# Microsoft Remote Desktop Certificates

## Manually replacing RDP certificate

#### Install the new certificate in the Local Computer Personal store:

If no password is needed:

```
Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My -FilePath cert.pfx
```

Or if a password is needed:

```
$mypwd = Get-Credential -UserName 'Enter password below' -Message 'Enter password below'
Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My -Password $mypwd.Password -FilePath cert.pfx
```

After installing the new certificate in the Local Computer Personal store, run the following commands:

```
Set-Location Cert:\LocalMachine\my
Get-ChildItem
```

Pick the Thumbprint of the certificate you wish to use then run the following command using the proper thumbprint:

```
#Replace Certificate for RDS
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="[new_cert_thumbprint]"
```

This effectively updates the registry value (stored as REG_BINARY under the RDP-Tcp listener key):  
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SSLCertificateSHA1Hash`

Use the following command to verify that the proper certificate is being used:

```
Get-WmiObject "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
```

[Source](https://www.aventistech.com/2019/08/replace-rdp-default-self-sign-certificate/)
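Added check, not part of the source article: after swapping the certificate it is worth confirming that the WMI setting, the registry value and the certificate stores all agree, and that the listener is not still on the Windows self-signed certificate or an expired one. Assumes a local run with administrator rights and the store and key paths used above.

```powershell
# Report which certificate the RDP-Tcp listener is configured to use and
# whether WMI, the registry and the certificate stores agree on it.
function Get-RdpListenerCertificateStatus {
    $regKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # 1. The thumbprint the listener reports through WMI/CIM
    $ts = Get-CimInstance -Namespace root\cimv2\TerminalServices `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $wmiThumb = "$($ts.SSLCertificateSHA1Hash)".ToUpperInvariant()

    # 2. The same value as stored in the registry (REG_BINARY -> hex string)
    $regBytes = (Get-ItemProperty -Path $regKey -Name SSLCertificateSHA1Hash `
        -ErrorAction SilentlyContinue).SSLCertificateSHA1Hash
    $regThumb = if ($regBytes) { ($regBytes | ForEach-Object { $_.ToString('X2') }) -join '' }

    # 3. Locate the certificate: the personal store first, then the store where
    #    Windows keeps its auto-generated self-signed RDP certificate
    $cert = $null; $foundIn = $null
    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop') {
        $cert = Get-ChildItem $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $wmiThumb } | Select-Object -First 1
        if ($cert) { $foundIn = $store; break }
    }

    $now = Get-Date
    [pscustomobject]@{
        ConfiguredThumbprint = $wmiThumb
        RegistryMatchesWmi   = ($regThumb -eq $wmiThumb)
        FoundInStore         = $foundIn
        Subject              = $cert.Subject
        Issuer               = $cert.Issuer
        # subject == issuer means the Windows default self-signed cert, not a CA-issued one
        SelfSigned           = [bool]($cert -and $cert.Subject -eq $cert.Issuer)
        HasPrivateKey        = [bool]$cert.HasPrivateKey
        DaysUntilExpiry      = if ($cert) { [int]($cert.NotAfter - $now).TotalDays }
        Expired              = [bool]($cert -and $cert.NotAfter -lt $now)
    }
}

Get-RdpListenerCertificateStatus | Format-List
```

A `FoundInStore` of `$null` means the configured thumbprint matches no installed certificate, in which case the listener falls back to its self-signed certificate at the next connection.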

#### Windows Server 2022 method

Couldn't get the WMI method to work on Windows Server 2022. This did.

```powershell
$serverName = "MYTS01"
$certHash = "xxxxx"   # thumbprint of the new certificate, from Get-ChildItem Cert:\LocalMachine\My
# Fetch the RDP-Tcp listener settings instance, then write the new hash back to that instance
$tsSetting = Get-WmiObject "Win32_TSGeneralSetting" -ComputerName $serverName -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
Set-WmiInstance -InputObject $tsSetting -Arguments @{SSLCertificateSHA1Hash=$certHash}
```

#### Signing RDP files

Use the rdpsign app to sign the .rdp file, passing the hash of the signing certificate:

```
rdpsign /sha256 xxxxxxxx "Remote Desktop File.rdp"
```

## Windows Server 2022 Remote Desktop Services Deployment Management

Work in progress

```powershell
$computerName = 'Somecomputer'
$remotePath = '\\10.10.10.10'
$certFilePath = '\\10.10.10.10\tmp\certs\mycert.pfx'

Enter-PSSession $computerName

# for non-domain RemotePath prefix the username with localhost: localhost\admin
$nasCredential = Get-Credential
New-SmbMapping -RemotePath $remotePath -UserName $nasCredential.UserName -Password $nasCredential.GetNetworkCredential().Password

# import the cert
Import-PfxCertificate -FilePath $certFilePath -CertStoreLocation Cert:\LocalMachine\My

cd Cert:\LocalMachine\My
dir
# paste the thumbprint of the certificate imported above, as shown in the listing
$certThumbprint = ''

# Check the Remote Desktop Services Deployment
Get-RDCertificate

# Update the RDS roles to use the provided certificate
Set-RDCertificate -Role RDRedirector -Thumbprint $certThumbprint
Set-RDCertificate -Role RDPublishing -Thumbprint $certThumbprint
Set-RDCertificate -Role RDWebAccess -Thumbprint $certThumbprint
Set-RDCertificate -Role RDGateway -Thumbprint $certThumbprint

# Check the Remote Desktop Services Deployment
Get-RDCertificate
```
