The default RDP service on a Windows machine uses a self-signed certificate that is not automatically trusted by remote machines. Here is how to switch to a public PKI certificate.
When you enable Remote Desktop Protocol (RDP) on your computer and attempt to establish a remote connection, you might encounter a warning message indicating the use of an untrusted certificate.
This indicates that the computer is relying on a self-signed certificate, which the remote client does not recognize as trustworthy. If you possess a valid Public Key Infrastructure (PKI) certificate that is trusted and wish to configure the RDP service on the target computer to utilize it, follow these steps.
First, locate the trusted certificate you wish to use and copy its thumbprint. Then, execute the following PowerShell command on the target computer, replacing "THUMBPRINT" with the actual thumbprint you obtained from the certificate:
```powershell
Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices | Set-WmiInstance -Arguments @{SSLCertificateSHA1Hash="THUMBPRINT"}
```
This command will apply the trusted certificate for the RDP service.
You should see the updated Win32_TSGeneralSetting instance echoed back, with SSLCertificateSHA1Hash set to the thumbprint you supplied.
This confirms that the RDP listener has switched from the self-signed certificate to the trusted one.
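The one-liner above works, but in practice you also want to confirm you picked the right certificate, that it actually chains to a trusted root on this machine, and that the listener really took the change. The following script is an added example, not part of the original article: it selects a certificate from the local machine store by subject, validates its chain, applies the thumbprint with the CIM cmdlets (the modern equivalents of Get-WmiObject/Set-WmiInstance against the same Win32_TSGeneralSetting class), and reads the setting back. The subject name in $Subject is a placeholder.

```powershell
# Added example (not from the original article): pick a cert from LocalMachine\My,
# verify its chain, apply it to the RDP listener, and read the setting back.
$Subject = 'CN=rdp-host.example.internal'   # placeholder; replace with your certificate's subject

# 1. Locate a usable certificate: matching subject, private key present, not expired.
#    If several match (renewals), take the one that expires last.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No usable certificate with subject '$Subject' in LocalMachine\My" }

# 2. Build the chain to a trusted root with online revocation checking. A cert that
#    fails here will still trigger the untrusted-certificate warning on clients.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Certificate chain did not validate: $status"
}

# 3. Apply the thumbprint to the RDP listener (same WMI class the article uses).
$tsSetting = Get-CimInstance -Namespace root\cimv2\TerminalServices -ClassName Win32_TSGeneralSetting
$tsSetting | Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $cert.Thumbprint }

# 4. Read the setting back and compare, so a silently rejected change is caught.
$applied = (Get-CimInstance -Namespace root\cimv2\TerminalServices -ClassName Win32_TSGeneralSetting).SSLCertificateSHA1Hash
if ($applied -ne $cert.Thumbprint) {
    throw "RDP listener still reports thumbprint $applied, expected $($cert.Thumbprint)"
}
Write-Output "RDP listener now uses $($cert.Thumbprint) ($($cert.Subject), expires $($cert.NotAfter))"
```

Run it from an elevated PowerShell session on the target machine. One caveat worth checking if the read-back succeeds but clients still see the self-signed certificate: the Remote Desktop Services service runs as NETWORK SERVICE, and that account needs read access to the certificate's private key, otherwise the listener cannot use the key and falls back to its own certificate.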
It's important to note that the RDP client offers an option to bypass certificate errors, so a mismatched or untrusted certificate does not necessarily block the built-in client. Other tools that connect over RDP, such as Guacamole, will fail to connect to a target with an untrusted certificate unless their own option to ignore certificate errors is enabled.