Prevent remote desktop from generating a self-signed certificate

This script will deny access to the System account for the Remote Desktop certificates registry key. Thus preventing certificate creation

#Define the registry path

$registryPath = "HKLM\SOFTWARE\Microsoft\SystemCertificates\Remote Desktop\Certificates"

#Define the System account

$user = "NT AUTHORITY\SYSTEM" # SYSTEM account

#Get the current ACL for the registry key

$acl = Get-Acl -Path "Registry::$registryPath"

#Disable inheritance

$acl.SetAccessRuleProtection($true,$true) #True: Protect (Disable Inheritance), True: Copy inherited rules

#Create a deny access rule for Full Control on the System account

$denyRule = New-Object System.Security.AccessControl.RegistryAccessRule($user,"FullControl","ContainerInherit,ObjectInherit","None","Deny")

#Add the deny rule to the ACL

$acl.AddAccessRule($denyRule)

#Apply the updated ACL to the registry key

Set-Acl -Path "Registry::$registryPath" -AclObject $acl

#Display complete message

Write-Host "Inheritance disabled and FullControl denied for $user on $registryPath"

Hi,

After research, I found below setting can prevent the self-signed certificate generation. But it will generate 1057 error in your system event log. If you do not mind this, you can have a try.

Open Regisrtry Editor > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations > set the value of "SelfSignedCertStore" to "NUL"

Thanks,

Eleven

If the Answer is helpful, please click "Accept Answer" and upvote it. Thanks.

Has anyone found the solution to this?

I've configured the GPO to automatically enroll the RDP certificate. Now I need to get rid of the self signed certificate that is getting installed automatically.

The easiest way to block the creation of self signed certificates for Remote Desktop is to disable the system's access to the registry entry.

1. Ensure that the self signed certificate is removed from the certificate store
2. Open regedit and navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Remote Desktop\Certificates
3. Right click the Key (folder)
4. Click Permissions
5. Click Advanced
6. Click Disable Inheritance
7. Click the convert option
8. Click apply then OK to close the advanced settings box
9. Click System from the User Name list
10. Check the Deny box across from Full Control
11. Click apply then OK to close the Permissions box
12. Reboot the computer

At this point, the computer will not generate its own self signed certificate and will not throw errors in the event log.

Note: If you do not have your CA set to distribute RDP certificates, and your group policy to recognize that certificate template, you will get a 0x04 error when attempting to Remote Desktop

Edit: the Group Policy setting I was referring to above is located in Computer Configuration/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security. The setting for Server Authentication Certificate Template must match the template name that creates your Remote Desktop certificates, NOT the template display name.