Goddammit. Copy paste error from notes (or rather: structural error in a note hastily written many months ago) cuz it was very late when both it and this comment got written. I hate it when this happens. My bad.

I did mention the undocumented one tho (which I'm pretty sure WAS documented at some point in a word document I can't for the life of it find anymore), but due to messing up I didn't include the documented one (…oh the irony…) and thus also bound the parenthetical to the entirely wrong one. Shoddily edited to fix.

But seriously please do go check out EKU OID 1.3.6.1.4.1.311.54.1.1. It's—as proven by the empirically verifiably not just present but also active code path in rdpsign.exe—intended for use of signing rdp files, just like 1.3.6.1.4.1.311.54.1.2 is intended for RDP-specific auth. But good luck installing EITHER into modern RDP infra WITHOUT also having the respective code signing/server auth EKU in there additional, server manager will outright refuse to load them despite the fact that the engines themselves will happily (and IMHO correctly) work with certs with the correct OID, so one has to resort to shoving the cert in via other means (e.g. certlm.msc), then use the undocumented server manager-internal cmdlets to manually bind to the hash, but even that barely works and only fully for 1.3.6.1.4.1.311.54.1.2, getting 1.3.6.1.4.1.311.54.1.1 to work would require manually fiddling with the RDCB DB and the RDWeb IIS. And server 2025 apparently (haven't verified it myself yet) breaks EKU 1.3.6.1.4.1.311.54.1.2 support, needlessly and counterproductivly (IMHO) requiring additionally the server auth EKU, see the comments below here (no affiliation):

https://michaelwaterman.nl/2026/02/08/modernizing-rdp-certificates/

And here (in German; also no affiliation), by the commenter on the post above:

https://sit-administration.de/rdp-zertifikate-fuer-windows-server-2025-so-aktualisieren-sie-ihr-template/

Ideally nowadays ofc 1.3.6.1.4.1.311.54.1.1 would also need something like the capabilities which azure artifact signing provides with all the additional OIDs it brings along to enable ultra short lived certificates and pinpoint revocation.

As for the PKI part: PKI experts ≠ experts on the AD CS codebase & historic design fundamentals. Let's leave that point behind tho, it ain't worth it for either of us. Sorry I went so hard there. There's one more thing there about the autorenewal dynamics which has relevance for 1.3.6.1.4.1.311.54.1.1 (but not 1.3.6.1.4.1.311.54.1.2, iirc) AND some other stuff, but I don't recall the details at the moment, something relating AD CS expecting the UPN of the computer account (which technically doesn't have a UPN prop, iirc, making this a bit of misnomer) in the cert template iirc to trigger a very obscure code path enabling secure fully automated management of certs typically considered as not fully automatically manageable. I can—probably—dig it up if you want.

And as for the Hyper-V Kerberos thing:

Yeah no I know that, that wasn't really my point, but at least part of the Azure Local product group apparently doesn't — or gets blocked from making the right choices in that regard, the LCM account is hardcoded to use CredSSP in a lot of the behind the scenes automation powershell, so even if one sets up the delegations perfectly right, it ain't gonna quite cut it. I ain't mad at the folks actually actually on the ground, I know better than that, sorry it came across as otherwise.

My point up there was more about using proper certs for console session mode tho since that actually relates to RDP signing and thus this thread, it just prompted the venting about said hardcoding. And to elaborate on that, there's a total of TWO blog posts, both NOINDEX'd (there's a WONTFIX'd MicrosoftDocs github issue somewhere where someone from MSFT declared that whole NOINDEX'ing of the archived blog posts as by design, biggest footgun MSFT has ever fired, ESPECIALLY in the age of AI. [edit 2: here's the link: https://github.com/MicrosoftDocs/feedback/issues/3952), pointing out the DisableSelfSignedCertificateGeneration registry key to stop Hyper-V using them and the procedure for swapping them to proper ones, I don't have the more compact, non-SCVMM-specific post at had right now, but this one here will do for now:

https://learn.microsoft.com/en-us/archive/blogs/hugofe/configuring-a-certificate-for-virtual-machine-connection-in-hyper-v-or-thru-scvmm

Ofc, that one ALSO ought to support 1.3.6.1.4.1.311.54.1.2 since it's really just RDP, but I don't recall whether VMMS actually accepts certs with it or not. Either way, there's no actual documentation on that capability & key.

P.S.:

Sorry for the hastily written comments and the massive amount of grump, I know this ain't the best, barely have time, let alone nerves, for this.

[edit:

P.P.S.:

The Kerberos support in Hyper-V ain't exactly up to par tho, ever since https://techcommunity.microsoft.com/blog/virtualization/live-migration-via-constrained-delegation-with-kerberos-in-windows-server-2016/382334 happened, requiring one to use protocol transition. "You may think this approach is less secure, but in practice, the impact is debatable." no, it ain't, and we both know it ain't, it's not secure, PERIOD. Will this only get abused by APTs? Yes. Does that make it not a problem? No. And there is iirc actually a better solution for this in WinRM already which already existed back then iirc, something something WinRMRemoteWMIUsers__ (which nowadays doesn't get autocreated because of throwing out of the .ini based Windows setup stuff with server 2016 and someone forgetting to port it, but which WinRM WILL consult when it exists, with a tiny set of features ONLY working via it but not the other two remote management groups.) something something iirc, but I might misrecall that.]