When you create custom .rdp files and deploy them to devices across the company, users will get warning messages like “The publisher of this remote connection cannot be identified. Do you want to connect anyway?”

To stop this, you need to sign the respective file and make the clients trust the used certificate. To do so, perform the below steps:

  1. Create a certificate (if you don’t already have one for this purpose)
    You can do so for example on an RD connection broker server and call it “RemoteFileSigning” or similar.
  2. Make computers trust the certificate
    On the (or “a”) server holding the certificate, open the certificates MMC and navigate to the certificate you want to use. Right-click it and copy the content of the “Thumbprint” field.
    Open group policy management, open Policies -> Administrative Templates -> Windows Components -> Remote Desktop Connection Client -> Specify SHA1 thumbprints of certificates representing trusted .rdp publishers
    Set this value to “Enable” and enter the Thumbprint you copied before.
  3. Sign the .rdp file
    On a server holding the certificate, open a command prompt and enter
    rdpsign /sha256 <certificatethumbprint> <path to .rdp file>
    for example:
    rdpsign /sha256 12345678901234567890 "C:\TEMP\MyConnectionfile.rdp"

An additional advantage of signing .rdp files is of course that users won’t be able to edit it anymore.

If you have an existing .rdp file and want to edit and then resign it, open it using a notepad and remove the lines beginning with “signscope:” and “signature:”