By default, Windows servers use self-signed certificates for the RDP connection. The self-signed certificates then provide a certificate warning when the RDP connection to a Windows server is established:
This warning can be avoided by automatically rolling out certificates from a Windows certification authority to the servers and renewing them when necessary. I have described the installation of a Windows PKI in this article. This article covers the automatic rollout of certificates for the RDP connection.
Create template for certificates
A new certificate template is first required so that certificates for RDP connections can be rolled out:
The existing template "Computer" is already quite suitable for RDP certificates and can therefore be duplicated:
In the duplicated template, the "Application Policies" must first be edited on the "Extensions" tab:
The two existing policies "Client Authentication" and "Server Authentication" are removed:
A new application policy can now be added:
However, as there is no policy for RDP yet, this policy must first be created:
The new application policy is named "Remote Desktop Authentication" and the OID "1.3.6.1.4.1.311.54.1.2" is entered as the object identifier (the pre-filled OIDs are deleted):
The dialogs can now be closed with OK:
On the Security tab, the "Domain Computers" group is given the permissions needed to request (enroll for) the certificate:
Finally, a name for the template is assigned on the General tab, in this case it is RDPCertificates. The validity can also be defined accordingly:
The dialog can be closed with OK and the new certificate template is displayed in the overview:
In order for certificates to be issued via the template, the template must be added to the certification authority as a certificate template to issue:
The template you have just created can be selected and added:
A group policy can now be created which requests the certificate and activates it for RDP connections.
Group policy for RDP certificates
A new group policy can now be created on an OU and linked directly:
The name of the group policy is freely selectable:
Under the path "Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security" you will find the setting "Server authentication certificate template". This setting must be enabled and the name of the previously created certificate template must be specified. In my case, this is "RDPCertificates":
The group policy can now be linked to other OUs. As soon as the group policy is applied to the servers, a certificate is requested via the template and activated for RDP.
Nothing more needs to be done; it is only important that RDP connections are established using the FQDN (not the short host name), as only the FQDN is present on the certificate:
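To confirm the rollout on a server once the group policy has applied, the following PowerShell check (an added example, not part of the original article) reads the certificate bound to the RDP listener and verifies that it is CA-issued rather than self-signed, carries the Remote Desktop Authentication EKU and names the server's FQDN; the template name and OID are the ones used above.

```powershell
# Run in an elevated PowerShell session on a server that received the GPO.
$TemplateName = 'RDPCertificates'          # template name from the article
$RdpEkuOid    = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication EKU

# Thumbprint of the certificate currently bound to the RDP-Tcp listener
$listener = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                            -ClassName Win32_TSGeneralSetting `
                            -Filter "TerminalName='RDP-Tcp'"
$boundHash = $listener.SSLCertificateSHA1Hash

$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $boundHash }
if (-not $cert) { throw "No certificate with thumbprint $boundHash in LocalMachine\My" }

# Check 1: self-signed certificates have identical subject and issuer
$selfSigned = ($cert.Subject -eq $cert.Issuer)

# Check 2: the EKU added to the duplicated template must be present
$hasRdpEku = $cert.EnhancedKeyUsageList.ObjectId -contains $RdpEkuOid

# Check 3: template extension (v1 name or v2 template info); the decoded text
# contains the template name when the template is resolvable from AD
$tmplExt  = $cert.Extensions |
            Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' }
$tmplText = ($tmplExt | ForEach-Object { $_.Format($false) }) -join ' '
$fromTemplate = $tmplText -match [regex]::Escape($TemplateName)

# Check 4: the FQDN used by clients must appear among the certificate's DNS names
$fqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$fqdnOnCert = $cert.DnsNameList.Unicode -contains $fqdn

[pscustomobject]@{
    Thumbprint   = $cert.Thumbprint
    Issuer       = $cert.Issuer
    NotAfter     = $cert.NotAfter
    SelfSigned   = $selfSigned      # expected: False
    HasRdpEku    = $hasRdpEku       # expected: True
    FromTemplate = $fromTemplate    # expected: True
    TemplateInfo = $tmplText
    FqdnOnCert   = $fqdnOnCert      # expected: True
}
```

If SelfSigned is still True, the policy has not yet been applied on that server; run gpupdate /force and repeat the check.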