RDP file signing

Signotaur signs Microsoft Remote Desktop connection files (.rdp) so Windows Remote Desktop Connection will show the publisher name when a user opens the file instead of a "Caution: Unknown remote connection" warning. Signotaur produces a signature format that is byte-structurally equivalent to what Microsoft's rdpsign.exe produces — the same canonicalisation, detached CMS/PKCS#7 envelope, and header layout — so any Windows client accepts the result as a real signed .rdp.

Signing an RDP file

Use the sign command with the .rdp path — no special flags required, the file type is auto-detected:

SignotaurTool.exe sign -a <APIKey> -s <SignServer> -t <Thumbprint> --fd SHA256 connection.rdp

The other common sign options work as usual. See the sign command reference for full details. RFC 3161 timestamping (--tr, --td) is supported but has an important caveat for .rdp files specifically — see Timestamping and certificate expiry below.

Certificate Requirements

The signing cert must be registered in Signotaur as a code-signing certificate. RDP signing currently requires an RSA code-signing certificate.

For background on supported certificate types, key sizes, and the CA/Browser Forum RSA 3072-bit minimum for publicly-trusted code signing certificates, see Code Signing Certificates.

How Windows Remote Desktop Connection handles signed .rdp files

After Windows installs the April 2026 cumulative update (KB5083769, part of CVE-2026-26151), Remote Desktop Connection has three distinct behaviours for a signed .rdp file based on client-side trust state:

Client trust state Dialog
Signing cert's chain is not trusted on the client Red "Caution: Unknown remote connection", publisher shown as "Unknown publisher"
Signing cert's chain is trusted (commercial root or user-added CA) Yellow "Verify the publisher of this remote connection", publisher name shown
Trusted chain and the publisher is in the trusted-thumbprint policy No dialog — proceeds straight to the connection settings

The goal for production deployment is to get recipient machines to the no-dialog state. This needs two layers of configuration on the recipient side, described below.

Recipient configuration

Layer 1 — trust the signing cert's chain

If the signing cert is a commercial code-signing certificate that chains to a Microsoft-preinstalled root (e.g. DigiCert, Sectigo, GlobalSign), no recipient action is needed for this layer — the root is already trusted on every Windows machine.

If the signing cert is self-signed or chains to a private/internal CA, each recipient machine needs the cert (or the CA's cert, for chained certs) imported into the Root store:

Import-Certificate -FilePath <cert-or-ca>.cer -CertStoreLocation Cert:\CurrentUser\Root

Use Cert:\LocalMachine\Root instead for machine-wide trust (requires admin). This moves the dialog from red to yellow.

The TrustedPublisher store does not affect Remote Desktop Connection's trust evaluation. It applies to Authenticode (.exe / .dll signing) but not to .rdp file signing.

Layer 2 — add the publisher's thumbprint to the trust policy

Adding the signing cert's SHA-1 thumbprint to the Remote Desktop Connection trust policy elevates the dialog from yellow to no-dialog.

Per-user (no admin needed):

$p = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $p -Force | Out-Null
Set-ItemProperty -Path $p -Name AllowSignedFiles -Value 1 -Type DWord
Set-ItemProperty -Path $p -Name TrustedCertThumbprints -Value '<SIGNING_THUMBPRINT>' -Type String

Machine-wide (admin required — suitable for GPO / Intune deployment):

$p = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $p -Force | Out-Null
Set-ItemProperty -Path $p -Name AllowSignedFiles -Value 1 -Type DWord
Set-ItemProperty -Path $p -Name TrustedCertThumbprints -Value '<SIGNING_THUMBPRINT>' -Type String

The thumbprint must be uppercase, no spaces. Multiple publishers can be trusted by semicolon-separating their thumbprints in the TrustedCertThumbprints value, e.g. 'AABB...CCDD;1122...3344'.

Fleet deployment via Group Policy

The same two policy values are exposed in the Group Policy Editor at:

Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Connection Client

  • Allow .rdp files from valid publishers and user's default .rdp settings → Enabled
  • Specify SHA1 thumbprints of certificates representing trusted .rdp publishers → Enabled, and add the signing cert's thumbprint to the list.

For domain-joined fleets these settings can be deployed via a GPO; for MDM-managed devices use the equivalent Intune / CSP settings under ADMX_TerminalServer.

Timestamping and certificate expiry

When you pass --tr <url> while signing a .rdp file, Signotaur embeds a standards-compliant RFC 3161 timestamp token into the CMS signature as an unsigned attribute. You can confirm this by base64-decoding the signature:s: value, stripping the 12-byte Microsoft header, and inspecting the resulting CMS — the signature-time-stamp attribute (OID 1.2.840.113549.1.9.16.2.14) will be present.

Unlike Authenticode (.exe, .dll, .msi), where Windows' WinVerifyTrust honours the embedded RFC 3161 timestamp and treats the signature as valid past certificate expiry, mstsc.exe does not consult the timestamp when validating an RDP signature. It only checks whether the signing certificate is currently within its validity window at the moment the file is opened. Once the signing certificate's NotAfter date passes, signed .rdp files revert to the "Caution: Unknown remote connection" dialog regardless of whether a timestamp is present.

Microsoft has never documented this behaviour, but the strongest indirect evidence is that Microsoft's own rdpsign.exe (shipped with Windows) has no timestamping support at all — no /tr flag, no timestamp in its output. The Microsoft Community thread asking exactly this question sits unanswered.

The timestamp is still worth applying:

  • The CMS structure is standards-compliant — general-purpose tools (OpenSSL, audit scripts, third-party verifiers including Signotaur's own verify command) can read the signing time.
  • It provides a tamper-evident audit record of when each .rdp file was signed.
  • If Microsoft ever updates mstsc to honour RFC 3161 timestamps for .rdp files (plausible given the April 2026 push toward signed .rdp files), files signed today will already be future-proof.

Practical implication: plan around your signing certificate's lifetime — a 2–3 year code-signing certificate is typical — and re-sign distributed .rdp files when the certificate is renewed. Signotaur makes the renewal nearly transparent: use --label <name> (e.g. --label production) instead of --thumbprint, and your scripts will automatically pick up the renewed certificate once an admin uploads it under the same label. Re-signing itself is just running the same sign command again, so it can be wired into a CI/CD pipeline or a scheduled task with no special handling.

Separate timestamping

For CI pipelines where signing and timestamping are staged separately — for example, signing offline and timestamping later after releasing the file — the timestamp subcommand supports .rdp files the same way it does for .nupkg, .vsix, and CMS files:

SignotaurTool.exe sign -a <APIKey> -s <SignServer> -t <Thumbprint> --fd SHA256 connection.rdp
SignotaurTool.exe timestamp --tr http://timestamp.digicert.com --td SHA256 connection.rdp

The timestamp step strips the Microsoft 12-byte header, adds an RFC 3161 unsigned attribute to the embedded CMS SignedData, re-wraps the header, and rewrites the file atomically. Running timestamp against an unsigned .rdp skips it with a "not signed" message rather than failing.

See the timestamp command reference for full syntax and fallback-server options.

Post-sign guidance output

After Signotaur successfully signs an RDP file, it prints a guidance block containing the signing cert's thumbprint already substituted into the PowerShell recipe — recipients can copy it verbatim. When running interactively on Windows, the tool additionally offers to apply the policy to the current user's registry so you can test the signed file locally without further setup.

To suppress the guidance (for CI / automation where it's just log noise):

SignotaurTool.exe sign ... --nmg connection.rdp

Equivalent long form: --no-mstsc-guidance.

Troubleshooting

Symptom Likely cause Fix
Red banner "Caution: Unknown remote connection" Signing cert's chain is not trusted on the recipient machine Import the cert (or the chain's root CA) into Cert:\*\Root
Yellow banner "Verify the publisher..." Chain is trusted but the publisher is not in the trust-thumbprint policy Apply the Layer 2 policy recipe
SignotaurTool.exe sign fails with ExitCode.CertificateRevocationFailure (36) during the post-sign verify step The --vf verify step couldn't reach a CRL/OCSP endpoint for the cert's chain Add --rm NoCheck for test certs that don't publish a CRL, or let the verify run online normally for production certs
Signed file works fine in rdpsign /v or mstsc but Signotaur's own verifier rejects it Likely a stale / local issue — Signotaur and Microsoft's verifiers agree structurally (verified by the regression test) Confirm the file hasn't been modified after signing; check --skip-signed isn't masking a previous failed sign
Previously-signed .rdp files show "Caution: Unknown remote connection" once the signing cert's NotAfter date passes, even though they were signed with --tr mstsc.exe does not honour RFC 3161 timestamps for .rdp files (unlike Authenticode) Re-sign the affected files with a current certificate. See Timestamping and certificate expiry

References

  • Microsoft Learn: Understanding security warnings when opening RDP files
  • Microsoft Learn: ADMX_TerminalServer Policy CSP
  • Sign command reference
  • Verify command reference