Microsoft Remote Desktop Certificates

Manually replacing RDP certificate

Install the new certificate in the Local Computer Personal store:

If no password is needed:

Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My -FilePath cert.pfx

Or if a password is needed:

$mypwd = Get-Credential -UserName 'Enter password below' -Message 'Enter password below'
Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My -Password $mypwd.Password -FilePath cert.pfx

After installing the new certificate in the Local Computer Personal store, run the following commands:

Set-Location Cert:\LocalMachine\my
Get-ChildItem

Pick the Thumbprint of the certificate you wish to use, then run the following command with that thumbprint (a SHA-1 hex string, no spaces). Note that wmic is deprecated and is being removed from current Windows releases; the Set-WmiInstance variant in the Windows Server 2022 section below sets the same property from PowerShell:

#Replace Certificate for RDS
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="[new_cert_thumbprint]"

This effectively updates the following registry value (REG_BINARY), which is what the RDP-Tcp listener reads:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SSLCertificateSHA1Hash

Use the following command to verify that the proper certificate is being used; the SSLCertificateSHA1Hash field in the output should match the thumbprint you set:

Get-WmiObject "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"

Source

Windows Server 2022 method

Couldn't get the WMI method to work on Windows Server 2022. This did.

$serverName = "MYTS01"
$certHash = "xxxxx"   # SHA-1 thumbprint of the new certificate, hex with no spaces
# Get the WMI object path (__PATH) of the RDP-Tcp listener on the target server...
$path = (Get-WmiObject "Win32_TSGeneralSetting" -ComputerName $serverName -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__PATH
# ...and write the new thumbprint to that instance
Set-WmiInstance -Path $path -Arguments @{SSLCertificateSHA1Hash=$certHash}
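
The following script is an added example, not code from the original page. It runs the whole procedure from the sections above (import the PFX, select the certificate, point the RDP-Tcp listener at it, verify) with the CIM cmdlets Get-CimInstance and Set-CimInstance rather than wmic or the Get-WmiObject/Set-WmiInstance pair, which are deprecated and not present in PowerShell 7. On top of the page's WMI read-back it compares the registry value and then completes the RDP X.224 negotiation and TLS handshake against the listener, so you see the certificate actually being served rather than only the one configured. It assumes an elevated session on the RDP host itself; the PFX path is a hypothetical placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page). Assumptions: run in an elevated
# session on the RDP host itself; the PFX path below is hypothetical.
param(
    [string]$PfxPath      = 'C:\certs\rdp.pfx',   # assumption: adjust to your file
    [string]$ComputerName = $env:COMPUTERNAME
)

$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password (press Enter if none)'

# 1. Import into the Local Computer Personal store (Cert:\LocalMachine\My).
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# 2. Pre-flight: the listener needs a private key and, if the certificate has an
#    EKU extension at all, that extension must include Server Authentication.
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku -and ($eku.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.1')) {
    throw "Certificate $($cert.Thumbprint) lacks the Server Authentication EKU"
}

# 3. Point the RDP-Tcp listener at the new certificate. The property takes the
#    SHA-1 thumbprint as a hex string, which is exactly what .Thumbprint returns.
$listener = Get-CimInstance -Namespace root\cimv2\TerminalServices -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$listener | Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $cert.Thumbprint }

# 4. Read the setting back through WMI and through the registry value behind it.
function Get-RdpListenerThumbprint {
    $wmi = (Get-CimInstance -Namespace root\cimv2\TerminalServices -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $reg = ((Get-ItemProperty $key).SSLCertificateSHA1Hash | ForEach-Object { $_.ToString('X2') }) -join ''
    [pscustomobject]@{ Wmi = "$wmi".ToUpperInvariant(); Registry = $reg }
}

# 5. Check what the listener actually serves. RDP opens with an X.224 Connection
#    Request carrying RDP_NEG_REQ; requesting TLS or CredSSP makes the server's
#    next step a TLS handshake, so the certificate presented there is the one in
#    use. Certificate validation is disabled on purpose: we only want to see it.
function Get-RdpServerCertificate {
    param([string]$Target = 'localhost', [int]$Port = 3389)
    $client = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    try {
        $net = $client.GetStream()
        $tpkt   = 0x03,0x00,0x00,0x13                        # TPKT header, total length 19
        $x224cr = 0x0e,0xe0,0x00,0x00,0x00,0x00,0x00         # X.224 Connection Request
        $negReq = 0x01,0x00,0x08,0x00, 0x03,0x00,0x00,0x00   # RDP_NEG_REQ: PROTOCOL_SSL|PROTOCOL_HYBRID
        [byte[]]$request = $tpkt + $x224cr + $negReq
        $net.Write($request, 0, $request.Length)

        $response = New-Object byte[] 19                     # TPKT + X.224 CC + RDP_NEG_RSP/FAILURE
        $got = 0
        while ($got -lt $response.Length) {
            $n = $net.Read($response, $got, $response.Length - $got)
            if ($n -le 0) { throw 'Connection closed during X.224 negotiation' }
            $got += $n
        }
        # Byte 11 is the RDP_NEG type (0x02 = response, 0x03 = failure); bytes 15-18
        # carry selectedProtocol or failureCode. selectedProtocol 0 means Standard
        # RDP security, i.e. no TLS and no certificate to inspect.
        if ($response[11] -ne 0x02) { throw "Server rejected the negotiation (failure code $($response[15]))" }
        if ($response[15] -eq 0)    { throw 'Server selected Standard RDP security; no certificate is presented' }

        $ssl = New-Object System.Net.Security.SslStream($net, $false, { param($s, $c, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($Target)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

$stored = Get-RdpListenerThumbprint
$served = Get-RdpServerCertificate -Target $ComputerName
[pscustomobject]@{
    Expected = $cert.Thumbprint
    Wmi      = $stored.Wmi
    Registry = $stored.Registry
    OnWire   = $served.Thumbprint
    Ok       = ($stored.Wmi -eq $cert.Thumbprint -and $stored.Registry -eq $cert.Thumbprint -and $served.Thumbprint -eq $cert.Thumbprint)
}
```

If Wmi and Registry show the new thumbprint but OnWire still shows the old one (typically the self-signed certificate), the usual cause is that the Remote Desktop Services service, which runs as NETWORK SERVICE, cannot read the private key: grant NETWORK SERVICE Read on the private key (certlm.msc, right-click the certificate, All Tasks, Manage Private Keys) and retry. For a remote host, Get-CimInstance accepts -ComputerName and the piped Set-CimInstance then writes to the same session.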

Signing RDP files

Use the rdpsign tool (shipped with Windows) to sign .rdp files, so that a client can verify the connection settings come from a known publisher and have not been modified. The hash argument identifies the signing certificate, which must have a private key available to the user running the tool:

rdpsign /sha256 xxxxxxxx "Remote Desktop File.rdp"

Clients only treat the signature as trusted when the publisher certificate's thumbprint is listed in the Group Policy setting "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers" (Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client); without it, the user still gets the unknown-publisher prompt.