How to Remove and Regenerate an Expired RDP Certificate using Custom Script Extension


Symptom: unable to connect to the VM over RDP because the RDP certificate is corrupt or expired.


  1. Open up a blank Notepad window and paste the following into it:

    # Sets the certificate store path (the Remote Desktop store in the machine context)
    $path = Get-ChildItem -Recurse 'Cert:\LocalMachine\Remote Desktop'

    # Check the certificate date
    $path | Select-Object Subject, NotAfter, Thumbprint

    # Sets the thumbprint from the cert
    $thumb = $path | Select-Object -ExpandProperty Thumbprint

    # Pulls just the machine key container name for the cert's private key (CSP-backed keys)
    $cert = $path.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName

    # Machine key file that belongs to that container name
    $key = Get-ChildItem 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys' | Where-Object { $_.Name -eq $cert }

    ### Destructive part ###

    # Removes the certificate
    Remove-Item -Path "Cert:\LocalMachine\Remote Desktop\$thumb"

    # Deletes the key file
    $key | ForEach-Object { $_.Delete() }

    # Restart Remote Desktop Services so a new self-signed certificate is generated
    Restart-Service TermService -Force


  2. Save the file as RemoveMachineKeyCert.ps1
  3. Navigate to the Azure Portal
  4. Select the impacted VM
  5. Select Extensions
  6. Select Add
  7. Select Custom Script Extension
  8. Select Create
  9. Select the RemoveMachineKeyCert.ps1 created in the previous steps
  10. Install the .ps1 file. No arguments are needed.
  11. Go back to the Extensions tab and wait for the Custom Script to report as successful
  12. Restart the virtual machine so the certificate can be regenerated
  13. Attempt to RDP to the machine.
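The following diagnostic is an added example, not part of the original post: run it on the VM (for instance through the same Custom Script Extension) before the removal script to confirm the certificate really is expired, and again after the reboot to confirm a fresh certificate exists and is the one the RDP-Tcp listener is bound to. It assumes the standard RDP-Tcp listener and reads its configured thumbprint from the Win32_TSGeneralSetting WMI class.

```powershell
# Added diagnostic (not from the original post). Reports every certificate in the
# Remote Desktop store, whether it is expired, and whether the RDP-Tcp listener
# is bound to it. Assumes the default RDP-Tcp listener exists.
function Test-RdpCertificate {
    [CmdletBinding()]
    param(
        [int]$WarnDays = 14   # flag certificates that expire within this many days
    )

    $certs = Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue

    # The listener records the SHA-1 thumbprint of the certificate it presents.
    $listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
    $listenerThumb = if ($listener) { $listener.SSLCertificateSHA1Hash.ToUpperInvariant() } else { '' }

    foreach ($c in $certs) {
        $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays
        $state = if ($c.NotAfter -lt (Get-Date)) { 'EXPIRED' }
                 elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                 else { 'OK' }
        [pscustomobject]@{
            Thumbprint      = $c.Thumbprint
            Subject         = $c.Subject
            NotAfter        = $c.NotAfter
            DaysLeft        = $daysLeft
            State           = $state
            HasPrivateKey   = $c.HasPrivateKey
            BoundToListener = ($c.Thumbprint.ToUpperInvariant() -eq $listenerThumb)
        }
    }

    if (-not $certs) {
        Write-Warning 'No certificate in Cert:\LocalMachine\Remote Desktop; TermService creates one on next start.'
    }
    elseif (-not ($certs.Thumbprint -contains $listenerThumb)) {
        Write-Warning "Listener thumbprint '$listenerThumb' does not match any certificate in the store."
    }
}

Test-RdpCertificate | Format-Table -AutoSize
```

After the reboot the table should show a single certificate with State OK, HasPrivateKey True and BoundToListener True; a different thumbprint from the pre-removal run confirms regeneration happened.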

Author: micahmckittrick

28 years old. Azure Engineer @Microsoft