Replace the self-signed Remote Destkop Certificate with an e.g. PKI Certficate from your internal CA
Copy the Thumbprint of the Certificate you want to use for the RDP Connection and copy it to the $Hash variable.
$TSGeneralSetting = Get-WmiObject "Win32_TSGeneralSetting" -ComputerName "<Server Name>" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'" $Hash = "<hash of new certificate>" $TSGeneralSetting.SSLCertificateSHA1Hash = $Hash $TSGeneralSetting.put()
Or via command line
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="<THUMBPRINT>"
After fire off the put() command, the new Certificate will kick in! No need to restart the computer.
Copy the thumbprint from the new certficate over the details tab from the certificate and paste it into powershell to cut out the spaces.
Since Windows Server 2019 the thumbprint will be displayed without spaces within the certificate itself😊.
But before you can use the powershell replace command instead deleting it manual.