2019-05-09

Updating the GPO-distributed thumbprints when using a Let's Encrypt certificate for VDI - RDCB

When connecting to a RemoteApp or a VM, the following message pops up:
A website is trying to run a RemoteApp Program. Make sure that you trust the publisher before you connect to run the program
This Remoteapp program could harm your local or remote computer.



This is known to require distributing the thumbprints of the RDCB certificate through GPO.
The GPO setting path is as follows:
Windows Components\Remote Desktop Services\Remote Desktop Connection Client
>> Specify SHA1 thumbprints of certificates representing trusted .rdp publishers
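However, with a free option like Let's Encrypt, where the certificate has to be replaced every two or three months,
manually updating the thumbprint in the GPO setting each time is too much hassle, so I found the relevant PowerShell commands that can be used.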

A. Get the thumbprints currently in the GPO setting

Computer:

Get-GPRegistryValue -Name "ThumbprintAndSettingsForRDS" -key "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -valuename "TrustedCertThumbprints"

User:

Get-GPRegistryValue -Name "ThumbprintAndSettingsForRDS" -key "HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -valuename "TrustedCertThumbprints"

B. Update the thumbprints in the GPO setting

Computer:

Set-GPRegistryValue -Name "ThumbprintAndSettingsForRDS" -key "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -valuename "TrustedCertThumbprints" -Type "String" -value "oooooooooooooooooooooooooooooooooooooooo"

User:

Set-GPRegistryValue -Name "ThumbprintAndSettingsForRDS" -key "HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -valuename "TrustedCertThumbprints" -Type "String" -value "oooooooooooooooooooooooooooooooooooooooo"
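
The two steps above combined into one script to run after each renewal. This is an added example, not part of the original post. It assumes the RemoteDesktop and GroupPolicy modules are available, uses a placeholder broker name (rdcb.example.internal), and replaces the whole policy value, so the previous certificate's thumbprint stops being trusted.

```powershell
#Requires -Modules GroupPolicy, RemoteDesktop
$ErrorActionPreference = 'Stop'

$GpoName   = 'ThumbprintAndSettingsForRDS'   # GPO name used in the commands above
$Broker    = 'rdcb.example.internal'         # assumption: placeholder RD Connection Broker FQDN
$ValueName = 'TrustedCertThumbprints'
$Keys = @(
    'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',  # Computer
    'HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'   # User
)

# Certificate the deployment currently uses to sign .rdp files
$cert = Get-RDCertificate -Role RDPublishing -ConnectionBroker $Broker
$new  = "$($cert.Thumbprint)".Trim().ToUpperInvariant()

# Refuse to publish anything that is not a 40-hex-digit SHA1 thumbprint
if ($new -notmatch '^[0-9A-F]{40}$') {
    throw "Unexpected thumbprint from ${Broker}: '$new'"
}
# Refuse to trust a certificate that has already expired (renewal did not take effect)
if ([datetime]$cert.ExpiresOn -le (Get-Date)) {
    throw "RDPublishing certificate expired on $($cert.ExpiresOn); GPO left unchanged"
}

foreach ($key in $Keys) {
    # Read the value currently in the GPO; a missing value is treated as empty
    $current = ''
    try {
        $setting = Get-GPRegistryValue -Name $GpoName -Key $key -ValueName $ValueName
        # Strip NUL/space padding before comparing
        $current = "$($setting.Value)".Trim([char[]]@(0, 32)).ToUpperInvariant()
    } catch {
        Write-Warning "No existing $ValueName under $key"
    }

    if ($current -eq $new) {
        Write-Output "$key : unchanged ($new)"
        continue
    }

    # Overwrite (not append) so the old certificate is no longer a trusted publisher
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName $ValueName -Type String -Value $new | Out-Null
    Write-Output "$key : '$current' -> '$new'"
}
```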
