Michael Waterman

Ramblings on IT and Security

Modernizing RDP Certificates

February 8, 2026 / / 8 Comments

This post is a small (promise!) but practical addition to my PKI series.

I wrote this blog because I wanted my own version of “how to set up RDP certificates.” Mostly as personal documentation, I can’t remember everything off the top of my head anymore… getting old.

During my initial research, I was surprised to see that many blogs still recommend older practices, SHA1 signatures, legacy cryptographic providers, or RSA 2048-bit keys without much explanation. And to be clear, I’m not saying RSA 2048 is bad. It’s absolutely still secure and widely used.

But RSA does have one downside, it gets exponentially slower as key sizes increase. That got me thinking, why not try Elliptic Curve instead? Is it supported for RDP? Does it actually work in practice? I couldn’t find much concrete information on the topic. Maybe my Google-Fu was failing, but it seemed like a lazy Sunday well spend researching the topic. So instead of guessing, I spent an afternoon testing, researching, and writing some PowerShell along the way, all so you don’t have to. In this post I’ll show you how to:

  • Set up a modern certificate template for Remote Desktop
    • Use the Key Storage Provider (KSP) instead of the legacy CSP
    • Enforce Elliptic Curve 256 (roughly equivalent to RSA 3072-bit)
    • Ensure certificates are signed with SHA256
  • Configure a GPO with:
    • Automatic Remote Desktop configuration
    • Automatic deployment of RDP certificates
  • And most importantly: validate the result with PowerShell

Let dive in!

Build the RDP certificate template

Before I can deploy anything, I first need a proper certificate template.
And since the goal of this post is to move away from older practices, I’m going to do this the modern way: Elliptic Curve cryptography only. Most existing guides focus on RSA-based templates. That works fine, but RSA keys become large and computationally expensive as you increase security levels. With ECC I can achieve the same security with much smaller and faster keys. For this setup I will use:

  • Elliptic Curve P-256
  • SHA256 signatures
  • The Microsoft Key Storage Provider
  • A dedicated EKU for Remote Desktop

Let’s build it from scratch.

Step 1 – Verify the RDP EKU OID

Remote Desktop certificates require a specific Enhanced Key Usage identifier:

1.3.6.1.4.1.311.54.1.2

Before creating anything, it’s a good idea to check whether this OID is already available in your environment. You can verify this in the Certificate Templates console:

  1. Open “certtmpl.msc
  2. Expand “Object Identifiers
  3. Look for an entry named something like “Remote Desktop Authentication
  4. Confirm that it has OID “1.3.6.1.4.1.311.54.1.2

If it’s not available, I show you how to create it in the next step as part of the template configuration.

An already existing Remote Desktop OID

Step 2 – Create the template

Open the Certificate Templates console and:

  • Locate the built-in “Computer” template
  • Right-click → Duplicate Template
  • On the “Compatibility” tab
    • Certification Authority: Windows Server 2016
    • Certificate recipient: Windows 10 / Windows Server 2016
  • On the “General” tab:
    • Template display name: Remote Desktop Authentication
    • Validity period: 45 days, anticipating the coming changes
    • Renewal period: 7 hours, in line with the previous remark
  • On the “Cryptography” tab:
    • Provider Category: Key Storage Provider
    • Algorithm name: ECDH_P256
    • Minimum key size: 256
    • Provider: Microsoft Software Key Storage Provider
    • Request hash: SHA256
  • On the “Extensions” tab:
    • Select the “Application Policies” → “Edit”
    • Remove the “Client Authentication” & “Server Authentication (Please note that Server Authentication is a requirement according the documentation found here. Testing has shown that this is only for a standalone server and has been enforced as of server 2025)”
    • Click “Add” → “New
      • Name: Remote Desktop Authentication
      • Object Identifier: 1.3.6.1.4.1.311.54.1.2
    • Click “OK” twice.
  • On the “Subject Name” tab:
    • Select “Build from this Active Directory information
    • Subject name format: DNS Name
    • Include this information in subject alternate name: DNS
  • On the “Security” tab:
    • Add “Domain Controllers“, Enroll, Autoenroll
    • Add “Domain Computers”, Enroll, Autoenroll
    • leave the remaining defaults
  • Click “OK

Step 2 -Publish the template

Finally, make the template available on the CA. On the Certification Authority server:

  • Open the Certification Authority console
  • Right-click Certificate Templates
  • Choose New → Certificate Template to Issue
  • Select your new Remote Desktop Authentication template

In the next chapter I’ll configure Group Policy to automatically deploy this certificate and bind it to Remote Desktop.

Configuring the Group Policy object

In this chapter I’ll configure the Group Policy settings required to deploy and activate our Remote Desktop certificates. Important note, this post assumes that certificate auto-enrollment is already configured in your environment. The settings below only cover the RDP-specific configuration and firewall rules.The configuration consists of three main parts:

  1. Windows Firewall rules
  2. Remote Desktop enabling
  3. Certificate template binding

Below are the exact paths and settings as configured.

Windows Firewall – Allow RDP Traffic

Computer Configuration
 └ Policies
   └ Windows Settings
     └ Security Settings
       └ Windows Firewall with Advanced Security
         └ Inbound Rules

Add these default rule settings:

  • Remote Desktop – Shadow (TCP-In)
  • Remote Desktop – User Mode (TCP-In)
  • Remote Desktop – User Mode (UDP-In)

Security configuration and certificate binding

Computer Configuration
 └ Policies
   └ Administrative Templates
     └ Windows Components
       └ Remote Desktop Services
         └ Remote Desktop Session Host
           └ Security

Configure the following settings:

  • Require user authentication for remote connections by using Network Level Authentication: “Enable
  • Server authentication certificate template: “RemoteDesktopAuthentication

Tip! You can also use the OID of the certificate template. It’s located in the “Extension” tab or use this PowerShell code (yeah I know, wayyy cooler right)

Get-ADObject -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=RemoteDesktopAuthentication))" `
	-SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=michaelwaterman,DC=nl" `
	-Properties msPKI-Cert-Template-OID

Tip! A helpful deep-dive into the exact selection logic was shared by Marc-André Moreau (CTO of Devolutions) on X (Twitter): https://x.com/awakecoding/status/1785036413592818139

If your not a PowerShell person (why not!?) but still want to quickly verify how a template is actually stored in Active Directory, use: 

certutil -adtemplate -v RemoteDesktopAuthentication

Enable Remote Desktop

Computer Configuration
 └ Policies
   └ Administrative Templates
     └ Windows Components
       └ Remote Desktop Services
         └ Remote Desktop Session Host
           └ Connections

Configure the following settings:

  • Allow users to connect remotely by using Remote Desktop Services: “Enable

With the GPO configured, all that’s left is a bit of patience. By default it can take up to 90 minutes before the new settings apply, or you can force an immediate update using:

gpupdate /force

Validation

Up to this point everything has been configuration, creating the template and setting up the GPO. Now comes the important part, making sure it actually worked. First, a small reality check. Even after the GPO has been applied, it can take a little while before the new certificate actually appears on the system. Auto-enrollment doesn’t always happen instantly. So don’t panic if nothing shows up right away. The easiest first step is simply to look in the local machine certificate store:

Get-ChildItem Cert:\LocalMachine\My

At some point you should see a new certificate appear that matches the Remote Desktop template. If you don’t want to wait, you can always force things a bit by refreshing Group Policy. After a policy refresh and a short wait, the certificate should be enrolled automatically.

Inspect the certificate

Seeing a certificate in the store is a good start, but it doesn’t tell the whole story.
I want to know exactly what kind of certificate it is. That’s where my Get-CertificateCryptoInfo function comes in (yes, again PowerShell). Using this script I can verify:

  • Whether the certificate is RSA or ECC
  • Which curve or key size is being used
  • The signature algorithm
  • And whether the correct EKU is present

Simply run:

Get-ChildItem Cert:\LocalMachine\My | Get-CertificateCryptoInfo -EkuOidToCheck "1.3.6.1.4.1.311.54.1.2"

This gives a clear, human-readable overview of the cryptographic properties of the certificates on the system. As you can see the certificate that matches the settings from the template has the intended ECC P-256, SHA256 and the Remote Desktop OID. You can get the script from my GitHub repository here.

Validate from a client perspective

A certificate in the store is great, but the real question is:

Is Remote Desktop actually using it?

To answer that, I’ll switch to a Windows 11 client and use a client side validation function I created specifically for this purpose:

Test-RDPCertificateBinding -ComputerName <servername>

As you can see in the image above, the thumbprint matches the exact same thumbprint I generated with the Get-CertificateCryptoInfo function on the server itself, validating that this certificate is the one used with the RDP connection. You can get my script from Test-RDPCertificateBinding my GitHub repository here.

And that’s it. You can now connect to your remote machines over RDP without any warnings, confident that the connection is secured with properly configured, modern encryption.

In conclusion

Well, this turned out to be a fun little project. What started as “let me quickly set up RDP certificates” turned into a deep dive into ECC, templates, and validation. The result is a setup that’s modern, secure, and easy to maintain. No legacy providers, no weak algorithms, and no certificate warnings, just a solid configuration you can trust, exactly how it should be. Hope I kept my promise and gave you a small, practical and to the point blog!

As always, feedback is very welcome! Until next time…

References

Use certificates in Remote Desktop Services | Microsoft Learn (Thanks to André Stuhr, check out his website here)

Automation, Cryptography, Cybersecurity, Windows

8 Comments

  1. Pradeep

    Love this article! I’m looking to enable RDP certificates for our DMZ servers and automate the certificate installation via script with self-enrollment. Any guidance or recommendations would be greatly appreciated!

    Reply
  2. André Stuhr

    A beautiful article.

    Addition:
    An RDP certificate that only contains the Microsoft-specific EKU “Remote Desktop Authentication” is no longer sufficient on modern servers starting with version 2025. The certificate can no longer be successfully bound to the RDP listener!

    The certificate template now also needs “Server Authentication” as an extension. In earlier versions, “Remote Desktop Authentication” was sufficient and accepted by the system. Windows Server 2025 will no longer accept certificates that are missing the “Server Authentication” extension!

    I only learned about this myself a few weeks ago and documented it on my blog.

    Reply
    • Michael Waterman (Post author)

      Hello there!

      Thanks for the reply! Appreciate you reading my blog. As for your remark, I’ve tested this on my Windows Server 2025 environment and had a different experience than you describe. Including the OID for Remote Desktop was sufficient in my case. Were you able to find any documentation on the Server Authentication requirement part? Perhaps you have a specific hardening policy that dictates the Server Authentication OID as well?

      I’m really curious what the difference between your and mine environment would be to force the inclusion of Server Authentication. Thanks in advance for sharing!

      Reply
      • André Stuhr

        I actually have a slightly different installation scenario.

        In my case, I wanted to equip a standalone Windows Server 2025 (hardened using the Microsoft Security Baselines) in a DMZ with its own Remote Desktop certificate. However, I repeatedly failed when trying to bind the certificate to the local RDP listener (RDP-Tcp).

        During troubleshooting, I started searching for clues and eventually came across the following Microsoft page, which documents the certificate requirements for Remote Desktop Services (RDS) deployments:

        https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/remote-desktop-services-certificates

        This documentation clearly requires the Server Authentication EKU for RDS roles.

        However, Microsoft has not yet published any dedicated documentation for the classic standalone RDP listener on a single Windows Server. So at the moment, this RDS article is the closest thing to an official reference — even though it does not explicitly describe the RDP‑Tcp listener on standalone hosts.

        After extending my existing certificate template with the Server Authentication EKU for testing purposes, the certificate binding finally succeeded.

        My previously used template — containing only Remote Desktop Authentication — continued to work fine on older systems, so I simply reused it and added the missing EKU.
        I haven’t yet tested this behavior inside an Active Directory domain.

        So far, all Windows Server versions up to 2022 work perfectly with certificates that only include the Remote Desktop Authentication EKU in my environment.

        Windows Server 2025 seems to be the first version that refuses such certificates for the standalone RDP listener.

        Reply
        • Michael Waterman (Post author)

          Hi André,

          it seems that your situation is indeed very different than mine. I think that the server authentication in the case of a domain is handled by Kerberos where both parties involved are verified before a connection is setup.

          Regardless of that, I’ll update my blog to reflect the requirements, good catch, I can’t remember reading that page before today, so thanks! I’ll put the page in the reference section.

          Thanks again, always good to learn from a different perspective.

          Reply
  3. Mark Gregory

    Hi Michael, I use office365 and have several computers that are entra enrolled -> so that the login / environment is the same on all computers. I use a lot of VMs and I access the VMs from a lot of machines, including from the VMs themselves. I don’t have a server. My rdp files are in onedrive so that I can access the files from any of my computers.

    How would I create signed rdp files that can be stored in onedrive and would work from any of my computers to connect to any of my VMs?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

© 2026 Michael Waterman

Theme by Anders NorenUp ↑