RobertRo-0293 avatar image
0 Votes"
RobertRo-0293 asked RobertRo-0293 edited

Remote Desktop Certificate and TPM

We set up a GPO to install certificates from the internal Windows CA for Remote Desktop Services.

-> Administrative Templates / Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security / Server authentication certificate template -> [TEMPLATE NAME]

The template was created by duplicating the "Workstation Authentication" template and setting the Enhanced Key Usage extension to “Remote Desktop Authentication” ( The template also was configured to use the Microsoft Platform Crypto Provider (TPM) in the Cryptography tab:


Upon gpupdate all systems (servers and clients) correctly requested their RDP certificate. But whenever a TPM was available (e.g. my workstation), RDP would no longer work correctly. When connecting to the system, an error message appeared that the local security authority (lsass) was unavailable, similar to this picture:

RDP to all virtual systems - where no TPM is available - worked fine. It looks like remote desktop services cannot access the private key when it is stored in a TPM. Is this assumption correct? Is there a solution to this issue or is this by design?

image.png (20.5 KiB)
image.png (16.5 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

0 Answers