RDS: Trusting the certificate used for publishing by GPO

When you run a published RDS RemoteApp and you are getting this following warning dialog box, that means the certificate used to publish the RemoteApp is not in trusted by the local computer.

“A website wants to run a RemoteApp program. Make sure that you trust the publisher before you connect to run the program.”


There is a easy fix, but not very well documented anywhere. Technet document says simply add the RDS Certificate thumbprint into credentials delegation section in GPO. It’s all well and good, but they forgot to mention thumbprint have to in UPPERCASE and no spaces. I have mentioned step by step instructions below to add the certificate thumbprint in to GPO. GPO needs to apply to all domain computers that used to access RDS RemoteApp.

1. Open your RDS Certificate like below and go to Details and find Thumbprint. (below is yahoo’s SSL certificate used as example)


2. Select and Copy the Thumbprint into clipboard. (e.g., ‎e9 c0 09 f9 4e f5 e9 92 e2 fa 56 5d 13 f5 a2 56 76 da 6e 7b)

3. Convert all characters to Uppercase and remove the spaces. You could use the following PowerShell commands to do just that. Replace your cert thumbprint with mine below.

$thumbprint = “‎e9 c0 09 f9 4e f5 e9 92 e2 fa 56 5d 13 f5 a2 56 76 da 6e 7b”

($thumbprint).ToUpper().Replace(” “,””)

Copy the Result to clipboard. Note: leave the first character.

My thumbprint converted to E9C009F94EF5E992E2FA565D13F5A25676DA6E7B.

4. Open GPMC (Group Policy Management Console). Create a new Policy or edit an existing policy that applies to all computers. E.g., Default Domain Policy.

5. Right click on GPO and select Edit the Policy.

6. Go to User Configuration ==>Policies ==>Administrative Templates ==> Windows Components ==> Remote Desktop Services ==>Remote Desktop Connection Client


7. Double click the setting: Specify SHA1 thumbprints of certificates representing trusted .rdp publishers. Enable this policy. Under Options, paste the converted thumbprint into the text box. Click OK.

8. Double click on the setting: Allow .rdp files from valid publishers and user’s default .rdp settings.

You can close the Group Policy Management Editor and apply the setting to the users. But you can do more. You can specify the servers to which the user’s default credentials can be delegated (default credentials are those that you use when first logging on to Windows). Edit the same GPO as below.

1. Go to Computer Configuration ==> Policies ==> Administrative Templates ==> System ==> Credentials Delegation


2. Double click on Allow delegating default credentials. Click Show button in Options next to “Add servers to the list”.


3. Add your Connection Broker, RDS Gateway and common name FQDN as following format.


4. Do the same for Apply delegating saved credentials.

That’s all. Enjoy.

2 thoughts on “RDS: Trusting the certificate used for publishing by GPO

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s