This article describes the methods to configure listener certificates on a Windows Server 2012 R2-based or Windows Server 2012-based server that is not part of a Remote Desktop Services (RDS) deployment.

About Remote Desktop server listener availability


The listener component runs on the Remote Desktop server and is responsible for listening to and accepting new Remote Desktop Protocol (RDP) client connections. This lets users establish new remote sessions on the Remote Desktop server. There is a listener for each Remote Desktop Services connection that exists on the Remote Desktop server. Connections can be created and configured by using the Remote Desktop Services Configuration tool.

How to configure listener certificate


In Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2, the Remote Desktop Configuration Manager MMC snap-in gives you direct access to the RDP listener. In the snap-in, you can bind a certificate to the listener and, in turn, enforce SSL security for the RDP sessions.

In Windows Server 2012 or Windows Server 2012 R2, this MMC snap-in does not exist. Therefore, the system provides no direct access to the RDP listener. To have us configure the listener certificates in Windows Server 2012 or Windows Server 2012 R2, go to the "Here's an easy fix" section. If you prefer to do this manually, go to the "Let me fix it myself" section.

Here's an easy fix

To fix this problem automatically, click the Download button. In the File Download dialog box, click Run or Open, and then follow the steps in the easy fix wizard.
  • This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.
  • If you’re not on the computer that has the problem, save the easy fix solution to a flash drive or a CD, and then run it on the computer that has the problem.

Let me fix it myself

Easy fix 20151
 
Method 1:  Using Windows Management Instrumentation (WMI) script
The configuration data for the RDS listener is stored in the Win32_TSGeneralSetting class in WMI under the Root\CimV2\TerminalServices namespace.

The certificate for the RDS listener is referenced by its Thumbprint value, which is stored in the SSLCertificateSHA1Hash property. The thumbprint value is unique to each certificate.

Note Before you run the wmic commands, the certificate that you want to use must be imported to the Personal certificate store for the computer account. If you do not import the certificate, you will receive an "Invalid Parameter" error.

To configure a certificate by using WMI, follow these steps:
  1. Open the properties dialog for your certificate and select the Details tab.
  2. Scroll down to the Thumbprint field and copy the space-delimited hexadecimal string into a text editor such as Notepad.
    After you remove the spaces in the string, it still contains the invisible ASCII character that is only visible at the command prompt.

    Make sure that this ASCII character is removed before you run the command to import the certificate.
  3. Remove all spaces from the string. Also notice that an invisible ASCII character may have been copied along with it. This character is not visible in Notepad. The only way to validate is to copy the string directly into the Command Prompt window.
  4. At a command prompt, run the following wmic command together with the thumbprint value that you obtain in step 3:
    wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT" 
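The following Windows PowerShell script is an added example, not part of the original article or the easy fix package. It carries out steps 2 through 4 in one pass: it strips spaces and any invisible character from a pasted thumbprint, confirms that the certificate is in the computer account's Personal store, and then sets SSLCertificateSHA1Hash on the listener. The function names and the sample thumbprint are constructed for illustration, and the invisible character is assumed to be U+200E in the sample.

```powershell
# Added example. Run from an elevated Windows PowerShell prompt.
# Function names and the sample value below are hypothetical.

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory=$true)][string]$Text)
    # Keep hex digits only. This removes the spaces and the invisible
    # character that is copied from the certificate Details tab.
    $clean = ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits for a SHA-1 thumbprint, got $($clean.Length)."
    }
    return $clean
}

function Set-RdpListenerCertificate {
    param([Parameter(Mandatory=$true)][string]$PastedThumbprint)
    $thumb = ConvertTo-CleanThumbprint -Text $PastedThumbprint

    # The certificate must already be in the Personal store of the
    # computer account; otherwise WMI returns "Invalid Parameter".
    if (-not (Test-Path -Path "Cert:\LocalMachine\My\$thumb")) {
        throw "Certificate $thumb was not found in Cert:\LocalMachine\My."
    }

    # Same class and namespace that the wmic command targets.
    $settings = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                              -Class Win32_TSGeneralSetting
    foreach ($s in $settings) {
        Set-WmiInstance -Path $s.__PATH `
            -Arguments @{ SSLCertificateSHA1Hash = $thumb } | Out-Null
    }

    # Read the value back so a silent failure is noticed.
    Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                  -Class Win32_TSGeneralSetting |
        Select-Object TerminalName, SSLCertificateSHA1Hash
}

# Constructed sample: a leading U+200E followed by a space-delimited value.
$sample = "$([char]0x200E)01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67"
ConvertTo-CleanThumbprint -Text $sample   # cleaning only; does not change the system

# To apply a real thumbprint copied from the certificate dialog:
# Set-RdpListenerCertificate -PastedThumbprint '<pasted thumbprint>'
```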

 
Method 2:  Using registry editor
Important 
Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.