Prevent remote desktop from generating a self-signed certificate

Question

Hello,

Does anyone know a way to prevent remote desktop from creating a self-signed certificate? I would like to avoid having to implement anything that will generate errors and I have a requirement to ensure there are no self-signed certificates. I have also already gotten RDP to use CA generated certificates as well.

Answer 1

Hi,

After research, I found below setting can prevent the self-signed certificate generation. But it will generate 1057 error in your system event log. If you do not mind this, you can have a try.

Open Regisrtry Editor > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations > set the value of "SelfSignedCertStore" to "NUL"

Thanks,

Eleven

If the Answer is helpful, please click "Accept Answer" and upvote it. Thanks.

Answer 2

Has anyone found the solution to this?

I've configured the GPO to automatically enroll the RDP certificate. Now I need to get rid of the self signed certificate that is getting installed automatically.

Answer 3

The easiest way to block the creation of self signed certificates for Remote Desktop is to disable the system's access to the registry entry.

1. Ensure that the self signed certificate is removed from the certificate store
2. Open regedit and navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Remote Desktop\Certificates
3. Right click the Key (folder)
4. Click Permissions
5. Click Advanced
6. Click Disable Inheritance
7. Click the convert option
8. Click apply then OK to close the advanced settings box
9. Click System from the User Name list
10. Check the Deny box across from Full Control
11. Click apply then OK to close the Permissions box
12. Reboot the computer

At this point, the computer will not generate its own self signed certificate and will not throw errors in the event log.

Note: If you do not have your CA set to distribute RDP certificates, and your group policy to recognize that certificate template, you will get a 0x04 error when attempting to Remote Desktop

Edit: the Group Policy setting I was referring to above is located in Computer Configuration/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security. The setting for Server Authentication Certificate Template must match the template name that creates your Remote Desktop certificates, NOT the template display name.

Answer 4

Define the registry path (modify to your specific registry key)$registryPath = "HKLM\SOFTWARE\Microsoft\SystemCertificates\Remote Desktop\Certificates"

 

Define the SYSTEM account (since we're targeting SYSTEM group)

$user = "NT AUTHORITY\SYSTEM"  # SYSTEM account

 

Get the current ACL for the registry key

$acl = Get-Acl -Path "Registry::$registryPath"

 

Disable inheritance (this will copy current permissions but prevent new inheritance)

$acl.SetAccessRuleProtection($true, $true)  # True: Protect (disable inheritance), True: Copy inherited rules

 

Create a deny access rule for FullControl for SYSTEM account

$denyRule = New-Object System.Security.AccessControl.RegistryAccessRule(

    $user, "FullControl", "ContainerInherit,ObjectInherit", "None", "Deny"

)

 

Add the deny rule to the ACL

$acl.AddAccessRule($denyRule)

 

Apply the updated ACL to the registry key

Set-Acl -Path "Registry::$registryPath" -AclObject $acl

 

Write-Host "Inheritance disabled and FullControl denied for $user on $registryPath"