Powershell: add Binary value to regedit key

Lotfi BOUCHERIT 91 Reputation points
2021-02-19T14:25:42.47+00:00

Hello,

I have the following PS code that gets the Remote desktop certificate "thumbprint":
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop'
$hostname = hostname
$thumbprint = $cert.Thumbprint

where $thumbprint is a String value, like this: AABBCC...DD (40 characters)
And I want to add it to the following key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Servers

where $hostname should be the key, and CertHash should be a Binary value that contains $thumbprint (this should be created on other computers)

Could you please tell me how the second part of the script should be, since the thumbprint is stored in a text file on a file server, and the remote computer runs the second part, to add it as CertHash value?

Thanks in advance,


Accepted answer
  1. Vadims Podāns 8,866 Reputation points MVP
    2021-02-19T15:32:17.623+00:00

    You can use SSLCertificateSha1Hash property which accepts hex string:

    # $Computer is the RDP host to configure and $cert the certificate whose thumbprint to bind (both defined elsewhere)
    $path = (Get-WmiObject -class "Win32_TSGeneralSetting" -ComputerName $Computer -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path
    Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="$($cert.Thumbprint)"}
    

1 additional answer

  1. Lotfi BOUCHERIT 91 Reputation points
    2021-02-19T21:27:00.157+00:00

    Hello @Vadims Podāns, and thank you for your help.
    Here is what I am trying to do exactly, so you can understand my following codes:

    • We are working in a workgroup environment, with Windows 10 (only) machines.
    • We have users that need to make RDP connections several times a day to machines in the same network, so they face the RDP warning several times a day, and there is a security note that prohibits approving this warning.
      We tested a workaround that consists of adding the self-signed RDP certificate of computer B (acting as server) to the registry of computer A (acting as client), and it worked perfectly.
      My codes are the following:
      1/ in computer A (acting as server):
      $outfile = "\\192.168.1.222\c$\temp\Outfile.csv"
      $cert = Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop'
      $hostname = hostname
      $thumbprint = $cert.Thumbprint
      # Turn "AABBCC..." into "AA,BB,CC,..." so the CSV carries one byte per field
      $res = ($thumbprint -replace '(..)', '$1,').Trim(',')
      $array = @()
      $obj = New-Object System.Object
      $obj | Add-Member -MemberType NoteProperty -Name Hostname -Value $hostname
      $obj | Add-Member -MemberType NoteProperty -Name ThumbPrint -Value $res
      $array += $obj
      $array | Export-Csv $outfile -Append

    2/ in computer B (acting as client):

    #$null = New-Item -Path HKCU:\Software\Testkey3
    #Set-ItemProperty -Path HKCU:\Software\Testkey3 -Name Testvalue -Value 11,2,3,4 -Type Binary

    function addCertHash($hostname, $certHash){
        Write-Host Setting location to $hostname
        $serverKey = "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers\$hostname"

        Write-Host Testing path
        # Test-RegistryValue looks for a *value*; the per-server entry is a *key*, so test the key path
        if(-not (Test-Path $serverKey)){
            Write-Host creating $hostname
            $null = New-Item -Path $serverKey -Force
        }

        Write-Host Setting value
        # CertHash is REG_BINARY: convert the "AA,BB,..." string from the CSV into a byte array first
        [byte[]]$bytes = $certHash -split ',' | ForEach-Object { [Convert]::ToByte($_, 16) }
        Set-ItemProperty -Path $serverKey -Name CertHash -Value $bytes -Type Binary
    }

    function Test-RegistryValue {
        param (
            [parameter(Mandatory=$true)]
            [ValidateNotNullOrEmpty()]$Path,

            [parameter(Mandatory=$true)]
            [ValidateNotNullOrEmpty()]$Value
        )

        try {
            Get-ItemProperty -Path $Path | Select-Object -ExpandProperty $Value -ErrorAction Stop | Out-Null
            return $true
        }
        catch {
            return $false
        }
    }


    Set-Location C:\Windows
    $csv = Import-Csv "\\192.168.1.222\c$\temp\Outfile.csv" -Delimiter ','


    foreach($dev in $csv){
        #New-Item -Path HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers -name $dev.hostname
        #Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers\$($dev.hostname)" -Name Testvalue -Value $dev.ThumbPrint -Type Binary
        $dev.Hostname
        $dev.ThumbPrint
        # Pass arguments separated by spaces: addCertHash($a, $b) hands ONE array to $hostname and nothing to $certHash
        addCertHash $dev.Hostname $dev.ThumbPrint
    }
    

    My problem is with the 2nd script, which refuses to:

    • add the remote desktop servers to the registry of computer B

    Please, any help would be appreciated.
    Regards
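
The client-side part of the thread's procedure as one added, stand-alone example (not code posted by either participant): it reads the Hostname/ThumbPrint rows the first script exports, converts the thumbprint to the byte array that the REG_BINARY CertHash value needs, creates the per-server key, writes it, and reads it back to confirm. The function names and the CSV column names are assumptions; the UNC path is the one from the thread.

```powershell
# Added example (not code from the thread): read Hostname/ThumbPrint rows from the
# CSV the first script exports and store each thumbprint as the REG_BINARY value
# CertHash under HKCU:\Software\Microsoft\Terminal Server Client\Servers\<Hostname>.
# Assumes ThumbPrint is the plain 40-hex-character thumbprint or the "AA,BB,..." form.

function ConvertTo-ThumbprintBytes {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Drop separators (commas, colons, spaces), then require exactly 20 bytes (SHA-1).
    $hex = $Thumbprint -replace '[^0-9A-Fa-f]', ''
    if ($hex.Length -ne 40) {
        throw "Thumbprint '$Thumbprint' is not 40 hex characters after normalisation."
    }
    [byte[]]$bytes = for ($i = 0; $i -lt 40; $i += 2) {
        [Convert]::ToByte($hex.Substring($i, 2), 16)
    }
    return ,$bytes
}

function Add-TrustedRdpServer {
    param(
        [Parameter(Mandatory)][string]$Hostname,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    $hostKey = "HKCU:\Software\Microsoft\Terminal Server Client\Servers\$Hostname"
    [byte[]]$bytes = ConvertTo-ThumbprintBytes -Thumbprint $Thumbprint

    # The Servers key (and the per-host subkey) only exist once mstsc has been used,
    # so create the full path rather than assuming the parent is there.
    if (-not (Test-Path -Path $hostKey)) {
        $null = New-Item -Path $hostKey -Force
    }
    Set-ItemProperty -Path $hostKey -Name CertHash -Value $bytes -Type Binary

    # Read the value back and compare byte-for-byte so a silent mismatch is caught.
    [byte[]]$stored = (Get-ItemProperty -Path $hostKey -Name CertHash).CertHash
    if (($stored -join ',') -ne ($bytes -join ',')) {
        throw "CertHash for '$Hostname' did not round-trip through the registry."
    }
    return $true
}

# Same UNC path as in the thread; each CSV row is one server the client should trust.
$rows = Import-Csv -Path '\\192.168.1.222\c$\temp\Outfile.csv'
foreach ($row in $rows) {
    # Named parameters, not addCertHash($a, $b): the latter passes a single array argument.
    Add-TrustedRdpServer -Hostname $row.Hostname -Thumbprint $row.ThumbPrint
}
```

Because every client now trusts whatever thumbprints the shared CSV contains, that file is the trust anchor for the workaround: restrict write access on the share to the account that produces it, and re-run the script whenever a server's self-signed RDP certificate is renewed.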