RDP Changes April 2026 – Sign Your RDP Files
If you’re not yet in the cloud and your users are used to the practice of double-clicking a .rdp file to remote into internal resources, then you’re going to be impacted by the latest change to RDP via the April 2026 Windows Updates.
This change impacts endpoints, not the servers you are RDP-ing into.
In the very near future, your end users will be prompted with security warnings when launching their .rdp files.


The first prompt is mandatory, but the 2nd one can be altered into a one-time prompt. I’m here to show you the quick-and-dirty way to change these pesky prompts and keep your end users happy.
(Because at the end of the day, the fewer complaints I hear, the less I feel the need to crack open a cold one when I get home.)
Note: I am not declaring that any of this is best practice nor is it the most secure practice.
Help! I don’t have a Certificate Authority! What do I do?!
The answer is unfortunately: self-sign your certificate. Here’s the PowerShell code to do such:
New-SelfSignedCertificate `
-Subject "CN=<Insert Name Here>" `
-Type CodeSigning `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-KeyExportPolicy Exportable `
-CertStoreLocation Cert:\CurrentUser\My `
-HashAlgorithm SHA256
Obviously, change the CN name to something of your liking.
Next, let’s get the thumbprint of your cert. We will use this to sign our .rdp file.
# Select the cert by its subject; EnhancedKeyUsageList holds EKU names such as "Code Signing", not the CN
$cert = Get-ChildItem Cert:\CurrentUser\My |
Where-Object { $_.Subject -eq "CN=<Insert Name Here Again>" }
$cert.Thumbprint
Ok, now we’re going to export the cert and private key for testing:
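$cert = Get-ChildItem Cert:\CurrentUser\My |
Where-Object { $_.Subject -eq "CN=<Insert Name Here Again Again>" }
# Export-Certificate writes the public certificate only (.cer); the private key stays in the store
Export-Certificate `
-Cert $cert `
-FilePath "<Insert File Path>\<Insert Cert Name>.cer"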
Now that you’ve exported the cert, go ahead and install it into the proper Current User’s Trusted Root Certification Authorities store.
Now open up a command line and do the following:
rdpsign /sha256 <Insert Thumbprint Here> "<Insert RDP File Here>"
As always, test, test, test before pushing to production users!
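One way to check the result of the steps above before handing the file to users (an added example, not code from the original post). Test-SignedRdp is a hypothetical helper name, and it assumes the cert was created in Cert:\CurrentUser\My as shown earlier:

```powershell
# Added example, not from the original post. Test-SignedRdp is a hypothetical helper name.
function Test-SignedRdp {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,  # thumbprint passed to rdpsign
        [Parameter(Mandatory)] [string] $RdpPath      # path to the signed .rdp file
    )
    $thumb = ($Thumbprint -replace '\s', '').ToUpperInvariant()

    # 1. Signing cert: in the personal store, with private key, Code Signing EKU, not expired.
    $signer = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $thumb }
    $hasEku = [bool]($signer.EnhancedKeyUsageList |
        Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.3' })   # OID for Code Signing

    # 2. Trust: the same cert must sit in a Trusted Root store on the endpoint.
    $trustedIn = @('Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') |
        Where-Object { Test-Path "$_\$thumb" }

    # 3. File: rdpsign writes "signscope:s:" and "signature:s:" settings into the .rdp file.
    $lines = if (Test-Path -LiteralPath $RdpPath) { Get-Content -LiteralPath $RdpPath } else { @() }
    $scope = $lines | Where-Object { $_ -like 'signscope:s:*' } | Select-Object -First 1
    $sig   = $lines | Where-Object { $_ -like 'signature:s:*' } | Select-Object -First 1

    [pscustomobject]@{
        SignerFound    = [bool]$signer
        HasPrivateKey  = [bool]$signer.HasPrivateKey
        CodeSigningEku = $hasEku
        NotExpired     = [bool]($signer -and $signer.NotAfter -gt (Get-Date))
        TrustedRootIn  = $trustedIn -join ', '
        FileSigned     = [bool]($scope -and $sig)
        SignedSettings = if ($scope) { $scope -replace '^signscope:s:', '' } else { '' }
    }
}

# Placeholders as in the steps above; fill in before running.
Test-SignedRdp -Thumbprint '<Insert Thumbprint Here>' -RdpPath '<Insert RDP File Here>' | Format-List
```

Run it on the signing machine first, then on a test endpoint after the cert has been deployed; on the endpoint only TrustedRootIn and FileSigned are expected to pass, since the private key should not leave the signing machine. Editing a setting listed in SignedSettings after signing invalidates the signature, so re-run rdpsign after any change.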
When double-clicking your .rdp file, it should now look similar to this with a “Remember my choice” toggle:

But Wait! I Have Intune!
After thoroughly testing your new self-signed .rdp file, we can push the cert to our users via Microsoft Intune. Let’s export our cert without the private key first:
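# Select the cert by its subject; EnhancedKeyUsageList holds EKU names such as "Code Signing", not the CN
$cert = Get-ChildItem Cert:\CurrentUser\My |
Where-Object { $_.Subject -eq "CN=<Insert Name Here>" }
# Export-Certificate writes the public certificate only (.cer), without the private key
Export-Certificate `
-Cert $cert `
-FilePath "<Insert Name and File Path Here>.cer"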
Now make your Intune Configuration Profile. You’ll want to choose:
Platform = Windows 10 and later
Profile type = Templates
Template name = Trusted certificate
Under Configuration Settings, upload your cert, and select “Computer Certificate store – Root” for the Destination store.

Then follow through the next pages, assigning your policy and so on.
Finishing Touches
To finish things off, you’ll need to deploy (copy) your signed .rdp file to your endpoints. You can package it up with PSADT, deploy it as a Win32 app via Intune, or you can sneakernet it over to your users. The possibilities are endless!
Me? I’m writing a simple package using PSADT and deploying it via a Win32 app from Intune, but you do you, boo.
Closing the Deal
Obviously self-signed certs are not best practice in 2026. I recommend using your Certificate Authority if you have one, or purchasing one from a certificate broker online. If you’re tight on time and resources, this is going to help in a pinch.
Routine cautionary warning is below:
This project is provided “as is” without any warranty of any kind, express or implied. Use it at your own risk. The authors and contributors are not responsible for any damage, data loss, or other issues that may arise from using this software. You are solely responsible for any actions taken based on this code.