Powershell: add Binary value to regedit key

Lotfi BOUCHERIT 91 Reputation points
2021-02-19T14:25:42.47+00:00

Hello,

I have the following PS code that gets the Remote desktop certificate "thumbprint":
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop'
$hostname = hostname
$thumbprint = $cert.Thumbprint

where $thumbprint is String value, like this : AABBCC...DD (40 caracters)
And i want to add it to the following key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Servers

where $hostname, should be the key, and the binary value which CertHash should be Binary value and must contain $thumbprint (this should be create on other computers)

Could you please tell me how the second part of the script should be, since the thumbprint is stored in a text file on a file server, and the remote computer runs the second part, to add it as CertHash value?

Thanks in advance,

Remote Desktop
Remote Desktop
A Microsoft app that connects remotely to computers and to virtual apps and desktops.
4,341 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,767 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,435 questions
0 comments No comments
{count} votes

Accepted answer
  1. Vadims Podāns 9,116 Reputation points MVP
    2021-02-19T15:32:17.623+00:00

    You can use SSLCertificateSha1Hash property which accepts hex string:

    $path = (Get-WmiObject -class "Win32_TSGeneralSetting" -ComputerName $Computer -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path
    Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="$($cert.Thumbprint)"}
    
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Lotfi BOUCHERIT 91 Reputation points
    2021-02-19T21:27:00.157+00:00

    hello @Vadims Podāns and thank you for your help,
    here what i am trying to do exactly so you can understand my following codes:

    • we are working in a workgroup environment, with windows 10 (only) machines.
    • we have users that need to make RDP connections several times a day to machines in the same network, so they face the RDP warning several times a day, and there's a security note, that prohibits approving this warning.
      We tested a workarround, that consists of adding the self-signed RDP certificate of computer B (acting as server) in the registry of computer A (acting as client) and it worked perfectly.
      My codes are the following:
      1/ in computer A (acting as server): $outfile = "\192.168.1.222\c$\temp\Outfile.csv" $cert = Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop'
      $hostname = hostname
      $thumbprint = $cert.Thumbprint $res = ($thumbprint -replace ‘(..)’,’$1,’).trim(‘,’) $array = @() $cert = Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop'
      $hostname = hostname
      $thumbprint = $cert.Thumbprint $obj = New-Object System.Object
      $obj | Add-Member -MemberType NoteProperty -Name Hostname -Value $hostname
      $obj | Add-Member -MemberType NoteProperty -Name ThumbPrint -Value $res $array = @()
      $array += $obj $array | Export-Csv $outfile -Append

    2/ in computer B (acting as client):

    #$null = New-Item -Path HKCU:\Software\Testkey3  
    #Set-ItemProperty -Path HKCU:\Software\Testkey3 -Name Testvalue -Value 11,2,3,4 -Type Binar  
    
    function addCertHash($hostname, $certHash){  
        Write-Host Setting location to $hostname  
       \# Set-Location 'HKCU:\SOFTWARE\Microsoft\Terminal Server Client'  
    
        Write-Host Testing path  
        #if(-not (Test-RegistryValue -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client" -value $hostname)){  
        \#    Write-Host creating $hostname  
        \#    New-Item -Path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers\$hostname" -Force  
        #}  
    
        Write-Host Setting location 2  
        #Set-Location .\$hostname  
    
        Write-Host Setting value  
    \#    Set-ItemProperty -Path .\$hostname -Name CertHash -Value $certHash -Type Binary  
    }  
    
    function Test-RegistryValue {  
    
    param (  
    
     [parameter(Mandatory=$true)]  
     [ValidateNotNullOrEmpty()]$Path,  
    
    [parameter(Mandatory=$true)]  
     [ValidateNotNullOrEmpty()]$Value  
    )  
    
    try {  
    
    Get-ItemProperty -Path $Path | Select-Object -ExpandProperty $Value -ErrorAction Stop | Out-Null  
     return $true  
     }  
    
    catch {  
    
    return $false  
    
    }  
    
    }  
    
    
    Set-Location C:\Windows  
    $csv = Import-Csv "\\192.168.1.222\c$\temp\Outfile.csv" -Delimiter ','  
    
    
    foreach($dev in $csv){  
        #New-Item -Path HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers -name $dev.hostname  
        #Set-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers\$dev.hostname -Name Testvalue -Value $dev.ThumbPrint -Type Binar  
        $dev.Hostname  
        $dev.ThumbPrint  
        addCertHash($dev.Hostname, $dev.ThumbPrint)  
    }  
    

    my problem is with 2nd script that refuses to:

    • add the remote desktop servers in the registry of the computer B

    Please, any help would be appreciated.
    Regards