
@tsmarvin
Last active August 22, 2022 22:33
Remote Desktop Device Certificate

This gist contains instructions for configuring an RDP device certificate.

The primary instructions show how to accomplish the task using a Microsoft CA and the GUI.

There are also partially completed steps for accomplishing the same task using PowerShell.

MIT License
Copyright (c) 2022 Taylor Marvin
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

MS CA Steps:

  1. Open certmpl.msc using cert owner credentials.
  2. Right-click on the default Computer template and duplicate it.
  3. The New Template properties menu will open.
    • Go to the Extensions tab.
      • Edit the Application Policies extension.
      • Remove both the Client Authentication and Server Authentication policies.
      • Select "Add" application policy.
        • Deselect whatever defaults are selected.
        • Select the "New" button.
        • Enter a name (I used "Remote Desktop Authentication" like the guide suggests).
        • Remove the automatically generated OID and replace it with "1.3.6.1.4.1.311.54.1.2".
        • Make sure no other policies are selected and hit OK.
      • Hit OK.
    • Go to the Security tab.
      • Add permissions to any groups you need as appropriate.
        (I just set Domain Computers to Read/Enroll.)
    • Go to the General tab.
      • Set both the Template display name and the Template name to the same name, with no spaces in either. (I used RemoteDesktopTemplate.)
      • The guide did not specify this, but I also set "Publish certificate in Active Directory" & "Do not automatically reenroll if a duplicate certificate exists in Active Directory".
    • Hit Apply.
  4. Open certsrv.msc as cert owner.
    • Ensure you're connected to the same DC that you created the template on (or wait for those settings to sync).
    • Go to Certificate Templates.
    • Select New -> Certificate Template to Issue.
    • Find your Remote Desktop template and select OK.

Connect to DC for GPO setup:

  1. Open Group Policy Management.
  2. Create a new GPO (or use an existing one).
  3. Open the setting:
    Computer Configuration -> Policies -> Administrative Templates -> Windows Components ->
    Remote Desktop Services -> Remote Desktop Session Host -> Security -> Server authentication certificate template
  4. Change settings:
    • Enable the setting.
    • Enter the certificate template name (the guide also says you can use the OID).
    • Select OK.
  5. Publish your GPO.
  6. Run gpupdate on the affected computers.

Step 1: Export PFX from Root CA.

TODO: Show export using openssl.


Step 2: Import PFX from Root CA into trusted root store & Export Der encoded cert.

# Sample values; replace with the real PFX password and paths.
# Import-PfxCertificate requires a SecureString, and the X509Certificate2 constructor accepts one too.
$password = ConvertTo-SecureString -String 'CertPassword' -AsPlainText -Force
$PfxPath = 'C:\Test-Certificate.pfx'
$DerPath = 'C:\Test-Certificate.cer'
# Load the PFX once so the thumbprint is known before touching the store.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::New($PfxPath, $password, 'DefaultKeySet')
$RootCertRegPath = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
$CertRegKeyPath = "$RootCertRegPath\$($cert.Thumbprint)"
$ExistingCert = Get-Item -Path $CertRegKeyPath -ErrorAction Ignore

# Only import when this thumbprint is not already present.
if ($null -eq $ExistingCert) {
	$importPfxCertificateSplat = @{
		CertStoreLocation = 'Cert:\LocalMachine\Root'
		FilePath          = $PfxPath
		Password          = $password
	}
	Import-PfxCertificate @importPfxCertificateSplat
}
# A bare-word path does not expand $cert.Thumbprint (only $cert), so use a quoted subexpression.
$StoreCert = Get-ChildItem -Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
# Export-Certificate writes DER (.cer) by default; the private key is never included.
Export-Certificate -Cert $StoreCert -FilePath $DerPath

Step 3: Create New GPO & link to target OU

$InitGPOSplat = @{
	Name    = 'TestDeployRootCert'
	Comment = 'Deploys the root CA cert to all computers in the domain.'
}
$GPO = New-GPO @InitGPOSplat

$setGPPermissionSplat = @{
	PermissionLevel = 'GpoEdit'
	TargetName      = 'Domain Admins'
	TargetType      = 'Group'
}

$TargetDistinguishedName = 'dc=contoso,dc=com' # We're targeting the whole domain here.
# Link the GPO, then set permissions on the GPO itself by its GUID.
# (New-GPLink emits a link object, not a GPO, so it cannot be piped into Set-GPPermission.)
$GPO | New-GPLink -Target $TargetDistinguishedName
Set-GPPermission -Guid $GPO.Id @setGPPermissionSplat

Step 4: Add Root Certificate registry setting to GPO.

$DerPath = 'C:\Test-Certificate.cer'
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::New($DerPath)
# Windows stores each entry under ...\Certificates\<thumbprint>\Blob as a serialized
# certificate store element (property records followed by the encoded certificate),
# not as bare DER. X509ContentType.SerializedCert produces that layout.
$Blob = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::SerializedCert)
$setGPPrefRegistryValueSplat = @{
	Name      = 'TestDeployRootCert'
	Context   = 'Computer'
	Key       = "HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$($cert.Thumbprint)"
	ValueName = 'Blob'
	Value     = $Blob
	Type      = 'Binary'
	Action    = 'Update'
}

Set-GPPrefRegistryValue @setGPPrefRegistryValueSplat


Group Policy For Steps 5 And 6 (img)

Step 5: Enable Remote Desktop Template

TODO: Need to correlate GP location: Computer Configuration/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security/Server authentication certificate template with its registry values.


Step 6: Enable Auto-Enrollment.

TODO: Need to correlate GP location: Computer Configuration/Policies/Windows Setting/Security Settings/Public Key Policies/Certificate Services Client -Auto Enrollment Settings with its registry values.
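The following is an added example, not part of the gist, covering the GPO setting from the GUI steps ("Server authentication certificate template") and the two TODOs above. The registry locations it writes (CertTemplateName under the Terminal Services policy key, and AEPolicy under the Cryptography\AutoEnrollment policy key, with 7 meaning enabled plus both renewal/update options) are my assumptions about how those policies are stored; the Get-RdpCertPolicy function exists so they can be checked against a GPO that was configured through the GUI. It also assumes the TestDeployRootCert GPO from Step 3 and the RemoteDesktopTemplate name from the MS CA steps.

```powershell
# Added example (not the gist's code). Administrative-template and Public Key Policies
# settings are written to the GPO's Registry.pol with Set-GPRegistryValue, unlike the
# preference item used for the root cert blob in Step 4.
Import-Module GroupPolicy

$GpoName      = 'TestDeployRootCert'      # GPO created in Step 3
$TemplateName = 'RemoteDesktopTemplate'   # template name from the MS CA steps

# ASSUMPTION: "Server authentication certificate template" is backed by this value.
$RdpPolicyKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$RdpPolicyValue = 'CertTemplateName'

# ASSUMPTION: "Certificate Services Client - Auto-Enrollment" is backed by AEPolicy,
# where 7 = enabled + renew expired/remove revoked + update template-based certificates.
$AutoEnrollKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$AutoEnrollValue = 'AEPolicy'
$AutoEnrollFlags = 7

function Set-RdpCertPolicy {
    param([string]$Name, [string]$Template)
    Set-GPRegistryValue -Name $Name -Key $RdpPolicyKey -ValueName $RdpPolicyValue `
        -Type String -Value $Template | Out-Null
    Set-GPRegistryValue -Name $Name -Key $AutoEnrollKey -ValueName $AutoEnrollValue `
        -Type DWord -Value $AutoEnrollFlags | Out-Null
}

function Get-RdpCertPolicy {
    # Reads the values back out of a GPO. Run it against a GPO configured in the GUI
    # (different -Name) to confirm the assumed key/value names before trusting them.
    param([string]$Name)
    [pscustomobject]@{
        CertTemplateName = (Get-GPRegistryValue -Name $Name -Key $RdpPolicyKey -ValueName $RdpPolicyValue -ErrorAction SilentlyContinue).Value
        AEPolicy         = (Get-GPRegistryValue -Name $Name -Key $AutoEnrollKey -ValueName $AutoEnrollValue -ErrorAction SilentlyContinue).Value
    }
}

function Test-RdpCertPolicyApplied {
    # Run on a target host after gpupdate: confirms the template name landed in the local registry.
    param([string]$Template)
    $localKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $applied  = Get-ItemProperty -Path $localKey -Name $RdpPolicyValue -ErrorAction SilentlyContinue
    [bool]($applied -and $applied.$RdpPolicyValue -eq $Template)
}

Set-RdpCertPolicy -Name $GpoName -Template $TemplateName
Get-RdpCertPolicy -Name $GpoName
```

Get-RdpCertPolicy returns $null fields when a key is absent, which is the quickest way to spot a wrong assumption: configure the setting once in the GUI, read that GPO with the same function, and compare.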

@tsmarvin (Author)

These are the consolidated steps from this guide: https://www.pkisolutions.com/creating-rdp-certificates/

JBorean93 was also able to implement RDP device certs strictly using PowerShell; he did not use an MS CA.
Original pastebin: https://pastebin.com/QXkwd9q4

Contents for posterity:

# Whatever method you want, this gets the first cert thumbprint used in WinRM
$thumbprint = Get-Item WSMan:\localhost\Listener\*\* |
    Where-Object { $_.Name -eq 'CertificateThumbprint' -and $_.Value } |
    Select-Object -First 1 -ExpandProperty Value
 
Get-CimInstance -ClassName Win32_TSGeneralSetting -Namespace ROOT\CIMV2\TerminalServices |
    Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $thumbprint }

He noted that this has the advantage of taking effect immediately.
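Whichever route is used to bind the certificate, the check a defender wants afterwards is the same: confirm that the certificate RDP is actually configured with carries the Remote Desktop Authentication EKU (1.3.6.1.4.1.311.54.1.2, the OID from the MS CA steps), has its private key, is unexpired, and chains to a root the machine trusts. The following is an added example, not from the gist or from JBorean93's paste; it reads SSLCertificateSHA1Hash from Win32_TSGeneralSetting as above and assumes the certificate lives in either the machine's "Remote Desktop" store (where Windows keeps the default self-signed one) or the "My" store.

```powershell
# Added example (not the gist's code). Verifies the certificate RDP is bound to.
$RdpEku = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication

function Get-RdpBoundCertificate {
    $setting = Get-CimInstance -ClassName Win32_TSGeneralSetting -Namespace ROOT\CIMV2\TerminalServices |
        Select-Object -First 1
    $thumb = $setting.SSLCertificateSHA1Hash
    if (-not $thumb) { return $null }
    # ASSUMPTION: the cert is in one of these two LocalMachine stores.
    foreach ($store in 'Remote Desktop', 'My') {
        $path = "Cert:\LocalMachine\$store\$thumb"
        if (Test-Path -Path $path) { return Get-Item -Path $path }
    }
    return $null
}

function Test-RdpCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert) { return [pscustomobject]@{ Found = $false } }
    # Collect EKU OIDs from the Enhanced Key Usage extension via the .NET extension types.
    $ekus = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    [pscustomobject]@{
        Found         = $true
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasRdpEku     = [bool]($ekus -contains $RdpEku)
        HasPrivateKey = $Cert.HasPrivateKey
        NotExpired    = ($Cert.NotAfter -gt (Get-Date))
        # Verify() builds and validates the chain against the machine's trusted roots;
        # the default self-signed RDP certificate fails this, a CA-issued one should pass.
        ChainsToRoot  = $Cert.Verify()
    }
}

Test-RdpCertificate -Cert (Get-RdpBoundCertificate)
```

A result with HasRdpEku = False or ChainsToRoot = False means clients will still see a certificate warning even though the template and GPO were deployed, so this is the first thing to run on a host after gpupdate and a fresh enrollment.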
