feat(SignOnly_detect): tilføj detaljeret logning og forbedret fejlhåndtering
- Tilføj Write-Log på alle checkpoints (certifikat, registry, filer)
- Omskriv cert-tjek til at logge alle manglende stores før exit
- Skift fra exit 1 til skip på brugere uden RDP-filer
- Indpak i try/catch for robust fejlhåndtering
feat(sandbox): tilføj sandbox_signonly.ps1 til test af SignOnly + Detect
- Kombiner SignOnly (cert + signering) og Detect (verifikation) i ét script
- Samme skip-logik for brugere uden RDP-filer
This commit is contained in:
+83
-28
@@ -1,5 +1,6 @@
|
||||
# ============================================================
|
||||
# CHANGELOG
|
||||
# v1.3 - Added detailed logging for detect failures
|
||||
# v1.2 - Get-DesktopPaths: Depth 2 search for OneDrive Desktop
|
||||
# v1.1 - AllUsers switch + Get-DesktopPaths helper
|
||||
# v1.0 - Initial
|
||||
@@ -9,6 +10,21 @@ param(
|
||||
[switch]$AllUsers
|
||||
)
|
||||
|
||||
# Setup logging
|
||||
$baseFolder = Join-Path $env:SystemDrive "Intune"
|
||||
$logFile = Join-Path $baseFolder "RDPSign.log"
|
||||
|
||||
if (-not (Test-Path $baseFolder)) {
|
||||
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
|
||||
}
|
||||
|
||||
function Write-Log {
|
||||
param($Message)
|
||||
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
|
||||
Add-Content -Path $logFile -Value $logMessage
|
||||
Write-Host $logMessage
|
||||
}
|
||||
|
||||
function Get-DesktopPaths {
|
||||
if ($AllUsers) {
|
||||
Get-ChildItem "$env:SystemDrive\Users" -Directory -Exclude "Public","Default" | ForEach-Object {
|
||||
@@ -19,40 +35,79 @@ function Get-DesktopPaths {
|
||||
[Environment]::GetFolderPath("CommonDesktopDirectory")
|
||||
}
|
||||
}
|
||||
$certSubject = "CN=RDPSign"
|
||||
|
||||
# Check certificate exists in all three stores
|
||||
$certInMy = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $certSubject }
|
||||
$certInRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $certSubject }
|
||||
$certInPub = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object { $_.Subject -eq $certSubject }
|
||||
try {
|
||||
Write-Log "=== SignOnly Detect START ==="
|
||||
Write-Log "Running in mode: $(if ($AllUsers) { 'All Users' } else { 'Public Desktop' })"
|
||||
|
||||
if (-not $certInMy -or -not $certInRoot -or -not $certInPub) {
|
||||
exit 1
|
||||
}
|
||||
$certSubject = "CN=RDPSign"
|
||||
|
||||
# Check registry thumbprint
|
||||
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
|
||||
$thumbprintValue = (Get-ItemProperty -Path $gpoPath -Name "TrustedCertThumbprints" -ErrorAction SilentlyContinue).TrustedCertThumbprints
|
||||
if ([string]::IsNullOrWhiteSpace($thumbprintValue)) {
|
||||
exit 1
|
||||
}
|
||||
# Check certificate exists in all three stores
|
||||
Write-Log "Checking certificate: $certSubject..."
|
||||
$certInMy = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $certSubject }
|
||||
$certInRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $certSubject }
|
||||
$certInPub = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object { $_.Subject -eq $certSubject }
|
||||
|
||||
# Check that all RDP files on desktop(s) are signed
|
||||
foreach ($desktopPath in (Get-DesktopPaths)) {
|
||||
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -ErrorAction SilentlyContinue
|
||||
|
||||
if ($rdpFiles.Count -eq 0) {
|
||||
$certOk = $true
|
||||
if (-not $certInMy) {
|
||||
Write-Log "FAIL: Certificate not found in LocalMachine\My"
|
||||
$certOk = $false
|
||||
}
|
||||
if (-not $certInRoot) {
|
||||
Write-Log "FAIL: Certificate not found in LocalMachine\Root"
|
||||
$certOk = $false
|
||||
}
|
||||
if (-not $certInPub) {
|
||||
Write-Log "FAIL: Certificate not found in LocalMachine\TrustedPublisher"
|
||||
$certOk = $false
|
||||
}
|
||||
if (-not $certOk) {
|
||||
exit 1
|
||||
}
|
||||
Write-Log "OK: Certificate found in all stores"
|
||||
|
||||
foreach ($file in $rdpFiles) {
|
||||
$content = Get-Content $file.FullName -ErrorAction SilentlyContinue
|
||||
$hasSig = $content | Where-Object { $_ -match "^signature:s:" }
|
||||
if (-not $hasSig) {
|
||||
exit 1
|
||||
}
|
||||
# Check registry thumbprint
|
||||
Write-Log "Checking registry thumbprint..."
|
||||
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
|
||||
$thumbprintValue = (Get-ItemProperty -Path $gpoPath -Name "TrustedCertThumbprints" -ErrorAction SilentlyContinue).TrustedCertThumbprints
|
||||
if ([string]::IsNullOrWhiteSpace($thumbprintValue)) {
|
||||
Write-Log "FAIL: TrustedCertThumbprints not found in registry"
|
||||
exit 1
|
||||
}
|
||||
}
|
||||
Write-Log "OK: Thumbprint found in registry"
|
||||
|
||||
Write-Host "Detected"
|
||||
exit 0
|
||||
# Check that all RDP files on desktop(s) are signed
|
||||
Write-Log "Checking RDP file signatures..."
|
||||
$desktopsChecked = 0
|
||||
$filesChecked = 0
|
||||
|
||||
foreach ($desktopPath in (Get-DesktopPaths)) {
|
||||
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -ErrorAction SilentlyContinue
|
||||
|
||||
if ($rdpFiles.Count -eq 0) {
|
||||
Write-Log "Skip: No .rdp files on $desktopPath"
|
||||
continue
|
||||
}
|
||||
|
||||
Write-Log "Found $($rdpFiles.Count) file(s) to check on: $desktopPath"
|
||||
|
||||
foreach ($file in $rdpFiles) {
|
||||
$filesChecked++
|
||||
$content = Get-Content $file.FullName -ErrorAction SilentlyContinue
|
||||
$hasSig = $content | Where-Object { $_ -match "^signature:s:" }
|
||||
if (-not $hasSig) {
|
||||
Write-Log "FAIL: $($file.Name) on $desktopPath is not signed"
|
||||
exit 1
|
||||
}
|
||||
}
|
||||
$desktopsChecked++
|
||||
}
|
||||
|
||||
Write-Log "OK: All $filesChecked file(s) across $desktopsChecked desktop(s) are signed"
|
||||
Write-Log "=== SignOnly Detect END - Installed ==="
|
||||
exit 0
|
||||
}
|
||||
catch {
|
||||
Write-Log "Error: $_"
|
||||
exit 1
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user