Delay when opening VM Connect on disconnected systems

When I am building Hyper-V systems for big public demonstrations – I often build them with zero Internet connectivity.  The reason why I do this is because I never know what level of internet connection I am going to have as I travel around the world showing off cool new features.

For a while now I have struggled with the fact that when I open the VM Connect window on a virtual machine – and the host as no internet connection – it can take a really long time.  30 seconds in fact.  Well, I now know the reason for this – and I know how to work around it.

Short answer – it is all to do with certificates.

Long answer: when ever you connect to a virtual machine using the VM Connect window – we secure the connection using a certificate.  You can manually configure your own certificate (details here: https://technet.microsoft.com/en-us/library/ff935311(v=ws.10).aspx) but for most people you will use the certificate that Hyper-V auto-generates for you.  Ordinarily, when we attempt to use this certificate for the first time – we check with the Microsoft certificate authority to make sure that all the Microsoft root certificates are up to date. However, this fails if the physical computer has no Internet connection.  But we will try for 30 seconds before failing.

Now – at this point in time you might be thinking: “I use Hyper-V on my laptop without Internet connection – and I do not see a delay.  What is Ben talking about?”.  This is a problem that you will only see if your computer has *never* been connected to the Internet.  If you were connected in the past – we will have checked and stored the results in cache.

But if the Hyper-V host has never been connected to the Internet – you will see a 30 second delay each time you open VM Connect.

So what can you do about this?

Well – there are three options:

  • Connect your system to the Internet momentarily and open VM Connect once
  • Create your own certificate (per the article above)
  • Tell Windows to not attempt to update the root certificate by running these commands in PowerShell:


New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot -Name DisableRootAutoUpdate -PropertyType DWord -Value 1 –Force

Note – you are lowering the security of your system with the third option, so you should not do this on a production system, unless you have a method for manually updating root certificates in your environment.

Cheers,
Ben