Microsoft Remote Desktop Certificates
Manually replacing RDP certificate
Install the new certificate in the Local Computer Personal store:
If no password is needed:
Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My -FilePath cert.pfx
Or if a password is needed:
$mypwd = Get-Credential -UserName 'Enter password below' -Message 'Enter password below'
Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My -Password $mypwd.Password -FilePath cert.pfx
After installing the new certificate in the Local Computer Personal store, run the following commands:
Set-Location Cert:\LocalMachine\my
Get-ChildItem
Pick the Thumbprint of the certificate you wish to use then run the following command using the proper thumbprint:
#Replace Certificate for RDS
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="[new_cert_thumbprint]"
This effectively updates the registry key:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SSLCertificateSHA1Hash
Use the following command to verify that the proper certificate is being used:
Get-WmiObject "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
Windows Server 2022 method
Couldn't the WMI method to work on Windows Server 2022. This did.
$serverName = "MYTS01"
$certHash = "xxxxx"
$path = (Get-WmiObject "Win32_TSGeneralSetting" -ComputerName $serverName -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'")
Set-WmiInstance -Path $path -Arguments @{SSLCertificateSHA1Hash=$certHash}
Signing RDP files
Use the rdpsign app to
rdpsign /sha256 xxxxxxxx "Remote Desktop File.rdp"