers) {
Get-ChildItem "$env:SystemDrive\Users" -Directory -Exclude "Public","Default" | ForEach-Object {
Get-ChildItem $_.FullName -Directory -Filter "Desktop" -Depth 2 -ErrorAction SilentlyContinue |
Select-Object -ExpandProperty FullName
}
} else {
[Environment]::GetFolderPath("CommonDesktopDirectory")
}
}
# ============================================================ # ============================================================
# INSTALL # INSTALL
# ============================================================ # ============================================================
-33
View File
@@ -1,33 +0,0 @@
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
$certSubject = "CN=RDPSign"
# 1. Unsign RDP files
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp"
foreach ($file in $rdpFiles) {
$content = Get-Content $file.FullName
$cleaned = $content | Where-Object { $_ -notmatch "^signscope:s:" -and $_ -notmatch "^signature:s:" }
$cleaned | Set-Content $file.FullName -Encoding Unicode
Write-Host "Unsigned: $($file.Name)"
}
# 2. Remove certificate from all stores
foreach ($storeName in @("My", "Root", "TrustedPublisher")) {
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, "LocalMachine")
$store.Open("ReadWrite")
$certs = $store.Certificates | Where-Object { $_.Subject -eq $certSubject }
foreach ($cert in $certs) {
$store.Remove($cert)
Write-Host "Removed certificate from store: $storeName"
}
$store.Close()
}
# 3. Remove thumbprint from registry
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
Remove-ItemProperty -Path $gpoPath -Name "TrustedCertThumbprints" -ErrorAction SilentlyContinue
Write-Host "Removed TrustedCertThumbprints"
# 4. Remove RedirectionWarningDialogVersion
$clientPath = "HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services\Client"
Remove-ItemProperty -Path $clientPath -Name "RedirectionWarningDialogVersion" -ErrorAction SilentlyContinue
Write-Host "Removed RedirectionWarningDialogVersion"
-43
View File
@@ -1,43 +0,0 @@
# Setup logging
$baseFolder = Join-Path $env:SystemDrive "Intune"
$logFile = Join-Path $baseFolder "DesktopShortcuts.log"
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
# Create necessary folders
if (-not (Test-Path $baseFolder)) {
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
}
function Write-Log {
param($Message)
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
Add-Content -Path $logFile -Value $logMessage
Write-Host $logMessage
}
$rdpFiles = Get-ChildItem -Path "$desktopPath\*.rdp" -ErrorAction SilentlyContinue
try {
if ($rdpFiles.Count -eq 0) {
Write-Log "DETECT [FAIL]: No .rdp files found on public desktop: $desktopPath"
exit 1
}
$allFound = $true
foreach ($file in $rdpFiles) {
if (-not (Test-Path (Join-Path $desktopPath $file.Name))) {
Write-Log "DETECT [FAIL]: Missing: $($file.Name)"
$allFound = $false
}
}
if ($allFound) {
Write-Log "DETECT [OK]: All .rdp files found on public desktop: $desktopPath"
exit 0
} else {
exit 1
}
} catch {
Write-Log "Detect error: $_"
exit 1
}
-139
View File
@@ -1,139 +0,0 @@
# Setup logging
$baseFolder = Join-Path $env:SystemDrive "Intune"
$logFile = Join-Path $baseFolder "DesktopShortcuts.log"
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
# Check if Sysnative exists (means script is running in 32-bit mode on x64 OS)
if (Test-Path "$($env:windir)\Sysnative") {
$rdpSignPath = "$($env:windir)\Sysnative\rdpsign.exe"
} else {
$rdpSignPath = "$($env:windir)\System32\rdpsign.exe"
}
# Create necessary folders
if (-not (Test-Path $baseFolder)) {
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
}
function Write-Log {
param($Message)
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
Add-Content -Path $logFile -Value $logMessage
Write-Host $logMessage
}
try {
# Copy RDP files to public desktop
Get-ChildItem -Path ".\rdp-files\*.rdp" | ForEach-Object {
try {
Copy-Item -Path $_.FullName -Destination $desktopPath -Force
} catch {
Write-Log "Error copying file: $_"
exit 1
}
}
Start-Sleep -Seconds 2 # Wait for files to be fully copied before signing
Write-Log "Copied .rdp files to public desktop: $desktopPath"
# Get RDP files from public desktop for signing
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -Recurse -ErrorAction SilentlyContinue
$certSubjectName = "RDPSign"
$certSubject = "CN=$certSubjectName"
Write-Log "Searching for existing certificate: $certSubjectName..."
$existingCert = Get-ChildItem Cert:\LocalMachine\My |
Where-Object { $_.Subject -eq $certSubject } |
Select-Object -First 1
if ($existingCert) {
Write-Log "Found existing certificate with Thumbprint: $($existingCert.Thumbprint)"
$thumbprint = $existingCert.Thumbprint
} else {
Write-Log "No existing certificate found. Creating new one..."
$cert = New-SelfSignedCertificate `
-Subject $certSubject `
-CertStoreLocation "Cert:\LocalMachine\My" `
-Type CodeSigningCert `
-KeyExportPolicy NonExportable `
-NotAfter (Get-Date).AddYears(25)
$thumbprint = $cert.Thumbprint
# Add to Trusted Root
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$rootStore.Open("ReadWrite")
$rootStore.Add($cert)
$rootStore.Close()
# Add to Trusted Publishers
$pubStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("TrustedPublisher", "LocalMachine")
$pubStore.Open("ReadWrite")
$pubStore.Add($cert)
$pubStore.Close()
# Add thumbprint to RDP trusted certs in registry
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$keyName = "TrustedCertThumbprints"
if (-not (Test-Path $gpoPath)) {
New-Item -Path $gpoPath -Force | Out-Null
}
$currentValue = (Get-ItemProperty -Path $gpoPath -Name $keyName -ErrorAction SilentlyContinue).$keyName
if ($currentValue -notmatch [regex]::Escape($thumbprint)) {
$newValue = if ([string]::IsNullOrWhiteSpace($currentValue)) { $thumbprint } else { "$currentValue,$thumbprint" }
if ($null -eq $currentValue) {
New-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue -PropertyType String -Force | Out-Null
} else {
Set-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue
}
Write-Log "Updated TrustedCertThumbprints registry value."
} else {
Write-Log "Thumbprint already exists in registry. Skipping update."
}
Write-Log "Certificate created and trusted successfully."
}
if ($rdpFiles.Count -eq 0) {
Write-Log "No .rdp files found on Desktop: $desktopPath"
exit 0
}
Write-Log "Found $($rdpFiles.Count) file(s) to sign."
$successCount = 0
$failCount = 0
foreach ($rdpFile in $rdpFiles) {
Write-Log "Signing: $($rdpFile.Name)"
& $rdpSignPath /sha256 $thumbprint $rdpFile.FullName
if ($LASTEXITCODE -eq 0) {
Write-Log " [OK] $($rdpFile.Name)"
$successCount++
} else {
Write-Log " [FAILED] $($rdpFile.Name) - rdpsign exit code: $LASTEXITCODE"
$failCount++
}
}
# Set registry key to suppress RDP warning dialogs
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client" /v RedirectionWarningDialogVersion /t REG_DWORD /d 1 /f
if ($failCount -eq 0) {
Write-Log "All $successCount file(s) signed successfully."
} else {
Write-Log "$successCount file(s) signed successfully, $failCount file(s) failed."
exit 1
}
exit 0
} catch {
Write-Log "Error: $_"
exit 1
}
-118
View File
@@ -1,118 +0,0 @@
# RDP - IntuneWin Package
## Package Contents
| File | Purpose |
|------|---------|
| `Install.ps1` | Copies RDP files to public desktop, creates self-signed certificate and signs all RDP files |
| `Detect.ps1` | Detects whether all RDP files from the package are present on the public desktop |
| `Uninstall.ps1` | Removes RDP files from the public desktop |
| `SignOnly.ps1` | Signs existing RDP files on the public desktop — no file copy (standalone use) |
| `SignOnly_detect.ps1` | Detects whether certificate is present and all RDP files on the desktop are signed |
| `Clearsigning.ps1` | Removes signatures from RDP files and cleans up certificate and registry (cleanup/debug use) |
| `sandbox.ps1` | Combined install + detect script for local sandbox testing |
| `rdp-files\*.rdp` | Source RDP files deployed to the public desktop |
---
## Intune App Configuration
### Program
- **Install command:**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1`
- **Uninstall command:**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1`
- **Install behavior:** System
### Detection Rule
Use a custom detection script:
- **Script file:** `Detect.ps1`
- **Run script as 32-bit process on 64-bit clients:** No
- **Enforce script signature check:** No
Detection logic:
- Checks that all `.rdp` files from `rdp-files\` are present on the public desktop (`C:\Users\Public\Desktop`)
- Returns `exit 0` = installed
- Returns `exit 1` = not installed
---
## What Install.ps1 Does
1. Copies all `.rdp` files from `.\rdp-files\` to the public desktop
2. Searches for an existing self-signed certificate (`CN=RDPSign`) in `Cert:\LocalMachine\My`
3. If not found, creates a new self-signed code signing certificate (valid 25 years, non-exportable)
4. Adds the certificate to `Trusted Root` and `Trusted Publishers` in the local machine store
5. Adds the certificate thumbprint to the registry key `TrustedCertThumbprints`
6. Signs all `.rdp` files on the public desktop using `rdpsign.exe /sha256`
7. Sets `RedirectionWarningDialogVersion = 1` in registry to suppress RDP warning dialogs
---
## Registry Changes
| Path | Value | Type | Data |
|------|-------|------|------|
| `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` | `TrustedCertThumbprints` | String | Certificate thumbprint |
| `HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client` | `RedirectionWarningDialogVersion` | DWORD | `1` |
---
## Logging and Troubleshooting
| Script | Log file |
|--------|----------|
| `Install.ps1` | `C:\Intune\DesktopShortcuts.log` |
| `Detect.ps1` | `C:\Intune\DesktopShortcuts.log` |
| `Uninstall.ps1` | `C:\Intune\DesktopShortcuts.log` |
| `SignOnly.ps1` | `C:\Intune\RDPSign.log` |
---
## SignOnly Intune App Configuration
### Program
- **Install command:**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1`
- **Uninstall command:**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1`
- **Install behavior:** System
### Detection Rule
Use a custom detection script:
- **Script file:** `SignOnly_detect.ps1`
- **Run script as 32-bit process on 64-bit clients:** No
- **Enforce script signature check:** No
Detection logic:
- Checks that `CN=RDPSign` certificate exists in `My`, `Root`, and `TrustedPublisher` stores
- Checks that thumbprint is present in registry
- Checks that all `.rdp` files on the public desktop contain a valid signature
- Returns `exit 0` + `"Detected"` = installed
- Returns `exit 1` = not installed
---
## Utility Scripts (not part of Intune package)
### `SignOnly.ps1`
Signs all existing `.rdp` files on the public desktop without copying any files. Useful for re-signing after an update or if files are already deployed.
Run as administrator.
### `SignOnly_detect.ps1`
Detection script for use with `SignOnly.ps1` as an Intune package. Checks:
- Certificate exists in `My`, `Root`, and `TrustedPublisher` stores
- Thumbprint is present in registry
- All `.rdp` files on the desktop contain a valid signature
### `Clearsigning.ps1`
Removes all signing artifacts. Useful for testing or cleanup. Run as administrator.
- Strips `signscope` and `signature` lines from all `.rdp` files on the public desktop
- Removes `CN=RDPSign` certificate from `My`, `Root`, and `TrustedPublisher` stores
- Removes `TrustedCertThumbprints` from registry
- Removes `RedirectionWarningDialogVersion` from registry
### `sandbox.ps1`
Combines install and detect into a single script for local sandbox testing.
Run from the folder containing `rdp-files\` as administrator.
Output is written to both the console and `C:\Intune\DesktopShortcuts.log`.
-125
View File
@@ -1,125 +0,0 @@
# Setup logging
$baseFolder = Join-Path $env:SystemDrive "Intune"
$logFile = Join-Path $baseFolder "RDPSign.log"
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
# Check if Sysnative exists (means script is running in 32-bit mode on x64 OS)
if (Test-Path "$($env:windir)\Sysnative") {
$rdpSignPath = "$($env:windir)\Sysnative\rdpsign.exe"
} else {
$rdpSignPath = "$($env:windir)\System32\rdpsign.exe"
}
if (-not (Test-Path $baseFolder)) {
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
}
function Write-Log {
param($Message)
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
Add-Content -Path $logFile -Value $logMessage
Write-Host $logMessage
}
try {
# Get RDP files from public desktop for signing
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -Recurse -ErrorAction SilentlyContinue
$certSubjectName = "RDPSign"
$certSubject = "CN=$certSubjectName"
Write-Log "Searching for existing certificate: $certSubjectName..."
$existingCert = Get-ChildItem Cert:\LocalMachine\My |
Where-Object { $_.Subject -eq $certSubject } |
Select-Object -First 1
if ($existingCert) {
Write-Log "Found existing certificate with Thumbprint: $($existingCert.Thumbprint)"
$thumbprint = $existingCert.Thumbprint
} else {
Write-Log "No existing certificate found. Creating new one..."
$cert = New-SelfSignedCertificate `
-Subject $certSubject `
-CertStoreLocation "Cert:\LocalMachine\My" `
-Type CodeSigningCert `
-KeyExportPolicy NonExportable `
-NotAfter (Get-Date).AddYears(25)
$thumbprint = $cert.Thumbprint
# Add to Trusted Root
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$rootStore.Open("ReadWrite")
$rootStore.Add($cert)
$rootStore.Close()
# Add to Trusted Publishers
$pubStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("TrustedPublisher", "LocalMachine")
$pubStore.Open("ReadWrite")
$pubStore.Add($cert)
$pubStore.Close()
# Add thumbprint to RDP trusted certs in registry
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$keyName = "TrustedCertThumbprints"
if (-not (Test-Path $gpoPath)) {
New-Item -Path $gpoPath -Force | Out-Null
}
$currentValue = (Get-ItemProperty -Path $gpoPath -Name $keyName -ErrorAction SilentlyContinue).$keyName
if ($currentValue -notmatch [regex]::Escape($thumbprint)) {
$newValue = if ([string]::IsNullOrWhiteSpace($currentValue)) { $thumbprint } else { "$currentValue,$thumbprint" }
if ($null -eq $currentValue) {
New-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue -PropertyType String -Force | Out-Null
} else {
Set-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue
}
Write-Log "Updated TrustedCertThumbprints registry value."
} else {
Write-Log "Thumbprint already exists in registry. Skipping update."
}
Write-Log "Certificate created and trusted successfully."
}
if ($rdpFiles.Count -eq 0) {
Write-Log "No .rdp files found on Desktop: $desktopPath"
exit 0
}
Write-Log "Found $($rdpFiles.Count) file(s) to sign."
$successCount = 0
$failCount = 0
foreach ($rdpFile in $rdpFiles) {
Write-Log "Signing: $($rdpFile.Name)"
& $rdpSignPath /sha256 $thumbprint $rdpFile.FullName
if ($LASTEXITCODE -eq 0) {
Write-Log " [OK] $($rdpFile.Name)"
$successCount++
} else {
Write-Log " [FAILED] $($rdpFile.Name) - rdpsign exit code: $LASTEXITCODE"
$failCount++
}
}
# Set registry key to suppress RDP warning dialogs
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client" /v RedirectionWarningDialogVersion /t REG_DWORD /d 1 /f
if ($failCount -eq 0) {
Write-Log "All $successCount file(s) signed successfully."
} else {
Write-Log "$successCount file(s) signed successfully, $failCount file(s) failed."
exit 1
}
exit 0
} catch {
Write-Log "Error: $_"
exit 1
}
-36
View File
@@ -1,36 +0,0 @@
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
$certSubject = "CN=RDPSign"
# Check certificate exists in all three stores
$certInMy = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $certSubject }
$certInRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $certSubject }
$certInPub = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object { $_.Subject -eq $certSubject }
if (-not $certInMy -or -not $certInRoot -or -not $certInPub) {
exit 1
}
# Check registry thumbprint
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$thumbprintValue = (Get-ItemProperty -Path $gpoPath -Name "TrustedCertThumbprints" -ErrorAction SilentlyContinue).TrustedCertThumbprints
if ([string]::IsNullOrWhiteSpace($thumbprintValue)) {
exit 1
}
# Check that all RDP files on desktop are signed
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -ErrorAction SilentlyContinue
if ($rdpFiles.Count -eq 0) {
exit 1
}
foreach ($file in $rdpFiles) {
$content = Get-Content $file.FullName -ErrorAction SilentlyContinue
$hasSig = $content | Where-Object { $_ -match "^signature:s:" }
if (-not $hasSig) {
exit 1
}
}
Write-Host "Detected"
exit 0
-38
View File
@@ -1,38 +0,0 @@
# Setup logging
$baseFolder = Join-Path $env:SystemDrive "Intune"
$logFile = Join-Path $baseFolder "DesktopShortcuts.log"
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
# Create necessary folders
$folders = @(
$baseFolder
)
foreach ($folder in $folders) {
if (-not (Test-Path $folder)) {
New-Item -Path $folder -ItemType Directory -Force | Out-Null
}
}
function Write-Log {
param($Message)
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
Add-Content -Path $logFile -Value $logMessage
Write-Host $logMessage
}
try {
Get-ChildItem -Path ".\rdp-files\*.rdp" | ForEach-Object {
$targetFile = Join-Path $desktopPath $_.Name
if (Test-Path $targetFile) {
Remove-Item -Path $targetFile -Force
Write-Log "Removed: $($_.Name)"
} else {
Write-Log "Not found, skipping: $($_.Name)"
}
}
Write-Log "Uninstall completed from public desktop: $desktopPath"
exit 0
} catch {
Write-Log "An error occurred: $_"
exit 1
}
-176
View File
@@ -1,176 +0,0 @@
# ============================================================
# INSTALL + DETECT - Sandbox test script
# ============================================================
# Setup logging
$baseFolder = Join-Path $env:SystemDrive "Intune"
$logFile = Join-Path $baseFolder "DesktopShortcuts.log"
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
# Check if Sysnative exists (means script is running in 32-bit mode on x64 OS)
if (Test-Path "$($env:windir)\Sysnative") {
$rdpSignPath = "$($env:windir)\Sysnative\rdpsign.exe"
} else {
$rdpSignPath = "$($env:windir)\System32\rdpsign.exe"
}
if (-not (Test-Path $baseFolder)) {
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
}
function Write-Log {
param($Message)
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
Add-Content -Path $logFile -Value $logMessage
Write-Host $logMessage
}
# ============================================================
# INSTALL
# ============================================================
Write-Log "=== START INSTALL ==="
try {
# Copy RDP files to public desktop
Get-ChildItem -Path ".\rdp-files\*.rdp" | ForEach-Object {
try {
Copy-Item -Path $_.FullName -Destination $desktopPath -Force
} catch {
Write-Log "Error copying file: $_"
}
}
Start-Sleep -Seconds 2 # Wait for files to be fully copied before signing
Write-Log "Copied .rdp files to public desktop: $desktopPath"
# Get RDP files from public desktop for signing
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -Recurse -ErrorAction SilentlyContinue
$certSubjectName = "RDPSign"
$certSubject = "CN=$certSubjectName"
Write-Log "Searching for existing certificate: $certSubjectName..."
$existingCert = Get-ChildItem Cert:\LocalMachine\My |
Where-Object { $_.Subject -eq $certSubject } |
Select-Object -First 1
if ($existingCert) {
Write-Log "Found existing certificate with Thumbprint: $($existingCert.Thumbprint)"
$thumbprint = $existingCert.Thumbprint
} else {
Write-Log "No existing certificate found. Creating new one..."
$cert = New-SelfSignedCertificate `
-Subject $certSubject `
-CertStoreLocation "Cert:\LocalMachine\My" `
-Type CodeSigningCert `
-KeyExportPolicy NonExportable `
-NotAfter (Get-Date).AddYears(25)
$thumbprint = $cert.Thumbprint
# Add to Trusted Root
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$rootStore.Open("ReadWrite")
$rootStore.Add($cert)
$rootStore.Close()
# Add to Trusted Publishers
$pubStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("TrustedPublisher", "LocalMachine")
$pubStore.Open("ReadWrite")
$pubStore.Add($cert)
$pubStore.Close()
# Add thumbprint to RDP trusted certs in registry
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$keyName = "TrustedCertThumbprints"
if (-not (Test-Path $gpoPath)) {
New-Item -Path $gpoPath -Force | Out-Null
}
$currentValue = (Get-ItemProperty -Path $gpoPath -Name $keyName -ErrorAction SilentlyContinue).$keyName
if ($currentValue -notmatch [regex]::Escape($thumbprint)) {
$newValue = if ([string]::IsNullOrWhiteSpace($currentValue)) { $thumbprint } else { "$currentValue,$thumbprint" }
if ($null -eq $currentValue) {
New-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue -PropertyType String -Force | Out-Null
} else {
Set-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue
}
Write-Log "Updated TrustedCertThumbprints registry value."
} else {
Write-Log "Thumbprint already exists in registry. Skipping update."
}
Write-Log "Certificate created and trusted successfully."
}
if ($rdpFiles.Count -eq 0) {
Write-Log "No .rdp files found on Desktop: $desktopPath"
exit 0
}
Write-Log "Found $($rdpFiles.Count) file(s) to sign."
$successCount = 0
$failCount = 0
foreach ($rdpFile in $rdpFiles) {
Write-Log "Signing: $($rdpFile.Name)"
& $rdpSignPath /sha256 $thumbprint $rdpFile.FullName
if ($LASTEXITCODE -eq 0) {
Write-Log " [OK] $($rdpFile.Name)"
$successCount++
} else {
Write-Log " [FAILED] $($rdpFile.Name) - rdpsign exit code: $LASTEXITCODE"
$failCount++
}
}
# Set registry key to suppress RDP warning dialogs
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client" /v RedirectionWarningDialogVersion /t REG_DWORD /d 1 /f
if ($failCount -eq 0) {
Write-Log "All $successCount file(s) signed successfully."
} else {
Write-Log "$successCount file(s) signed successfully, $failCount file(s) failed."
}
} catch {
Write-Log "Install error: $_"
}
# ============================================================
# DETECT
# ============================================================
Write-Log "=== START DETECT ==="
$rdpFilesOnDesktop = Get-ChildItem -Path "$desktopPath\*.rdp" -ErrorAction SilentlyContinue
try {
if ($rdpFilesOnDesktop.Count -eq 0) {
Write-Log "DETECT [FAIL]: No .rdp files found on public desktop: $desktopPath"
exit 1
}
$allFound = $true
foreach ($file in $rdpFilesOnDesktop) {
if (-not (Test-Path (Join-Path $desktopPath $file.Name))) {
Write-Log "DETECT [FAIL]: Missing: $($file.Name)"
$allFound = $false
}
}
if ($allFound) {
Write-Log "DETECT [OK]: All .rdp files found on public desktop: $desktopPath"
exit 0
} else {
exit 1
}
} catch {
Write-Log "Detect error: $_"
exit 1
}