So I’m not an RDP expert, but here is our built-in deployment task code for RDP Gateway (Tasks > Add Deployment Task). Note that if you want to restart services you need to enable that in the task parameters UI, and I would recommend using the Manual trigger type so you can run the task during a maintenance window if it will interrupt other users.
I don’t know if it applies to your version/configuration and some users prefer to script their own. It works in the 2016 version I tested when developing this script in a simple environment (no other machines involved):
# $result is the object Certify passes to a script deployment task;
# -restartServices is only set when "restart services" is enabled in the task parameters.
param($result, [switch] $restartServices = $false)

# Provides the RDS: PSDrive used below
Import-Module RemoteDesktopServices

# Apply certificate: point the RD Gateway at the newly issued cert by thumbprint
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $result.ManagedItem.CertificateThumbprintHash -ErrorAction Stop

# Optionally restart TSGateway and related services (NPS and SSTP) so the new cert is served
if ($restartServices -eq $true)
{
    Restart-Service IAS -Force -ErrorAction Stop
    Restart-Service TSGateway -Force -ErrorAction Stop
    Restart-Service SSTPSvc -Force -ErrorAction Stop
    Write-Host "Services Restarted."
}
In general, if a service is using IIS for its website then by default Certify will take care of the IIS side, but for other things you need to ensure you are applying the new certificate thumbprint etc. to the service.
Sometimes this involves PowerShell, registry settings, WMI or just copying the file somewhere. Usually you then have to restart the service, as you know. For some services this can get extremely complicated/unpredictable and sometimes the best result is to not apply the new cert until a maintenance window and then do a full reboot, so for instance make it part of your monthly updates etc.
Some of this stems from not knowing the full dependency chain of services, and sometimes it’s because the service was not designed to change its certificate more frequently than about once per year (the old way of doing it before Let’s Encrypt existed), so reboots were normal. If the problem persists (and the built-in Certify deployment task is not right for you) then I would contact Microsoft support to ask them.
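As an added example that is not the script from the post above (and not Certify’s shipped task code), here is a more defensive version of the same deployment task: it checks that the certificate is actually in the machine store with a private key before touching the gateway, skips the change if the gateway already uses that thumbprint, reads the value back to confirm it was applied, and only then restarts the services in order. It assumes the same `$result.ManagedItem.CertificateThumbprintHash` input the post describes, and assumes the RDS: provider exposes the current setting through a `CurrentValue` property; both are assumptions of this example.

```powershell
# Added example, not Certify's built-in RD Gateway task. Same inputs as the original:
# $result from Certify, -restartServices from the task parameters UI.
param($result, [switch] $restartServices = $false)

$ErrorActionPreference = 'Stop'
Import-Module RemoteDesktopServices

# Normalise the thumbprint: strip spaces/colons and upper-case it so comparisons work.
$thumb = $result.ManagedItem.CertificateThumbprintHash
if ([string]::IsNullOrWhiteSpace($thumb)) { throw "No certificate thumbprint supplied by Certify." }
$thumb = ($thumb -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# 1. The cert must be in LocalMachine\My with a usable, unexpired private key.
#    The gateway will happily accept a thumbprint for a cert it cannot actually use,
#    and the failure then only shows up when clients try to connect.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
if (-not $cert)             { throw "Certificate $thumb not found in Cert:\LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key on this machine." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $thumb expired on $($cert.NotAfter)." }

# 2. Only change the setting when it differs; a no-op run should not trigger restarts.
$path    = 'RDS:\GatewayServer\SSLCertificate\Thumbprint'
$current = (Get-Item -Path $path).CurrentValue    # CurrentValue is assumed here
if ($current -and ($current.ToUpperInvariant() -eq $thumb)) {
    Write-Host "RD Gateway already uses $thumb; nothing to do."
    return
}
Set-Item -Path $path -Value $thumb

# 3. Read it back. A write that "succeeded" but did not stick is the usual reason for
#    "the task ran but clients still get the old certificate".
$applied = (Get-Item -Path $path).CurrentValue
if (-not $applied -or $applied.ToUpperInvariant() -ne $thumb) {
    throw "RD Gateway thumbprint readback mismatch: expected $thumb, got '$applied'."
}
Write-Host "RD Gateway certificate changed from '$current' to $thumb."

# 4. Restart NPS, the gateway, then SSTP, in that order, skipping anything not installed,
#    and wait for each to come back so a hung service fails the task instead of going unnoticed.
if ($restartServices) {
    foreach ($name in 'IAS', 'TSGateway', 'SSTPSvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "Service $name is not installed; skipping."; continue }
        Restart-Service -Name $name -Force
        (Get-Service -Name $name).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
        Write-Host "Restarted $name."
    }
}
```

Because the script throws on every check, Certify reports the task as failed rather than silently leaving the gateway on the old certificate, and the "already applied" short-circuit means re-running the task outside a maintenance window does not bounce the services.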