Adding TLS Certificates to RDP Connections

This is an overview of a YouTube video which does a really good rundown of this topic.

Overview

This video goes over how to remove the Remote Desktop Connection warning message by implementing certificates on that connection.

It requires a PKI system (Active Directory Certificate Services) to be already set up and configured.

My notes are based on this video:

Key Parts

To start off, the new template is a clone of the built-in Computer certificate template; set the validity period and publish the certificate to Active Directory.

3:57 - Remove client authentication 

Cert Properties -> Key Usage -> Application Policy -> Client Authentication -> Remove

4:53 - create a custom application policy named Remote Desktop Authentication, with OID 1.3.6.1.4.1.311.54.1.2, and add it to the template

5:34 - set the template's security (ACL) so the session hosts are allowed to Enroll and Autoenroll

5:54 - change key size

6:26 - publish certificate template
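The template steps above are all done in the Certificate Templates console. The following PowerShell script is an added example, not part of the video, that reads the finished template back out of Active Directory and checks the same points: Remote Desktop Authentication present in the EKU list, Client Authentication removed, the minimum key size, the validity period, the Enroll/Autoenroll ACL entries, and whether the template is published on a CA. It assumes the RSAT ActiveDirectory module is installed and that the template's name (not its display name) is `RDP-Server-Auth`, which is a placeholder.

```powershell
# Added example: audit a published RDP certificate template from AD (not from the video).
# Assumes: RSAT ActiveDirectory module; template name 'RDP-Server-Auth' is a placeholder.
Import-Module ActiveDirectory

$TemplateName  = 'RDP-Server-Auth'            # placeholder: your template's Name attribute
$RdpAuthOid    = '1.3.6.1.4.1.311.54.1.2'     # Remote Desktop Authentication (custom policy from the video)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'          # Client Authentication (standard EKU OID)
$EnrollGuid    = '0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$AutoEnrollGuid= 'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment extended right

$configNc   = (Get-ADRootDSE).configurationNamingContext
$pkiBase    = "CN=Public Key Services,CN=Services,$configNc"
$templateDn = "CN=$TemplateName,CN=Certificate Templates,$pkiBase"

$tpl = Get-ADObject -Identity $templateDn -Properties `
    pKIExtendedKeyUsage, 'msPKI-Minimal-Key-Size', pKIExpirationPeriod, displayName

# --- EKU: RDP auth must be present, client auth must be gone (3:57 and 4:53 in the video)
$ekus = @($tpl.pKIExtendedKeyUsage)
$hasRdpAuth    = $ekus -contains $RdpAuthOid
$hasClientAuth = $ekus -contains $ClientAuthOid
"Template       : $($tpl.displayName) ($TemplateName)"
"EKU OIDs       : $($ekus -join ', ')"
"RDP auth EKU   : $(if ($hasRdpAuth) {'present (OK)'} else {'MISSING'})"
"Client auth EKU: $(if ($hasClientAuth) {'STILL PRESENT - remove it'} else {'removed (OK)'})"

# --- key size (5:54)
"Min key size   : $($tpl.'msPKI-Minimal-Key-Size') bits"

# --- validity: pKIExpirationPeriod is a little-endian negative int64 in 100 ns units
$validity = [TimeSpan]::FromTicks(-[BitConverter]::ToInt64([byte[]]$tpl.pKIExpirationPeriod, 0))
"Validity       : $($validity.Days) days"

# --- ACL: who may Enroll / Autoenroll (5:34)
$acl = Get-Acl -Path "AD:\$templateDn"
$acl.Access |
    Where-Object { $_.ObjectType -in $EnrollGuid, $AutoEnrollGuid -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $right = if ($_.ObjectType -eq $AutoEnrollGuid) { 'Autoenroll' } else { 'Enroll' }
        "ACL            : $($_.IdentityReference) -> $right"
    }

# --- published on a CA? (6:26) Each CA object lists its issued templates in certificateTemplates.
Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
             -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates |
    ForEach-Object {
        $published = @($_.certificateTemplates) -contains $TemplateName
        "CA $($_.Name): template $(if ($published) {'published (OK)'} else {'NOT published'})"
    }
```

Run it from a domain-joined admin workstation after publishing the template; an empty ACL list or a "NOT published" line explains why hosts later fail to autoenroll. Client Authentication must be absent because the certificate is meant to identify the server only, which is why the video removes it.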

8:19 - Create a GPO and set the "Server authentication certificate template" setting under the Remote Desktop settings to the certificate template name

Computer Settings -> Remote Desktop Services -> Remote Desktop Session Host -> Security -> Server Authentication certificate template
The template name entered here must match the template name shown in the Certification Authority's Certificate Templates console.

9:09 - set the SSL (TLS) security layer settings

Run gpupdate and reboot.

12:15 - check the certificate locally, or connect over RDP (connecting by IP address, which is not one of the names on the certificate, still produces the warning)

As long as the name you're connecting to matches the name on the certificate then there shouldn't be a warning. Obviously using IP addresses and short names might cause the cert warnings to appear as those names won't be on the certificate unless otherwise configured.
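To confirm on a session host that the GPO applied and the RDP listener actually switched to a certificate from the new template, the script below is an added example (not from the video). It reads the registry values the two GPO settings write, looks up the thumbprint the RDP-Tcp listener is bound to, finds that certificate in the machine store, checks its EKUs and template extension, and compares its DNS names with the host's FQDN, the short name and the IP address, so the name mismatch the last paragraph describes is visible before a user sees the warning. The template name `RDP-Server-Auth` is a placeholder.

```powershell
# Added example: verify GPO and listener certificate on an RDP session host (not from the video).
# Assumes: run elevated on the host; template name 'RDP-Server-Auth' is a placeholder.
$TemplateName  = 'RDP-Server-Auth'
$RdpAuthOid    = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication (from the video)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'        # Client Authentication (standard EKU OID)

# 1. Policy values written by the GPO settings from 8:19 and 9:09
$polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$pol = Get-ItemProperty -Path $polPath -ErrorAction SilentlyContinue
"GPO CertTemplateName : $($pol.CertTemplateName)  (expected '$TemplateName')"
"GPO SecurityLayer    : $($pol.SecurityLayer)  (2 = SSL/TLS, 1 = Negotiate, 0 = RDP)"

# 2. Certificate the RDP-Tcp listener is currently bound to
$ts = Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSGeneralSetting `
                      -Filter "TerminalName='RDP-tcp'"
$thumb = $ts.SSLCertificateSHA1Hash
"Listener thumbprint  : $thumb  (SecurityLayer=$($ts.SecurityLayer))"

# 3. Locate it in the machine store
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
if (-not $cert) { Write-Warning 'Listener certificate not found in LocalMachine\My'; return }
"Subject              : $($cert.Subject)"
"Issuer               : $($cert.Issuer)"
"Valid                : $($cert.NotBefore) -> $($cert.NotAfter)"
"Key size             : $($cert.PublicKey.Key.KeySize) bits"

# 4. EKU: RDP auth present, client auth absent (matches the template changes at 3:57 / 4:53)
$ekus = @($cert.EnhancedKeyUsageList.ObjectId)
"RDP auth EKU         : $(if ($ekus -contains $RdpAuthOid) {'present (OK)'} else {'MISSING'})"
"Client auth EKU      : $(if ($ekus -contains $ClientAuthOid) {'PRESENT - wrong template?'} else {'absent (OK)'})"

# 5. Which template issued it: V2 'Certificate Template Information' or V1 'Certificate Template Name'
$tplExt = $cert.Extensions | Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' }
$tplText = ($tplExt | ForEach-Object { $_.Format($false) }) -join '; '
"Template extension   : $tplText"
"From expected tpl    : $(if ($tplText -match [regex]::Escape($TemplateName)) {'yes (OK)'} else {'NO'})"

# 6. Name check: the name a client types must be in the cert's DNS names (SAN / CN)
$fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$short = $env:COMPUTERNAME
$ip    = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -ne '127.0.0.1' } |
          Select-Object -First 1).IPAddress
$names = @($cert.DnsNameList.Unicode)
"Cert DNS names       : $($names -join ', ')"
foreach ($target in @($fqdn, $short, $ip)) {
    $ok = $names -contains $target
    "Connect as '$target' : $(if ($ok) {'no warning expected'} else {'WARNING expected (name not on cert)'})"
}
```

The last loop is the point of the closing paragraph: the FQDN normally matches and the short name and IP address do not, so only the FQDN connection is warning-free unless those names were deliberately added to the certificate.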