
I use Remote Desktop to admin a number of Server 2012 R2 servers, and through a vulnerability scan it was found that a self-signed certificate is being used for Remote Desktop, which is frowned upon.

The servers are in a workgroup behind a firewall and my workstation is on the network and domain joined. The servers are NOT running Remote Desktop Services and don't have IIS installed. I am able to click through the warning about the certificate when I have the RDP properties set that way and remote in with no issue.

I have searched and found a lot of good info and procedures to change the certificate RDP is using when authenticating to the server, having to do with updating the thumb hash using Set-WmiInstance. I continually have an error of Invalid Parameter when I run it through PowerShell or otherwise. I have searched on the error and all the things mentioned are OK: the location of the cert I want to use, the extended data, the hash being correct in the code. The certificate I want to use is the same one I have on the server along with the intermediate cert and the root cert for normal SSL (443) server access (it is running a web app using Apache).

The only thing I have not been able to find out is: does Remote Desktop Services have to be installed for this change to be made? It seems without finding this out for sure I am on a rabbit hunt. If this cannot be done with RDS installed, fine, I will then not try and fuss with it further, but if it can, I would appreciate any help in doing so.

Thanks,

Jeff

**** Update 9-12-16 - While I tried to use the fixes provided to change the hash for the thumbprint for which certificate is being used for RDP, it always fails as I stated. From what I can tell, all those answers are for servers running RDS, which mine is not. Again, this server is not running IIS or RDS.

  • Possible duplicate of [Configure custom SSL certificate for RDP on Windows Server 2012 in Remote Administration mode?](http://serverfault.com/questions/444286/configure-custom-ssl-certificate-for-rdp-on-windows-server-2012-in-remote-admini) – longneck Sep 09 '16 at 18:23
  • What's the error you get? I have updated my 2012 servers using this command `wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="hash of ssl cert"` – Mass Nerder Sep 12 '16 at 19:34
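
The three things the question says were checked (store location, extended data, hash), followed by the Set-WmiInstance call, as an added PowerShell example that is not part of the original thread. The `-Thumbprint` and `-Apply` parameters are hypothetical names, and the script assumes the default listener name `RDP-Tcp` and an elevated session on the server.

```powershell
# Added example, not from the thread. Save as a .ps1 and run elevated on the server.
param(
    [Parameter(Mandatory = $true)] [string] $Thumbprint,  # thumbprint of your own certificate
    [switch] $Apply                                       # hypothetical switch: write the change
)

# Thumbprints pasted from the certificate dialog can carry spaces or an
# invisible leading character, so keep hex digits only.
$hash = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToUpper()
if ($hash.Length -ne 40) { throw "Expected 40 hex digits (SHA-1), got $($hash.Length)." }

# Location: look in the computer's Personal store, not a user store.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$hash" -ErrorAction SilentlyContinue
if (-not $cert) { throw "No certificate $hash found in Cert:\LocalMachine\My." }

$problems = @()
$now = Get-Date
if (-not $cert.HasPrivateKey) { $problems += 'private key is not present on this machine' }
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += 'outside validity period' }

# Extended data: if an Enhanced Key Usage extension exists, it must allow
# Server Authentication (OID 1.3.6.1.5.5.7.3.1).
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
if ($eku) {
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if ($oids -notcontains '1.3.6.1.5.5.7.3.1') { $problems += 'EKU lacks Server Authentication' }
}

if ($problems.Count -gt 0) { throw "Certificate not usable: $($problems -join '; ')" }

# Read the listener the same way the wmic command in the comment addresses it.
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if (-not $listener) { throw "Listener RDP-Tcp not found." }
Write-Output "Current listener hash:  $($listener.SSLCertificateSHA1Hash)"
Write-Output "Candidate certificate:  $hash ($($cert.Subject))"

if ($Apply) {
    Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $hash } | Out-Null
    $listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    Write-Output "Listener hash after set: $($listener.SSLCertificateSHA1Hash)"
}
```

Run without `-Apply` first: it only reads the store and the listener, so the output shows which precondition fails before any change is attempted.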
