Manual assignment of a Remote Desktop certificate fails with error message "Invalid parameter".

Assume the following scenario:

Set-WMIInstance : Invalid parameter
 At line:1 char:1
 Set-WMIInstance -path $TerminalServicesConfig.__path -argument @{SSLC ...
 ~~~~~~~~~~~~~~~~~
 CategoryInfo : InvalidOperation: (:) [Set-WmiInstance], ManagementException
 FullyQualifiedErrorId : SetWMIManagementException,Microsoft.PowerShell.Commands.SetWmiInstance

Cause/Solution

The target system is a certification authority.

The following logic was used to determine the SHA1 fingerprint for the Remote Desktop certificate:

$RdcCertHash = (Get-ChildItem -path Cert:\LocalMachine\My | Where-Object { $_.Extensions.EnhancedKeyUsages.Value -eq "1.3.6.1.4.1.311.54.1.2" } | Sort-Object -Property NotAfter -Descending | Select-Object -First 1).Thumbprint

The certification authority certificate on the target system contains a constraint on the issuance of Remote Desktop certificates, so its Extended Key Usage extension also lists the Remote Desktop Authentication OID (1.3.6.1.4.1.311.54.1.2).

As a result, the command above selected the certification authority certificate, which is also present in this system's machine certificate store, instead of the Remote Desktop certificate. A certification authority certificate cannot be assigned to the Remote Desktop session host.
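
One way to make the selection robust on a certification authority, shown as an added example that is not part of the original article: besides the Extended Key Usage, it checks the Basic Constraints extension and skips any certificate marked as a CA. The function names are hypothetical, and the private key and validity checks are additional assumptions about what a usable Remote Desktop certificate needs.

```powershell
# Added example: pick the Remote Desktop certificate without matching CA certificates.
$RdpAuthOid = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication EKU (OID from the article)

function Test-HasRdpEku {                # hypothetical helper name
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Look only at the typed EKU extension and compare each listed OID.
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    foreach ($ext in $eku) {
        foreach ($oid in $ext.EnhancedKeyUsages) {
            if ($oid.Value -eq $RdpAuthOid) { return $true }
        }
    }
    return $false
}

function Test-IsCaCertificate {          # hypothetical helper name
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Basic Constraints with CA=TRUE identifies a certification authority certificate.
    $bc = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
        Select-Object -First 1
    return [bool]($bc -and $bc.CertificateAuthority)
}

function Select-RdpCertificate {         # hypothetical helper name
    param([System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificate =
              (Get-ChildItem -Path Cert:\LocalMachine\My))
    $now = Get-Date
    $Certificate |
        Where-Object { Test-HasRdpEku $_ } |
        Where-Object { -not (Test-IsCaCertificate $_) } |                     # the fix for this article's case
        Where-Object { $_.HasPrivateKey } |                                   # assumption: key must be present
        Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now } |    # assumption: currently valid
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1
}

$RdcCert = Select-RdpCertificate
if (-not $RdcCert) {
    # Fail before the WMI call instead of passing an empty thumbprint.
    throw 'No end-entity certificate with the Remote Desktop Authentication EKU was found.'
}
$RdcCertHash = $RdcCert.Thumbprint
```

The resulting `$RdcCertHash` takes the place of the value computed by the one-liner above before the `Set-WMIInstance` call is made.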
