Windows Certificate Authority - Auto Enroll RDP certificates trusted CA error

So I'm running into an odd issue. I just set up a Windows Certificate Authority server and am able to use the web interface to issue Web SSL certs. My Fortigate and Fortianalyzer both have certs from this server and Google Chrome is all happy. I have already installed the Root CA into my workstation's Trusted Root store. I am trying now to set up auto-enroll for RDP certificates so my servers can all automatically get RDP certs. This works: I am able to see a request come in and a cert get issued for a server. The problem is, when I RDP, I still get the warning that the certificate is not from a trusted certifying authority. If I view the certificate chain, Windows says "Certificate is OK". Am I missing something?

Root CA is installed. Web apps show a valid certificate and CA (Google Chrome is happy). Windows Server auto-enrolls and obtains an RDP cert. I try to connect but still get a root CA error. [Screenshot: RDP certificate error]


I suspect that your root certificate is not installed in Local Machine\Trusted Root CAs. It may be installed in Current User\Trusted Root CAs. This is sufficient for Chrome and the certificate viewer; however, RDP clients look for valid roots in the Local Machine store.

Open certlm.msc and confirm if your root certificate is there. If not, then install it.

What process do you use for RDP certificate deployment? Keep in mind that you cannot use the classic certificate autoenrollment process; you must use the dedicated GPO configuration to automatically provision RDP certificates.
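The two checks the answer describes (is the root in the Local Machine store rather than the Current User store, and which certificate does the RDP listener actually present) can be done from an elevated PowerShell prompt. The script below is an added example, not code from the original thread; it assumes the root CA's subject is the placeholder in `$RootCaSubject`, and it uses the standard `Cert:` drive and the `Win32_TSGeneralSetting` CIM class that holds the listener's certificate thumbprint.

```powershell
# Added example (not from the original post): locate the root CA in the certificate
# stores and validate the chain of the certificate bound to the RDP-Tcp listener.
# Assumption: $RootCaSubject is a placeholder; replace it with your CA's subject.
param(
    [string]$RootCaSubject = 'CN=EXAMPLE-ROOT-CA'
)

# 1. Which store holds the root? Chrome and certmgr.msc accept CurrentUser\Root,
#    but the RDP client (mstsc) validates the chain against LocalMachine\Root.
$machineRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $RootCaSubject }
$userRoot    = Get-ChildItem Cert:\CurrentUser\Root  | Where-Object { $_.Subject -eq $RootCaSubject }

if ($machineRoot) {
    "Root CA found in LocalMachine\Root (thumbprint $($machineRoot.Thumbprint))"
} elseif ($userRoot) {
    "Root CA only in CurrentUser\Root; mstsc will not trust it. Import it into LocalMachine\Root."
} else {
    "Root CA not found in either Trusted Root store."
}

# 2. On the RDP server: which certificate is bound to the RDP-Tcp listener?
$listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                            -ClassName Win32_TSGeneralSetting `
                            -Filter "TerminalName='RDP-Tcp'"
$thumb = $listener.SSLCertificateSHA1Hash
"RDP-Tcp listener presents certificate thumbprint: $thumb"

# The auto-provisioned cert may sit in Personal (My) or the Remote Desktop store;
# the self-signed fallback certificate also lives in 'Remote Desktop'.
$rdpCert = Get-ChildItem Cert:\LocalMachine\My, 'Cert:\LocalMachine\Remote Desktop' |
           Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1

if (-not $rdpCert) {
    "Listener thumbprint not found in My or Remote Desktop store."
    return
}
"Subject: $($rdpCert.Subject)  Issuer: $($rdpCert.Issuer)"

# 3. Build the chain the way a machine-context client would, and report every
#    status flag (e.g. UntrustedRoot, RevocationStatusUnknown) instead of a bare OK.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$ok = $chain.Build($rdpCert)
"Chain builds cleanly: $ok"
foreach ($s in $chain.ChainStatus) {
    "  $($s.Status): $($s.StatusInformation.Trim())"
}
foreach ($el in $chain.ChainElements) {
    "  element: $($el.Certificate.Subject)"
}
```

If step 1 reports the root only in `CurrentUser\Root`, importing it with `Import-Certificate -FilePath .\root.cer -CertStoreLocation Cert:\LocalMachine\Root` (or via certlm.msc, as the answer says) is the fix on the client. If step 2 shows a self-signed certificate whose subject equals the host name, the listener is still using the default RDP certificate, which means the GPO-based provisioning the answer refers to has not taken effect on that server even though the CA issued a certificate.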