Azure Arc connected servers: 1 or 2 expired self signed certificates in machine My store

Question

Azure Arc connected servers: 1 or 2 expired self signed certificates in machine My store

Andre++ 21

We find that after a year any onboarded Arc connected server has 1 or 2 expired self signed certificates in its machine My store. (Microsoft.Azure.AzureDefenderForServers.MDE.Windows, Microsoft.EnterpriseCloud.Monitoring.MicrosoftMonitoringAgent, resp.)

Everything seems working normally. Agent is connected and all looks fine. However, in Defender for Servers, TVM, Certificate inventory we see thousands of these expired certificates.
Should these be renewed? Or could these safely be removed? If so, what is/was the purpose of these certificates (only used during enrollment? Why are these not removed then?)
User's image

User's image

Akshay-MSFT 17,941 Reputation points Microsoft Employee Moderator

2023-12-12T08:24:50.8533333+00:00

@Andre++

Thank you for posting your query on Microsoft Q&A. I am reviewing this and will get back to you with further inputs.

Thanks,

Akshay Kaushik

Accepted answer

0 additional answers

Your answer

Akshay-MSFT 17,941 Reputation points Microsoft Employee Moderator

2023-12-12T08:24:50.8533333+00:00

@Andre++

Thank you for posting your query on Microsoft Q&A. I am reviewing this and will get back to you with further inputs.

Thanks,

Akshay Kaushik

Answer 1

Akshay-MSFT 17,941 Microsoft Employee Moderator

@Andre++

Thank you for your time and patience, from above description I could understand that you are looking for advisory on the following:

What is the purpose of certificate issued from Microsoft Defender for endpoint or Microsoft Monitoring agent?
Is it safe to remove the expired certificates?

Please do correct me if you find any discrepancies in above ask by responding in the comments:

Purpose of the certificate is that each extension creates a certificate to establish secure connection with the backend (Azure service, in your case MDE and Azure Monitor). Also, certificate is used for authentication. A new certificate should automatically renew when the certificate expired.

You may delete the expired certificates as new one should automatically be renewed after the predefined threshold by Azure services. As the services don't have any mechanism to delete the certificate from any VMs/Azure ARC.

Thanks,

Akshay Kaushik

Please "Accept the answer(Yes)" and "share your feedback ". This will help us and others in the community as well.

Andre++ 21 Reputation points

2023-12-12T09:11:50.0533333+00:00

Thank you for your response. Though I accept the answer as this helps me a bit further, I don't see any renewed certificates for the same Subject and purpose. In fact, except from a machine certificate from our internal PKI, these are the only two certificates in the My store of the machine.

What then strikes as odd is that the communication for both the Connected Machine Agent as well as the Defender for Endpoint shows no issues at all, for none of the about 2000 servers.
Akshay-MSFT 17,941 Reputation points Microsoft Employee Moderator

2023-12-12T09:51:17.2166667+00:00

@Andre++

Thank you for your response. Please be informed that for each extension you there is a separate certificate issued and the multiple certs you see could be due to Stopping and starting the VM every day.

As per documented cause on Azure IAAS, The multiple-certificate issue can occur if you stop and start the VM every day. When you use the VM in this manner, a new certificate must be issued after each VM restart and this has following solutions:

Solution 1: Delete the old certificates

You can delete the old certificates and keep only the latest certificates. The VM agent automatically re-creates the certificate if it's necessary.

Solution 2: Update the VM agent

You can update to a more recent version of the VM agent so that the old certificates are automatically deleted. For more information, refer to the following table.

Windows Azure Windows VM Agent overview

Linux Azure Linux VM Agent overview

Hope this gives you more insight.

Thanks,

Akshay Kaushik

Hope
Andre++ 21 Reputation points

2023-12-12T10:55:56.8966667+00:00

Hi, please note it is an Arc enabled on-premises server. No Azure VM.
These are the entire contents of the store
Akshay-MSFT 17,941 Reputation points Microsoft Employee Moderator

2023-12-12T11:46:02.9033333+00:00

@Andre++

Yes, this applies to Virtual machine extension management with Azure Arc-enabled servers. Please refer to Windows extensions for some of the extensions on Azure ARC server. In your scinario anytime you feel inaccuracy in the data, kindly refer to Windows extensions to install a new connector.

Thanks,

Akshay Kaushik


Windows	Azure Windows VM Agent overview
Linux	Azure Linux VM Agent overview

Share via

Azure Arc connected servers: 1 or 2 expired self signed certificates in machine My store

0 additional answers

Your answer