LotfiBOUCHERIT-4930 asked ·

Powershell: add Binary value to regedit key

Hello,

I have the following PS code that gets the Remote desktop certificate "thumbprint":
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop'
$hostname = hostname
$thumbprint = $cert.Thumbprint

where $thumbprint is a string value like this: AABBCC...DD (40 characters)
And I want to add it to the following key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Servers

where $hostname should be the key, and CertHash should be a Binary value that must contain $thumbprint (this should be created on other computers)

Could you please tell me how the second part of the script should be, since the thumbprint is stored in a text file on a file server, and the remote computer runs the second part, to add it as CertHash value?

Thanks in advance,




Tags: windows-server-powershell, windows-server-security, windows-remote-desktop-client

Crypt32 answered ·

You can use the SSLCertificateSha1Hash property, which accepts a hex string:

 # $Computer is the RDP host whose listener certificate is being set; the WMI path of its RDP-tcp listener is looked up first
 $path = (Get-WmiObject -class "Win32_TSGeneralSetting" -ComputerName $Computer -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path
 # the thumbprint is passed as its 40-character hex string, no byte conversion needed here
 Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="$($cert.Thumbprint)"}

LotfiBOUCHERIT-4930 answered ·

Hello @Crypt32 and thank you for your help,
here is what I am trying to do exactly so you can understand my following code:
- we are working in a workgroup environment, with windows 10 (only) machines.
- we have users that need to make RDP connections several times a day to machines in the same network, so they face the RDP warning several times a day, and there's a security note, that prohibits approving this warning.
We tested a workaround, which consists of adding the self-signed RDP certificate of computer B (acting as server) in the registry of computer A (acting as client), and it worked perfectly.
My codes are the following:
1/ in computer A (acting as server):

 $outfile = "\\192.168.1.222\c$\temp\Outfile.csv"

 $cert = Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop'
 $hostname = hostname
 $thumbprint = $cert.Thumbprint

 # split the 40-character thumbprint into comma-separated hex pairs (AA,BB,...)
 $res = ($thumbprint -replace '(..)','$1,').trim(',')

 $obj = New-Object System.Object
 $obj | Add-Member -MemberType NoteProperty -Name Hostname -Value $hostname
 $obj | Add-Member -MemberType NoteProperty -Name ThumbPrint -Value $res

 $array = @()
 $array += $obj

 $array | Export-Csv $outfile -Append

2/ in computer B (acting as client):

 #$null = New-Item -Path HKCU:\Software\Testkey3
 #Set-ItemProperty -Path HKCU:\Software\Testkey3 -Name Testvalue -Value 11,2,3,4 -Type Binary

 function addCertHash($hostname, $certHash){
     Write-Host Setting location to $hostname
     # Set-Location 'HKCU:\SOFTWARE\Microsoft\Terminal Server Client'

     Write-Host Testing path
     #if(-not (Test-RegistryValue -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client" -value $hostname)){
     #    Write-Host creating $hostname
     #    New-Item -Path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers\$hostname" -Force
     #}

     Write-Host Setting location 2
     #Set-Location .\$hostname

     Write-Host Setting value
     # $certHash arrives from the CSV as a string ("AA,BB,..."); -Type Binary expects a [byte[]]
 #    Set-ItemProperty -Path .\$hostname -Name CertHash -Value $certHash -Type Binary
 }

 function Test-RegistryValue {
     param (
         [parameter(Mandatory=$true)]
         [ValidateNotNullOrEmpty()]$Path,

         [parameter(Mandatory=$true)]
         [ValidateNotNullOrEmpty()]$Value
     )

     try {
         Get-ItemProperty -Path $Path | Select-Object -ExpandProperty $Value -ErrorAction Stop | Out-Null
         return $true
     }
     catch {
         return $false
     }
 }

 Set-Location C:\Windows
 $csv = Import-Csv "\\192.168.1.222\c$\temp\Outfile.csv" -Delimiter ','

 foreach($dev in $csv){
     #New-Item -Path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers" -Name $dev.hostname
     #Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers\$($dev.hostname)" -Name Testvalue -Value $dev.ThumbPrint -Type Binary
     $dev.Hostname
     $dev.ThumbPrint
     # PowerShell functions take space-separated arguments; addCertHash($a, $b) passes a single array as $hostname
     addCertHash $dev.Hostname $dev.ThumbPrint
 }

My problem is with the 2nd script, which refuses to:
- add the remote desktop servers to the registry of computer B


Please, any help would be appreciated.
Regards




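The client-side step the thread is after, as an added example (not code from any poster in this thread): it reads the CSV the server-side script writes (Hostname plus a comma-separated ThumbPrint), converts the hex string to a byte array, creates the per-host subkey under the Servers key named in the question, and writes CertHash as REG_BINARY. It goes slightly beyond the thread by accepting both the plain 40-character thumbprint and the comma-separated form; the CSV path is the one used in the thread and is an assumption.

```powershell
# Added example (not from the thread): import the CSV written by the server-side script
# and create HKCU:\...\Servers\<hostname> with a binary CertHash value on the client.
$serversKey = 'HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers'
$csvPath    = '\\192.168.1.222\c$\temp\Outfile.csv'   # assumed: path used in the thread

function ConvertTo-ThumbprintBytes {
    # Accepts "AABBCC...DD" or "AA,BB,CC,...,DD" and returns a [byte[]] of 20 bytes.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $hex = $Thumbprint -replace '[^0-9A-Fa-f]', ''     # drop commas, spaces, etc.
    if ($hex.Length -ne 40) {
        throw "Expected a 40-hex-digit SHA-1 thumbprint, got '$Thumbprint'"
    }
    [byte[]]$bytes = for ($i = 0; $i -lt $hex.Length; $i += 2) {
        [Convert]::ToByte($hex.Substring($i, 2), 16)
    }
    return ,$bytes                                     # keep the array intact on output
}

function Add-RdpCertHash {
    # Create (or reuse) the per-host subkey and write CertHash as REG_BINARY.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    $hostKey = Join-Path $serversKey $HostName
    if (-not (Test-Path -LiteralPath $hostKey)) {
        New-Item -Path $hostKey -Force | Out-Null      # -Force also creates missing parents
    }
    $bytes = ConvertTo-ThumbprintBytes -Thumbprint $Thumbprint
    Set-ItemProperty -LiteralPath $hostKey -Name 'CertHash' -Value $bytes -Type Binary
}

# Arguments are passed space-separated; f($a, $b) would hand the function one array.
foreach ($dev in Import-Csv -Path $csvPath) {
    Add-RdpCertHash -HostName $dev.Hostname -Thumbprint $dev.ThumbPrint
}

# Verify what was written: hostname and the stored bytes re-rendered as hex.
Get-ChildItem $serversKey | ForEach-Object {
    $stored = (Get-ItemProperty -LiteralPath $_.PSPath -Name CertHash).CertHash
    '{0}: {1}' -f $_.PSChildName, (($stored | ForEach-Object { $_.ToString('X2') }) -join '')
}
```

The verification loop at the end should print each hostname followed by the same 40 hex digits that the server-side script exported, which confirms the value is stored as bytes rather than as the comma-separated text.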

see updated answer with the option to run the command on a remote computer.


Hi @LotfiBOUCHERIT-4930

Please check if the above information is useful for you. If it is helpful, please don't forget to accept it as the answer.


Hi,

Is there any update?
Please let us know if the reply helps to resolve your requirement.

---Please Accept answer if the reply is helpful---
