Prevent remote desktop from generating a self-signed certificate

Mark Thompson 6 Reputation points
2020-12-18T19:36:07.217+00:00

Hello,

Does anyone know a way to prevent remote desktop from creating a self-signed certificate? I would like to avoid having to implement anything that will generate errors and I have a requirement to ensure there are no self-signed certificates. I have also already gotten RDP to use CA generated certificates as well.

Remote Desktop
Remote Desktop
A Microsoft app that connects remotely to computers and to virtual apps and desktops.
4,612 questions
{count} vote

4 answers

Sort by: Most helpful
  1. Poirier, Steve 5 Reputation points
    2024-11-07T19:44:52.9333333+00:00

    This script will deny access to the System account for the Remote Desktop certificates registry key. Thus preventing certificate creation

    #Define the registry path

    $registryPath = "HKLM\SOFTWARE\Microsoft\SystemCertificates\Remote Desktop\Certificates"

    #Define the System account

    $user = "NT AUTHORITY\SYSTEM" # SYSTEM account

    #Get the current ACL for the registry key

    $acl = Get-Acl -Path "Registry::$registryPath"

    #Disable inheritance

    $acl.SetAccessRuleProtection($true,$true) #True: Protect (Disable Inheritance), True: Copy inherited rules

    #Create a deny access rule for Full Control on the System account

    $denyRule = New-Object System.Security.AccessControl.RegistryAccessRule($user,"FullControl","ContainerInherit,ObjectInherit","None","Deny")

    #Add the deny rule to the ACL

    $acl.AddAccessRule($denyRule)

    #Apply the updated ACL to the registry key

    Set-Acl -Path "Registry::$registryPath" -AclObject $acl

    #Display complete message

    Write-Host "Inheritance disabled and FullControl denied for $user on $registryPath"

    1 person found this answer helpful.

  2. Eleven Yu (Shanghai Wicresoft Co,.Ltd.) 10,761 Reputation points Microsoft Vendor
    2020-12-21T03:10:29.07+00:00

    Hi,

    After research, I found below setting can prevent the self-signed certificate generation. But it will generate 1057 error in your system event log. If you do not mind this, you can have a try.

    Open Regisrtry Editor > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations > set the value of "SelfSignedCertStore" to "NUL"

    Thanks,

    Eleven

    If the Answer is helpful, please click "Accept Answer" and upvote it. Thanks.


  3. Vijay Kumar 0 Reputation points
    2023-04-11T15:35:02.36+00:00

    Has anyone found the solution to this?

    I've configured the GPO to automatically enroll the RDP certificate. Now I need to get rid of the self signed certificate that is getting installed automatically.


  4. Seth Garman 0 Reputation points
    2024-10-30T20:56:39.2166667+00:00

    The easiest way to block the creation of self signed certificates for Remote Desktop is to disable the system's access to the registry entry.

    1. Ensure that the self signed certificate is removed from the certificate store
    2. Open regedit and navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Remote Desktop\Certificates
    3. Right click the Key (folder)
    4. Click Permissions
    5. Click Advanced
    6. Click Disable Inheritance
    7. Click the convert option
    8. Click apply then OK to close the advanced settings box
    9. Click System from the User Name list
    10. Check the Deny box across from Full Control
    11. Click apply then OK to close the Permissions box
    12. Reboot the computer

    At this point, the computer will not generate its own self signed certificate and will not throw errors in the event log.

    Note: If you do not have your CA set to distribute RDP certificates, and your group policy to recognize that certificate template, you will get a 0x04 error when attempting to Remote Desktop

    Edit: the Group Policy setting I was referring to above is located in Computer Configuration/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security. The setting for Server Authentication Certificate Template must match the template name that creates your Remote Desktop certificates, NOT the template display name.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.