Extending certificate validity to avoid mouse/video refresh issues with the Hyper-V Virtual Machine Connection

This content is 14 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

To avoid man-in-the-middle attacks, Hyper-V’s Virtual Machine Connection (vmconnect.exe) requires certificates for a successful connection. At some point the certificates expire, resulting in an error message when connecting to virtual machines, as described in Microsoft knowledge base article 967902. That article also includes details of an update to resolve the issue, which introduces an annual certificate renewal process.

Unfortunately, there is a bug in the annual certificate renewal process that can affect the refresh of mouse/video connections. The bug only applies to certain use cases with VMConnect (i.e. Remote Desktop connections are unaffected) and there are two possible workarounds:

  1. Save and restore the virtual machine (temporary workaround, until the certificate expires again in a year).
  2. Install new self-signed certificates on each host. It may not be the most elegant fix, but it is simple, and has a long-term effect.

Microsoft has not created an update to resolve this new issue, which only applies in certain use cases; instead they have produced a sample script that uses makecert.exe to create new Hyper-V Virtual Machine Management Service (VMMS) self-signing certificates that don’t expire until 2050. This script should be run on every affected host. Running it several times will result in multiple certificates, which is untidy, but will not cause issues.

After installing the new certificates (in the Local Computer store, at Trusted Root Certificate Authorities\Certificates and at \Personal\Certificates), the VMMS should be configured to use them and then restarted. Obviously, this will affect all virtual machines running on the host, so the activity should only be carried out during a scheduled maintenance window. For organisations that do not want to use self-signed certificates, it’s also possible to use a certificate issued by a certificate authority (CA).
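To check the result on a host, the following PowerShell inventories the two Local Computer stores named above and reports expiry dates and duplicate subjects. It is an added example, not Microsoft's sample script; `$SubjectPattern` and `$WarnDays` are hypothetical parameters, and the default pattern matches every certificate, so narrow it to the subject used on your hosts.

```powershell
# Added example: read-only inventory of certificates in the Local Computer
# Personal (My) and Trusted Root Certification Authorities (Root) stores.
# $SubjectPattern and $WarnDays are assumptions; adjust them for your hosts.
param(
    [string]$SubjectPattern = '*',   # wildcard matched against the Subject
    [int]$WarnDays = 60              # flag certificates expiring this soon
)

$stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root'
$now = Get-Date

$report = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like $SubjectPattern } |
        ForEach-Object {
            $daysLeft = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
            $status = if ($daysLeft -lt 0) { 'EXPIRED' }
                      elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' }
                      else { 'OK' }
            New-Object PSObject -Property @{
                Store      = $store
                Subject    = $_.Subject
                SelfSigned = ($_.Subject -eq $_.Issuer)
                NotAfter   = $_.NotAfter
                DaysLeft   = $daysLeft
                Status     = $status
                Thumbprint = $_.Thumbprint
            }
        }
}

if (-not $report) {
    "No certificates matching '$SubjectPattern' were found."
    return
}

$report | Sort-Object Store, Subject, NotAfter |
    Format-Table Store, Subject, SelfSigned, NotAfter, DaysLeft, Status, Thumbprint -AutoSize

# Running the certificate script more than once leaves several certificates
# with the same subject in a store; list those so they can be reviewed.
$report | Group-Object Store, Subject |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "{0} certificates share: {1}" -f $_.Count, $_.Name }
```

The script only reads the stores, so it can be run outside a maintenance window.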

More details will shortly become available in Microsoft knowledge base article 2413735.
