Hi
If a Windows computer is a member of a domain and certificate autoenrollment is in place, then you can use the machine certificate provided by Active Directory as the RDP TLS certificate.
Get Remote Desktop WMI Path
$oTSWMIPath = (Get-WmiObject -Namespace root\cimv2\terminalservices -class "Win32_TSGeneralSetting" -Filter "TerminalName='RDP-tcp'").__path
Get the Machine Certificate issued by your domain
# DomainRole=1 matches a domain member workstation (a domain member server reports DomainRole=3)
$oWMIComputer = Get-WmiObject -Class "Win32_ComputerSystem" -Filter "DomainRole=1"
# Match the certificate whose Subject is exactly CN=<hostname>.<domain> (the dot is escaped so it is a literal dot in the regex)
if($oWMIComputer) { $oDomainCert = Get-Item Cert:\LocalMachine\My\* | ?{ $_.Subject -match ("^CN=" + $oWMIComputer.Name + "\." + $oWMIComputer.Domain + '$') } }
Just one certificate found?
if($oDomainCert.Count -eq 1) { Set-WmiInstance -Path $oTSWMIPath -argument @{SSLCertificateSHA1Hash=$oDomainCert.Thumbprint} }
Michael
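An added example (not Michael's code) that does the same binding but picks the certificate more strictly and checks the result afterwards: it accepts both member workstations and member servers, requires a private key, a valid date range, the Server Authentication EKU and the host FQDN in the certificate's DNS names, then reads the RDP-Tcp setting back to confirm the thumbprint stuck and warns if the listener is not set to the TLS security layer. The function name Set-RdpDomainCertificate, the $serverAuthOid variable and the "run elevated on a domain-joined host" assumption are mine, not from the post.

```powershell
# Added example, not from the original post. Assumes: run in an elevated Windows PowerShell
# session on a domain-joined host, and that the CA issued a machine certificate carrying the
# Server Authentication EKU and the host FQDN (template "Computer" or similar).
function Set-RdpDomainCertificate {
    [CmdletBinding()]
    param()

    # DomainRole 1 = member workstation, 3 = member server; anything else is not domain-joined
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.DomainRole -notin 1, 3) {
        throw "Host is not a domain member (DomainRole=$($cs.DomainRole)); nothing to bind."
    }
    $fqdn = "$($cs.Name).$($cs.Domain)"

    # OID for the Server Authentication EKU (a TLS server certificate must carry it)
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $now = Get-Date

    # Candidate certificates in the machine store: private key present, currently valid,
    # Server Authentication EKU, and the FQDN either in the SAN DNS list or as the Subject CN.
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) -and
        (($_.DnsNameList.Unicode -contains $fqdn) -or ($_.Subject -eq "CN=$fqdn"))
    }

    if (-not $candidates) {
        throw "No valid Server Authentication certificate for $fqdn in Cert:\LocalMachine\My."
    }
    # Several may exist after renewals; take the most recently issued one.
    $cert = $candidates | Sort-Object NotBefore -Descending | Select-Object -First 1

    # Bind the thumbprint to the RDP-Tcp listener.
    $ts = Get-WmiObject -Namespace root\cimv2\terminalservices -Class Win32_TSGeneralSetting `
          -Filter "TerminalName='RDP-Tcp'"
    Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

    # Read the setting back instead of trusting the write.
    $after = Get-WmiObject -Namespace root\cimv2\terminalservices -Class Win32_TSGeneralSetting `
             -Filter "TerminalName='RDP-Tcp'"
    if ($after.SSLCertificateSHA1Hash -ne $cert.Thumbprint) {
        throw "RDP-Tcp still reports thumbprint $($after.SSLCertificateSHA1Hash); binding failed."
    }

    # SecurityLayer 2 = TLS. With 0 (RDP security) or 1 (negotiate) the certificate may never be used.
    if ($after.SecurityLayer -ne 2) {
        Write-Warning "RDP-Tcp SecurityLayer is $($after.SecurityLayer), not 2 (TLS); the certificate is bound but TLS is not enforced."
    }

    [PSCustomObject]@{
        Host          = $fqdn
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        SecurityLayer = $after.SecurityLayer
    }
}

# Usage: Set-RdpDomainCertificate
```

The function throws rather than silently doing nothing when no suitable certificate exists, because the common failure is that autoenrollment issued a certificate without the Server Authentication EKU or that the service account cannot read the private key (in the latter case the binding succeeds but the RDP service falls back to its self-signed certificate, so checking the thumbprint in WMI is necessary but not sufficient; the certificate actually presented on port 3389 should also be inspected after the change).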