Azure Local Windows Admin Center won't run - error 501 when retrieving the certificate

Question

Azure Local Windows Admin Center won't run - error 501 when retrieving the certificate

Pawel Niemczyk 0

Hello,

Fresh deployment of Azure Local with latest image.

Went through all the WDAC audit/enforce process and extension finally installed.

Initially won't run because it tries to run with Network Service which doesn't have permissions to run services. Changed to Local System and it finally starts/runs.

Can't get it to actually work however. It is throwing error 501 at step RetrieveCertificate.

{

"status": "error",

"code": 501,

"name": "RetrieveCertificate",

"formattedMessage": {

"message": "Failed to retrieve certificate from key vault using app service",

"lang": "en-US"

}

Any ideas how to get around this?

Jilakara Hemalatha 340 Reputation points Microsoft External Staff Moderator

2025-08-21T05:09:36.2133333+00:00
Hi Pawel Niemczyk,

To help us better understand and troubleshoot the issue, could you please provide more details on the following

Is the App Service using a system-assigned or user-assigned identity to access resources?

Does the managed identity have permission to read and list certificates from the Key Vault?

Can you use Azure CLI or PowerShell with that identity to manually get the certificate?

Is the Key Vault set up to allow access from the App Service’s region and network?

Is the certificate active, not expired, and still available in the Key Vault?

Which version of the Azure Local image are you currently using?
Ankit Yadav 410 Reputation points Microsoft External Staff Moderator

2025-08-26T16:39:16.46+00:00

Additionally to the questions as by Jilakara Hemalatha,

could you please let us if this a new setup or it was an existing setup that started throwing errors recently? Have you done some changes to it or done any updates to any component from the setup ?

Also, please let us know what version of WAC you are using in your Azure Local environment.
Ankit Yadav 410 Reputation points Microsoft External Staff Moderator

2025-08-28T12:08:38.0533333+00:00

Hello Pawel Niemczyk,

Just checking in if you are still blocked with the certificate issue for WAC.

If yes, could you please answer the queries asked by me and Jilakara Hemalatha so that we can understand the issue better and assist in resolving your issue.

1 answer

Your answer

Jilakara Hemalatha 340 Reputation points Microsoft External Staff Moderator

2025-08-21T05:09:36.2133333+00:00

Hi Pawel Niemczyk,

To help us better understand and troubleshoot the issue, could you please provide more details on the following

Is the App Service using a system-assigned or user-assigned identity to access resources?

Does the managed identity have permission to read and list certificates from the Key Vault?

Can you use Azure CLI or PowerShell with that identity to manually get the certificate?

Is the Key Vault set up to allow access from the App Service’s region and network?

Is the certificate active, not expired, and still available in the Key Vault?

Which version of the Azure Local image are you currently using?
Ankit Yadav 410 Reputation points Microsoft External Staff Moderator

2025-08-26T16:39:16.46+00:00

Additionally to the questions as by Jilakara Hemalatha,

could you please let us if this a new setup or it was an existing setup that started throwing errors recently? Have you done some changes to it or done any updates to any component from the setup ?

Also, please let us know what version of WAC you are using in your Azure Local environment.
Ankit Yadav 410 Reputation points Microsoft External Staff Moderator

2025-08-28T12:08:38.0533333+00:00

Hello Pawel Niemczyk,

Just checking in if you are still blocked with the certificate issue for WAC.

If yes, could you please answer the queries asked by me and Jilakara Hemalatha so that we can understand the issue better and assist in resolving your issue.

Answer 1

Hello Pawel Niemczyk,

At this point with given information, we suspect that error code 501 "Failed to retrieve certificate from key vault using app service" is either due to key vault access permission issue or a misconfiguration in the certificate retrieval process.

To fix the key vault access permission issue :

The Network ⁠Service account may not have sufficient permissions to access the certificate store or Key Vault. The Local System change you made suggests a permissions issue.
⁠Ensure proper delegation is configured for the Windows Admin Center gateway to access required resources.
⁠If you're using Azure Key Vault integration, ensure the Key Vault extension is properly configured with the correct authentication settings.

To fix the certificate retrieval process :

Consider using the standard self-signed certificate approach instead of Key Vault retrieval.

Use SSL_CERTIFICATE_OPTION=generate during WAC installation.
⁠Export and import the generated certificate to establish trust.

Share via

Azure Local Windows Admin Center won't run - error 501 when retrieving the certificate

1 answer

Your answer