Remote Desktop Certificate and TPM
We set up a GPO to install certificates from the internal Windows CA for Remote Desktop Services.
-> Administrative Templates / Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security / Server authentication certificate template -> [TEMPLATE NAME]
The template was created by duplicating the "Workstation Authentication" template and setting the Enhanced Key Usage extension to "Remote Desktop Authentication" (1.3.6.1.4.1.311.54.1.2). The template was also configured to use the Microsoft Platform Crypto Provider (TPM) in the Cryptography tab:
After gpupdate, all systems (servers and clients) correctly requested their RDP certificate. But whenever a TPM was available (e.g. my workstation), RDP no longer worked correctly. When connecting to the system, an error message appeared saying that the local security authority (lsass) was unavailable, similar to this picture:
RDP to all virtual systems - where no TPM is available - worked fine. It looks like remote desktop services cannot access the private key when it is stored in a TPM. Is this assumption correct? Is there a solution to this issue or is this by design?
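As an added diagnostic example (this is not code from the original post), the following PowerShell reads the thumbprint the RDP listener is currently bound to, finds that certificate in the machine store, and reports which key storage provider holds its private key and whether the certificate carries the Remote Desktop Authentication EKU from the post. Running it on a TPM host and on a virtual host side by side confirms whether the key provider is the difference. The function name, the default listener name `RDP-Tcp`, and the provider name string `Microsoft Platform Crypto Provider` are assumptions (the latter is the display name the TPM KSP uses); the EKU OID is the one given above.

```powershell
# Added example, not from the original post. Assumptions: listener 'RDP-Tcp'
# (the default), the certificate lives in Cert:\LocalMachine\My, PowerShell 5.1+
# on .NET Framework 4.6+ (for RSACertificateExtensions), run as administrator.
function Get-RdpCertificateKeyInfo {
    [CmdletBinding()]
    param(
        [string]$ListenerName = 'RDP-Tcp'
    )

    $rdpAuthEku = '1.3.6.1.4.1.311.54.1.2'          # Remote Desktop Authentication (from the post)
    $tpmKsp     = 'Microsoft Platform Crypto Provider' # assumed display name of the TPM KSP

    # 1. Which certificate is the RDP listener bound to? (WMI TerminalServices namespace)
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='$ListenerName'"
    if (-not $ts) { throw "Listener '$ListenerName' not found." }
    $thumb = $ts.SSLCertificateSHA1Hash

    # 2. Locate it in the machine store.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { throw "Certificate $thumb is not present in Cert:\LocalMachine\My." }

    # 3. Does it carry the Remote Desktop Authentication EKU?
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasRdpEku = $false
    if ($ekuExt) {
        $hasRdpEku = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $rdpAuthEku })
    }

    # 4. Which provider holds the private key? CNG (KSP) keys expose CngKey.Provider,
    #    legacy CAPI keys expose CspKeyContainerInfo.ProviderName.
    $provider = $null
    if ($cert.HasPrivateKey) {
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $provider = $rsa.Key.Provider.Provider
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $provider = $rsa.CspKeyContainerInfo.ProviderName
            }
        } catch {
            # Opening the key can fail for the very reason under investigation:
            # the handle cannot be obtained from this security context.
            $provider = "ERROR: $($_.Exception.Message)"
        }
    }

    # Certificate template information (v2 template extension), if present.
    $templateInfo = $cert.Extensions |
        Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' } |
        ForEach-Object { $_.Format($false) }

    [pscustomobject]@{
        Listener      = $ListenerName
        Thumbprint    = $thumb
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        Template      = $templateInfo
        HasPrivateKey = $cert.HasPrivateKey
        HasRdpAuthEku = $hasRdpEku
        KeyProvider   = $provider
        IsTpmBacked   = ($provider -eq $tpmKsp)
    }
}

# Usage: compare the output of a TPM-equipped workstation with a virtual machine.
Get-RdpCertificateKeyInfo | Format-List
```

The script only reads state; it does not rebind the listener. A result with `HasPrivateKey = True` and `KeyProvider = Microsoft Platform Crypto Provider` on the failing hosts, against `Microsoft Software Key Storage Provider` on the working virtual machines, narrows the symptom to the key's storage provider rather than to the template's EKU or the GPO itself.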