Share via

Azure Run Command and Custom Script Extension not working on Windows Server 2012 Azure-Arc enabled server

Filah Aditia Aldhauri 10 Reputation points
2025-11-21T12:41:47.99+00:00

Hi,
I am currently performing a mass deployment of a third-party software agent to several Windows Server 2012 Azure Arc enabled machine. The deployment is being executed through Run Command, but I am encountering failures that appear to be related to the Azure Arc agent itself.

I performed a test by running a simple command using Run command and Custom Script Extension to determine whether the issue originated from my script, and the same error occurred.

Azure Run Command log:

New-AzConnectedMachineRunCommand `

-ResourceGroupName "xxxxxxx" `

-MachineName "HV-ARC-WIN12" `

-Subscription "xxxxxxxxxxxx" `

-Location "southeastasia" `

-RunCommandName "Test" `

-SourceScript "Write-Host Hello World!"

AsyncExecution : False

ErrorBlobManagedIdentityClientId :

ErrorBlobManagedIdentityObjectId :

ErrorBlobUri :

Id : /subscriptions/xxxxxxxxxx/resourceGroups/xxxxxxx/providers/Microsoft.HybridCompute/machines/HV-ARC-WIN12/runcommands/Test

InstanceViewEndTime : 11/21/2025 10:33:01 AM

InstanceViewError :

InstanceViewExecutionMessage : Failed to decode, decrypt, and deserialize the protected settings string. Error Message: Cannot decrypt protected settings with certificate due to: Invalid provider type

                                specified.

InstanceViewExecutionState : Failed

InstanceViewExitCode : -22

InstanceViewOutput :

InstanceViewStartTime : 11/21/2025 10:33:01 AM

InstanceViewStatuses :

Location : southeastasia

Name : Test

OutputBlobManagedIdentityClientId :

OutputBlobManagedIdentityObjectId :

OutputBlobUri :

Parameter :

ProtectedParameter :

ProvisioningState : Succeeded

ResourceGroupName : xxxxxxxxxxx

RunAsPassword :

RunAsUser :

ScriptUriManagedIdentityClientId :

ScriptUriManagedIdentityObjectId :

SourceCommandId :

SourceScript : Write-Host Hello World!

SourceScriptUri :

SystemDataCreatedAt :

SystemDataCreatedBy :

SystemDataCreatedByType :

SystemDataLastModifiedAt :

SystemDataLastModifiedBy :

SystemDataLastModifiedByType :

Tags : {

                                }

TimeoutInSecond : 0

Type : Microsoft.HybridCompute/machines/runcommands

Custom Script Extension Log:
Extension Message: Failed to decode the protected settings string. Error Message: Invalid provider type specified.

Extension Error:

C:\Packages\Plugins\Microsoft.Compute.CustomScriptExtension\1.10.20>if not exist RuntimeSettings*.settings exit /b -2

C:\Packages\Plugins\Microsoft.Compute.CustomScriptExtension\1.10.20>start cmd /C C:\Packages\Plugins\Microsoft.Compute.CustomScriptExtension\1.10.20\bin\CustomScriptHandler.exe "enable"

If I recall correctly, Azure Run Command was functioning on our Windows Server 2012 Azure Arc–enabled machines a couple of months ago. Is Run Command no longer supported for Windows Server 2012 Azure-Arc enabled server?

Thanks in advance

Azure Arc
Azure Arc
A Microsoft cloud service that enables deployment of Azure services across hybrid and multicloud environments.

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Suchitra Suregaunkar 3,565 Reputation points Microsoft External Staff Moderator
    2025-11-25T11:39:57.99+00:00

    Hello Filah Aditia Aldhauri

    Thank you for posting your query on Microsoft Q&A platform.

    The error from your logs indicate Failed to decode, decrypt, and deserialize the protected settings string. Error: Cannot decrypt protected settings with certificate due to: Invalid provider type specified (exit code -22) when using Run Command and Custom Script Extension on an Arc-enabled Windows Server 2012 machine.

    This is due to below following reasons:

    1. OS support boundary: Azure Arc’s Connected Machine agent (CMA) supports Windows Server 2012 R2 and later. Windows Server 2012 (non‑R2) isn’t in the supported list. When Arc features (including Run Command and extensions) try to decrypt protected settings, they rely on OS crypto providers. On legacy stacks (WS 2012 non‑R2) decryption can throw “Invalid provider type specified” because the private key/provider used by the agent’s transport certificate isn’t compatible with the OS crypto APIs.

    User's image

    Reference: https://learn.microsoft.com/en-us/azure/azure-arc/servers/prerequisites

    1. Run Command requirements & current limitations: Run Command for Arc requires CMA v1.33+ and is supported via PowerShell/CLI/REST (Portal not yet). It doesn’t support authenticating script blobs using Managed Identity at this time, protected parameters are locally decrypted by the agent using its transport certificate. If certificate/provider handling fails, decryption of protected settings fails exactly as in your error.

    Reference: https://learn.microsoft.com/en-us/azure/azure-arc/servers/run-command

    1. Certificate/provider mismatch on Windows: On Windows, extension protected settings are decrypted using a transport certificate. Known failure modes include missing/expired transport cert, wrong key provider type, or incorrect permissions under C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.

    As a resolution If this machine is truly Windows Server 2012 (non‑R2), migrate/upgrade to 2012 R2 (or newer) before using Arc Run Command / CSE at scale.

    If the machine is Windows Server 2012 R2 (or later) : Ensure the Arc stack and crypto prerequisites are healthy

    Verify agent & tooling versions on the server confirm agentVersion ≥ 1.33 (Run Command requirement). If lower, upgrade CMA.

    On your client: check CLI extension versions for connectedmachine / Az.ConnectedMachine.

    azcmagent
azcmagent

    Check Arc connectivity & endpoints and Add --enable-pls-check if using private endpoints.

    azcmagent check --location "southeastasia"

    Regenerate agent transport certificate & re‑sync extensions A fresh reconnect (which re-establishes identity and certs) often resolves protected settings failures:

    
# Collect logs first
azcmagent logs

# Graceful disconnect (removes Arc resource)
azcmagent disconnect

# Reconnect (same RG/subscription/region)
azcmagent connect --resource-group <RG> --subscription-id <SubId> --location southeastasia

    If the Azure resource no longer exists, --force-local-only can be used to clean local state before reconnect.

    Verify certificate & MachineKeys permissions (Windows) If decryption still fails, inspect certificate health per Microsoft guidance for Windows VM extensions:

    • Review C:\WindowsAzure\Logs\WaAppAgent.log and the extension logs under C:\Packages\Plugins\Microsoft.Compute.CustomScriptExtension\<version>\
    • Check permissions on C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
    • Ensure TLS 1.2 and current .NET/PowerShell baselines are present (common prerequisite for Arc/agent operations).

    Retry with minimal protected settings When testing, avoid protectedParameters unless needed (e.g., passwords, keys). Use a simple inline script (as you did) and keep protectedParameters empty to isolate crypto issues from script logic.

    For full schema and behaviors, see Run Command resource definition https://learn.microsoft.com/en-us/azure/templates/microsoft.hybridcompute/machines/runcommands?pivots=deployment-language-bicep

    Avoid Managed Identity for script blob auth (today) Run Command on Arc doesn’t support MI blob auth yet, pass a SAS URL if using scriptUri. Your PowerShell example uses inline SourceScript, which is fine.

    Could you please let us know if the solution shared in the comment addressed your query. If you have any other questions or need further support, please feel free to contact us.

    Thanks,

    Suchitra.

    1 person found this answer helpful.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.