Compare commits
3 Commits
efaceaa528
...
ab2bb0735b
| Author | SHA1 | Date | |
|---|---|---|---|
| ab2bb0735b | |||
| cbdfafef24 | |||
| a22732d38f |
@@ -0,0 +1,33 @@
|
|||||||
|
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
|
||||||
|
$certSubject = "CN=RDPSign"
|
||||||
|
|
||||||
|
# 1. Unsign RDP files
|
||||||
|
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp"
|
||||||
|
foreach ($file in $rdpFiles) {
|
||||||
|
$content = Get-Content $file.FullName
|
||||||
|
$cleaned = $content | Where-Object { $_ -notmatch "^signscope:s:" -and $_ -notmatch "^signature:s:" }
|
||||||
|
$cleaned | Set-Content $file.FullName -Encoding Unicode
|
||||||
|
Write-Host "Unsigned: $($file.Name)"
|
||||||
|
}
|
||||||
|
|
||||||
|
# 2. Remove certificate from all stores
|
||||||
|
foreach ($storeName in @("My", "Root", "TrustedPublisher")) {
|
||||||
|
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, "LocalMachine")
|
||||||
|
$store.Open("ReadWrite")
|
||||||
|
$certs = $store.Certificates | Where-Object { $_.Subject -eq $certSubject }
|
||||||
|
foreach ($cert in $certs) {
|
||||||
|
$store.Remove($cert)
|
||||||
|
Write-Host "Removed certificate from store: $storeName"
|
||||||
|
}
|
||||||
|
$store.Close()
|
||||||
|
}
|
||||||
|
|
||||||
|
# 3. Remove thumbprint from registry
|
||||||
|
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
|
||||||
|
Remove-ItemProperty -Path $gpoPath -Name "TrustedCertThumbprints" -ErrorAction SilentlyContinue
|
||||||
|
Write-Host "Removed TrustedCertThumbprints"
|
||||||
|
|
||||||
|
# 4. Remove RedirectionWarningDialogVersion
|
||||||
|
$clientPath = "HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services\Client"
|
||||||
|
Remove-ItemProperty -Path $clientPath -Name "RedirectionWarningDialogVersion" -ErrorAction SilentlyContinue
|
||||||
|
Write-Host "Removed RedirectionWarningDialogVersion"
|
||||||
@@ -0,0 +1,43 @@
|
|||||||
|
# Setup logging
|
||||||
|
$baseFolder = Join-Path $env:SystemDrive "Intune"
|
||||||
|
$logFile = Join-Path $baseFolder "DesktopShortcuts.log"
|
||||||
|
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
|
||||||
|
|
||||||
|
# Create necessary folders
|
||||||
|
if (-not (Test-Path $baseFolder)) {
|
||||||
|
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
|
||||||
|
}
|
||||||
|
|
||||||
|
function Write-Log {
|
||||||
|
param($Message)
|
||||||
|
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
|
||||||
|
Add-Content -Path $logFile -Value $logMessage
|
||||||
|
Write-Host $logMessage
|
||||||
|
}
|
||||||
|
|
||||||
|
$rdpFiles = Get-ChildItem -Path "$desktopPath\*.rdp" -ErrorAction SilentlyContinue
|
||||||
|
|
||||||
|
try {
|
||||||
|
if ($rdpFiles.Count -eq 0) {
|
||||||
|
Write-Log "DETECT [FAIL]: No .rdp files found on public desktop: $desktopPath"
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
$allFound = $true
|
||||||
|
foreach ($file in $rdpFiles) {
|
||||||
|
if (-not (Test-Path (Join-Path $desktopPath $file.Name))) {
|
||||||
|
Write-Log "DETECT [FAIL]: Missing: $($file.Name)"
|
||||||
|
$allFound = $false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($allFound) {
|
||||||
|
Write-Log "DETECT [OK]: All .rdp files found on public desktop: $desktopPath"
|
||||||
|
exit 0
|
||||||
|
} else {
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
} catch {
|
||||||
|
Write-Log "Detect error: $_"
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
@@ -0,0 +1,139 @@
|
|||||||
|
# Setup logging
|
||||||
|
$baseFolder = Join-Path $env:SystemDrive "Intune"
|
||||||
|
$logFile = Join-Path $baseFolder "DesktopShortcuts.log"
|
||||||
|
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
|
||||||
|
|
||||||
|
# Check if Sysnative exists (means script is running in 32-bit mode on x64 OS)
|
||||||
|
if (Test-Path "$($env:windir)\Sysnative") {
|
||||||
|
$rdpSignPath = "$($env:windir)\Sysnative\rdpsign.exe"
|
||||||
|
} else {
|
||||||
|
$rdpSignPath = "$($env:windir)\System32\rdpsign.exe"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Create necessary folders
|
||||||
|
if (-not (Test-Path $baseFolder)) {
|
||||||
|
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
|
||||||
|
}
|
||||||
|
|
||||||
|
function Write-Log {
|
||||||
|
param($Message)
|
||||||
|
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
|
||||||
|
Add-Content -Path $logFile -Value $logMessage
|
||||||
|
Write-Host $logMessage
|
||||||
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
# Copy RDP files to public desktop
|
||||||
|
Get-ChildItem -Path ".\rdp-files\*.rdp" | ForEach-Object {
|
||||||
|
try {
|
||||||
|
Copy-Item -Path $_.FullName -Destination $desktopPath -Force
|
||||||
|
} catch {
|
||||||
|
Write-Log "Error copying file: $_"
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Start-Sleep -Seconds 2 # Wait for files to be fully copied before signing
|
||||||
|
Write-Log "Copied .rdp files to public desktop: $desktopPath"
|
||||||
|
|
||||||
|
# Get RDP files from public desktop for signing
|
||||||
|
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -Recurse -ErrorAction SilentlyContinue
|
||||||
|
$certSubjectName = "RDPSign"
|
||||||
|
$certSubject = "CN=$certSubjectName"
|
||||||
|
|
||||||
|
Write-Log "Searching for existing certificate: $certSubjectName..."
|
||||||
|
|
||||||
|
$existingCert = Get-ChildItem Cert:\LocalMachine\My |
|
||||||
|
Where-Object { $_.Subject -eq $certSubject } |
|
||||||
|
Select-Object -First 1
|
||||||
|
|
||||||
|
if ($existingCert) {
|
||||||
|
Write-Log "Found existing certificate with Thumbprint: $($existingCert.Thumbprint)"
|
||||||
|
$thumbprint = $existingCert.Thumbprint
|
||||||
|
} else {
|
||||||
|
Write-Log "No existing certificate found. Creating new one..."
|
||||||
|
|
||||||
|
$cert = New-SelfSignedCertificate `
|
||||||
|
-Subject $certSubject `
|
||||||
|
-CertStoreLocation "Cert:\LocalMachine\My" `
|
||||||
|
-Type CodeSigningCert `
|
||||||
|
-KeyExportPolicy NonExportable `
|
||||||
|
-NotAfter (Get-Date).AddYears(25)
|
||||||
|
|
||||||
|
$thumbprint = $cert.Thumbprint
|
||||||
|
|
||||||
|
# Add to Trusted Root
|
||||||
|
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
|
||||||
|
$rootStore.Open("ReadWrite")
|
||||||
|
$rootStore.Add($cert)
|
||||||
|
$rootStore.Close()
|
||||||
|
|
||||||
|
# Add to Trusted Publishers
|
||||||
|
$pubStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("TrustedPublisher", "LocalMachine")
|
||||||
|
$pubStore.Open("ReadWrite")
|
||||||
|
$pubStore.Add($cert)
|
||||||
|
$pubStore.Close()
|
||||||
|
|
||||||
|
# Add thumbprint to RDP trusted certs in registry
|
||||||
|
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
|
||||||
|
$keyName = "TrustedCertThumbprints"
|
||||||
|
|
||||||
|
if (-not (Test-Path $gpoPath)) {
|
||||||
|
New-Item -Path $gpoPath -Force | Out-Null
|
||||||
|
}
|
||||||
|
|
||||||
|
$currentValue = (Get-ItemProperty -Path $gpoPath -Name $keyName -ErrorAction SilentlyContinue).$keyName
|
||||||
|
|
||||||
|
if ($currentValue -notmatch [regex]::Escape($thumbprint)) {
|
||||||
|
$newValue = if ([string]::IsNullOrWhiteSpace($currentValue)) { $thumbprint } else { "$currentValue,$thumbprint" }
|
||||||
|
|
||||||
|
if ($null -eq $currentValue) {
|
||||||
|
New-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue -PropertyType String -Force | Out-Null
|
||||||
|
} else {
|
||||||
|
Set-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue
|
||||||
|
}
|
||||||
|
Write-Log "Updated TrustedCertThumbprints registry value."
|
||||||
|
} else {
|
||||||
|
Write-Log "Thumbprint already exists in registry. Skipping update."
|
||||||
|
}
|
||||||
|
|
||||||
|
Write-Log "Certificate created and trusted successfully."
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($rdpFiles.Count -eq 0) {
|
||||||
|
Write-Log "No .rdp files found on Desktop: $desktopPath"
|
||||||
|
exit 0
|
||||||
|
}
|
||||||
|
|
||||||
|
Write-Log "Found $($rdpFiles.Count) file(s) to sign."
|
||||||
|
|
||||||
|
$successCount = 0
|
||||||
|
$failCount = 0
|
||||||
|
|
||||||
|
foreach ($rdpFile in $rdpFiles) {
|
||||||
|
Write-Log "Signing: $($rdpFile.Name)"
|
||||||
|
& $rdpSignPath /sha256 $thumbprint $rdpFile.FullName
|
||||||
|
|
||||||
|
if ($LASTEXITCODE -eq 0) {
|
||||||
|
Write-Log " [OK] $($rdpFile.Name)"
|
||||||
|
$successCount++
|
||||||
|
} else {
|
||||||
|
Write-Log " [FAILED] $($rdpFile.Name) - rdpsign exit code: $LASTEXITCODE"
|
||||||
|
$failCount++
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Set registry key to suppress RDP warning dialogs
|
||||||
|
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client" /v RedirectionWarningDialogVersion /t REG_DWORD /d 1 /f
|
||||||
|
|
||||||
|
if ($failCount -eq 0) {
|
||||||
|
Write-Log "All $successCount file(s) signed successfully."
|
||||||
|
} else {
|
||||||
|
Write-Log "$successCount file(s) signed successfully, $failCount file(s) failed."
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
exit 0
|
||||||
|
} catch {
|
||||||
|
Write-Log "Error: $_"
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
@@ -0,0 +1,118 @@
|
|||||||
|
# RDP - IntuneWin Package
|
||||||
|
|
||||||
|
## Package Contents
|
||||||
|
|
||||||
|
| File | Purpose |
|
||||||
|
|------|---------|
|
||||||
|
| `Install.ps1` | Copies RDP files to public desktop, creates self-signed certificate and signs all RDP files |
|
||||||
|
| `Detect.ps1` | Detects whether all RDP files from the package are present on the public desktop |
|
||||||
|
| `Uninstall.ps1` | Removes RDP files from the public desktop |
|
||||||
|
| `SignOnly.ps1` | Signs existing RDP files on the public desktop — no file copy (standalone use) |
|
||||||
|
| `SignOnly_detect.ps1` | Detects whether certificate is present and all RDP files on the desktop are signed |
|
||||||
|
| `Clearsigning.ps1` | Removes signatures from RDP files and cleans up certificate and registry (cleanup/debug use) |
|
||||||
|
| `sandbox.ps1` | Combined install + detect script for local sandbox testing |
|
||||||
|
| `rdp-files\*.rdp` | Source RDP files deployed to the public desktop |
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Intune App Configuration
|
||||||
|
|
||||||
|
### Program
|
||||||
|
- **Install command:**
|
||||||
|
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1`
|
||||||
|
- **Uninstall command:**
|
||||||
|
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1`
|
||||||
|
- **Install behavior:** System
|
||||||
|
|
||||||
|
### Detection Rule
|
||||||
|
Use a custom detection script:
|
||||||
|
- **Script file:** `Detect.ps1`
|
||||||
|
- **Run script as 32-bit process on 64-bit clients:** No
|
||||||
|
- **Enforce script signature check:** No
|
||||||
|
|
||||||
|
Detection logic:
|
||||||
|
- Checks that all `.rdp` files from `rdp-files\` are present on the public desktop (`C:\Users\Public\Desktop`)
|
||||||
|
- Returns `exit 0` = installed
|
||||||
|
- Returns `exit 1` = not installed
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## What Install.ps1 Does
|
||||||
|
|
||||||
|
1. Copies all `.rdp` files from `.\rdp-files\` to the public desktop
|
||||||
|
2. Searches for an existing self-signed certificate (`CN=RDPSign`) in `Cert:\LocalMachine\My`
|
||||||
|
3. If not found, creates a new self-signed code signing certificate (valid 25 years, non-exportable)
|
||||||
|
4. Adds the certificate to `Trusted Root` and `Trusted Publishers` in the local machine store
|
||||||
|
5. Adds the certificate thumbprint to the registry key `TrustedCertThumbprints`
|
||||||
|
6. Signs all `.rdp` files on the public desktop using `rdpsign.exe /sha256`
|
||||||
|
7. Sets `RedirectionWarningDialogVersion = 1` in registry to suppress RDP warning dialogs
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Registry Changes
|
||||||
|
|
||||||
|
| Path | Value | Type | Data |
|
||||||
|
|------|-------|------|------|
|
||||||
|
| `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` | `TrustedCertThumbprints` | String | Certificate thumbprint |
|
||||||
|
| `HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client` | `RedirectionWarningDialogVersion` | DWORD | `1` |
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Logging and Troubleshooting
|
||||||
|
|
||||||
|
| Script | Log file |
|
||||||
|
|--------|----------|
|
||||||
|
| `Install.ps1` | `C:\Intune\DesktopShortcuts.log` |
|
||||||
|
| `Detect.ps1` | `C:\Intune\DesktopShortcuts.log` |
|
||||||
|
| `Uninstall.ps1` | `C:\Intune\DesktopShortcuts.log` |
|
||||||
|
| `SignOnly.ps1` | `C:\Intune\RDPSign.log` |
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## SignOnly Intune App Configuration
|
||||||
|
|
||||||
|
### Program
|
||||||
|
- **Install command:**
|
||||||
|
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1`
|
||||||
|
- **Uninstall command:**
|
||||||
|
`powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1`
|
||||||
|
- **Install behavior:** System
|
||||||
|
|
||||||
|
### Detection Rule
|
||||||
|
Use a custom detection script:
|
||||||
|
- **Script file:** `SignOnly_detect.ps1`
|
||||||
|
- **Run script as 32-bit process on 64-bit clients:** No
|
||||||
|
- **Enforce script signature check:** No
|
||||||
|
|
||||||
|
Detection logic:
|
||||||
|
- Checks that `CN=RDPSign` certificate exists in `My`, `Root`, and `TrustedPublisher` stores
|
||||||
|
- Checks that thumbprint is present in registry
|
||||||
|
- Checks that all `.rdp` files on the public desktop contain a valid signature
|
||||||
|
- Returns `exit 0` + `"Detected"` = installed
|
||||||
|
- Returns `exit 1` = not installed
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Utility Scripts (not part of Intune package)
|
||||||
|
|
||||||
|
### `SignOnly.ps1`
|
||||||
|
Signs all existing `.rdp` files on the public desktop without copying any files. Useful for re-signing after an update or if files are already deployed.
|
||||||
|
Run as administrator.
|
||||||
|
|
||||||
|
### `SignOnly_detect.ps1`
|
||||||
|
Detection script for use with `SignOnly.ps1` as an Intune package. Checks:
|
||||||
|
- Certificate exists in `My`, `Root`, and `TrustedPublisher` stores
|
||||||
|
- Thumbprint is present in registry
|
||||||
|
- All `.rdp` files on the desktop contain a valid signature
|
||||||
|
|
||||||
|
### `Clearsigning.ps1`
|
||||||
|
Removes all signing artifacts. Useful for testing or cleanup. Run as administrator.
|
||||||
|
- Strips `signscope` and `signature` lines from all `.rdp` files on the public desktop
|
||||||
|
- Removes `CN=RDPSign` certificate from `My`, `Root`, and `TrustedPublisher` stores
|
||||||
|
- Removes `TrustedCertThumbprints` from registry
|
||||||
|
- Removes `RedirectionWarningDialogVersion` from registry
|
||||||
|
|
||||||
|
### `sandbox.ps1`
|
||||||
|
Combines install and detect into a single script for local sandbox testing.
|
||||||
|
Run from the folder containing `rdp-files\` as administrator.
|
||||||
|
Output is written to both the console and `C:\Intune\DesktopShortcuts.log`.
|
||||||
@@ -0,0 +1,125 @@
|
|||||||
|
# Setup logging
|
||||||
|
$baseFolder = Join-Path $env:SystemDrive "Intune"
|
||||||
|
$logFile = Join-Path $baseFolder "RDPSign.log"
|
||||||
|
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
|
||||||
|
|
||||||
|
# Check if Sysnative exists (means script is running in 32-bit mode on x64 OS)
|
||||||
|
if (Test-Path "$($env:windir)\Sysnative") {
|
||||||
|
$rdpSignPath = "$($env:windir)\Sysnative\rdpsign.exe"
|
||||||
|
} else {
|
||||||
|
$rdpSignPath = "$($env:windir)\System32\rdpsign.exe"
|
||||||
|
}
|
||||||
|
|
||||||
|
if (-not (Test-Path $baseFolder)) {
|
||||||
|
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
|
||||||
|
}
|
||||||
|
|
||||||
|
function Write-Log {
|
||||||
|
param($Message)
|
||||||
|
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
|
||||||
|
Add-Content -Path $logFile -Value $logMessage
|
||||||
|
Write-Host $logMessage
|
||||||
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
# Get RDP files from public desktop for signing
|
||||||
|
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -Recurse -ErrorAction SilentlyContinue
|
||||||
|
$certSubjectName = "RDPSign"
|
||||||
|
$certSubject = "CN=$certSubjectName"
|
||||||
|
|
||||||
|
Write-Log "Searching for existing certificate: $certSubjectName..."
|
||||||
|
|
||||||
|
$existingCert = Get-ChildItem Cert:\LocalMachine\My |
|
||||||
|
Where-Object { $_.Subject -eq $certSubject } |
|
||||||
|
Select-Object -First 1
|
||||||
|
|
||||||
|
if ($existingCert) {
|
||||||
|
Write-Log "Found existing certificate with Thumbprint: $($existingCert.Thumbprint)"
|
||||||
|
$thumbprint = $existingCert.Thumbprint
|
||||||
|
} else {
|
||||||
|
Write-Log "No existing certificate found. Creating new one..."
|
||||||
|
|
||||||
|
$cert = New-SelfSignedCertificate `
|
||||||
|
-Subject $certSubject `
|
||||||
|
-CertStoreLocation "Cert:\LocalMachine\My" `
|
||||||
|
-Type CodeSigningCert `
|
||||||
|
-KeyExportPolicy NonExportable `
|
||||||
|
-NotAfter (Get-Date).AddYears(25)
|
||||||
|
|
||||||
|
$thumbprint = $cert.Thumbprint
|
||||||
|
|
||||||
|
# Add to Trusted Root
|
||||||
|
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
|
||||||
|
$rootStore.Open("ReadWrite")
|
||||||
|
$rootStore.Add($cert)
|
||||||
|
$rootStore.Close()
|
||||||
|
|
||||||
|
# Add to Trusted Publishers
|
||||||
|
$pubStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("TrustedPublisher", "LocalMachine")
|
||||||
|
$pubStore.Open("ReadWrite")
|
||||||
|
$pubStore.Add($cert)
|
||||||
|
$pubStore.Close()
|
||||||
|
|
||||||
|
# Add thumbprint to RDP trusted certs in registry
|
||||||
|
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
|
||||||
|
$keyName = "TrustedCertThumbprints"
|
||||||
|
|
||||||
|
if (-not (Test-Path $gpoPath)) {
|
||||||
|
New-Item -Path $gpoPath -Force | Out-Null
|
||||||
|
}
|
||||||
|
|
||||||
|
$currentValue = (Get-ItemProperty -Path $gpoPath -Name $keyName -ErrorAction SilentlyContinue).$keyName
|
||||||
|
|
||||||
|
if ($currentValue -notmatch [regex]::Escape($thumbprint)) {
|
||||||
|
$newValue = if ([string]::IsNullOrWhiteSpace($currentValue)) { $thumbprint } else { "$currentValue,$thumbprint" }
|
||||||
|
|
||||||
|
if ($null -eq $currentValue) {
|
||||||
|
New-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue -PropertyType String -Force | Out-Null
|
||||||
|
} else {
|
||||||
|
Set-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue
|
||||||
|
}
|
||||||
|
Write-Log "Updated TrustedCertThumbprints registry value."
|
||||||
|
} else {
|
||||||
|
Write-Log "Thumbprint already exists in registry. Skipping update."
|
||||||
|
}
|
||||||
|
|
||||||
|
Write-Log "Certificate created and trusted successfully."
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($rdpFiles.Count -eq 0) {
|
||||||
|
Write-Log "No .rdp files found on Desktop: $desktopPath"
|
||||||
|
exit 0
|
||||||
|
}
|
||||||
|
|
||||||
|
Write-Log "Found $($rdpFiles.Count) file(s) to sign."
|
||||||
|
|
||||||
|
$successCount = 0
|
||||||
|
$failCount = 0
|
||||||
|
|
||||||
|
foreach ($rdpFile in $rdpFiles) {
|
||||||
|
Write-Log "Signing: $($rdpFile.Name)"
|
||||||
|
& $rdpSignPath /sha256 $thumbprint $rdpFile.FullName
|
||||||
|
|
||||||
|
if ($LASTEXITCODE -eq 0) {
|
||||||
|
Write-Log " [OK] $($rdpFile.Name)"
|
||||||
|
$successCount++
|
||||||
|
} else {
|
||||||
|
Write-Log " [FAILED] $($rdpFile.Name) - rdpsign exit code: $LASTEXITCODE"
|
||||||
|
$failCount++
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Set registry key to suppress RDP warning dialogs
|
||||||
|
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client" /v RedirectionWarningDialogVersion /t REG_DWORD /d 1 /f
|
||||||
|
|
||||||
|
if ($failCount -eq 0) {
|
||||||
|
Write-Log "All $successCount file(s) signed successfully."
|
||||||
|
} else {
|
||||||
|
Write-Log "$successCount file(s) signed successfully, $failCount file(s) failed."
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
exit 0
|
||||||
|
} catch {
|
||||||
|
Write-Log "Error: $_"
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
@@ -0,0 +1,36 @@
|
|||||||
|
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
|
||||||
|
$certSubject = "CN=RDPSign"
|
||||||
|
|
||||||
|
# Check certificate exists in all three stores
|
||||||
|
$certInMy = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $certSubject }
|
||||||
|
$certInRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $certSubject }
|
||||||
|
$certInPub = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object { $_.Subject -eq $certSubject }
|
||||||
|
|
||||||
|
if (-not $certInMy -or -not $certInRoot -or -not $certInPub) {
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
# Check registry thumbprint
|
||||||
|
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
|
||||||
|
$thumbprintValue = (Get-ItemProperty -Path $gpoPath -Name "TrustedCertThumbprints" -ErrorAction SilentlyContinue).TrustedCertThumbprints
|
||||||
|
if ([string]::IsNullOrWhiteSpace($thumbprintValue)) {
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
# Check that all RDP files on desktop are signed
|
||||||
|
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -ErrorAction SilentlyContinue
|
||||||
|
|
||||||
|
if ($rdpFiles.Count -eq 0) {
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
foreach ($file in $rdpFiles) {
|
||||||
|
$content = Get-Content $file.FullName -ErrorAction SilentlyContinue
|
||||||
|
$hasSig = $content | Where-Object { $_ -match "^signature:s:" }
|
||||||
|
if (-not $hasSig) {
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Write-Host "Detected"
|
||||||
|
exit 0
|
||||||
@@ -0,0 +1,38 @@
|
|||||||
|
# Setup logging
|
||||||
|
$baseFolder = Join-Path $env:SystemDrive "Intune"
|
||||||
|
$logFile = Join-Path $baseFolder "DesktopShortcuts.log"
|
||||||
|
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
|
||||||
|
|
||||||
|
# Create necessary folders
|
||||||
|
$folders = @(
|
||||||
|
$baseFolder
|
||||||
|
)
|
||||||
|
foreach ($folder in $folders) {
|
||||||
|
if (-not (Test-Path $folder)) {
|
||||||
|
New-Item -Path $folder -ItemType Directory -Force | Out-Null
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
function Write-Log {
|
||||||
|
param($Message)
|
||||||
|
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
|
||||||
|
Add-Content -Path $logFile -Value $logMessage
|
||||||
|
Write-Host $logMessage
|
||||||
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
Get-ChildItem -Path ".\rdp-files\*.rdp" | ForEach-Object {
|
||||||
|
$targetFile = Join-Path $desktopPath $_.Name
|
||||||
|
if (Test-Path $targetFile) {
|
||||||
|
Remove-Item -Path $targetFile -Force
|
||||||
|
Write-Log "Removed: $($_.Name)"
|
||||||
|
} else {
|
||||||
|
Write-Log "Not found, skipping: $($_.Name)"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
Write-Log "Uninstall completed from public desktop: $desktopPath"
|
||||||
|
exit 0
|
||||||
|
} catch {
|
||||||
|
Write-Log "An error occurred: $_"
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
@@ -0,0 +1,176 @@
|
|||||||
|
# ============================================================
|
||||||
|
# INSTALL + DETECT - Sandbox test script
|
||||||
|
# ============================================================
|
||||||
|
|
||||||
|
# Setup logging
|
||||||
|
$baseFolder = Join-Path $env:SystemDrive "Intune"
|
||||||
|
$logFile = Join-Path $baseFolder "DesktopShortcuts.log"
|
||||||
|
$desktopPath = [Environment]::GetFolderPath("CommonDesktopDirectory")
|
||||||
|
|
||||||
|
# Check if Sysnative exists (means script is running in 32-bit mode on x64 OS)
|
||||||
|
if (Test-Path "$($env:windir)\Sysnative") {
|
||||||
|
$rdpSignPath = "$($env:windir)\Sysnative\rdpsign.exe"
|
||||||
|
} else {
|
||||||
|
$rdpSignPath = "$($env:windir)\System32\rdpsign.exe"
|
||||||
|
}
|
||||||
|
|
||||||
|
if (-not (Test-Path $baseFolder)) {
|
||||||
|
New-Item -Path $baseFolder -ItemType Directory -Force | Out-Null
|
||||||
|
}
|
||||||
|
|
||||||
|
function Write-Log {
|
||||||
|
param($Message)
|
||||||
|
$logMessage = "$(Get-Date -Format 'dd-MM-yyyy HH:mm'): $Message"
|
||||||
|
Add-Content -Path $logFile -Value $logMessage
|
||||||
|
Write-Host $logMessage
|
||||||
|
}
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
# INSTALL
|
||||||
|
# ============================================================
|
||||||
|
Write-Log "=== START INSTALL ==="
|
||||||
|
|
||||||
|
try {
|
||||||
|
# Copy RDP files to public desktop
|
||||||
|
Get-ChildItem -Path ".\rdp-files\*.rdp" | ForEach-Object {
|
||||||
|
try {
|
||||||
|
Copy-Item -Path $_.FullName -Destination $desktopPath -Force
|
||||||
|
} catch {
|
||||||
|
Write-Log "Error copying file: $_"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Start-Sleep -Seconds 2 # Wait for files to be fully copied before signing
|
||||||
|
Write-Log "Copied .rdp files to public desktop: $desktopPath"
|
||||||
|
|
||||||
|
# Get RDP files from public desktop for signing
|
||||||
|
$rdpFiles = Get-ChildItem -Path $desktopPath -Filter "*.rdp" -Recurse -ErrorAction SilentlyContinue
|
||||||
|
$certSubjectName = "RDPSign"
|
||||||
|
$certSubject = "CN=$certSubjectName"
|
||||||
|
|
||||||
|
Write-Log "Searching for existing certificate: $certSubjectName..."
|
||||||
|
|
||||||
|
$existingCert = Get-ChildItem Cert:\LocalMachine\My |
|
||||||
|
Where-Object { $_.Subject -eq $certSubject } |
|
||||||
|
Select-Object -First 1
|
||||||
|
|
||||||
|
if ($existingCert) {
|
||||||
|
Write-Log "Found existing certificate with Thumbprint: $($existingCert.Thumbprint)"
|
||||||
|
$thumbprint = $existingCert.Thumbprint
|
||||||
|
} else {
|
||||||
|
Write-Log "No existing certificate found. Creating new one..."
|
||||||
|
|
||||||
|
$cert = New-SelfSignedCertificate `
|
||||||
|
-Subject $certSubject `
|
||||||
|
-CertStoreLocation "Cert:\LocalMachine\My" `
|
||||||
|
-Type CodeSigningCert `
|
||||||
|
-KeyExportPolicy NonExportable `
|
||||||
|
-NotAfter (Get-Date).AddYears(25)
|
||||||
|
|
||||||
|
$thumbprint = $cert.Thumbprint
|
||||||
|
|
||||||
|
# Add to Trusted Root
|
||||||
|
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
|
||||||
|
$rootStore.Open("ReadWrite")
|
||||||
|
$rootStore.Add($cert)
|
||||||
|
$rootStore.Close()
|
||||||
|
|
||||||
|
# Add to Trusted Publishers
|
||||||
|
$pubStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("TrustedPublisher", "LocalMachine")
|
||||||
|
$pubStore.Open("ReadWrite")
|
||||||
|
$pubStore.Add($cert)
|
||||||
|
$pubStore.Close()
|
||||||
|
|
||||||
|
# Add thumbprint to RDP trusted certs in registry
|
||||||
|
$gpoPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
|
||||||
|
$keyName = "TrustedCertThumbprints"
|
||||||
|
|
||||||
|
if (-not (Test-Path $gpoPath)) {
|
||||||
|
New-Item -Path $gpoPath -Force | Out-Null
|
||||||
|
}
|
||||||
|
|
||||||
|
$currentValue = (Get-ItemProperty -Path $gpoPath -Name $keyName -ErrorAction SilentlyContinue).$keyName
|
||||||
|
|
||||||
|
if ($currentValue -notmatch [regex]::Escape($thumbprint)) {
|
||||||
|
$newValue = if ([string]::IsNullOrWhiteSpace($currentValue)) { $thumbprint } else { "$currentValue,$thumbprint" }
|
||||||
|
|
||||||
|
if ($null -eq $currentValue) {
|
||||||
|
New-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue -PropertyType String -Force | Out-Null
|
||||||
|
} else {
|
||||||
|
Set-ItemProperty -Path $gpoPath -Name $keyName -Value $newValue
|
||||||
|
}
|
||||||
|
Write-Log "Updated TrustedCertThumbprints registry value."
|
||||||
|
} else {
|
||||||
|
Write-Log "Thumbprint already exists in registry. Skipping update."
|
||||||
|
}
|
||||||
|
|
||||||
|
Write-Log "Certificate created and trusted successfully."
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($rdpFiles.Count -eq 0) {
|
||||||
|
Write-Log "No .rdp files found on Desktop: $desktopPath"
|
||||||
|
exit 0
|
||||||
|
}
|
||||||
|
|
||||||
|
Write-Log "Found $($rdpFiles.Count) file(s) to sign."
|
||||||
|
|
||||||
|
$successCount = 0
|
||||||
|
$failCount = 0
|
||||||
|
|
||||||
|
foreach ($rdpFile in $rdpFiles) {
|
||||||
|
Write-Log "Signing: $($rdpFile.Name)"
|
||||||
|
& $rdpSignPath /sha256 $thumbprint $rdpFile.FullName
|
||||||
|
|
||||||
|
if ($LASTEXITCODE -eq 0) {
|
||||||
|
Write-Log " [OK] $($rdpFile.Name)"
|
||||||
|
$successCount++
|
||||||
|
} else {
|
||||||
|
Write-Log " [FAILED] $($rdpFile.Name) - rdpsign exit code: $LASTEXITCODE"
|
||||||
|
$failCount++
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Set registry key to suppress RDP warning dialogs
|
||||||
|
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client" /v RedirectionWarningDialogVersion /t REG_DWORD /d 1 /f
|
||||||
|
|
||||||
|
if ($failCount -eq 0) {
|
||||||
|
Write-Log "All $successCount file(s) signed successfully."
|
||||||
|
} else {
|
||||||
|
Write-Log "$successCount file(s) signed successfully, $failCount file(s) failed."
|
||||||
|
}
|
||||||
|
|
||||||
|
} catch {
|
||||||
|
Write-Log "Install error: $_"
|
||||||
|
}
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
# DETECT
|
||||||
|
# ============================================================
|
||||||
|
Write-Log "=== START DETECT ==="
|
||||||
|
|
||||||
|
$rdpFilesOnDesktop = Get-ChildItem -Path "$desktopPath\*.rdp" -ErrorAction SilentlyContinue
|
||||||
|
|
||||||
|
try {
|
||||||
|
if ($rdpFilesOnDesktop.Count -eq 0) {
|
||||||
|
Write-Log "DETECT [FAIL]: No .rdp files found on public desktop: $desktopPath"
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
$allFound = $true
|
||||||
|
foreach ($file in $rdpFilesOnDesktop) {
|
||||||
|
if (-not (Test-Path (Join-Path $desktopPath $file.Name))) {
|
||||||
|
Write-Log "DETECT [FAIL]: Missing: $($file.Name)"
|
||||||
|
$allFound = $false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($allFound) {
|
||||||
|
Write-Log "DETECT [OK]: All .rdp files found on public desktop: $desktopPath"
|
||||||
|
exit 0
|
||||||
|
} else {
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
} catch {
|
||||||
|
Write-Log "Detect error: $_"
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
Binary file not shown.
Reference in New Issue
Block a user