Compare commits
11 Commits
c25053bad9
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| 69e9e81df8 | |||
| f90a12f7f1 | |||
| 81870bcdcf | |||
| 2225abed9d | |||
| 8e6dffa229 | |||
| 9534e8f7d2 | |||
| ab2bb0735b | |||
| efaceaa528 | |||
| 0593f8c042 | |||
| 13005cf161 | |||
| 2bf216bcc2 |
+342
@@ -0,0 +1,342 @@
|
|||||||
|
<h1 id="rdp---intunewin-pakke">RDP - IntuneWin Pakke</h1>
|
||||||
|
<blockquote>
|
||||||
|
<p>Denne pakke installerer og signerer RDP-genveje på skrivebordet via
|
||||||
|
et selvsigneret certifikat, så brugerne ikke får en sikkerhedsadvarsel
|
||||||
|
ved åbning. Som standard arbejder alle scripts mod det
|
||||||
|
<strong>offentlige skrivebord</strong>
|
||||||
|
(<code>C:\Users\Public\Desktop</code>). Brug <code>-AllUsers</code>
|
||||||
|
switchen for at køre mod alle brugeres individuelle skriveborde i
|
||||||
|
stedet.
|
||||||
|
</p>
|
||||||
|
</blockquote>
|
||||||
|
<hr />
|
||||||
|
<h2 id="indhold">Indhold</h2>
|
||||||
|
<ul>
|
||||||
|
<li><a href="#pakkens-indhold">Pakkens indhold</a></li>
|
||||||
|
<li><a href="#intune-app-konfiguration">Intune App
|
||||||
|
Konfiguration</a></li>
|
||||||
|
<li><a href="#hvad-install.ps1-gør">Hvad Install.ps1 gør</a></li>
|
||||||
|
<li><a href="#sådan-opsætter-du-detect.ps1">Sådan opsætter du
|
||||||
|
Detect.ps1</a></li>
|
||||||
|
<li><a href="#allusers-switch">AllUsers Switch</a></li>
|
||||||
|
<li><a href="#registry-ændringer">Registry-ændringer</a></li>
|
||||||
|
<li><a href="#logning-og-fejlfinding">Logning og fejlfinding</a></li>
|
||||||
|
<li><a href="#signonly-intune-app-konfiguration">SignOnly Intune App
|
||||||
|
Konfiguration</a></li>
|
||||||
|
<li><a href="#øvrige-scripts-i-pakken">Øvrige scripts i pakken</a></li>
|
||||||
|
</ul>
|
||||||
|
<hr />
|
||||||
|
<h2 id="pakkens-indhold">Pakkens indhold</h2>
|
||||||
|
<table>
|
||||||
|
<colgroup>
|
||||||
|
<col style="width: 38%" />
|
||||||
|
<col style="width: 61%" />
|
||||||
|
</colgroup>
|
||||||
|
<thead>
|
||||||
|
<tr>
|
||||||
|
<th>Fil</th>
|
||||||
|
<th>Formål</th>
|
||||||
|
</tr>
|
||||||
|
</thead>
|
||||||
|
<tbody>
|
||||||
|
<tr>
|
||||||
|
<td><code>Install.ps1</code></td>
|
||||||
|
<td>Kopierer RDP-filer til skrivebord(e), opretter selvsigneret
|
||||||
|
certifikat og signerer alle RDP-filer. Understøtter
|
||||||
|
<code>-AllUsers</code> switch.
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td><code>Detect.ps1</code></td>
|
||||||
|
<td>Tjekker at specifikke forventede .rdp-filer (defineret i
|
||||||
|
<code>$expectedFiles</code> array) eksisterer på skrivebord(e).
|
||||||
|
Understøtter <code>-AllUsers</code> switch.
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td><code>Uninstall.ps1</code></td>
|
||||||
|
<td>Fjerner RDP-filer fra skrivebord(e). Understøtter
|
||||||
|
<code>-AllUsers</code> switch.
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td><code>SignOnly.ps1</code></td>
|
||||||
|
<td>Signerer eksisterende RDP-filer på skrivebord(e) — ingen
|
||||||
|
filkopiering. Understøtter <code>-AllUsers</code> switch.</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td><code>SignOnly_detect.ps1</code></td>
|
||||||
|
<td>Registrerer om certifikat er til stede og alle RDP-filer på
|
||||||
|
skrivebord(e) er signerede. Understøtter <code>-AllUsers</code>
|
||||||
|
switch.</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td><code>Clearsigning.ps1</code></td>
|
||||||
|
<td>Fjerner signaturer fra RDP-filer og rydder op i certifikat og
|
||||||
|
registry (til oprydning/debug). Understøtter <code>-AllUsers</code>
|
||||||
|
switch.</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td><code>sandbox.ps1</code></td>
|
||||||
|
<td>Kombineret install + detect script til lokal sandkasse-test.
|
||||||
|
Understøtter <code>-AllUsers</code> switch.</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td><code>rdp-files\*.rdp</code></td>
|
||||||
|
<td>Kilde-RDP-filer der installeres på skrivebord(e)</td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
<p><a href="#rdp---intunewin-pakke">↑ Tilbage til toppen</a></p>
|
||||||
|
<hr />
|
||||||
|
<h2 id="sådan-opsætter-du-detect.ps1">Sådan opsætter du Detect.ps1</h2>
|
||||||
|
<p>Før du uploader <code>Detect.ps1</code> til Intune som
|
||||||
|
registreringsregel, skal du åbne filen og udfylde
|
||||||
|
<code>$expectedFiles</code> array med de <code>.rdp</code> filnavne der
|
||||||
|
ligger i <code>.\\rdp-files\\</code>:
|
||||||
|
</p>
|
||||||
|
<div class="sourceCode" id="cb1">
|
||||||
|
<pre class="sourceCode powershell"><code class="sourceCode powershell"><span id="cb1-1"><a href="#cb1-1" aria-hidden="true" tabindex="-1"></a><span class="va">$expectedFiles</span> <span class="op">=</span> <span class="op">@(</span></span>
|
||||||
|
<span id="cb1-2"><a href="#cb1-2" aria-hidden="true" tabindex="-1"></a> <span class="st">"Server1.rdp"</span><span class="op">,</span></span>
|
||||||
|
<span id="cb1-3"><a href="#cb1-3" aria-hidden="true" tabindex="-1"></a> <span class="st">"Server2.rdp"</span><span class="op">,</span></span>
|
||||||
|
<span id="cb1-4"><a href="#cb1-4" aria-hidden="true" tabindex="-1"></a> <span class="st">"DesktopApp.rdp"</span></span>
|
||||||
|
<span id="cb1-5"><a href="#cb1-5" aria-hidden="true" tabindex="-1"></a><span class="op">)</span></span></code></pre>
|
||||||
|
</div>
|
||||||
|
<p>Når scriptet kører: - Uden <code>-AllUsers</code>: tjekker at alle
|
||||||
|
filer i <code>$expectedFiles</code> findes på det offentlige skrivebord
|
||||||
|
(<code>C:\Users\Public\Desktop</code>) - Med <code>-AllUsers</code>:
|
||||||
|
tjekker alle filer i <code>$expectedFiles</code> på tværs af alle
|
||||||
|
brugeres skriveborde - Returnerer <code>exit 0</code> = installeret
|
||||||
|
(alle filer fundet) - Returnerer <code>exit 1</code> = ikke installeret
|
||||||
|
(en eller flere filer mangler)</p>
|
||||||
|
<blockquote>
|
||||||
|
<p><strong>Vigtigt:</strong> Husk at opdatere
|
||||||
|
<code>$expectedFiles</code> hver gang du tilføjer eller fjerner
|
||||||
|
<code>.rdp</code> filer i pakken, ellers vil detekteringen være
|
||||||
|
forkert.
|
||||||
|
</p>
|
||||||
|
</blockquote>
|
||||||
|
<hr />
|
||||||
|
<h2 id="intune-app-konfiguration">Intune App Konfiguration</h2>
|
||||||
|
<h3 id="program">Program</h3>
|
||||||
|
<ul>
|
||||||
|
<li><strong>Installationskommando:</strong>
|
||||||
|
<code>powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1</code>
|
||||||
|
</li>
|
||||||
|
<li><strong>Installationskommando (alle brugeres skriveborde):</strong>
|
||||||
|
<code>powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1 -AllUsers</code>
|
||||||
|
</li>
|
||||||
|
<li><strong>Afinstallationskommando:</strong>
|
||||||
|
<code>powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1</code>
|
||||||
|
</li>
|
||||||
|
<li><strong>Afinstallationskommando (alle brugeres
|
||||||
|
skriveborde):</strong>
|
||||||
|
<code>powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1 -AllUsers</code>
|
||||||
|
</li>
|
||||||
|
<li><strong>Installationsadfærd:</strong> System</li>
|
||||||
|
</ul>
|
||||||
|
<h3 id="registreringsregel">Registreringsregel</h3>
|
||||||
|
<p>Brug et brugerdefineret registreringsscript: -
|
||||||
|
<strong>Scriptfil:</strong> <code>Detect.ps1</code> - <strong>Kør script
|
||||||
|
som 32-bit proces på 64-bit klienter:</strong> Nej - <strong>Gennemtving
|
||||||
|
scriptsignaturkontrol:</strong> Nej
|
||||||
|
</p>
|
||||||
|
<p>Registreringslogik: - Uden <code>-AllUsers</code>: tjekker at alle
|
||||||
|
<code>.rdp</code>-filer er til stede på det offentlige skrivebord
|
||||||
|
(<code>C:\Users\Public\Desktop</code>) - Med <code>-AllUsers</code>:
|
||||||
|
tjekker alle brugeres skriveborde under <code>C:\Users\</code> -
|
||||||
|
Returnerer <code>exit 0</code> = installeret - Returnerer
|
||||||
|
<code>exit 1</code> = ikke installeret
|
||||||
|
</p>
|
||||||
|
<p><a href="#rdp---intunewin-pakke">↑ Tilbage til toppen</a></p>
|
||||||
|
<hr />
|
||||||
|
<h2 id="hvad-install.ps1-gør">Hvad Install.ps1 gør</h2>
|
||||||
|
<ol type="1">
|
||||||
|
<li>Finder målskrivebord(e) — offentligt skrivebord som standard, alle
|
||||||
|
brugeres skriveborde med <code>-AllUsers</code>. Med <code>-AllUsers</code>
|
||||||
|
søges 2 mapper ned så OneDrive-omdirigeret Desktop også fanges</li>
|
||||||
|
<li>Kopierer alle <code>.rdp</code>-filer fra <code>.\rdp-files\</code>
|
||||||
|
til de fundne skrivebord(e)</li>
|
||||||
|
<li>Søger efter eksisterende selvsigneret certifikat
|
||||||
|
(<code>CN=RDPSign</code>) i <code>Cert:\LocalMachine\My</code></li>
|
||||||
|
<li>Opretter et nyt selvsigneret kodesigneringscertifikat hvis intet
|
||||||
|
findes (gyldigt i 25 år, ikke-eksporterbart)</li>
|
||||||
|
<li>Tilføjer certifikatet til <code>Trusted Root</code> og
|
||||||
|
<code>Trusted Publishers</code> i den lokale maskines
|
||||||
|
certifikatstore
|
||||||
|
</li>
|
||||||
|
<li>Tilføjer certifikatets thumbprint til registry-nøglen
|
||||||
|
<code>TrustedCertThumbprints</code>
|
||||||
|
</li>
|
||||||
|
<li>Signerer alle <code>.rdp</code>-filer på skrivebord(e) med
|
||||||
|
<code>rdpsign.exe /sha256</code>
|
||||||
|
</li>
|
||||||
|
<li>Sætter <code>RedirectionWarningDialogVersion = 1</code> i registry
|
||||||
|
for at undertrykke RDP-advarselsdialoger</li>
|
||||||
|
</ol>
|
||||||
|
<p><a href="#rdp---intunewin-pakke">↑ Tilbage til toppen</a></p>
|
||||||
|
<hr />
|
||||||
|
<h2 id="allusers-switch">AllUsers Switch</h2>
|
||||||
|
<p>Alle scripts understøtter <code>-AllUsers</code> switchen. Som
|
||||||
|
standard — uden <code>-AllUsers</code> — køres alle scripts kun mod det
|
||||||
|
<strong>offentlige skrivebord</strong>
|
||||||
|
(<code>C:\Users\Public\Desktop</code>). Når <code>-AllUsers</code>
|
||||||
|
angives, søger scriptet i stedet på tværs af alle brugerprofiler under
|
||||||
|
<code>C:\Users\</code> (ekskl. <code>Public</code>/<code>Default</code>).
|
||||||
|
Der søges 2 mapper ned (<code>-Depth 2</code>) for at fange både standard
|
||||||
|
<code>Desktop</code> og OneDrive-omdirigeret <code>Desktop</code>.
|
||||||
|
</p>
|
||||||
|
<div class="sourceCode" id="cb2">
|
||||||
|
<pre
|
||||||
|
class="sourceCode powershell"><code class="sourceCode powershell"><span id="cb2-1"><a href="#cb2-1" aria-hidden="true" tabindex="-1"></a><span class="co"># Kun offentligt skrivebord (standard)</span></span>
|
||||||
|
<span id="cb2-2"><a href="#cb2-2" aria-hidden="true" tabindex="-1"></a><span class="op">.</span>\Install<span class="op">.</span><span class="fu">ps1</span></span>
|
||||||
|
<span id="cb2-3"><a href="#cb2-3" aria-hidden="true" tabindex="-1"></a></span>
|
||||||
|
<span id="cb2-4"><a href="#cb2-4" aria-hidden="true" tabindex="-1"></a><span class="co"># Alle brugeres skriveborde</span></span>
|
||||||
|
<span id="cb2-5"><a href="#cb2-5" aria-hidden="true" tabindex="-1"></a><span class="op">.</span>\Install<span class="op">.</span><span class="fu">ps1</span> <span class="op">-</span>AllUsers</span></code></pre>
|
||||||
|
</div>
|
||||||
|
<p><a href="#rdp---intunewin-pakke">↑ Tilbage til toppen</a></p>
|
||||||
|
<hr />
|
||||||
|
<h2 id="registry-ændringer">Registry-ændringer</h2>
|
||||||
|
<table>
|
||||||
|
<colgroup>
|
||||||
|
<col style="width: 20%" />
|
||||||
|
<col style="width: 29%" />
|
||||||
|
<col style="width: 25%" />
|
||||||
|
<col style="width: 25%" />
|
||||||
|
</colgroup>
|
||||||
|
<thead>
|
||||||
|
<tr>
|
||||||
|
<th>Sti</th>
|
||||||
|
<th>Værdi</th>
|
||||||
|
<th>Type</th>
|
||||||
|
<th>Data</th>
|
||||||
|
</tr>
|
||||||
|
</thead>
|
||||||
|
<tbody>
|
||||||
|
<tr>
|
||||||
|
<td><code>HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services</code></td>
|
||||||
|
<td><code>TrustedCertThumbprints</code></td>
|
||||||
|
<td>String</td>
|
||||||
|
<td>Certifikatets thumbprint</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td><code>HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client</code></td>
|
||||||
|
<td><code>RedirectionWarningDialogVersion</code></td>
|
||||||
|
<td>DWORD</td>
|
||||||
|
<td><code>1</code></td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
<p><a href="#rdp---intunewin-pakke">↑ Tilbage til toppen</a></p>
|
||||||
|
<hr />
|
||||||
|
<h2 id="logning-og-fejlfinding">Logning og fejlfinding</h2>
|
||||||
|
<table>
|
||||||
|
<thead>
|
||||||
|
<tr>
|
||||||
|
<th>Script</th>
|
||||||
|
<th>Logfil</th>
|
||||||
|
</tr>
|
||||||
|
</thead>
|
||||||
|
<tbody>
|
||||||
|
<tr>
|
||||||
|
<td><code>Install.ps1</code></td>
|
||||||
|
<td><code>C:\Intune\DesktopShortcuts.log</code></td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td><code>Detect.ps1</code></td>
|
||||||
|
<td><code>C:\Intune\DesktopShortcuts.log</code></td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td><code>Uninstall.ps1</code></td>
|
||||||
|
<td><code>C:\Intune\DesktopShortcuts.log</code></td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td><code>SignOnly.ps1</code></td>
|
||||||
|
<td><code>C:\Intune\RDPSign.log</code></td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
<p><a href="#rdp---intunewin-pakke">↑ Tilbage til toppen</a></p>
|
||||||
|
<hr />
|
||||||
|
<h2 id="signonly-intune-app-konfiguration">SignOnly Intune App
|
||||||
|
Konfiguration</h2>
|
||||||
|
<h3 id="program-1">Program</h3>
|
||||||
|
<ul>
|
||||||
|
<li><strong>Installationskommando:</strong>
|
||||||
|
<code>powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1</code>
|
||||||
|
</li>
|
||||||
|
<li><strong>Installationskommando (alle brugeres skriveborde):</strong>
|
||||||
|
<code>powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1 -AllUsers</code>
|
||||||
|
</li>
|
||||||
|
<li><strong>Afinstallationskommando:</strong>
|
||||||
|
<code>powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1</code>
|
||||||
|
</li>
|
||||||
|
<li><strong>Afinstallationskommando (alle brugeres
|
||||||
|
skriveborde):</strong>
|
||||||
|
<code>powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1 -AllUsers</code>
|
||||||
|
</li>
|
||||||
|
<li><strong>Installationsadfærd:</strong> System</li>
|
||||||
|
</ul>
|
||||||
|
<h3 id="registreringsregel-1">Registreringsregel</h3>
|
||||||
|
<p>Brug et brugerdefineret registreringsscript: -
|
||||||
|
<strong>Scriptfil:</strong> <code>SignOnly_detect.ps1</code> -
|
||||||
|
<strong>Kør script som 32-bit proces på 64-bit klienter:</strong> Nej -
|
||||||
|
<strong>Gennemtving scriptsignaturkontrol:</strong> Nej
|
||||||
|
</p>
|
||||||
|
<p>Registreringslogik: - Tjekker at <code>CN=RDPSign</code>-certifikatet
|
||||||
|
findes i <code>My</code>, <code>Root</code> og
|
||||||
|
<code>TrustedPublisher</code> stores - Tjekker at thumbprint er til
|
||||||
|
stede i registry - Uden <code>-AllUsers</code>: tjekker at alle
|
||||||
|
<code>.rdp</code>-filer på det offentlige skrivebord er signerede - Med
|
||||||
|
<code>-AllUsers</code>: tjekker alle <code>.rdp</code>-filer på tværs af
|
||||||
|
alle brugeres skriveborde - Returnerer <code>exit 0</code> +
|
||||||
|
<code>"Detected"</code> = installeret - Returnerer <code>exit 1</code> =
|
||||||
|
ikke installeret
|
||||||
|
</p>
|
||||||
|
<p><a href="#rdp---intunewin-pakke">↑ Tilbage til toppen</a></p>
|
||||||
|
<hr />
|
||||||
|
<h2 id="øvrige-scripts-i-pakken">Øvrige scripts i pakken</h2>
|
||||||
|
<blockquote>
|
||||||
|
<p><strong>Bemærk:</strong> Alle PowerShell-scripts er pakket ind i
|
||||||
|
samme IntuneWin-pakke. Det betyder at man altid kan kalde på et
|
||||||
|
vilkårligt script direkte fra Intune eller manuelt, f.eks.:</p>
|
||||||
|
<div class="sourceCode" id="cb3">
|
||||||
|
<pre
|
||||||
|
class="sourceCode powershell"><code class="sourceCode powershell"><span id="cb3-1"><a href="#cb3-1" aria-hidden="true" tabindex="-1"></a>powershell<span class="op">.</span><span class="fu">exe</span> <span class="op">-</span>ExecutionPolicy Bypass <span class="op">-</span>NoProfile <span class="op">-</span>WindowStyle Hidden <span class="op">-</span>File <span class="op">.</span>\Install<span class="op">.</span><span class="fu">ps1</span></span>
|
||||||
|
<span id="cb3-2"><a href="#cb3-2" aria-hidden="true" tabindex="-1"></a>powershell<span class="op">.</span><span class="fu">exe</span> <span class="op">-</span>ExecutionPolicy Bypass <span class="op">-</span>NoProfile <span class="op">-</span>WindowStyle Hidden <span class="op">-</span>File <span class="op">.</span>\Install<span class="op">.</span><span class="fu">ps1</span> <span class="op">-</span>AllUsers</span>
|
||||||
|
<span id="cb3-3"><a href="#cb3-3" aria-hidden="true" tabindex="-1"></a>powershell<span class="op">.</span><span class="fu">exe</span> <span class="op">-</span>ExecutionPolicy Bypass <span class="op">-</span>NoProfile <span class="op">-</span>WindowStyle Hidden <span class="op">-</span>File <span class="op">.</span>\SignOnly<span class="op">.</span><span class="fu">ps1</span></span>
|
||||||
|
<span id="cb3-4"><a href="#cb3-4" aria-hidden="true" tabindex="-1"></a>powershell<span class="op">.</span><span class="fu">exe</span> <span class="op">-</span>ExecutionPolicy Bypass <span class="op">-</span>NoProfile <span class="op">-</span>WindowStyle Hidden <span class="op">-</span>File <span class="op">.</span>\SignOnly<span class="op">.</span><span class="fu">ps1</span> <span class="op">-</span>AllUsers</span>
|
||||||
|
<span id="cb3-5"><a href="#cb3-5" aria-hidden="true" tabindex="-1"></a>powershell<span class="op">.</span><span class="fu">exe</span> <span class="op">-</span>ExecutionPolicy Bypass <span class="op">-</span>NoProfile <span class="op">-</span>WindowStyle Hidden <span class="op">-</span>File <span class="op">.</span>\Clearsigning<span class="op">.</span><span class="fu">ps1</span></span>
|
||||||
|
<span id="cb3-6"><a href="#cb3-6" aria-hidden="true" tabindex="-1"></a>powershell<span class="op">.</span><span class="fu">exe</span> <span class="op">-</span>ExecutionPolicy Bypass <span class="op">-</span>NoProfile <span class="op">-</span>WindowStyle Hidden <span class="op">-</span>File <span class="op">.</span>\Clearsigning<span class="op">.</span><span class="fu">ps1</span> <span class="op">-</span>AllUsers</span></code></pre>
|
||||||
|
</div>
|
||||||
|
<p>osv. for alle scripts i pakken.</p>
|
||||||
|
</blockquote>
|
||||||
|
<h3 id="signonly.ps1"><code>SignOnly.ps1</code></h3>
|
||||||
|
<p>Signerer alle eksisterende <code>.rdp</code>-filer på skrivebord(e)
|
||||||
|
uden at kopiere filer. Nyttigt til gensignering efter en opdatering
|
||||||
|
eller hvis filer allerede er installeret. Kør som administrator.
|
||||||
|
Understøtter <code>-AllUsers</code> switch.</p>
|
||||||
|
<h3 id="signonly_detect.ps1"><code>SignOnly_detect.ps1</code></h3>
|
||||||
|
<p>Registreringsscript til brug med <code>SignOnly.ps1</code> som
|
||||||
|
Intune-pakke. Tjekker: - Certifikat findes i <code>My</code>,
|
||||||
|
<code>Root</code> og <code>TrustedPublisher</code> stores - Thumbprint
|
||||||
|
er til stede i registry - Alle <code>.rdp</code>-filer på skrivebord(e)
|
||||||
|
indeholder en gyldig signatur
|
||||||
|
</p>
|
||||||
|
<p>Understøtter <code>-AllUsers</code> switch.</p>
|
||||||
|
<h3 id="clearsigning.ps1"><code>Clearsigning.ps1</code></h3>
|
||||||
|
<p>Fjerner alle signeringsartefakter. Nyttigt til test eller oprydning.
|
||||||
|
Kør som administrator. Understøtter <code>-AllUsers</code> switch. -
|
||||||
|
Fjerner <code>signscope</code>- og <code>signature</code>-linjer fra
|
||||||
|
alle <code>.rdp</code>-filer på skrivebord(e) - Fjerner
|
||||||
|
<code>CN=RDPSign</code>-certifikatet fra <code>My</code>,
|
||||||
|
<code>Root</code> og <code>TrustedPublisher</code> stores - Fjerner
|
||||||
|
<code>TrustedCertThumbprints</code> fra registry - Fjerner
|
||||||
|
<code>RedirectionWarningDialogVersion</code> fra registry
|
||||||
|
</p>
|
||||||
|
<h3 id="sandbox.ps1"><code>sandbox.ps1</code></h3>
|
||||||
|
<p>Kombinerer install og detect i ét script til lokal sandkasse-test.
|
||||||
|
Understøtter <code>-AllUsers</code> switch. Kør fra mappen der
|
||||||
|
indeholder <code>rdp-files\</code> som administrator. Output skrives til
|
||||||
|
både konsollen og <code>C:\Intune\DesktopShortcuts.log</code>.</p>
|
||||||
|
<p><a href="#rdp---intunewin-pakke">↑ Tilbage til toppen</a></p>
|
||||||
@@ -1,191 +1,214 @@
|
|||||||
# RDP - IntuneWin Pakke
|
# RDP - IntuneWin Pakke
|
||||||
|
|
||||||
> Denne pakke installerer og signerer RDP-genveje på skrivebordet via et selvsigneret certifikat, så brugerne ikke får en sikkerhedsadvarsel ved åbning.
|
> Denne pakke installerer og signerer RDP-genveje på skrivebordet via et selvsigneret certifikat, så brugerne ikke får en sikkerhedsadvarsel ved åbning.
|
||||||
> Som standard arbejder alle scripts mod det **offentlige skrivebord** (`C:\Users\Public\Desktop`).
|
> Som standard arbejder alle scripts mod det **offentlige skrivebord** (`C:\Users\Public\Desktop`).
|
||||||
> Brug `-AllUsers` switchen for at køre mod alle brugeres individuelle skriveborde i stedet.
|
> Brug `-AllUsers` switchen for at køre mod alle brugeres individuelle skriveborde i stedet.
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## Indhold
|
## Indhold
|
||||||
|
|
||||||
- [Pakkens indhold](#pakkens-indhold)
|
- [Pakkens indhold](#pakkens-indhold)
|
||||||
- [Intune App Konfiguration](#intune-app-konfiguration)
|
- [Intune App Konfiguration](#intune-app-konfiguration)
|
||||||
- [Hvad Install.ps1 gør](#hvad-installps1-gør)
|
- [Hvad Install.ps1 gør](#hvad-installps1-gør)
|
||||||
- [AllUsers Switch](#allusers-switch)
|
- [Sådan opsætter du Detect.ps1](#sådan-opsætter-du-detectps1)
|
||||||
- [Registry-ændringer](#registry-ændringer)
|
- [AllUsers Switch](#allusers-switch)
|
||||||
- [Logning og fejlfinding](#logning-og-fejlfinding)
|
- [Registry-ændringer](#registry-ændringer)
|
||||||
- [SignOnly Intune App Konfiguration](#signonly-intune-app-konfiguration)
|
- [Logning og fejlfinding](#logning-og-fejlfinding)
|
||||||
- [Øvrige scripts i pakken](#øvrige-scripts-i-pakken)
|
- [SignOnly Intune App Konfiguration](#signonly-intune-app-konfiguration)
|
||||||
|
- [Øvrige scripts i pakken](#øvrige-scripts-i-pakken)
|
||||||
---
|
|
||||||
|
---
|
||||||
## Pakkens indhold
|
|
||||||
|
## Pakkens indhold
|
||||||
| Fil | Formål |
|
|
||||||
|-----|--------|
|
| Fil | Formål |
|
||||||
| `Install.ps1` | Kopierer RDP-filer til skrivebord(e), opretter selvsigneret certifikat og signerer alle RDP-filer. Understøtter `-AllUsers` switch. |
|
|-----|--------|
|
||||||
| `Detect.ps1` | Registrerer om alle RDP-filer fra pakken er til stede på skrivebord(e). Understøtter `-AllUsers` switch. |
|
| `Install.ps1` | Kopierer RDP-filer til skrivebord(e), opretter selvsigneret certifikat og signerer alle RDP-filer. Understøtter `-AllUsers` switch. |
|
||||||
| `Uninstall.ps1` | Fjerner RDP-filer fra skrivebord(e). Understøtter `-AllUsers` switch. |
|
| `Detect.ps1` | Tjekker at specifikke forventede .rdp-filer (defineret i `$expectedFiles` array) eksisterer på skrivebord(e). Understøtter `-AllUsers` switch. |
|
||||||
| `SignOnly.ps1` | Signerer eksisterende RDP-filer på skrivebord(e) — ingen filkopiering. Understøtter `-AllUsers` switch. |
|
| `Uninstall.ps1` | Fjerner RDP-filer fra skrivebord(e). Understøtter `-AllUsers` switch. |
|
||||||
| `SignOnly_detect.ps1` | Registrerer om certifikat er til stede og alle RDP-filer på skrivebord(e) er signerede. Understøtter `-AllUsers` switch. |
|
| `SignOnly.ps1` | Signerer eksisterende RDP-filer på skrivebord(e) — ingen filkopiering. Understøtter `-AllUsers` switch. |
|
||||||
| `Clearsigning.ps1` | Fjerner signaturer fra RDP-filer og rydder op i certifikat og registry (til oprydning/debug). Understøtter `-AllUsers` switch. |
|
| `SignOnly_detect.ps1` | Registrerer om certifikat er til stede og alle RDP-filer på skrivebord(e) er signerede. Understøtter `-AllUsers` switch. |
|
||||||
| `sandbox.ps1` | Kombineret install + detect script til lokal sandkasse-test. Understøtter `-AllUsers` switch. |
|
| `Clearsigning.ps1` | Fjerner signaturer fra RDP-filer og rydder op i certifikat og registry (til oprydning/debug). Understøtter `-AllUsers` switch. |
|
||||||
| `rdp-files\*.rdp` | Kilde-RDP-filer der installeres på skrivebord(e) |
|
| `sandbox.ps1` | Kombineret install + detect script til lokal sandkasse-test. Understøtter `-AllUsers` switch. |
|
||||||
|
| `rdp-files\*.rdp` | Kilde-RDP-filer der installeres på skrivebord(e) |
|
||||||
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
|
|
||||||
|
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
|
||||||
---
|
|
||||||
|
---
|
||||||
## Intune App Konfiguration
|
|
||||||
|
## Sådan opsætter du Detect.ps1
|
||||||
### Program
|
|
||||||
- **Installationskommando:**
|
Før du uploader `Detect.ps1` til Intune som registreringsregel, skal du åbne filen og udfylde `$expectedFiles` array med de `.rdp` filnavne der ligger i `.\\rdp-files\\`:
|
||||||
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1`
|
|
||||||
- **Installationskommando (alle brugeres skriveborde):**
|
```powershell
|
||||||
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1 -AllUsers`
|
$expectedFiles = @(
|
||||||
- **Afinstallationskommando:**
|
"Server1.rdp",
|
||||||
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1`
|
"Server2.rdp",
|
||||||
- **Afinstallationskommando (alle brugeres skriveborde):**
|
"DesktopApp.rdp"
|
||||||
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1 -AllUsers`
|
)
|
||||||
- **Installationsadfærd:** System
|
```
|
||||||
|
|
||||||
### Registreringsregel
|
Når scriptet kører:
|
||||||
Brug et brugerdefineret registreringsscript:
|
- Uden `-AllUsers`: tjekker at alle filer i `$expectedFiles` findes på det offentlige skrivebord (`C:\Users\Public\Desktop`)
|
||||||
- **Scriptfil:** `Detect.ps1`
|
- Med `-AllUsers`: tjekker alle filer i `$expectedFiles` på tværs af alle brugeres skriveborde
|
||||||
- **Kør script som 32-bit proces på 64-bit klienter:** Nej
|
- Returnerer `exit 0` = installeret (alle filer fundet)
|
||||||
- **Gennemtving scriptsignaturkontrol:** Nej
|
- Returnerer `exit 1` = ikke installeret (en eller flere filer mangler)
|
||||||
|
|
||||||
Registreringslogik:
|
> **Vigtigt:** Husk at opdatere `$expectedFiles` hver gang du tilføjer eller fjerner `.rdp` filer i pakken, ellers vil detekteringen være forkert.
|
||||||
- Uden `-AllUsers`: tjekker at alle `.rdp`-filer er til stede på det offentlige skrivebord (`C:\Users\Public\Desktop`)
|
|
||||||
- Med `-AllUsers`: tjekker alle brugeres skriveborde under `C:\Users\`
|
---
|
||||||
- Returnerer `exit 0` = installeret
|
|
||||||
- Returnerer `exit 1` = ikke installeret
|
## Intune App Konfiguration
|
||||||
|
|
||||||
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
|
### Program
|
||||||
|
- **Installationskommando:**
|
||||||
---
|
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1`
|
||||||
|
- **Installationskommando (alle brugeres skriveborde):**
|
||||||
## Hvad Install.ps1 gør
|
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1 -AllUsers`
|
||||||
|
- **Afinstallationskommando:**
|
||||||
1. Finder målskrivebord(e) — offentligt skrivebord som standard, alle brugeres skriveborde med `-AllUsers`
|
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1`
|
||||||
2. Kopierer alle `.rdp`-filer fra `.\rdp-files\` til de fundne skrivebord(e)
|
- **Afinstallationskommando (alle brugeres skriveborde):**
|
||||||
3. Søger efter eksisterende selvsigneret certifikat (`CN=RDPSign`) i `Cert:\LocalMachine\My`
|
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1 -AllUsers`
|
||||||
4. Opretter et nyt selvsigneret kodesigneringscertifikat hvis intet findes (gyldigt i 25 år, ikke-eksporterbart)
|
- **Installationsadfærd:** System
|
||||||
5. Tilføjer certifikatet til `Trusted Root` og `Trusted Publishers` i den lokale maskines certifikatstore
|
|
||||||
6. Tilføjer certifikatets thumbprint til registry-nøglen `TrustedCertThumbprints`
|
### Registreringsregel
|
||||||
7. Signerer alle `.rdp`-filer på skrivebord(e) med `rdpsign.exe /sha256`
|
Brug et brugerdefineret registreringsscript:
|
||||||
8. Sætter `RedirectionWarningDialogVersion = 1` i registry for at undertrykke RDP-advarselsdialoger
|
- **Scriptfil:** `Detect.ps1`
|
||||||
|
- **Kør script som 32-bit proces på 64-bit klienter:** Nej
|
||||||
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
|
- **Gennemtving scriptsignaturkontrol:** Nej
|
||||||
|
|
||||||
---
|
Registreringslogik:
|
||||||
|
- Uden `-AllUsers`: tjekker at alle `.rdp`-filer er til stede på det offentlige skrivebord (`C:\Users\Public\Desktop`)
|
||||||
## AllUsers Switch
|
- Med `-AllUsers`: tjekker alle brugeres skriveborde under `C:\Users\`
|
||||||
|
- Returnerer `exit 0` = installeret
|
||||||
Alle scripts understøtter `-AllUsers` switchen. Som standard — uden `-AllUsers` — køres alle scripts kun mod det **offentlige skrivebord** (`C:\Users\Public\Desktop`). Når `-AllUsers` angives, itererer scriptet i stedet over alle brugerprofiler under `C:\Users\` og behandler hver brugers `Desktop`-mappe.
|
- Returnerer `exit 1` = ikke installeret
|
||||||
|
|
||||||
```powershell
|
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
|
||||||
# Kun offentligt skrivebord (standard)
|
|
||||||
.\Install.ps1
|
---
|
||||||
|
|
||||||
# Alle brugeres skriveborde
|
## Hvad Install.ps1 gør
|
||||||
.\Install.ps1 -AllUsers
|
|
||||||
```
|
1. Finder målskrivebord(e) — offentligt skrivebord som standard, alle brugeres skriveborde med `-AllUsers`. Med `-AllUsers` søges 2 mapper ned så OneDrive-omdirigeret Desktop også fanges
|
||||||
|
2. Kopierer alle `.rdp`-filer fra `.\rdp-files\` til de fundne skrivebord(e)
|
||||||
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
|
3. Søger efter eksisterende selvsigneret certifikat (`CN=RDPSign`) i `Cert:\LocalMachine\My`
|
||||||
|
4. Opretter et nyt selvsigneret kodesigneringscertifikat hvis intet findes (gyldigt i 25 år, ikke-eksporterbart)
|
||||||
---
|
5. Tilføjer certifikatet til `Trusted Root` og `Trusted Publishers` i den lokale maskines certifikatstore
|
||||||
|
6. Tilføjer certifikatets thumbprint til registry-nøglen `TrustedCertThumbprints`
|
||||||
## Registry-ændringer
|
7. Signerer alle `.rdp`-filer på skrivebord(e) med `rdpsign.exe /sha256`
|
||||||
|
8. Sætter `RedirectionWarningDialogVersion = 1` i registry for at undertrykke RDP-advarselsdialoger
|
||||||
| Sti | Værdi | Type | Data |
|
|
||||||
|-----|-------|------|------|
|
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
|
||||||
| `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` | `TrustedCertThumbprints` | String | Certifikatets thumbprint |
|
|
||||||
| `HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client` | `RedirectionWarningDialogVersion` | DWORD | `1` |
|
---
|
||||||
|
|
||||||
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
|
## AllUsers Switch
|
||||||
|
|
||||||
---
|
Alle scripts understøtter `-AllUsers` switchen. Som standard — uden `-AllUsers` — køres alle scripts kun mod det **offentlige skrivebord** (`C:\Users\Public\Desktop`). Når `-AllUsers` angives, søger scriptet i stedet på tværs af alle brugerprofiler under `C:\Users\` (ekskl. `Public`/`Default`). Der søges 2 mapper ned (`-Depth 2`) for at fange både standard `Desktop` og OneDrive-omdirigeret `Desktop`.
|
||||||
|
|
||||||
## Logning og fejlfinding
|
```powershell
|
||||||
|
# Kun offentligt skrivebord (standard)
|
||||||
| Script | Logfil |
|
.\Install.ps1
|
||||||
|--------|--------|
|
|
||||||
| `Install.ps1` | `C:\Intune\DesktopShortcuts.log` |
|
# Alle brugeres skriveborde
|
||||||
| `Detect.ps1` | `C:\Intune\DesktopShortcuts.log` |
|
.\Install.ps1 -AllUsers
|
||||||
| `Uninstall.ps1` | `C:\Intune\DesktopShortcuts.log` |
|
```
|
||||||
| `SignOnly.ps1` | `C:\Intune\RDPSign.log` |
|
|
||||||
|
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
|
||||||
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
|
|
||||||
|
---
|
||||||
---
|
|
||||||
|
## Registry-ændringer
|
||||||
## SignOnly Intune App Konfiguration
|
|
||||||
|
| Sti | Værdi | Type | Data |
|
||||||
### Program
|
|-----|-------|------|------|
|
||||||
- **Installationskommando:**
|
| `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` | `TrustedCertThumbprints` | String | Certifikatets thumbprint |
|
||||||
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1`
|
| `HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client` | `RedirectionWarningDialogVersion` | DWORD | `1` |
|
||||||
- **Installationskommando (alle brugeres skriveborde):**
|
|
||||||
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1 -AllUsers`
|
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
|
||||||
- **Afinstallationskommando:**
|
|
||||||
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1`
|
---
|
||||||
- **Afinstallationskommando (alle brugeres skriveborde):**
|
|
||||||
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1 -AllUsers`
|
## Logning og fejlfinding
|
||||||
- **Installationsadfærd:** System
|
|
||||||
|
| Script | Logfil |
|
||||||
### Registreringsregel
|
|--------|--------|
|
||||||
Brug et brugerdefineret registreringsscript:
|
| `Install.ps1` | `C:\Intune\DesktopShortcuts.log` |
|
||||||
- **Scriptfil:** `SignOnly_detect.ps1`
|
| `Detect.ps1` | `C:\Intune\DesktopShortcuts.log` |
|
||||||
- **Kør script som 32-bit proces på 64-bit klienter:** Nej
|
| `Uninstall.ps1` | `C:\Intune\DesktopShortcuts.log` |
|
||||||
- **Gennemtving scriptsignaturkontrol:** Nej
|
| `SignOnly.ps1` | `C:\Intune\RDPSign.log` |
|
||||||
|
|
||||||
Registreringslogik:
|
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
|
||||||
- Tjekker at `CN=RDPSign`-certifikatet findes i `My`, `Root` og `TrustedPublisher` stores
|
|
||||||
- Tjekker at thumbprint er til stede i registry
|
---
|
||||||
- Uden `-AllUsers`: tjekker at alle `.rdp`-filer på det offentlige skrivebord er signerede
|
|
||||||
- Med `-AllUsers`: tjekker alle `.rdp`-filer på tværs af alle brugeres skriveborde
|
## SignOnly Intune App Konfiguration
|
||||||
- Returnerer `exit 0` + `"Detected"` = installeret
|
|
||||||
- Returnerer `exit 1` = ikke installeret
|
### Program
|
||||||
|
- **Installationskommando:**
|
||||||
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
|
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1`
|
||||||
|
- **Installationskommando (alle brugeres skriveborde):**
|
||||||
---
|
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1 -AllUsers`
|
||||||
|
- **Afinstallationskommando:**
|
||||||
## Øvrige scripts i pakken
|
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1`
|
||||||
|
- **Afinstallationskommando (alle brugeres skriveborde):**
|
||||||
> **Bemærk:** Alle PowerShell-scripts er pakket ind i samme IntuneWin-pakke. Det betyder at man altid kan kalde på et vilkårligt script direkte fra Intune eller manuelt, f.eks.:
|
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1 -AllUsers`
|
||||||
>
|
- **Installationsadfærd:** System
|
||||||
> ```powershell
|
|
||||||
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1
|
### Registreringsregel
|
||||||
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1 -AllUsers
|
Brug et brugerdefineret registreringsscript:
|
||||||
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1
|
- **Scriptfil:** `SignOnly_detect.ps1`
|
||||||
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1 -AllUsers
|
- **Kør script som 32-bit proces på 64-bit klienter:** Nej
|
||||||
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1
|
- **Gennemtving scriptsignaturkontrol:** Nej
|
||||||
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1 -AllUsers
|
|
||||||
> ```
|
Registreringslogik:
|
||||||
> osv. for alle scripts i pakken.
|
- Tjekker at `CN=RDPSign`-certifikatet findes i `My`, `Root` og `TrustedPublisher` stores
|
||||||
|
- Tjekker at thumbprint er til stede i registry
|
||||||
### `SignOnly.ps1`
|
- Uden `-AllUsers`: tjekker at alle `.rdp`-filer på det offentlige skrivebord er signerede
|
||||||
Signerer alle eksisterende `.rdp`-filer på skrivebord(e) uden at kopiere filer. Nyttigt til gensignering efter en opdatering eller hvis filer allerede er installeret. Kør som administrator. Understøtter `-AllUsers` switch.
|
- Med `-AllUsers`: tjekker alle `.rdp`-filer på tværs af alle brugeres skriveborde
|
||||||
|
- Returnerer `exit 0` + `"Detected"` = installeret
|
||||||
### `SignOnly_detect.ps1`
|
- Returnerer `exit 1` = ikke installeret
|
||||||
Registreringsscript til brug med `SignOnly.ps1` som Intune-pakke. Tjekker:
|
|
||||||
- Certifikat findes i `My`, `Root` og `TrustedPublisher` stores
|
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
|
||||||
- Thumbprint er til stede i registry
|
|
||||||
- Alle `.rdp`-filer på skrivebord(e) indeholder en gyldig signatur
|
---
|
||||||
|
|
||||||
Understøtter `-AllUsers` switch.
|
## Øvrige scripts i pakken
|
||||||
|
|
||||||
### `Clearsigning.ps1`
|
> **Bemærk:** Alle PowerShell-scripts er pakket ind i samme IntuneWin-pakke. Det betyder at man altid kan kalde på et vilkårligt script direkte fra Intune eller manuelt, f.eks.:
|
||||||
Fjerner alle signeringsartefakter. Nyttigt til test eller oprydning. Kør som administrator. Understøtter `-AllUsers` switch.
|
>
|
||||||
- Fjerner `signscope`- og `signature`-linjer fra alle `.rdp`-filer på skrivebord(e)
|
> ```powershell
|
||||||
- Fjerner `CN=RDPSign`-certifikatet fra `My`, `Root` og `TrustedPublisher` stores
|
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1
|
||||||
- Fjerner `TrustedCertThumbprints` fra registry
|
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1 -AllUsers
|
||||||
- Fjerner `RedirectionWarningDialogVersion` fra registry
|
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1
|
||||||
|
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1 -AllUsers
|
||||||
### `sandbox.ps1`
|
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1
|
||||||
Kombinerer install og detect i ét script til lokal sandkasse-test. Understøtter `-AllUsers` switch.
|
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1 -AllUsers
|
||||||
Kør fra mappen der indeholder `rdp-files\` som administrator.
|
> ```
|
||||||
Output skrives til både konsollen og `C:\Intune\DesktopShortcuts.log`.
|
> osv. for alle scripts i pakken.
|
||||||
|
|
||||||
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
|
### `SignOnly.ps1`
|
||||||
|
Signerer alle eksisterende `.rdp`-filer på skrivebord(e) uden at kopiere filer. Nyttigt til gensignering efter en opdatering eller hvis filer allerede er installeret. Kør som administrator. Understøtter `-AllUsers` switch.
|
||||||
|
|
||||||
|
### `SignOnly_detect.ps1`
|
||||||
|
Registreringsscript til brug med `SignOnly.ps1` som Intune-pakke. Tjekker:
|
||||||
|
- Certifikat findes i `My`, `Root` og `TrustedPublisher` stores
|
||||||
|
- Thumbprint er til stede i registry
|
||||||
|
- Alle `.rdp`-filer på skrivebord(e) indeholder en gyldig signatur
|
||||||
|
|
||||||
|
Understøtter `-AllUsers` switch.
|
||||||
|
|
||||||
|
### `Clearsigning.ps1`
|
||||||
|
Fjerner alle signeringsartefakter. Nyttigt til test eller oprydning. Kør som administrator. Understøtter `-AllUsers` switch.
|
||||||
|
- Fjerner `signscope`- og `signature`-linjer fra alle `.rdp`-filer på skrivebord(e)
|
||||||
|
- Fjerner `CN=RDPSign`-certifikatet fra `My`, `Root` og `TrustedPublisher` stores
|
||||||
|
- Fjerner `TrustedCertThumbprints` fra registry
|
||||||
|
- Fjerner `RedirectionWarningDialogVersion` fra registry
|
||||||
|
|
||||||
|
### `sandbox.ps1`
|
||||||
|
Kombinerer install og detect i ét script til lokal sandkasse-test. Understøtter `-AllUsers` switch.
|
||||||
|
Kør fra mappen der indeholder `rdp-files\` som administrator.
|
||||||
|
Output skrives til både konsollen og `C:\Intune\DesktopShortcuts.log`.
|
||||||
|
|
||||||
|
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
|
||||||
|
|||||||
@@ -1,10 +1,8 @@
|
|||||||
# ============================================================
|
# ============================================================
|
||||||
# CHANGELOG
|
# CHANGELOG
|
||||||
# v1.1 - Added -AllUsers switch to remove signatures from RDP
|
# v1.2 - Get-DesktopPaths: Depth 2 search for OneDrive Desktop
|
||||||
# files on all user desktops instead of only the public
|
# v1.1 - AllUsers switch + Get-DesktopPaths helper
|
||||||
# desktop.
|
# v1.0 - Initial
|
||||||
# Added Get-DesktopPaths helper function.
|
|
||||||
# v1.0 - Initial version, clears signing on public desktop only.
|
|
||||||
# ============================================================
|
# ============================================================
|
||||||
|
|
||||||
param(
|
param(
|
||||||
@@ -13,15 +11,14 @@ param(
|
|||||||
|
|
||||||
function Get-DesktopPaths {
|
function Get-DesktopPaths {
|
||||||
if ($AllUsers) {
|
if ($AllUsers) {
|
||||||
Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
|
Get-ChildItem "$env:SystemDrive\Users" -Directory -Exclude "Public","Default" | ForEach-Object {
|
||||||
$path = Join-Path $_.FullName "Desktop"
|
Get-ChildItem $_.FullName -Directory -Filter "Desktop" -Depth 2 -ErrorAction SilentlyContinue |
|
||||||
if (Test-Path $path) { $path }
|
Select-Object -ExpandProperty FullName
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
[Environment]::GetFolderPath("CommonDesktopDirectory")
|
[Environment]::GetFolderPath("CommonDesktopDirectory")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$certSubject = "CN=RDPSign"
|
$certSubject = "CN=RDPSign"
|
||||||
|
|
||||||
# 1. Unsign RDP files
|
# 1. Unsign RDP files
|
||||||
|
|||||||
+20
-23
@@ -1,13 +1,17 @@
|
|||||||
# ============================================================
|
# ============================================================
|
||||||
# CHANGELOG
|
# CHANGELOG
|
||||||
# v1.1 - Added -AllUsers switch to check all user desktops
|
# v1.3 - Get-DesktopPaths: Depth 2 search for OneDrive Desktop
|
||||||
# instead of only the public desktop.
|
# v1.2 - Detect by expected filename list
|
||||||
# Added Get-DesktopPaths helper function.
|
# v1.1 - AllUsers switch + Get-DesktopPaths helper
|
||||||
# v1.0 - Initial version, checks public desktop only.
|
# v1.0 - Initial
|
||||||
# ============================================================
|
# ============================================================
|
||||||
|
# Update this list whenever .rdp files are added or removed
|
||||||
param(
|
# from the rdp-files\\ folder.
|
||||||
[switch]$AllUsers
|
# ============================================================
|
||||||
|
$expectedFiles = @(
|
||||||
|
# Add your .rdp filenames here, e.g.:
|
||||||
|
# "RemoteServer1.rdp",
|
||||||
|
# "RemoteServer2.rdp"
|
||||||
)
|
)
|
||||||
|
|
||||||
# Setup logging
|
# Setup logging
|
||||||
@@ -27,9 +31,9 @@ function Write-Log {
|
|||||||
|
|
||||||
function Get-DesktopPaths {
|
function Get-DesktopPaths {
|
||||||
if ($AllUsers) {
|
if ($AllUsers) {
|
||||||
Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
|
Get-ChildItem "$env:SystemDrive\Users" -Directory -Exclude "Public","Default" | ForEach-Object {
|
||||||
$path = Join-Path $_.FullName "Desktop"
|
Get-ChildItem $_.FullName -Directory -Filter "Desktop" -Depth 2 -ErrorAction SilentlyContinue |
|
||||||
if (Test-Path $path) { $path }
|
Select-Object -ExpandProperty FullName
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
[Environment]::GetFolderPath("CommonDesktopDirectory")
|
[Environment]::GetFolderPath("CommonDesktopDirectory")
|
||||||
@@ -37,28 +41,21 @@ function Get-DesktopPaths {
|
|||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
$desktopPaths = Get-DesktopPaths
|
$desktopPaths = Get-desktopPaths
|
||||||
$allFound = $true
|
$allFound = $true
|
||||||
|
|
||||||
foreach ($desktopPath in $desktopPaths) {
|
foreach ($desktopPath in $desktopPaths) {
|
||||||
$rdpFiles = Get-ChildItem -Path "$desktopPath\*.rdp" -ErrorAction SilentlyContinue
|
foreach ($fileName in $expectedFiles) {
|
||||||
|
$targetFile = Join-Path $desktopPath $fileName
|
||||||
if ($rdpFiles.Count -eq 0) {
|
if (-not (Test-Path $targetFile)) {
|
||||||
Write-Log "DETECT [FAIL]: No .rdp files found on desktop: $desktopPath"
|
Write-Log "DETECT [FAIL]: Missing: $fileName on $desktopPath"
|
||||||
$allFound = $false
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
foreach ($file in $rdpFiles) {
|
|
||||||
if (-not (Test-Path (Join-Path $desktopPath $file.Name))) {
|
|
||||||
Write-Log "DETECT [FAIL]: Missing: $($file.Name) on $desktopPath"
|
|
||||||
$allFound = $false
|
$allFound = $false
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($allFound) {
|
if ($allFound) {
|
||||||
Write-Log "DETECT [OK]: All .rdp files found on all desktop(s)"
|
Write-Log "DETECT [OK]: All expected .rdp files found"
|
||||||
exit 0
|
exit 0
|
||||||
} else {
|
} else {
|
||||||
exit 1
|
exit 1
|
||||||
|
|||||||
+6
-9
@@ -1,9 +1,8 @@
|
|||||||
# ============================================================
|
# ============================================================
|
||||||
# CHANGELOG
|
# CHANGELOG
|
||||||
# v1.1 - Added -AllUsers switch to deploy to all user desktops
|
# v1.2 - Get-DesktopPaths: Depth 2 search for OneDrive Desktop
|
||||||
# instead of only the public desktop.
|
# v1.1 - AllUsers switch + Get-DesktopPaths helper
|
||||||
# Added Get-DesktopPaths helper function.
|
# v1.0 - Initial
|
||||||
# v1.0 - Initial version, deploys to public desktop only.
|
|
||||||
# ============================================================
|
# ============================================================
|
||||||
|
|
||||||
param(
|
param(
|
||||||
@@ -34,16 +33,14 @@ function Write-Log {
|
|||||||
|
|
||||||
function Get-DesktopPaths {
|
function Get-DesktopPaths {
|
||||||
if ($AllUsers) {
|
if ($AllUsers) {
|
||||||
# Return desktop path for each user profile found
|
Get-ChildItem "$env:SystemDrive\Users" -Directory -Exclude "Public","Default" | ForEach-Object {
|
||||||
Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
|
Get-ChildItem $_.FullName -Directory -Filter "Desktop" -Depth 2 -ErrorAction SilentlyContinue |
|
||||||
$path = Join-Path $_.FullName "Desktop"
|
Select-Object -ExpandProperty FullName
|
||||||
if (Test-Path $path) { $path }
|
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
[Environment]::GetFolderPath("CommonDesktopDirectory")
|
[Environment]::GetFolderPath("CommonDesktopDirectory")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
$desktopPaths = Get-DesktopPaths
|
$desktopPaths = Get-DesktopPaths
|
||||||
Write-Log "Running in mode: $(if ($AllUsers) { 'All Users' } else { 'Public Desktop' })"
|
Write-Log "Running in mode: $(if ($AllUsers) { 'All Users' } else { 'Public Desktop' })"
|
||||||
|
|||||||
+6
-8
@@ -1,9 +1,8 @@
|
|||||||
# ============================================================
|
# ============================================================
|
||||||
# CHANGELOG
|
# CHANGELOG
|
||||||
# v1.1 - Added -AllUsers switch to sign RDP files on all user
|
# v1.2 - Get-DesktopPaths: Depth 2 search for OneDrive Desktop
|
||||||
# desktops instead of only the public desktop.
|
# v1.1 - AllUsers switch + Get-DesktopPaths helper
|
||||||
# Added Get-DesktopPaths helper function.
|
# v1.0 - Initial
|
||||||
# v1.0 - Initial version, signs on public desktop only.
|
|
||||||
# ============================================================
|
# ============================================================
|
||||||
|
|
||||||
param(
|
param(
|
||||||
@@ -34,15 +33,14 @@ function Write-Log {
|
|||||||
|
|
||||||
function Get-DesktopPaths {
|
function Get-DesktopPaths {
|
||||||
if ($AllUsers) {
|
if ($AllUsers) {
|
||||||
Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
|
Get-ChildItem "$env:SystemDrive\Users" -Directory -Exclude "Public","Default" | ForEach-Object {
|
||||||
$path = Join-Path $_.FullName "Desktop"
|
Get-ChildItem $_.FullName -Directory -Filter "Desktop" -Depth 2 -ErrorAction SilentlyContinue |
|
||||||
if (Test-Path $path) { $path }
|
Select-Object -ExpandProperty FullName
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
[Environment]::GetFolderPath("CommonDesktopDirectory")
|
[Environment]::GetFolderPath("CommonDesktopDirectory")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
$certSubjectName = "RDPSign"
|
$certSubjectName = "RDPSign"
|
||||||
$certSubject = "CN=$certSubjectName"
|
$certSubject = "CN=$certSubjectName"
|
||||||
|
|||||||
+89
-37
@@ -1,61 +1,113 @@
|
|||||||
# ============================================================
|
# ============================================================
|
||||||
# CHANGELOG
|
# CHANGELOG
|
||||||
# v1.1 - Added -AllUsers switch to check certificate and signed
|
# v1.3 - Added detailed logging for detect failures
|
||||||
# RDP files across all user desktops instead of only the
|
# v1.2 - Get-DesktopPaths: Depth 2 search for OneDrive Desktop
|
||||||
# public desktop.
|
# v1.1 - AllUsers switch + Get-DesktopPaths helper
|
||||||
# Added Get-DesktopPaths helper function.
|
# v1.0 - Initial
|
||||||
# v1.0 - Initial version, checks public desktop only.
|
|
||||||
# ============================================================
|
# ============================================================
|
||||||
|
|
||||||
param(
|
param(
|
||||||
[switch]$AllUsers
|
[switch]$AllUsers
|
||||||
)
|
)
|
||||||
|
|
||||||
|
# Setup logging
|
||||||
|
$baseFolder = Join-Path $env:SystemDrive "Intune"
|
||||||
|
$logFile = Join-Path $baseFolder "RDPSign.log"
|
||||||
|
|
||||||
|
if (-not (Test-Path $baseFolder)) {
|
||||||
|
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
|
||||||
|
}
|
||||||
|
|
||||||
|
function Write-Log {
|
||||||
|
param($Message)
|
||||||
|
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
|
||||||
|
Add-Content -Path $logFile -Value $logMessage
|
||||||
|
Write-Host $logMessage
|
||||||
|
}
|
||||||
|
|
||||||
function Get-DesktopPaths {
|
function Get-DesktopPaths {
|
||||||
if ($AllUsers) {
|
if ($AllUsers) {
|
||||||
Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
|
Get-ChildItem "$env:SystemDrive\Users" -Directory -Exclude "Public","Default" | ForEach-Object {
|
||||||
$path = Join-Path $_.FullName "Desktop"
|
Get-ChildItem $_.FullName -Directory -Filter "Desktop" -Depth 2 -ErrorAction SilentlyContinue |
|
||||||
if (Test-Path $path) { $path }
|
Select-Object -ExpandProperty FullName
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
[Environment]::GetFolderPath("CommonDesktopDirectory")
|
[Environment]::GetFolderPath("CommonDesktopDirectory")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$certSubject = "CN=RDPSign"
|
try {
|
||||||
|
Write-Log "=== SignOnly Detect START ==="
|
||||||
|
Write-Log "Running in mode: $(if ($AllUsers) { 'All Users' } else { 'Public Desktop' })"
|
||||||
|
|
||||||
# Check certificate exists in all three stores
|
$certSubject = "CN=RDPSign"
|
||||||
$certInMy = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $certSubject }
|
|
||||||
$certInRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $certSubject }
|
|
||||||
$certInPub = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object { $_.Subject -eq $certSubject }
|
|
||||||
|
|
||||||
if (-not $certInMy -or -not $certInRoot -or -not $certInPub) {
|
# Check certificate exists in all three stores
|
||||||
exit 1
|
Write-Log "Checking certificate: $certSubject..."
|
||||||
}
|
$certInMy = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $certSubject }
|
||||||
|
$certInRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $certSubject }
|
||||||
|
$certInPub = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object { $_.Subject -eq $certSubject }
|
||||||
|
|
||||||
# Check registry thumbprint
|
$certOk = $true
|
||||||
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
|
if (-not $certInMy) {
|
||||||
$thumbprintValue = (Get-ItemProperty -Path $gpoPath -Name "TrustedCertThumbprints" -ErrorAction SilentlyContinue).TrustedCertThumbprints
|
Write-Log "FAIL: Certificate not found in LocalMachine\My"
|
||||||
if ([string]::IsNullOrWhiteSpace($thumbprintValue)) {
|
$certOk = $false
|
||||||
exit 1
|
}
|
||||||
}
|
if (-not $certInRoot) {
|
||||||
|
Write-Log "FAIL: Certificate not found in LocalMachine\Root"
|
||||||
# Check that all RDP files on desktop(s) are signed
|
$certOk = $false
|
||||||
foreach ($desktopPath in (Get-DesktopPaths)) {
|
}
|
||||||
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -ErrorAction SilentlyContinue
|
if (-not $certInPub) {
|
||||||
|
Write-Log "FAIL: Certificate not found in LocalMachine\TrustedPublisher"
|
||||||
if ($rdpFiles.Count -eq 0) {
|
$certOk = $false
|
||||||
|
}
|
||||||
|
if (-not $certOk) {
|
||||||
exit 1
|
exit 1
|
||||||
}
|
}
|
||||||
|
Write-Log "OK: Certificate found in all stores"
|
||||||
|
|
||||||
foreach ($file in $rdpFiles) {
|
# Check registry thumbprint
|
||||||
$content = Get-Content $file.FullName -ErrorAction SilentlyContinue
|
Write-Log "Checking registry thumbprint..."
|
||||||
$hasSig = $content | Where-Object { $_ -match "^signature:s:" }
|
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
|
||||||
if (-not $hasSig) {
|
$thumbprintValue = (Get-ItemProperty -Path $gpoPath -Name "TrustedCertThumbprints" -ErrorAction SilentlyContinue).TrustedCertThumbprints
|
||||||
exit 1
|
if ([string]::IsNullOrWhiteSpace($thumbprintValue)) {
|
||||||
}
|
Write-Log "FAIL: TrustedCertThumbprints not found in registry"
|
||||||
|
exit 1
|
||||||
}
|
}
|
||||||
}
|
Write-Log "OK: Thumbprint found in registry"
|
||||||
|
|
||||||
Write-Host "Detected"
|
# Check that all RDP files on desktop(s) are signed
|
||||||
exit 0
|
Write-Log "Checking RDP file signatures..."
|
||||||
|
$desktopsChecked = 0
|
||||||
|
$filesChecked = 0
|
||||||
|
|
||||||
|
foreach ($desktopPath in (Get-DesktopPaths)) {
|
||||||
|
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -ErrorAction SilentlyContinue
|
||||||
|
|
||||||
|
if ($rdpFiles.Count -eq 0) {
|
||||||
|
Write-Log "Skip: No .rdp files on $desktopPath"
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
Write-Log "Found $($rdpFiles.Count) file(s) to check on: $desktopPath"
|
||||||
|
|
||||||
|
foreach ($file in $rdpFiles) {
|
||||||
|
$filesChecked++
|
||||||
|
$content = Get-Content $file.FullName -ErrorAction SilentlyContinue
|
||||||
|
$hasSig = $content | Where-Object { $_ -match "^signature:s:" }
|
||||||
|
if (-not $hasSig) {
|
||||||
|
Write-Log "FAIL: $($file.Name) on $desktopPath is not signed"
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
}
|
||||||
|
$desktopsChecked++
|
||||||
|
}
|
||||||
|
|
||||||
|
Write-Log "OK: All $filesChecked file(s) across $desktopsChecked desktop(s) are signed"
|
||||||
|
Write-Log "=== SignOnly Detect END - Installed ==="
|
||||||
|
exit 0
|
||||||
|
}
|
||||||
|
catch {
|
||||||
|
Write-Log "Error: $_"
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|||||||
+6
-8
@@ -1,9 +1,8 @@
|
|||||||
# ============================================================
|
# ============================================================
|
||||||
# CHANGELOG
|
# CHANGELOG
|
||||||
# v1.1 - Added -AllUsers switch to remove files from all user
|
# v1.2 - Get-DesktopPaths: Depth 2 search for OneDrive Desktop
|
||||||
# desktops instead of only the public desktop.
|
# v1.1 - AllUsers switch + Get-DesktopPaths helper
|
||||||
# Added Get-DesktopPaths helper function.
|
# v1.0 - Initial
|
||||||
# v1.0 - Initial version, removes from public desktop only.
|
|
||||||
# ============================================================
|
# ============================================================
|
||||||
|
|
||||||
param(
|
param(
|
||||||
@@ -27,15 +26,14 @@ function Write-Log {
|
|||||||
|
|
||||||
function Get-DesktopPaths {
|
function Get-DesktopPaths {
|
||||||
if ($AllUsers) {
|
if ($AllUsers) {
|
||||||
Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
|
Get-ChildItem "$env:SystemDrive\Users" -Directory -Exclude "Public","Default" | ForEach-Object {
|
||||||
$path = Join-Path $_.FullName "Desktop"
|
Get-ChildItem $_.FullName -Directory -Filter "Desktop" -Depth 2 -ErrorAction SilentlyContinue |
|
||||||
if (Test-Path $path) { $path }
|
Select-Object -ExpandProperty FullName
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
[Environment]::GetFolderPath("CommonDesktopDirectory")
|
[Environment]::GetFolderPath("CommonDesktopDirectory")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
$desktopPaths = Get-DesktopPaths
|
$desktopPaths = Get-DesktopPaths
|
||||||
Write-Log "Running in mode: $(if ($AllUsers) { 'All Users' } else { 'Public Desktop' })"
|
Write-Log "Running in mode: $(if ($AllUsers) { 'All Users' } else { 'Public Desktop' })"
|
||||||
|
|||||||
+3
-43
@@ -2,49 +2,9 @@
|
|||||||
# INSTALL + DETECT - Sandbox test script
|
# INSTALL + DETECT - Sandbox test script
|
||||||
# ============================================================
|
# ============================================================
|
||||||
# CHANGELOG
|
# CHANGELOG
|
||||||
# v1.1 - Added -AllUsers switch to deploy and detect across all
|
# v1.2 - Get-DesktopPaths: Depth 2 search for OneDrive Desktop
|
||||||
# user desktops instead of only the public desktop.
|
# v1.1 - AllUsers switch + Get-DesktopPaths helper
|
||||||
# Added Get-DesktopPaths helper function.
|
# v1.0 - Initial
|
||||||
# v1.0 - Initial version, public desktop only.
|
|
||||||
# ============================================================
|
|
||||||
|
|
||||||
param(
|
|
||||||
[switch]$AllUsers
|
|
||||||
)
|
|
||||||
|
|
||||||
# Setup logging
|
|
||||||
$baseFolder = Join-Path $env:SystemDrive "Intune"
|
|
||||||
$logFile = Join-Path $baseFolder "DesktopShortcuts.log"
|
|
||||||
|
|
||||||
# Check if Sysnative exists (means script is running in 32-bit mode on x64 OS)
|
|
||||||
if (Test-Path "$($env:windir)\Sysnative") {
|
|
||||||
$rdpSignPath = "$($env:windir)\Sysnative\rdpsign.exe"
|
|
||||||
} else {
|
|
||||||
$rdpSignPath = "$($env:windir)\System32\rdpsign.exe"
|
|
||||||
}
|
|
||||||
|
|
||||||
if (-not (Test-Path $baseFolder)) {
|
|
||||||
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
|
|
||||||
}
|
|
||||||
|
|
||||||
function Write-Log {
|
|
||||||
param($Message)
|
|
||||||
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
|
|
||||||
Add-Content -Path $logFile -Value $logMessage
|
|
||||||
Write-Host $logMessage
|
|
||||||
}
|
|
||||||
|
|
||||||
function Get-DesktopPaths {
|
|
||||||
if ($AllUsers) {
|
|
||||||
Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
|
|
||||||
$path = Join-Path $_.FullName "Desktop"
|
|
||||||
if (Test-Path $path) { $path }
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
[Environment]::GetFolderPath("CommonDesktopDirectory")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# ============================================================
|
# ============================================================
|
||||||
# INSTALL
|
# INSTALL
|
||||||
# ============================================================
|
# ============================================================
|
||||||
|
|||||||
@@ -0,0 +1,234 @@
|
|||||||
|
# ============================================================
|
||||||
|
# SIGNONLY + DETECT - Sandbox test script
|
||||||
|
# ============================================================
|
||||||
|
# CHANGELOG
|
||||||
|
# v1.0 - Initial
|
||||||
|
# ============================================================
|
||||||
|
|
||||||
|
param(
|
||||||
|
[switch]$AllUsers
|
||||||
|
)
|
||||||
|
Start-Sleep -Seconds 10
|
||||||
|
# Setup logging
|
||||||
|
$baseFolder = Join-Path $env:SystemDrive "Intune"
|
||||||
|
$logFile = Join-Path $baseFolder "RDPSign.log"
|
||||||
|
|
||||||
|
# Check if Sysnative exists (means script is running in 32-bit mode on x64 OS)
|
||||||
|
if (Test-Path "$($env:windir)\Sysnative") {
|
||||||
|
$rdpSignPath = "$($env:windir)\Sysnative\rdpsign.exe"
|
||||||
|
} else {
|
||||||
|
$rdpSignPath = "$($env:windir)\System32\rdpsign.exe"
|
||||||
|
}
|
||||||
|
|
||||||
|
if (-not (Test-Path $baseFolder)) {
|
||||||
|
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
|
||||||
|
}
|
||||||
|
|
||||||
|
function Write-Log {
|
||||||
|
param($Message)
|
||||||
|
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
|
||||||
|
Add-Content -Path $logFile -Value $logMessage
|
||||||
|
Write-Host $logMessage
|
||||||
|
}
|
||||||
|
|
||||||
|
function Get-DesktopPaths {
|
||||||
|
if ($AllUsers) {
|
||||||
|
Get-ChildItem "$env:SystemDrive\Users" -Directory -Exclude "Public","Default" | ForEach-Object {
|
||||||
|
Get-ChildItem $_.FullName -Directory -Filter "Desktop" -Depth 2 -ErrorAction SilentlyContinue |
|
||||||
|
Select-Object -ExpandProperty FullName
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
[Environment]::GetFolderPath("CommonDesktopDirectory")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
# SIGNONLY
|
||||||
|
# ============================================================
|
||||||
|
Write-Log "=== START SIGNONLY ==="
|
||||||
|
Write-Log "Running in mode: $(if ($AllUsers) { 'All Users' } else { 'Public Desktop' })"
|
||||||
|
|
||||||
|
try {
|
||||||
|
$certSubjectName = "RDPSign"
|
||||||
|
$certSubject = "CN=$certSubjectName"
|
||||||
|
|
||||||
|
Write-Log "Searching for existing certificate: $certSubjectName..."
|
||||||
|
$existingCert = Get-ChildItem Cert:\LocalMachine\My |
|
||||||
|
Where-Object { $_.Subject -eq $certSubject } |
|
||||||
|
Select-Object -First 1
|
||||||
|
|
||||||
|
if ($existingCert) {
|
||||||
|
Write-Log "Found existing certificate with Thumbprint: $($existingCert.Thumbprint)"
|
||||||
|
$thumbprint = $existingCert.Thumbprint
|
||||||
|
} else {
|
||||||
|
Write-Log "No existing certificate found. Creating new one..."
|
||||||
|
|
||||||
|
$cert = New-SelfSignedCertificate `
|
||||||
|
-Subject $certSubject `
|
||||||
|
-CertStoreLocation "Cert:\LocalMachine\My" `
|
||||||
|
-Type CodeSigningCert `
|
||||||
|
-KeyExportPolicy NonExportable `
|
||||||
|
-NotAfter (Get-Date).AddYears(25)
|
||||||
|
|
||||||
|
$thumbprint = $cert.Thumbprint
|
||||||
|
|
||||||
|
# Add to Trusted Root
|
||||||
|
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
|
||||||
|
$rootStore.Open("ReadWrite")
|
||||||
|
$rootStore.Add($cert)
|
||||||
|
$rootStore.Close()
|
||||||
|
|
||||||
|
# Add to Trusted Publishers
|
||||||
|
$pubStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("TrustedPublisher", "LocalMachine")
|
||||||
|
$pubStore.Open("ReadWrite")
|
||||||
|
$pubStore.Add($cert)
|
||||||
|
$pubStore.Close()
|
||||||
|
|
||||||
|
# Add thumbprint to RDP trusted certs in registry
|
||||||
|
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
|
||||||
|
$keyName = "TrustedCertThumbprints"
|
||||||
|
|
||||||
|
if (-not (Test-Path $gpoPath)) {
|
||||||
|
New-Item -Path $gpoPath -Force | Out-Null
|
||||||
|
}
|
||||||
|
|
||||||
|
$currentValue = (Get-ItemProperty -Path $gpoPath -Name $keyName -ErrorAction SilentlyContinue).$keyName
|
||||||
|
|
||||||
|
if ($currentValue -notmatch [regex]::Escape($thumbprint)) {
|
||||||
|
$newValue = if ([string]::IsNullOrWhiteSpace($currentValue)) { $thumbprint } else { "$currentValue,$thumbprint" }
|
||||||
|
|
||||||
|
if ($null -eq $currentValue) {
|
||||||
|
New-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue -PropertyType String -Force | Out-Null
|
||||||
|
} else {
|
||||||
|
Set-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue
|
||||||
|
}
|
||||||
|
Write-Log "Updated TrustedCertThumbprints registry value."
|
||||||
|
} else {
|
||||||
|
Write-Log "Thumbprint already exists in registry. Skipping update."
|
||||||
|
}
|
||||||
|
|
||||||
|
Write-Log "Certificate created and trusted successfully."
|
||||||
|
}
|
||||||
|
|
||||||
|
$successCount = 0
|
||||||
|
$failCount = 0
|
||||||
|
|
||||||
|
foreach ($desktopPath in (Get-DesktopPaths)) {
|
||||||
|
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -Recurse -ErrorAction SilentlyContinue
|
||||||
|
|
||||||
|
if ($rdpFiles.Count -eq 0) {
|
||||||
|
Write-Log "Skip: No .rdp files on $desktopPath"
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
Write-Log "Found $($rdpFiles.Count) file(s) to sign on: $desktopPath"
|
||||||
|
|
||||||
|
foreach ($rdpFile in $rdpFiles) {
|
||||||
|
Write-Log "Signing: $($rdpFile.Name)"
|
||||||
|
& $rdpSignPath /sha256 $thumbprint $rdpFile.FullName
|
||||||
|
|
||||||
|
if ($LASTEXITCODE -eq 0) {
|
||||||
|
Write-Log " [OK] $($rdpFile.Name)"
|
||||||
|
$successCount++
|
||||||
|
} else {
|
||||||
|
Write-Log " [FAILED] $($rdpFile.Name) - rdpsign exit code: $LASTEXITCODE"
|
||||||
|
$failCount++
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Set registry key to suppress RDP warning dialogs
|
||||||
|
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client" /v RedirectionWarningDialogVersion /t REG_DWORD /d 1 /f
|
||||||
|
|
||||||
|
if ($failCount -eq 0) {
|
||||||
|
Write-Log "All $successCount file(s) signed successfully."
|
||||||
|
} else {
|
||||||
|
Write-Log "$successCount file(s) signed successfully, $failCount file(s) failed."
|
||||||
|
}
|
||||||
|
|
||||||
|
} catch {
|
||||||
|
Write-Log "SIGNONLY error: $_"
|
||||||
|
}
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
# DETECT
|
||||||
|
# ============================================================
|
||||||
|
Write-Log "=== START DETECT ==="
|
||||||
|
|
||||||
|
try {
|
||||||
|
$certSubject = "CN=RDPSign"
|
||||||
|
|
||||||
|
Write-Log "Checking certificate: $certSubject..."
|
||||||
|
$certInMy = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $certSubject }
|
||||||
|
$certInRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $certSubject }
|
||||||
|
$certInPub = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object { $_.Subject -eq $certSubject }
|
||||||
|
|
||||||
|
$certOk = $true
|
||||||
|
if (-not $certInMy) {
|
||||||
|
Write-Log "FAIL: Certificate not found in LocalMachine\My"
|
||||||
|
$certOk = $false
|
||||||
|
}
|
||||||
|
if (-not $certInRoot) {
|
||||||
|
Write-Log "FAIL: Certificate not found in LocalMachine\Root"
|
||||||
|
$certOk = $false
|
||||||
|
}
|
||||||
|
if (-not $certInPub) {
|
||||||
|
Write-Log "FAIL: Certificate not found in LocalMachine\TrustedPublisher"
|
||||||
|
$certOk = $false
|
||||||
|
}
|
||||||
|
if (-not $certOk) {
|
||||||
|
Write-Log "DETECT [FAIL]: Certificate missing"
|
||||||
|
} else {
|
||||||
|
Write-Log "OK: Certificate found in all stores"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Check registry thumbprint
|
||||||
|
Write-Log "Checking registry thumbprint..."
|
||||||
|
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
|
||||||
|
$thumbprintValue = (Get-ItemProperty -Path $gpoPath -Name "TrustedCertThumbprints" -ErrorAction SilentlyContinue).TrustedCertThumbprints
|
||||||
|
if ([string]::IsNullOrWhiteSpace($thumbprintValue)) {
|
||||||
|
Write-Log "FAIL: TrustedCertThumbprints not found in registry"
|
||||||
|
$certOk = $false
|
||||||
|
} else {
|
||||||
|
Write-Log "OK: Thumbprint found in registry"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Check that all RDP files on desktop(s) are signed
|
||||||
|
Write-Log "Checking RDP file signatures..."
|
||||||
|
$desktopsChecked = 0
|
||||||
|
$filesChecked = 0
|
||||||
|
$allSigned = $true
|
||||||
|
|
||||||
|
foreach ($desktopPath in (Get-DesktopPaths)) {
|
||||||
|
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -ErrorAction SilentlyContinue
|
||||||
|
|
||||||
|
if ($rdpFiles.Count -eq 0) {
|
||||||
|
Write-Log "Skip: No .rdp files on $desktopPath"
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
Write-Log "Found $($rdpFiles.Count) file(s) to check on: $desktopPath"
|
||||||
|
|
||||||
|
foreach ($file in $rdpFiles) {
|
||||||
|
$filesChecked++
|
||||||
|
$content = Get-Content $file.FullName -ErrorAction SilentlyContinue
|
||||||
|
$hasSig = $content | Where-Object { $_ -match "^signature:s:" }
|
||||||
|
if (-not $hasSig) {
|
||||||
|
Write-Log "FAIL: $($file.Name) on $desktopPath is not signed"
|
||||||
|
$allSigned = $false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
$desktopsChecked++
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($allSigned -and $certOk) {
|
||||||
|
Write-Log "DETECT [OK]: $filesChecked file(s) across $desktopsChecked desktop(s) - all signed and configured"
|
||||||
|
exit 0
|
||||||
|
} else {
|
||||||
|
Write-Log "DETECT [FAIL]: Check log for details"
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
} catch {
|
||||||
|
Write-Log "Detect error: $_"
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
@@ -1,33 +0,0 @@
|
|||||||
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
|
|
||||||
$certSubject = "CN=RDPSign"
|
|
||||||
|
|
||||||
# 1. Unsign RDP files
|
|
||||||
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp"
|
|
||||||
foreach ($file in $rdpFiles) {
|
|
||||||
$content = Get-Content $file.FullName
|
|
||||||
$cleaned = $content | Where-Object { $_ -notmatch "^signscope:s:" -and $_ -notmatch "^signature:s:" }
|
|
||||||
$cleaned | Set-Content $file.FullName -Encoding Unicode
|
|
||||||
Write-Host "Unsigned: $($file.Name)"
|
|
||||||
}
|
|
||||||
|
|
||||||
# 2. Remove certificate from all stores
|
|
||||||
foreach ($storeName in @("My", "Root", "TrustedPublisher")) {
|
|
||||||
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, "LocalMachine")
|
|
||||||
$store.Open("ReadWrite")
|
|
||||||
$certs = $store.Certificates | Where-Object { $_.Subject -eq $certSubject }
|
|
||||||
foreach ($cert in $certs) {
|
|
||||||
$store.Remove($cert)
|
|
||||||
Write-Host "Removed certificate from store: $storeName"
|
|
||||||
}
|
|
||||||
$store.Close()
|
|
||||||
}
|
|
||||||
|
|
||||||
# 3. Remove thumbprint from registry
|
|
||||||
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
|
|
||||||
Remove-ItemProperty -Path $gpoPath -Name "TrustedCertThumbprints" -ErrorAction SilentlyContinue
|
|
||||||
Write-Host "Removed TrustedCertThumbprints"
|
|
||||||
|
|
||||||
# 4. Remove RedirectionWarningDialogVersion
|
|
||||||
$clientPath = "HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services\Client"
|
|
||||||
Remove-ItemProperty -Path $clientPath -Name "RedirectionWarningDialogVersion" -ErrorAction SilentlyContinue
|
|
||||||
Write-Host "Removed RedirectionWarningDialogVersion"
|
|
||||||
@@ -1,43 +0,0 @@
|
|||||||
# Setup logging
|
|
||||||
$baseFolder = Join-Path $env:SystemDrive "Intune"
|
|
||||||
$logFile = Join-Path $baseFolder "DesktopShortcuts.log"
|
|
||||||
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
|
|
||||||
|
|
||||||
# Create necessary folders
|
|
||||||
if (-not (Test-Path $baseFolder)) {
|
|
||||||
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
|
|
||||||
}
|
|
||||||
|
|
||||||
function Write-Log {
|
|
||||||
param($Message)
|
|
||||||
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
|
|
||||||
Add-Content -Path $logFile -Value $logMessage
|
|
||||||
Write-Host $logMessage
|
|
||||||
}
|
|
||||||
|
|
||||||
$rdpFiles = Get-ChildItem -Path "$desktopPath\*.rdp" -ErrorAction SilentlyContinue
|
|
||||||
|
|
||||||
try {
|
|
||||||
if ($rdpFiles.Count -eq 0) {
|
|
||||||
Write-Log "DETECT [FAIL]: No .rdp files found on public desktop: $desktopPath"
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
|
|
||||||
$allFound = $true
|
|
||||||
foreach ($file in $rdpFiles) {
|
|
||||||
if (-not (Test-Path (Join-Path $desktopPath $file.Name))) {
|
|
||||||
Write-Log "DETECT [FAIL]: Missing: $($file.Name)"
|
|
||||||
$allFound = $false
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($allFound) {
|
|
||||||
Write-Log "DETECT [OK]: All .rdp files found on public desktop: $desktopPath"
|
|
||||||
exit 0
|
|
||||||
} else {
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
} catch {
|
|
||||||
Write-Log "Detect error: $_"
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
@@ -1,139 +0,0 @@
|
|||||||
# Setup logging
|
|
||||||
$baseFolder = Join-Path $env:SystemDrive "Intune"
|
|
||||||
$logFile = Join-Path $baseFolder "DesktopShortcuts.log"
|
|
||||||
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
|
|
||||||
|
|
||||||
# Check if Sysnative exists (means script is running in 32-bit mode on x64 OS)
|
|
||||||
if (Test-Path "$($env:windir)\Sysnative") {
|
|
||||||
$rdpSignPath = "$($env:windir)\Sysnative\rdpsign.exe"
|
|
||||||
} else {
|
|
||||||
$rdpSignPath = "$($env:windir)\System32\rdpsign.exe"
|
|
||||||
}
|
|
||||||
|
|
||||||
# Create necessary folders
|
|
||||||
if (-not (Test-Path $baseFolder)) {
|
|
||||||
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
|
|
||||||
}
|
|
||||||
|
|
||||||
function Write-Log {
|
|
||||||
param($Message)
|
|
||||||
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
|
|
||||||
Add-Content -Path $logFile -Value $logMessage
|
|
||||||
Write-Host $logMessage
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
|
||||||
# Copy RDP files to public desktop
|
|
||||||
Get-ChildItem -Path ".\rdp-files\*.rdp" | ForEach-Object {
|
|
||||||
try {
|
|
||||||
Copy-Item -Path $_.FullName -Destination $desktopPath -Force
|
|
||||||
} catch {
|
|
||||||
Write-Log "Error copying file: $_"
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
Start-Sleep -Seconds 2 # Wait for files to be fully copied before signing
|
|
||||||
Write-Log "Copied .rdp files to public desktop: $desktopPath"
|
|
||||||
|
|
||||||
# Get RDP files from public desktop for signing
|
|
||||||
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -Recurse -ErrorAction SilentlyContinue
|
|
||||||
$certSubjectName = "RDPSign"
|
|
||||||
$certSubject = "CN=$certSubjectName"
|
|
||||||
|
|
||||||
Write-Log "Searching for existing certificate: $certSubjectName..."
|
|
||||||
|
|
||||||
$existingCert = Get-ChildItem Cert:\LocalMachine\My |
|
|
||||||
Where-Object { $_.Subject -eq $certSubject } |
|
|
||||||
Select-Object -First 1
|
|
||||||
|
|
||||||
if ($existingCert) {
|
|
||||||
Write-Log "Found existing certificate with Thumbprint: $($existingCert.Thumbprint)"
|
|
||||||
$thumbprint = $existingCert.Thumbprint
|
|
||||||
} else {
|
|
||||||
Write-Log "No existing certificate found. Creating new one..."
|
|
||||||
|
|
||||||
$cert = New-SelfSignedCertificate `
|
|
||||||
-Subject $certSubject `
|
|
||||||
-CertStoreLocation "Cert:\LocalMachine\My" `
|
|
||||||
-Type CodeSigningCert `
|
|
||||||
-KeyExportPolicy NonExportable `
|
|
||||||
-NotAfter (Get-Date).AddYears(25)
|
|
||||||
|
|
||||||
$thumbprint = $cert.Thumbprint
|
|
||||||
|
|
||||||
# Add to Trusted Root
|
|
||||||
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
|
|
||||||
$rootStore.Open("ReadWrite")
|
|
||||||
$rootStore.Add($cert)
|
|
||||||
$rootStore.Close()
|
|
||||||
|
|
||||||
# Add to Trusted Publishers
|
|
||||||
$pubStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("TrustedPublisher", "LocalMachine")
|
|
||||||
$pubStore.Open("ReadWrite")
|
|
||||||
$pubStore.Add($cert)
|
|
||||||
$pubStore.Close()
|
|
||||||
|
|
||||||
# Add thumbprint to RDP trusted certs in registry
|
|
||||||
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
|
|
||||||
$keyName = "TrustedCertThumbprints"
|
|
||||||
|
|
||||||
if (-not (Test-Path $gpoPath)) {
|
|
||||||
New-Item -Path $gpoPath -Force | Out-Null
|
|
||||||
}
|
|
||||||
|
|
||||||
$currentValue = (Get-ItemProperty -Path $gpoPath -Name $keyName -ErrorAction SilentlyContinue).$keyName
|
|
||||||
|
|
||||||
if ($currentValue -notmatch [regex]::Escape($thumbprint)) {
|
|
||||||
$newValue = if ([string]::IsNullOrWhiteSpace($currentValue)) { $thumbprint } else { "$currentValue,$thumbprint" }
|
|
||||||
|
|
||||||
if ($null -eq $currentValue) {
|
|
||||||
New-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue -PropertyType String -Force | Out-Null
|
|
||||||
} else {
|
|
||||||
Set-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue
|
|
||||||
}
|
|
||||||
Write-Log "Updated TrustedCertThumbprints registry value."
|
|
||||||
} else {
|
|
||||||
Write-Log "Thumbprint already exists in registry. Skipping update."
|
|
||||||
}
|
|
||||||
|
|
||||||
Write-Log "Certificate created and trusted successfully."
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($rdpFiles.Count -eq 0) {
|
|
||||||
Write-Log "No .rdp files found on Desktop: $desktopPath"
|
|
||||||
exit 0
|
|
||||||
}
|
|
||||||
|
|
||||||
Write-Log "Found $($rdpFiles.Count) file(s) to sign."
|
|
||||||
|
|
||||||
$successCount = 0
|
|
||||||
$failCount = 0
|
|
||||||
|
|
||||||
foreach ($rdpFile in $rdpFiles) {
|
|
||||||
Write-Log "Signing: $($rdpFile.Name)"
|
|
||||||
& $rdpSignPath /sha256 $thumbprint $rdpFile.FullName
|
|
||||||
|
|
||||||
if ($LASTEXITCODE -eq 0) {
|
|
||||||
Write-Log " [OK] $($rdpFile.Name)"
|
|
||||||
$successCount++
|
|
||||||
} else {
|
|
||||||
Write-Log " [FAILED] $($rdpFile.Name) - rdpsign exit code: $LASTEXITCODE"
|
|
||||||
$failCount++
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# Set registry key to suppress RDP warning dialogs
|
|
||||||
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client" /v RedirectionWarningDialogVersion /t REG_DWORD /d 1 /f
|
|
||||||
|
|
||||||
if ($failCount -eq 0) {
|
|
||||||
Write-Log "All $successCount file(s) signed successfully."
|
|
||||||
} else {
|
|
||||||
Write-Log "$successCount file(s) signed successfully, $failCount file(s) failed."
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
exit 0
|
|
||||||
} catch {
|
|
||||||
Write-Log "Error: $_"
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
@@ -1,118 +0,0 @@
|
|||||||
# RDP - IntuneWin Package
|
|
||||||
|
|
||||||
## Package Contents
|
|
||||||
|
|
||||||
| File | Purpose |
|
|
||||||
|------|---------|
|
|
||||||
| `Install.ps1` | Copies RDP files to public desktop, creates self-signed certificate and signs all RDP files |
|
|
||||||
| `Detect.ps1` | Detects whether all RDP files from the package are present on the public desktop |
|
|
||||||
| `Uninstall.ps1` | Removes RDP files from the public desktop |
|
|
||||||
| `SignOnly.ps1` | Signs existing RDP files on the public desktop — no file copy (standalone use) |
|
|
||||||
| `SignOnly_detect.ps1` | Detects whether certificate is present and all RDP files on the desktop are signed |
|
|
||||||
| `Clearsigning.ps1` | Removes signatures from RDP files and cleans up certificate and registry (cleanup/debug use) |
|
|
||||||
| `sandbox.ps1` | Combined install + detect script for local sandbox testing |
|
|
||||||
| `rdp-files\*.rdp` | Source RDP files deployed to the public desktop |
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Intune App Configuration
|
|
||||||
|
|
||||||
### Program
|
|
||||||
- **Install command:**
|
|
||||||
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1`
|
|
||||||
- **Uninstall command:**
|
|
||||||
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1`
|
|
||||||
- **Install behavior:** System
|
|
||||||
|
|
||||||
### Detection Rule
|
|
||||||
Use a custom detection script:
|
|
||||||
- **Script file:** `Detect.ps1`
|
|
||||||
- **Run script as 32-bit process on 64-bit clients:** No
|
|
||||||
- **Enforce script signature check:** No
|
|
||||||
|
|
||||||
Detection logic:
|
|
||||||
- Checks that all `.rdp` files from `rdp-files\` are present on the public desktop (`C:\Users\Public\Desktop`)
|
|
||||||
- Returns `exit 0` = installed
|
|
||||||
- Returns `exit 1` = not installed
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## What Install.ps1 Does
|
|
||||||
|
|
||||||
1. Copies all `.rdp` files from `.\rdp-files\` to the public desktop
|
|
||||||
2. Searches for an existing self-signed certificate (`CN=RDPSign`) in `Cert:\LocalMachine\My`
|
|
||||||
3. If not found, creates a new self-signed code signing certificate (valid 25 years, non-exportable)
|
|
||||||
4. Adds the certificate to `Trusted Root` and `Trusted Publishers` in the local machine store
|
|
||||||
5. Adds the certificate thumbprint to the registry key `TrustedCertThumbprints`
|
|
||||||
6. Signs all `.rdp` files on the public desktop using `rdpsign.exe /sha256`
|
|
||||||
7. Sets `RedirectionWarningDialogVersion = 1` in registry to suppress RDP warning dialogs
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Registry Changes
|
|
||||||
|
|
||||||
| Path | Value | Type | Data |
|
|
||||||
|------|-------|------|------|
|
|
||||||
| `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` | `TrustedCertThumbprints` | String | Certificate thumbprint |
|
|
||||||
| `HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client` | `RedirectionWarningDialogVersion` | DWORD | `1` |
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Logging and Troubleshooting
|
|
||||||
|
|
||||||
| Script | Log file |
|
|
||||||
|--------|----------|
|
|
||||||
| `Install.ps1` | `C:\Intune\DesktopShortcuts.log` |
|
|
||||||
| `Detect.ps1` | `C:\Intune\DesktopShortcuts.log` |
|
|
||||||
| `Uninstall.ps1` | `C:\Intune\DesktopShortcuts.log` |
|
|
||||||
| `SignOnly.ps1` | `C:\Intune\RDPSign.log` |
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## SignOnly Intune App Configuration
|
|
||||||
|
|
||||||
### Program
|
|
||||||
- **Install command:**
|
|
||||||
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1`
|
|
||||||
- **Uninstall command:**
|
|
||||||
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1`
|
|
||||||
- **Install behavior:** System
|
|
||||||
|
|
||||||
### Detection Rule
|
|
||||||
Use a custom detection script:
|
|
||||||
- **Script file:** `SignOnly_detect.ps1`
|
|
||||||
- **Run script as 32-bit process on 64-bit clients:** No
|
|
||||||
- **Enforce script signature check:** No
|
|
||||||
|
|
||||||
Detection logic:
|
|
||||||
- Checks that `CN=RDPSign` certificate exists in `My`, `Root`, and `TrustedPublisher` stores
|
|
||||||
- Checks that thumbprint is present in registry
|
|
||||||
- Checks that all `.rdp` files on the public desktop contain a valid signature
|
|
||||||
- Returns `exit 0` + `"Detected"` = installed
|
|
||||||
- Returns `exit 1` = not installed
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Utility Scripts (not part of Intune package)
|
|
||||||
|
|
||||||
### `SignOnly.ps1`
|
|
||||||
Signs all existing `.rdp` files on the public desktop without copying any files. Useful for re-signing after an update or if files are already deployed.
|
|
||||||
Run as administrator.
|
|
||||||
|
|
||||||
### `SignOnly_detect.ps1`
|
|
||||||
Detection script for use with `SignOnly.ps1` as an Intune package. Checks:
|
|
||||||
- Certificate exists in `My`, `Root`, and `TrustedPublisher` stores
|
|
||||||
- Thumbprint is present in registry
|
|
||||||
- All `.rdp` files on the desktop contain a valid signature
|
|
||||||
|
|
||||||
### `Clearsigning.ps1`
|
|
||||||
Removes all signing artifacts. Useful for testing or cleanup. Run as administrator.
|
|
||||||
- Strips `signscope` and `signature` lines from all `.rdp` files on the public desktop
|
|
||||||
- Removes `CN=RDPSign` certificate from `My`, `Root`, and `TrustedPublisher` stores
|
|
||||||
- Removes `TrustedCertThumbprints` from registry
|
|
||||||
- Removes `RedirectionWarningDialogVersion` from registry
|
|
||||||
|
|
||||||
### `sandbox.ps1`
|
|
||||||
Combines install and detect into a single script for local sandbox testing.
|
|
||||||
Run from the folder containing `rdp-files\` as administrator.
|
|
||||||
Output is written to both the console and `C:\Intune\DesktopShortcuts.log`.
|
|
||||||
@@ -1,125 +0,0 @@
|
|||||||
# Setup logging
|
|
||||||
$baseFolder = Join-Path $env:SystemDrive "Intune"
|
|
||||||
$logFile = Join-Path $baseFolder "RDPSign.log"
|
|
||||||
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
|
|
||||||
|
|
||||||
# Check if Sysnative exists (means script is running in 32-bit mode on x64 OS)
|
|
||||||
if (Test-Path "$($env:windir)\Sysnative") {
|
|
||||||
$rdpSignPath = "$($env:windir)\Sysnative\rdpsign.exe"
|
|
||||||
} else {
|
|
||||||
$rdpSignPath = "$($env:windir)\System32\rdpsign.exe"
|
|
||||||
}
|
|
||||||
|
|
||||||
if (-not (Test-Path $baseFolder)) {
|
|
||||||
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
|
|
||||||
}
|
|
||||||
|
|
||||||
function Write-Log {
|
|
||||||
param($Message)
|
|
||||||
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
|
|
||||||
Add-Content -Path $logFile -Value $logMessage
|
|
||||||
Write-Host $logMessage
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
|
||||||
# Get RDP files from public desktop for signing
|
|
||||||
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -Recurse -ErrorAction SilentlyContinue
|
|
||||||
$certSubjectName = "RDPSign"
|
|
||||||
$certSubject = "CN=$certSubjectName"
|
|
||||||
|
|
||||||
Write-Log "Searching for existing certificate: $certSubjectName..."
|
|
||||||
|
|
||||||
$existingCert = Get-ChildItem Cert:\LocalMachine\My |
|
|
||||||
Where-Object { $_.Subject -eq $certSubject } |
|
|
||||||
Select-Object -First 1
|
|
||||||
|
|
||||||
if ($existingCert) {
|
|
||||||
Write-Log "Found existing certificate with Thumbprint: $($existingCert.Thumbprint)"
|
|
||||||
$thumbprint = $existingCert.Thumbprint
|
|
||||||
} else {
|
|
||||||
Write-Log "No existing certificate found. Creating new one..."
|
|
||||||
|
|
||||||
$cert = New-SelfSignedCertificate `
|
|
||||||
-Subject $certSubject `
|
|
||||||
-CertStoreLocation "Cert:\LocalMachine\My" `
|
|
||||||
-Type CodeSigningCert `
|
|
||||||
-KeyExportPolicy NonExportable `
|
|
||||||
-NotAfter (Get-Date).AddYears(25)
|
|
||||||
|
|
||||||
$thumbprint = $cert.Thumbprint
|
|
||||||
|
|
||||||
# Add to Trusted Root
|
|
||||||
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
|
|
||||||
$rootStore.Open("ReadWrite")
|
|
||||||
$rootStore.Add($cert)
|
|
||||||
$rootStore.Close()
|
|
||||||
|
|
||||||
# Add to Trusted Publishers
|
|
||||||
$pubStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("TrustedPublisher", "LocalMachine")
|
|
||||||
$pubStore.Open("ReadWrite")
|
|
||||||
$pubStore.Add($cert)
|
|
||||||
$pubStore.Close()
|
|
||||||
|
|
||||||
# Add thumbprint to RDP trusted certs in registry
|
|
||||||
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
|
|
||||||
$keyName = "TrustedCertThumbprints"
|
|
||||||
|
|
||||||
if (-not (Test-Path $gpoPath)) {
|
|
||||||
New-Item -Path $gpoPath -Force | Out-Null
|
|
||||||
}
|
|
||||||
|
|
||||||
$currentValue = (Get-ItemProperty -Path $gpoPath -Name $keyName -ErrorAction SilentlyContinue).$keyName
|
|
||||||
|
|
||||||
if ($currentValue -notmatch [regex]::Escape($thumbprint)) {
|
|
||||||
$newValue = if ([string]::IsNullOrWhiteSpace($currentValue)) { $thumbprint } else { "$currentValue,$thumbprint" }
|
|
||||||
|
|
||||||
if ($null -eq $currentValue) {
|
|
||||||
New-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue -PropertyType String -Force | Out-Null
|
|
||||||
} else {
|
|
||||||
Set-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue
|
|
||||||
}
|
|
||||||
Write-Log "Updated TrustedCertThumbprints registry value."
|
|
||||||
} else {
|
|
||||||
Write-Log "Thumbprint already exists in registry. Skipping update."
|
|
||||||
}
|
|
||||||
|
|
||||||
Write-Log "Certificate created and trusted successfully."
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($rdpFiles.Count -eq 0) {
|
|
||||||
Write-Log "No .rdp files found on Desktop: $desktopPath"
|
|
||||||
exit 0
|
|
||||||
}
|
|
||||||
|
|
||||||
Write-Log "Found $($rdpFiles.Count) file(s) to sign."
|
|
||||||
|
|
||||||
$successCount = 0
|
|
||||||
$failCount = 0
|
|
||||||
|
|
||||||
foreach ($rdpFile in $rdpFiles) {
|
|
||||||
Write-Log "Signing: $($rdpFile.Name)"
|
|
||||||
& $rdpSignPath /sha256 $thumbprint $rdpFile.FullName
|
|
||||||
|
|
||||||
if ($LASTEXITCODE -eq 0) {
|
|
||||||
Write-Log " [OK] $($rdpFile.Name)"
|
|
||||||
$successCount++
|
|
||||||
} else {
|
|
||||||
Write-Log " [FAILED] $($rdpFile.Name) - rdpsign exit code: $LASTEXITCODE"
|
|
||||||
$failCount++
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# Set registry key to suppress RDP warning dialogs
|
|
||||||
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client" /v RedirectionWarningDialogVersion /t REG_DWORD /d 1 /f
|
|
||||||
|
|
||||||
if ($failCount -eq 0) {
|
|
||||||
Write-Log "All $successCount file(s) signed successfully."
|
|
||||||
} else {
|
|
||||||
Write-Log "$successCount file(s) signed successfully, $failCount file(s) failed."
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
exit 0
|
|
||||||
} catch {
|
|
||||||
Write-Log "Error: $_"
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
@@ -1,36 +0,0 @@
|
|||||||
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
|
|
||||||
$certSubject = "CN=RDPSign"
|
|
||||||
|
|
||||||
# Check certificate exists in all three stores
|
|
||||||
$certInMy = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $certSubject }
|
|
||||||
$certInRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $certSubject }
|
|
||||||
$certInPub = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object { $_.Subject -eq $certSubject }
|
|
||||||
|
|
||||||
if (-not $certInMy -or -not $certInRoot -or -not $certInPub) {
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
|
|
||||||
# Check registry thumbprint
|
|
||||||
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
|
|
||||||
$thumbprintValue = (Get-ItemProperty -Path $gpoPath -Name "TrustedCertThumbprints" -ErrorAction SilentlyContinue).TrustedCertThumbprints
|
|
||||||
if ([string]::IsNullOrWhiteSpace($thumbprintValue)) {
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
|
|
||||||
# Check that all RDP files on desktop are signed
|
|
||||||
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -ErrorAction SilentlyContinue
|
|
||||||
|
|
||||||
if ($rdpFiles.Count -eq 0) {
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
|
|
||||||
foreach ($file in $rdpFiles) {
|
|
||||||
$content = Get-Content $file.FullName -ErrorAction SilentlyContinue
|
|
||||||
$hasSig = $content | Where-Object { $_ -match "^signature:s:" }
|
|
||||||
if (-not $hasSig) {
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
Write-Host "Detected"
|
|
||||||
exit 0
|
|
||||||
@@ -1,38 +0,0 @@
|
|||||||
# Setup logging
|
|
||||||
$baseFolder = Join-Path $env:SystemDrive "Intune"
|
|
||||||
$logFile = Join-Path $baseFolder "DesktopShortcuts.log"
|
|
||||||
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
|
|
||||||
|
|
||||||
# Create necessary folders
|
|
||||||
$folders = @(
|
|
||||||
$baseFolder
|
|
||||||
)
|
|
||||||
foreach ($folder in $folders) {
|
|
||||||
if (-not (Test-Path $folder)) {
|
|
||||||
New-Item -Path $folder -ItemType Directory -Force | Out-Null
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
function Write-Log {
|
|
||||||
param($Message)
|
|
||||||
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
|
|
||||||
Add-Content -Path $logFile -Value $logMessage
|
|
||||||
Write-Host $logMessage
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
|
||||||
Get-ChildItem -Path ".\rdp-files\*.rdp" | ForEach-Object {
|
|
||||||
$targetFile = Join-Path $desktopPath $_.Name
|
|
||||||
if (Test-Path $targetFile) {
|
|
||||||
Remove-Item -Path $targetFile -Force
|
|
||||||
Write-Log "Removed: $($_.Name)"
|
|
||||||
} else {
|
|
||||||
Write-Log "Not found, skipping: $($_.Name)"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
Write-Log "Uninstall completed from public desktop: $desktopPath"
|
|
||||||
exit 0
|
|
||||||
} catch {
|
|
||||||
Write-Log "An error occurred: $_"
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
@@ -1,176 +0,0 @@
|
|||||||
# ============================================================
|
|
||||||
# INSTALL + DETECT - Sandbox test script
|
|
||||||
# ============================================================
|
|
||||||
|
|
||||||
# Setup logging
|
|
||||||
$baseFolder = Join-Path $env:SystemDrive "Intune"
|
|
||||||
$logFile = Join-Path $baseFolder "DesktopShortcuts.log"
|
|
||||||
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
|
|
||||||
|
|
||||||
# Check if Sysnative exists (means script is running in 32-bit mode on x64 OS)
|
|
||||||
if (Test-Path "$($env:windir)\Sysnative") {
|
|
||||||
$rdpSignPath = "$($env:windir)\Sysnative\rdpsign.exe"
|
|
||||||
} else {
|
|
||||||
$rdpSignPath = "$($env:windir)\System32\rdpsign.exe"
|
|
||||||
}
|
|
||||||
|
|
||||||
if (-not (Test-Path $baseFolder)) {
|
|
||||||
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
|
|
||||||
}
|
|
||||||
|
|
||||||
function Write-Log {
|
|
||||||
param($Message)
|
|
||||||
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
|
|
||||||
Add-Content -Path $logFile -Value $logMessage
|
|
||||||
Write-Host $logMessage
|
|
||||||
}
|
|
||||||
|
|
||||||
# ============================================================
|
|
||||||
# INSTALL
|
|
||||||
# ============================================================
|
|
||||||
Write-Log "=== START INSTALL ==="
|
|
||||||
|
|
||||||
try {
|
|
||||||
# Copy RDP files to public desktop
|
|
||||||
Get-ChildItem -Path ".\rdp-files\*.rdp" | ForEach-Object {
|
|
||||||
try {
|
|
||||||
Copy-Item -Path $_.FullName -Destination $desktopPath -Force
|
|
||||||
} catch {
|
|
||||||
Write-Log "Error copying file: $_"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
Start-Sleep -Seconds 2 # Wait for files to be fully copied before signing
|
|
||||||
Write-Log "Copied .rdp files to public desktop: $desktopPath"
|
|
||||||
|
|
||||||
# Get RDP files from public desktop for signing
|
|
||||||
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -Recurse -ErrorAction SilentlyContinue
|
|
||||||
$certSubjectName = "RDPSign"
|
|
||||||
$certSubject = "CN=$certSubjectName"
|
|
||||||
|
|
||||||
Write-Log "Searching for existing certificate: $certSubjectName..."
|
|
||||||
|
|
||||||
$existingCert = Get-ChildItem Cert:\LocalMachine\My |
|
|
||||||
Where-Object { $_.Subject -eq $certSubject } |
|
|
||||||
Select-Object -First 1
|
|
||||||
|
|
||||||
if ($existingCert) {
|
|
||||||
Write-Log "Found existing certificate with Thumbprint: $($existingCert.Thumbprint)"
|
|
||||||
$thumbprint = $existingCert.Thumbprint
|
|
||||||
} else {
|
|
||||||
Write-Log "No existing certificate found. Creating new one..."
|
|
||||||
|
|
||||||
$cert = New-SelfSignedCertificate `
|
|
||||||
-Subject $certSubject `
|
|
||||||
-CertStoreLocation "Cert:\LocalMachine\My" `
|
|
||||||
-Type CodeSigningCert `
|
|
||||||
-KeyExportPolicy NonExportable `
|
|
||||||
-NotAfter (Get-Date).AddYears(25)
|
|
||||||
|
|
||||||
$thumbprint = $cert.Thumbprint
|
|
||||||
|
|
||||||
# Add to Trusted Root
|
|
||||||
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
|
|
||||||
$rootStore.Open("ReadWrite")
|
|
||||||
$rootStore.Add($cert)
|
|
||||||
$rootStore.Close()
|
|
||||||
|
|
||||||
# Add to Trusted Publishers
|
|
||||||
$pubStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("TrustedPublisher", "LocalMachine")
|
|
||||||
$pubStore.Open("ReadWrite")
|
|
||||||
$pubStore.Add($cert)
|
|
||||||
$pubStore.Close()
|
|
||||||
|
|
||||||
# Add thumbprint to RDP trusted certs in registry
|
|
||||||
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
|
|
||||||
$keyName = "TrustedCertThumbprints"
|
|
||||||
|
|
||||||
if (-not (Test-Path $gpoPath)) {
|
|
||||||
New-Item -Path $gpoPath -Force | Out-Null
|
|
||||||
}
|
|
||||||
|
|
||||||
$currentValue = (Get-ItemProperty -Path $gpoPath -Name $keyName -ErrorAction SilentlyContinue).$keyName
|
|
||||||
|
|
||||||
if ($currentValue -notmatch [regex]::Escape($thumbprint)) {
|
|
||||||
$newValue = if ([string]::IsNullOrWhiteSpace($currentValue)) { $thumbprint } else { "$currentValue,$thumbprint" }
|
|
||||||
|
|
||||||
if ($null -eq $currentValue) {
|
|
||||||
New-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue -PropertyType String -Force | Out-Null
|
|
||||||
} else {
|
|
||||||
Set-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue
|
|
||||||
}
|
|
||||||
Write-Log "Updated TrustedCertThumbprints registry value."
|
|
||||||
} else {
|
|
||||||
Write-Log "Thumbprint already exists in registry. Skipping update."
|
|
||||||
}
|
|
||||||
|
|
||||||
Write-Log "Certificate created and trusted successfully."
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($rdpFiles.Count -eq 0) {
|
|
||||||
Write-Log "No .rdp files found on Desktop: $desktopPath"
|
|
||||||
exit 0
|
|
||||||
}
|
|
||||||
|
|
||||||
Write-Log "Found $($rdpFiles.Count) file(s) to sign."
|
|
||||||
|
|
||||||
$successCount = 0
|
|
||||||
$failCount = 0
|
|
||||||
|
|
||||||
foreach ($rdpFile in $rdpFiles) {
|
|
||||||
Write-Log "Signing: $($rdpFile.Name)"
|
|
||||||
& $rdpSignPath /sha256 $thumbprint $rdpFile.FullName
|
|
||||||
|
|
||||||
if ($LASTEXITCODE -eq 0) {
|
|
||||||
Write-Log " [OK] $($rdpFile.Name)"
|
|
||||||
$successCount++
|
|
||||||
} else {
|
|
||||||
Write-Log " [FAILED] $($rdpFile.Name) - rdpsign exit code: $LASTEXITCODE"
|
|
||||||
$failCount++
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# Set registry key to suppress RDP warning dialogs
|
|
||||||
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client" /v RedirectionWarningDialogVersion /t REG_DWORD /d 1 /f
|
|
||||||
|
|
||||||
if ($failCount -eq 0) {
|
|
||||||
Write-Log "All $successCount file(s) signed successfully."
|
|
||||||
} else {
|
|
||||||
Write-Log "$successCount file(s) signed successfully, $failCount file(s) failed."
|
|
||||||
}
|
|
||||||
|
|
||||||
} catch {
|
|
||||||
Write-Log "Install error: $_"
|
|
||||||
}
|
|
||||||
|
|
||||||
# ============================================================
|
|
||||||
# DETECT
|
|
||||||
# ============================================================
|
|
||||||
Write-Log "=== START DETECT ==="
|
|
||||||
|
|
||||||
$rdpFilesOnDesktop = Get-ChildItem -Path "$desktopPath\*.rdp" -ErrorAction SilentlyContinue
|
|
||||||
|
|
||||||
try {
|
|
||||||
if ($rdpFilesOnDesktop.Count -eq 0) {
|
|
||||||
Write-Log "DETECT [FAIL]: No .rdp files found on public desktop: $desktopPath"
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
|
|
||||||
$allFound = $true
|
|
||||||
foreach ($file in $rdpFilesOnDesktop) {
|
|
||||||
if (-not (Test-Path (Join-Path $desktopPath $file.Name))) {
|
|
||||||
Write-Log "DETECT [FAIL]: Missing: $($file.Name)"
|
|
||||||
$allFound = $false
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($allFound) {
|
|
||||||
Write-Log "DETECT [OK]: All .rdp files found on public desktop: $desktopPath"
|
|
||||||
exit 0
|
|
||||||
} else {
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
} catch {
|
|
||||||
Write-Log "Detect error: $_"
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
Binary file not shown.
Reference in New Issue
Block a user