118 lines
4.7 KiB
Markdown
118 lines
4.7 KiB
Markdown
|
|
# RDP - IntuneWin Package
|
||
|
|
|
||
|
|
## Package Contents
|
||
|
|
|
||
|
|
| File | Purpose |
|
||
|
|
|------|---------|
|
||
|
|
| `Install.ps1` | Copies RDP files to public desktop, creates self-signed certificate and signs all RDP files |
|
||
|
|
| `Detect.ps1` | Detects whether all RDP files from the package are present on the public desktop |
|
||
|
|
| `Uninstall.ps1` | Removes RDP files from the public desktop |
|
||
|
|
| `SignOnly.ps1` | Signs existing RDP files on the public desktop — no file copy (standalone use) |
|
||
|
|
| `SignOnly_detect.ps1` | Detects whether certificate is present and all RDP files on the desktop are signed |
|
||
|
|
| `Clearsigning.ps1` | Removes signatures from RDP files and cleans up certificate and registry (cleanup/debug use) |
|
||
|
|
| `sandbox.ps1` | Combined install + detect script for local sandbox testing |
|
||
|
|
| `rdp-files\*.rdp` | Source RDP files deployed to the public desktop |
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## Intune App Configuration
|
||
|
|
|
||
|
|
### Program
|
||
|
|
- **Install command:**
|
||
|
|
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1`
|
||
|
|
- **Uninstall command:**
|
||
|
|
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1`
|
||
|
|
- **Install behavior:** System
|
||
|
|
|
||
|
|
### Detection Rule
|
||
|
|
Use a custom detection script:
|
||
|
|
- **Script file:** `Detect.ps1`
|
||
|
|
- **Run script as 32-bit process on 64-bit clients:** No
|
||
|
|
- **Enforce script signature check:** No
|
||
|
|
|
||
|
|
Detection logic:
|
||
|
|
- Checks that all `.rdp` files from `rdp-files\` are present on the public desktop (`C:\Users\Public\Desktop`)
|
||
|
|
- Returns `exit 0` = installed
|
||
|
|
- Returns `exit 1` = not installed
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## What Install.ps1 Does
|
||
|
|
|
||
|
|
1. Copies all `.rdp` files from `.\rdp-files\` to the public desktop
|
||
|
|
2. Searches for an existing self-signed certificate (`CN=RDPSign`) in `Cert:\LocalMachine\My`
|
||
|
|
3. If not found, creates a new self-signed code signing certificate (valid 25 years, non-exportable)
|
||
|
|
4. Adds the certificate to `Trusted Root` and `Trusted Publishers` in the local machine store
|
||
|
|
5. Adds the certificate thumbprint to the registry key `TrustedCertThumbprints`
|
||
|
|
6. Signs all `.rdp` files on the public desktop using `rdpsign.exe /sha256`
|
||
|
|
7. Sets `RedirectionWarningDialogVersion = 1` in registry to suppress RDP warning dialogs
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## Registry Changes
|
||
|
|
|
||
|
|
| Path | Value | Type | Data |
|
||
|
|
|------|-------|------|------|
|
||
|
|
| `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` | `TrustedCertThumbprints` | String | Certificate thumbprint |
|
||
|
|
| `HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client` | `RedirectionWarningDialogVersion` | DWORD | `1` |
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## Logging and Troubleshooting
|
||
|
|
|
||
|
|
| Script | Log file |
|
||
|
|
|--------|----------|
|
||
|
|
| `Install.ps1` | `C:\Intune\DesktopShortcuts.log` |
|
||
|
|
| `Detect.ps1` | `C:\Intune\DesktopShortcuts.log` |
|
||
|
|
| `Uninstall.ps1` | `C:\Intune\DesktopShortcuts.log` |
|
||
|
|
| `SignOnly.ps1` | `C:\Intune\RDPSign.log` |
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## SignOnly Intune App Configuration
|
||
|
|
|
||
|
|
### Program
|
||
|
|
- **Install command:**
|
||
|
|
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1`
|
||
|
|
- **Uninstall command:**
|
||
|
|
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1`
|
||
|
|
- **Install behavior:** System
|
||
|
|
|
||
|
|
### Detection Rule
|
||
|
|
Use a custom detection script:
|
||
|
|
- **Script file:** `SignOnly_detect.ps1`
|
||
|
|
- **Run script as 32-bit process on 64-bit clients:** No
|
||
|
|
- **Enforce script signature check:** No
|
||
|
|
|
||
|
|
Detection logic:
|
||
|
|
- Checks that `CN=RDPSign` certificate exists in `My`, `Root`, and `TrustedPublisher` stores
|
||
|
|
- Checks that thumbprint is present in registry
|
||
|
|
- Checks that all `.rdp` files on the public desktop contain a valid signature
|
||
|
|
- Returns `exit 0` + `"Detected"` = installed
|
||
|
|
- Returns `exit 1` = not installed
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## Utility Scripts (not part of Intune package)
|
||
|
|
|
||
|
|
### `SignOnly.ps1`
|
||
|
|
Signs all existing `.rdp` files on the public desktop without copying any files. Useful for re-signing after an update or if files are already deployed.
|
||
|
|
Run as administrator.
|
||
|
|
|
||
|
|
### `SignOnly_detect.ps1`
|
||
|
|
Detection script for use with `SignOnly.ps1` as an Intune package. Checks:
|
||
|
|
- Certificate exists in `My`, `Root`, and `TrustedPublisher` stores
|
||
|
|
- Thumbprint is present in registry
|
||
|
|
- All `.rdp` files on the desktop contain a valid signature
|
||
|
|
|
||
|
|
### `Clearsigning.ps1`
|
||
|
|
Removes all signing artifacts. Useful for testing or cleanup. Run as administrator.
|
||
|
|
- Strips `signscope` and `signature` lines from all `.rdp` files on the public desktop
|
||
|
|
- Removes `CN=RDPSign` certificate from `My`, `Root`, and `TrustedPublisher` stores
|
||
|
|
- Removes `TrustedCertThumbprints` from registry
|
||
|
|
- Removes `RedirectionWarningDialogVersion` from registry
|
||
|
|
|
||
|
|
### `sandbox.ps1`
|
||
|
|
Combines install and detect into a single script for local sandbox testing.
|
||
|
|
Run from the folder containing `rdp-files\` as administrator.
|
||
|
|
Output is written to both the console and `C:\Intune\DesktopShortcuts.log`.
|