You shouldn't need to delete the self-signed certificate to get Windows to use your CA generated certificate. It's possible Windows needs that self-signed cert for other non-RDP related things as well.
What group policy are you using to generate the certificate? Is it the auto-enrollment policies? Have you verified that the certificate whose thumbprint you're referencing actually exists on the target system in the Local Computer's store?
If it was working a month ago and not now, might the certificate have been renewed? If so, it would have a new thumbprint value.
If the right certificate is there, you should also check that it has a valid private key. There would be a little key icon on top of the normal cert icon in the Certificates snap-in. It would also say that in the certificate details window similar to this screenshot:
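The checks described in this answer can also be run from PowerShell. The following is an added example, not part of the original answer: it reads the thumbprint the RDP listener is bound to and looks it up in the Local Computer stores. It assumes the default listener name `RDP-Tcp` and an elevated session on the RD Session Host.

```powershell
# Added example: verify the certificate the RDP listener is bound to.
# Assumption: the listener uses the default name 'RDP-Tcp'.
$listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$bound = $listener.SSLCertificateSHA1Hash
"Listener is bound to thumbprint: $bound"

# Look for that thumbprint in the Local Computer stores RDP uses:
# Personal (My) for CA-issued certificates, Remote Desktop for the self-signed one.
$stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop'
$match = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $bound } |
        Select-Object @{ n = 'Store'; e = { $store } },
            Thumbprint, Subject, Issuer, NotBefore, NotAfter, HasPrivateKey
}

if (-not $match) {
    Write-Warning 'Bound thumbprint not found in the store. The certificate may have been renewed or removed.'
} else {
    foreach ($c in $match) {
        $c | Format-List
        if (-not $c.HasPrivateKey) {
            Write-Warning 'Certificate is present but has no private key.'
        }
        if ($c.NotAfter -lt (Get-Date)) {
            Write-Warning 'Certificate has expired.'
        }
        if ($c.Subject -eq $c.Issuer) {
            Write-Warning 'Issuer equals Subject: this is the self-signed certificate.'
        }
    }
}

# List everything in the Personal store, newest first, so a renewed
# certificate with a different thumbprint is easy to spot.
Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Sort-Object NotBefore -Descending |
    Select-Object Thumbprint, Subject, NotBefore, NotAfter, HasPrivateKey |
    Format-Table -AutoSize
```

If the bound thumbprint is missing but a newer certificate with the same subject appears in the final listing, the listener is still pointing at the pre-renewal thumbprint.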
I checked our farm yesterday and noticed that it is Windows 2008... Yours is 2012. I'm sure there are big differences, but I hope my info helps.
Opening MMC -> Certificates -> Computer account, I see 2 certificates in the "personal/Certificates" folder:
- Self-signed Certificate (same Issuer and Subject)
- Certificate issued by our Domain CA
The self-signed one shows an error in the details; does your certificate have the same error?
To solve this error, just copy and paste the certificate from "personal/Certificates" subfolder to "Trusted Root Certification Authorities/Certificates". With that step the same certificate gives no error.
After that, there are only two places where you configure the certificate (in RDS Windows 2008) that I've found.
Our RemoteApp Manager shows:
The Digital Signature settings:
And in the RD Session Host Configuration, in the settings of the connection:
In the end, if I remember correctly, we solved it by checking all options, the event viewer, making sure there were no certificate errors, populating some local groups, giving them access by the Security Policy...
Good Luck.
---- Updated ----
Remember to import, in the user profile, the Issuer CA or the certificate (if it's self-signed) into "Trusted Root Certification Authorities/Certificates" so the client doesn't get any certificate error. This point was important in our system.
Best Answer
The certificate and related private key are gone. You could get the certificate from a client but not the private key. Unless you have a backup you should consider it as lost.