IIS Support Blog

Why Does an Old Certificate Reappear After Reboot in Azure VMs?

Shekhar
Microsoft
Oct 29, 2025

Issue Observed

A customer removed an expired SSL certificate from their Azure VM after installing a renewed one. However, after every reboot, the old certificate reappeared, and IIS site bindings automatically started picking it up.

Investigation Steps

1. Identify the Process Bringing Back the Certificate

To trace the root cause, we configured Sysmon following this guide:
Auditing Scenarios for Web Application Hosted in IIS - Part 1 - SSL Binding Modified | Microsoft Community Hub

We asked the customer to remove the certificate and reboot the server to reproduce the issue.
After the reboot, the certificate was reinstalled. Event logs revealed that a process named akvvm_service.exe was responsible for bringing the certificate back.

Following is the screenshot from the event log:

I then checked Task Manager for the process (7964) and saw the following:

2. What is akvvm_service.exe?

  • akvvm_service.exe is the service executable for the Azure Key Vault VM extension.
  • Purpose of this service:

3. Why Was This Happening?

The customer had multiple certificates in their Key Vault. The VM extension KeyVaultForWindows was pulling all configured certificates back into the server during every reboot.

To check the extensions:
Go to Azure VM -> Search for Extensions -> Select Extensions + applications:

This view lists all the extensions and applications configured on the VM, and here we see the KeyVaultForWindows extension configured:

Further checks revealed:

The issue occurred only in the DEV, TEST, and STG environments and not in PROD:

  • DEV, TEST, and STG environments had the KeyVaultForWindows extension installed.
  • PROD environment did not have this extension, which explained why the issue was isolated to non-PROD environments.

Resolution

We shared the following action plan:

  • Option 1: Uninstall the Key Vault VM extension to match the PROD setup.
  • Option 2: Delete or disable certificates that are no longer required in Key Vault.

The customer chose Option 2 and confirmed:

“Disabling expired certificates within Key Vault fixed the issue.”

Key Takeaways

  • If old certificates reappear after reboot, check for the Azure Key Vault VM extension.
  • This extension automatically syncs certificates from Key Vault to your VM.
  • To prevent unwanted certificates:
    • Remove the extension if not needed.
    • Or disable/delete unnecessary certificates in Key Vault.
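
The check behind Option 2, as an added example (not code from the original post): it cross-references the certificates the Key Vault VM extension observes with their state in Key Vault and flags the ones that are expired but still enabled. The settings JSON, vault records, resource names and the helper name Find-ExpiredObservedCertificate are constructed or hypothetical; the secretsManagementSettings.observedCertificates layout is assumed from the extension's documented settings schema.

```powershell
# Constructed extension settings; vault and certificate names are placeholders.
$settingsJson = @'
{ "secretsManagementSettings": {
    "certificateStoreName": "MY",
    "certificateStoreLocation": "LocalMachine",
    "observedCertificates": [
      "https://example-kv.vault.azure.net/secrets/site-cert-old",
      "https://example-kv.vault.azure.net/secrets/site-cert-new" ] } }
'@
# Constructed stand-in for Get-AzKeyVaultCertificate output (Name, Enabled, Expires).
$vaultCerts = @(
    [pscustomobject]@{ Name = 'site-cert-old'; Enabled = $true; Expires = [datetime]'2025-09-30' }
    [pscustomobject]@{ Name = 'site-cert-new'; Enabled = $true; Expires = [datetime]'2026-09-30' }
)

function Find-ExpiredObservedCertificate {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$SettingsJson,
        [Parameter(Mandatory)][object[]]$VaultCertificate,
        [datetime]$AsOf = (Get-Date)
    )
    $settings = ($SettingsJson | ConvertFrom-Json).secretsManagementSettings
    # Entries are URL strings, or objects carrying a 'url' property.
    $observed = foreach ($entry in $settings.observedCertificates) {
        $url = if ($entry -is [string]) { $entry } else { $entry.url }
        # https://<vault>.vault.azure.net/secrets/<name>[/<version>] -> <name>
        ([uri]$url).Segments[2].TrimEnd('/')
    }
    # Observed, still enabled and already expired: candidates for the
    # reappearing certificate described in the post.
    $VaultCertificate |
        Where-Object { $_.Name -in $observed -and $_.Enabled -and $_.Expires -lt $AsOf } |
        Select-Object Name, Expires
}

Find-ExpiredObservedCertificate -SettingsJson $settingsJson `
    -VaultCertificate $vaultCerts -AsOf ([datetime]'2025-10-29')

# Expired certificates currently in the machine store, for comparison:
Get-ChildItem Cert:\LocalMachine\My | Where-Object NotAfter -lt (Get-Date) |
    Select-Object Subject, Thumbprint, NotAfter

# Live inputs (Az module, signed in; <rg>, <vm>, <vault> are placeholders):
#   $settingsJson = (Get-AzVMExtension -ResourceGroupName '<rg>' -VMName '<vm>' -Name 'KeyVaultForWindows').PublicSettings
#   $vaultCerts   = Get-AzKeyVaultCertificate -VaultName '<vault>'
```

With the constructed data, only site-cert-old is reported; on a real VM, swap in the live inputs shown in the trailing comments.
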
Updated Oct 29, 2025
Version 1.0