How to Remove and Regenerate an Expired RDP Certificate using Custom Script Extension

Symptom:
Unable to connect to VM corrupt or expired RDP Certificate

Resolution:  

  1. Open up a Blank Notepad and paste the following into it:

    #sets the Certificate Store path
    $path = get-childitem -Recurse 'Cert:\LocalMachine\Remote Desktop'
    #Check the certificate date
    $path.NotAfter
    #sets the thumbprint from the cert
    $thumb = $path |Select-Object -ExpandProperty Thumbprint
    #pulls just the Machine Key Name based thumbprint
    $cert = $path.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    #Machine key properties based on the thumbprint
    $key = Get-ChildItem C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys |Where-Object {$_.Name -eq $cert}
    ###destructive part###
    #Removes the certificate
    Remove-Item -path "Cert:\LocalMachine\Remote Desktop\$thumb"
    #deletes the key
    $key | % { $_.Delete() }
    #reboot to generate a new cert
    restart-service TermService -force

  2. Save the file as RemoveMachineKeyCert.ps1

  3. Navigate to the Azure Portal

  4. Select the impacted VM

  5. Select extensions
    1

  6. Select Add

  7. Select Custom Script Extension
    2

  8. Select Create

  9. Select the RemoveMachineKeyCert.ps1 created in the previous steps

  10. Install the .ps1 file. No arguments are needed.
    3

  11. Go back to the extensions tab and wait for the Custom Script to report as successful

  12. Restart the virtual machine so the certificate can be regenerated

  13. Attempt to RDP to the machine.