Problem Statement – Azure Arc Onboarding Failure (TLS Trust Relationship Issue)

Raj Anand 20 Reputation points Microsoft Employee

We are currently attempting to onboard Windows‑based on‑premises servers to Azure Arc‑enabled Servers using the standard onboarding script generated from the Azure Portal (Connected Machine Agent deployment via PowerShell).

During execution of the onboarding script (azure.ps1), the installation process fails at the step where the script attempts to establish HTTPS connectivity to the Azure Arc Hybrid Identity Service endpoint.

The following error is consistently observed:

Invoke-WebRequest : The underlying connection was closed:
Could not establish trust relationship for the SSL/TLS secure channel.

At C:\Users\Administrator\Desktop\azure.ps1:66 char:5
+ Invoke-WebRequest -UseBasicParsing -Uri "https://gbl.his.arc.azure.com"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : InvalidOperation:
(System.Net.HttpWebRequest:HttpWebRequest)
FullyQualifiedErrorId : WebCmdletWebResponseException
  1. Raj Anand 20 Reputation points Microsoft Employee

    Thank you Suchitra, I appreciate your response, as the customer is facing issues.

  2. Suchitra Suregaunkar 14,595 Reputation points Microsoft External Staff Moderator

    Hello Raj Anand

    Thank you for sharing the details.

    If the Azure Connected Machine agent onboarding is failing even after the required Azure Arc endpoints are allowed through the firewall or proxy, this behavior is commonly observed when the Windows machine does not have the required TLS cipher suites enabled.

    Starting from Connected Machine Agent version 1.56 for Windows, the agent may fail to establish outbound connectivity to Azure endpoints even when network access is permitted, if the machine does not support the recommended TLS 1.2 or TLS 1.3 cipher suites.

    • Azure Arc agent communication occurs over HTTPS using SSL/TLS with officially signed certificates. The agent communicates securely with Azure services over TCP port 443.
    • If the agent is unable to reach Azure endpoints even after they are allowed, you must ensure that the required TLS 1.2 / TLS 1.3 cipher suites are enabled on the Windows machine.

    When these cipher suites are disabled (often due to domain GPO hardening or legacy OS configurations), the TLS handshake with Azure Arc service endpoints fails. This results in onboarding or connectivity failures even though DNS resolution and outbound network access appear to be functioning correctly.

    As a resolution, please review the TLS configuration on the affected Windows server and ensure that at least one of the Microsoft‑recommended TLS 1.2 or TLS 1.3 cipher suites is enabled at the OS or GPO level.

    If the machine is domain‑joined, verify that the domain GPO is not overriding the local SSL Cipher Suite Order policy.

    1. Please perform connectivity checks using the PowerShell command below:

    Invoke-WebRequest https://gbl.his.arc.azure.com

    It may fail with SSL/TLS trust relationship errors because the machine cannot validate Azure service certificates.

    2. Then please verify that the affected Windows machine has the required TLS 1.2 or TLS 1.3 cipher suites enabled.

    Confirm the enabled cipher suites on the machine using:

    Get-TlsCipherSuite | Format-List Name

    3. If the required cipher suites are missing, they must be enabled either:

    • via Local Security Policy
    • via Domain Group Policy (GPO)
    • or via registry configuration

    Refer to the document below to enable the required cipher suites:

    https://learn.microsoft.com/en-us/azure/azure-arc/servers/troubleshoot-networking#enable-cipher-suites-with-group-policy

    4. For domain‑joined machines, local TLS settings can be overridden by Group Policy Objects (GPOs), and therefore GPO configuration must be updated to enable the required TLS cipher suites for the agent to connect successfully.


    Once the required TLS cipher suites are enabled, please retry the onboarding process.

    If the issue persists after validating TLS configuration, feel free to share the agent logs (azcmagent.log) for further analysis.

    Thanks,
    Suchitra.
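A combined diagnostic for steps 1 and 2 of the reply above, added here as an example; it is not part of the original thread or of the Connected Machine agent. It performs the TLS handshake to gbl.his.arc.azure.com through .NET's SslStream so that the certificate chain status behind a "trust relationship" error is reported explicitly (and distinguished from a cipher-suite failure, which dies before validation), then checks which ECDHE/AES-GCM suites are enabled and whether a GPO cipher-suite order is in effect. The function names and the list of recommended suites are assumptions; confirm the suites against the Microsoft document linked in the reply.

```powershell
# Added diagnostic example (not from the original thread). Run in an elevated PowerShell on the
# server being onboarded. Function names and the recommended-suite list are assumptions.
function Test-ArcTlsTrust {
    param([string]$HostName = 'gbl.his.arc.azure.com', [int]$Port = 443)
    $state = @{ PolicyErrors = 'NotRun'; ChainStatus = @(); Subject = $null; Issuer = $null }
    # The callback records why validation failed but still enforces the real verdict.
    $sb = {
        param($sender, $cert, $chain, $policyErrors)
        $state.PolicyErrors = $policyErrors; $state.Subject = $cert.Subject; $state.Issuer = $cert.Issuer
        $state.ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        return ($policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$sb
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $result = [pscustomobject]@{ Handshake = 'OK'; Protocol = $ssl.SslProtocol;
                                     KeyExchange = $ssl.KeyExchangeAlgorithm; Cipher = $ssl.CipherAlgorithm }
    } catch {
        # PolicyErrors still 'NotRun' means the handshake failed before certificate validation
        # (e.g. no common cipher suite); a ChainStatus such as PartialChain/UntrustedRoot means a missing CA cert.
        $result = [pscustomobject]@{ Handshake = 'FAILED'; Error = $_.Exception.GetBaseException().Message }
    } finally { $ssl.Dispose(); $tcp.Dispose() }
    $result | Add-Member -NotePropertyName PolicyErrors -NotePropertyValue $state.PolicyErrors
    $result | Add-Member -NotePropertyName ChainStatus  -NotePropertyValue ($state.ChainStatus -join ',')
    $result | Add-Member -NotePropertyName ServerCert   -NotePropertyValue "$($state.Subject) <- $($state.Issuer)"
    return $result
}

function Test-ArcCipherSuites {
    # Assumed recommended set (TLS 1.3 AES-GCM and TLS 1.2 ECDHE/AES-GCM suites); confirm against the
    # Microsoft troubleshooting document linked in the reply.
    $recommended = @('TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256',
                     'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
                     'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256')
    $enabled = @((Get-TlsCipherSuite).Name)
    # This policy key is populated when a GPO sets "SSL Cipher Suite Order"; if present it overrides the local list.
    $gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $gpo = Get-ItemProperty -Path $gpoKey -Name Functions -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RecommendedEnabled = @($recommended | Where-Object { $enabled -contains $_ })
        RecommendedMissing = @($recommended | Where-Object { $enabled -notcontains $_ })
        GpoCipherOrderSet  = [bool]$gpo
        GpoCipherOrder     = $(if ($gpo) { $gpo.Functions } else { $null })
    }
}

Test-ArcTlsTrust | Format-List
Test-ArcCipherSuites | Format-List
```

If RecommendedMissing is non-empty while GpoCipherOrderSet is true, the fix belongs in the domain GPO rather than the local policy, as the reply notes.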

  3. Siva shunmugam Nadessin 10,895 Reputation points Microsoft External Staff Moderator

    Hello Raj Anand,

    Just checking in to see if the solution shared above helped you to resolve your issue. Please reach out to us if you have any further questions.

    Thanks

  4. Naveena Patlolla 9,665 Reputation points Microsoft External Staff Moderator

    Hello Raj Anand,
    Could you please confirm whether your issue has been resolved, or if you’re still facing any problems?



Answer accepted by question author

Suchitra Suregaunkar 14,595 Reputation points Microsoft External Staff Moderator

Hello Raj Anand

Thank you for posting your query on Microsoft Q&A platform.

During the execution of the Azure Arc onboarding script, the installation process encountered a failure at the stage where the script attempts to establish secure HTTPS connectivity with the Azure Arc Hybrid Identity Service endpoint. The failure was accompanied by an SSL/TLS error indicating that a trusted certificate chain could not be established, specifically stating that the trust relationship for the secure channel could not be validated.

As anticipated during our investigation, this behavior was identified to be certificate‑related. Once the required certificate was correctly installed on the affected server by the Federal Bank Networking team, the SSL/TLS trust issue was fully resolved. Following this remediation, the onboarding script was re‑executed and completed successfully without any further errors, allowing the server to be onboarded to Azure Arc as expected. We sincerely appreciate the prompt collaboration and support from the networking team, which helped unblock the onboarding process and bring this activity to a successful conclusion.

Thanks,
Suchitra.

  1. Naveena Patlolla 9,665 Reputation points Microsoft External Staff Moderator

    Hello Raj Anand
    Please take a moment to "Accept the answer" wherever the information provided helps you; this can be beneficial to other community members. It would be greatly appreciated and helpful to others.

