If you have an SSL certificate, you can make your connection more secure by using standard security technology to establish an encrypted link between the server and RDP. This link ensures that all data passed between the server and RDP remains private and intact.

This option is ideal for smaller deployments that don't have more than 1 session host server. For bigger deployments, you can enable RD Gateway, which will work as a bouncer for all the connections before they reach the session host.

SSL can be enabled from the top right corner: click the gear icon and select Settings.

You will get the Settings screen, where you can enable RD Security Certificate. Browse for the certificate on your local PC and provide the password. Hit Save.


Then, the certificate (with private key) has to be imported into the personal store of the local machine.

Double-click your .pfx file to begin the certificate import wizard, select Local Machine in the Store Location option and click Next.

In the File to Import window, leave the path already populated and click Next.

In the Private Key Protection window, type in the password for the .pfx file (the password should have been given when exporting the cert or should be safely stored by the partner), leave the import options as they are and click Next.

In the Certificate Store window, leave the option to automatically select the certificate store based on the type of certificate selected and click Next.

Click Finish to complete the certificate import wizard.

Launch an MMC console.

Hit Ctrl+M to open the Add or Remove Snap-ins window and add the Certificates snap-in:

  1. In the Certificates snap-in window, select Computer account and click Next.

  2. In the Select Computer window, leave Local computer selected and click Finish.

Back in the Add or Remove Snap-ins window, click OK, which opens the Certificates console.

Select the certificate which was imported and double-click it to open the certificate's properties. Go to the Details tab, scroll to the bottom and highlight Thumbprint.

Once you have the Thumbprint value, paste it into Notepad and remove all the spaces between the characters.

Launch PowerShell and use the following commands to change the local cert to your own (remember to replace THUMBPRINT with the value you just copied into Notepad and removed the spaces from):

$path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path

Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="THUMBPRINT"}

Once these steps are completed, you should no longer get any SSL warnings when connecting to your remote server. Please note the cert used above is a wildcard (*) and will not work for your domain. For a partner, the SSL certificate that needs to be used is the one for whatever domain was selected during provisioning.
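
The thumbprint step above as a checked script. This is an added example, not part of the original article: it cleans the pasted thumbprint, confirms the certificate is in the Local Machine personal store with its private key and within its validity period, then applies and reads back the setting using the same WMI calls. It assumes an elevated Windows PowerShell session; the variable names are illustrative and THUMBPRINT remains a placeholder.

```powershell
# Added example: validate the thumbprint before binding it to the RDP listener.
# $RawThumbprint is a placeholder; paste the value copied from the Details tab.
$RawThumbprint = 'THUMBPRINT'

# Keep hex digits only. This removes the spaces and any invisible character
# that came along when copying from the certificate dialog.
$thumb = ($RawThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($thumb.Length -ne 40) {
    throw "Expected 40 hex characters (SHA-1 thumbprint), got $($thumb.Length)."
}

# The certificate must be in the Local Machine personal store, as imported above.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) {
    throw "No certificate with thumbprint $thumb in Cert:\LocalMachine\My."
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate was imported without its private key; re-import the .pfx."
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Same WMI calls as in the article, with the validated thumbprint.
$filter = "TerminalName='RDP-tcp'"
$ns     = 'root\cimv2\terminalservices'
$path   = (Get-WmiObject -Class Win32_TSGeneralSetting -Namespace $ns -Filter $filter).__PATH
Set-WmiInstance -Path $path -Arguments @{ SSLCertificateSHA1Hash = $thumb } | Out-Null

# Read the setting back to confirm the listener now uses this certificate.
$bound = (Get-WmiObject -Class Win32_TSGeneralSetting -Namespace $ns -Filter $filter).SSLCertificateSHA1Hash
if ($bound -ne $thumb) {
    throw "Listener reports thumbprint $bound, expected $thumb."
}
"RDP-tcp now uses: $($cert.Subject) (expires $($cert.NotAfter))"
```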
