AdminCenter extension enable fails on Azure Local (West Europe): token retrieval from Arc identity/HIMDS → 400, WAC certificate retrieval blocked

Question

AdminCenter extension enable fails on Azure Local (West Europe): token retrieval from Arc identity/HIMDS → 400, WAC certificate retrieval blocked

Kopach, Vitalii 30

Hi!

We’re unable to successfully deploy Windows Admin Center in Azure (AdminCenter extension) for our Azure Local (Azure Stack HCI) cluster. The extension package installs, but the Enable phase intermittently fails when it tries to obtain an access token from Azure Arc’s identity endpoint and then retrieve the TLS certificate for WAC.

Environment Details:

Azure Local Version: 2509 (Freshly installed)
Azure Connected Machine Agent (Arc Agent) Version: 1.56.03167.2465
AdminCenter Extension Versions Tested: 0.62.0.0 and 0.47.0.0
Microsoft Hybrid Connectivity: Registered
Windows Admin Center (WAC) Port: 6516 (Added to azcmagent incoming connections; local firewall allow rule created)
Egress: TCP port 443 open; no proxy configured (HTTPS_PROXY is not set)
Region: West Europe

Symptoms & logs

Reachability check succeeds:
- TestWACAppServiceReachability: Successfully
Then token retrieval fails:
- GetAccessTokenForArc: Failed to get access token from Azure Arc's identity endpoint
- The remote server returned an error: (400) Bad Request.
Certificate retrieval then cannot proceed:
- RetrieveCertificate: Retrieving certificate from key vault using app service (doesn’t complete)

[
    {
        "status":  {
                       "status":  "error",
                       "code":  553,
                       "name":  "InvokeEnableOperation",
                       "formattedMessage":  {
                                                "message":  "Executing Enable operation",
                                                "lang":  "en-US"
                                            },
                       "operation":  "InvokeEnableOperation",
                       "substatus":  [
                                         {
                                             "status":  "success",
                                             "code":  0,
                                             "name":  "SettingDnsRecords",
                                             "formattedMessage":  {
                                                                      "message":  "Creating/updating DNS records",
                                                                      "lang":  "en-US"
                                                                  }
                                         },
                                         {
                                             "status":  "success",
                                             "code":  0,
                                             "name":  "GetDataFromMetadataService",
                                             "formattedMessage":  {
                                                                      "message":  "Getting data from Azure metadata service",
                                                                      "lang":  "en-US"
                                                                  }
                                         },
                                         {
                                             "status":  "success",
                                             "code":  0,
                                             "name":  "GetInstanceMetadataForArc",
                                             "formattedMessage":  {
                                                                      "message":  "Retrieving the virtual machine instance metadata information",
                                                                      "lang":  "en-US"
                                                                  }
                                         },
                                         {
                                             "status":  "success",
                                             "code":  0,
                                             "name":  "GettingWacPort",
                                             "formattedMessage":  {
                                                                      "message":  "Getting Windows Admin Centers configured port",
                                                                      "lang":  "en-US"
                                                                  }
                                         },
                                         {
                                             "status":  "success",
                                             "code":  0,
                                             "name":  "GettingCSPFrameAncestors",
                                             "formattedMessage":  {
                                                                      "message":  "Getting Windows Admin Center configured CSP frame ancestors",
                                                                      "lang":  "en-US"
                                                                  }
                                         },
                                         {
                                             "status":  "success",
                                             "code":  0,
                                             "name":  "UpdatingWindowsAdminCenterConfiguration",
                                             "formattedMessage":  {
                                                                      "message":  "Updating Windows Admin Center Configuration",
                                                                      "lang":  "en-US"
                                                                  }
                                         },
                                         {
                                             "status":  "success",
                                             "code":  0,
                                             "name":  "StoppingWindowsAdminCenterService",
                                             "formattedMessage":  {
                                                                      "message":  "Stopping Windows Admin Center service",
                                                                      "lang":  "en-US"
                                                                  }
                                         },
                                         {
                                             "status":  "success",
                                             "code":  0,
                                             "name":  "UpdatingInstallationTypeSettings",
                                             "formattedMessage":  {
                                                                      "message":  "Updating Installation type for Windows Admin Center",
                                                                      "lang":  "en-US"
                                                                  }
                                         },
                                         {
                                             "status":  "success",
                                             "code":  0,
                                             "name":  "UpdatingCSPSettings",
                                             "formattedMessage":  {
                                                                      "message":  "Updating CSP Frame Ancestors for Windows Admin Center",
                                                                      "lang":  "en-US"
                                                                  }
                                         },
                                         {
                                             "status":  "success",
                                             "code":  0,
                                             "name":  "UpdatingCORSSettings",
                                             "formattedMessage":  {
                                                                      "message":  "Updating CORS origins for Windows Admin Center",
                                                                      "lang":  "en-US"
                                                                  }
                                         },
                                         {
                                             "status":  "success",
                                             "code":  0,
                                             "name":  "UpdatingPort",
                                             "formattedMessage":  {
                                                                      "message":  "Updating port for Windows Admin Center",
                                                                      "lang":  "en-US"
                                                                  }
                                         },
                                         {
                                             "status":  "success",
                                             "code":  0,
                                             "name":  "UpdatingWebSocketValidationOverride",
                                             "formattedMessage":  {
                                                                      "message":  "Updating WebSocket validation override settings",
                                                                      "lang":  "en-US"
                                                                  }
                                         },
                                         {
                                             "status":  "success",
                                             "code":  0,
                                             "name":  "UpdatingTokenAuthenticationEnabled",
                                             "formattedMessage":  {
                                                                      "message":  "Updating token authentication setting",
                                                                      "lang":  "en-US"
                                                                  }
                                         },
                                         {
                                             "status":  "success",
                                             "code":  0,
                                             "name":  "UpdatingAutoUpdate",
                                             "formattedMessage":  {
                                                                      "message":  "Updating auto update setting",
                                                                      "lang":  "en-US"
                                                                  }
                                         },
                                         {
                                             "status":  "success",
                                             "code":  0,
                                             "name":  "SettingProxy",
                                             "formattedMessage":  {
                                                                      "message":  "Updating proxy for Windows Admin Center",
                                                                      "lang":  "en-US"
                                                                  }
                                         },
                                         {
                                             "status":  "success",
                                             "code":  0,
                                             "name":  "GettingWacPort",
                                             "formattedMessage":  {
                                                                      "message":  "Getting Windows Admin Centers configured port",
                                                                      "lang":  "en-US"
                                                                  }
                                         },
                                         {
                                             "status":  "success",
                                             "code":  0,
                                             "name":  "UpdatingWindowsAdminCenterConfiguration",
                                             "formattedMessage":  {
                                                                      "message":  "Updating Windows Admin Center Configuration",
                                                                      "lang":  "en-US"
                                                                  }
                                         },
                                         {
                                             "status":  "success",
                                             "code":  0,
                                             "name":  "GetDataFromMetadataService",
                                             "formattedMessage":  {
                                                                      "message":  "Getting data from Azure metadata service",
                                                                      "lang":  "en-US"
                                                                  }
                                         },
                                         {
                                             "status":  "success",
                                             "code":  0,
                                             "name":  "GetInstanceMetadataForArc",
                                             "formattedMessage":  {
                                                                      "message":  "Retrieving the virtual machine instance metadata information",
                                                                      "lang":  "en-US"
                                                                  }
                                         },
                                         {
                                             "status":  "success",
                                             "code":  0,
                                             "name":  "TestWACAppServiceReachability",
                                             "formattedMessage":  {
                                                                      "message":  "Testing reachability of Application Web Service of Windows Admin Center",
                                                                      "lang":  "en-US"
                                                                  }
                                         },
                                         {
                                             "status":  "error",
                                             "code":  553,
                                             "name":  "GetAccessTokenForArc",
                                             "formattedMessage":  {
                                                                      "message":  "Failed to get access token from Azure Arc\u0027s identity endpoint",
                                                                      "lang":  "en-US"
                                                                  }
                                         },
                                         {
                                             "status":  "error",
                                             "code":  553,
                                             "name":  "RetrieveCertificate",
                                             "formattedMessage":  {
                                                                      "message":  "Retrieving certificate from key vault using app service",
                                                                      "lang":  "en-US"
                                                                  }
                                         }
                                     ]
                   },
        "timestampUTC":  "2025-10-01T10:03:14Z",
        "version":  "1.0"
    }
]

Daniel Söderholm 0 Microsoft Employee

I have the same problem in the France Central region with single virtual machines (not Azure Local), running Windows Server 2022/2025 and connected machine agent version 1.55.03132.2414:

[2025-10-01T21:45:01Z]     INFO: | | Invoking Operation "GetAccessTokenForArc"

[2025-10-01T21:45:03Z]  WARNING: | | | Failed to get access token

[2025-10-01T21:45:03Z]  WARNING: | | | The remote server returned an error: (400) Bad Request.

[2025-10-01T21:45:50Z]    ERROR: | | | Exiting Operation "GetAccessTokenForArc" with code: IMDSAccessTokenGETRequestFailure. Message: Failed to get access token from Azure Arc's identity endpoint

[2025-10-01T21:45:50Z]    ERROR: | | Exiting Operation "RetrieveCertificate" with code: IMDSAccessTokenGETRequestFailure. Message: Retrieving certificate from key vault using app service

[2025-10-01T21:45:50Z]    ERROR: | Exiting Operation "InvokeEnableOperation" with code: IMDSAccessTokenGETRequestFailure. Message: Executing Enable operation

[2025-10-01T21:45:50Z]    ERROR: Exited all operations with code: IMDSAccessTokenGETRequestFailure

Ankit Yadav 4,635 Reputation points Microsoft External Staff Moderator

2025-10-02T01:31:37.9566667+00:00
Hello Kopach, Vitalii,

Kindly verify below checks as well:

Verify Arc Agent Status: Check if the Azure Connected Machine agent is properly connected and authenticated (especially if you are having service principal for authentication purposes).

Review Role Assignments: The Arc-enabled servers need proper role assignments for Azure services ie "Azure Connected Machine Resource Manager" and "Reader" roles.
Additionally, do review that the Arc Machine identity has the right permissions for Key Vault access.

Network and Firewall configuration: While you've already confirmed TCP 443 connectivity, ensure the Arc agent can reach the metadata service internally. The identity endpoint operates on localhost:40342 and requires proper internal communication.

Try restart: Try restarting the Azure Connected Machine Agent service on all cluster nodes if not done already. This can also help to rule out any intermittent issues.

Arc agent registration status: Run azcmagent show to confirm proper registration status.
Ankit Yadav 4,635 Reputation points Microsoft External Staff Moderator

2025-10-02T01:33:27.37+00:00

Hey Daniel Söderholm,

Since the issue seems to be specific to your virtual machine, it’d be best to start a new thread on the Microsoft Q&A forum. That way, you’ll get more focused help from the right experts.

Thanks!
Kopach, Vitalii 30 Reputation points

2025-10-02T12:28:00.1566667+00:00
Arc Agent Status: Azure Connected Machine agent is properly connected and authenticated.

Role Assignments: The Arc-enabled servers have proper role assignments for Azure services ie "Azure Connected Machine Resource Manager" and "Reader" roles.

Network and Firewall Configuration: The identity endpoint is functioning correctly on localhost:40342 and supports proper internal communication.

Restart Attempt: This option has already been tried, but it did not resolve the issue.

Arc Agent Registration Status: This information has been shared with you via private message.
Veselý, Ondřej 55 Reputation points

2025-10-02T23:59:32.46+00:00

Is it the same issue as we are discussing here? Seems to be a global issue:
https://learn.microsoft.com/en-us/answers/questions/5562330/error-windows-admin-center-extension-on-azure-loca
Jimmy Lindö 0 Reputation points

2025-10-03T18:23:27.93+00:00

I had a working demo environment that has crashed. It was updated to version 1.55.03132.2414 and WAC Extension did go to a bad state and when I look at an ARC server I do have 553 error same as described here. Have tried with same issue:
Windows Server 2025 and 2022.
Trying different regions Sweden and East US 2.
Ankit Yadav 4,635 Reputation points Microsoft External Staff Moderator

2025-10-09T18:37:38.01+00:00

Hello @Kopach, Vitalii @Jimmy Lindö @Veselý, Ondřej

Please be noted that the Engineering team has confirmed that this has been identified as an issue with the extension and it'll be fixed with the new version (0.66.0.0). The Engineering team is planning to roll out the fixed version by next week to be globally available.
Kopach, Vitalii 30 Reputation points

2025-10-10T09:55:12.36+00:00

Hello,

I have updated to version 0.66.0.0 and can confirm that it is now deploying successfully. However, the extension is still somewhat unstable overall. I often need to press the "Try Again" button multiple times to establish a successful connection. I understand that it's still in preview, so I appreciate the ongoing improvements.

Answer accepted by question author

0 additional answers

Your answer

Daniel Söderholm 0 Reputation points Microsoft Employee

2025-10-01T22:05:09.27+00:00

I have the same problem in the France Central region with single virtual machines (not Azure Local), running Windows Server 2022/2025 and connected machine agent version 1.55.03132.2414:

[2025-10-01T21:45:01Z] INFO: | | Invoking Operation "GetAccessTokenForArc" [2025-10-01T21:45:03Z] WARNING: | | | Failed to get access token [2025-10-01T21:45:03Z] WARNING: | | | The remote server returned an error: (400) Bad Request. [2025-10-01T21:45:50Z] ERROR: | | | Exiting Operation "GetAccessTokenForArc" with code: IMDSAccessTokenGETRequestFailure. Message: Failed to get access token from Azure Arc's identity endpoint [2025-10-01T21:45:50Z] ERROR: | | Exiting Operation "RetrieveCertificate" with code: IMDSAccessTokenGETRequestFailure. Message: Retrieving certificate from key vault using app service [2025-10-01T21:45:50Z] ERROR: | Exiting Operation "InvokeEnableOperation" with code: IMDSAccessTokenGETRequestFailure. Message: Executing Enable operation [2025-10-01T21:45:50Z] ERROR: Exited all operations with code: IMDSAccessTokenGETRequestFailure
Ankit Yadav 4,635 Reputation points Microsoft External Staff Moderator

2025-10-02T01:31:37.9566667+00:00

Hello Kopach, Vitalii,

Kindly verify below checks as well:

Verify Arc Agent Status: Check if the Azure Connected Machine agent is properly connected and authenticated (especially if you are having service principal for authentication purposes).

Review Role Assignments: The Arc-enabled servers need proper role assignments for Azure services ie "Azure Connected Machine Resource Manager" and "Reader" roles.
Additionally, do review that the Arc Machine identity has the right permissions for Key Vault access.

Network and Firewall configuration: While you've already confirmed TCP 443 connectivity, ensure the Arc agent can reach the metadata service internally. The identity endpoint operates on localhost:40342 and requires proper internal communication.

Try restart: Try restarting the Azure Connected Machine Agent service on all cluster nodes if not done already. This can also help to rule out any intermittent issues.

Arc agent registration status: Run azcmagent show to confirm proper registration status.
Ankit Yadav 4,635 Reputation points Microsoft External Staff Moderator

2025-10-02T01:33:27.37+00:00

Hey Daniel Söderholm,

Since the issue seems to be specific to your virtual machine, it’d be best to start a new thread on the Microsoft Q&A forum. That way, you’ll get more focused help from the right experts.

Thanks!
Kopach, Vitalii 30 Reputation points

2025-10-02T12:28:00.1566667+00:00

Arc Agent Status: Azure Connected Machine agent is properly connected and authenticated.

Role Assignments: The Arc-enabled servers have proper role assignments for Azure services ie "Azure Connected Machine Resource Manager" and "Reader" roles.

Network and Firewall Configuration: The identity endpoint is functioning correctly on localhost:40342 and supports proper internal communication.

Restart Attempt: This option has already been tried, but it did not resolve the issue.

Arc Agent Registration Status: This information has been shared with you via private message.
Veselý, Ondřej 55 Reputation points

2025-10-02T23:59:32.46+00:00

Is it the same issue as we are discussing here? Seems to be a global issue:
https://learn.microsoft.com/en-us/answers/questions/5562330/error-windows-admin-center-extension-on-azure-loca
Jimmy Lindö 0 Reputation points

2025-10-03T18:23:27.93+00:00

I had a working demo environment that has crashed. It was updated to version 1.55.03132.2414 and WAC Extension did go to a bad state and when I look at an ARC server I do have 553 error same as described here. Have tried with same issue:
Windows Server 2025 and 2022.
Trying different regions Sweden and East US 2.
Ankit Yadav 4,635 Reputation points Microsoft External Staff Moderator

2025-10-09T18:37:38.01+00:00

Hello @Kopach, Vitalii @Jimmy Lindö @Veselý, Ondřej

Please be noted that the Engineering team has confirmed that this has been identified as an issue with the extension and it'll be fixed with the new version (0.66.0.0). The Engineering team is planning to roll out the fixed version by next week to be globally available.
Kopach, Vitalii 30 Reputation points

2025-10-10T09:55:12.36+00:00

Hello,

I have updated to version 0.66.0.0 and can confirm that it is now deploying successfully. However, the extension is still somewhat unstable overall. I often need to press the "Try Again" button multiple times to establish a successful connection. I understand that it's still in preview, so I appreciate the ongoing improvements.

Answer 1

Hi Kopach, Vitalii

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Verify the Azure Connected Machine Agent status by first checking if the agent is properly connected and authenticated, especially if you are using a service principal for authentication. Review the necessary role assignments for Arc-enabled servers, ensuring they have "Azure Connected Machine Resource Manager" and "Reader" roles granted. Also, verify that the Arc Machine identity has appropriate permissions to access Key Vault. While TCP 443 connectivity is confirmed, it is essential to make sure the Arc agent can reach the internal metadata service endpoint on localhost:40342, as this internal communication is required for identity operations.

If issues persist, try restarting the Azure Connected Machine Agent service on all cluster nodes to rule out intermittent problems. Finally, use the command azcmagent show on the Arc-enabled machine to confirm the proper registration status and verify the agent's connectivity and heartbeat with Azure

Please be noted that the Engineering team has confirmed that this has been identified as an issue with the extension and it'll be fixed with the new version (0.66.0.0). The Engineering team is planning to roll out the fixed version by next week to be globally available.

Regards

Himanshu

Share via

AdminCenter extension enable fails on Azure Local (West Europe): token retrieval from Arc identity/HIMDS → 400, WAC certificate retrieval blocked

0 additional answers

Your answer