Hyper-V Replica in a Workgroup: Self-Signed Cert Setup End-to-End

Hyper-V Replica is the built-in disaster-recovery layer that ships with every Hyper-V install. It asynchronously copies a VM’s disks (and optionally point-in-time snapshots) to a second standalone Hyper-V host so you can fail over if the primary disappears. In a domain environment, the auth between the two hosts uses Kerberos — easy because AD does the heavy lifting. In a workgroup, you don’t have AD, so Kerberos isn’t available and you fall back to mutual cert authentication over HTTPS:443. This post covers the workgroup path end-to-end: hosts file, DNS suffix, self-signed cert with manual trust, registry tweak to disable revocation checking, replica role configuration, and finally enabling replication on a VM. It’s more steps than the domain version but every step is mechanical — nothing gets clever.

Why workgroup needs certs at all

The replication channel between primary and replica is mutually authenticated — each host must prove it is who it says it is. In a domain, the proof is a Kerberos ticket from a domain controller both hosts trust. In a workgroup there’s no shared trust anchor, so each host presents a TLS certificate that the other host validates against its local Trusted Root store. Self-signed certs work for this if (and only if) the test root that signed them lives in BOTH hosts’ Trusted Root Certification Authorities store, AND the cert subject matches each host’s FQDN, AND certificate revocation checking is disabled (since self-signed certs have no CRL endpoint to check against).

Three constraints. Get all three right and replication works. Get any one wrong and replication fails with cryptic Event Viewer entries that don’t obviously point at the cert.

Prerequisites

Two standalone Hyper-V hosts in the SAME workgroup (or different workgroups, doesn’t matter — the cert chain provides the trust)
TCP 443 open between them in both directions
Administrator rights on both hosts
The VM you want to replicate has NO checkpoints (snapshots). If it does, merge them first via Hyper-V Manager > right-click VM > Delete Checkpoint > pick Apply now. Replicas don’t play nicely with chains of differencing disks.
Both hosts on the same network or with appropriate firewall rules end-to-end

Two hosts in the demo: HyperVHost01 (primary) and HyperVHost02 (replica). Substitute your actual hostnames everywhere.

How replication actually works

Hyper-V Replica is asynchronous — it does not block VM writes waiting for the replica to confirm. The primary host queues changes and ships them to the replica at a configured interval (default 5 minutes; options 30s, 5m, 15m). The replica applies them to its copy of the VM’s VHDX, then maintains a series of point-in-time recovery points so you can roll back to a known-good state during a failover.

Two flavours of recovery point:

File-consistent (crash-consistent) — the default. The replica VHDX is consistent at the filesystem level; if you boot it, it’s as if the VM had crashed and rebooted. Most workloads recover fine from this; databases may need to do crash-recovery on startup.
Application-consistent — uses VSS in the guest to flush in-memory state to disk before the snapshot. SQL, Exchange, anything that talks to VSS gets a clean point. Requires Hyper-V Integration Services running in the guest. Configurable interval (every Nth recovery point becomes app-consistent).

For lab and small-business use, file-consistent is fine. For databases under any non-trivial load, enable app-consistent at least every few hours.

Step 1 — static name resolution via the hosts file

Workgroup hosts can’t resolve each other by name (no DNS). Add static entries to the hosts file on BOTH hosts.

Open elevated PowerShell or Terminal (Admin).
notepad C:\Windows\System32\drivers\etc\hosts
Add lines like:

192.168.1.10   HyperVHost01.lab.com
192.168.1.11   HyperVHost02.lab.com

Use FQDNs (with a suffix like lab.com) — the cert subject in Step 3 must match these. Save and close.

Notepad open at C:\Windows\System32\drivers\etc\hosts on the primary host showing two static lines mapping IP addresses to the FQDNs HyperVHost01.lab.com and HyperVHost02.lab.com so the workgroup hosts can resolve each other without DNS — Step 1 — the hosts file edit. Workgroup means no DNS, so each host gets static entries mapping IP to FQDN for the OTHER host. Repeat on both. The FQDN must match what you’ll later use as the certificate subject — mismatches cause the cert validation to fail at replication setup.

Repeat on the other host. Each host gets BOTH entries (its own + the other one). Verify with ping HyperVHost02.lab.com — the FQDN should resolve to the IP you wrote.

Step 2 — set the Primary DNS Suffix and reboot

The host needs to report its full name as something.lab.com (or whatever suffix you used in the hosts file). Set the primary DNS suffix:

sysdm.cpl (Win+R then type) > System Properties.
Click Change next to the computer name.
Click More.
In Primary DNS suffix of this computer, type your suffix (e.g. lab.com).
OK twice, then Close.
Restart the host (Restart-Computer).

System Properties dialog Computer Name Changes dialog open with the More button clicked, exposing the Primary DNS Suffix field where lab.com has been entered to give the host a fully-qualified name that matches the certificate subject — Step 2 — set the Primary DNS Suffix so the computer reports its full name as something.lab.com (or whatever suffix you pick). Without a DNS suffix the certificate’s subject (FQDN) won’t match what the OS reports as its name, which breaks cert validation later.

After the reboot, verify the new FQDN:

$env:COMPUTERNAME    # short name
hostname             # short name, but...
[System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName    # FQDN

Elevated PowerShell window after the post-suffix-change reboot showing the output of $env:COMPUTERNAME and a hostname command confirming the host now reports its FQDN as HyperVHost01.lab.com — After the reboot, $env:COMPUTERNAME shows the short name but hostname (or [System.Net.Dns]::GetHostByName().HostName) shows the FQDN now matches the cert subject convention.

The FQDN should be HyperVHost01.lab.com (or your equivalent). This must match the certificate subject in the next step.

Step 3 — create and trust a self-signed certificate

This is the meat of the workgroup setup. Three sub-steps: generate, copy the test root to Trusted Root, verify trust.

Generate the cert

In elevated PowerShell, on each host:

New-SelfSignedCertificate -DnsName "HyperVHost01.lab.com" -CertStoreLocation "Cert:\LocalMachine\My" -TestRoot -NotAfter (Get-Date).AddYears(5)

(Replace the DnsName with the host’s actual FQDN.) Critical: the -TestRoot parameter is what makes Hyper-V willing to accept the cert. Without it the cert generates fine but Hyper-V Replica refuses it because it can’t chain the cert to a recognised root. With -TestRoot, the cmdlet ALSO drops a “CertReq Test Root” cert into the Intermediate Certification Authorities store — that’s the root you’re going to manually trust in the next sub-step.

Manually trust the test root

Open the Local Computer certificate store: certlm.msc
Expand Personal > Certificates. Your new cert is here, with subject matching the FQDN. Double-click it — it shows as untrusted at the moment.
Expand Intermediate Certification Authorities > Certificates. Find CertReq Test Root. Right-click > Copy.
Expand Trusted Root Certification Authorities > Certificates. Right-click > Paste. The test root now lives in the trusted store.
Back in Personal, reopen your cert — it should now say “This certificate is OK” (no warnings). Note the expiration date.

Local Computer certificate store (certlm.msc) with three relevant nodes expanded: the Personal store containing the freshly-generated self-signed cert, the Intermediate Certification Authorities store containing the CertReq Test Root that came with -TestRoot, and the Trusted Root Certification Authorities store after the Test Root has been pasted in — Step 3 — the certificate trust setup. New-SelfSignedCertificate -TestRoot creates the cert in Personal AND drops a CertReq Test Root cert into Intermediate. You manually copy that test root from Intermediate into Trusted Root Certification Authorities. THIS step is what makes the local host trust its own cert chain.

Repeat the entire Step 3 on the other host with its own FQDN.

Step 4 — disable certificate revocation checking

Self-signed certs don’t have a CRL endpoint, so Windows’ default behaviour of checking revocation status fails closed (rejects the cert). Disable revocation checking specifically for Hyper-V Replica:

Open Registry Editor (regedit).
Navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication. The Replication subkey may not exist if you haven’t enabled the replica role yet — create it if missing (right-click parent > New > Key).
Create or set a DWORD value named DisableCertRevocationCheck, value 1.
Close Registry Editor.

Registry Editor open at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication with a DWORD value named DisableCertRevocationCheck set to 1, the registry change that lets Hyper-V Replica accept self-signed certs that cannot be revocation-checked — Step 4 — the registry tweak that lets Hyper-V Replica accept self-signed certs. DisableCertRevocationCheck = 1 under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication. Without this, every replication attempt fails because Windows tries (and fails) to verify the cert against a CRL that doesn’t exist for self-signed certs.

Reboot the host:

Restart-Computer

Restart-Computer being invoked from PowerShell after the registry change, the mandatory reboot that lets the new DisableCertRevocationCheck value take effect across the host — Reboot after the registry change. The Replication service caches the revocation-check policy on startup; without a reboot the new setting is in the registry but the running service still enforces the old behaviour.

The reboot is mandatory — the Replication service caches the revocation-check policy at startup and won’t pick up the new value until the service restarts (cleanest via reboot).

Repeat on the other host.

Step 5 — enable the replica role in Hyper-V Settings

Now configure the replica role on the destination host (HyperVHost02 — the one that will RECEIVE replicas). For a bidirectional setup (where either host can be primary or replica for different VMs), repeat this step on both hosts.

Open Hyper-V Manager.
Right-click the host name in the navigation tree > Hyper-V Settings.
Navigate to Replication Configuration.
Tick Enable this computer as a Replica server.
Tick Use certificate-based Authentication (HTTPS).
Click Select Certificate and pick the cert you generated in Step 3. (If your cert doesn’t appear in the picker, the trust chain isn’t valid — recheck Step 3.)

Hyper-V Settings dialog Replication Configuration page on the replica host with Enable this computer as a Replica server checked, Use certificate-based Authentication (HTTPS) selected, and the self-signed certificate showing in the Select Certificate field — Step 5 — enable the replica role in Hyper-V Settings. Tick Enable this computer as a Replica server, pick HTTPS authentication, and select the cert you just made. The cert appears in the picker only if its subject matches the host’s FQDN AND its trust chain validates locally (steps 3+4 must have worked).

Lower section, Authorization and storage:

For lab use, pick Allow replication from any authenticated server.
For production, pick Allow replication from specified servers and explicitly add each primary host’s FQDN.
Set the storage path to a folder on a drive with enough capacity for the replicated VHDXes (e.g. D:\Replicas).

Same Replication Configuration page lower portion showing the Authorization and storage panel with Allow replication from any authenticated server selected and a custom storage path D:\Replicas typed into the field that will hold the replica VHDX files — Same page, lower section. For lab use, Allow replication from any authenticated server is fine. For production, switch to the more restrictive Allow replication from specified servers and explicitly list each primary host you trust. Pick a storage path on a drive with capacity for the full set of replicated VHDXes.

Click Apply. Hyper-V offers to enable the firewall rule for the HTTPS Listener — click OK to allow.

Verify the firewall rule

Open wf.msc > Inbound Rules. Find Hyper-V Replica HTTPS Listener (TCP-In) and confirm it’s enabled (right-click > Enable Rule if not).

Windows Defender Firewall with Advanced Security console (wf.msc) Inbound Rules pane with the Hyper-V Replica HTTPS Listener (TCP-In) rule highlighted and enabled, the firewall rule that opens TCP 443 specifically for the Replica listener — Apply the settings — Hyper-V offers to enable the firewall rule but verify it landed in wf.msc anyway. The HTTPS Listener (TCP-In) rule must be enabled; the HTTP Listener (TCP-In) rule (port 80) is for Kerberos-mode replication and not needed in a workgroup.

The HTTP Listener rule (port 80) is for Kerberos-mode replication and is not needed in workgroup mode — leave it disabled.

Step 6 — enable replication on the VM

This is the only step you do ONCE on the PRIMARY host (HyperVHost01) for the specific VM you want to protect.

Make sure the VM has no checkpoints. If it does, right-click the VM > Delete Checkpoint > Apply now (or use Remove-VMSnapshot in PowerShell). Replicas need a clean single-VHDX setup.

In Hyper-V Manager on the primary, right-click the VM (e.g. TestVM01) > Enable Replication.

Hyper-V Manager right-click context menu on TestVM01 with the Enable Replication action highlighted, the entry point into the Enable Replication wizard that pairs this VM with the replica host — On the PRIMARY host (NOT the replica), right-click the VM you want to protect and pick Enable Replication. This is the only step that runs only on one side — everything else is bilateral.

Click Next on the intro page.

Specify Replica Server: type the FQDN of the destination (e.g. HyperVHost02.lab.com). Click Next.

Enable Replication wizard Specify Replica Server page with HyperVHost02.lab.com typed into the Replica Server field and the Browse and Test buttons visible, ready to advance once the FQDN is validated — Wizard step — specify the replica server. Use the FQDN you put in the hosts file. Click Test (if available) or just Next; if name resolution fails, double-check the hosts file edits on this host and the FQDN matches exactly.

Specify Connection Parameters: pick HTTPS auth, port 443, and the cert from Step 3. The wizard validates against the destination here — if cert validation fails, recheck Step 3 and Step 4 on the destination host.

Enable Replication wizard Specify Connection Parameters page with Use certificate-based Authentication (HTTPS) selected, port 443 displayed, and the chosen certificate listed in the certificate selection box — Pick HTTPS auth and the cert. Hyper-V validates the cert against the replica server it discovered — if validation fails here the wizard refuses to advance. Most common cause: the replica host hasn’t been rebooted after the DisableCertRevocationCheck registry change.

Compress data: tick the box. Saves bandwidth without much CPU cost. Next.
Choose Replication VHDs: usually all of them. Uncheck only if you want to omit specific disks. Next.

Enable Replication wizard Choose Replication VHDs page showing all VHD files attached to the VM with checkboxes ticked, indicating every disk will be replicated to the destination — Tick the VHDs to replicate. Default is all of them; uncheck only if you want to leave some disks out (e.g. a temporary scratch disk you don’t need replicated).

Configure Replication Frequency: 5 minutes is the sensible default. 30 seconds is for very low-RPO needs and chews more bandwidth. 15 minutes is for low-priority workloads. Next.
Configure Recovery Points: for simple labs, default. For richer recovery options, raise the additional-recovery-points slider so the replica retains historical points (useful for ransomware rollback). Enable application-consistent if your workload talks to VSS (SQL, Exchange). Next.

Enable Replication wizard Configure Replication Frequency and Recovery Points page with the frequency dropdown set to 5 minutes and the additional-recovery-points slider set to retain a number of historical points alongside the latest — Replication frequency. Default 5 min is the sweet spot for most workloads — tight enough to keep RPO low, loose enough not to saturate the network. The additional-recovery-points slider keeps historical snapshots; useful for ransomware rollback (revert to a clean point from before infection).

Initial Replication Method: over the network is fine for small VMs. For large VMs, choose “Send initial replica using external media” and ship a USB drive with the VHDX export — saves hours of network time.
Summary > Finish. Replication starts.

Watch the VM’s state in Hyper-V Manager — on primary it shows Sending initial replica; on replica it shows Receiving changes. Once initial replication completes, the steady state is health = Normal and replication runs at the configured interval.

Verify and monitor

After initial replication completes:

On primary: right-click the VM > Replication > View Replication Health. Should show: Replication enabled, Primary server, Health: Normal. Stats include last replication time, average replication size, longest write latency.
On replica: same right-click > View Replication Health. Should show: Replica server, with the primary’s FQDN listed. Health: Normal.

If anything other than Normal shows up, check Event Viewer at Applications and Services Logs > Microsoft > Windows > Hyper-V-VMMS > Admin. Common errors:

“The certificate is not trusted” — revisit Step 3 (cert in Trusted Root)
“Revocation status of the certificate could not be determined” — revisit Step 4 (registry + reboot)
“The remote computer was not found” — revisit Step 1 (hosts file entries on BOTH sides)
“The host name in the certificate is invalid” — revisit Step 2 (DNS suffix matches cert subject)

Recovery points: how the math actually works

The recovery-points UI is genuinely confusing the first time you see it — the FAQ section in the source post addresses three common questions. Here’s the short version:

Does 24 recovery points mean 24x the storage?

No. Recovery points are differential, not full copies. Hyper-V uses copy-on-write under the hood — each point only stores the BLOCKS that changed since the previous point. A VM that’s mostly idle generates tiny deltas; one under heavy write load generates bigger ones. Total replica storage = full VHDX size + sum of deltas across retained points. For most workloads, retaining 24 hourly points adds 10–30% on top of the base VHDX size, not 24x.

If replication frequency is 5 min, doesn’t a 24-hour retention window mean huge RPO?

RPO and recovery-point retention are independent settings. RPO = how often replication copies changes (5 min in this example). Retention = how many historical points are kept on the replica for rollback purposes. A typical setup: 5-min RPO + 24 hourly recovery points retained. That means: under normal failover you recover to the latest replicated state (5 min behind primary). For ransomware rollback, you can also recover to any point up to 24 hours back. The 24-hour retention is for AUDIT and ROLLBACK; it doesn’t change RPO.

What if I only keep the latest recovery point?

RPO is determined by replication frequency, not retention. If frequency = 5 min, RPO is 5 min regardless of how many historical points you retain. Latest-only is the simplest and most space-efficient configuration; it just means you can’t roll back to a point in the past during failover — you can only resume from the most recent replicated state.

Enable Replication wizard Configure Recovery Points detail screen used in the FAQ section, the configurable panel that defines how many recovery points are retained, the application-consistent VSS interval, and the recovery point retention window — Recovery Points configuration in detail (FAQ context). Number of recovery points = number of point-in-time snapshots stored on the replica. They use copy-on-write, so 24 points doesn’t mean 24x storage — only the deltas between points consume extra space. The application-consistent interval picks every Nth point to be VSS-snapshotted (database-aware) instead of the default file-consistent (crash-consistent).

Things that bite people

Cert subject doesn’t match FQDN

You generate a cert with DnsName = “HyperVHost01” (no suffix) but the host is configured with DNS suffix “lab.com” so it reports as HyperVHost01.lab.com. Cert validation fails because the subject doesn’t match. Fix: regenerate the cert with the full FQDN as DnsName.

Forgetting to copy the test root on the OTHER host

Each host has its own self-signed cert. Each host generates its OWN test root (via -TestRoot). For mutual auth to work, host A must trust host B’s test root and vice versa. If you only configure trust on one side, replication fails at the auth step. Verify on each host that the trusted root store contains entries from both sides.

Forgetting the reboot after the registry change

You set DisableCertRevocationCheck = 1 and immediately try to enable replication. It fails with a revocation-check error. The registry value is correct but the running Replication service hasn’t reloaded. Reboot. (Restarting just the VMMS service might work; reboot is reliable.)

Trying to enable replication on a VM with checkpoints

Replicas need a clean single-VHDX setup. Checkpoints create chains of differencing disks; the wizard refuses with an unhelpful error. Merge checkpoints first via Hyper-V Manager > right-click VM > Delete Checkpoint > Apply now (do this on the active checkpoint to merge).

Bandwidth-bound initial replication

For a multi-hundred-gigabyte VM over a slow link, the initial replication can take days. Use the offline initial replication option: Hyper-V exports the VHDX to external media, you ship the drive to the replica site, import it, and replication starts from the imported state. Subsequent deltas use the network as normal.

Firewall on the OUTBOUND side

Most attention goes to the inbound HTTPS Listener rule on the replica side. Forgotten: the primary host also needs OUTBOUND TCP 443 allowed if its outbound firewall is restrictive. Check both directions if replication can’t establish.

Time skew between hosts

Cert validation is sensitive to clock differences. If primary and replica disagree on the time by more than ~5 minutes, validation can fail with cert-validity errors. Both hosts should sync to a common NTP source (workgroups can’t use the AD time hierarchy — configure w32time to point at pool.ntp.org or your internal time source).

Cert expires after 5 years (or whatever you specified)

Self-signed certs created with this recipe have an explicit expiration. After it expires, replication fails. Set a calendar reminder for 11 months before expiration to regenerate the cert (and re-add the new test root to the trusted store on both hosts).

Where this fits

Hyper-V Replica in workgroup mode is the standard DR pattern for small businesses, branch offices, and lab environments where a full domain isn’t justified. The certificate-trust gymnastics in this post are the price of admission for skipping AD. For broader Hyper-V context, see the Hyper-V Virtualization pathway — this post is the start of a 5-part Hyper-V Replica series (Parts 2–5 cover test failover, planned failover, and unplanned failover). For the Active Directory alternative path that uses Kerberos instead of certs, see the Active Directory pathway.

Tags: #Disaster Recovery #Hyper-V #Hyper-V Manager #Hyper-V Replica #PowerShell #Self-Signed Certificate #Virtualization #Workgroup