Why does my 2019 server delete my SSLCertificateSHA1Hash registry entry from the rdp-tcp folder when remote desktop services are restarted?

Josh Garcia 0 Reputation points
2024-08-26T23:03:36.5733333+00:00

I've been trying to set my RDP certificates to some issued certificates I have for my machines. I've done all the magic and nada. I imported my .cer into the Personal/Remote Desktop stores, changed the selfsignedcertstore to nul, and set the SSLCertificateSHA1Hash in rdp-tcp. Everything is going perfectly.

Restart Remote Desktop Services: the system removes SSLCertificateSHA1Hash from the rdp-tcp registry key and reverts to using the self-signed cert.

I have verified that there are not any GPO conflicts.

Has anyone experienced this? Does anybody know where I can look in the configs to see what in Remote Desktop Services looks at and adjusts that registry setting?

Windows Server 2019
Remote Desktop

1 answer

  1. Yanhong Liu 14,135 Reputation points Microsoft External Staff
    2024-08-27T08:07:47.7766667+00:00

    Hello,

    Thank you for posting in the Q&A forum.

    You need to set three things to make your settings work:

    1. Registry
    2. GPO
    3. A server authentication certificate from CA

    If it reverts to the self-signed certificate, it may be because the GPO is not set to SSL.

    You can check the link below, which lets RDP use CA certificates, if you don't want the RDP service to use self-signed certificates.

    Use custom certificate for TLS over RDS - Windows Server | Microsoft Learn

    Links for more information:

    Remote Desktop listener certificate configurations - Windows Server | Microsoft Learn

    Using certificates in Remote Desktop Services | Microsoft Learn

    Best regards

    Yanhong

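
A read-only way to check the three items listed in the answer above (registry value, GPO security layer, certificate), as an added example that is not part of the original thread or of Microsoft's documentation. The function name is hypothetical; the full registry paths, the `SecurityLayer` policy value, and the private-key and EKU checks are assumptions based on the standard RDP listener configuration rather than details given on this page.

```powershell
# Added diagnostic example (read-only); run elevated on the RDS host.
# Function name is hypothetical; paths are the standard RDP-Tcp listener and RDS policy keys.
function Test-RdpListenerCertificate {
    $listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    # Server Authentication and Remote Desktop Authentication EKU OIDs
    $okEku    = '1.3.6.1.5.5.7.3.1', '1.3.6.1.4.1.311.54.1.2'
    $findings = @()

    # GPO: "Require use of specific security layer" writes SecurityLayer (2 = SSL).
    $layer = (Get-ItemProperty $policy -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer
    if ($layer -ne 2) { $findings += "Policy SecurityLayer is '$layer', not 2 (SSL)." }

    # Registry: the thumbprint must be REG_BINARY, which PowerShell returns as byte[].
    $hash = (Get-ItemProperty $listener -Name SSLCertificateSHA1Hash -ErrorAction SilentlyContinue).SSLCertificateSHA1Hash
    if ($null -eq $hash) { return $findings + 'SSLCertificateSHA1Hash is not present on the listener.' }
    if ($hash -isnot [byte[]]) { return $findings + 'SSLCertificateSHA1Hash is not REG_BINARY.' }
    $thumb = ($hash | ForEach-Object { $_.ToString('X2') }) -join ''

    # Certificate: must be in the computer Personal store with its private key.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { return $findings + "No certificate $thumb in Cert:\LocalMachine\My." }
    if (-not $cert.HasPrivateKey) {
        $findings += 'Certificate has no private key (a .cer file itself carries no private key).'
    }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $findings += 'Certificate is outside its validity period.'
    }

    # EKU: if the extension is present, it must allow server or RDP authentication.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if (-not ($oids | Where-Object { $okEku -contains $_ })) {
            $findings += 'EKU lacks Server Authentication / Remote Desktop Authentication.'
        }
    }
    if (-not $findings) { $findings = @('No problems found by these checks.') }
    return $findings
}

Test-RdpListenerCertificate
```

Running it before and after restarting Remote Desktop Services shows whether the value was already unusable (wrong type, missing certificate or private key) before the service removed it.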
