Compare commits

..

11 Commits

Author SHA1 Message Date
GCH 69e9e81df8 text
chore: fjern output/Install.intunewin (build artifact)
2026-06-02 15:36:11 +02:00
GCH f90a12f7f1 feat(SignOnly_detect): tilføj detaljeret logning og forbedret fejlhåndtering
- Tilføj Write-Log på alle checkpoints (certifikat, registry, filer)
    - Omskriv cert-tjek til at logge alle manglende stores før exit
    - Skift fra exit 1 til skip på brugere uden RDP-filer
    - Indpak i try/catch for robust fejlhåndtering

    feat(sandbox): tilføj sandbox_signonly.ps1 til test af SignOnly + Detect

    - Kombiner SignOnly (cert + signering) og Detect (verifikation) i ét script
    - Samme skip-logik for brugere uden RDP-filer
2026-06-02 12:53:27 +02:00
GCH 81870bcdcf docs: opdatér README med Get-DesktopPaths Depth 2 ændring
- Tilføj info om Depth 2 søgning i Install.ps1 og AllUsers Switch
    - Nævn OneDrive Desktop, ekskludering af Public/Default og -Depth 2
    - Samme opdatering i README.md og README.html
2026-06-02 08:57:22 +02:00
GCH 2225abed9d feat(RDPSign): Get-DesktopPaths OneDrive Desktop support + compressed changelogs
- Opdatér Get-DesktopPaths i alle 7 app-scripts: brug Get-ChildItem
  -Filter 'Desktop' -Depth 2 i stedet for Join-Path/Test-Path
  så OneDrive-omdirigeret Desktop også fanges
- Tilføj -Exclude 'Public','Default' for at springe systemprofiler over
- Komprimér og opdatér changelog i alle scripts med ny version
- Fjern old_app/ (arkiveret v1.0 scripts)
- Opdatér README.md og README.html
2026-06-02 08:23:16 +02:00
GCH 8e6dffa229 selettet Install.intunewin 2026-06-02 08:06:43 +02:00
GCH 9534e8f7d2 feat(RDPSign): opdatér Get-DesktopPaths til OneDrive Desktop
- Erstat Join-Path/Test-Path med Get-ChildItem -Filter "Desktop" -Depth 2
      så OneDrive-omdirigeret Desktop også fanges
    - Tilføj -Exclude "Public","Default" for at springe systemprofiler over
    - Anvendt i app/Install.ps1, Detect.ps1, Uninstall.ps1, SignOnly.ps1,
      SignOnly_detect.ps1, Clearsigning.ps1, sandbox.ps1
2026-06-02 07:53:48 +02:00
GCH ab2bb0735b Merge branch 'main' of https://git.itedb.dk/glennigen/RDPSign 2026-05-26 07:32:35 +02:00
glennigen efaceaa528 docs: tilføj README.html - plain HTML version af dokumentation
- Tilføjer README.html som plain HTML uden farver/darkmode
- Tabeller med border=1 cellpadding=6 cellspacing=0
- Kommandoer, registreringsregler og logik i tabelformat
2026-05-24 19:46:52 +02:00
glennigen 0593f8c042 feat: opdater Detect.ps1 med specifik fil-tjek og opdater README
- Implementer $expectedFiles array i Detect.ps1 for at tjekke specifikke .rdp-filnavne
- Opdater beskrivelse af Detect.ps1 i pakkens indhold tabel
- Tilføj afsnit 'Sådan opsætter du Detect.ps1' med eksempel og forklaring
- Opdater indholdsfortegnelse med nyt afsnit
2026-05-24 19:27:09 +02:00
GCH 13005cf161 Oprettet install.intunewin, og mappen rdp-files under app er oprettet 2026-05-22 11:13:46 +02:00
GCH 2bf216bcc2 Upload af RDPSign fra arbejde-noter repo 2026-05-22 10:34:36 +02:00
19 changed files with 577 additions and 1055 deletions
+6 -4
View File
@@ -153,7 +153,8 @@
<h2 id="hvad-install.ps1-gør">Hvad Install.ps1 gør</h2>
<ol type="1">
<li>Finder målskrivebord(e) — offentligt skrivebord som standard, alle
brugeres skriveborde med <code>-AllUsers</code></li>
brugeres skriveborde med <code>-AllUsers</code>. Med <code>-AllUsers</code>
søges 2 mapper ned så OneDrive-omdirigeret Desktop også fanges</li>
<li>Kopierer alle <code>.rdp</code>-filer fra <code>.\rdp-files\</code>
til de fundne skrivebord(e)</li>
<li>Søger efter eksisterende selvsigneret certifikat
@@ -180,9 +181,10 @@
standard — uden <code>-AllUsers</code> — køres alle scripts kun mod det
<strong>offentlige skrivebord</strong>
(<code>C:\Users\Public\Desktop</code>). Når <code>-AllUsers</code>
angives, itererer scriptet i stedet over alle brugerprofiler under
<code>C:\Users\</code> og behandler hver brugers
<code>Desktop</code>-mappe.
angives, søger scriptet i stedet på tværs af alle brugerprofiler under
<code>C:\Users\</code> (ekskl. <code>Public</code>/<code>Default</code>).
Der søges 2 mapper ned (<code>-Depth 2</code>) for at fange både standard
<code>Desktop</code> og OneDrive-omdirigeret <code>Desktop</code>.
</p>
<div class="sourceCode" id="cb2">
<pre
+214 -214
View File
@@ -1,214 +1,214 @@
# RDP - IntuneWin Pakke
> Denne pakke installerer og signerer RDP-genveje på skrivebordet via et selvsigneret certifikat, så brugerne ikke får en sikkerhedsadvarsel ved åbning.
> Som standard arbejder alle scripts mod det **offentlige skrivebord** (`C:\Users\Public\Desktop`).
> Brug `-AllUsers` switchen for at køre mod alle brugeres individuelle skriveborde i stedet.
---
## Indhold
- [Pakkens indhold](#pakkens-indhold)
- [Intune App Konfiguration](#intune-app-konfiguration)
- [Hvad Install.ps1 gør](#hvad-installps1-gør)
- [Sådan opsætter du Detect.ps1](#sådan-opsætter-du-detectps1)
- [AllUsers Switch](#allusers-switch)
- [Registry-ændringer](#registry-ændringer)
- [Logning og fejlfinding](#logning-og-fejlfinding)
- [SignOnly Intune App Konfiguration](#signonly-intune-app-konfiguration)
- [Øvrige scripts i pakken](#øvrige-scripts-i-pakken)
---
## Pakkens indhold
| Fil | Formål |
|-----|--------|
| `Install.ps1` | Kopierer RDP-filer til skrivebord(e), opretter selvsigneret certifikat og signerer alle RDP-filer. Understøtter `-AllUsers` switch. |
| `Detect.ps1` | Tjekker at specifikke forventede .rdp-filer (defineret i `$expectedFiles` array) eksisterer på skrivebord(e). Understøtter `-AllUsers` switch. |
| `Uninstall.ps1` | Fjerner RDP-filer fra skrivebord(e). Understøtter `-AllUsers` switch. |
| `SignOnly.ps1` | Signerer eksisterende RDP-filer på skrivebord(e) — ingen filkopiering. Understøtter `-AllUsers` switch. |
| `SignOnly_detect.ps1` | Registrerer om certifikat er til stede og alle RDP-filer på skrivebord(e) er signerede. Understøtter `-AllUsers` switch. |
| `Clearsigning.ps1` | Fjerner signaturer fra RDP-filer og rydder op i certifikat og registry (til oprydning/debug). Understøtter `-AllUsers` switch. |
| `sandbox.ps1` | Kombineret install + detect script til lokal sandkasse-test. Understøtter `-AllUsers` switch. |
| `rdp-files\*.rdp` | Kilde-RDP-filer der installeres på skrivebord(e) |
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
---
## Sådan opsætter du Detect.ps1
Før du uploader `Detect.ps1` til Intune som registreringsregel, skal du åbne filen og udfylde `$expectedFiles` array med de `.rdp` filnavne der ligger i `.\\rdp-files\\`:
```powershell
$expectedFiles = @(
"Server1.rdp",
"Server2.rdp",
"DesktopApp.rdp"
)
```
Når scriptet kører:
- Uden `-AllUsers`: tjekker at alle filer i `$expectedFiles` findes på det offentlige skrivebord (`C:\Users\Public\Desktop`)
- Med `-AllUsers`: tjekker alle filer i `$expectedFiles` på tværs af alle brugeres skriveborde
- Returnerer `exit 0` = installeret (alle filer fundet)
- Returnerer `exit 1` = ikke installeret (en eller flere filer mangler)
> **Vigtigt:** Husk at opdatere `$expectedFiles` hver gang du tilføjer eller fjerner `.rdp` filer i pakken, ellers vil detekteringen være forkert.
---
## Intune App Konfiguration
### Program
- **Installationskommando:**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1`
- **Installationskommando (alle brugeres skriveborde):**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1 -AllUsers`
- **Afinstallationskommando:**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1`
- **Afinstallationskommando (alle brugeres skriveborde):**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1 -AllUsers`
- **Installationsadfærd:** System
### Registreringsregel
Brug et brugerdefineret registreringsscript:
- **Scriptfil:** `Detect.ps1`
- **Kør script som 32-bit proces på 64-bit klienter:** Nej
- **Gennemtving scriptsignaturkontrol:** Nej
Registreringslogik:
- Uden `-AllUsers`: tjekker at alle `.rdp`-filer er til stede på det offentlige skrivebord (`C:\Users\Public\Desktop`)
- Med `-AllUsers`: tjekker alle brugeres skriveborde under `C:\Users\`
- Returnerer `exit 0` = installeret
- Returnerer `exit 1` = ikke installeret
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
---
## Hvad Install.ps1 gør
1. Finder målskrivebord(e) — offentligt skrivebord som standard, alle brugeres skriveborde med `-AllUsers`
2. Kopierer alle `.rdp`-filer fra `.\rdp-files\` til de fundne skrivebord(e)
3. Søger efter eksisterende selvsigneret certifikat (`CN=RDPSign`) i `Cert:\LocalMachine\My`
4. Opretter et nyt selvsigneret kodesigneringscertifikat hvis intet findes (gyldigt i 25 år, ikke-eksporterbart)
5. Tilføjer certifikatet til `Trusted Root` og `Trusted Publishers` i den lokale maskines certifikatstore
6. Tilføjer certifikatets thumbprint til registry-nøglen `TrustedCertThumbprints`
7. Signerer alle `.rdp`-filer på skrivebord(e) med `rdpsign.exe /sha256`
8. Sætter `RedirectionWarningDialogVersion = 1` i registry for at undertrykke RDP-advarselsdialoger
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
---
## AllUsers Switch
Alle scripts understøtter `-AllUsers` switchen. Som standard — uden `-AllUsers` — køres alle scripts kun mod det **offentlige skrivebord** (`C:\Users\Public\Desktop`). Når `-AllUsers` angives, itererer scriptet i stedet over alle brugerprofiler under `C:\Users\` og behandler hver brugers `Desktop`-mappe.
```powershell
# Kun offentligt skrivebord (standard)
.\Install.ps1
# Alle brugeres skriveborde
.\Install.ps1 -AllUsers
```
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
---
## Registry-ændringer
| Sti | Værdi | Type | Data |
|-----|-------|------|------|
| `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` | `TrustedCertThumbprints` | String | Certifikatets thumbprint |
| `HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client` | `RedirectionWarningDialogVersion` | DWORD | `1` |
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
---
## Logning og fejlfinding
| Script | Logfil |
|--------|--------|
| `Install.ps1` | `C:\Intune\DesktopShortcuts.log` |
| `Detect.ps1` | `C:\Intune\DesktopShortcuts.log` |
| `Uninstall.ps1` | `C:\Intune\DesktopShortcuts.log` |
| `SignOnly.ps1` | `C:\Intune\RDPSign.log` |
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
---
## SignOnly Intune App Konfiguration
### Program
- **Installationskommando:**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1`
- **Installationskommando (alle brugeres skriveborde):**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1 -AllUsers`
- **Afinstallationskommando:**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1`
- **Afinstallationskommando (alle brugeres skriveborde):**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1 -AllUsers`
- **Installationsadfærd:** System
### Registreringsregel
Brug et brugerdefineret registreringsscript:
- **Scriptfil:** `SignOnly_detect.ps1`
- **Kør script som 32-bit proces på 64-bit klienter:** Nej
- **Gennemtving scriptsignaturkontrol:** Nej
Registreringslogik:
- Tjekker at `CN=RDPSign`-certifikatet findes i `My`, `Root` og `TrustedPublisher` stores
- Tjekker at thumbprint er til stede i registry
- Uden `-AllUsers`: tjekker at alle `.rdp`-filer på det offentlige skrivebord er signerede
- Med `-AllUsers`: tjekker alle `.rdp`-filer på tværs af alle brugeres skriveborde
- Returnerer `exit 0` + `"Detected"` = installeret
- Returnerer `exit 1` = ikke installeret
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
---
## Øvrige scripts i pakken
> **Bemærk:** Alle PowerShell-scripts er pakket ind i samme IntuneWin-pakke. Det betyder at man altid kan kalde på et vilkårligt script direkte fra Intune eller manuelt, f.eks.:
>
> ```powershell
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1 -AllUsers
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1 -AllUsers
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1 -AllUsers
> ```
> osv. for alle scripts i pakken.
### `SignOnly.ps1`
Signerer alle eksisterende `.rdp`-filer på skrivebord(e) uden at kopiere filer. Nyttigt til gensignering efter en opdatering eller hvis filer allerede er installeret. Kør som administrator. Understøtter `-AllUsers` switch.
### `SignOnly_detect.ps1`
Registreringsscript til brug med `SignOnly.ps1` som Intune-pakke. Tjekker:
- Certifikat findes i `My`, `Root` og `TrustedPublisher` stores
- Thumbprint er til stede i registry
- Alle `.rdp`-filer på skrivebord(e) indeholder en gyldig signatur
Understøtter `-AllUsers` switch.
### `Clearsigning.ps1`
Fjerner alle signeringsartefakter. Nyttigt til test eller oprydning. Kør som administrator. Understøtter `-AllUsers` switch.
- Fjerner `signscope`- og `signature`-linjer fra alle `.rdp`-filer på skrivebord(e)
- Fjerner `CN=RDPSign`-certifikatet fra `My`, `Root` og `TrustedPublisher` stores
- Fjerner `TrustedCertThumbprints` fra registry
- Fjerner `RedirectionWarningDialogVersion` fra registry
### `sandbox.ps1`
Kombinerer install og detect i ét script til lokal sandkasse-test. Understøtter `-AllUsers` switch.
Kør fra mappen der indeholder `rdp-files\` som administrator.
Output skrives til både konsollen og `C:\Intune\DesktopShortcuts.log`.
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
# RDP - IntuneWin Pakke
> Denne pakke installerer og signerer RDP-genveje på skrivebordet via et selvsigneret certifikat, så brugerne ikke får en sikkerhedsadvarsel ved åbning.
> Som standard arbejder alle scripts mod det **offentlige skrivebord** (`C:\Users\Public\Desktop`).
> Brug `-AllUsers` switchen for at køre mod alle brugeres individuelle skriveborde i stedet.
---
## Indhold
- [Pakkens indhold](#pakkens-indhold)
- [Intune App Konfiguration](#intune-app-konfiguration)
- [Hvad Install.ps1 gør](#hvad-installps1-gør)
- [Sådan opsætter du Detect.ps1](#sådan-opsætter-du-detectps1)
- [AllUsers Switch](#allusers-switch)
- [Registry-ændringer](#registry-ændringer)
- [Logning og fejlfinding](#logning-og-fejlfinding)
- [SignOnly Intune App Konfiguration](#signonly-intune-app-konfiguration)
- [Øvrige scripts i pakken](#øvrige-scripts-i-pakken)
---
## Pakkens indhold
| Fil | Formål |
|-----|--------|
| `Install.ps1` | Kopierer RDP-filer til skrivebord(e), opretter selvsigneret certifikat og signerer alle RDP-filer. Understøtter `-AllUsers` switch. |
| `Detect.ps1` | Tjekker at specifikke forventede .rdp-filer (defineret i `$expectedFiles` array) eksisterer på skrivebord(e). Understøtter `-AllUsers` switch. |
| `Uninstall.ps1` | Fjerner RDP-filer fra skrivebord(e). Understøtter `-AllUsers` switch. |
| `SignOnly.ps1` | Signerer eksisterende RDP-filer på skrivebord(e) — ingen filkopiering. Understøtter `-AllUsers` switch. |
| `SignOnly_detect.ps1` | Registrerer om certifikat er til stede og alle RDP-filer på skrivebord(e) er signerede. Understøtter `-AllUsers` switch. |
| `Clearsigning.ps1` | Fjerner signaturer fra RDP-filer og rydder op i certifikat og registry (til oprydning/debug). Understøtter `-AllUsers` switch. |
| `sandbox.ps1` | Kombineret install + detect script til lokal sandkasse-test. Understøtter `-AllUsers` switch. |
| `rdp-files\*.rdp` | Kilde-RDP-filer der installeres på skrivebord(e) |
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
---
## Sådan opsætter du Detect.ps1
Før du uploader `Detect.ps1` til Intune som registreringsregel, skal du åbne filen og udfylde `$expectedFiles` array med de `.rdp` filnavne der ligger i `.\\rdp-files\\`:
```powershell
$expectedFiles = @(
"Server1.rdp",
"Server2.rdp",
"DesktopApp.rdp"
)
```
Når scriptet kører:
- Uden `-AllUsers`: tjekker at alle filer i `$expectedFiles` findes på det offentlige skrivebord (`C:\Users\Public\Desktop`)
- Med `-AllUsers`: tjekker alle filer i `$expectedFiles` på tværs af alle brugeres skriveborde
- Returnerer `exit 0` = installeret (alle filer fundet)
- Returnerer `exit 1` = ikke installeret (en eller flere filer mangler)
> **Vigtigt:** Husk at opdatere `$expectedFiles` hver gang du tilføjer eller fjerner `.rdp` filer i pakken, ellers vil detekteringen være forkert.
---
## Intune App Konfiguration
### Program
- **Installationskommando:**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1`
- **Installationskommando (alle brugeres skriveborde):**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1 -AllUsers`
- **Afinstallationskommando:**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1`
- **Afinstallationskommando (alle brugeres skriveborde):**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1 -AllUsers`
- **Installationsadfærd:** System
### Registreringsregel
Brug et brugerdefineret registreringsscript:
- **Scriptfil:** `Detect.ps1`
- **Kør script som 32-bit proces på 64-bit klienter:** Nej
- **Gennemtving scriptsignaturkontrol:** Nej
Registreringslogik:
- Uden `-AllUsers`: tjekker at alle `.rdp`-filer er til stede på det offentlige skrivebord (`C:\Users\Public\Desktop`)
- Med `-AllUsers`: tjekker alle brugeres skriveborde under `C:\Users\`
- Returnerer `exit 0` = installeret
- Returnerer `exit 1` = ikke installeret
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
---
## Hvad Install.ps1 gør
1. Finder målskrivebord(e) — offentligt skrivebord som standard, alle brugeres skriveborde med `-AllUsers`. Med `-AllUsers` søges 2 mapper ned så OneDrive-omdirigeret Desktop også fanges
2. Kopierer alle `.rdp`-filer fra `.\rdp-files\` til de fundne skrivebord(e)
3. Søger efter eksisterende selvsigneret certifikat (`CN=RDPSign`) i `Cert:\LocalMachine\My`
4. Opretter et nyt selvsigneret kodesigneringscertifikat hvis intet findes (gyldigt i 25 år, ikke-eksporterbart)
5. Tilføjer certifikatet til `Trusted Root` og `Trusted Publishers` i den lokale maskines certifikatstore
6. Tilføjer certifikatets thumbprint til registry-nøglen `TrustedCertThumbprints`
7. Signerer alle `.rdp`-filer på skrivebord(e) med `rdpsign.exe /sha256`
8. Sætter `RedirectionWarningDialogVersion = 1` i registry for at undertrykke RDP-advarselsdialoger
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
---
## AllUsers Switch
Alle scripts understøtter `-AllUsers` switchen. Som standard — uden `-AllUsers` — køres alle scripts kun mod det **offentlige skrivebord** (`C:\Users\Public\Desktop`). Når `-AllUsers` angives, søger scriptet i stedet på tværs af alle brugerprofiler under `C:\Users\` (ekskl. `Public`/`Default`). Der søges 2 mapper ned (`-Depth 2`) for at fange både standard `Desktop` og OneDrive-omdirigeret `Desktop`.
```powershell
# Kun offentligt skrivebord (standard)
.\Install.ps1
# Alle brugeres skriveborde
.\Install.ps1 -AllUsers
```
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
---
## Registry-ændringer
| Sti | Værdi | Type | Data |
|-----|-------|------|------|
| `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` | `TrustedCertThumbprints` | String | Certifikatets thumbprint |
| `HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client` | `RedirectionWarningDialogVersion` | DWORD | `1` |
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
---
## Logning og fejlfinding
| Script | Logfil |
|--------|--------|
| `Install.ps1` | `C:\Intune\DesktopShortcuts.log` |
| `Detect.ps1` | `C:\Intune\DesktopShortcuts.log` |
| `Uninstall.ps1` | `C:\Intune\DesktopShortcuts.log` |
| `SignOnly.ps1` | `C:\Intune\RDPSign.log` |
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
---
## SignOnly Intune App Konfiguration
### Program
- **Installationskommando:**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1`
- **Installationskommando (alle brugeres skriveborde):**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1 -AllUsers`
- **Afinstallationskommando:**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1`
- **Afinstallationskommando (alle brugeres skriveborde):**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1 -AllUsers`
- **Installationsadfærd:** System
### Registreringsregel
Brug et brugerdefineret registreringsscript:
- **Scriptfil:** `SignOnly_detect.ps1`
- **Kør script som 32-bit proces på 64-bit klienter:** Nej
- **Gennemtving scriptsignaturkontrol:** Nej
Registreringslogik:
- Tjekker at `CN=RDPSign`-certifikatet findes i `My`, `Root` og `TrustedPublisher` stores
- Tjekker at thumbprint er til stede i registry
- Uden `-AllUsers`: tjekker at alle `.rdp`-filer på det offentlige skrivebord er signerede
- Med `-AllUsers`: tjekker alle `.rdp`-filer på tværs af alle brugeres skriveborde
- Returnerer `exit 0` + `"Detected"` = installeret
- Returnerer `exit 1` = ikke installeret
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
---
## Øvrige scripts i pakken
> **Bemærk:** Alle PowerShell-scripts er pakket ind i samme IntuneWin-pakke. Det betyder at man altid kan kalde på et vilkårligt script direkte fra Intune eller manuelt, f.eks.:
>
> ```powershell
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1 -AllUsers
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1 -AllUsers
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1
> powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1 -AllUsers
> ```
> osv. for alle scripts i pakken.
### `SignOnly.ps1`
Signerer alle eksisterende `.rdp`-filer på skrivebord(e) uden at kopiere filer. Nyttigt til gensignering efter en opdatering eller hvis filer allerede er installeret. Kør som administrator. Understøtter `-AllUsers` switch.
### `SignOnly_detect.ps1`
Registreringsscript til brug med `SignOnly.ps1` som Intune-pakke. Tjekker:
- Certifikat findes i `My`, `Root` og `TrustedPublisher` stores
- Thumbprint er til stede i registry
- Alle `.rdp`-filer på skrivebord(e) indeholder en gyldig signatur
Understøtter `-AllUsers` switch.
### `Clearsigning.ps1`
Fjerner alle signeringsartefakter. Nyttigt til test eller oprydning. Kør som administrator. Understøtter `-AllUsers` switch.
- Fjerner `signscope`- og `signature`-linjer fra alle `.rdp`-filer på skrivebord(e)
- Fjerner `CN=RDPSign`-certifikatet fra `My`, `Root` og `TrustedPublisher` stores
- Fjerner `TrustedCertThumbprints` fra registry
- Fjerner `RedirectionWarningDialogVersion` fra registry
### `sandbox.ps1`
Kombinerer install og detect i ét script til lokal sandkasse-test. Understøtter `-AllUsers` switch.
Kør fra mappen der indeholder `rdp-files\` som administrator.
Output skrives til både konsollen og `C:\Intune\DesktopShortcuts.log`.
[↑ Tilbage til toppen](#rdp---intunewin-pakke)
+6 -9
View File
@@ -1,10 +1,8 @@
# ============================================================
# CHANGELOG
# v1.1 - Added -AllUsers switch to remove signatures from RDP
# files on all user desktops instead of only the public
# desktop.
# Added Get-DesktopPaths helper function.
# v1.0 - Initial version, clears signing on public desktop only.
# v1.2 - Get-DesktopPaths: Depth 2 search for OneDrive Desktop
# v1.1 - AllUsers switch + Get-DesktopPaths helper
# v1.0 - Initial
# ============================================================
param(
@@ -13,15 +11,14 @@ param(
function Get-DesktopPaths {
if ($AllUsers) {
Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
$path = Join-Path $_.FullName "Desktop"
if (Test-Path $path) { $path }
Get-ChildItem "$env:SystemDrive\Users" -Directory -Exclude "Public","Default" | ForEach-Object {
Get-ChildItem $_.FullName -Directory -Filter "Desktop" -Depth 2 -ErrorAction SilentlyContinue |
Select-Object -ExpandProperty FullName
}
} else {
[Environment]::GetFolderPath("CommonDesktopDirectory")
}
}
$certSubject = "CN=RDPSign"
# 1. Unsign RDP files
+7 -15
View File
@@ -1,17 +1,9 @@
# ============================================================
# CHANGELOG
# v1.2 - Checks for specific expected .rdp filenames instead
# of just "any .rdp file exists on desktop".
# v1.1 - Added -AllUsers switch to check all user desktops
# instead of only the public desktop.
# Added Get-DesktopPaths helper function.
# v1.0 - Initial version, checks public desktop only.
# ============================================================
param(
[switch]$AllUsers
)
# v1.3 - Get-DesktopPaths: Depth 2 search for OneDrive Desktop
# v1.2 - Detect by expected filename list
# v1.1 - AllUsers switch + Get-DesktopPaths helper
# v1.0 - Initial
# ============================================================
# Update this list whenever .rdp files are added or removed
# from the rdp-files\\ folder.
@@ -39,9 +31,9 @@ function Write-Log {
function Get-DesktopPaths {
if ($AllUsers) {
Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
$path = Join-Path $_.FullName "Desktop"
if (Test-Path $path) { $path }
Get-ChildItem "$env:SystemDrive\Users" -Directory -Exclude "Public","Default" | ForEach-Object {
Get-ChildItem $_.FullName -Directory -Filter "Desktop" -Depth 2 -ErrorAction SilentlyContinue |
Select-Object -ExpandProperty FullName
}
} else {
[Environment]::GetFolderPath("CommonDesktopDirectory")
+6 -9
View File
@@ -1,9 +1,8 @@
# ============================================================
# CHANGELOG
# v1.1 - Added -AllUsers switch to deploy to all user desktops
# instead of only the public desktop.
# Added Get-DesktopPaths helper function.
# v1.0 - Initial version, deploys to public desktop only.
# v1.2 - Get-DesktopPaths: Depth 2 search for OneDrive Desktop
# v1.1 - AllUsers switch + Get-DesktopPaths helper
# v1.0 - Initial
# ============================================================
param(
@@ -34,16 +33,14 @@ function Write-Log {
function Get-DesktopPaths {
if ($AllUsers) {
# Return desktop path for each user profile found
Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
$path = Join-Path $_.FullName "Desktop"
if (Test-Path $path) { $path }
Get-ChildItem "$env:SystemDrive\Users" -Directory -Exclude "Public","Default" | ForEach-Object {
Get-ChildItem $_.FullName -Directory -Filter "Desktop" -Depth 2 -ErrorAction SilentlyContinue |
Select-Object -ExpandProperty FullName
}
} else {
[Environment]::GetFolderPath("CommonDesktopDirectory")
}
}
try {
$desktopPaths = Get-DesktopPaths
Write-Log "Running in mode: $(if ($AllUsers) { 'All Users' } else { 'Public Desktop' })"
+6 -8
View File
@@ -1,9 +1,8 @@
# ============================================================
# CHANGELOG
# v1.1 - Added -AllUsers switch to sign RDP files on all user
# desktops instead of only the public desktop.
# Added Get-DesktopPaths helper function.
# v1.0 - Initial version, signs on public desktop only.
# v1.2 - Get-DesktopPaths: Depth 2 search for OneDrive Desktop
# v1.1 - AllUsers switch + Get-DesktopPaths helper
# v1.0 - Initial
# ============================================================
param(
@@ -34,15 +33,14 @@ function Write-Log {
function Get-DesktopPaths {
if ($AllUsers) {
Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
$path = Join-Path $_.FullName "Desktop"
if (Test-Path $path) { $path }
Get-ChildItem "$env:SystemDrive\Users" -Directory -Exclude "Public","Default" | ForEach-Object {
Get-ChildItem $_.FullName -Directory -Filter "Desktop" -Depth 2 -ErrorAction SilentlyContinue |
Select-Object -ExpandProperty FullName
}
} else {
[Environment]::GetFolderPath("CommonDesktopDirectory")
}
}
try {
$certSubjectName = "RDPSign"
$certSubject = "CN=$certSubjectName"
+89 -37
View File
@@ -1,61 +1,113 @@
# ============================================================
# CHANGELOG
# v1.1 - Added -AllUsers switch to check certificate and signed
# RDP files across all user desktops instead of only the
# public desktop.
# Added Get-DesktopPaths helper function.
# v1.0 - Initial version, checks public desktop only.
# v1.3 - Added detailed logging for detect failures
# v1.2 - Get-DesktopPaths: Depth 2 search for OneDrive Desktop
# v1.1 - AllUsers switch + Get-DesktopPaths helper
# v1.0 - Initial
# ============================================================
param(
[switch]$AllUsers
)
# Setup logging
$baseFolder = Join-Path $env:SystemDrive "Intune"
$logFile = Join-Path $baseFolder "RDPSign.log"
if (-not (Test-Path $baseFolder)) {
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
}
function Write-Log {
param($Message)
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
Add-Content -Path $logFile -Value $logMessage
Write-Host $logMessage
}
function Get-DesktopPaths {
if ($AllUsers) {
Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
$path = Join-Path $_.FullName "Desktop"
if (Test-Path $path) { $path }
Get-ChildItem "$env:SystemDrive\Users" -Directory -Exclude "Public","Default" | ForEach-Object {
Get-ChildItem $_.FullName -Directory -Filter "Desktop" -Depth 2 -ErrorAction SilentlyContinue |
Select-Object -ExpandProperty FullName
}
} else {
[Environment]::GetFolderPath("CommonDesktopDirectory")
}
}
$certSubject = "CN=RDPSign"
try {
Write-Log "=== SignOnly Detect START ==="
Write-Log "Running in mode: $(if ($AllUsers) { 'All Users' } else { 'Public Desktop' })"
# Check certificate exists in all three stores
$certInMy = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $certSubject }
$certInRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $certSubject }
$certInPub = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object { $_.Subject -eq $certSubject }
$certSubject = "CN=RDPSign"
if (-not $certInMy -or -not $certInRoot -or -not $certInPub) {
exit 1
}
# Check certificate exists in all three stores
Write-Log "Checking certificate: $certSubject..."
$certInMy = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $certSubject }
$certInRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $certSubject }
$certInPub = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object { $_.Subject -eq $certSubject }
# Check registry thumbprint
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$thumbprintValue = (Get-ItemProperty -Path $gpoPath -Name "TrustedCertThumbprints" -ErrorAction SilentlyContinue).TrustedCertThumbprints
if ([string]::IsNullOrWhiteSpace($thumbprintValue)) {
exit 1
}
# Check that all RDP files on desktop(s) are signed
foreach ($desktopPath in (Get-DesktopPaths)) {
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -ErrorAction SilentlyContinue
if ($rdpFiles.Count -eq 0) {
$certOk = $true
if (-not $certInMy) {
Write-Log "FAIL: Certificate not found in LocalMachine\My"
$certOk = $false
}
if (-not $certInRoot) {
Write-Log "FAIL: Certificate not found in LocalMachine\Root"
$certOk = $false
}
if (-not $certInPub) {
Write-Log "FAIL: Certificate not found in LocalMachine\TrustedPublisher"
$certOk = $false
}
if (-not $certOk) {
exit 1
}
Write-Log "OK: Certificate found in all stores"
foreach ($file in $rdpFiles) {
$content = Get-Content $file.FullName -ErrorAction SilentlyContinue
$hasSig = $content | Where-Object { $_ -match "^signature:s:" }
if (-not $hasSig) {
exit 1
}
# Check registry thumbprint
Write-Log "Checking registry thumbprint..."
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$thumbprintValue = (Get-ItemProperty -Path $gpoPath -Name "TrustedCertThumbprints" -ErrorAction SilentlyContinue).TrustedCertThumbprints
if ([string]::IsNullOrWhiteSpace($thumbprintValue)) {
Write-Log "FAIL: TrustedCertThumbprints not found in registry"
exit 1
}
}
Write-Log "OK: Thumbprint found in registry"
Write-Host "Detected"
exit 0
# Check that all RDP files on desktop(s) are signed
Write-Log "Checking RDP file signatures..."
$desktopsChecked = 0
$filesChecked = 0
foreach ($desktopPath in (Get-DesktopPaths)) {
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -ErrorAction SilentlyContinue
if ($rdpFiles.Count -eq 0) {
Write-Log "Skip: No .rdp files on $desktopPath"
continue
}
Write-Log "Found $($rdpFiles.Count) file(s) to check on: $desktopPath"
foreach ($file in $rdpFiles) {
$filesChecked++
$content = Get-Content $file.FullName -ErrorAction SilentlyContinue
$hasSig = $content | Where-Object { $_ -match "^signature:s:" }
if (-not $hasSig) {
Write-Log "FAIL: $($file.Name) on $desktopPath is not signed"
exit 1
}
}
$desktopsChecked++
}
Write-Log "OK: All $filesChecked file(s) across $desktopsChecked desktop(s) are signed"
Write-Log "=== SignOnly Detect END - Installed ==="
exit 0
}
catch {
Write-Log "Error: $_"
exit 1
}
+6 -8
View File
@@ -1,9 +1,8 @@
# ============================================================
# CHANGELOG
# v1.1 - Added -AllUsers switch to remove files from all user
# desktops instead of only the public desktop.
# Added Get-DesktopPaths helper function.
# v1.0 - Initial version, removes from public desktop only.
# v1.2 - Get-DesktopPaths: Depth 2 search for OneDrive Desktop
# v1.1 - AllUsers switch + Get-DesktopPaths helper
# v1.0 - Initial
# ============================================================
param(
@@ -27,15 +26,14 @@ function Write-Log {
function Get-DesktopPaths {
if ($AllUsers) {
Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
$path = Join-Path $_.FullName "Desktop"
if (Test-Path $path) { $path }
Get-ChildItem "$env:SystemDrive\Users" -Directory -Exclude "Public","Default" | ForEach-Object {
Get-ChildItem $_.FullName -Directory -Filter "Desktop" -Depth 2 -ErrorAction SilentlyContinue |
Select-Object -ExpandProperty FullName
}
} else {
[Environment]::GetFolderPath("CommonDesktopDirectory")
}
}
try {
$desktopPaths = Get-DesktopPaths
Write-Log "Running in mode: $(if ($AllUsers) { 'All Users' } else { 'Public Desktop' })"
+3 -43
View File
@@ -2,49 +2,9 @@
# INSTALL + DETECT - Sandbox test script
# ============================================================
# CHANGELOG
# v1.1 - Added -AllUsers switch to deploy and detect across all
# user desktops instead of only the public desktop.
# Added Get-DesktopPaths helper function.
# v1.0 - Initial version, public desktop only.
# ============================================================
param(
[switch]$AllUsers
)
# Setup logging
$baseFolder = Join-Path $env:SystemDrive "Intune"
$logFile = Join-Path $baseFolder "DesktopShortcuts.log"
# Check if Sysnative exists (means script is running in 32-bit mode on x64 OS)
if (Test-Path "$($env:windir)\Sysnative") {
$rdpSignPath = "$($env:windir)\Sysnative\rdpsign.exe"
} else {
$rdpSignPath = "$($env:windir)\System32\rdpsign.exe"
}
if (-not (Test-Path $baseFolder)) {
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
}
function Write-Log {
param($Message)
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
Add-Content -Path $logFile -Value $logMessage
Write-Host $logMessage
}
function Get-DesktopPaths {
if ($AllUsers) {
Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
$path = Join-Path $_.FullName "Desktop"
if (Test-Path $path) { $path }
}
} else {
[Environment]::GetFolderPath("CommonDesktopDirectory")
}
}
# v1.2 - Get-DesktopPaths: Depth 2 search for OneDrive Desktop
# v1.1 - AllUsers switch + Get-DesktopPaths helper
# v1.0 - Initial
# ============================================================
# INSTALL
# ============================================================
+234
View File
@@ -0,0 +1,234 @@
# ============================================================
# SIGNONLY + DETECT - Sandbox test script
# ============================================================
# CHANGELOG
# v1.0 - Initial
# ============================================================
param(
[switch]$AllUsers
)
Start-Sleep -Seconds 10
# Setup logging
$baseFolder = Join-Path $env:SystemDrive "Intune"
$logFile = Join-Path $baseFolder "RDPSign.log"
# Check if Sysnative exists (means script is running in 32-bit mode on x64 OS)
if (Test-Path "$($env:windir)\Sysnative") {
$rdpSignPath = "$($env:windir)\Sysnative\rdpsign.exe"
} else {
$rdpSignPath = "$($env:windir)\System32\rdpsign.exe"
}
if (-not (Test-Path $baseFolder)) {
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
}
function Write-Log {
param($Message)
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
Add-Content -Path $logFile -Value $logMessage
Write-Host $logMessage
}
function Get-DesktopPaths {
if ($AllUsers) {
Get-ChildItem "$env:SystemDrive\Users" -Directory -Exclude "Public","Default" | ForEach-Object {
Get-ChildItem $_.FullName -Directory -Filter "Desktop" -Depth 2 -ErrorAction SilentlyContinue |
Select-Object -ExpandProperty FullName
}
} else {
[Environment]::GetFolderPath("CommonDesktopDirectory")
}
}
# ============================================================
# SIGNONLY
# ============================================================
Write-Log "=== START SIGNONLY ==="
Write-Log "Running in mode: $(if ($AllUsers) { 'All Users' } else { 'Public Desktop' })"
try {
$certSubjectName = "RDPSign"
$certSubject = "CN=$certSubjectName"
Write-Log "Searching for existing certificate: $certSubjectName..."
$existingCert = Get-ChildItem Cert:\LocalMachine\My |
Where-Object { $_.Subject -eq $certSubject } |
Select-Object -First 1
if ($existingCert) {
Write-Log "Found existing certificate with Thumbprint: $($existingCert.Thumbprint)"
$thumbprint = $existingCert.Thumbprint
} else {
Write-Log "No existing certificate found. Creating new one..."
$cert = New-SelfSignedCertificate `
-Subject $certSubject `
-CertStoreLocation "Cert:\LocalMachine\My" `
-Type CodeSigningCert `
-KeyExportPolicy NonExportable `
-NotAfter (Get-Date).AddYears(25)
$thumbprint = $cert.Thumbprint
# Add to Trusted Root
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$rootStore.Open("ReadWrite")
$rootStore.Add($cert)
$rootStore.Close()
# Add to Trusted Publishers
$pubStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("TrustedPublisher", "LocalMachine")
$pubStore.Open("ReadWrite")
$pubStore.Add($cert)
$pubStore.Close()
# Add thumbprint to RDP trusted certs in registry
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$keyName = "TrustedCertThumbprints"
if (-not (Test-Path $gpoPath)) {
New-Item -Path $gpoPath -Force | Out-Null
}
$currentValue = (Get-ItemProperty -Path $gpoPath -Name $keyName -ErrorAction SilentlyContinue).$keyName
if ($currentValue -notmatch [regex]::Escape($thumbprint)) {
$newValue = if ([string]::IsNullOrWhiteSpace($currentValue)) { $thumbprint } else { "$currentValue,$thumbprint" }
if ($null -eq $currentValue) {
New-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue -PropertyType String -Force | Out-Null
} else {
Set-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue
}
Write-Log "Updated TrustedCertThumbprints registry value."
} else {
Write-Log "Thumbprint already exists in registry. Skipping update."
}
Write-Log "Certificate created and trusted successfully."
}
$successCount = 0
$failCount = 0
foreach ($desktopPath in (Get-DesktopPaths)) {
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -Recurse -ErrorAction SilentlyContinue
if ($rdpFiles.Count -eq 0) {
Write-Log "Skip: No .rdp files on $desktopPath"
continue
}
Write-Log "Found $($rdpFiles.Count) file(s) to sign on: $desktopPath"
foreach ($rdpFile in $rdpFiles) {
Write-Log "Signing: $($rdpFile.Name)"
& $rdpSignPath /sha256 $thumbprint $rdpFile.FullName
if ($LASTEXITCODE -eq 0) {
Write-Log " [OK] $($rdpFile.Name)"
$successCount++
} else {
Write-Log " [FAILED] $($rdpFile.Name) - rdpsign exit code: $LASTEXITCODE"
$failCount++
}
}
}
# Set registry key to suppress RDP warning dialogs
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client" /v RedirectionWarningDialogVersion /t REG_DWORD /d 1 /f
if ($failCount -eq 0) {
Write-Log "All $successCount file(s) signed successfully."
} else {
Write-Log "$successCount file(s) signed successfully, $failCount file(s) failed."
}
} catch {
Write-Log "SIGNONLY error: $_"
}
# ============================================================
# DETECT
# ============================================================
Write-Log "=== START DETECT ==="
try {
$certSubject = "CN=RDPSign"
Write-Log "Checking certificate: $certSubject..."
$certInMy = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $certSubject }
$certInRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $certSubject }
$certInPub = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object { $_.Subject -eq $certSubject }
$certOk = $true
if (-not $certInMy) {
Write-Log "FAIL: Certificate not found in LocalMachine\My"
$certOk = $false
}
if (-not $certInRoot) {
Write-Log "FAIL: Certificate not found in LocalMachine\Root"
$certOk = $false
}
if (-not $certInPub) {
Write-Log "FAIL: Certificate not found in LocalMachine\TrustedPublisher"
$certOk = $false
}
if (-not $certOk) {
Write-Log "DETECT [FAIL]: Certificate missing"
} else {
Write-Log "OK: Certificate found in all stores"
}
# Check registry thumbprint
Write-Log "Checking registry thumbprint..."
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$thumbprintValue = (Get-ItemProperty -Path $gpoPath -Name "TrustedCertThumbprints" -ErrorAction SilentlyContinue).TrustedCertThumbprints
if ([string]::IsNullOrWhiteSpace($thumbprintValue)) {
Write-Log "FAIL: TrustedCertThumbprints not found in registry"
$certOk = $false
} else {
Write-Log "OK: Thumbprint found in registry"
}
# Check that all RDP files on desktop(s) are signed
Write-Log "Checking RDP file signatures..."
$desktopsChecked = 0
$filesChecked = 0
$allSigned = $true
foreach ($desktopPath in (Get-DesktopPaths)) {
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -ErrorAction SilentlyContinue
if ($rdpFiles.Count -eq 0) {
Write-Log "Skip: No .rdp files on $desktopPath"
continue
}
Write-Log "Found $($rdpFiles.Count) file(s) to check on: $desktopPath"
foreach ($file in $rdpFiles) {
$filesChecked++
$content = Get-Content $file.FullName -ErrorAction SilentlyContinue
$hasSig = $content | Where-Object { $_ -match "^signature:s:" }
if (-not $hasSig) {
Write-Log "FAIL: $($file.Name) on $desktopPath is not signed"
$allSigned = $false
}
}
$desktopsChecked++
}
if ($allSigned -and $certOk) {
Write-Log "DETECT [OK]: $filesChecked file(s) across $desktopsChecked desktop(s) - all signed and configured"
exit 0
} else {
Write-Log "DETECT [FAIL]: Check log for details"
exit 1
}
} catch {
Write-Log "Detect error: $_"
exit 1
}
-33
View File
@@ -1,33 +0,0 @@
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
$certSubject = "CN=RDPSign"
# 1. Unsign RDP files
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp"
foreach ($file in $rdpFiles) {
$content = Get-Content $file.FullName
$cleaned = $content | Where-Object { $_ -notmatch "^signscope:s:" -and $_ -notmatch "^signature:s:" }
$cleaned | Set-Content $file.FullName -Encoding Unicode
Write-Host "Unsigned: $($file.Name)"
}
# 2. Remove certificate from all stores
foreach ($storeName in @("My", "Root", "TrustedPublisher")) {
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, "LocalMachine")
$store.Open("ReadWrite")
$certs = $store.Certificates | Where-Object { $_.Subject -eq $certSubject }
foreach ($cert in $certs) {
$store.Remove($cert)
Write-Host "Removed certificate from store: $storeName"
}
$store.Close()
}
# 3. Remove thumbprint from registry
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
Remove-ItemProperty -Path $gpoPath -Name "TrustedCertThumbprints" -ErrorAction SilentlyContinue
Write-Host "Removed TrustedCertThumbprints"
# 4. Remove RedirectionWarningDialogVersion
$clientPath = "HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services\Client"
Remove-ItemProperty -Path $clientPath -Name "RedirectionWarningDialogVersion" -ErrorAction SilentlyContinue
Write-Host "Removed RedirectionWarningDialogVersion"
-43
View File
@@ -1,43 +0,0 @@
# Setup logging
$baseFolder = Join-Path $env:SystemDrive "Intune"
$logFile = Join-Path $baseFolder "DesktopShortcuts.log"
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
# Create necessary folders
if (-not (Test-Path $baseFolder)) {
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
}
function Write-Log {
param($Message)
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
Add-Content -Path $logFile -Value $logMessage
Write-Host $logMessage
}
$rdpFiles = Get-ChildItem -Path "$desktopPath\*.rdp" -ErrorAction SilentlyContinue
try {
if ($rdpFiles.Count -eq 0) {
Write-Log "DETECT [FAIL]: No .rdp files found on public desktop: $desktopPath"
exit 1
}
$allFound = $true
foreach ($file in $rdpFiles) {
if (-not (Test-Path (Join-Path $desktopPath $file.Name))) {
Write-Log "DETECT [FAIL]: Missing: $($file.Name)"
$allFound = $false
}
}
if ($allFound) {
Write-Log "DETECT [OK]: All .rdp files found on public desktop: $desktopPath"
exit 0
} else {
exit 1
}
} catch {
Write-Log "Detect error: $_"
exit 1
}
-139
View File
@@ -1,139 +0,0 @@
# Setup logging
$baseFolder = Join-Path $env:SystemDrive "Intune"
$logFile = Join-Path $baseFolder "DesktopShortcuts.log"
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
# Check if Sysnative exists (means script is running in 32-bit mode on x64 OS)
if (Test-Path "$($env:windir)\Sysnative") {
$rdpSignPath = "$($env:windir)\Sysnative\rdpsign.exe"
} else {
$rdpSignPath = "$($env:windir)\System32\rdpsign.exe"
}
# Create necessary folders
if (-not (Test-Path $baseFolder)) {
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
}
function Write-Log {
param($Message)
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
Add-Content -Path $logFile -Value $logMessage
Write-Host $logMessage
}
try {
# Copy RDP files to public desktop
Get-ChildItem -Path ".\rdp-files\*.rdp" | ForEach-Object {
try {
Copy-Item -Path $_.FullName -Destination $desktopPath -Force
} catch {
Write-Log "Error copying file: $_"
exit 1
}
}
Start-Sleep -Seconds 2 # Wait for files to be fully copied before signing
Write-Log "Copied .rdp files to public desktop: $desktopPath"
# Get RDP files from public desktop for signing
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -Recurse -ErrorAction SilentlyContinue
$certSubjectName = "RDPSign"
$certSubject = "CN=$certSubjectName"
Write-Log "Searching for existing certificate: $certSubjectName..."
$existingCert = Get-ChildItem Cert:\LocalMachine\My |
Where-Object { $_.Subject -eq $certSubject } |
Select-Object -First 1
if ($existingCert) {
Write-Log "Found existing certificate with Thumbprint: $($existingCert.Thumbprint)"
$thumbprint = $existingCert.Thumbprint
} else {
Write-Log "No existing certificate found. Creating new one..."
$cert = New-SelfSignedCertificate `
-Subject $certSubject `
-CertStoreLocation "Cert:\LocalMachine\My" `
-Type CodeSigningCert `
-KeyExportPolicy NonExportable `
-NotAfter (Get-Date).AddYears(25)
$thumbprint = $cert.Thumbprint
# Add to Trusted Root
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$rootStore.Open("ReadWrite")
$rootStore.Add($cert)
$rootStore.Close()
# Add to Trusted Publishers
$pubStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("TrustedPublisher", "LocalMachine")
$pubStore.Open("ReadWrite")
$pubStore.Add($cert)
$pubStore.Close()
# Add thumbprint to RDP trusted certs in registry
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$keyName = "TrustedCertThumbprints"
if (-not (Test-Path $gpoPath)) {
New-Item -Path $gpoPath -Force | Out-Null
}
$currentValue = (Get-ItemProperty -Path $gpoPath -Name $keyName -ErrorAction SilentlyContinue).$keyName
if ($currentValue -notmatch [regex]::Escape($thumbprint)) {
$newValue = if ([string]::IsNullOrWhiteSpace($currentValue)) { $thumbprint } else { "$currentValue,$thumbprint" }
if ($null -eq $currentValue) {
New-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue -PropertyType String -Force | Out-Null
} else {
Set-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue
}
Write-Log "Updated TrustedCertThumbprints registry value."
} else {
Write-Log "Thumbprint already exists in registry. Skipping update."
}
Write-Log "Certificate created and trusted successfully."
}
if ($rdpFiles.Count -eq 0) {
Write-Log "No .rdp files found on Desktop: $desktopPath"
exit 0
}
Write-Log "Found $($rdpFiles.Count) file(s) to sign."
$successCount = 0
$failCount = 0
foreach ($rdpFile in $rdpFiles) {
Write-Log "Signing: $($rdpFile.Name)"
& $rdpSignPath /sha256 $thumbprint $rdpFile.FullName
if ($LASTEXITCODE -eq 0) {
Write-Log " [OK] $($rdpFile.Name)"
$successCount++
} else {
Write-Log " [FAILED] $($rdpFile.Name) - rdpsign exit code: $LASTEXITCODE"
$failCount++
}
}
# Set registry key to suppress RDP warning dialogs
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client" /v RedirectionWarningDialogVersion /t REG_DWORD /d 1 /f
if ($failCount -eq 0) {
Write-Log "All $successCount file(s) signed successfully."
} else {
Write-Log "$successCount file(s) signed successfully, $failCount file(s) failed."
exit 1
}
exit 0
} catch {
Write-Log "Error: $_"
exit 1
}
-118
View File
@@ -1,118 +0,0 @@
# RDP - IntuneWin Package
## Package Contents
| File | Purpose |
|------|---------|
| `Install.ps1` | Copies RDP files to public desktop, creates self-signed certificate and signs all RDP files |
| `Detect.ps1` | Detects whether all RDP files from the package are present on the public desktop |
| `Uninstall.ps1` | Removes RDP files from the public desktop |
| `SignOnly.ps1` | Signs existing RDP files on the public desktop — no file copy (standalone use) |
| `SignOnly_detect.ps1` | Detects whether certificate is present and all RDP files on the desktop are signed |
| `Clearsigning.ps1` | Removes signatures from RDP files and cleans up certificate and registry (cleanup/debug use) |
| `sandbox.ps1` | Combined install + detect script for local sandbox testing |
| `rdp-files\*.rdp` | Source RDP files deployed to the public desktop |
---
## Intune App Configuration
### Program
- **Install command:**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1`
- **Uninstall command:**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1`
- **Install behavior:** System
### Detection Rule
Use a custom detection script:
- **Script file:** `Detect.ps1`
- **Run script as 32-bit process on 64-bit clients:** No
- **Enforce script signature check:** No
Detection logic:
- Checks that all `.rdp` files from `rdp-files\` are present on the public desktop (`C:\Users\Public\Desktop`)
- Returns `exit 0` = installed
- Returns `exit 1` = not installed
---
## What Install.ps1 Does
1. Copies all `.rdp` files from `.\rdp-files\` to the public desktop
2. Searches for an existing self-signed certificate (`CN=RDPSign`) in `Cert:\LocalMachine\My`
3. If not found, creates a new self-signed code signing certificate (valid 25 years, non-exportable)
4. Adds the certificate to `Trusted Root` and `Trusted Publishers` in the local machine store
5. Adds the certificate thumbprint to the registry key `TrustedCertThumbprints`
6. Signs all `.rdp` files on the public desktop using `rdpsign.exe /sha256`
7. Sets `RedirectionWarningDialogVersion = 1` in registry to suppress RDP warning dialogs
---
## Registry Changes
| Path | Value | Type | Data |
|------|-------|------|------|
| `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` | `TrustedCertThumbprints` | String | Certificate thumbprint |
| `HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client` | `RedirectionWarningDialogVersion` | DWORD | `1` |
---
## Logging and Troubleshooting
| Script | Log file |
|--------|----------|
| `Install.ps1` | `C:\Intune\DesktopShortcuts.log` |
| `Detect.ps1` | `C:\Intune\DesktopShortcuts.log` |
| `Uninstall.ps1` | `C:\Intune\DesktopShortcuts.log` |
| `SignOnly.ps1` | `C:\Intune\RDPSign.log` |
---
## SignOnly Intune App Configuration
### Program
- **Install command:**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1`
- **Uninstall command:**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1`
- **Install behavior:** System
### Detection Rule
Use a custom detection script:
- **Script file:** `SignOnly_detect.ps1`
- **Run script as 32-bit process on 64-bit clients:** No
- **Enforce script signature check:** No
Detection logic:
- Checks that `CN=RDPSign` certificate exists in `My`, `Root`, and `TrustedPublisher` stores
- Checks that thumbprint is present in registry
- Checks that all `.rdp` files on the public desktop contain a valid signature
- Returns `exit 0` + `"Detected"` = installed
- Returns `exit 1` = not installed
---
## Utility Scripts (not part of Intune package)
### `SignOnly.ps1`
Signs all existing `.rdp` files on the public desktop without copying any files. Useful for re-signing after an update or if files are already deployed.
Run as administrator.
### `SignOnly_detect.ps1`
Detection script for use with `SignOnly.ps1` as an Intune package. Checks:
- Certificate exists in `My`, `Root`, and `TrustedPublisher` stores
- Thumbprint is present in registry
- All `.rdp` files on the desktop contain a valid signature
### `Clearsigning.ps1`
Removes all signing artifacts. Useful for testing or cleanup. Run as administrator.
- Strips `signscope` and `signature` lines from all `.rdp` files on the public desktop
- Removes `CN=RDPSign` certificate from `My`, `Root`, and `TrustedPublisher` stores
- Removes `TrustedCertThumbprints` from registry
- Removes `RedirectionWarningDialogVersion` from registry
### `sandbox.ps1`
Combines install and detect into a single script for local sandbox testing.
Run from the folder containing `rdp-files\` as administrator.
Output is written to both the console and `C:\Intune\DesktopShortcuts.log`.
-125
View File
@@ -1,125 +0,0 @@
# Setup logging
$baseFolder = Join-Path $env:SystemDrive "Intune"
$logFile = Join-Path $baseFolder "RDPSign.log"
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
# Check if Sysnative exists (means script is running in 32-bit mode on x64 OS)
if (Test-Path "$($env:windir)\Sysnative") {
$rdpSignPath = "$($env:windir)\Sysnative\rdpsign.exe"
} else {
$rdpSignPath = "$($env:windir)\System32\rdpsign.exe"
}
if (-not (Test-Path $baseFolder)) {
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
}
function Write-Log {
param($Message)
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
Add-Content -Path $logFile -Value $logMessage
Write-Host $logMessage
}
try {
# Get RDP files from public desktop for signing
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -Recurse -ErrorAction SilentlyContinue
$certSubjectName = "RDPSign"
$certSubject = "CN=$certSubjectName"
Write-Log "Searching for existing certificate: $certSubjectName..."
$existingCert = Get-ChildItem Cert:\LocalMachine\My |
Where-Object { $_.Subject -eq $certSubject } |
Select-Object -First 1
if ($existingCert) {
Write-Log "Found existing certificate with Thumbprint: $($existingCert.Thumbprint)"
$thumbprint = $existingCert.Thumbprint
} else {
Write-Log "No existing certificate found. Creating new one..."
$cert = New-SelfSignedCertificate `
-Subject $certSubject `
-CertStoreLocation "Cert:\LocalMachine\My" `
-Type CodeSigningCert `
-KeyExportPolicy NonExportable `
-NotAfter (Get-Date).AddYears(25)
$thumbprint = $cert.Thumbprint
# Add to Trusted Root
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$rootStore.Open("ReadWrite")
$rootStore.Add($cert)
$rootStore.Close()
# Add to Trusted Publishers
$pubStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("TrustedPublisher", "LocalMachine")
$pubStore.Open("ReadWrite")
$pubStore.Add($cert)
$pubStore.Close()
# Add thumbprint to RDP trusted certs in registry
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$keyName = "TrustedCertThumbprints"
if (-not (Test-Path $gpoPath)) {
New-Item -Path $gpoPath -Force | Out-Null
}
$currentValue = (Get-ItemProperty -Path $gpoPath -Name $keyName -ErrorAction SilentlyContinue).$keyName
if ($currentValue -notmatch [regex]::Escape($thumbprint)) {
$newValue = if ([string]::IsNullOrWhiteSpace($currentValue)) { $thumbprint } else { "$currentValue,$thumbprint" }
if ($null -eq $currentValue) {
New-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue -PropertyType String -Force | Out-Null
} else {
Set-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue
}
Write-Log "Updated TrustedCertThumbprints registry value."
} else {
Write-Log "Thumbprint already exists in registry. Skipping update."
}
Write-Log "Certificate created and trusted successfully."
}
if ($rdpFiles.Count -eq 0) {
Write-Log "No .rdp files found on Desktop: $desktopPath"
exit 0
}
Write-Log "Found $($rdpFiles.Count) file(s) to sign."
$successCount = 0
$failCount = 0
foreach ($rdpFile in $rdpFiles) {
Write-Log "Signing: $($rdpFile.Name)"
& $rdpSignPath /sha256 $thumbprint $rdpFile.FullName
if ($LASTEXITCODE -eq 0) {
Write-Log " [OK] $($rdpFile.Name)"
$successCount++
} else {
Write-Log " [FAILED] $($rdpFile.Name) - rdpsign exit code: $LASTEXITCODE"
$failCount++
}
}
# Set registry key to suppress RDP warning dialogs
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client" /v RedirectionWarningDialogVersion /t REG_DWORD /d 1 /f
if ($failCount -eq 0) {
Write-Log "All $successCount file(s) signed successfully."
} else {
Write-Log "$successCount file(s) signed successfully, $failCount file(s) failed."
exit 1
}
exit 0
} catch {
Write-Log "Error: $_"
exit 1
}
-36
View File
@@ -1,36 +0,0 @@
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
$certSubject = "CN=RDPSign"
# Check certificate exists in all three stores
$certInMy = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $certSubject }
$certInRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $certSubject }
$certInPub = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object { $_.Subject -eq $certSubject }
if (-not $certInMy -or -not $certInRoot -or -not $certInPub) {
exit 1
}
# Check registry thumbprint
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$thumbprintValue = (Get-ItemProperty -Path $gpoPath -Name "TrustedCertThumbprints" -ErrorAction SilentlyContinue).TrustedCertThumbprints
if ([string]::IsNullOrWhiteSpace($thumbprintValue)) {
exit 1
}
# Check that all RDP files on desktop are signed
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -ErrorAction SilentlyContinue
if ($rdpFiles.Count -eq 0) {
exit 1
}
foreach ($file in $rdpFiles) {
$content = Get-Content $file.FullName -ErrorAction SilentlyContinue
$hasSig = $content | Where-Object { $_ -match "^signature:s:" }
if (-not $hasSig) {
exit 1
}
}
Write-Host "Detected"
exit 0
-38
View File
@@ -1,38 +0,0 @@
# Setup logging
$baseFolder = Join-Path $env:SystemDrive "Intune"
$logFile = Join-Path $baseFolder "DesktopShortcuts.log"
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
# Create necessary folders
$folders = @(
$baseFolder
)
foreach ($folder in $folders) {
if (-not (Test-Path $folder)) {
New-Item -Path $folder -ItemType Directory -Force | Out-Null
}
}
function Write-Log {
param($Message)
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
Add-Content -Path $logFile -Value $logMessage
Write-Host $logMessage
}
try {
Get-ChildItem -Path ".\rdp-files\*.rdp" | ForEach-Object {
$targetFile = Join-Path $desktopPath $_.Name
if (Test-Path $targetFile) {
Remove-Item -Path $targetFile -Force
Write-Log "Removed: $($_.Name)"
} else {
Write-Log "Not found, skipping: $($_.Name)"
}
}
Write-Log "Uninstall completed from public desktop: $desktopPath"
exit 0
} catch {
Write-Log "An error occurred: $_"
exit 1
}
-176
View File
@@ -1,176 +0,0 @@
# ============================================================
# INSTALL + DETECT - Sandbox test script
# ============================================================
# Setup logging
$baseFolder = Join-Path $env:SystemDrive "Intune"
$logFile = Join-Path $baseFolder "DesktopShortcuts.log"
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
# Check if Sysnative exists (means script is running in 32-bit mode on x64 OS)
if (Test-Path "$($env:windir)\Sysnative") {
$rdpSignPath = "$($env:windir)\Sysnative\rdpsign.exe"
} else {
$rdpSignPath = "$($env:windir)\System32\rdpsign.exe"
}
if (-not (Test-Path $baseFolder)) {
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
}
function Write-Log {
param($Message)
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
Add-Content -Path $logFile -Value $logMessage
Write-Host $logMessage
}
# ============================================================
# INSTALL
# ============================================================
Write-Log "=== START INSTALL ==="
try {
# Copy RDP files to public desktop
Get-ChildItem -Path ".\rdp-files\*.rdp" | ForEach-Object {
try {
Copy-Item -Path $_.FullName -Destination $desktopPath -Force
} catch {
Write-Log "Error copying file: $_"
}
}
Start-Sleep -Seconds 2 # Wait for files to be fully copied before signing
Write-Log "Copied .rdp files to public desktop: $desktopPath"
# Get RDP files from public desktop for signing
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -Recurse -ErrorAction SilentlyContinue
$certSubjectName = "RDPSign"
$certSubject = "CN=$certSubjectName"
Write-Log "Searching for existing certificate: $certSubjectName..."
$existingCert = Get-ChildItem Cert:\LocalMachine\My |
Where-Object { $_.Subject -eq $certSubject } |
Select-Object -First 1
if ($existingCert) {
Write-Log "Found existing certificate with Thumbprint: $($existingCert.Thumbprint)"
$thumbprint = $existingCert.Thumbprint
} else {
Write-Log "No existing certificate found. Creating new one..."
$cert = New-SelfSignedCertificate `
-Subject $certSubject `
-CertStoreLocation "Cert:\LocalMachine\My" `
-Type CodeSigningCert `
-KeyExportPolicy NonExportable `
-NotAfter (Get-Date).AddYears(25)
$thumbprint = $cert.Thumbprint
# Add to Trusted Root
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$rootStore.Open("ReadWrite")
$rootStore.Add($cert)
$rootStore.Close()
# Add to Trusted Publishers
$pubStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("TrustedPublisher", "LocalMachine")
$pubStore.Open("ReadWrite")
$pubStore.Add($cert)
$pubStore.Close()
# Add thumbprint to RDP trusted certs in registry
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$keyName = "TrustedCertThumbprints"
if (-not (Test-Path $gpoPath)) {
New-Item -Path $gpoPath -Force | Out-Null
}
$currentValue = (Get-ItemProperty -Path $gpoPath -Name $keyName -ErrorAction SilentlyContinue).$keyName
if ($currentValue -notmatch [regex]::Escape($thumbprint)) {
$newValue = if ([string]::IsNullOrWhiteSpace($currentValue)) { $thumbprint } else { "$currentValue,$thumbprint" }
if ($null -eq $currentValue) {
New-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue -PropertyType String -Force | Out-Null
} else {
Set-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue
}
Write-Log "Updated TrustedCertThumbprints registry value."
} else {
Write-Log "Thumbprint already exists in registry. Skipping update."
}
Write-Log "Certificate created and trusted successfully."
}
if ($rdpFiles.Count -eq 0) {
Write-Log "No .rdp files found on Desktop: $desktopPath"
exit 0
}
Write-Log "Found $($rdpFiles.Count) file(s) to sign."
$successCount = 0
$failCount = 0
foreach ($rdpFile in $rdpFiles) {
Write-Log "Signing: $($rdpFile.Name)"
& $rdpSignPath /sha256 $thumbprint $rdpFile.FullName
if ($LASTEXITCODE -eq 0) {
Write-Log " [OK] $($rdpFile.Name)"
$successCount++
} else {
Write-Log " [FAILED] $($rdpFile.Name) - rdpsign exit code: $LASTEXITCODE"
$failCount++
}
}
# Set registry key to suppress RDP warning dialogs
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client" /v RedirectionWarningDialogVersion /t REG_DWORD /d 1 /f
if ($failCount -eq 0) {
Write-Log "All $successCount file(s) signed successfully."
} else {
Write-Log "$successCount file(s) signed successfully, $failCount file(s) failed."
}
} catch {
Write-Log "Install error: $_"
}
# ============================================================
# DETECT
# ============================================================
Write-Log "=== START DETECT ==="
$rdpFilesOnDesktop = Get-ChildItem -Path "$desktopPath\*.rdp" -ErrorAction SilentlyContinue
try {
if ($rdpFilesOnDesktop.Count -eq 0) {
Write-Log "DETECT [FAIL]: No .rdp files found on public desktop: $desktopPath"
exit 1
}
$allFound = $true
foreach ($file in $rdpFilesOnDesktop) {
if (-not (Test-Path (Join-Path $desktopPath $file.Name))) {
Write-Log "DETECT [FAIL]: Missing: $($file.Name)"
$allFound = $false
}
}
if ($allFound) {
Write-Log "DETECT [OK]: All .rdp files found on public desktop: $desktopPath"
exit 0
} else {
exit 1
}
} catch {
Write-Log "Detect error: $_"
exit 1
}