Upload af RDPSign fra arbejde-noter repo

This commit is contained in:
GCH
2026-05-22 10:34:36 +02:00
parent a96d376856
commit a22732d38f
17 changed files with 1677 additions and 0 deletions
+118
View File
@@ -0,0 +1,118 @@
# RDP - IntuneWin Package
## Package Contents
| File | Purpose |
|------|---------|
| `Install.ps1` | Copies RDP files to public desktop, creates self-signed certificate and signs all RDP files |
| `Detect.ps1` | Detects whether all RDP files from the package are present on the public desktop |
| `Uninstall.ps1` | Removes RDP files from the public desktop |
| `SignOnly.ps1` | Signs existing RDP files on the public desktop — no file copy (standalone use) |
| `SignOnly_detect.ps1` | Detects whether certificate is present and all RDP files on the desktop are signed |
| `Clearsigning.ps1` | Removes signatures from RDP files and cleans up certificate and registry (cleanup/debug use) |
| `sandbox.ps1` | Combined install + detect script for local sandbox testing |
| `rdp-files\*.rdp` | Source RDP files deployed to the public desktop |
---
## Intune App Configuration
### Program
- **Install command:**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1`
- **Uninstall command:**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1`
- **Install behavior:** System
### Detection Rule
Use a custom detection script:
- **Script file:** `Detect.ps1`
- **Run script as 32-bit process on 64-bit clients:** No
- **Enforce script signature check:** No
Detection logic:
- Checks that all `.rdp` files from `rdp-files\` are present on the public desktop (`C:\Users\Public\Desktop`)
- Returns `exit 0` = installed
- Returns `exit 1` = not installed
---
## What Install.ps1 Does
1. Copies all `.rdp` files from `.\rdp-files\` to the public desktop
2. Searches for an existing self-signed certificate (`CN=RDPSign`) in `Cert:\LocalMachine\My`
3. If not found, creates a new self-signed code signing certificate (valid 25 years, non-exportable)
4. Adds the certificate to `Trusted Root` and `Trusted Publishers` in the local machine store
5. Adds the certificate thumbprint to the registry key `TrustedCertThumbprints`
6. Signs all `.rdp` files on the public desktop using `rdpsign.exe /sha256`
7. Sets `RedirectionWarningDialogVersion = 1` in registry to suppress RDP warning dialogs
---
## Registry Changes
| Path | Value | Type | Data |
|------|-------|------|------|
| `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` | `TrustedCertThumbprints` | String | Certificate thumbprint |
| `HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client` | `RedirectionWarningDialogVersion` | DWORD | `1` |
---
## Logging and Troubleshooting
| Script | Log file |
|--------|----------|
| `Install.ps1` | `C:\Intune\DesktopShortcuts.log` |
| `Detect.ps1` | `C:\Intune\DesktopShortcuts.log` |
| `Uninstall.ps1` | `C:\Intune\DesktopShortcuts.log` |
| `SignOnly.ps1` | `C:\Intune\RDPSign.log` |
---
## SignOnly Intune App Configuration
### Program
- **Install command:**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1`
- **Uninstall command:**
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1`
- **Install behavior:** System
### Detection Rule
Use a custom detection script:
- **Script file:** `SignOnly_detect.ps1`
- **Run script as 32-bit process on 64-bit clients:** No
- **Enforce script signature check:** No
Detection logic:
- Checks that `CN=RDPSign` certificate exists in `My`, `Root`, and `TrustedPublisher` stores
- Checks that thumbprint is present in registry
- Checks that all `.rdp` files on the public desktop contain a valid signature
- Returns `exit 0` + `"Detected"` = installed
- Returns `exit 1` = not installed
---
## Utility Scripts (not part of Intune package)
### `SignOnly.ps1`
Signs all existing `.rdp` files on the public desktop without copying any files. Useful for re-signing after an update or if files are already deployed.
Run as administrator.
### `SignOnly_detect.ps1`
Detection script for use with `SignOnly.ps1` as an Intune package. Checks:
- Certificate exists in `My`, `Root`, and `TrustedPublisher` stores
- Thumbprint is present in registry
- All `.rdp` files on the desktop contain a valid signature
### `Clearsigning.ps1`
Removes all signing artifacts. Useful for testing or cleanup. Run as administrator.
- Strips `signscope` and `signature` lines from all `.rdp` files on the public desktop
- Removes `CN=RDPSign` certificate from `My`, `Root`, and `TrustedPublisher` stores
- Removes `TrustedCertThumbprints` from registry
- Removes `RedirectionWarningDialogVersion` from registry
### `sandbox.ps1`
Combines install and detect into a single script for local sandbox testing.
Run from the folder containing `rdp-files\` as administrator.
Output is written to both the console and `C:\Intune\DesktopShortcuts.log`.