RDS server roles bind to certificates by thumbprint, and a renewed certificate has a new thumbprint, so the renewed certificate is not bound automatically and the roles keep serving the old one until it expires. This script locates the current RDS certificate in the local machine certificate store and rebinds it to all relevant roles.
To automate the rebinding process, you can run this script from a scheduled task triggered by Event ID 1001 in the Microsoft-Windows-CertificateServicesClient-Lifecycle-System event log, which is written when a certificate is renewed (replaced) by autoenrollment.
```powershell
# Get-RDCertificate / Set-RDCertificate live in the RemoteDesktop module (RDS role)
Import-Module RemoteDesktop

# Find matching certificate or fail if not found
#
# szOID_CERTIFICATE_TEMPLATE: match on the OID value, not the localized friendly name
$templateOid  = "1.3.6.1.4.1.311.21.7"
$templateName = "Corp-RDS"

Write-Output "[-] Looking for RDS certificate..."
# Keep certificates whose template extension names our template, newest expiry first
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.Extensions |
            Where-Object {
                $_.Oid.Value -eq $templateOid -and $_.Format(0) -like "*${templateName}*"
            }
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    Write-Error "[!] No certificate found issued from template '${templateName}'."
    return
}

$thumbprint = $cert.Thumbprint
Write-Output "[-] Found certificate with thumbprint: ${thumbprint}"

# Bind certificate to RDS roles
#
# RDGateway is deliberately left out; add it if the Gateway role is deployed
$roles = @("RDWebAccess", "RDPublishing", "RDRedirector")

foreach ($role in $roles) {
    Write-Output ""
    $currentCert = Get-RDCertificate -Role $role
    Write-Output "[-] Current certificate for ${role}: $($currentCert.Thumbprint)"

    if ($currentCert.Thumbprint -eq $thumbprint) {
        Write-Host "Certificate with thumbprint ${thumbprint} is already bound to ${role}."
    }
    else {
        Write-Host "Binding certificate with thumbprint ${thumbprint} to ${role}."
        Set-RDCertificate -Role $role -Thumbprint $thumbprint -Force
    }
}

# Print current certificates
#
Get-RDCertificate | Select-Object Role, Thumbprint, IssuedTo, ExpiresOn
```
Note that the script assumes the certificate was issued from a specific certificate template and that all RDS roles except RDGateway are deployed; if the Gateway role is in use, add "RDGateway" to the role list, and if a listed role is not deployed, Get-RDCertificate will fail for it.
Also note that the OID used in the script (1.3.6.1.4.1.311.21.7) is szOID_CERTIFICATE_TEMPLATE. The extension has a friendly name, but that name is localized, so matching on it can break the script in multilingual environments; matching on the OID value works everywhere.
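The scheduled-task trigger described at the top of the post is the part most people get stuck on, because New-ScheduledTaskTrigger has no event-trigger parameter set. The following is an added example, not part of the original post, that registers such a task from PowerShell. It assumes the rebinding script is saved at C:\Scripts\Rebind-RDSCertificate.ps1 (a hypothetical path) and that Event ID 1001 is read from the Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational channel; adjust both for your environment.

```powershell
# Added example (not from the original post): register a scheduled task that runs the
# rebinding script whenever the CertificateServicesClient logs Event ID 1001 (renewal).

$scriptPath = 'C:\Scripts\Rebind-RDSCertificate.ps1'   # hypothetical path, adjust
$taskName   = 'Rebind-RDSCertificate'
$provider   = 'Microsoft-Windows-CertificateServicesClient-Lifecycle-System'
$logName    = "$provider/Operational"                   # assumed channel name

# Event subscription in the same XPath form the Task Scheduler UI generates
$subscription = @"
<QueryList>
  <Query Id="0" Path="$logName">
    <Select Path="$logName">*[System[Provider[@Name='$provider'] and EventID=1001]]</Select>
  </Query>
</QueryList>
"@

# Build an MSFT_TaskEventTrigger CIM instance directly, since New-ScheduledTaskTrigger
# cannot create event-based triggers
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger `
    -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Subscription = $subscription
$trigger.Enabled      = $true
$trigger.Delay        = 'PT1M'   # give the store a minute to settle after the renewal event

# Run the script non-interactively under the SYSTEM account; Set-RDCertificate needs
# local administrator rights on the RDS server
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -File `"$scriptPath`""
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Ignore a second renewal event while one run is still in progress, and cap the run time
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Confirm the task is registered and ready
Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
```

Because the task runs as SYSTEM with no console, the script's Write-Host output is lost; if you want a record of each rebinding, redirect the script's output to a log file in the task's arguments or have the script write to the event log. Keep the script path on a volume that only administrators can write to, since whatever is at that path will be executed as SYSTEM on every renewal.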