I'm following http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx. I have gotten it to work through GPO but not with the script. When I run 'cscript rdconfig.js dead3b957f442a97fc8086cb7d1347ecac4aa525' it doesn't seem to stick. Immediately after running the provided script I run 'gwmi -Namespace "root/cimv2/terminalservices" -Query "select * from win32_tsgeneralsetting"' and the old thumbprint is still there. How am I supposed to properly update this setting with a script? I'd like to know because there will be a scenario where I have to import a certificate into a non-domain joined computer and it won't be able to autoenroll for a certificate. Also, I'm curious how to see what certificate is being used during an RDP session. Is there a way? When I initially RDP to a computer that is using a certificate that my computer doesn't trust I am prompted to "Do you want to connect despite these certificate errors?" I can always see the certificate from the "View certificate..." button. But if I check the "Don't ask me again for connections to this computer" then I can't see the certificate with the "View certificate..." button because it's no longer presented. Is there a way to reverse this "Don't ask me again" dialogue?

Alright, I found a regkey that holds the hash. The key is listed under: HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\SERVERNAME as CertHash. All I had to do was blank that out and now it will prompt me to trust the certificate again. I'm still curious about how to use a script to update the certificate hash...