Suppress SPN registration for Hyper-V services
In domain environments, when the Hyper-V Virtual Machine Management service starts, it registers six SPNs on the system's computer account in AD, corresponding to three services:
- Hyper-V Replica Service
- Microsoft Virtual Console Service
- Microsoft Virtual System Migration Service
In some scenarios it would be useful to suppress the automatic registration of these SPNs. For example, I manage several secure networks which include Windows Server 2016 VMs which utilise Virtualization Based Security features. These VMs require the Hyper-V role to be installed as a dependency of VBS but do not host any VMs. There is no valid scenario where any clients should be connecting to these systems using any of these SPNs.
A registry option for advanced users to toggle this behaviour would be ideal. Another option could be to simply disable the VMMS service on such systems, but it's unclear if this has an impact on VBS (or future) features which may depend on the service. It would also be less flexible, as there are some edge cases where suppression of SPN registration may be desirable even on systems which do have the Hyper-V role installed (e.g. developer systems where remote access to Hyper-V services is not required).
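For auditing where these registrations currently exist, the following is an added example and not part of the original post: it lists the computer accounts that carry SPNs for the three services above. It assumes the ActiveDirectory (RSAT) module is available and that each SPN's service class is the service name exactly as listed in the post.

```powershell
# Added example: inventory computer accounts that carry Hyper-V SPNs.
# Read-only; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumption: the SPN service class equals the service name listed in the post.
$serviceClasses = @(
    'Hyper-V Replica Service',
    'Microsoft Virtual Console Service',
    'Microsoft Virtual System Migration Service'
)

# The post states six SPNs per host (three services, two names each).
$expectedCount = 6

# Build one LDAP OR filter with a wildcard clause per service class.
$clauses    = $serviceClasses | ForEach-Object { "(servicePrincipalName=$_/*)" }
$ldapFilter = "(|$(-join $clauses))"

Get-ADComputer -LDAPFilter $ldapFilter -Properties servicePrincipalName |
    ForEach-Object {
        $computer = $_

        # Keep only the SPNs whose service class is one of the three above.
        $hits = @($computer.servicePrincipalName | Where-Object {
            $class = ($_ -split '/', 2)[0]
            $serviceClasses -contains $class
        })

        [pscustomobject]@{
            Computer       = $computer.Name
            HyperVSpnCount = $hits.Count
            # Partial sets can mean manual cleanup or a failed registration.
            FullSet        = ($hits.Count -eq $expectedCount)
            HyperVSpns     = $hits -join '; '
        }
    } |
    Sort-Object Computer |
    Format-Table -AutoSize -Wrap
```

Comparing this output against the list of systems that actually host VMs shows which accounts, such as the VBS-only guests described above, carry the SPNs without needing them.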