RDS – Replacing the Custom (Self Signed) Default Certificate on a Remote Desktop Session Host Server

10 November 2019, by Rached CHADER

If your RDS farm uses the default custom (self-signed) certificate, you will get a certificate warning at every remote connection.

When you import or create a certificate through Active Directory Certificate Services (AD CS) on a Remote Desktop Session Host (RDSH) server, it will not be activated automatically.

Even if you delete the custom (self-signed) certificate, it will not be replaced by the imported certificate: at the next restart of the server the self-signed certificate simply reappears.

This is a PowerShell solution that reads the thumbprint (SHA-1 hash) of the first SSL certificate in the computer's Personal store and sets it on the RDP listener. If your system has multiple certificates, you must add a filter to the gci command to make sure you reference the correct certificate.

# get a reference to the RDP-Tcp listener configuration instance
$instance = gwmi -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"

# grab the thumbprint of the first SSL cert in the computer store
# (only safe when the Personal store holds a single certificate)
$thumb = (gci -Path cert:/LocalMachine/My | select -First 1).Thumbprint

# or, when the store holds several certificates, select the one you want by its thumbprint
$thumb = (gci -Path cert:/LocalMachine/My | ? { $_.Thumbprint -eq 'A3A0303FFEB3FBE8C3AC148445AE952BBDBA8ACC' }).Thumbprint

# set the new thumbprint value on the listener (run from an elevated PowerShell)
swmi -Path $instance.__path -Arguments @{SSLCertificateSHA1Hash="$thumb"}

To get the fingerprint value:

Open the properties dialog of your certificate and select the Details tab.
Scroll to the Fingerprint (Thumbprint) field and copy the hex string, whose bytes are separated by spaces, into Notepad.
Delete all spaces from the string.

This is the value you need to set in WMI. It should look like this: 1ea1fd5b25b8c327be2c4e4852263efdb4d16af4.

Now that you have the fingerprint value, here is a line that you can use to set the value using wmic:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"

Or via PowerShell:

$path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path
Set-WmiInstance -Path $path -Arguments @{SSLCertificateSHA1Hash="THUMBPRINT"}
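The snippets above assume you already know which thumbprint to use. The following script is an added example (not from the original post) that selects the certificate for you on a server whose Personal store holds several certificates, rejects anything that is not usable for RDP TLS (no private key, expired, wrong EKU, the self-signed RDP certificate itself), sets the thumbprint on the RDP-Tcp listener and reads the setting back to confirm it took effect. It assumes the certificate was issued for the host's FQDN and sits in Cert:\LocalMachine\My.

```powershell
# Added example: choose, validate, apply and verify the RDSH listener certificate.
# Assumption: the AD CS certificate is in Cert:\LocalMachine\My and names this host's FQDN.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Keep only certificates that: have a private key, are time-valid, carry the
# Server Authentication EKU (1.3.6.1.5.5.7.3.1), name this host, and are not
# self-signed (the default RDP certificate has Issuer == Subject).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and
        ($_.DnsNameList.Unicode -contains $fqdn -or $_.Subject -eq "CN=$fqdn") -and
        $_.Issuer -ne $_.Subject
    } |
    Sort-Object NotAfter -Descending |   # prefer the certificate that expires last
    Select-Object -First 1

if (-not $cert) {
    throw "No usable server-authentication certificate for $fqdn in Cert:\LocalMachine\My"
}

# SSLCertificateSHA1Hash expects the bare SHA-1 thumbprint: hex digits, no spaces.
$thumb = $cert.Thumbprint -replace '\s', ''

$listener = Get-WmiObject -Class Win32_TSGeneralSetting `
    -Namespace root\cimv2\TerminalServices -Filter "TerminalName='RDP-Tcp'"

if ($listener.SSLCertificateSHA1Hash -eq $thumb) {
    "RDP-Tcp already uses $thumb ($($cert.Subject)); nothing to do."
    return
}

"Replacing $($listener.SSLCertificateSHA1Hash) with $thumb ($($cert.Subject), expires $($cert.NotAfter))"
# Requires an elevated session. The Remote Desktop Services service also needs read access
# to the certificate's private key, otherwise the listener falls back to the self-signed cert.
Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $thumb } | Out-Null

# Verify by reading the listener configuration back; new RDP connections use the new certificate.
$check = Get-WmiObject -Class Win32_TSGeneralSetting `
    -Namespace root\cimv2\TerminalServices -Filter "TerminalName='RDP-Tcp'"
if ($check.SSLCertificateSHA1Hash -ne $thumb) {
    throw "Listener still reports $($check.SSLCertificateSHA1Hash); was the script run elevated?"
}
"RDP-Tcp listener now presents $($cert.Subject) ($thumb)"
```

After the change, connect once with mstsc and inspect the presented certificate to confirm the warning is gone; if the self-signed certificate is still shown, check the private key permissions mentioned in the comments.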
