Method 1:  Using Windows Management Instrumentation (WMI) script

The configuration data for the RDS listener is stored in the Win32_TSGeneralSetting class in WMI under the Root\CimV2\TerminalServicesnamespace.

The certificate for the RDS listener is referenced through the Thumbprint value of that certificate on a SSLCertificateSHA1Hash property. The thumbprint value is unique to each certificate.

Note Before you run the wmic commands, the certificate that you want to use must be imported to the Personal certificate store for the computer account. If you do not import the certificate, you will receive an “Invalid Parameter” error.

To configure a certificate by using WMI, follow these steps:

  1. Open the properties dialog for your certificate and select the Details tab.
  2. Scroll down to the Thumbprint field and copy the space delimited hexadecimal string into something like Notepad.
    The following screen shot is an example of the certificate thumbprint in the Certificate properties:
    The screen shot of the certificate thumbprint in the Certificate propertiesIf you copy the string into Notepad, it should resemble the following screen shot:
    The screen shot of the string in NotepadAfter you remove the spaces in the string, it still contains the invisible ASCII character that is only visible at the command prompt. The following screen shot is an example:
    The screen shot for the invisible ASCII character

    Make sure that this ASCII character is removed before you run the command to import the certificate.

  3. Remove all spaces from the string. Also notice that there may be an invisible ACSII character that is also copied. This is not visible in Notepad. The only way to validate is to copy directly into the Command Prompt window.
  4. At command prompt, run the following wmic command together with the thumbprint value that you obtain in step 3:
    wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=”THUMBPRINT” 

    The following screen shot is a successful example:
    The screen shot of an successful example


Method 2:  Using registry editor

Important Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it,back up the registry for restoration in case problems occur.

To configure a certificate by using registry editor, follow these steps:

  1. Install a server authentication certificate to the Personal certificate store by using a computer account.
  2. Create the following registry value that contains the certificate’s SHA1 hash so that you can configure this custom certificate to support TLS instead of using the default self-signed certificate.
    Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    Value name:  SSLCertificateSHA1Hash
    Value type:  REG_BINARY
    Value data:  certificate thumbprint

    The value should be the thumbprint of the certificate and be separated by comma (,) without any empty spaces. For example, if you were to export that registry key, the SSLCertificateSHA1Hash value would be as follows:

  3. The Remote Desktop Host Services runs under the NETWORK SERVICE account. Therefore, you have to set the system access control list (SACL) of the key file that is used by RDS to include NETWORK SERVICE together with the “Read” permissions.To change the permissions, follow these steps on the Certificates snap-in for the local computer:
    1. Click Start, click Run, type mmc, and then click OK.
    2. On the File menu, click Add/Remove Snap-in.
    3. In the Add or Remove Snap-ins dialog box, on the Available snap-ins list, click Certificates, and then click Add.
    4. In the Certificates snap-in dialog box, click Computer account, and then click Next.
    5. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
    6. In the Add or Remove Snap-ins dialog box, click OK.
    7. In the Certificates snap-in, on the console tree, expand Certificates (Local Computer), expand Personal, and then select the SSL certificate that you want to use.
    8. Right-click the certificate, select All Tasks, and then select Manage Private Keys.
    9. In the Permissions dialog box, click Add, type NETWORK SERVICE, click OK, select Read under the Allow check box, and then click OK.