Self-signed certificate with RDP, error 0x8004005 and cannot save credentials

So, you have a .local domain or similar and this is giving you a headache?

This is due to two things:

1- Some GPO settings

2- The certificate has to be imported into both the Root AND the TrustedPublisher store for it to work… Go figure.

Here is how to solve it with PowerShell:

First, create the GPO settings. These settings allow RDP to store its credentials even when the machine is not domain-joined.

# Enable the four CredentialsDelegation policy switches (DWORD = 1)

New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\" -Name "AllowDefaultCredentials" -Value "1" -PropertyType DWORD -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\" -Name "AllowDefCredentialsWhenNTLMOnly" -Value "1" -PropertyType DWORD -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\" -Name "AllowSavedCredentials" -Value "1" -PropertyType DWORD -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\" -Name "AllowSavedCredentialsWhenNTLMOnly" -Value "1" -PropertyType DWORD -Force

# Populate each policy's subkey with the server list (value "1" = TERMSRV/*). Remove "| Out-Null" if you want to see any error output.

New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials -Force | Out-Null
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials -Name 1 -Value TERMSRV/* -PropertyType STRING -Force

New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefCredentialsWhenNTLMOnly -Force | Out-Null
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefCredentialsWhenNTLMOnly -Name 1 -Value TERMSRV/* -PropertyType STRING -Force

New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentials -Force | Out-Null
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentials -Name 1 -Value TERMSRV/* -PropertyType STRING -Force

New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentialsWhenNTLMOnly -Force | Out-Null
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentialsWhenNTLMOnly -Name 1 -Value TERMSRV/* -PropertyType STRING -Force

These settings will not show up when you run gpedit.msc, but they are there 🙂 This is because gpedit does not read its state back from the registry; it only writes changes to it.

Once you have exported the certificate from the server (the same self-signed certificate you created and added to the RDS server), you have to import it on the local machine that will connect to the server.

Make sure the certificate is in the same folder as the PowerShell script. Yes, you will need to save the script as a .ps1 file and run it as admin. Otherwise you can just double-click the certificate and install it manually, selecting the Trusted Root Certification Authorities and Trusted Publishers stores.

# XXXX.cer stands for the file name of your exported certificate
$file = Get-ChildItem -Path $PSScriptRoot\XXXX.cer -ErrorAction Stop
# The same certificate goes into both stores; one alone is not enough
$file | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
$file | Import-Certificate -CertStoreLocation Cert:\LocalMachine\TrustedPublisher

Done! Restart the machine and it should work now.
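If it still does not work after the restart, the check below (an added script, not part of the original post) confirms that every piece above landed: the four policy switches, the TERMSRV entry under each subkey, and the certificate in both stores. It assumes the same registry path and the placeholder file name XXXX.cer used above; `$ExpectedSpn` is a parameter I added so you can verify a narrower value such as TERMSRV/<hostname> if you prefer not to trust every RDP server.

```powershell
# Added verification script for the steps in this post (not the post's own code).
# Run as admin from the folder that holds the exported certificate.
param(
    [string]$CertPath    = "$PSScriptRoot\XXXX.cer",  # placeholder name from the post
    [string]$ExpectedSpn = 'TERMSRV/*'                # TERMSRV/<hostname> is the narrower option
)

$base  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$names = 'AllowDefaultCredentials', 'AllowDefCredentialsWhenNTLMOnly',
         'AllowSavedCredentials', 'AllowSavedCredentialsWhenNTLMOnly'
$problems = @()

foreach ($n in $names) {
    # 1) The DWORD switch directly under CredentialsDelegation must be 1
    $switch = (Get-ItemProperty -Path $base -Name $n -ErrorAction SilentlyContinue).$n
    if ($switch -ne 1) { $problems += "$n is '$switch', expected 1" }

    # 2) The subkey of the same name must carry the SPN as string value '1'
    $spn = (Get-ItemProperty -Path "$base\$n" -Name '1' -ErrorAction SilentlyContinue).'1'
    if ($spn -ne $ExpectedSpn) { $problems += "$n\1 is '$spn', expected '$ExpectedSpn'" }
}

# 3) The exported certificate must be present in BOTH stores; match by thumbprint
#    so a renamed or re-exported copy of the same cert still counts
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
foreach ($store in 'Root', 'TrustedPublisher') {
    $hit = Get-ChildItem "Cert:\LocalMachine\$store" |
           Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $hit) { $problems += "Thumbprint $($cert.Thumbprint) missing from LocalMachine\$store" }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "Policy switches, SPN entries and both certificate stores are in place."
```

A non-zero exit with one warning per missing item tells you exactly which of the three steps to redo.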