Azure Key Vault virtual machine extension for Windows

Question

Azure Key Vault virtual machine extension for Windows

Dev Team 25

I've tried following the instructions here to set up the Key Vault Extension for Windows using PowerShell. My PowerShell script is:

# Build settings
$settings = ".\key-vault-settings.json"
$extName = "KeyVaultForWindows"
$extPublisher = "Microsoft.Azure.KeyVault"
$extType = "KeyVaultForWindows"
  
# Add extension to Virtual Machine Scale Sets
$vmss = Get-AzVmss -ResourceGroupName devtestmornevm -VMScaleSetName devtestmornevm
Add-AzVmssExtension -VirtualMachineScaleSet $vmss  -Name $extName -Publisher $extPublisher -Type $extType -TypeHandlerVersion "3.0" -Setting $settings

# Start the deployment
Update-AzVmss -ResourceGroupName devtestmornevm -VMScaleSetName devtestmornevm -VirtualMachineScaleSet $vmss

This is my key-vault-settings.json file:

{   
   "secretsManagementSettings": {
   "pollingIntervalInS": "3600",
   "linkOnRenewal": true,
   "observedCertificates":
   [
      {
          "url": "https://devtestmornevmss.vault.azure.net/secrets/Certificate1",
          "certificateStoreName": "MY",
          "certificateStoreLocation": "LocalMachine"
      },
      {
          "url": "https://devtestmornevmss.vault.azure.net/secrets/Certificate2",
          "certificateStoreName": "MY",
          "certificateStoreLocation": "LocalMachine"
      }
   ]},
   "authenticationSettings": {
      "msiEndpoint":  "http://169.254.169.254/metadata/identity/oauth2/token",
      "msiClientId":  "31f84835-57e6-46d6-9000-87f70631a152"
   }
}

The VMSS is set up with a User Assigned Managed Identity, which has these properties:

User's image

The msiClientId in the JSON is the Client ID of the Managed Identity. The msiEndpoint was taken from your Azure documentation. I cannot find any other resource that explains what to put there.

After running the script, I get the following error, which is also shown on the extension page on the Azure portal when looking at the extension.

Enable failed for plugin (name: Microsoft.Azure.KeyVault.KeyVaultForWindows, version 3.0.2138.56) with exception Command C:\Packages\Plugins\Microsoft.Azure.KeyVault.KeyVaultForWindows\3.0.2138.56\enable-disable-kvvm.cmd of Microsoft.Azure.KeyVault.KeyVaultForWindows has exited with Exit code: 2. Error: The service is not responding to the control function. More help is available by typing NET HELPMSG 2186.

Also, some additional information. If I run this .NET code on the VM, it runs successfully, which indicates that the VM has got access to the Key Vault, but it is the Extension specifically that is not working.

class Program
    {
        static void Main(string[] args)
        {
            string secretName = "mySecret";
            string keyVaultName = "devtestmornevmss";
            var kvUri = "https://devtestmornevmss.vault.azure.net";
            SecretClientOptions options = new SecretClientOptions()
            {
                Retry =
                {
                    Delay= TimeSpan.FromSeconds(2),
                    MaxDelay = TimeSpan.FromSeconds(16),
                    MaxRetries = 5,
                    Mode = RetryMode.Exponential
                 }
            };

            var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential(),options);

            Console.Write("Input the value of your secret > ");
            string secretValue = Console.ReadLine();

            Console.Write("Creating a secret in " + keyVaultName + " called '" + secretName + "' with the value '" + secretValue + "' ...");

            client.SetSecret(secretName, secretValue);

            Console.WriteLine(" done.");

            Console.WriteLine("Forgetting your secret.");
            secretValue = "";
            Console.WriteLine("Your secret is '" + secretValue + "'.");

            Console.WriteLine("Retrieving your secret from " + keyVaultName + ".");

            KeyVaultSecret secret = client.GetSecret(secretName);

            Console.WriteLine("Your secret is '" + secret.Value + "'.");

            Console.Write("Deleting your secret from " + keyVaultName + " ...");

            client.StartDeleteSecret(secretName);

            System.Threading.Thread.Sleep(5000);
            Console.WriteLine(" done.");

        }
    }

Durga Reshma Malthi 11,400 Reputation points Microsoft External Staff Moderator

2025-08-08T14:33:56.3433333+00:00
Hi Dev Team

Could you please check the following things:

Ensure your VMSS is running a supported Windows Server version (e.g., Windows Server 2019 or later). The Key Vault for Windows extension may not work properly on custom or older images.

Ensure the VMSS subnet has outbound access to Azure services, especially the Key Vault and MSI endpoint. If using NSGs or firewalls, allow traffic to 169.254.169.254 (MSI metadata endpoint) and *.vault.azure.net

Also Ensure your User Assigned Managed Identity has Key Vault Secrets Officer (or Certificate Officer if dealing with certificates) role at the Key Vault scope.

Even though your .NET code works, the extension internally might need explicit get + list permissions for both secrets and certificates.

Sometimes the extension gets stuck in a failed state. Remove it, wait a minute, then re-add after fixing the JSON

Hope this helps!

Please Let me know if you have any queries.
Dev Team 25 Reputation points

2025-08-22T07:59:58.2133333+00:00
To answer your questions:

The VMSS is running Windows 2025 Datacenter Azure Edition

This is configured (see screenshot)

This is configured (see screenshot)

If we're using managed identities, then how would we configure this? Get and List permissions are only available when using the Key Vault Access policy and not Azure role-based access control. Are you saying that your recommended approach of using managed identities is not supported? Nevertheless, I have tried using both types of Key Vault Configuration. When using Key Vault Access policy, the permissions as seen in the screenshot:

I've tried removing and re-adding the extension. I believe my JSON is correct. If not, please let me know what is wrong with it.
Durga Reshma Malthi 11,400 Reputation points Microsoft External Staff Moderator

2025-08-26T08:16:52.9966667+00:00

Hi Dev Team

Try to remove the msiEndpoint from your JSON. Only keep msiClientId.

msiEndpoint is correct but I suspect that it might be breaking the extension initialization.

You mentioned Windows Server 2025 Datacenter Azure Edition. This is new and might be not validated for older extensions. The Key Vault extension (3.0.x) was mostly validated against Windows Server 2016/2019/2022. So, check this once.

Hope this helps!

Please Let me know if you have any queries.
Anusree Nashetty 6,225 Reputation points Microsoft External Staff Moderator

2025-08-26T20:17:39.87+00:00

Hi Dev Team

Did you get a chance to see the response. If you have any further queries, let us know. If the information is helpful, please click on Upvote.

1 answer

Your answer

Durga Reshma Malthi 11,400 Reputation points Microsoft External Staff Moderator

2025-08-08T14:33:56.3433333+00:00

Hi Dev Team

Could you please check the following things:

Ensure your VMSS is running a supported Windows Server version (e.g., Windows Server 2019 or later). The Key Vault for Windows extension may not work properly on custom or older images.

Ensure the VMSS subnet has outbound access to Azure services, especially the Key Vault and MSI endpoint. If using NSGs or firewalls, allow traffic to 169.254.169.254 (MSI metadata endpoint) and *.vault.azure.net

Also Ensure your User Assigned Managed Identity has Key Vault Secrets Officer (or Certificate Officer if dealing with certificates) role at the Key Vault scope.

Even though your .NET code works, the extension internally might need explicit get + list permissions for both secrets and certificates.

Sometimes the extension gets stuck in a failed state. Remove it, wait a minute, then re-add after fixing the JSON

Hope this helps!

Please Let me know if you have any queries.
Dev Team 25 Reputation points

2025-08-22T07:59:58.2133333+00:00

To answer your questions:

The VMSS is running Windows 2025 Datacenter Azure Edition

This is configured (see screenshot)

This is configured (see screenshot)

If we're using managed identities, then how would we configure this? Get and List permissions are only available when using the Key Vault Access policy and not Azure role-based access control. Are you saying that your recommended approach of using managed identities is not supported? Nevertheless, I have tried using both types of Key Vault Configuration. When using Key Vault Access policy, the permissions as seen in the screenshot:

I've tried removing and re-adding the extension. I believe my JSON is correct. If not, please let me know what is wrong with it.
Durga Reshma Malthi 11,400 Reputation points Microsoft External Staff Moderator

2025-08-26T08:16:52.9966667+00:00

Hi Dev Team

Try to remove the msiEndpoint from your JSON. Only keep msiClientId.

msiEndpoint is correct but I suspect that it might be breaking the extension initialization.

You mentioned Windows Server 2025 Datacenter Azure Edition. This is new and might be not validated for older extensions. The Key Vault extension (3.0.x) was mostly validated against Windows Server 2016/2019/2022. So, check this once.

Hope this helps!

Please Let me know if you have any queries.
Anusree Nashetty 6,225 Reputation points Microsoft External Staff Moderator

2025-08-26T20:17:39.87+00:00

Hi Dev Team

Did you get a chance to see the response. If you have any further queries, let us know. If the information is helpful, please click on Upvote.

Answer 1

Dev Team 25

We were struggling too much to get the extension working, and it's proving unreliable to use in a production environment. We've resorted to using a Custom Script Extension with a PowerShell script that does what the extension should do. This is proving to be much more reliable, and we can output logs to a file to diagnose what's not working if something goes wrong, whereas with the extension, it's a guessing game.

Share via

Azure Key Vault virtual machine extension for Windows

1 answer

Your answer