In Windows 2008 R2 we used to have a way to set a certificate on the RDP Protocol (named rdp-tcp) through the tsconfig.msc

In 2012 R2 we don’t have such a tool. MS has blogged on how to use your own CA to roll out your own certificates here. But they also say to use a public wildcard in such cases, but they neglect to say how to do this.

There is one option how to get your old tools working, basically copy your old tools to the new 2012 server. I’m guessing that is not supported, although it might work well for you.

Here is a way that’s more likely to be supported and scriptable. First off, your certificate (with private key) has to be imported into the personal store of the local machine.
Now we need the Thumbprint of the certificate:
And after removing all spaces, we can use it in the following powershell script:

$path = (Get-WmiObject -class “Win32_TSGeneralSetting” -Namespace root\cimv2\terminalservices -Filter “TerminalName=’RDP-tcp'”).__path
Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash=”ThumbprintWithoutSpaces”}

Which binds the desired certificate to the RDP protocol:

By the way, if you also want to set the security on the RDP protocol (like you used to in the RDP-tcp properties on the security tab), you can read our earlier blogpost here.