How to Remove and Regenerate an Expired RDP Certificate using Custom Script Extension
Symptom:
Unable to connect to the VM over RDP because the RDP certificate is corrupt or expired.
Resolution:
Open up a blank Notepad window and paste the following into it:

# Location of the self-signed RDP certificate in the machine store
$store = 'Cert:\LocalMachine\Remote Desktop'
$certs = Get-ChildItem -Path $store

# Check the certificate date before doing anything destructive
$certs | Select-Object Subject, Thumbprint, NotAfter

# Handle every certificate in the store (normally there is exactly one)
foreach ($c in $certs) {
    # Thumbprint of the certificate
    $thumb = $c.Thumbprint

    # Name of the machine key container that holds this certificate's private key
    $keyName = $c.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName

    # Machine key file whose name matches that container name
    $key = Get-ChildItem 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys' | Where-Object { $_.Name -eq $keyName }

    ### destructive part ###
    # Removes the certificate from the store
    Remove-Item -Path "$store\$thumb"

    # Deletes the private key file
    $key | ForEach-Object { $_.Delete() }
}

# Restart Remote Desktop Services so a new certificate is generated
Restart-Service TermService -Force

Save the file as RemoveMachineKeyCert.ps1
Navigate to the Azure Portal
Select the impacted VM
Select extensions
Select Add
Select Custom Script Extension
Select Create
Select the RemoveMachineKeyCert.ps1 created in the previous steps
Install the .ps1 file. No arguments are needed.
Go back to the extensions tab and wait for the Custom Script to report as successful
Restart the virtual machine so the certificate can be regenerated
Attempt to RDP to the machine.
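The same procedure can be driven from Azure PowerShell instead of the portal, which is useful when several VMs are affected or when you want to confirm the result without opening an RDP session. The following is an added example, not part of the original article: it deploys RemoveMachineKeyCert.ps1 with the Custom Script Extension, waits for the extension to report success, restarts the VM, and then uses Run Command to list the regenerated certificate. The resource group, VM name and script URL are placeholders; the script must already be uploaded to a location the VM can fetch (for example a blob with a SAS token), and the Az.Compute module must be installed and signed in.

```powershell
# Added example (not from the original article): deploy RemoveMachineKeyCert.ps1
# through the Custom Script Extension with Az.Compute, then verify the new certificate.
# Placeholders: replace $rg, $vmName and $scriptUri with real values.
$rg        = 'rg-placeholder'
$vmName    = 'vm-placeholder'
$scriptUri = 'https://<storageaccount>.blob.core.windows.net/scripts/RemoveMachineKeyCert.ps1?<sas-token>'
$extName   = 'RemoveMachineKeyCert'

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# 1. Deploy the Custom Script Extension; -Run names the file to execute, no arguments needed
Set-AzVMCustomScriptExtension -ResourceGroupName $rg -VMName $vmName `
    -Name $extName -Location $vm.Location `
    -FileUri $scriptUri -Run 'RemoveMachineKeyCert.ps1'

# 2. Wait until the extension reports Succeeded (or give up after ~10 minutes)
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 15
    $ext = Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name $extName
    Write-Host "Extension state: $($ext.ProvisioningState)"
} while ($ext.ProvisioningState -notin @('Succeeded', 'Failed') -and (Get-Date) -lt $deadline)

if ($ext.ProvisioningState -ne 'Succeeded') {
    throw "Custom Script Extension did not succeed: $($ext.ProvisioningState)"
}

# 3. Restart the VM so Remote Desktop Services generates a fresh certificate
Restart-AzVM -ResourceGroupName $rg -Name $vmName

# 4. Non-destructive check from outside: list the certificate now in the RDP store
$checkScript = @'
Get-ChildItem 'Cert:\LocalMachine\Remote Desktop' |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter |
    Format-List
'@
$checkPath = Join-Path $env:TEMP 'CheckRdpCert.ps1'
Set-Content -Path $checkPath -Value $checkScript

$result = Invoke-AzVMRunCommand -ResourceGroupName $rg -VMName $vmName `
    -CommandId 'RunPowerShellScript' -ScriptPath $checkPath

# The output should show a NotBefore close to the restart time and a NotAfter in the future
$result.Value[0].Message
```

Run Command is used only for the read-only check at the end; the destructive removal still happens through the Custom Script Extension exactly as in the portal steps above, so the extension status in step 2 is the same "successful" report you would otherwise wait for on the Extensions tab. If NotAfter is still in the past after the restart, the old certificate was not removed and the script output in the extension's status should be reviewed before retrying.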