The environment I support isn't perfect: PowerShell remoting and scripting aren't enabled, and WMI is broken on a number of systems, so I'm stuck using PSEXEC and CMD to solve this problem. I also have some German-language servers, so there's accommodation for that here as well. Hope this helps someone, and I really hope MS comes up with a solution for this problem!
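# Batch script that is staged on each target and run there by psexec.
# Double backticks are needed because this is an expanding here-string:
# each `` pair becomes one literal backtick for cmd's usebackq.
# The wmic command lines must stay on a single line each; a line break
# after "/namespace:" breaks the command.
$SetRDPSSL = @"
@echo off
REM Rebinds the RDP listener to the non-archived certificate in the machine
REM store whose value line starts with "SecureServer", then prints one CSV
REM line for the PowerShell caller:
REM   computer,OS,curTP,newTP,xTP,xEligible,xChange
REM Tools are called by full path. Requires delayed expansion.
setlocal EnableExtensions EnableDelayedExpansion
set certFlag=0
set archFlag=0
set xChange=TRUE
REM Thumbprint currently bound to the RDP listener. skip=1 drops the wmic
REM column header; findstr drops the blank lines wmic appends.
REM NOTE: wmic value lines often end in a stray CR. If curTP keeps that CR the
REM newTP comparison below can never match and the listener is re-bound on
REM every run - confirm on a target where nothing should change.
for /f "skip=1 usebackq" %%a in (``c:\windows\system32\wbem\wmic.exe /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting get sslcertificatesha1hash ^| findstr /r "[^s]"``) do (
set curTP=%%a
)
REM Walk certutil's listing of the machine "my" store. Each line is split at
REM the first colon into _key and _data. A "====" line starts a new
REM certificate block and clears the archived marker; an "Archived" or German
REM "Archivier..." line flags the block that follows. A SecureServer value on a
REM non-archived certificate arms certFlag, and the next hash line - English
REM "Cert Hash(sha1)" or German "Zertifikathash(" - is taken as the new
REM thumbprint with its spaces removed. If it differs from curTP the listener
REM is rebound and the thumbprint is read back into xTP.
REM The inner loop uses its own variables so it does not shadow the outer one.
for /f "tokens=* usebackq" %%a in (``c:\windows\system32\certutil.exe -store my``) do (
set z=%%a
for /f "tokens=1,2 delims=:" %%k in ("!z!") do (
set _key=%%k
set _data=%%l
if "!_key:~0,4!"=="====" set archFlag=0
if "!_key:~0,9!"=="Archived!" set archFlag=1
if "!_key:~0,9!"=="Archivier" set archFlag=1
if "!_data:~1,12!"=="SecureServer" (
if !archFlag!==0 set certFlag=1
)
set certchk=true
if not "!_key:~0,15!"=="Cert Hash(sha1)" if not "!_key:~0,15!"=="Zertifikathash(" set certchk=false
if "!certchk!"=="true" (
if !certFlag!==1 (
set certFlag=0
set newTP=!_data: =!
if /I NOT "!newTP!"=="!curTP!" (
set xEligible=TRUE
c:\windows\system32\wbem\wmic.exe /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting set sslcertificatesha1hash="!newTP!"
)
for /f "skip=1 usebackq" %%a in (``c:\windows\system32\wbem\wmic.exe /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting get sslcertificatesha1hash ^| findstr /r "[^s]"``) do (
set xTP=%%a
)
)
)
)
)
REM OS caption for the report, e.g. the "Microsoft Windows ..." line.
for /f "usebackq tokens=*" %%a in (``c:\windows\system32\wbem\wmic.exe os get caption ^| findstr /C:"Microsoft"``) do (
set xos=%%a
)
REM xChange is reported in the Pass column: it drops to FALSE only when a
REM rebind was attempted and the listener still shows the original thumbprint.
REM xEligible is empty when no rebind was needed.
if "!xEligible!"=="TRUE" (
if "!curTP!"=="!xTP!" set xChange=FALSE
)
echo %computername%,!xos!,!curTP!,!newTP!,!xTP!,!xEligible!,!xChange!
"@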
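# Timestamp that names this run's results CSV.
$date = "{0:yyyyMMdd_HHmmss}" -f (Get-Date)
# Enabled computers whose OperatingSystem contains "2008" or is unset.
# NOTE(review): $exlist (exclusion list) is not defined in this file. When it
# is $null, "-notcontains" is always true and nothing is excluded - confirm it
# is populated before this line runs.
$servers = Get-ADComputer -Filter {(OperatingSystem -like '*2008*' -or OperatingSystem -notlike '*') -and (Enabled -eq $True)} -Properties Name |
    Where-Object { $exlist -notcontains $_.Name } |
    Select-Object -ExpandProperty Name |
    Sort-Object
# Directory on the target where the batch file is staged, as the target sees it.
$locpath = "c:\windows\temp"
# Folder containing this script; the results CSV is written next to it.
# Only meaningful when run from a saved .ps1 file, not when pasted into a console.
$ScriptPath = Split-Path $script:MyInvocation.MyCommand.Path
# Column order of the results CSV.
$hdrs = @("Server","OS","CurrentThumbprint","NewThumbprint","ChangedThumbprint","Eligible","Pass","Note")
# Drop names starting with "wd". @() keeps $servers an array so .Count is
# defined even when zero or one name comes back (a lone string has no Count
# on PowerShell 2.0, which made the progress percentage divide by $null).
$servers = @($servers | Where-Object { $_ -notlike "wd*" })
$servercount = $servers.Count
$Count = 0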
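# One result row per server. The $() wrapper collects every object the loop
# emits so they can be piped straight into Export-Csv at the end.
$results = $(foreach ($server in $servers) {
    $Count += 1
    Write-Progress -Activity "Checking RDP SSL Status" -Status "Checking $server, $Count of $servercount" -PercentComplete (($Count / $servercount) * 100)
    $result = "" | Select-Object $hdrs
    $result.Server = $server
    # Remote view of the same directory the batch file is executed from ($locpath).
    $rempath = "\\$server\c$\Windows\Temp"
    # Test-Path can throw (offline host, no admin share) rather than return $false.
    $reachable = $false
    Try { $reachable = Test-Path $rempath -ErrorAction Stop } Catch { $reachable = $false }
    if (-not $reachable) {
        $result.Note = "INACCESSIBLE"
    } Else {
        # Pick a .cmd name that does not already exist on the target.
        # GetRandomFileName only returns a string; GetTempFileName would create
        # (and leave behind) a local temp file on every iteration.
        Do {
            $tempfile = ([System.IO.Path]::GetRandomFileName() -split "\.")[0] + ".cmd"
        } Until (-not (Test-Path "$rempath\$tempfile"))
        Try {
            # cmd.exe needs a plain ASCII batch file; the here-string has no non-ASCII text.
            $SetRDPSSL | Out-File "$rempath\$tempfile" -Encoding ascii
            # Security note: psexec /s runs the staged batch file as LocalSystem on
            # the target, and C:\Windows\Temp is typically writable by
            # non-administrators. Between the existence check above and execution
            # here, a local user on the target could replace the file. Where
            # untrusted users can log on to these servers, stage the script in a
            # directory only administrators can write to.
            # The call operator replaces Invoke-Expression so $server is passed as
            # an argument instead of being spliced into code text. psexec's banner
            # goes to stderr and is captured in a local file (overwritten per server)
            # so it does not pollute the CSV fields.
            $x = $null
            $x = (& psexec /s "\\$server" cmd /c "$locpath\$tempfile" 2>"c:\windows\temp\stderr.txt") -join "" -replace "`r" -split ","
            if ($LastExitCode -ne 0) {
                $result.Note = "PSEXEC: $LastExitCode"
            } Elseif ($x) {
                # Field order matches the echo line at the end of $SetRDPSSL.
                $result.Server = ($x[0] -split "\.")[-1]
                $result.OS = $x[1] -replace ",",""
                $result.CurrentThumbprint = $x[2]
                $result.NewThumbprint = $x[3]
                $result.ChangedThumbprint = $x[4]
                $result.Eligible = $x[5]
                $result.Pass = $x[6]
            } Else {
                $result.Note = "No Script Output"
            }
        } Catch {
            $result.Note = $_.Exception.Message
        } Finally {
            # Remove the staged batch file even when Out-File or psexec threw.
            if (Test-Path "$rempath\$tempfile") {
                Remove-Item "$rempath\$tempfile" -ErrorAction SilentlyContinue
            }
        }
    }
    $result
}) | Select-Object $hdrs | Export-Csv "$ScriptPath\Update_RDP-SSLCert_Results_$date`.csv" -NoTypeInformation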