05. Create and Deploy RDP TLS Certificate with GPO

Рет қаралды 31,927

MSFT WebCast

Күн бұрын

Пікірлер: 45

@eranthagunawardena2638 4 жыл бұрын

Thank you so much. Great video series. This is the best I have ever found. Keep up the good work !

@zawlinhtet4654 2 жыл бұрын

It is very useful video to learn for PKI . Really appreciate it

@MSFTWebCast 2 жыл бұрын

Thanks for liking

@alexs5588 5 жыл бұрын

Also, another great topic for a video would be deploying Windows Hello via GPO. Thanks for all the great content that you post!!!!

@MSFTWebCast 5 жыл бұрын

I need to test it first in virtual environment.

@fbifido2 3 жыл бұрын

@12:47 - could you run mmc /w certificate to see where windows put the RDP certificate ??? Did it remove the self-signed RDS certificate?

@simonselvin1 2 жыл бұрын

Very informative, Thanks for the video.

@MSFTWebCast 2 жыл бұрын

Thank You.

@ZareerBhathena Жыл бұрын

Great video. I would like to see a video where you have a third party vendor digicert and you want to deploy it thru CA server

@salirehman Жыл бұрын

Great video.

@sudhirsharma6807 4 жыл бұрын

Great video . You have it so easy to digest. I have a quick question. Why did we not select "Auto Enroll" in this case? Also why did we not use the group policy in security settings related to PKI like we did for computer certificate in the last video.

@bryandelgado1103 2 жыл бұрын

Hello! what happens if I connected by RDP from a PC out of the domain? Apply the certificate equally? Thank for your videos, was very helpfull.

@MSFTWebCast 2 жыл бұрын

You can manually import certificate on the PC (outside of your domain).

@khemarin2007 4 жыл бұрын

Why do we need to put Object ID: 1.3.6.1.4.1.311.54.1.2? Is it must be the same your Object ID number or can be anything?

@branislavnagy5424 4 ай бұрын

The highlighted policy above is Microsoft’s OID designation for Remote Desktop Authentication (1.3.6.1.4.1.311.54.1.2) but isn’t present by default and must be created.

@rub1345 2 жыл бұрын

What would be the process when using a public SSL? Like from go daddy, Namecheap?

@assamerp2292 4 жыл бұрын

Hi, can we use public SSL certificate from let's encrypt in rd webaccess?

@PottsTheDruid 4 жыл бұрын

What permissions are set on the CA? Do domain computers need enrol permissions?

@PottsTheDruid 4 жыл бұрын

Tested it. Yes they do.

@branislavnagy5424 4 ай бұрын

As I already wrote you. You make very nice videos and I consider you as the man in the right place. Wherefore I will allow myself one question. I have no certificate at client side and I can connect to my servers (Win2k19) via RDP. I set up NLA on the servers as it has been recommended in reason hight security. But I want to increse level of security by setting up servers to allow RD connection only to client own correct certificate. in other words If the certificate is unvalid, connection will be unsacsesfuly. Thank you for your answer what your video solve this problem.

@marcorusso81 3 жыл бұрын

Hi, this is also good for RemoteApp by RDS Servers?

@MSFTWebCast 3 жыл бұрын

yes to fix certificate related errors.

@HithamMelhem-w2m Жыл бұрын

i have question please if use computer name the connection is secure but if use ip address the connection is not secure how to solve this issue

@MSFTWebCast Жыл бұрын

Because the IP address is not included in the certificate.

@sankareshkannan9239 4 жыл бұрын

Where we can get the object identifier??

@MSFTWebCast 4 жыл бұрын

“Remote Desktop Authentication” Object Identifier (1.3.6.1.4.1.311.54.1.2). Link: docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn781533(v=ws.11)

@sankareshkannan9239 4 жыл бұрын

@@MSFTWebCast Thanks

@revianravilathala4246 Жыл бұрын

and how if without gpo

@AhmedMohamed-xs5ij 5 жыл бұрын

Please, Can you tell me .. what the benefits of using the Certificate ... this can stop hacker to steal RDP Connection?

@MSFTWebCast 5 жыл бұрын

Custom certificate (maybe from your local ca) will replace self-signed certificate. As we all know that self-signed certificates are not good, and represent a security risk. By using custom certificate, You can setup the encryption related settings as per your organization requirement. It helps to protect your server from bruteforce attacks and Man in the Middle attacks.

@przemcio6867 3 жыл бұрын

you need connection monitoring system like PAM - priviledged access monitoring, opening RDP to the internet without any gateway is very bad idea... at least use VPN

@satyajitswain2618 3 жыл бұрын

authority certificate will expired and invalid

@AnwarKhanWorld 3 жыл бұрын

Excellent.

@alexs5588 5 жыл бұрын

Great video!!! Can you show us how to deploy Bitlocker via GPO?

@MSFTWebCast 5 жыл бұрын

yeah sure.. will be very soon.

@fabiozaccardi5918 3 жыл бұрын

Be mo co tzì devficent?

@kadirdd 4 жыл бұрын

Thanks a lot.

@hasan135 4 жыл бұрын

Good video

@przemcio6867 3 жыл бұрын

this might be a nice tutorial but two things are missing: - certificate enrollment process, it was just skipped, - the server name on the certificate is incorrect - that's huge issue,

@MSFTWebCast 3 жыл бұрын

Which server name is wrong? can you be more specific. As it can be seen in video the servers fqdn is ws2k19-srv02.mylab.local and the same is available in certificate as well. And second didn't I create and configure GPO for it? Also I have change the permission of certificate template for auto-enrollment. Might be you are in little hurry, so you have skipped some part of the video.

@bobliton2423 2 жыл бұрын

@@MSFTWebCast You are still getting the warning about cert mismatch because you are connecting via IP address and the cert is the computer name.

@MrDrumCube 10 ай бұрын

thta is because he used the server ip instead of FQDN. In case he would use FQDN the warning would not show. @@bobliton2423