How to Create RDP Certificate Enrollment GPO?

by | Jan 31, 2024 | How-To

Wow, I found a second blog post and video from 2022 that I never published. So here it is. Now that you have created the Remote Desktop (RDP) certificate template, how do you ensure that computers will enroll for it and use it? A Group Policy Object (GPO) is the easiest way. This article shows you how to create the RDP certificate enrollment GPO. It includes both the step-by-step instructions to create the GPO, with video, and the steps to confirm that a computer has enrolled.

How to Create RDP Certificate Enrollment GPO?

This article assumes that you have already created the RDP certificate template. If you have not done that step, go back and review How to Create RDP Certificates?

Group Policy Management Admin tool.

Starting on your domain controller (DC), open the Group Policy Management administrative tool.

Editing an existing GPO for Remote Desktop

Select a GPO to edit, or create a new GPO. In my case I will use the GPO named Remote Desktop. Right-click it and select Edit…

Locating the GPO setting

The Group Policy Management Editor appears. Browse to Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Security.

Enabling the setting and defining the cert template to use.

Double-click the Server authentication certificate template setting. Select Enabled, then enter the Certificate Template Name in the text box. If you are not sure what the template name is, see the section below, How to Confirm the Certificate Template name? Click OK to close the window, then close the Group Policy Management Editor. With that last step done, in approximately an hour, when each computer refreshes its GPO settings, it will enroll for its own RDP certificate.

How to Confirm the Certificate Template name?

If you forgot to save your template name to Notepad, you can look it up within your Certificate Authority (CA).

Using your CA to find your template name.

Open your CA, select the Certificate Templates node, then right-click it and select Manage.

Using the Change Name option to grab template name.

In the Certificate Templates Console window, find your certificate template, right-click it, and select Change Name.

Selecting the Template Name.

Copy the Template Name. Use this for your GPO setting.

How to Confirm that RDP Certificate was Created?

You would think that the cert would be found within Remote Desktop | Certificates node. But you would be wrong.

RDP Cert listed within Personal store for local computer.

It is found within the Local Computer | Personal | Certificates node. Notice that the intended purpose is listed as RDP. This is the name of the application policy that I created in a previous article. Again, there are no tricks to validating this certificate; you validate it as you would any other certificate.

RDP cert which is valid for 1 year

One thing you will notice if you double-click the certificate is that it displays without any errors or warnings. You will also notice that it is valid for a year instead of 6 months.
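The two confirmation steps above (the certificate sits in Local Computer | Personal, and it carries the RDP intended purpose) can be scripted so you do not have to click through the MMC on every computer. The following is an added example, not code from the original article; it assumes a placeholder template name and the standard Remote Desktop Authentication application-policy OID, and it also checks that the RDP-Tcp listener is actually presenting the enrolled certificate.

```powershell
# Added example (not from the original article): confirm that this computer enrolled the
# RDP certificate from the GPO-assigned template and that the RDP listener is using it.
# Run in an elevated PowerShell session on the target computer.
param(
    # Placeholder: replace with the Template Name you copied from the CA (Change Name dialog).
    [string]$TemplateName = 'YourRdpTemplateName'
)

# "Certificate Template Information" extension: names the template the cert was enrolled from.
$templateInfoOid = '1.3.6.1.4.1.311.21.7'
# Remote Desktop Authentication application policy. Assumption: the custom "RDP" policy from
# the earlier article uses this standard OID; adjust if a different OID was chosen.
$rdpAuthOid = '1.3.6.1.4.1.311.54.1.2'

# The GPO enrolls into Local Computer | Personal, i.e. Cert:\LocalMachine\My,
# not the Remote Desktop | Certificates store that one might expect.
$rdpCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $tmpl = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateInfoOid }
    # Format() resolves the template OID to "Template=<Name>(...)" on a domain-joined host.
    $fromTemplate = $tmpl -and ($tmpl.Format($false) -match "Template=$([regex]::Escape($TemplateName))")
    $hasRdpEku    = $_.EnhancedKeyUsageList.ObjectId -contains $rdpAuthOid
    $fromTemplate -or $hasRdpEku
}

if (-not $rdpCerts) {
    Write-Warning "No RDP certificate found. Policy may not have refreshed yet; run 'gpupdate /force' and re-check."
    return
}

# Which certificate is the RDP-Tcp listener presenting? SSLCertificateSHA1Hash is its thumbprint.
$listener = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

$rdpCerts | ForEach-Object {
    [pscustomobject]@{
        Subject        = $_.Subject
        Thumbprint     = $_.Thumbprint
        NotAfter       = $_.NotAfter            # expect roughly one year out, per the article
        RdpAuthEku     = $_.EnhancedKeyUsageList.ObjectId -contains $rdpAuthOid
        UsedByListener = ($_.Thumbprint -eq $listener.SSLCertificateSHA1Hash)
    }
}
```

If a certificate is listed but UsedByListener is False, the listener is still presenting the old self-signed certificate; check that the GPO applied (gpresult /r) before troubleshooting further.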

How to Create RDP Certificate Enrollment GPO?

In this video, I go over the steps listed above so that you can see the whole process in action.

Please also subscribe to my YouTube channel and newsletter to stay on top of the latest tips and tricks. Additionally, if you have any questions, please feel free to touch base @Garthmj.