Upload af RDPSign fra arbejde-noter repo
This commit is contained in:
@@ -0,0 +1,58 @@
|
||||
# ============================================================
|
||||
# CHANGELOG
|
||||
# v1.1 - Added -AllUsers switch to remove signatures from RDP
|
||||
# files on all user desktops instead of only the public
|
||||
# desktop.
|
||||
# Added Get-DesktopPaths helper function.
|
||||
# v1.0 - Initial version, clears signing on public desktop only.
|
||||
# ============================================================
|
||||
|
||||
param(
|
||||
[switch]$AllUsers
|
||||
)
|
||||
|
||||
function Get-DesktopPaths {
|
||||
if ($AllUsers) {
|
||||
Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
|
||||
$path = Join-Path $_.FullName "Desktop"
|
||||
if (Test-Path $path) { $path }
|
||||
}
|
||||
} else {
|
||||
[Environment]::GetFolderPath("CommonDesktopDirectory")
|
||||
}
|
||||
}
|
||||
|
||||
$certSubject = "CN=RDPSign"
|
||||
|
||||
# 1. Unsign RDP files
|
||||
foreach ($desktopPath in (Get-DesktopPaths)) {
|
||||
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp"
|
||||
foreach ($file in $rdpFiles) {
|
||||
$content = Get-Content $file.FullName
|
||||
$cleaned = $content | Where-Object { $_ -notmatch "^signscope:s:" -and $_ -notmatch "^signature:s:" }
|
||||
$cleaned | Set-Content $file.FullName -Encoding Unicode
|
||||
Write-Host "Unsigned: $($file.Name) on $desktopPath"
|
||||
}
|
||||
}
|
||||
|
||||
# 2. Remove certificate from all stores
|
||||
foreach ($storeName in @("My", "Root", "TrustedPublisher")) {
|
||||
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, "LocalMachine")
|
||||
$store.Open("ReadWrite")
|
||||
$certs = $store.Certificates | Where-Object { $_.Subject -eq $certSubject }
|
||||
foreach ($cert in $certs) {
|
||||
$store.Remove($cert)
|
||||
Write-Host "Removed certificate from store: $storeName"
|
||||
}
|
||||
$store.Close()
|
||||
}
|
||||
|
||||
# 3. Remove thumbprint from registry
|
||||
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
|
||||
Remove-ItemProperty -Path $gpoPath -Name "TrustedCertThumbprints" -ErrorAction SilentlyContinue
|
||||
Write-Host "Removed TrustedCertThumbprints"
|
||||
|
||||
# 4. Remove RedirectionWarningDialogVersion
|
||||
$clientPath = "HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services\Client"
|
||||
Remove-ItemProperty -Path $clientPath -Name "RedirectionWarningDialogVersion" -ErrorAction SilentlyContinue
|
||||
Write-Host "Removed RedirectionWarningDialogVersion"
|
||||
@@ -0,0 +1,69 @@
|
||||
# ============================================================
|
||||
# CHANGELOG
|
||||
# v1.1 - Added -AllUsers switch to check all user desktops
|
||||
# instead of only the public desktop.
|
||||
# Added Get-DesktopPaths helper function.
|
||||
# v1.0 - Initial version, checks public desktop only.
|
||||
# ============================================================
|
||||
|
||||
param(
|
||||
[switch]$AllUsers
|
||||
)
|
||||
|
||||
# Setup logging
|
||||
$baseFolder = Join-Path $env:SystemDrive "Intune"
|
||||
$logFile = Join-Path $baseFolder "DesktopShortcuts.log"
|
||||
|
||||
if (-not (Test-Path $baseFolder)) {
|
||||
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
|
||||
}
|
||||
|
||||
function Write-Log {
|
||||
param($Message)
|
||||
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
|
||||
Add-Content -Path $logFile -Value $logMessage
|
||||
Write-Host $logMessage
|
||||
}
|
||||
|
||||
function Get-DesktopPaths {
|
||||
if ($AllUsers) {
|
||||
Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
|
||||
$path = Join-Path $_.FullName "Desktop"
|
||||
if (Test-Path $path) { $path }
|
||||
}
|
||||
} else {
|
||||
[Environment]::GetFolderPath("CommonDesktopDirectory")
|
||||
}
|
||||
}
|
||||
|
||||
try {
|
||||
$desktopPaths = Get-DesktopPaths
|
||||
$allFound = $true
|
||||
|
||||
foreach ($desktopPath in $desktopPaths) {
|
||||
$rdpFiles = Get-ChildItem -Path "$desktopPath\*.rdp" -ErrorAction SilentlyContinue
|
||||
|
||||
if ($rdpFiles.Count -eq 0) {
|
||||
Write-Log "DETECT [FAIL]: No .rdp files found on desktop: $desktopPath"
|
||||
$allFound = $false
|
||||
continue
|
||||
}
|
||||
|
||||
foreach ($file in $rdpFiles) {
|
||||
if (-not (Test-Path (Join-Path $desktopPath $file.Name))) {
|
||||
Write-Log "DETECT [FAIL]: Missing: $($file.Name) on $desktopPath"
|
||||
$allFound = $false
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ($allFound) {
|
||||
Write-Log "DETECT [OK]: All .rdp files found on all desktop(s)"
|
||||
exit 0
|
||||
} else {
|
||||
exit 1
|
||||
}
|
||||
} catch {
|
||||
Write-Log "Detect error: $_"
|
||||
exit 1
|
||||
}
|
||||
+172
@@ -0,0 +1,172 @@
|
||||
# ============================================================
|
||||
# CHANGELOG
|
||||
# v1.1 - Added -AllUsers switch to deploy to all user desktops
|
||||
# instead of only the public desktop.
|
||||
# Added Get-DesktopPaths helper function.
|
||||
# v1.0 - Initial version, deploys to public desktop only.
|
||||
# ============================================================
|
||||
|
||||
param(
|
||||
[switch]$AllUsers
|
||||
)
|
||||
|
||||
# Setup logging
|
||||
$baseFolder = Join-Path $env:SystemDrive "Intune"
|
||||
$logFile = Join-Path $baseFolder "DesktopShortcuts.log"
|
||||
|
||||
# Check if Sysnative exists (means script is running in 32-bit mode on x64 OS)
|
||||
if (Test-Path "$($env:windir)\Sysnative") {
|
||||
$rdpSignPath = "$($env:windir)\Sysnative\rdpsign.exe"
|
||||
} else {
|
||||
$rdpSignPath = "$($env:windir)\System32\rdpsign.exe"
|
||||
}
|
||||
|
||||
if (-not (Test-Path $baseFolder)) {
|
||||
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
|
||||
}
|
||||
|
||||
function Write-Log {
|
||||
param($Message)
|
||||
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
|
||||
Add-Content -Path $logFile -Value $logMessage
|
||||
Write-Host $logMessage
|
||||
}
|
||||
|
||||
function Get-DesktopPaths {
|
||||
if ($AllUsers) {
|
||||
# Return desktop path for each user profile found
|
||||
Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
|
||||
$path = Join-Path $_.FullName "Desktop"
|
||||
if (Test-Path $path) { $path }
|
||||
}
|
||||
} else {
|
||||
[Environment]::GetFolderPath("CommonDesktopDirectory")
|
||||
}
|
||||
}
|
||||
|
||||
try {
|
||||
$desktopPaths = Get-DesktopPaths
|
||||
Write-Log "Running in mode: $(if ($AllUsers) { 'All Users' } else { 'Public Desktop' })"
|
||||
|
||||
foreach ($desktopPath in $desktopPaths) {
|
||||
Write-Log "Processing desktop: $desktopPath"
|
||||
|
||||
# Copy RDP files to desktop
|
||||
Get-ChildItem -Path ".\rdp-files\*.rdp" | ForEach-Object {
|
||||
try {
|
||||
Copy-Item -Path $_.FullName -Destination $desktopPath -Force
|
||||
} catch {
|
||||
Write-Log "Error copying file: $_"
|
||||
exit 1
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Start-Sleep -Seconds 2 # Wait for files to be fully copied before signing
|
||||
Write-Log "Copied .rdp files to desktop(s)"
|
||||
|
||||
# Certificate setup
|
||||
$certSubjectName = "RDPSign"
|
||||
$certSubject = "CN=$certSubjectName"
|
||||
|
||||
Write-Log "Searching for existing certificate: $certSubjectName..."
|
||||
|
||||
$existingCert = Get-ChildItem Cert:\LocalMachine\My |
|
||||
Where-Object { $_.Subject -eq $certSubject } |
|
||||
Select-Object -First 1
|
||||
|
||||
if ($existingCert) {
|
||||
Write-Log "Found existing certificate with Thumbprint: $($existingCert.Thumbprint)"
|
||||
$thumbprint = $existingCert.Thumbprint
|
||||
} else {
|
||||
Write-Log "No existing certificate found. Creating new one..."
|
||||
|
||||
$cert = New-SelfSignedCertificate `
|
||||
-Subject $certSubject `
|
||||
-CertStoreLocation "Cert:\LocalMachine\My" `
|
||||
-Type CodeSigningCert `
|
||||
-KeyExportPolicy NonExportable `
|
||||
-NotAfter (Get-Date).AddYears(25)
|
||||
|
||||
$thumbprint = $cert.Thumbprint
|
||||
|
||||
# Add to Trusted Root
|
||||
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
|
||||
$rootStore.Open("ReadWrite")
|
||||
$rootStore.Add($cert)
|
||||
$rootStore.Close()
|
||||
|
||||
# Add to Trusted Publishers
|
||||
$pubStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("TrustedPublisher", "LocalMachine")
|
||||
$pubStore.Open("ReadWrite")
|
||||
$pubStore.Add($cert)
|
||||
$pubStore.Close()
|
||||
|
||||
# Add thumbprint to RDP trusted certs in registry
|
||||
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
|
||||
$keyName = "TrustedCertThumbprints"
|
||||
|
||||
if (-not (Test-Path $gpoPath)) {
|
||||
New-Item -Path $gpoPath -Force | Out-Null
|
||||
}
|
||||
|
||||
$currentValue = (Get-ItemProperty -Path $gpoPath -Name $keyName -ErrorAction SilentlyContinue).$keyName
|
||||
|
||||
if ($currentValue -notmatch [regex]::Escape($thumbprint)) {
|
||||
$newValue = if ([string]::IsNullOrWhiteSpace($currentValue)) { $thumbprint } else { "$currentValue,$thumbprint" }
|
||||
|
||||
if ($null -eq $currentValue) {
|
||||
New-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue -PropertyType String -Force | Out-Null
|
||||
} else {
|
||||
Set-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue
|
||||
}
|
||||
Write-Log "Updated TrustedCertThumbprints registry value."
|
||||
} else {
|
||||
Write-Log "Thumbprint already exists in registry. Skipping update."
|
||||
}
|
||||
|
||||
Write-Log "Certificate created and trusted successfully."
|
||||
}
|
||||
|
||||
# Sign RDP files on all desktop paths
|
||||
$successCount = 0
|
||||
$failCount = 0
|
||||
|
||||
foreach ($desktopPath in $desktopPaths) {
|
||||
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -Recurse -ErrorAction SilentlyContinue
|
||||
|
||||
if ($rdpFiles.Count -eq 0) {
|
||||
Write-Log "No .rdp files found on desktop: $desktopPath"
|
||||
continue
|
||||
}
|
||||
|
||||
Write-Log "Found $($rdpFiles.Count) file(s) to sign on: $desktopPath"
|
||||
|
||||
foreach ($rdpFile in $rdpFiles) {
|
||||
Write-Log "Signing: $($rdpFile.Name)"
|
||||
& $rdpSignPath /sha256 $thumbprint $rdpFile.FullName
|
||||
|
||||
if ($LASTEXITCODE -eq 0) {
|
||||
Write-Log " [OK] $($rdpFile.Name)"
|
||||
$successCount++
|
||||
} else {
|
||||
Write-Log " [FAILED] $($rdpFile.Name) - rdpsign exit code: $LASTEXITCODE"
|
||||
$failCount++
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Set registry key to suppress RDP warning dialogs
|
||||
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client" /v RedirectionWarningDialogVersion /t REG_DWORD /d 1 /f
|
||||
|
||||
if ($failCount -eq 0) {
|
||||
Write-Log "All $successCount file(s) signed successfully."
|
||||
} else {
|
||||
Write-Log "$successCount file(s) signed successfully, $failCount file(s) failed."
|
||||
exit 1
|
||||
}
|
||||
exit 0
|
||||
} catch {
|
||||
Write-Log "Error: $_"
|
||||
exit 1
|
||||
}
|
||||
@@ -0,0 +1,150 @@
|
||||
# ============================================================
|
||||
# CHANGELOG
|
||||
# v1.1 - Added -AllUsers switch to sign RDP files on all user
|
||||
# desktops instead of only the public desktop.
|
||||
# Added Get-DesktopPaths helper function.
|
||||
# v1.0 - Initial version, signs on public desktop only.
|
||||
# ============================================================
|
||||
|
||||
param(
|
||||
[switch]$AllUsers
|
||||
)
|
||||
|
||||
# Setup logging
|
||||
$baseFolder = Join-Path $env:SystemDrive "Intune"
|
||||
$logFile = Join-Path $baseFolder "RDPSign.log"
|
||||
|
||||
# Check if Sysnative exists (means script is running in 32-bit mode on x64 OS)
|
||||
if (Test-Path "$($env:windir)\Sysnative") {
|
||||
$rdpSignPath = "$($env:windir)\Sysnative\rdpsign.exe"
|
||||
} else {
|
||||
$rdpSignPath = "$($env:windir)\System32\rdpsign.exe"
|
||||
}
|
||||
|
||||
if (-not (Test-Path $baseFolder)) {
|
||||
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
|
||||
}
|
||||
|
||||
function Write-Log {
|
||||
param($Message)
|
||||
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
|
||||
Add-Content -Path $logFile -Value $logMessage
|
||||
Write-Host $logMessage
|
||||
}
|
||||
|
||||
function Get-DesktopPaths {
|
||||
if ($AllUsers) {
|
||||
Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
|
||||
$path = Join-Path $_.FullName "Desktop"
|
||||
if (Test-Path $path) { $path }
|
||||
}
|
||||
} else {
|
||||
[Environment]::GetFolderPath("CommonDesktopDirectory")
|
||||
}
|
||||
}
|
||||
|
||||
try {
|
||||
$certSubjectName = "RDPSign"
|
||||
$certSubject = "CN=$certSubjectName"
|
||||
|
||||
Write-Log "Running in mode: $(if ($AllUsers) { 'All Users' } else { 'Public Desktop' })"
|
||||
Write-Log "Searching for existing certificate: $certSubjectName..."
|
||||
|
||||
$existingCert = Get-ChildItem Cert:\LocalMachine\My |
|
||||
Where-Object { $_.Subject -eq $certSubject } |
|
||||
Select-Object -First 1
|
||||
|
||||
if ($existingCert) {
|
||||
Write-Log "Found existing certificate with Thumbprint: $($existingCert.Thumbprint)"
|
||||
$thumbprint = $existingCert.Thumbprint
|
||||
} else {
|
||||
Write-Log "No existing certificate found. Creating new one..."
|
||||
|
||||
$cert = New-SelfSignedCertificate `
|
||||
-Subject $certSubject `
|
||||
-CertStoreLocation "Cert:\LocalMachine\My" `
|
||||
-Type CodeSigningCert `
|
||||
-KeyExportPolicy NonExportable `
|
||||
-NotAfter (Get-Date).AddYears(25)
|
||||
|
||||
$thumbprint = $cert.Thumbprint
|
||||
|
||||
# Add to Trusted Root
|
||||
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
|
||||
$rootStore.Open("ReadWrite")
|
||||
$rootStore.Add($cert)
|
||||
$rootStore.Close()
|
||||
|
||||
# Add to Trusted Publishers
|
||||
$pubStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("TrustedPublisher", "LocalMachine")
|
||||
$pubStore.Open("ReadWrite")
|
||||
$pubStore.Add($cert)
|
||||
$pubStore.Close()
|
||||
|
||||
# Add thumbprint to RDP trusted certs in registry
|
||||
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
|
||||
$keyName = "TrustedCertThumbprints"
|
||||
|
||||
if (-not (Test-Path $gpoPath)) {
|
||||
New-Item -Path $gpoPath -Force | Out-Null
|
||||
}
|
||||
|
||||
$currentValue = (Get-ItemProperty -Path $gpoPath -Name $keyName -ErrorAction SilentlyContinue).$keyName
|
||||
|
||||
if ($currentValue -notmatch [regex]::Escape($thumbprint)) {
|
||||
$newValue = if ([string]::IsNullOrWhiteSpace($currentValue)) { $thumbprint } else { "$currentValue,$thumbprint" }
|
||||
|
||||
if ($null -eq $currentValue) {
|
||||
New-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue -PropertyType String -Force | Out-Null
|
||||
} else {
|
||||
Set-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue
|
||||
}
|
||||
Write-Log "Updated TrustedCertThumbprints registry value."
|
||||
} else {
|
||||
Write-Log "Thumbprint already exists in registry. Skipping update."
|
||||
}
|
||||
|
||||
Write-Log "Certificate created and trusted successfully."
|
||||
}
|
||||
|
||||
$successCount = 0
|
||||
$failCount = 0
|
||||
|
||||
foreach ($desktopPath in (Get-DesktopPaths)) {
|
||||
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -Recurse -ErrorAction SilentlyContinue
|
||||
|
||||
if ($rdpFiles.Count -eq 0) {
|
||||
Write-Log "No .rdp files found on desktop: $desktopPath"
|
||||
continue
|
||||
}
|
||||
|
||||
Write-Log "Found $($rdpFiles.Count) file(s) to sign on: $desktopPath"
|
||||
|
||||
foreach ($rdpFile in $rdpFiles) {
|
||||
Write-Log "Signing: $($rdpFile.Name)"
|
||||
& $rdpSignPath /sha256 $thumbprint $rdpFile.FullName
|
||||
|
||||
if ($LASTEXITCODE -eq 0) {
|
||||
Write-Log " [OK] $($rdpFile.Name)"
|
||||
$successCount++
|
||||
} else {
|
||||
Write-Log " [FAILED] $($rdpFile.Name) - rdpsign exit code: $LASTEXITCODE"
|
||||
$failCount++
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Set registry key to suppress RDP warning dialogs
|
||||
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client" /v RedirectionWarningDialogVersion /t REG_DWORD /d 1 /f
|
||||
|
||||
if ($failCount -eq 0) {
|
||||
Write-Log "All $successCount file(s) signed successfully."
|
||||
} else {
|
||||
Write-Log "$successCount file(s) signed successfully, $failCount file(s) failed."
|
||||
exit 1
|
||||
}
|
||||
exit 0
|
||||
} catch {
|
||||
Write-Log "Error: $_"
|
||||
exit 1
|
||||
}
|
||||
@@ -0,0 +1,61 @@
|
||||
# ============================================================
|
||||
# CHANGELOG
|
||||
# v1.1 - Added -AllUsers switch to check certificate and signed
|
||||
# RDP files across all user desktops instead of only the
|
||||
# public desktop.
|
||||
# Added Get-DesktopPaths helper function.
|
||||
# v1.0 - Initial version, checks public desktop only.
|
||||
# ============================================================
|
||||
|
||||
param(
|
||||
[switch]$AllUsers
|
||||
)
|
||||
|
||||
function Get-DesktopPaths {
|
||||
if ($AllUsers) {
|
||||
Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
|
||||
$path = Join-Path $_.FullName "Desktop"
|
||||
if (Test-Path $path) { $path }
|
||||
}
|
||||
} else {
|
||||
[Environment]::GetFolderPath("CommonDesktopDirectory")
|
||||
}
|
||||
}
|
||||
|
||||
$certSubject = "CN=RDPSign"
|
||||
|
||||
# Check certificate exists in all three stores
|
||||
$certInMy = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $certSubject }
|
||||
$certInRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $certSubject }
|
||||
$certInPub = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object { $_.Subject -eq $certSubject }
|
||||
|
||||
if (-not $certInMy -or -not $certInRoot -or -not $certInPub) {
|
||||
exit 1
|
||||
}
|
||||
|
||||
# Check registry thumbprint
|
||||
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
|
||||
$thumbprintValue = (Get-ItemProperty -Path $gpoPath -Name "TrustedCertThumbprints" -ErrorAction SilentlyContinue).TrustedCertThumbprints
|
||||
if ([string]::IsNullOrWhiteSpace($thumbprintValue)) {
|
||||
exit 1
|
||||
}
|
||||
|
||||
# Check that all RDP files on desktop(s) are signed
|
||||
foreach ($desktopPath in (Get-DesktopPaths)) {
|
||||
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -ErrorAction SilentlyContinue
|
||||
|
||||
if ($rdpFiles.Count -eq 0) {
|
||||
exit 1
|
||||
}
|
||||
|
||||
foreach ($file in $rdpFiles) {
|
||||
$content = Get-Content $file.FullName -ErrorAction SilentlyContinue
|
||||
$hasSig = $content | Where-Object { $_ -match "^signature:s:" }
|
||||
if (-not $hasSig) {
|
||||
exit 1
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Write-Host "Detected"
|
||||
exit 0
|
||||
@@ -0,0 +1,60 @@
|
||||
# ============================================================
|
||||
# CHANGELOG
|
||||
# v1.1 - Added -AllUsers switch to remove files from all user
|
||||
# desktops instead of only the public desktop.
|
||||
# Added Get-DesktopPaths helper function.
|
||||
# v1.0 - Initial version, removes from public desktop only.
|
||||
# ============================================================
|
||||
|
||||
param(
|
||||
[switch]$AllUsers
|
||||
)
|
||||
|
||||
# Setup logging
|
||||
$baseFolder = Join-Path $env:SystemDrive "Intune"
|
||||
$logFile = Join-Path $baseFolder "DesktopShortcuts.log"
|
||||
|
||||
if (-not (Test-Path $baseFolder)) {
|
||||
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
|
||||
}
|
||||
|
||||
function Write-Log {
|
||||
param($Message)
|
||||
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
|
||||
Add-Content -Path $logFile -Value $logMessage
|
||||
Write-Host $logMessage
|
||||
}
|
||||
|
||||
function Get-DesktopPaths {
|
||||
if ($AllUsers) {
|
||||
Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
|
||||
$path = Join-Path $_.FullName "Desktop"
|
||||
if (Test-Path $path) { $path }
|
||||
}
|
||||
} else {
|
||||
[Environment]::GetFolderPath("CommonDesktopDirectory")
|
||||
}
|
||||
}
|
||||
|
||||
try {
|
||||
$desktopPaths = Get-DesktopPaths
|
||||
Write-Log "Running in mode: $(if ($AllUsers) { 'All Users' } else { 'Public Desktop' })"
|
||||
|
||||
foreach ($desktopPath in $desktopPaths) {
|
||||
Get-ChildItem -Path ".\rdp-files\*.rdp" | ForEach-Object {
|
||||
$targetFile = Join-Path $desktopPath $_.Name
|
||||
if (Test-Path $targetFile) {
|
||||
Remove-Item -Path $targetFile -Force
|
||||
Write-Log "Removed: $($_.Name) from $desktopPath"
|
||||
} else {
|
||||
Write-Log "Not found, skipping: $($_.Name) on $desktopPath"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Write-Log "Uninstall completed."
|
||||
exit 0
|
||||
} catch {
|
||||
Write-Log "An error occurred: $_"
|
||||
exit 1
|
||||
}
|
||||
+208
@@ -0,0 +1,208 @@
|
||||
# ============================================================
|
||||
# INSTALL + DETECT - Sandbox test script
|
||||
# ============================================================
|
||||
# CHANGELOG
|
||||
# v1.1 - Added -AllUsers switch to deploy and detect across all
|
||||
# user desktops instead of only the public desktop.
|
||||
# Added Get-DesktopPaths helper function.
|
||||
# v1.0 - Initial version, public desktop only.
|
||||
# ============================================================
|
||||
|
||||
param(
|
||||
[switch]$AllUsers
|
||||
)
|
||||
|
||||
# Setup logging
|
||||
$baseFolder = Join-Path $env:SystemDrive "Intune"
|
||||
$logFile = Join-Path $baseFolder "DesktopShortcuts.log"
|
||||
|
||||
# Check if Sysnative exists (means script is running in 32-bit mode on x64 OS)
|
||||
if (Test-Path "$($env:windir)\Sysnative") {
|
||||
$rdpSignPath = "$($env:windir)\Sysnative\rdpsign.exe"
|
||||
} else {
|
||||
$rdpSignPath = "$($env:windir)\System32\rdpsign.exe"
|
||||
}
|
||||
|
||||
if (-not (Test-Path $baseFolder)) {
|
||||
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
|
||||
}
|
||||
|
||||
function Write-Log {
|
||||
param($Message)
|
||||
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
|
||||
Add-Content -Path $logFile -Value $logMessage
|
||||
Write-Host $logMessage
|
||||
}
|
||||
|
||||
function Get-DesktopPaths {
|
||||
if ($AllUsers) {
|
||||
Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
|
||||
$path = Join-Path $_.FullName "Desktop"
|
||||
if (Test-Path $path) { $path }
|
||||
}
|
||||
} else {
|
||||
[Environment]::GetFolderPath("CommonDesktopDirectory")
|
||||
}
|
||||
}
|
||||
|
||||
# ============================================================
|
||||
# INSTALL
|
||||
# ============================================================
|
||||
Write-Log "=== START INSTALL ==="
|
||||
Write-Log "Running in mode: $(if ($AllUsers) { 'All Users' } else { 'Public Desktop' })"
|
||||
|
||||
try {
|
||||
$desktopPaths = Get-DesktopPaths
|
||||
|
||||
foreach ($desktopPath in $desktopPaths) {
|
||||
Write-Log "Copying files to: $desktopPath"
|
||||
Get-ChildItem -Path ".\rdp-files\*.rdp" | ForEach-Object {
|
||||
try {
|
||||
Copy-Item -Path $_.FullName -Destination $desktopPath -Force
|
||||
} catch {
|
||||
Write-Log "Error copying file: $_"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Start-Sleep -Seconds 2 # Wait for files to be fully copied before signing
|
||||
Write-Log "Copied .rdp files to desktop(s)"
|
||||
|
||||
# Certificate setup
|
||||
$certSubjectName = "RDPSign"
|
||||
$certSubject = "CN=$certSubjectName"
|
||||
|
||||
Write-Log "Searching for existing certificate: $certSubjectName..."
|
||||
|
||||
$existingCert = Get-ChildItem Cert:\LocalMachine\My |
|
||||
Where-Object { $_.Subject -eq $certSubject } |
|
||||
Select-Object -First 1
|
||||
|
||||
if ($existingCert) {
|
||||
Write-Log "Found existing certificate with Thumbprint: $($existingCert.Thumbprint)"
|
||||
$thumbprint = $existingCert.Thumbprint
|
||||
} else {
|
||||
Write-Log "No existing certificate found. Creating new one..."
|
||||
|
||||
$cert = New-SelfSignedCertificate `
|
||||
-Subject $certSubject `
|
||||
-CertStoreLocation "Cert:\LocalMachine\My" `
|
||||
-Type CodeSigningCert `
|
||||
-KeyExportPolicy NonExportable `
|
||||
-NotAfter (Get-Date).AddYears(25)
|
||||
|
||||
$thumbprint = $cert.Thumbprint
|
||||
|
||||
# Add to Trusted Root
|
||||
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
|
||||
$rootStore.Open("ReadWrite")
|
||||
$rootStore.Add($cert)
|
||||
$rootStore.Close()
|
||||
|
||||
# Add to Trusted Publishers
|
||||
$pubStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("TrustedPublisher", "LocalMachine")
|
||||
$pubStore.Open("ReadWrite")
|
||||
$pubStore.Add($cert)
|
||||
$pubStore.Close()
|
||||
|
||||
# Add thumbprint to RDP trusted certs in registry
|
||||
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
|
||||
$keyName = "TrustedCertThumbprints"
|
||||
|
||||
if (-not (Test-Path $gpoPath)) {
|
||||
New-Item -Path $gpoPath -Force | Out-Null
|
||||
}
|
||||
|
||||
$currentValue = (Get-ItemProperty -Path $gpoPath -Name $keyName -ErrorAction SilentlyContinue).$keyName
|
||||
|
||||
if ($currentValue -notmatch [regex]::Escape($thumbprint)) {
|
||||
$newValue = if ([string]::IsNullOrWhiteSpace($currentValue)) { $thumbprint } else { "$currentValue,$thumbprint" }
|
||||
|
||||
if ($null -eq $currentValue) {
|
||||
New-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue -PropertyType String -Force | Out-Null
|
||||
} else {
|
||||
Set-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue
|
||||
}
|
||||
Write-Log "Updated TrustedCertThumbprints registry value."
|
||||
} else {
|
||||
Write-Log "Thumbprint already exists in registry. Skipping update."
|
||||
}
|
||||
|
||||
Write-Log "Certificate created and trusted successfully."
|
||||
}
|
||||
|
||||
$successCount = 0
|
||||
$failCount = 0
|
||||
|
||||
foreach ($desktopPath in $desktopPaths) {
|
||||
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -Recurse -ErrorAction SilentlyContinue
|
||||
|
||||
if ($rdpFiles.Count -eq 0) {
|
||||
Write-Log "No .rdp files found on desktop: $desktopPath"
|
||||
continue
|
||||
}
|
||||
|
||||
Write-Log "Found $($rdpFiles.Count) file(s) to sign on: $desktopPath"
|
||||
|
||||
foreach ($rdpFile in $rdpFiles) {
|
||||
Write-Log "Signing: $($rdpFile.Name)"
|
||||
& $rdpSignPath /sha256 $thumbprint $rdpFile.FullName
|
||||
|
||||
if ($LASTEXITCODE -eq 0) {
|
||||
Write-Log " [OK] $($rdpFile.Name)"
|
||||
$successCount++
|
||||
} else {
|
||||
Write-Log " [FAILED] $($rdpFile.Name) - rdpsign exit code: $LASTEXITCODE"
|
||||
$failCount++
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Set registry key to suppress RDP warning dialogs
|
||||
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client" /v RedirectionWarningDialogVersion /t REG_DWORD /d 1 /f
|
||||
|
||||
if ($failCount -eq 0) {
|
||||
Write-Log "All $successCount file(s) signed successfully."
|
||||
} else {
|
||||
Write-Log "$successCount file(s) signed successfully, $failCount file(s) failed."
|
||||
}
|
||||
|
||||
} catch {
|
||||
Write-Log "Install error: $_"
|
||||
}
|
||||
|
||||
# ============================================================
|
||||
# DETECT
|
||||
# ============================================================
|
||||
Write-Log "=== START DETECT ==="
|
||||
|
||||
try {
|
||||
$allFound = $true
|
||||
|
||||
foreach ($desktopPath in (Get-DesktopPaths)) {
|
||||
$rdpFilesOnDesktop = Get-ChildItem -Path "$desktopPath\*.rdp" -ErrorAction SilentlyContinue
|
||||
|
||||
if ($rdpFilesOnDesktop.Count -eq 0) {
|
||||
Write-Log "DETECT [FAIL]: No .rdp files found on desktop: $desktopPath"
|
||||
$allFound = $false
|
||||
continue
|
||||
}
|
||||
|
||||
foreach ($file in $rdpFilesOnDesktop) {
|
||||
if (-not (Test-Path (Join-Path $desktopPath $file.Name))) {
|
||||
Write-Log "DETECT [FAIL]: Missing: $($file.Name) on $desktopPath"
|
||||
$allFound = $false
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ($allFound) {
|
||||
Write-Log "DETECT [OK]: All .rdp files found on all desktop(s)"
|
||||
exit 0
|
||||
} else {
|
||||
exit 1
|
||||
}
|
||||
} catch {
|
||||
Write-Log "Detect error: $_"
|
||||
exit 1
|
||||
}
|
||||
Reference in New Issue
Block a user