Windows 10 RDP CA certificate

BSchwarz

Hi,

I'm in the process of replacing self-signed RDP certificates with CA-signed ones. I'm working with Windows 10 Education clients, so RDS is not involved.

The certificate is installed in the local computer's "Personal" (and "Remote Desktop") certificate store, a corresponding private key is present on the machine and the Enhanced Key Usage extension has a value of "Server Authentication".

Unfortunately, I cannot seem to change the SSLCertificateSHA1Hash value:


$thumb = (gci -path "cert:/LocalMachine/My" | select -first 1).Thumbprint
Set-WmiInstance -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -argument @{SSLCertificateSHA1Hash="$thumb"}
Results in:

Set-WmiInstance :
At line:1 char:1
+ Set-WmiInstance -class "Win32_TSGeneralSetting" -Namespace root\cimv2 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-WmiInstance], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetWmiInstance





C:\Windows\system32> wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"

Results in:

Updating property(s) of '\\CLIENT\root\CIMV2\TerminalServices:Win32_TSGeneralSetting.TerminalName="RDP-Tcp"'
ERROR:
Description = Invalid parameter

When creating the value SSLCertificateSHA1Hash in Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, the entire value is deleted on rebooting the machine. Oddly, not even the hash of the self-signed certificate appears to be present in that key.

Am I missing something?

Thanks, I appreciate your help!
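
As an added example (not part of the original post), the following PowerShell checks the certificate properties the post lists (private key, "Server Authentication" EKU) and writes the thumbprint to the existing RDP-Tcp instance of Win32_TSGeneralSetting rather than to the class. It assumes an elevated session on the client and exactly one matching certificate in LocalMachine\My; the variable names are illustrative.

```powershell
# Added example: run in an elevated PowerShell session on the RDP host.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the "Server Authentication" EKU
$ns = 'root\cimv2\TerminalServices'

# Select by the properties the post lists instead of taking the first
# certificate in the store, which may be an unrelated one.
$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
})
if ($candidates.Count -ne 1) {
    throw "Expected exactly one usable certificate, found $($candidates.Count)."
}

# Keep only hex digits; a SHA-1 thumbprint must be exactly 40 of them.
$thumb = ($candidates[0].Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumb.Length -ne 40) { throw "Unexpected thumbprint length: $($thumb.Length)" }

# Address the existing listener instance, not the class.
$listener = Get-CimInstance -Namespace $ns -ClassName Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'"
if (-not $listener) { throw 'RDP-Tcp listener instance not found.' }

Set-CimInstance -InputObject $listener -Property @{ SSLCertificateSHA1Hash = $thumb }

# Read the value back to confirm what the listener now references.
$current = (Get-CimInstance -Namespace $ns -ClassName Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
[pscustomobject]@{ Requested = $thumb; Current = $current; Match = ($current -eq $thumb) }
```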

