One of the most popular posts of all time on my blog has been Create Trusted Remote Desktop Services (RDP) SSL Certificates for Windows 2008R2/2012/Win7. That article is a few years old, so I thought I would update it for Windows Server 2019 and Windows 10. The fundamentals have not changed, but I had a few requests for an updated post...so here it is!
When you install Windows it installs self-signed certificates for use with RDP. As we all know, self-signed certificates are not trusted by clients and represent a security risk. Even if you install a Microsoft CA in your environment, the RDP certificates are not automatically trusted. This post will show you how to automate the process of distributing trusted SSL certificates to the RDP service. As a result of this post you will no longer see the warning below when you RDP into your servers.
The high level process is creating a new certificate authority template that's unique to RDP certificates. Next you set up a GPO to request these new certificate types, and finally all servers covered by the GPO will have a trusted RDP certificate. Fairly easy, and once you configure it you can forget about it. This blog post is based on Windows Server 2019, but the same steps work for Windows Server 2016 as well. The certificates are also good for Windows 10, if you need to RDP into a client OS (such as for VDI).
RDP Certificate Template
1. On your Microsoft certificate authority server open the Certificate Templates console.
2. Expand the CA and right click on Certificate Templates, then select Manage.
3. Right click on the Computer template and select Duplicate.
4. Change the template display name to RemoteDesktopComputer (no spaces). Verify the Template Name is exactly the same (no spaces). You can use a different name if you want, but both fields must match exactly. Change the validity period to match your company policy.
5. Now we need to create an application policy to limit the usage to RDS authentication, then remove the other application uses for the certificate. On the Extensions tab click on Application Policies then click on Edit.
6. Click on Add, then click on New. Set the value of Name to Remote Desktop Authentication. Change the object identifier (OID) to 1.3.6.1.4.1.311.54.1.2.
7. From the Application Policies list, select Remote Desktop Authentication and click OK.
8. Back on the certificate template properties, remove all other entries. Only Remote Desktop Authentication should be present.
9. You probably want to secure your domain controllers as well, so for that we need to modify the security settings on the template. Open the Security tab, add the group Domain Controllers, and give the group Enroll (not Autoenroll). Click OK to close the template.
10. Open the MMC snap-in for managing your Certificate Authority and locate the Certificate Templates node. Right click, select New, then Certificate Template to Issue. Choose the RemoteDesktopComputer template.
Group Policy Configuration
1. Next up is configuring the GPO to utilize the new template. You can modify any GPO you wish, or create a new one. Obviously the scope of the GPO should cover any servers that you want to secure with TLS.
2. In the GPO editor locate the node Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security. Modify the Server Authentication Certificate Template setting. Enable the policy and enter the certificate template name that exactly matches what you created in your CA.
3. In the same GPO node, configure the Require use of specific security layer for remote (RDP) connections to use SSL.
4. Wait for the GPO to replicate, then refresh the GPO on a test server. Wait a minute, then open the Certificates MMC snap-in for the computer account. Look in the Personal\Certificates store for a certificate that has the Intended Purposes of Remote Desktop Authentication. If it's not there, wait a minute and refresh. If it never appears, something is wrong. Run gpresult to make sure your GPO is being applied to the server.
5. To use the new certificate restart the Remote Desktop Services service (or reboot).
6. Open the Certificate and look at the Thumbprint value. Remember the first few characters.
7. Open an elevated PowerShell prompt and run this command:
Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices
Validate that the SecurityLayer value is 2 (SSL/TLS, matching the GPO setting from step 3) and that the SSLCertificateSHA1Hash value matches the certificate thumbprint. If both of those settings are correct, then you are good to go!
8. From another computer (domain joined) now RDP into this server and verify that you no longer get the certificate warning. In fact, it should just sail right through to your desktop.
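As an added example (not code from the original post), the PowerShell script below automates the checks in steps 6 and 7 and adds the ones a practitioner would want before trusting the result: that the listener certificate is not the Windows self-signed one, that its EKU is Remote Desktop Authentication, that it came from the RemoteDesktopComputer template, and that its chain builds to a trusted CA. It assumes an elevated prompt on the server and the template name used in this post; the template-name check relies on how Windows formats the Certificate Template Information extension, so treat that match as an assumption.

```powershell
# Added example (not from the original post): verify the local RDP listener is
# bound to a CA-issued Remote Desktop Authentication certificate.
# Assumptions: elevated prompt on the target server; template name as in the post.
$ExpectedTemplate = 'RemoteDesktopComputer'
$RdpAuthOid       = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication EKU

# Same WMI class the post queries. SecurityLayer: 0 = RDP, 1 = Negotiate, 2 = SSL/TLS
$ts = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices `
        -Filter "TerminalName='RDP-Tcp'"
$thumb = $ts.SSLCertificateSHA1Hash

# Locate the certificate the listener is bound to in the computer's Personal store
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }

$results = [ordered]@{
    'Security layer is SSL/TLS (2)'                 = ($ts.SecurityLayer -eq 2)
    'Listener certificate found in LocalMachine\My' = ($null -ne $cert)
}
if ($cert) {
    # The default self-signed RDP certificate has Issuer equal to Subject
    $results['Certificate is not self-signed'] = ($cert.Issuer -ne $cert.Subject)

    # Extended Key Usage (2.5.29.37) must contain Remote Desktop Authentication
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $results['EKU contains Remote Desktop Authentication'] =
        ($null -ne $eku -and ($eku.EnhancedKeyUsages.Value -contains $RdpAuthOid))

    # Certificate Template Information (1.3.6.1.4.1.311.21.7) names the issuing template;
    # the text match below is an assumption about how Windows formats that extension
    $tmpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $results["Issued from template $ExpectedTemplate"] =
        ($null -ne $tmpl -and ($tmpl.Format($false) -match $ExpectedTemplate))

    $now = Get-Date
    $results['Certificate is within its validity period'] =
        ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)

    # Verify() builds the chain to a trusted root and checks revocation
    $results['Chain builds to a trusted CA'] = $cert.Verify()
}

# Print PASS/FAIL per check; any FAIL means clients will still see the warning
$results.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
```

Run it after restarting the Remote Desktop Services service; if the listener still reports the old thumbprint, the service has not picked up the new certificate yet.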
The procedure for Windows Server 2019 and Windows 10 is basically the same as 5+ years ago when I documented it for Windows Server 2008 R2/2012/Win7. But it's good to validate that the procedure still works, and give the audience a fresh post. You can check out my 2013 post titled: Create Trusted Remote Desktop Services (RDP) SSL Certificate if you want it for 2008 R2/2012 servers.