RDP - How to block self-signed certificates trusted on client-side by default?


Here is the issue I can't resolve. The remote RDP server presents a self-signed certificate, and I want to block any connection on the client side when the RDP server is using a non-compliant certificate.

I found a configuration that should enforce server authentication, but it only blocks when the server name in the RDP client does not match the server certificate CN (for example, if I try to connect using the IP instead of the host name).

I can't find any local configuration (GPO, local policy...) to block the RDP connection when the server is using a self-signed certificate.

(I am not looking for configuring a compliant certificate on the server side, because anyway, my client is configured to accept any certificate that has the server name in the certificate CN field.)

crypto-learner

Posted 2018-01-02T12:54:10.580

Reputation: 103

The only reason a self-signed certificate would be trusted would be because the root certificate that signed it was already trusted. – Ramhound – 2018-01-02T13:05:40.050

Is the machine part of a domain? – I say Reinstate Monica – 2018-01-02T13:18:57.997

Is your question, "[How to] block RDP connection when server is using a self-signed certificate?", or, "Why is my server's self-signed certificate trusted by my client?" It seems like your end goal is to answer the first, yet your question title is the second. – I say Reinstate Monica – 2018-01-02T16:02:33.507

@Ramhound No it is a self-signed not trusted by my client desktop (not signed by any custom or official root) – crypto-learner – 2018-01-02T16:29:35.207

@TwistyImpersonator My question is the first: "How to block..." but I also want to understand why my RDP client does validate a self-signed certificate; it should not be the case by default, and when I enabled "Server authentication" in the RDP local policy, same result... It seems that my RDP client only validates that server host = certificate CN, but does validate the certification path – crypto-learner – 2018-01-02T16:31:19.580

@crypto-learner please at least [edit] your question title to be what you're really asking. Please also answer my question about domain membership. – I say Reinstate Monica – 2018-01-02T16:47:52.363

“No it is a self-signed not trusted by my client desktop” Something isn’t adding up. – Ramhound – 2018-01-02T17:02:24.930

@Ramhound Sorry, I wanted to say "a self signed certificate trusted by my client" – crypto-learner – 2018-01-03T08:55:14.457

Are the client and server domain-joined (same domain)? – I say Reinstate Monica – 2018-01-03T12:51:36.140

@Twisty Impersonator Yes they are – crypto-learner – 2018-01-03T12:53:21.683

No answers