This script, azure-rm-rdp-post-deployment.ps1, can be used to enumerate Azure Resource Manager environments for public Remote Desktop Protocol (RDP) connectivity using either a public IP or an RDWeb site. If the URL of the RDWeb site is already known, the Azure enumeration and its requirements can be bypassed by using the -rdWebUrl switch with the URL as its argument.

NOTE: PowerShell scripts require that script execution be enabled on the machine, in the current PowerShell session, or by starting PowerShell.exe with the '-ExecutionPolicy' switch. To query the current execution settings, type 'Get-ExecutionPolicy'. To enable script execution, from an admin PowerShell prompt type 'Set-ExecutionPolicy RemoteSigned -Force' or 'Set-ExecutionPolicy Bypass -Force'. These are two commonly used policy levels, with 'RemoteSigned' being more restrictive than 'Bypass' (additional policy levels are available). When finished running the script, you can set the policy level back to the prior setting if needed. For additional information type 'help set-executionpolicy -online'.

NOTE: Scripts downloaded from TechNet may be blocked by default depending on the type of download and configuration. If the script fails to execute, run 'unblock-file .\azure-rm-rdp-post-deployment.ps1', or right-click the file, open Properties and, if an 'Unblock' option exists, make sure it is checked.

Requirements:

- Admin PowerShell session - the script will attempt to elevate if not already elevated

- Windows Management Framework 5.0+ - the script will prompt to install if missing

- Azure RM SDK - the script will attempt to install if missing

History:

- 170808 can now optionally add a public IP and a network security group (NSG) rule for port 3389 to a VM using -addPublicIp and -vmName

- 170715 added background jobs and additional IP checking. now defaults to current subscription

- 170518 script works with azurerm.resources less than and greater than 4.0.0.0

Functions:

- Checks for requirements

- Authenticates to Azure RM

- Enumerates all resource groups in subscription

- Searches for '/RDWeb' web sites and downloads certificate

- Searches for any public IPs, for example on load balancers

- Searches for any public IPs attached to existing VMs

- Displays results for selection

- If an RDWeb site is selected:

  - The certificate store on the local machine is checked for the certificate downloaded from the RDWeb site

  - If the certificate is not in the certificate store, it is imported into the correct store depending on the certificate type

  - The public IP address of the RDWeb site is compared to the IP address returned from a DNS lookup

  - If the DNS lookup differs from the IP address of the RDWeb site, the IP address and FQDN of the RDWeb site are added to the local hosts file

  - The URL of the RDWeb site is opened

- If a VM or PUBIP connection is selected:

  - The IP address of the connection is added to the trusted connection list in the registry

  - mstsc.exe is launched with the /v and /admin switches
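The certificate and DNS checks the script performs before trusting an RDWeb site can be previewed without changing anything. The following is an added example and not code from the script on this page; Test-RdWebCertificate, $RdWebUrl and $ExpectedIp are assumed names. It fetches the TLS certificate the RDWeb endpoint presents, reports whether it is self-signed and whether its thumbprint is already in the LocalMachine Root or CA store, and compares the DNS answer for the host name with the public IP you expect from the Azure enumeration.

```powershell
# Added example (not part of azure-rm-rdp-post-deployment.ps1): inspect an RDWeb
# endpoint's certificate and DNS state read-only, before deciding to import or
# patch anything. Requires WMF 5.0+ for the ::new() syntax.
function Test-RdWebCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $RdWebUrl,   # e.g. https://contoso.eastus.cloudapp.azure.com/RDWeb
        [string] $ExpectedIp                          # public IP found via Azure RM enumeration (optional)
    )
    $uri      = [Uri] $RdWebUrl
    $hostName = $uri.DnsSafeHost
    $port     = if ($uri.Port -gt 0) { $uri.Port } else { 443 }

    # Open a raw TLS session and capture the leaf certificate. The callback returns
    # $true only so the handshake completes; it does NOT make the certificate trusted.
    $noValidation = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $client = [System.Net.Sockets.TcpClient]::new($hostName, $port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $noValidation)
        $ssl.AuthenticateAsClient($hostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $ssl.Dispose()
    }
    finally { $client.Dispose() }

    # A self-signed certificate (subject == issuer) is what the script would place in
    # the Root store; a CA-issued one would only need its chain. Check both by thumbprint.
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    $inRoot = Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
    $inCa   = Test-Path "Cert:\LocalMachine\CA\$($cert.Thumbprint)"

    # DNS answer vs. expected public IP: a mismatch is the case the script fixes with a hosts entry.
    $resolved = @([System.Net.Dns]::GetHostAddresses($hostName) | ForEach-Object IPAddressToString)
    $dnsMatches = if ($ExpectedIp) { $resolved -contains $ExpectedIp } else { $null }

    [pscustomobject]@{
        Host        = $hostName
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        SelfSigned  = $selfSigned
        InRootStore = $inRoot
        InCaStore   = $inCa
        ResolvedIps = $resolved
        DnsMatches  = $dnsMatches
    }
}

# Usage (constructed values): Test-RdWebCertificate -RdWebUrl 'https://contoso.eastus.cloudapp.azure.com/RDWeb' -ExpectedIp '203.0.113.10'
```

A result with SelfSigned true and InRootStore false tells you the script's next run would import a new root certificate; DnsMatches false tells you it would write a hosts entry.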


Reference:

- Azure Quickstart Templates information

- Azure Quickstart Templates information for Remote Desktop Services (RDS)

- GitHub script repository for this script

Help:

SYNOPSIS

 powershell script to connect to quickstart rds deployments after deploying template

SYNTAX

 C:\temp\azure-rm-rdp-post-deployment.ps1 [[-certLocation] <String>] [-noprompt] [-noretry] [[-publicIpAddressName] <String>] [[-rdWebUrl] <String>] [[-resourceGroupName] <String>] [-update] [<CommonParameters>]

DESCRIPTION

 https://gallery.technet.microsoft.com/Azure-Resource-Manager-4ea7e328

 ** REQUIRES AT LEAST WMF 5.0 AND AZURERM SDK **
 script authenticates to azure rm
 queries all resource groups for public ip name
 gives list of resource groups
 enumerates public ip of specified resource group
 downloads certificate from RDWeb
 adds cert to local machine trusted root store
 tries to resolve subject name in dns
 if not the same as public loadbalancer ip address it is added to hosts file

 start with -verbose if you need to troubleshoot script

PARAMETERS   

-addPublicIp [<SwitchParameter>]

 add public ip address and nsg to selected virtual machine

-certLocation <String>

 Default value LocalMachine

-noprompt [<SwitchParameter>]

 to not prompt when adding cert to cert store or when modifying hosts file

-noretry [<SwitchParameter>]

 used by script

-publicIpAddressName <String>

 optional parameter to override the public IP address resource name

-rdWebUrl <String>

 used to pass complete RDWeb url to script to bypass Azure enumeration.
 will add self-signed cert to cert store.

-resourceGroupName <String>

-update [<SwitchParameter>]

 optional parameter to check for updated script from github

-vmName <String>

 used to pass virtual machine name for adding public IP

This cmdlet supports the common parameters: Verbose, Debug

NOTE: to remove certs from all stores Get-ChildItem -Recurse -Path cert:\ -DnsName *<%subject%>* | Remove-Item

-------------------------- EXAMPLE 1 --------------------------

PS C:\>.\azure-rm-rdp-post-deployment.ps1

        query azure rm for all resource groups and all public ips.

-------------------------- EXAMPLE 2 --------------------------

PS C:\>.\azure-rm-rdp-post-deployment.ps1 -rdWebUrl https://contoso.eastus.cloudapp.azure.com/RDWeb

        used to bypass Azure enumeration and to copy cert from url to local cert store