2019-05-09

Handling the update of the GPO-pushed thumbprints when a Let's Encrypt certificate is used for the VDI RD Connection Broker (RDCB)

When connecting to a RemoteApp or a VM, the following message pops up:
A website is trying to run a RemoteApp Program. Make sure that you trust the publisher before you connect to run the program
This RemoteApp program could harm your local or remote computer.



It is known that the thumbprint of the RDCB certificate (the one that signs the .rdp files) has to be pushed to the clients by GPO.
The GPO setting lives under Administrative Templates, in both Computer Configuration and User Configuration, at:
Windows Components\Remote Desktop Services\Remote Desktop Connection Client
>> Specify SHA1 thumbprints of certificates representing trusted .rdp publishers
It is stored as the REG_SZ value TrustedCertThumbprints under ...\Policies\Microsoft\Windows NT\Terminal Services, a comma-separated list of SHA-1 thumbprints, which is what the cmdlets below read and write.
With a free offering like Let's Encrypt, where the certificate changes every two or three months (90-day validity),
updating the thumbprint in the GPO by hand every time is too much trouble, so I looked up the PowerShell cmdlets that can do it.

Companion post: Using PowerShell to automatically deploy a Microsoft RDS (VDI/RemoteApp) environment based on a Let's Encrypt public certificate

A. Read the thumbprints currently set in the GPO (requires the GroupPolicy module from RSAT)


Computer:

$GPOName = "ThumbprintAndSettingsForRDS"
Get-GPRegistryValue -Name $GPOName -key "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -valuename "TrustedCertThumbprints"

User:

$GPOName = "ThumbprintAndSettingsForRDS"
Get-GPRegistryValue -Name $GPOName -key "HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -valuename "TrustedCertThumbprints"

B. Update the thumbprints in the GPO (the value is the comma-separated list of SHA-1 thumbprints, written as a String)


Computer:

$GPOName = "ThumbprintAndSettingsForRDS"
Set-GPRegistryValue -Name $GPOName -key "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -valuename "TrustedCertThumbprints" -Type "String" -value "oooooooooooooooooooooooooooooooooooooooo"

User:

$GPOName = "ThumbprintAndSettingsForRDS"
Set-GPRegistryValue -Name $GPOName -key "HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -valuename "TrustedCertThumbprints" -Type "String" -value "oooooooooooooooooooooooooooooooooooooooo"


The script below updates the GPO automatically after Let's Encrypt has renewed the certificate.

The machine that handles the GPO will certainly not be the RDS server;
it is probably a management console VM, so the script has to run separately from the Let's Encrypt renew job,
and with a time gap after it so that the new thumbprint has already been published.
Two things to keep in mind: the script trusts whatever Thumbprint.txt contains, so the file must only be writable by the renew job and should be served over HTTPS (a thumbprint injected there would let its holder sign .rdp files that launch without the warning above);
and clients only pick up the new value after a Group Policy refresh (gpupdate or the background refresh interval).


$GPOName = 'ThumbprintAndSettingsForRDS';
# Optional extra publisher thumbprint that must stay trusted regardless of renewals; leave '' if none
$FixedThumbPrint = 'oooooooooooooooooooooooooooooooooooooooo';

# Thumbprint.txt is written by the Let's Encrypt renew job on the RDS side (see the companion post).
# The script trusts the file's content, and it is fetched over plain HTTP here: anyone who can modify
# the file or tamper with the request can get their own publisher thumbprint into the policy.
$ThumbprintURL = 'http://RDWeb.Contoso.com/Thumbprint.txt';

# Fetch once; on any failure leave the current GPO value alone rather than write a bad one
try {
    # -UseBasicParsing avoids the Internet Explorer engine dependency on management servers
    $Response = Invoke-WebRequest -URI $ThumbprintURL -UseBasicParsing -ErrorAction Stop
} catch {
    Write-Verbose "An exception was caught: $($_.Exception.Message)"
    exit;
}
if ($Response.StatusCode -ne 200) {
    exit;
};

# The file holds one or more comma-separated thumbprints; strip line breaks and blanks, drop duplicates
# (Select-Object -Unique rather than Get-Unique, which only removes adjacent duplicates in sorted input)
$Thumbprint = (($Response.Content -replace "`r|`n", '') -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' } | Select-Object -Unique) -join ','
if ($Thumbprint -eq '') {
    exit;   # empty file: nothing to trust, keep the existing policy
};

If ($FixedThumbPrint -ne '') {
    $Thumbprint = ($FixedThumbPrint + ',' + $Thumbprint)
};

# Same value for the Computer and User halves of the policy; write only when it actually changed
foreach ($Key in @('HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
                   'HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services')) {
    $Current = (Get-GPRegistryValue -Name $GPOName -Key $Key -ValueName 'TrustedCertThumbprints' -ErrorAction SilentlyContinue).Value
    if ($Thumbprint -ne $Current) {
        Set-GPRegistryValue -Name $GPOName -Key $Key -ValueName 'TrustedCertThumbprints' -Type 'String' -Value $Thumbprint | Out-Null
    }
};
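The following is an added example (my own, not the script from this post or from the companion post) that takes the text file out of the trust path altogether: it reads the thumbprint from the certificate the RD Web host actually presents in its TLS handshake, lets .NET validate the chain and host name, checks the subject, and then writes the Computer and User policy values only when they changed. It assumes, as in the companion post, that the same Let's Encrypt certificate is installed on RD Web Access and on the RD Connection Broker publishing role (the publishing certificate is the one that signs the .rdp files; if your deployment uses a different certificate for publishing, take the thumbprint from the broker instead). The GPO name, host name and expected subject are placeholders, and the GroupPolicy module from RSAT must be installed on the machine that runs it.

```powershell
# Added example, not the post's own script: refresh the trusted .rdp publisher thumbprints in a
# GPO from the certificate the RD Web host presents over TLS, instead of from a fetched text file.
# Assumptions: RD Web Access and the RD Connection Broker publishing role share one Let's Encrypt
# certificate (as in the companion post); GroupPolicy module (RSAT) installed; names are placeholders.
#Requires -Modules GroupPolicy

$GPOName          = 'ThumbprintAndSettingsForRDS'   # placeholder GPO name
$RdHost           = 'RDWeb.Contoso.com'             # placeholder; host whose certificate signs the .rdp files
$RdPort           = 443
$ExpectedSubject  = 'CN=RDWeb.Contoso.com'          # placeholder; refuse to trust a certificate for another name
$FixedThumbprints = @()                             # optional long-lived publishers to keep in the list

$PolicyKeys = @(
    'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',   # Computer Configuration
    'HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'    # User Configuration
)

function Get-RemoteCertificate {
    # Opens a TLS session and returns the leaf certificate the server presented.
    # Default SslStream validation is kept on purpose: an untrusted, expired or wrong-name
    # certificate throws here, so it can never reach the policy.
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

function Test-Thumbprint {
    # The policy value is a comma-separated list of SHA-1 thumbprints: exactly 40 hex digits each.
    param([string]$Value)
    return ($Value -match '^[0-9A-F]{40}$')
}

function New-ThumbprintList {
    # Normalises (no whitespace, upper case), drops duplicates and anything that is not a
    # SHA-1 thumbprint, and returns the REG_SZ string the policy expects.
    param([string[]]$Thumbprints)
    $clean = @($Thumbprints |
        ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() } |
        Where-Object { Test-Thumbprint $_ } |
        Select-Object -Unique)
    return ($clean -join ',')
}

function Update-TrustedPublisherPolicy {
    # Writes the value to each policy key, but only when it differs from what the GPO already holds,
    # so the GPO version (and client-side reprocessing) is not bumped on every scheduled run.
    param([string]$GPOName, [string]$ValueData, [string[]]$Keys)
    foreach ($key in $Keys) {
        $current = (Get-GPRegistryValue -Name $GPOName -Key $key -ValueName 'TrustedCertThumbprints' -ErrorAction SilentlyContinue).Value
        if ($current -eq $ValueData) {
            Write-Output "$key unchanged"
            continue
        }
        Set-GPRegistryValue -Name $GPOName -Key $key -ValueName 'TrustedCertThumbprints' -Type String -Value $ValueData | Out-Null
        Write-Output "$key updated: '$current' -> '$ValueData'"
    }
}

# ---- main: run on the management VM, scheduled after the renew job ----
$cert = Get-RemoteCertificate -HostName $RdHost -Port $RdPort
if ($cert.Subject -ne $ExpectedSubject) {
    throw "Refusing to trust '$($cert.Subject)' from ${RdHost}; policy left unchanged"
}
$list = New-ThumbprintList -Thumbprints ($FixedThumbprints + @($cert.Thumbprint))
if ($list -eq '') { throw "No valid thumbprint obtained from ${RdHost}; policy left unchanged" }
Update-TrustedPublisherPolicy -GPOName $GPOName -ValueData $list -Keys $PolicyKeys
```

Because the thumbprint comes straight from a validated TLS handshake, a tampered web page or an intercepted HTTP request can no longer feed a foreign publisher into the policy; the only way to change what clients trust is to change the certificate the host really serves. Schedule it the same way as the script above, a while after the renew job so the renewed certificate is already bound on the RDS side, and let the next Group Policy refresh carry the value to the clients.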

