I'm trying to set up the Azure Arc extension for Windows Admin Center on a physical host, but I'm running into a frustrating issue during the provisioning process. The error message states: *RetrieveCertificate: Failed to retrieve certificate from key vault using app service*. It seems like this depends on a Microsoft-managed Key Vault and certificate that isn't available in my subscription. I've already connected two servers successfully with Azure Arc and the WAC extension, but now any new server I onboard fails with the same message. I've checked the versions of the ARC Agent and WAC extension, and they don't seem to be part of the problem. My servers are running Windows Server 2025 Datacenter edition, and local logs show that while the extension installs fine, the certificate retrieval fails with a 401 Unauthorized error. I've come across a few similar reports online and sense that this might be a broader Microsoft issue rather than something wrong in my setup. Has anyone encountered this error recently? Any workarounds you can suggest?
2 Answers
Have you checked your network setup? Sometimes a central firewall might be blocking the required connectivity. It could be worth taking a look at your firewall logs to see if anything stands out.
I've experienced this issue several times over the recent months. It's not just limited to new installations, either; I manage over 600 Arc-connected servers, and just a few days ago nearly all of them had problems. As for workarounds, I've had multiple sessions with Microsoft support regarding similar issues, but most have been unhelpful. They indicated that the problems stem from their end and suggested waiting for fixes or updates from them. Unfortunately, it often takes quite a while. From my experience, it's likely not anything to do with your setup—I've tried numerous troubleshooting steps to no avail. The service is supposed to be reliable, but we keep encountering these downtimes. Here's hoping this current issue gets resolved faster than previous ones!
I really appreciate your insights. We’re new users of Azure Arc and the WAC extension, and while it works well for two of our hosts, we've hit a brick wall with the remaining instances. Your observations about the Key Vault failures align perfectly with what we've encountered. I’ll share any new findings or fixes I discover in the meantime. Fingers crossed for a swift resolution, but I won't hold my breath either!
Thanks for the suggestion! The server is behind a corporate firewall, but outbound HTTPS is allowed. Azure Arc connectivity looks healthy, though I’ll double-check with the networking and security teams to make sure nothing specific is getting filtered out.