Upload af RDPSign fra arbejde-noter repo
This commit is contained in:
@@ -0,0 +1,118 @@
|
||||
# RDP - IntuneWin Package
|
||||
|
||||
## Package Contents
|
||||
|
||||
| File | Purpose |
|
||||
|------|---------|
|
||||
| `Install.ps1` | Copies RDP files to public desktop, creates self-signed certificate and signs all RDP files |
|
||||
| `Detect.ps1` | Detects whether all RDP files from the package are present on the public desktop |
|
||||
| `Uninstall.ps1` | Removes RDP files from the public desktop |
|
||||
| `SignOnly.ps1` | Signs existing RDP files on the public desktop — no file copy (standalone use) |
|
||||
| `SignOnly_detect.ps1` | Detects whether certificate is present and all RDP files on the desktop are signed |
|
||||
| `Clearsigning.ps1` | Removes signatures from RDP files and cleans up certificate and registry (cleanup/debug use) |
|
||||
| `sandbox.ps1` | Combined install + detect script for local sandbox testing |
|
||||
| `rdp-files\*.rdp` | Source RDP files deployed to the public desktop |
|
||||
|
||||
---
|
||||
|
||||
## Intune App Configuration
|
||||
|
||||
### Program
|
||||
- **Install command:**
|
||||
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1`
|
||||
- **Uninstall command:**
|
||||
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1`
|
||||
- **Install behavior:** System
|
||||
|
||||
### Detection Rule
|
||||
Use a custom detection script:
|
||||
- **Script file:** `Detect.ps1`
|
||||
- **Run script as 32-bit process on 64-bit clients:** No
|
||||
- **Enforce script signature check:** No
|
||||
|
||||
Detection logic:
|
||||
- Checks that all `.rdp` files from `rdp-files\` are present on the public desktop (`C:\Users\Public\Desktop`)
|
||||
- Returns `exit 0` = installed
|
||||
- Returns `exit 1` = not installed
|
||||
|
||||
---
|
||||
|
||||
## What Install.ps1 Does
|
||||
|
||||
1. Copies all `.rdp` files from `.\rdp-files\` to the public desktop
|
||||
2. Searches for an existing self-signed certificate (`CN=RDPSign`) in `Cert:\LocalMachine\My`
|
||||
3. If not found, creates a new self-signed code signing certificate (valid 25 years, non-exportable)
|
||||
4. Adds the certificate to `Trusted Root` and `Trusted Publishers` in the local machine store
|
||||
5. Adds the certificate thumbprint to the registry key `TrustedCertThumbprints`
|
||||
6. Signs all `.rdp` files on the public desktop using `rdpsign.exe /sha256`
|
||||
7. Sets `RedirectionWarningDialogVersion = 1` in registry to suppress RDP warning dialogs
|
||||
|
||||
---
|
||||
|
||||
## Registry Changes
|
||||
|
||||
| Path | Value | Type | Data |
|
||||
|------|-------|------|------|
|
||||
| `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` | `TrustedCertThumbprints` | String | Certificate thumbprint |
|
||||
| `HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client` | `RedirectionWarningDialogVersion` | DWORD | `1` |
|
||||
|
||||
---
|
||||
|
||||
## Logging and Troubleshooting
|
||||
|
||||
| Script | Log file |
|
||||
|--------|----------|
|
||||
| `Install.ps1` | `C:\Intune\DesktopShortcuts.log` |
|
||||
| `Detect.ps1` | `C:\Intune\DesktopShortcuts.log` |
|
||||
| `Uninstall.ps1` | `C:\Intune\DesktopShortcuts.log` |
|
||||
| `SignOnly.ps1` | `C:\Intune\RDPSign.log` |
|
||||
|
||||
---
|
||||
|
||||
## SignOnly Intune App Configuration
|
||||
|
||||
### Program
|
||||
- **Install command:**
|
||||
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1`
|
||||
- **Uninstall command:**
|
||||
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1`
|
||||
- **Install behavior:** System
|
||||
|
||||
### Detection Rule
|
||||
Use a custom detection script:
|
||||
- **Script file:** `SignOnly_detect.ps1`
|
||||
- **Run script as 32-bit process on 64-bit clients:** No
|
||||
- **Enforce script signature check:** No
|
||||
|
||||
Detection logic:
|
||||
- Checks that `CN=RDPSign` certificate exists in `My`, `Root`, and `TrustedPublisher` stores
|
||||
- Checks that thumbprint is present in registry
|
||||
- Checks that all `.rdp` files on the public desktop contain a valid signature
|
||||
- Returns `exit 0` + `"Detected"` = installed
|
||||
- Returns `exit 1` = not installed
|
||||
|
||||
---
|
||||
|
||||
## Utility Scripts (not part of Intune package)
|
||||
|
||||
### `SignOnly.ps1`
|
||||
Signs all existing `.rdp` files on the public desktop without copying any files. Useful for re-signing after an update or if files are already deployed.
|
||||
Run as administrator.
|
||||
|
||||
### `SignOnly_detect.ps1`
|
||||
Detection script for use with `SignOnly.ps1` as an Intune package. Checks:
|
||||
- Certificate exists in `My`, `Root`, and `TrustedPublisher` stores
|
||||
- Thumbprint is present in registry
|
||||
- All `.rdp` files on the desktop contain a valid signature
|
||||
|
||||
### `Clearsigning.ps1`
|
||||
Removes all signing artifacts. Useful for testing or cleanup. Run as administrator.
|
||||
- Strips `signscope` and `signature` lines from all `.rdp` files on the public desktop
|
||||
- Removes `CN=RDPSign` certificate from `My`, `Root`, and `TrustedPublisher` stores
|
||||
- Removes `TrustedCertThumbprints` from registry
|
||||
- Removes `RedirectionWarningDialogVersion` from registry
|
||||
|
||||
### `sandbox.ps1`
|
||||
Combines install and detect into a single script for local sandbox testing.
|
||||
Run from the folder containing `rdp-files\` as administrator.
|
||||
Output is written to both the console and `C:\Intune\DesktopShortcuts.log`.
|
||||
Reference in New Issue
Block a user