feat(SignOnly_detect): tilføj detaljeret logning og forbedret fejlhåndtering

- Tilføj Write-Log på alle checkpoints (certifikat, registry, filer)
    - Omskriv cert-tjek til at logge alle manglende stores før exit
    - Skift fra exit 1 til skip på brugere uden RDP-filer
    - Indpak i try/catch for robust fejlhåndtering

    feat(sandbox): tilføj sandbox_signonly.ps1 til test af SignOnly + Detect

    - Kombiner SignOnly (cert + signering) og Detect (verifikation) i ét script
    - Samme skip-logik for brugere uden RDP-filer
This commit is contained in:
GCH
2026-06-02 12:53:27 +02:00
parent 81870bcdcf
commit f90a12f7f1
3 changed files with 317 additions and 28 deletions
+234
View File
@@ -0,0 +1,234 @@
# ============================================================
# SIGNONLY + DETECT - Sandbox test script
# ============================================================
# CHANGELOG
# v1.0 - Initial
# ============================================================
param(
[switch]$AllUsers
)
Start-Sleep -Seconds 10
# Setup logging
$baseFolder = Join-Path $env:SystemDrive "Intune"
$logFile = Join-Path $baseFolder "RDPSign.log"
# Check if Sysnative exists (means script is running in 32-bit mode on x64 OS)
if (Test-Path "$($env:windir)\Sysnative") {
$rdpSignPath = "$($env:windir)\Sysnative\rdpsign.exe"
} else {
$rdpSignPath = "$($env:windir)\System32\rdpsign.exe"
}
if (-not (Test-Path $baseFolder)) {
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
}
function Write-Log {
param($Message)
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
Add-Content -Path $logFile -Value $logMessage
Write-Host $logMessage
}
function Get-DesktopPaths {
if ($AllUsers) {
Get-ChildItem "$env:SystemDrive\Users" -Directory -Exclude "Public","Default" | ForEach-Object {
Get-ChildItem $_.FullName -Directory -Filter "Desktop" -Depth 2 -ErrorAction SilentlyContinue |
Select-Object -ExpandProperty FullName
}
} else {
[Environment]::GetFolderPath("CommonDesktopDirectory")
}
}
# ============================================================
# SIGNONLY
# ============================================================
Write-Log "=== START SIGNONLY ==="
Write-Log "Running in mode: $(if ($AllUsers) { 'All Users' } else { 'Public Desktop' })"
try {
$certSubjectName = "RDPSign"
$certSubject = "CN=$certSubjectName"
Write-Log "Searching for existing certificate: $certSubjectName..."
$existingCert = Get-ChildItem Cert:\LocalMachine\My |
Where-Object { $_.Subject -eq $certSubject } |
Select-Object -First 1
if ($existingCert) {
Write-Log "Found existing certificate with Thumbprint: $($existingCert.Thumbprint)"
$thumbprint = $existingCert.Thumbprint
} else {
Write-Log "No existing certificate found. Creating new one..."
$cert = New-SelfSignedCertificate `
-Subject $certSubject `
-CertStoreLocation "Cert:\LocalMachine\My" `
-Type CodeSigningCert `
-KeyExportPolicy NonExportable `
-NotAfter (Get-Date).AddYears(25)
$thumbprint = $cert.Thumbprint
# Add to Trusted Root
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$rootStore.Open("ReadWrite")
$rootStore.Add($cert)
$rootStore.Close()
# Add to Trusted Publishers
$pubStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("TrustedPublisher", "LocalMachine")
$pubStore.Open("ReadWrite")
$pubStore.Add($cert)
$pubStore.Close()
# Add thumbprint to RDP trusted certs in registry
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$keyName = "TrustedCertThumbprints"
if (-not (Test-Path $gpoPath)) {
New-Item -Path $gpoPath -Force | Out-Null
}
$currentValue = (Get-ItemProperty -Path $gpoPath -Name $keyName -ErrorAction SilentlyContinue).$keyName
if ($currentValue -notmatch [regex]::Escape($thumbprint)) {
$newValue = if ([string]::IsNullOrWhiteSpace($currentValue)) { $thumbprint } else { "$currentValue,$thumbprint" }
if ($null -eq $currentValue) {
New-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue -PropertyType String -Force | Out-Null
} else {
Set-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue
}
Write-Log "Updated TrustedCertThumbprints registry value."
} else {
Write-Log "Thumbprint already exists in registry. Skipping update."
}
Write-Log "Certificate created and trusted successfully."
}
$successCount = 0
$failCount = 0
foreach ($desktopPath in (Get-DesktopPaths)) {
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -Recurse -ErrorAction SilentlyContinue
if ($rdpFiles.Count -eq 0) {
Write-Log "Skip: No .rdp files on $desktopPath"
continue
}
Write-Log "Found $($rdpFiles.Count) file(s) to sign on: $desktopPath"
foreach ($rdpFile in $rdpFiles) {
Write-Log "Signing: $($rdpFile.Name)"
& $rdpSignPath /sha256 $thumbprint $rdpFile.FullName
if ($LASTEXITCODE -eq 0) {
Write-Log " [OK] $($rdpFile.Name)"
$successCount++
} else {
Write-Log " [FAILED] $($rdpFile.Name) - rdpsign exit code: $LASTEXITCODE"
$failCount++
}
}
}
# Set registry key to suppress RDP warning dialogs
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client" /v RedirectionWarningDialogVersion /t REG_DWORD /d 1 /f
if ($failCount -eq 0) {
Write-Log "All $successCount file(s) signed successfully."
} else {
Write-Log "$successCount file(s) signed successfully, $failCount file(s) failed."
}
} catch {
Write-Log "SIGNONLY error: $_"
}
# ============================================================
# DETECT
# ============================================================
Write-Log "=== START DETECT ==="
try {
$certSubject = "CN=RDPSign"
Write-Log "Checking certificate: $certSubject..."
$certInMy = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $certSubject }
$certInRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $certSubject }
$certInPub = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object { $_.Subject -eq $certSubject }
$certOk = $true
if (-not $certInMy) {
Write-Log "FAIL: Certificate not found in LocalMachine\My"
$certOk = $false
}
if (-not $certInRoot) {
Write-Log "FAIL: Certificate not found in LocalMachine\Root"
$certOk = $false
}
if (-not $certInPub) {
Write-Log "FAIL: Certificate not found in LocalMachine\TrustedPublisher"
$certOk = $false
}
if (-not $certOk) {
Write-Log "DETECT [FAIL]: Certificate missing"
} else {
Write-Log "OK: Certificate found in all stores"
}
# Check registry thumbprint
Write-Log "Checking registry thumbprint..."
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$thumbprintValue = (Get-ItemProperty -Path $gpoPath -Name "TrustedCertThumbprints" -ErrorAction SilentlyContinue).TrustedCertThumbprints
if ([string]::IsNullOrWhiteSpace($thumbprintValue)) {
Write-Log "FAIL: TrustedCertThumbprints not found in registry"
$certOk = $false
} else {
Write-Log "OK: Thumbprint found in registry"
}
# Check that all RDP files on desktop(s) are signed
Write-Log "Checking RDP file signatures..."
$desktopsChecked = 0
$filesChecked = 0
$allSigned = $true
foreach ($desktopPath in (Get-DesktopPaths)) {
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -ErrorAction SilentlyContinue
if ($rdpFiles.Count -eq 0) {
Write-Log "Skip: No .rdp files on $desktopPath"
continue
}
Write-Log "Found $($rdpFiles.Count) file(s) to check on: $desktopPath"
foreach ($file in $rdpFiles) {
$filesChecked++
$content = Get-Content $file.FullName -ErrorAction SilentlyContinue
$hasSig = $content | Where-Object { $_ -match "^signature:s:" }
if (-not $hasSig) {
Write-Log "FAIL: $($file.Name) on $desktopPath is not signed"
$allSigned = $false
}
}
$desktopsChecked++
}
if ($allSigned -and $certOk) {
Write-Log "DETECT [OK]: $filesChecked file(s) across $desktopsChecked desktop(s) - all signed and configured"
exit 0
} else {
Write-Log "DETECT [FAIL]: Check log for details"
exit 1
}
} catch {
Write-Log "Detect error: $_"
exit 1
}