Add RPC encryption CA reg key

JonasBK · JonasBK · commit 633663021941 · 2025-08-06T11:14:44.000+02:00
diff --git a/src/Runtime/ObjectProcessors.cs b/src/Runtime/ObjectProcessors.cs
@@ -761,17 +761,21 @@ await compStatusChannel.Writer.WriteAsync(new CSVComputerStatus
                 }
             }
 
-            if (_methods.HasFlag(CollectionMethod.CARegistry)) {
+            if (_methods.HasFlag(CollectionMethod.CARegistry))
+            {
                 // Collect properties from CA server registry
                 var cASecurityCollected = false;
                 var enrollmentAgentRestrictionsCollected = false;
                 var isUserSpecifiesSanEnabledCollected = false;
                 var roleSeparationEnabledCollected = false;
+                var rPCEncryptionCollected = false;
                 var caName = entry.GetProperty(LDAPProperties.Name);
                 var dnsHostName = entry.GetProperty(LDAPProperties.DNSHostName);
-                if (caName != null && dnsHostName != null) {
+                if (caName != null && dnsHostName != null)
+                {
                     if (await _context.LDAPUtils.ResolveHostToSid(dnsHostName, resolvedSearchResult.DomainSid) is
-                            (true, var sid) && sid.StartsWith("S-1-")) {
+                            (true, var sid) && sid.StartsWith("S-1-"))
+                    {
                         await compStatusChannel.Writer.WriteAsync(new CSVComputerStatus
                         {
                             Status = ComputerStatus.Success,
@@ -780,15 +784,19 @@ await compStatusChannel.Writer.WriteAsync(new CSVComputerStatus
                         },
                         _cancellationToken);
                         ret.HostingComputer = sid;
-                    } else {
+                    }
+                    else
+                    {
                         _log.LogWarning("CA {Name} host ({Dns}) could not be resolved to a SID.", caName, dnsHostName);
                     }
 
-                    CARegistryData cARegistryData = new() {
+                    CARegistryData cARegistryData = new()
+                    {
                         IsUserSpecifiesSanEnabled = _certAbuseProcessor.IsUserSpecifiesSanEnabled(dnsHostName, caName),
                         EnrollmentAgentRestrictions = await _certAbuseProcessor.ProcessEAPermissions(caName,
                             resolvedSearchResult.Domain, dnsHostName, ret.HostingComputer),
                         RoleSeparationEnabled = _certAbuseProcessor.RoleSeparationEnabled(dnsHostName, caName),
+                        RPCEncryptionEnforced = _certAbuseProcessor.RPCEncryptionEnforced(dnsHostName, caName),
 
                         // The CASecurity exist in the AD object DACL and in registry of the CA server. We prefer to use the values from registry as they are the ground truth.
                         // If changes are made on the CA server, registry and the AD object is updated. If changes are made directly on the AD object, the CA server registry is not updated.
@@ -800,15 +808,19 @@ await compStatusChannel.Writer.WriteAsync(new CSVComputerStatus
                     enrollmentAgentRestrictionsCollected = cARegistryData.EnrollmentAgentRestrictions.Collected;
                     isUserSpecifiesSanEnabledCollected = cARegistryData.IsUserSpecifiesSanEnabled.Collected;
                     roleSeparationEnabledCollected = cARegistryData.RoleSeparationEnabled.Collected;
+                    rPCEncryptionCollected = cARegistryData.RPCEncryptionEnforced.Collected;
                     ret.CARegistryData = cARegistryData;
-                } else {
+                }
+                else
+                {
                     _log.LogWarning("The CA name or dnsHostname properties are null.");
                 }
 
                 ret.Properties.Add("casecuritycollected", cASecurityCollected);
                 ret.Properties.Add("enrollmentagentrestrictionscollected", enrollmentAgentRestrictionsCollected);
                 ret.Properties.Add("isuserspecifiessanenabledcollected", isUserSpecifiesSanEnabledCollected);
                 ret.Properties.Add("roleseparationenabledcollected", roleSeparationEnabledCollected);
+                ret.Properties.Add("rpcencryptioncollected", rPCEncryptionCollected);
             }
 
             return ret;
