Azure Arc Windows Admin Center Extension: RetrieveCertificate: Failed to retrieve certificate from key vault using app service

👁 Image

Jshot 15 Reputation points

I'm seeing the following extension error when attempting to install the Windows Admin Center extension. The install process occurs but then the extension goes into a "Failed" state with the following message - anyone else run into this problem?

RetrieveCertificate: Failed to retrieve certificate from key vault using app service

👁 Image

Leonardo Mariano Côco 155 Reputation points

Hi — yes, I’ve seen that one. It usually means the WAC extension’s app service identity can’t read the certificate from the Key Vault (permissions/network), so the install completes and then flips to Failed when it tries to fetch the cert.

Quick things to check:

Key Vault access: make sure the identity used by the extension/app service has Get permission for Certificates and Secrets (KV certs are backed by a secret).

Networking: if the Key Vault has public access disabled, firewall restrictions, or private endpoint only, the app service won’t be able to reach it unless you’ve set that up accordingly.

Correct vault/cert: confirm the cert exists, isn’t disabled/expired, and you’re pointing to the right Key Vault and certificate name/version.

If you can share whether your Key Vault is using RBAC or access policies, and whether public network access is disabled, it’s usually possible to pinpoint the exact fix in one step.
👁 Image

Jshot 15 Reputation points

Isn’t it all managed by the azure arc service? I don’t recall seeing anything about Key Vaults within the arc documentation.
👁 Image
Suchitra Suregaunkar 14,595 Reputation points • Microsoft External Staff • Moderator
Hello Jshot

The error “RetrieveCertificate: Failed to retrieve certificate from key vault using app service” typically indicates that the Windows Admin Center (WAC) extension's managed identity isn't able to fetch the certificate from Key Vault. This occurs after installation, when it attempts to access the certificate and fails, flipping the extension state to "Failed".

As a resolution Confirm Key Vault Permissions:

Ensure the principal identity that the extension is using, typically the system- or user-assigned managed identity of the WAC App Service, has these Key Vault access rights:

Get permissions on Certificates and Secrets (since certificate objects are backed by secrets).

To check and assign:

In the Key Vault, navigate to Access policies (if using Vault policies) or Role assignments (if using Azure RBAC).

Add or assign:

Certificates → Get

Secrets → Get

Target the specific identity (e.g., Microsoft.Web/sites/WAC…).

Verify Network Access: If your Key Vault has a restricted network policy:

Confirm public network access is enabled, or

If using a private endpoint, ensure the App Service can reach it via VNet integration or Private Endpoint configuration.

Double-check:

Firewall and VNet/subnet access

Integration of App Service with the required VNet

Validate Certificate Availability: Make sure The certificate exists and is not disabled, expired, or deleted and The URL, certificate name, and version (if specified) match exactly

Identify Identity Configuration:

Note whether:

You’re using Access policies or Azure RBAC

The managed identity is system-assigned or user-assigned

Often issues arise when mixing RBAC and certificate identity methods even slight misconfigurations here disrupt retrieval.

If you have any other queries, please do let us know.

Thanks,
Suchitra.
👁 Image

Jshot 15 Reputation points

I don't believe this is needed for the Azure Arc WAC extension - it's a managed service/extension. What else could be the problem, preventing the extension from working?
👁 Image

Leonardo Mariano Côco 155 Reputation points

You’re right that you don’t “host” the app service yourself, but the extension still has to pull a cert from your Key Vault somehow — so it ends up being the same two buckets: identity/permissions or network.

What I’d check next:

How the Key Vault is locked down: if Public network access is disabled / firewall is restricted / private endpoint only, the managed extension often can’t reach it and you’ll get exactly this error.

Which access model the vault is using: if the vault is set to RBAC, but the expected permissions were configured under Access Policies (or vice-versa), retrieval will fail even though it “looks configured”.

Scope of permissions: the identity needs Secrets Get as well as Certificates Get (KV certs are backed by a secret). If only Certificates are granted, it still fails.

Wrong identity: verify which managed identity/service principal the extension is actually using (system vs user-assigned) and grant access to that exact object.

If you can share two things — (1) whether Key Vault public access is disabled / private endpoint only, and (2) whether the vault is using RBAC or access policies — we can usually pinpoint the cause quickly.
👁 Image

Jshot 15 Reputation points

How do I instruct the extension to use the specific key vault?
👁 Image

Suchitra Suregaunkar 14,595 Reputation points • Microsoft External Staff • Moderator

Hello Jshot

Even though the WAC extension is managed by Azure Arc, it still depends on the Connected Machine Agent, local services on the server, and outbound connectivity to Azure. If the agent is unhealthy, outdated, blocked by firewall/proxy, or the local WAC service fails to start, the extension can install successfully and then transition to Failed during post‑install initialization.

Thanks,
Suchitra.
👁 Image
Suchitra Suregaunkar 14,595 Reputation points • Microsoft External Staff • Moderator
Hello Jshot

You explicitly specify which Key Vault and certificate the Azure Arc WAC extension should use when you deploy or update the extension, it’s not automatic. Use the KeyVaultForWindows extension, and configure it with your vault URI and certificate details in the settings.

Prepare your settings JSON:

Define your certificate and Key Vault details like this:

$Settings = @{ secretsManagementSettings = @{ observedCertificates = @( "https://<YourVaultName>.vault.azure.net/secrets/<YourCertName>" ) certificateStoreLocation = "LocalMachine" certificateStoreName = "My" pollingIntervalInS = "3600" } authenticationSettings = @{ msiEndpoint = "http://localhost:40342/metadata/identity" } }

observedCertificates uses the full certificate Secret URI → vault + cert name.

Deploy the extension using Azure PowerShell:

Run this to deploy it to your Arc-enabled server:

New-AzConnectedMachineExtension ` -ResourceGroupName $rg ` -MachineName $arcMachine ` -Name "KeyVaultForWindows" ` -Publisher "Microsoft.Azure.KeyVault" ` -ExtensionType "KeyVaultForWindows" ` -Location $location ` -Setting (ConvertTo-Json $Settings)

This tells the extension which vault and cert to watch and download.

Reference: https://www.markou.me/2024/09/how-to-use-the-key-vault-extension-to-acquire-certificates-on-arc-enabled-windows-servers/

(Optional) Update the extension

To change vault/cert later, use:

Set-AzConnectedMachineExtension ` -ResourceGroupName $rg ` -MachineName $arcMachine ` -Name "KeyVaultForWindows" ` -Setting (ConvertTo-Json $NewSettings)

This reconfigures the extension to use the new certificate details.

Please let me know if this is helpfull.

Thanks,
Suchitra.
👁 Image

Jshot 15 Reputation points

I don't see this in the Azure portal UI. When you attempt to setup the Windows Admin Center extension for an Arc-enabled machine it simply asks for the port to use and that's it.
👁 Image

Suchitra Suregaunkar 14,595 Reputation points • Microsoft External Staff • Moderator

Hello Jshot

Some extensions, such as the Azure Key Vault VM extension, don't support deployment from the Azure portal. Use the Azure CLI, Azure PowerShell, or an ARM template to deploy this extension.

please follow the above steps that I have provided and also refer below documents for more details.

👁 User's image

Reference:

https://www.markou.me/2024/09/how-to-use-the-key-vault-extension-to-acquire-certificates-on-arc-enabled-windows-servers/

https://docs.azure.cn/en-us/azure-arc/servers/manage-vm-extensions-portal#enable-extensions

https://docs.azure.cn/en-us/azure-arc/servers/manage-vm-extensions-cli#list-extensions-installed

https://learn.microsoft.com/en-us/cli/azure/connectedmachine/extension?view=azure-cli-latest

https://learn.microsoft.com/en-us/azure/cloud-services-extended-support/enable-key-vault-virtual-machine?source=recommendations

Thanks,

Suchitra.
👁 Image

Jshot 15 Reputation points

I'm not trying to install the vault extension - I'm simply trying to install the Windows Admin Center extension onto an Azure-enabled machine.
👁 Image
Suchitra Suregaunkar 14,595 Reputation points • Microsoft External Staff • Moderator
Hello Jshot

Could you please run below command and let us know the status?
azcmagent show

Which azcmagent version is installed?

Also please share us the error message screenshots?

Thanks,

Suchitra.
👁 Image

Jshot 15 Reputation points

👁 User's image

👁 User's image

👁 User's image

Extension Message: Executing Enable operation, CheckingCompatibility: Checking if system is compatible with Windows Admin Center, CheckingWACInstallationStarted: Checking if Windows Admin Center installation has started, SearchingForWindowsAdminCenter: Windows Admin Center is not installed, ExecutingWindowsAdminCenterInstaller: Executing Windows Admin Center installer (attempt number: 1), AttemptingToInstallWindowsAdminCenter: Attempting to install Windows Admin Center, SettingDnsRecords: Creating/updating DNS records, GetDataFromMetadataService: Getting data from Azure metadata service, GetInstanceMetadataForArc: Retrieving the virtual machine instance metadata information, GettingWacPort: Getting Windows Admin Centers configured port, UpdatingWindowsAdminCenterConfiguration: Updating Windows Admin Center Configuration, StoppingWindowsAdminCenterService: Stopping Windows Admin Center service, UpdatingInstallationTypeSettings: Updating Installation type for Windows Admin Center, UpdatingCSPSettings: Updating CSP Frame Ancestors for Windows Admin Center, UpdatingCORSSettings: Updating CORS origins for Windows Admin Center, UpdatingPort: Updating port for Windows Admin Center, UpdatingWebSocketValidationOverride: Updating WebSocket validation override settings, UpdatingTokenAuthenticationEnabled: Updating token authentication setting, UpdatingAutoUpdate: Updating auto update setting, SettingProxy: Updating proxy for Windows Admin Center, GettingWacPort: Getting Windows Admin Centers configured port, UpdatingWindowsAdminCenterConfiguration: Updating Windows Admin Center Configuration, GetDataFromMetadataService: Getting data from Azure metadata service, GetInstanceMetadataForArc: Retrieving the virtual machine instance metadata information, TestWACAppServiceReachability: Testing reachability of Application Web Service of Windows Admin Center, GetAccessTokenForArc: Getting access token from Azure Arc's identity endpoint, GetDataFromMetadataService: Getting data from Azure metadata service, GetInstanceMetadataForArc: Retrieving the virtual machine instance metadata information, RetrieveCertificate: Failed to retrieve certificate from key vault using app service
👁 Image
Suchitra Suregaunkar 14,595 Reputation points • Microsoft External Staff • Moderator
By looking into the screenshot and error message the failure occurs during the Windows Admin Center extension’s internal certificate retrieval step. This is not user configurable and does not require Key Vault setup. The extension requires unrestricted outbound HTTPS access without SSL/TLS inspection. If a firewall or proxy performs HTTPS interception, the certificate handshake fails and the extension moves to Failed. The resolution is to bypass TLS inspection for Azure/Windows Admin Center traffic, then uninstall and reinstall the extension. If this cannot be allowed, the WAC Arc extension is not supported in that environment.

Please verify the following on the Arc‑enabled machine:

Outbound HTTPS (port 443) must be allowed

The server must be able to access the internet over HTTPS.

No inbound ports are required.

No SSL / TLS inspection on outbound traffic

If your firewall, proxy, or security appliance intercepts or re‑signs HTTPS traffic, the WAC extension will fail.

TLS inspection must be disabled or bypassed for Azure traffic.

Proxy check (if applicable)

If the server uses a proxy, it must:

Allow direct HTTPS traffic

Not perform certificate inspection or re‑encryption

Retry after network change

Once the above is confirmed:

Uninstall the Windows Admin Center extension

Wait a few minutes

Reinstall it from the Azure portal

Could you please check network settings and let me know the results?

Thanks,

Suchitra.
👁 Image

Josh W 5 Reputation points

I am having the same issue, i have done a deep dive into this:

at Invoke-EnableOperation, C:\Packages\Plugins\Microsoft.AdminCenter.AdminCenter\0.70.0.0\Sme.VmExtension\Sme.VmExtension.psm1: line 301

at <ScriptBlock>, C:\Packages\Plugins\Microsoft.AdminCenter.AdminCenter\0.70.0.0\WACScripts\WACEnableOperationScript.ps1: line 5

[2026-02-23T12:18:51Z] WARNING: | | Retrying request to reach WAC service for certificate in 2 seconds

[2026-02-23T12:18:53Z] WARNING: | | The remote server returned an error: (401) Unauthorized.

[2026-02-23T12:18:53Z] WARNING: | | at <ScriptBlock>, C:\Packages\Plugins\Microsoft.AdminCenter.AdminCenter\0.70.0.0\Sme.VmExtension\Sme.VmExtension.WacService\Sme.VmExtension.WacService.psm1: line 258

at Invoke-OperationWithLogging, C:\Packages\Plugins\Microsoft.AdminCenter.AdminCenter\0.70.0.0\Sme.VmExtension\Sme.VmExtension.Logging\Sme.VmExtension.Logging.psm1: line 341

at Invoke-Operation, C:\Packages\Plugins\Microsoft.AdminCenter.AdminCenter\0.70.0.0\Sme.VmExtension\Sme.VmExtension.Logging\Sme.VmExtension.Logging.psm1: line 285

at Get-CertificateFromWacAzureService, C:\Packages\Plugins\Microsoft.AdminCenter.AdminCenter\0.70.0.0\Sme.VmExtension\Sme.VmExtension.WacService\Sme.VmExtension.WacService.psm1: line 309

at <ScriptBlock>, C:\Packages\Plugins\Microsoft.AdminCenter.AdminCenter\0.70.0.0\Sme.VmExtension\Sme.VmExtension.psm1: line 257

at Invoke-OperationWithLogging, C:\Packages\Plugins\Microsoft.AdminCenter.AdminCenter\0.70.0.0\Sme.VmExtension\Sme.VmExtension.Logging\Sme.VmExtension.Logging.psm1: line 341

at Invoke-Operation, C:\Packages\Plugins\Microsoft.AdminCenter.AdminCenter\0.70.0.0\Sme.VmExtension\Sme.VmExtension.Logging\Sme.VmExtension.Logging.psm1: line 276

at Invoke-EnableOperation, C:\Packages\Plugins\Microsoft.AdminCenter.AdminCenter\0.70.0.0\Sme.VmExtension\Sme.VmExtension.psm1: line 301

at <ScriptBlock>, C:\Packages\Plugins\Microsoft.AdminCenter.AdminCenter\0.70.0.0\WACScripts\WACEnableOperationScript.ps1: line 5

[2026-02-23T12:18:53Z] WARNING: | | Retrying request to reach WAC service for certificate in 9 seconds

[2026-02-23T12:19:02Z] WARNING: | | The remote server returned an error: (401) Unauthorized.
👁 Image

Josh W 5 Reputation points

https://www.reddit.com/r/AZURE/comments/1rcglfw/azure_arc_windows_admin_center_extension_failing/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button
👁 Image

Frank van Zandwijk 0 Reputation points

This is also affecting us as well as some of our customers. We'll be opening up support cases accordingly since this appears to be a Microsoft issue.
👁 Image

Jshot 15 Reputation points

Diving into the logs I'm seeing the same thing Josh W reported - The remote server returned an error: (401) Unauthorized. Installation on multiple VMs, multiple regions, and multiple WAC versions all fail with the same error. Version 0.66 used to be our workaround, but it also fails now.

@Suchitra Suregaunkar what's going on?

@Josh W any luck on your end?
👁 Image

Josh W 5 Reputation points

@Jshot

Me and my colleague posted it in reddit, https://www.reddit.com/r/AZURE/comments/1rcglfw/azure_arc_windows_admin_center_extension_failing/?rdt=41431

a couple of weeks later, something must have changed / been fixed. Its been working for a couple of months now.

1 answer

👁 Image

Peter Mavrakis 20 Reputation points

We are having the same issue. Our windows admin center access suddenly died on our azure local instances, and we've been trying to reinstall the extension, but getting the same error.
👁 Image

Jshot 15 Reputation points

Did you ever figure it out?
Sign in to comment

URL: https://learn.microsoft.com/en-us/answers/questions/5720460/azure-arc-windows-admin-center-extension-retrievec

⇱ Azure Arc Windows Admin Center Extension: RetrieveCertificate: Failed to retrieve certificate from key vault using app service - Microsoft Q&A

Azure Arc Windows Admin Center Extension: RetrieveCertificate: Failed to retrieve certificate from key vault using app service

1 answer

Your answer