BSchwarz
Administrator
Hi,
I'm in the process of replacing self-signed RDP certificates with CA-signed ones. I'm working with Windows 10 Education clients, so RDS is not involved.
The certificate is installed in the local computer's "Personal" (and "Remote Desktop") certificate store, a corresponding private key is present on the machine and the Enhanced Key Usage extension has a value of "Server Authentication".
Unfortunately, I cannot seem to change the SSLCertificateSHA1Hash value:
$thumb = (gci -path "cert:/LocalMachine/My" | select -first 1).Thumbprint
Set-WmiInstance -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -argument @{SSLCertificateSHA1Hash="$thumb"}
Results in:
Set-WmiInstance :
At line:1 char:1
+ Set-WmiInstance -class "Win32_TSGeneralSetting" -Namespace root\cimv2 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-WmiInstance], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetWmiInstance
C:\Windows\system32> wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"
Results in:
Updating property(s) of '\\CLIENT\root\CIMV2\TerminalServices:Win32_TSGeneralSetting.TerminalName="RDP-Tcp"'
ERROR:
Description = Invalid parameter
When creating the value SSLCertificateSHA1Hash in Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, the entire value is deleted on rebooting the machine. Oddly, not even the hash of the self-signed certificate appears to be present in that key.
Am I missing something?
Thanks, I appreciate your help!
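
An added example, not part of the original post: one way to bind a certificate to the RDP listener by updating the existing RDP-Tcp instance of Win32_TSGeneralSetting, and by selecting the certificate on explicit criteria instead of taking the first entry in the store. It assumes an elevated PowerShell session and that the wanted certificate is the one in LocalMachine\My with a private key, a current validity period, the Server Authentication EKU and the latest expiry date.

```powershell
# Added example; assumes an elevated PowerShell session on the target machine.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the "Server Authentication" EKU
$namespace     = 'root\cimv2\TerminalServices'
$filter        = "TerminalName='RDP-Tcp'"

# Pick the certificate on explicit criteria: private key present, currently
# valid, Server Authentication EKU. Assumption: the latest-expiring match wins.
$now  = Get-Date
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and
        $_.NotAfter  -gt $now -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
    } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw 'No valid Server Authentication certificate with a private key in LocalMachine\My.'
}

# Fetch the existing listener object. Passing only a class name to
# Set-WmiInstance asks WMI to create a new instance, which is not an update.
$listener = Get-CimInstance -Namespace $namespace -ClassName Win32_TSGeneralSetting -Filter $filter
if (-not $listener) {
    throw 'RDP-Tcp listener not found in Win32_TSGeneralSetting.'
}

# Write the thumbprint to that instance.
Set-CimInstance -InputObject $listener `
    -Property @{ SSLCertificateSHA1Hash = $cert.Thumbprint } -ErrorAction Stop

# Read the value back to confirm the listener now references the chosen certificate.
$bound = (Get-CimInstance -Namespace $namespace -ClassName Win32_TSGeneralSetting -Filter $filter).SSLCertificateSHA1Hash
if ($bound -ne $cert.Thumbprint) {
    throw "Listener reports thumbprint '$bound', expected '$($cert.Thumbprint)'."
}
"RDP-Tcp is bound to $($cert.Subject) ($bound), valid until $($cert.NotAfter)."
```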