$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory") $certSubject = "CN=RDPSign" # Check certificate exists in all three stores $certInMy = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $certSubject } $certInRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $certSubject } $certInPub = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object { $_.Subject -eq $certSubject } if (-not $certInMy -or -not $certInRoot -or -not $certInPub) { exit 1 } # Check registry thumbprint $gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" $thumbprintValue = (Get-ItemProperty -Path $gpoPath -Name "TrustedCertThumbprints" -ErrorAction SilentlyContinue).TrustedCertThumbprints if ([string]::IsNullOrWhiteSpace($thumbprintValue)) { exit 1 } # Check that all RDP files on desktop are signed $rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -ErrorAction SilentlyContinue if ($rdpFiles.Count -eq 0) { exit 1 } foreach ($file in $rdpFiles) { $content = Get-Content $file.FullName -ErrorAction SilentlyContinue $hasSig = $content | Where-Object { $_ -match "^signature:s:" } if (-not $hasSig) { exit 1 } } Write-Host "Detected" exit 0