TenantEncryptionCert on VM created in Azure
TenantEncryptionCert certificates are used by the Azure Guest Agent (GA) and its extensions.
You'll usually see one when an extension uses Protected Settings (passwords and similar secrets): the payload has to be transferred securely between the WireServer (the host node) and the VM, so it is encrypted, and a certificate is needed for that.
The certificate is automatically created and managed by the GA. You shouldn’t really care about it.
The GA checks for the presence of the certificate on startup and on update. If you delete it, or it is missing for any other reason, the GA creates a new one.
Note that the GA doesn't clean up expired certificates… so you might end up with a lot of them in the certmgr console. For this reason you can safely delete the expired ones.
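As an added example (not from the original post), here is a PowerShell snippet that lists the TenantEncryptionCert certificates in the machine store and removes only the expired ones, as a dry run by default. It assumes the certificates live in Cert:\LocalMachine\My and carry "TenantEncryptionCert" in their Subject; neither detail is stated in the post, so check the certmgr console first.

```powershell
# Added example, not from the original post. Assumes the certificates live in
# Cert:\LocalMachine\My and have "TenantEncryptionCert" in their Subject.
# Run in an elevated PowerShell session on the VM. Reports only unless -Remove is given.
param(
    [switch]$Remove   # pass -Remove to actually delete; default is a dry run
)

$store = 'Cert:\LocalMachine\My'
$now   = Get-Date

$certs = @(Get-ChildItem -Path $store |
    Where-Object { $_.Subject -like '*TenantEncryptionCert*' })

if ($certs.Count -eq 0) {
    Write-Host "No TenantEncryptionCert certificates found in $store"
    return
}

# Keep every certificate that is still valid (the GA relies on the current one);
# only certificates past their NotAfter date are candidates for removal.
$valid   = @($certs | Where-Object { $_.NotAfter -gt $now })
$expired = @($certs | Where-Object { $_.NotAfter -le $now })

Write-Host ("Found {0} TenantEncryptionCert cert(s): {1} valid, {2} expired" -f `
    $certs.Count, $valid.Count, $expired.Count)

# Show what is in the store so the decision is visible before anything is deleted.
$certs | Sort-Object NotAfter |
    Select-Object Thumbprint, NotBefore, NotAfter,
        @{ Name = 'Expired'; Expression = { $_.NotAfter -le $now } } |
    Format-Table -AutoSize | Out-Host

foreach ($cert in $expired) {
    $path = Join-Path $store $cert.Thumbprint
    if ($Remove) {
        Remove-Item -Path $path
        Write-Host "Removed expired cert $($cert.Thumbprint) (expired $($cert.NotAfter))"
    } else {
        Write-Host "Would remove expired cert $($cert.Thumbprint) (expired $($cert.NotAfter)); re-run with -Remove"
    }
}
```

Valid certificates are never touched, so if the GA has just created a fresh one it stays in place.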
HTH