In order to avoid man in the middle attacks, Hyper-V’s Virtual Machine Connection (
vmconnect.exe) requires certificates for a successful connection.Â At some point, the certificates expire, resulting in an error message when connecting to virtual machines, as described in Microsoft knowledge base article 967902, which also includes details of an update to resolve the issue, introducing an annual certificate renewal process.
Unfortunately, there is a bug in the annual certificate review process that can affect the refresh of mouse/video connections. The bug only applies to certain use cases with VMConnect (i.e. Remote Desktop connections are unaffected) and there are two possible workarounds:
- Save and restore the virtual machine (temporary workaround, until the certificate expires again in a year).
- Install new self-signed certficates on each host. It may not be the most elegant fix, but it is simple, and has a long-term effect.
Microsoft has not created an update to resolve this new issue, which only applies in certain use cases; instead they have produced a sample script that uses
makecert.exe to createÂ new Hyper-V Virtual Machine Management Service (VMMS) self-signing certificates that donâ€™t expire until 2050.Â This script should be run on every affected host and running it several times will result in multiple certificates, which is untidy, but will not cause issues.
After installing the new certificates (in the Local Computer store, at Trusted Root Certificate Authorities\Certificates and at \Personal\Certificates), theÂ VMMS should be configured to use it and then restarted. Obviously, this will affect all virtual machines running on the host, so the activity should only be carried out during a scheduled maintenance window. For organisations that do not want to use self-signed certificates, it’s also possible to use a certificate issued by a certificate authority (CA).
More details will shortly become available in Microsoft knowledge base article 2413735.