Azure Arc Resource Bridge for SCVMM stuck in WaitingForHeartbeat

Question

Azure Arc Resource Bridge for SCVMM stuck in WaitingForHeartbeat

Charles Pickering 61

I’m troubleshooting a failing Azure Arc Resource Bridge deployment for SCVMM and am looking for guidance on next steps.

In Azure Portal, the Resource Bridge resource remains in WaitingForHeartbeat
The deployment script does not complete and remains at “Waiting for control plane to be in running state”
The appliance VM is created successfully and Kubernetes components appear to start, but the deployment never finishes

Environment details

Single tenant, single subscription (development tenant)
Deployment identity:
- Global Administrator
- Owner at subscription scope
Required resource providers are registered
SCVMM account used during deployment:
- Administrator in SCVMM
- Credentials verified (the template is deployed fine by the script and appliance boots up)
Network environment:
- No proxies
- No SSL inspection
- No Private Link configuration
- Direct outbound internet access

Identity-related logs

From the ApplianceConnectAgent and related identity components, the following messages appear repeatedly:

In clusterIdentityCRDInteraction status not populated
GetTokenProvider().GetToken() error status not populated

SCVMM connectivity logs

From the capvmm-controller-manager logs during deployment, the appliance reports failures when attempting to connect to the SCVMM server. The following messages are observed:

MI_RESULT_FAILED
failed to create vmmserver session

I found this guide related to the MI_RESULT_FAILED error but the suggestion didn't help.

First guess is the managed identity isn't coming up because the appliance isn't able to get some sort of secret from VMM. I can't find anything wrong with my VMM server, I can powershell remote into it just fine from the management workstation. The management workstation used for deployment and the vmm server and the appliance are all in the same subnet with no microsegmentation or other L2 controls.

At this point:

The appliance VM deploys
Kubernetes initializes
The control plane does not transition to Running
The Azure Portal remains in WaitingForHeartbeat
Identity-related components continue retrying with the messages shown above

Any ideas where to go from here? I feel like all the stars should be aligned with how straightforward my development environment is in this stage, and this being an appliance deployed with a provided script. I have all the logs pulled from the appliance with Azure cli if there's additional things to search for, let me know.

Thanks! Charles

Suchitra Suregaunkar 5,570 Reputation points Microsoft External Staff Moderator

2026-01-06T10:07:55.76+00:00

Hello Charles Pickering

Based on the behavior and logs, this is not an Azure connectivity or permissions issue. WaitingForHeartbeat occurs because the Arc Resource Bridge control plane never transitions to Running due to the SCVMM provider failing to initialize. The MI_RESULT_FAILED – failed to create vmmserver session error indicates the appliance cannot establish a CIM/MI session to the SCVMM server. Until SCVMM connectivity succeeds, managed identity onboarding does not complete and identity components will continue retrying with “status not populated”. The next step is to validate WinRM/CIM connectivity, SCVMM service account requirements, server name resolution (FQDN vs NetBIOS), and SCVMM-side authentication from the appliance VM itself.

Are you using Kerberos or NTLM for SCVMM authentication, and is the SCVMM server specified using FQDN or NetBIOS in the deployment script?

Thanks,
Suchitra.
Charles Pickering 61 Reputation points

2026-01-06T16:57:40.34+00:00

Hi @Suchitra Suregaunkar

Thank you for confirming where the issue lies. I'm not sure which authentication scheme is in use. I'm using the Arc VMM onboarding script generated by the Azure Portal. I'm specifying the VMM server (HA Role name) by FQDN when running the script as it prompts.

Thanks,

Charles
Suchitra Suregaunkar 5,570 Reputation points Microsoft External Staff Moderator

2026-01-07T06:35:44.8933333+00:00
Hello Charles Pickering

Since you’re using the Azure Portal–generated onboarding script and specifying the SCVMM HA role by FQDN, the script defaults to Kerberos authentication when SCVMM is domain-joined and credentials are domain-based. Kerberos requires:

Correct SPNs for the SCVMM service account (matching the FQDN)

DNS resolution of the SCVMM FQDN from inside the appliance VM

Time synchronization between the appliance and SCVMM

If Kerberos negotiation fails, the provider may attempt NTLM fallback, but if NTLM is disabled or misconfigured, the session fails entirely leading to the MI_RESULT_FAILED error and the control plane staying in WaitingForHeartbeat.

As a resolution, please try below steps and let me know if it helps or not.

1.Validate DNS resolution from the appliance:

nslookup <SCVMM-FQDN>

Confirm WinRM ports (TCP 5985/5986) are open from the appliance to SCVMM.

Check SPNs for the SCVMM service account:

setspn -L <SCVMMServiceAccount>

Ensure entries for the SCVMM FQDN exist.

4.Inspect logs in the appliance

kubectl -n arc-system logs deployment/capvmm-controller-manager

Look for authentication type and connectivity errors.

Once SCVMM connectivity succeeds, identity CRDs populate automatically and the heartbeat starts.

Reference: https://learn.microsoft.com/en-us/azure/azure-arc/system-center-virtual-machine-manager/support-matrix-for-system-center-virtual-machine-manager
https://learn.microsoft.com/en-us/azure/azure-arc/system-center-virtual-machine-manager/quickstart-connect-system-center-virtual-machine-manager-to-arc?tabs=window%2Cwin

https://learn.microsoft.com/en-us/azure/azure-arc/system-center-virtual-machine-manager/troubleshoot-scvmm

If you have any other questions, please do let us know.

Thanks,

Suchitra.

Charles Pickering 61

Hi @Suchitra Suregaunkar

SPNs are correct:

C:\Users\charlespick>setspn -L makerad\vmm_srv
Registered ServicePrincipalNames for CN=vmm_srv,OU=Service Accounts,DC=makerad,DC=makerland,DC=xyz:
        SCVMM/vmm01.makerad.makerland.xyz
        SCVMM/vmm01

I haven't been able to login to the appliance yet. My research shows that the way to login is with az arcappliance troubleshoot command scvmm but that returns an error "The file C:\ProgramData\kva.ssh\scopedaccesskey does not exist. Please ensure a scoped access key was generated and call 'az arcappliance get-credentials' cmd to pull the key." get-credentials only gets the managementlogkey and managementlogkey-cert.pub files.

The script downloaded the logs for me when it failed so I opened them in VScode and searched for some things. In results.yaml:

  - metadata:
      creationTimestamp: null
      name: scvmm-connectivity-dnstest
    result:
      message: Attemped connection to the following ips vmm01.makerad.makerland.xyz:8100
        - Successfully connected to vmm01.makerad.makerland.xyz:8100
      outcome: Success
    type: TCPConnectivity

In var/log/kvalogs/capvmm-system/capvmm-controller-manager-7bcbbbc845-bq2md:

E0106 16:54:40.637667       1 vmmserver_controller.go:122] "msg"="Connection to SCVMM server was not established" "error"="Could not create new PSSession: \u001b[91mNew-PSSession: \u001b[91m[vmm01.makerad.makerland.xyz] Connecting to remote server vmm01.makerad.makerland.xyz failed with the following error message : MI_RESULT_FAILED For more information, see the about_Remote_Troubleshooting Help topic.\u001b[0m\n: $goSess6d31277ef9bfbeeb = New-PSSession -ComputerName 'vmm01.makerad.makerland.xyz' -Authentication 'negotiate' -Credential $goCred6cdb4a64f4fa186a -SessionOption $so" "logger"="controllers.VMMServer" "vmmserver"={"Namespace":"capvmm-system","Name":"capvmm-vmmserver-sample"}

Reading around there led me to capvmm-vmmserver-secret which I searched for and found this in var/log/kvalogs/cloudop-system/cloudop-controller-manager-59d8dfc589-j8v6t/logs.txt

I0106 16:54:03.050763       1 capi_vmm_controller.go:84] "msg"="Secret capvmm-vmmserver-secret is not present. Skipping identity reconciliation." "capi"={"Namespace":"default","Name":"capi-for-scvmm"} "logger"="controllers.Capi" "reconcileID"="a320dea8-87c9-43aa-9bd9-6bb888ff4de8"
...
I0106 16:54:16.130272       1 capi_vmm_controller.go:113] "msg"="Updating secret capvmm-vmmserver-secret with new credentials" "capi"={"Namespace":"default","Name":"capi-for-scvmm"} "logger"="controllers.Capi" "reconcileID"="22881148-4701-4c36-b35c-86b82fcb5896"
E0106 16:54:16.152201       1 capi_vmm_controller.go:130] "msg"="patch failed" "error"="failed to patch Capi default/capi-for-scvmm: error patching conditions: The condition \"CredentialsUpToDate\" was modified by a different process and this caused a merge/AddCondition conflict:   &v1beta1.Condition{\n  \tType:

Charles Pickering 61

Hi @Suchitra Suregaunkar

I can't login to the appliance with the az arcappliance troubleshoot command because of a missing file.

The file C:\ProgramData\kva\.ssh\scopedaccesskey does not exist. Please ensure a scoped access key was generated and call 'az arcappliance get-credentials' cmd to pull the key.

get-credentials only gets the log management key. The login keys don't appear to be available because the appliance didn't get far enough through it's bootstrap process.

PS C:\Users\charlespick_elev\Desktop\arcvmm> az arcappliance get-credentials --config .\arcgw-westus3-01-appliance.yaml
Successfully saved management log keys to: C:\ProgramData\kva\.ssh

But I can get the logs. I found a couple things

In the logs downloaded:

var/log/kvalogs/results.yaml - DNS resolution appears fine

  - metadata:
      creationTimestamp: null
      name: scvmm-connectivity-dnstest
    result:
      message: Attemped connection to the following ips vmm01.makerad.makerland.xyz:8100
        - Successfully connected to vmm01.makerad.makerland.xyz:8100
      outcome: Success
    type: TCPConnectivity

var/log/kvalogs/capvmm-system/capvmm-controller-manager-7bcbbbc845-bq2md/logs.txt

E0106 16:54:40.637667       1 vmmserver_controller.go:122] "msg"="Connection to SCVMM server was not established" "error"="Could not create new PSSession: \u001b[91mNew-PSSession: \u001b[91m[vmm01.makerad.makerland.xyz] Connecting to remote server vmm01.makerad.makerland.xyz failed with the following error message : MI_RESULT_FAILED For more information, see the about_Remote_Troubleshooting Help topic.\u001b[0m\n: $goSess6d31277ef9bfbeeb = New-PSSession -ComputerName 'vmm01.makerad.makerland.xyz' -Authentication 'negotiate' -Credential $goCred6cdb4a64f4fa186a -SessionOption $so" "logger"="controllers.VMMServer" "vmmserver"={"Namespace":"capvmm-system","Name":"capvmm-vmmserver-sample"}

var/log/kvalogs/cloudop-system/cloudop-controller-manager-59d8dfc589-j8v6t/logs.txt

E0106 16:54:16.152201       1 capi_vmm_controller.go:130] "msg"="patch failed" "error"="failed to patch Capi default/capi-for-scvmm: error patching conditions: The condition \"CredentialsUpToDate\" was modified by a different process and this caused a merge/AddCondition conflict:   &v1beta1.Condition{\n  \tType:               \"CredentialsUpToDate\",\n- \tStatus:             \"False\",\n+ \tStatus:             \"True\",\n- \tSeverity:           \"Warning\",\n+ \tSeverity:           \"\",\n  \tLastTransitionTime: {Time: s\"2026-01-06 16:54:16 +0000 UTC\"},\n- \tReason:             \"UpdatingSecrets\",\n+ \tReason:             \"\",\n  \tMessage:            \"\",\n  }\n" "capi"="capi-for-scvmm" "logger"="controllers.Capi" "reconcileID"="22881148-4701-4c36-b35c-86b82fcb5896"

There appears to be some sort of race condition in managing the secret that is used to connect to the vmm server that is breaking the process.

Charles Pickering 61

Also, the SPNs are correct:

C:\Users\charlespick>setspn -L makerad\vmm_srv
Registered ServicePrincipalNames for CN=vmm_srv,OU=Service Accounts,DC=makerad,DC=makerland,DC=xyz:
        SCVMM/vmm01.makerad.makerland.xyz
        SCVMM/vmm01

Charles Pickering 61 Reputation points

2026-01-08T02:03:31.5766667+00:00

Not sure why my first comment didn't get posted then reappeared after I had re written it. Sorry for the confusion.

Charles Pickering 61

I had to do some digging but I found this in the event logs on the vmm server. The SID which is redacted decodes to the VMM service account in my environment. I see very little about error code 2150858752 on the internet. :(

Log Name:      Microsoft-Windows-WinRM/Operational
Source:        Microsoft-Windows-WinRM
Date:          1/7/2026 7:44:42 PM
Event ID:      142
Task Category: Response handling
Level:         Error
Keywords:      Client
User:          MAKERAD\vmm_srv
Computer:      vmmworker01.makerad.makerland.xyz
Description:
WSMan operation Enumeration failed, error code 2150858752
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WinRM" Guid="{a7975c8f-ac13-49f1-87da-5a984a4ab417}" />
    <EventID>142</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>10</Task>
    <Opcode>2</Opcode>
    <Keywords>0x4000000000000002</Keywords>
    <TimeCreated SystemTime="2026-01-08T02:44:42.6375911Z" />
    <EventRecordID>2071031</EventRecordID>
    <Correlation ActivityID="{d8454c2f-568c-42c4-aa63-d148d805fe6a}" />
    <Execution ProcessID="9468" ThreadID="6392" />
    <Channel>Microsoft-Windows-WinRM/Operational</Channel>
    <Computer>vmmworker01.makerad.makerland.xyz</Computer>
    <Security UserID="redacted" />
  </System>
  <EventData>
    <Data Name="operationName">Enumeration</Data>
    <Data Name="errorCode">2150858752</Data>
  </EventData>
</Event>

Suchitra Suregaunkar 5,570 Reputation points Microsoft External Staff Moderator

2026-01-08T04:18:13.4166667+00:00
Hello Charles Pickering your data coherently indicates a WinRM remoting problem, not SCVMM service reachability or SPN registration.

Validate WinRM listeners and policy on the VMM server (and HA nodes):

winrm enumerate winrm/config/listener winrm get winrm/config winrm enumerate winrm/config/service winrm enumerate winrm/config/client

Look for ListeningOn must include the NIC IP(s) used by the appliance subnet (not just 127.0.0.1).

If GPO has set IPv4Filter/IPv6Filter, ensure the server’s NIC IPs and appliance ranges are explicitly allowed.

If misconfigured, fix by recreating listeners:

winrm delete winrm/config/listener?address=*+transport=http winrm delete winrm/config/listener?address=*+transport=https winrm quickconfig Enable-PSRemoting -Force

Confirm WinRM reachability and auth from the appliance:

First generate the scoped access key where the troubleshoot command expects it
az arcappliance get-credentials -n <resourceBridgeName> -g <resourceGroup> ` --credentials-dir "C:\ProgramData\kva\.ssh"

Then run appliance-side checks

nslookup vmm01.makerad.makerland.xyz nc -zv vmm01.makerad.makerland.xyz 5985 || true nc -zv vmm01.makerad.makerland.xyz 5986 || true timedatectl # verify clock sync (Kerberos is time-sensitive)

If 5985/5986 fail → fix firewall/GPO to allow WinRM from appliance IPs. If they succeed → focus on Negotiate, ensure NTLM isn’t disabled and Kerberos can succeed (DNS/SPN/time already checked).

After WinRM is healthy, reconcile credentials:

In Azure Portal, open the Arc-enabled SCVMM resource and use Update credentials.

This clears the “secret patch failed” loop and lets the SCVMM provider initialize. When it does, the control plane transitions to Running and WaitingForHeartbeat will clear automatically.

Could you run just this on the affected VMM node and paste the ListeningOn lines?

winrm enumerate winrm/config/listener

If we see only loopback or missing NIC IPs, we’ll fix the listener/GPO bindings first.

Thanks,

Suchitra.
Charles Pickering 61 Reputation points

2026-01-08T04:35:13.6866667+00:00

Hi @Suchitra Suregaunkar thanks for your help with this. The problem was related to WinRM, specifically an SPN registration was needed for the WinRM service itself (HTTP/) in addition to the SCVMM/ registration. After adding that to the service account it functions properly and onboarding completed. I think this should be added/made more prominent in the documentation that if installation is completed by an account without the ability to register SPNs on the service account, both the SCVMM and HTTP SPNs need to be manually registered. Currently only the SCVMM/ ones are documented.

Answer accepted by question author

2 additional answers

Your answer

Suchitra Suregaunkar 5,570 Reputation points Microsoft External Staff Moderator

2026-01-06T10:07:55.76+00:00

Hello Charles Pickering

Based on the behavior and logs, this is not an Azure connectivity or permissions issue. WaitingForHeartbeat occurs because the Arc Resource Bridge control plane never transitions to Running due to the SCVMM provider failing to initialize. The MI_RESULT_FAILED – failed to create vmmserver session error indicates the appliance cannot establish a CIM/MI session to the SCVMM server. Until SCVMM connectivity succeeds, managed identity onboarding does not complete and identity components will continue retrying with “status not populated”. The next step is to validate WinRM/CIM connectivity, SCVMM service account requirements, server name resolution (FQDN vs NetBIOS), and SCVMM-side authentication from the appliance VM itself.

Are you using Kerberos or NTLM for SCVMM authentication, and is the SCVMM server specified using FQDN or NetBIOS in the deployment script?

Thanks,
Suchitra.
Charles Pickering 61 Reputation points

2026-01-06T16:57:40.34+00:00

Hi @Suchitra Suregaunkar

Thank you for confirming where the issue lies. I'm not sure which authentication scheme is in use. I'm using the Arc VMM onboarding script generated by the Azure Portal. I'm specifying the VMM server (HA Role name) by FQDN when running the script as it prompts.

Thanks,

Charles
Suchitra Suregaunkar 5,570 Reputation points Microsoft External Staff Moderator

2026-01-07T06:35:44.8933333+00:00

Hello Charles Pickering

Since you’re using the Azure Portal–generated onboarding script and specifying the SCVMM HA role by FQDN, the script defaults to Kerberos authentication when SCVMM is domain-joined and credentials are domain-based. Kerberos requires:

Correct SPNs for the SCVMM service account (matching the FQDN)

DNS resolution of the SCVMM FQDN from inside the appliance VM

Time synchronization between the appliance and SCVMM

If Kerberos negotiation fails, the provider may attempt NTLM fallback, but if NTLM is disabled or misconfigured, the session fails entirely leading to the MI_RESULT_FAILED error and the control plane staying in WaitingForHeartbeat.

As a resolution, please try below steps and let me know if it helps or not.

1.Validate DNS resolution from the appliance:

nslookup <SCVMM-FQDN>

Confirm WinRM ports (TCP 5985/5986) are open from the appliance to SCVMM.

Check SPNs for the SCVMM service account:

setspn -L <SCVMMServiceAccount>

Ensure entries for the SCVMM FQDN exist.

4.Inspect logs in the appliance

kubectl -n arc-system logs deployment/capvmm-controller-manager

Look for authentication type and connectivity errors.

Once SCVMM connectivity succeeds, identity CRDs populate automatically and the heartbeat starts.

Reference: https://learn.microsoft.com/en-us/azure/azure-arc/system-center-virtual-machine-manager/support-matrix-for-system-center-virtual-machine-manager
https://learn.microsoft.com/en-us/azure/azure-arc/system-center-virtual-machine-manager/quickstart-connect-system-center-virtual-machine-manager-to-arc?tabs=window%2Cwin

https://learn.microsoft.com/en-us/azure/azure-arc/system-center-virtual-machine-manager/troubleshoot-scvmm

If you have any other questions, please do let us know.

Thanks,

Suchitra.
Charles Pickering 61 Reputation points

2026-01-07T22:29:03.82+00:00

Also, the SPNs are correct:

C:\Users\charlespick>setspn -L makerad\vmm_srv Registered ServicePrincipalNames for CN=vmm_srv,OU=Service Accounts,DC=makerad,DC=makerland,DC=xyz: SCVMM/vmm01.makerad.makerland.xyz SCVMM/vmm01
Charles Pickering 61 Reputation points

2026-01-08T02:03:31.5766667+00:00

Not sure why my first comment didn't get posted then reappeared after I had re written it. Sorry for the confusion.
Charles Pickering 61 Reputation points

2026-01-08T03:42:24.02+00:00

I had to do some digging but I found this in the event logs on the vmm server. The SID which is redacted decodes to the VMM service account in my environment. I see very little about error code 2150858752 on the internet. :(

Log Name: Microsoft-Windows-WinRM/Operational Source: Microsoft-Windows-WinRM Date: 1/7/2026 7:44:42 PM Event ID: 142 Task Category: Response handling Level: Error Keywords: Client User: MAKERAD\vmm_srv Computer: vmmworker01.makerad.makerland.xyz Description: WSMan operation Enumeration failed, error code 2150858752 Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-WinRM" Guid="{a7975c8f-ac13-49f1-87da-5a984a4ab417}" /> <EventID>142</EventID> <Version>0</Version> <Level>2</Level> <Task>10</Task> <Opcode>2</Opcode> <Keywords>0x4000000000000002</Keywords> <TimeCreated SystemTime="2026-01-08T02:44:42.6375911Z" /> <EventRecordID>2071031</EventRecordID> <Correlation ActivityID="{d8454c2f-568c-42c4-aa63-d148d805fe6a}" /> <Execution ProcessID="9468" ThreadID="6392" /> <Channel>Microsoft-Windows-WinRM/Operational</Channel> <Computer>vmmworker01.makerad.makerland.xyz</Computer> <Security UserID="redacted" /> </System> <EventData> <Data Name="operationName">Enumeration</Data> <Data Name="errorCode">2150858752</Data> </EventData> </Event>
Charles Pickering 61 Reputation points

2026-01-08T04:35:13.6866667+00:00

Hi @Suchitra Suregaunkar thanks for your help with this. The problem was related to WinRM, specifically an SPN registration was needed for the WinRM service itself (HTTP/) in addition to the SCVMM/ registration. After adding that to the service account it functions properly and onboarding completed. I think this should be added/made more prominent in the documentation that if installation is completed by an account without the ability to register SPNs on the service account, both the SCVMM and HTTP SPNs need to be manually registered. Currently only the SCVMM/ ones are documented.

Answer 1

Hello Charles Pickering The Arc Resource Bridge for SCVMM was stuck in WaitingForHeartbeat because the SCVMM provider could not establish a PowerShell remoting session over WinRM. The logs showed:

MI_RESULT_FAILED – New-PSSession failed with Authentication 'Negotiate'

This indicated a WinRM/Kerberos authentication issue, not SCVMM service reachability.

The root cause of the issue is Missing SPNs for the HTTP/WinRM service on the SCVMM service account. While the documented prerequisites mention SCVMM SPNs, Kerberos also requires SPNs for HTTP when using New-PSSession with Negotiate authentication.

Below are the resolution steps:

Added SPNs for HTTP/WinRM on the SCVMM service account: setspn -S HTTP/<FQDN> setspn -S HTTP/<NetBIOS>
- Verified WinRM listeners and authentication settings.
- After updating SPNs, Kerberos negotiation succeeded, the SCVMM provider initialized, and the control plane transitioned to Running.
If you see MI_RESULT_FAILED and Event ID 142 in WinRM logs during Arc SCVMM onboarding:
- Check WinRM listener bindings (must include NIC IPs, not just loopback).
  - Validate Kerberos prerequisites.
  - SPNs for SCVMM and HTTP/WinRM
  - DNS resolution for FQDN
  - Time synchronization
  - Ensure WinRM ports (5985/5986) are reachable from the appliance.

If Arc Resource Bridge for SCVMM is stuck in WaitingForHeartbeat and logs show New-PSSession failures, don’t stop at SCVMM SPNs—also verify HTTP/WinRM SPNs for Kerberos.

Reference: https://learn.microsoft.com/en-us/azure/azure-arc/system-center-virtual-machine-manager/troubleshoot-scvmm

https://learn.microsoft.com/en-us/azure/azure-arc/system-center-virtual-machine-manager/support-matrix-for-system-center-virtual-machine-manager

Thanks,

Suchitra.

Answer 2

Hi ,

Thanks for reaching out to Microsoft Q&A.

In Arc Resource Bridge for SCVMM, WaitingForHeartbeat + MI_RESULT_FAILED means the appliance cannot establish a persistent VMM server session using WinRM with Kerberos/Negotiate, which is mandatory even if basic powershell remoting works. The mi does not fully come up until this succeeds, which is why clusterIdentity stays unpopulated.

Concrete things to check next (do not skip these):

SCVMM WinRM configuration

WinRM must be enabled and listening on HTTP (5985) on the VMM server.

  `winrm enumerate winrm/config/listener` on the VMM server.
  
     HTTPS-only WinRM or hardened WinRM configs break Arc RB.

Kerberos / SPN issues

Ensure the SCVMM service account has correct SPNs registered.

No duplicate SPNs for the VMM server name.

Test from the appliance VM: --> Test-WSMan <VMMServerFQDN> ->This must succeed without prompting.

Time sync

  Even small clock skew between appliance, VMM, and domain controller will break Kerberos silently.
  
     Verify time sync on all three.
     
     Firewall
     
        Confirm 5985, 443, 80, and dynamic RPC ports are open both ways between appliance and VMM.
        
           Many dev environments miss return traffic.
           
           SCVMM version and patch level
           
              Arc RB is sensitive here. Ensure SCVMM is on a supported update rollup.
              
                 Older URs fail MI session creation.

If Test-WSMan from the appliance fails or falls back to NTLM, that is your root cause. Until Kerberos WinRM works cleanly, the control plane will never reach Running and azure will stay in WaitingForHeartbeat.

Please 'Upvote'(Thumbs-up) and 'Accept' as answer if the reply was helpful. This will be benefitting other community members who face the same issue.

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Answer 3

Charles Pickering 61

The issue turned out to be missing SPNs, but NOT the SCVMM/ ones as documented. Adding SPNs for the HTTP/ WinRM service on the vmm service account resolved the issue.

Suchitra Suregaunkar 5,570 Reputation points Microsoft External Staff Moderator

2026-01-08T04:40:09.53+00:00

Hello Charles Pickering

Could you please let me know if the solution shared addressed your query?

Share via

Azure Arc Resource Bridge for SCVMM stuck in WaitingForHeartbeat

2 additional answers

Your answer