# RDP - IntuneWin Package ## Package Contents | File | Purpose | |------|---------| | `Install.ps1` | Copies RDP files to public desktop, creates self-signed certificate and signs all RDP files | | `Detect.ps1` | Detects whether all RDP files from the package are present on the public desktop | | `Uninstall.ps1` | Removes RDP files from the public desktop | | `SignOnly.ps1` | Signs existing RDP files on the public desktop — no file copy (standalone use) | | `SignOnly_detect.ps1` | Detects whether certificate is present and all RDP files on the desktop are signed | | `Clearsigning.ps1` | Removes signatures from RDP files and cleans up certificate and registry (cleanup/debug use) | | `sandbox.ps1` | Combined install + detect script for local sandbox testing | | `rdp-files\*.rdp` | Source RDP files deployed to the public desktop | --- ## Intune App Configuration ### Program - **Install command:** `powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Install.ps1` - **Uninstall command:** `powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Uninstall.ps1` - **Install behavior:** System ### Detection Rule Use a custom detection script: - **Script file:** `Detect.ps1` - **Run script as 32-bit process on 64-bit clients:** No - **Enforce script signature check:** No Detection logic: - Checks that all `.rdp` files from `rdp-files\` are present on the public desktop (`C:\Users\Public\Desktop`) - Returns `exit 0` = installed - Returns `exit 1` = not installed --- ## What Install.ps1 Does 1. Copies all `.rdp` files from `.\rdp-files\` to the public desktop 2. Searches for an existing self-signed certificate (`CN=RDPSign`) in `Cert:\LocalMachine\My` 3. If not found, creates a new self-signed code signing certificate (valid 25 years, non-exportable) 4. Adds the certificate to `Trusted Root` and `Trusted Publishers` in the local machine store 5. Adds the certificate thumbprint to the registry key `TrustedCertThumbprints` 6. Signs all `.rdp` files on the public desktop using `rdpsign.exe /sha256` 7. Sets `RedirectionWarningDialogVersion = 1` in registry to suppress RDP warning dialogs --- ## Registry Changes | Path | Value | Type | Data | |------|-------|------|------| | `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` | `TrustedCertThumbprints` | String | Certificate thumbprint | | `HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client` | `RedirectionWarningDialogVersion` | DWORD | `1` | --- ## Logging and Troubleshooting | Script | Log file | |--------|----------| | `Install.ps1` | `C:\Intune\DesktopShortcuts.log` | | `Detect.ps1` | `C:\Intune\DesktopShortcuts.log` | | `Uninstall.ps1` | `C:\Intune\DesktopShortcuts.log` | | `SignOnly.ps1` | `C:\Intune\RDPSign.log` | --- ## SignOnly Intune App Configuration ### Program - **Install command:** `powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\SignOnly.ps1` - **Uninstall command:** `powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File .\Clearsigning.ps1` - **Install behavior:** System ### Detection Rule Use a custom detection script: - **Script file:** `SignOnly_detect.ps1` - **Run script as 32-bit process on 64-bit clients:** No - **Enforce script signature check:** No Detection logic: - Checks that `CN=RDPSign` certificate exists in `My`, `Root`, and `TrustedPublisher` stores - Checks that thumbprint is present in registry - Checks that all `.rdp` files on the public desktop contain a valid signature - Returns `exit 0` + `"Detected"` = installed - Returns `exit 1` = not installed --- ## Utility Scripts (not part of Intune package) ### `SignOnly.ps1` Signs all existing `.rdp` files on the public desktop without copying any files. Useful for re-signing after an update or if files are already deployed. Run as administrator. ### `SignOnly_detect.ps1` Detection script for use with `SignOnly.ps1` as an Intune package. Checks: - Certificate exists in `My`, `Root`, and `TrustedPublisher` stores - Thumbprint is present in registry - All `.rdp` files on the desktop contain a valid signature ### `Clearsigning.ps1` Removes all signing artifacts. Useful for testing or cleanup. Run as administrator. - Strips `signscope` and `signature` lines from all `.rdp` files on the public desktop - Removes `CN=RDPSign` certificate from `My`, `Root`, and `TrustedPublisher` stores - Removes `TrustedCertThumbprints` from registry - Removes `RedirectionWarningDialogVersion` from registry ### `sandbox.ps1` Combines install and detect into a single script for local sandbox testing. Run from the folder containing `rdp-files\` as administrator. Output is written to both the console and `C:\Intune\DesktopShortcuts.log`.