Remote Desktop Notes Server 2012 R2

Update 22 Nov 2017, provide sample commands and discuss Server Authentication settings. Windows servers including 2012 R2 allow up to two simultaneous remote desktop administrative sessions without installing the Remote Desktop Services role.

Unfortunately the old GUI tool for managing Remote Desktop TCP connectivity has been removed in 2012 R2 and administrators are directed by Microsoft to use WMI command-line tools to change the RDP TCP certificate if needed.

While investigating an RDP certificate issue (likely caused by group policy or faulty windows updates) – I discovered that the auto-generated RDP certificate is stored not in the computer personal store, but in the computer “remote desktop” cert folder (mmc – certificates – local computer – remote desktop). The good news is that certificates you create in the “Personal” computer certificate store are available to be assigned to the RDP TCP listener.

To change the RDP TCP connection certificate, use the instructions provided by Microsoft in the article: “Remote Desktop listener certificate configurations in Windows Server 2012 R2 and Windows Server 2012.” Some command notes based on the MS article.

  • wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=”THUMBPRINT”
    • Change the assigned certificate with WMIC “SET” command
  • wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting GET SSLCertificateSHA1Hash
    • Verify the assigned certificate with WMIC “GET” command
  • Use Powershell “CERT:\LocalMachine\My” and “CERT:\LocalMachine\Remote Desktop” virtual drive providers to view available certificates and associated thumbprints or use the MMC “Certificates” snap-in to view “Local Computer” cert store.
    • Get-ChildItem Cert:\LocalMachine\My

If you get errors regarding RDP Server Authentication failing, you might need to update the RDP Client Security setting on the server-side. This should be set to “Negotiate” to support both Kerberos (on-network domain members), and SSL/TLS off-network or non-domain-members server authentication. If this is set to “RDP Security Layer”, then server authentication is turned off and you’ll get the error even with correct cert assigned. See “Remote Desktop Services: Configure Server Authentication and Encryption Levels” (

Search keywords: RDP, RDS.

About notesbytom

Keeping technology notes on to free up my mind to solve new problems rather than figuring out the same ones repeatedly :-).
This entry was posted in System Administration and tagged . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s