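<#
.SYNOPSIS
    Denies the SYSTEM account Full Control on the Remote Desktop certificates registry key.
.DESCRIPTION
    This script will deny access to the System account for the Remote Desktop certificates
    registry key, thus preventing certificate creation.
    Ensure all self-signed certificates are removed before running ACAS again.
    Taken from User Poirer, Steve on
    Learn.Microsoft.com/en-us/answers/questions/204015/prevent-remote-desktop-from-generating-a-self-sign

    Hardening caveat: a Deny ACE is a configuration control, not a hard security boundary.
    SYSTEM holds privileges (e.g. take-ownership) that can override a DACL, so monitor this
    key for ACL changes rather than relying on the Deny alone.
.NOTES
    Requires an elevated session: Set-Acl on an HKLM key fails without administrator rights.
    Inheritance is disabled with existing inherited rules copied, so no other principal loses
    access as a side effect of the Deny.
#>
#Requires -RunAsAdministrator

# Make cmdlet errors terminating so a failed Get-Acl does not leave $acl empty and
# produce a confusing "method on null" error on the next line.
$ErrorActionPreference = 'Stop'

# Define the registry path
$registryPath = "HKLM\SOFTWARE\Microsoft\SystemCertificates\Remote Desktop\Certificates"

# Define the System account
$user = "NT AUTHORITY\SYSTEM" # SYSTEM account

# Fail early with a clear message if the key is absent instead of erroring inside Get-Acl.
if (-not (Test-Path -Path "Registry::$registryPath")) {
    throw "Registry key not found: $registryPath"
}

# Get the current ACL for the registry key
$acl = Get-Acl -Path "Registry::$registryPath"

# Disable inheritance
# True: Protect (Disable Inheritance), True: Copy inherited rules
$acl.SetAccessRuleProtection($true, $true)

# Create a deny access rule for Full Control on the System account.
# ContainerInherit,ObjectInherit makes the Deny apply to subkeys and values as well.
$denyRule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList $user, "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny"

# Add the deny rule to the ACL
$acl.AddAccessRule($denyRule)

# Apply the updated ACL to the registry key
Set-Acl -Path "Registry::$registryPath" -AclObject $acl

# Read the ACL back and confirm the Deny ACE is present, so the success message is only
# printed when the key actually carries the rule.
$applied = (Get-Acl -Path "Registry::$registryPath").Access |
    Where-Object {
        $_.IdentityReference.Value -eq $user -and
        $_.AccessControlType -eq 'Deny' -and
        $_.RegistryRights -eq 'FullControl'
    }
if (-not $applied) {
    throw "Deny rule for $user was not found on $registryPath after Set-Acl"
}

# Display complete message
Write-Host "Inheritance disabled and FullControl denied for $user on $registryPath"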