Policy
Server authentication certificate template
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016, WindowsVista
This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server.

A certificate is needed to authenticate an RD Session Host server when TLS 1.0, 1.1 or 1.2 is used to secure communication between a client and an RD Session Host server during RDP connections.

If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate has not been selected.

If no certificate can be found that was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RD Session Host server will be selected.

If you disable or do not configure this policy, the certificate template name is not specified at the Group Policy level. By default, a self-signed certificate is used to authenticate the RD Session Host server.

Note: If you select a specific certificate to be used to authenticate the RD Session Host server, that certificate will take precedence over this policy setting.
Registry values
How enabled and disabled states update the registry.
No explicit registry values are set for enabled or disabled states.
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
| Certificate Template Name (ID: TS_CERTIFICATE_TEMPLATE_NAME) | text | HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\CertTemplateName (type REG_SZ) | None |
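
The following audit script is an added example, not part of the policy reference. It reads the `CertTemplateName` policy value, applies the selection rule described above (matching template, matching server name, latest expiry), and compares the result with the certificate actually bound to the RDP listener. It assumes the standard `Win32_TSGeneralSetting` WMI class, the `RDP-Tcp` listener name, the `My` and `Remote Desktop` machine stores, and the Microsoft certificate template extension OIDs, none of which appear on this page; the substring match on the template name is a heuristic.

```powershell
# Added audit example (not from the policy page). Run elevated on the RD Session Host.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$template  = (Get-ItemProperty -Path $policyKey -Name CertTemplateName -ErrorAction SilentlyContinue).CertTemplateName

# Thumbprint of the certificate currently bound to the RDP listener (assumed listener name: RDP-Tcp).
$listener   = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$boundThumb = $listener.SSLCertificateSHA1Hash

# Return the formatted certificate template extension (v2 OID first, then v1), or '' if absent.
function Get-TemplateText {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
        Select-Object -First 1
    if ($ext) { $ext.Format($false) } else { '' }
}

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Candidates per the policy text: issued from the configured template and matching the server name.
$expected = $null
if ($template) {
    $expected = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
            (Get-TemplateText $_) -like "*$template*" -and      # heuristic substring match
            $_.GetNameInfo('DnsName', $false) -eq $fqdn
        } |
        Sort-Object NotAfter -Descending |                      # latest expiry wins
        Select-Object -First 1
}

# Locate the bound certificate; the default self-signed one lives in the 'Remote Desktop' store.
$bound = Get-ChildItem 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object Thumbprint -eq $boundThumb |
    Select-Object -First 1
$boundTemplate = if ($bound) { Get-TemplateText $bound } else { $null }

[pscustomobject]@{
    PolicyTemplate     = $template                 # empty means the policy is not configured
    BoundThumbprint    = $boundThumb
    BoundNotAfter      = $bound.NotAfter
    BoundIsSelfSigned  = [bool]($bound -and $bound.Subject -eq $bound.Issuer)
    BoundTemplate      = $boundTemplate
    ExpectedThumbprint = $expected.Thumbprint
    BoundMatchesPolicy = [bool]($expected -and $expected.Thumbprint -eq $boundThumb)
}
```

A `BoundMatchesPolicy` of `False` with the policy configured can mean enrollment is still pending or that a specific certificate was selected on the listener, which takes precedence over this policy.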
Other policies in this category
Explore related policies at the same level.
- Computer: Always prompt for password upon connection (At least Windows Server 2003 operating systems or Windows XP Professional)
- Computer: Disconnect remote session on lock for legacy authentication (Windows 11 22H2 SERVER)
- Computer: Disconnect remote session on lock for Microsoft identity platform authentication (Windows 11 22H2 SERVER)
- Computer: Do not allow local administrators to customize permissions (At least Windows Server 2003)
- Computer: Enable Microsoft Entra ID Authentication Enforcement (At least Windows 11 Version 24H2)
- Computer: Require secure RPC communication (At least Windows Server 2003)
- Computer: Require use of specific security layer for remote (RDP) connections (At least Windows Vista)
- Computer: Require user authentication for remote connections by using Network Level Authentication (At least Windows Vista)
- Computer: Set client connection encryption level (At least Windows Server 2003 operating systems or Windows XP Professional)