Assign custom SSL certificate to RDP on Windows Server 2012+ without RDS role (Remote Administration mode)
Windows Server 2012 removed tsconfig.msc and the RDP-Tcp properties GUI, so there is no obvious way to assign a custom SSL/TLS certificate to RDP when the Remote Desktop Services role is not installed. The binding lives in WMI: the Win32_TSGeneralSetting instance for the RDP-Tcp listener, in the root\cimv2\TerminalServices namespace, holds the certificate's SHA1 thumbprint in SSLCertificateSHA1Hash, and that property can be written directly with WMIC or PowerShell. The certificate must sit in the Computer account Personal store, carry the Server Authentication EKU, and have a private key that NETWORK SERVICE (the account the RDP listener runs as) can read. Until this is done the server presents a self-signed certificate, so clients get an untrusted-certificate warning and cannot authenticate the server; users who habitually click through that warning would not notice a man-in-the-middle.
Indicators
- tsconfig.msc (Remote Desktop Session Host Configuration) is absent on Windows Server 2012 or later
- Server Manager RDS certificate assignment UI is unavailable because the Remote Desktop Services role is not installed
- RDP connections present a self-signed certificate despite a valid custom certificate being present on the server
- Clients receive certificate trust warnings when connecting via RDP in Remote Administration mode
- Unable to locate an RDP certificate assignment option through any GUI on a non-RDS server
Likely causes
- Windows Server 2012 deliberately removed tsconfig.msc and the legacy RDP-Tcp properties dialog
- The replacement certificate workflow in Server Manager is only exposed when the Remote Desktop Services role is deployed
- Remote Administration mode (the default, allowing up to 2 concurrent admin sessions) does not surface RDS deployment properties
- Administrators are unaware that the certificate binding is stored in WMI and can be set directly
Diagnostic steps
- Confirm the custom SSL certificate is installed in the Computer account Personal store: open certlm.msc > Personal > Certificates and verify the certificate appears with the correct subject and expiry, shows a private key, and lists Server Authentication under Enhanced Key Usage.
- Retrieve the certificate SHA1 thumbprint from the Details tab in certlm.msc, or via PowerShell: Get-ChildItem Cert:\LocalMachine\My | Select-Object Subject, Thumbprint | Format-List
- Clean the thumbprint string: remove all spaces and check for the invisible left-to-right mark (U+200E) that copying from the certlm.msc Details tab prepends; a thumbprint pasted from the GUI that is rejected with "Invalid parameter" usually carries it. The clean string should resemble: 1ea1fd5b25b8c327be2c4e4852263efdb4d16af4
- Confirm NETWORK SERVICE has Read permission on the certificate's private key (certlm.msc > right-click the certificate > All Tasks > Manage Private Keys). The RDP listener runs under that account; without Read access the WMI write fails or the server keeps presenting the self-signed certificate.
- Query the current RDP-Tcp WMI configuration to confirm access and view the existing thumbprint: Get-WmiObject -Class 'Win32_TSGeneralSetting' -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'" | Select-Object SSLCertificateSHA1Hash
- Set the certificate via WMIC: wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="<THUMBPRINT>" (WMIC is deprecated in current Windows releases; without a WHERE clause it writes the value to every Win32_TSGeneralSetting instance, which is harmless on a server that only has the RDP-Tcp listener)
- Alternatively, set the certificate via PowerShell: $path = (Get-WmiObject -Class 'Win32_TSGeneralSetting' -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__PATH; Set-WmiInstance -Path $path -Argument @{SSLCertificateSHA1Hash='<THUMBPRINT>'}
- Verify the change by re-querying Win32_TSGeneralSetting and confirming SSLCertificateSHA1Hash matches the new thumbprint. An "Invalid parameter" error from the write almost always means the thumbprint does not match a certificate in the Computer Personal store or the private key is not readable by NETWORK SERVICE.
- Open a new RDP session to the server and inspect the presented certificate (in mstsc, click the lock icon in the connection bar) to confirm the custom certificate is now in use.
Resolution path
- Install the desired SSL certificate into the Local Computer Personal certificate store (certlm.msc > Personal > Certificates) on the target server.
- Confirm the certificate has a private key, carries the Server Authentication EKU, and that NETWORK SERVICE has Read access to the private key (right-click the certificate > All Tasks > Manage Private Keys).
- Retrieve the certificate SHA1 thumbprint: open the certificate > Details > Thumbprint, or run: Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match '<hostname>' } | Select-Object Thumbprint
- Clean the thumbprint: remove all whitespace and verify no hidden non-ASCII characters (typically a left-to-right mark, U+200E, copied from the GUI) are present at the start of the string.
- Write the thumbprint to the RDP-Tcp WMI object using WMIC: wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="<CLEAN_THUMBPRINT>" — or the equivalent PowerShell Set-WmiInstance command.
- Re-query Win32_TSGeneralSetting to confirm SSLCertificateSHA1Hash reflects the new thumbprint.
- Open a fresh RDP session and verify the server presents the expected custom certificate without trust warnings.
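The last step above, checking what the listener really presents, can be done from any client without opening an interactive session. The following is an added example, not part of the original page: it sends the X.224 Connection Request with an RDP_NEG_REQ asking for TLS, then completes a TLS handshake on the same socket and reports the server certificate together with whether this client would trust it. It assumes TCP/3389 is reachable and the server allows TLS or CredSSP (both start with this handshake); the host name in the usage line is a placeholder.

```powershell
# Added example: probe the RDP listener's certificate the way mstsc negotiates it.
function Read-Exactly {
    param([System.IO.Stream]$Stream, [byte[]]$Buffer)
    $read = 0
    while ($read -lt $Buffer.Length) {
        $n = $Stream.Read($Buffer, $read, $Buffer.Length - $read)
        if ($n -le 0) { throw 'Connection closed during X.224 negotiation' }
        $read += $n
    }
}

function Get-RdpServerCertificate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 3389
    )
    # TPKT header (version 3, total length 19) + X.224 Connection Request (LI 14,
    # code 0xE0, dst/src refs 0, class 0) + RDP_NEG_REQ (type 1, flags 0, length 8,
    # requestedProtocols = PROTOCOL_SSL), per MS-RDPBCGR 2.2.1.1.
    $request = [byte[]]@(
        0x03, 0x00, 0x00, 0x13,
        0x0e, 0xe0, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x01, 0x00, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00
    )
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $stream = $client.GetStream()
        $stream.Write($request, 0, $request.Length)

        # Read one TPKT PDU: bytes 2-3 of the header carry the big-endian total length.
        $hdr = New-Object byte[] 4
        Read-Exactly $stream $hdr
        $len = ($hdr[2] -shl 8) -bor $hdr[3]
        $body = New-Object byte[] ($len - 4)
        Read-Exactly $stream $body
        # body[0..6] is the X.224 Connection Confirm; body[7] is the RDP negotiation type.
        if ($body.Length -lt 15) { throw 'Server sent a bare X.224 CC: legacy RDP security only, no TLS' }
        if ($body[7] -eq 0x03) { throw "Server refused TLS: RDP_NEG_FAILURE code $([BitConverter]::ToUInt32($body, 11))" }
        if ($body[7] -ne 0x02) { throw "Unexpected negotiation type 0x$('{0:x2}' -f $body[7])" }
        $selected = [BitConverter]::ToUInt32($body, 11)   # 1 = TLS, 2 = CredSSP (also over TLS)

        # Accept whatever certificate is offered so it can be inspected; trust is
        # evaluated separately with Verify() below.
        $cb = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $cb)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            ComputerName     = $ComputerName
            SelectedProtocol = $selected
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            Thumbprint       = $cert.Thumbprint
            NotAfter         = $cert.NotAfter
            SelfSigned       = ($cert.Subject -eq $cert.Issuer)
            NameMatches      = ($cert.DnsNameList.Unicode -contains $ComputerName) -or ($cert.Subject -like "CN=$ComputerName*")
            ChainTrusted     = $cert.Verify()   # chain builds to a root this client trusts
        }
    }
    finally {
        $client.Close()
    }
}

# Usage (placeholder host name):
# Get-RdpServerCertificate -ComputerName server01.corp.example | Format-List
```

Compare the reported Thumbprint with the value written to SSLCertificateSHA1Hash; SelfSigned = True after the change means the listener is still on the fallback certificate (typically because NETWORK SERVICE cannot read the private key), and NameMatches = False means clients will keep getting a warning even though the chain is trusted.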
Prevention
- Automate thumbprint reassignment: create a scheduled PowerShell script that runs after each certificate renewal event to re-apply the thumbprint to Win32_TSGeneralSetting.
- Use a dynamic thumbprint lookup in automation scripts to avoid manual copy errors: gci -path cert:/LocalMachine/My | Where-Object { $_.Subject -match 'hostname' -and $_.NotAfter -gt (Get-Date) } | Sort-Object NotAfter -Descending | Select-Object -First 1 -ExpandProperty Thumbprint
- Always import RDP certificates into the Computer Personal store (not a user store) before attempting assignment.
- When multiple certificates exist in the store, filter by subject name or thumbprint prefix to prevent assigning the wrong certificate.
- Document the WMI-based assignment procedure in the server's build runbook so it is repeated consistently after OS rebuild or certificate rotation.
- Consider deploying a Group Policy object (Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > Server authentication certificate template) if the environment uses ADCS auto-enrollment; the listener then selects a certificate from that template itself and re-selects after renewal, removing the manual thumbprint step entirely.
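The Diagnostic steps, the Resolution path and the scheduled re-application described under Prevention all reduce to the same script. The following is an added example, not part of the original page: it picks the newest valid server-authentication certificate for this host from Cert:\LocalMachine\My, cleans the thumbprint, makes sure NETWORK SERVICE can read the private key, writes SSLCertificateSHA1Hash and re-reads it to confirm. It is idempotent, so it is suitable for a scheduled task after renewal. It assumes Windows PowerShell 5.1 (Get-WmiObject / Set-WmiInstance), an elevated session, and that the certificate's subject or SAN names this host; the function names are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: bind the newest valid server-auth certificate to the RDP-Tcp
# listener, checking the two things that make the WMI write fail or fall back to
# self-signed: the certificate's EKU and NETWORK SERVICE's access to the private key.
param(
    [string]$HostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

function Get-CleanThumbprint {
    param([string]$Thumbprint)
    # Drop whitespace and the invisible left-to-right mark (U+200E) that copying from
    # the certlm.msc Details tab prepends; anything else non-hex is rejected.
    $clean = ($Thumbprint -replace '[\s\u200E]', '').ToLowerInvariant()
    if ($clean -notmatch '^[0-9a-f]{40}$') {
        throw "Thumbprint '$Thumbprint' is not 40 hex characters after cleaning"
    }
    return $clean
}

function Select-RdpCertificate {
    param([string]$HostName)
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
            ($_.DnsNameList.Unicode -contains $HostName -or $_.Subject -like "CN=$HostName*") -and
            ($_.EnhancedKeyUsageList.Count -eq 0 -or $_.EnhancedKeyUsageList.ObjectId -contains $serverAuth)
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Grant-PrivateKeyRead {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # The RDP listener runs as NETWORK SERVICE. Without Read on the key file the WMI
    # write returns "Invalid parameter" or the server keeps its self-signed certificate.
    $keyName = $null
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) { $keyName = $rsa.Key.UniqueName }
        elseif ($rsa) { $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
    } catch { }
    if (-not $keyName) { Write-Warning 'Non-RSA or inaccessible key; verify NETWORK SERVICE access manually'; return }
    # CAPI keys live under RSA\MachineKeys, CNG keys under Keys; both are below this path.
    $keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $keyName -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $keyFile) { Write-Warning 'Private key file not found; verify NETWORK SERVICE access manually'; return }
    $svc  = 'NT AUTHORITY\NETWORK SERVICE'
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $acl  = Get-Acl $keyFile.FullName
    $hasRead = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $svc -and $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $read) -eq $read)
    }
    if (-not $hasRead) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($svc, 'Read', 'Allow')))
        Set-Acl -Path $keyFile.FullName -AclObject $acl
    }
}

function Set-RdpCertificate {
    param([string]$Thumbprint)
    $clean = Get-CleanThumbprint $Thumbprint
    $wmi = @{ Namespace = 'root\cimv2\TerminalServices'; Class = 'Win32_TSGeneralSetting'; Filter = "TerminalName='RDP-Tcp'" }
    $rdp = Get-WmiObject @wmi
    if ($rdp.SSLCertificateSHA1Hash -eq $clean) { return "RDP-Tcp already bound to $clean" }
    # A wrong thumbprint or unreadable key surfaces here as "Invalid parameter".
    Set-WmiInstance -Path $rdp.__PATH -Argument @{ SSLCertificateSHA1Hash = $clean } | Out-Null
    $after = (Get-WmiObject @wmi).SSLCertificateSHA1Hash
    if ($after -ne $clean) { throw "Binding failed; RDP-Tcp still reports '$after'" }
    return "RDP-Tcp now bound to $clean (was '$($rdp.SSLCertificateSHA1Hash)')"
}

$cert = Select-RdpCertificate -HostName $HostName
if (-not $cert) { throw "No valid Server Authentication certificate for $HostName in Cert:\LocalMachine\My" }
Grant-PrivateKeyRead -Cert $cert
Set-RdpCertificate -Thumbprint $cert.Thumbprint
```

Run it once by hand after installing the certificate, then register it as a scheduled task (daily, or triggered after the renewal job) so a renewed certificate with a new thumbprint is picked up without anyone copying hex strings. Selecting by subject or SAN and newest NotAfter, rather than by a stored thumbprint, is what keeps the re-run safe when several certificates for the host coexist in the store.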
Tools
- PowerShell – Get-WmiObject / Set-WmiInstance (Windows PowerShell 5.1) or Get-CimInstance / Set-CimInstance targeting root\cimv2\terminalservices
- WMIC – wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting (deprecated in current Windows releases; prefer the PowerShell cmdlets)
- Certificate Manager MMC snap-in (certlm.msc) – Computer account Personal store
- WMI namespace: root\cimv2\TerminalServices
- WMI class: Win32_TSGeneralSetting, property: SSLCertificateSHA1Hash