This article identifies critical known issues and their workarounds in disconnected operations for Azure Local.
These release notes are updated continuously to include critical issues and required workarounds. Review this information carefully before you deploy disconnected operations for Azure Local.
Known issues for version 2602
Bootstrap or deployment fails due to certificates being invalid (exception)
In cases where the Certificate Revocation List (CRL) is empty or misconfigured, bootstrap validation will fail.
Mitigation:
Verify that your Certificate Authority is configured correctly and ensure that your certificates include a CRL endpoint that is accessible from the nodes.
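One way to run this check from a node before bootstrap, as an added example (not Microsoft's code): it reads the CRL Distribution Points extension of each certificate and confirms every HTTP(S) endpoint answers with a non-empty body. The function names and the certificate folder are assumptions, and the text parsing relies on how Windows formats the extension.

```powershell
# Added example (not Microsoft's code). Run on each node.
# Assumption: -CertFolder points at the exported public certificates (.cer/.crt)
# you intend to use; the folder path in the usage line is a placeholder.

function Get-CrlDistributionPointUrl {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # OID 2.5.29.31 is the CRL Distribution Points extension.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return }
    # On Windows, Format($true) renders the extension as text with "URL=<uri>" lines.
    foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
        $m.Groups[1].Value
    }
}

function Test-CertificateCrlEndpoint {
    param(
        [Parameter(Mandatory)][string]$CertFolder,
        [int]$TimeoutSec = 15
    )
    $files = Get-ChildItem -Path $CertFolder -File |
        Where-Object { $_.Extension -in '.cer', '.crt' }

    foreach ($file in $files) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName
        $urls = @(Get-CrlDistributionPointUrl -Certificate $cert)

        if ($urls.Count -eq 0) {
            # A certificate without a CRL endpoint cannot pass revocation checking.
            [PSCustomObject]@{ File = $file.Name; Url = $null; Bytes = 0; Result = 'FAIL: no CRL distribution point' }
            continue
        }

        foreach ($url in $urls) {
            $bytes = 0
            if ($url -notmatch '^https?://') {
                $result = 'SKIPPED: non-HTTP endpoint, check manually'
            } else {
                try {
                    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec $TimeoutSec -ErrorAction Stop
                    $bytes = $resp.RawContentLength
                    if ($bytes -gt 0) { $result = 'OK' } else { $result = 'FAIL: endpoint returned an empty body' }
                } catch {
                    $result = "FAIL: $($_.Exception.Message)"
                }
            }
            [PSCustomObject]@{ File = $file.Name; Url = $url; Bytes = $bytes; Result = $result }
        }
    }
}

# Usage (placeholder path):
# Test-CertificateCrlEndpoint -CertFolder 'C:\Certs' | Format-Table -AutoSize
```

For the chain and revocation check as Windows itself performs it, `certutil -verify -urlfetch <file>` on the node retrieves the CDP and AIA URLs for the whole chain.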
Cloud deployment fails and transitions into a failed state
In version 2602, a known issue in disconnected operations for Azure Local causes the Hybrid Instance Metadata Service (HIMDS) to stop functioning because the control plane services take longer than expected to start. This timing issue can result in failed deployments accompanied by unclear or non-descriptive error messages.
Workaround:
Perform the following steps on all nodes:
- Download and copy the attached Zip file to the C:\AzureLocal folder.
- Extract the Zip file to the path: C:\AzureLocal\HimdsWatchDog.
- Run the Install-HIMDS-Watchdog.ps1 command.
- Verify if the scheduled task is created by running:
Get-ScheduledTask -TaskName HIMDS
- After the cloud deployment is complete, delete the task on each node by running:
Unregister-ScheduledTask -TaskName HIMDSWatchdog
Portal issues
Policy
There's a known issue with the Azure Policy portal interface in this release. As a workaround, use the Azure CLI or Azure PowerShell.
SSH keys
There's a known issue in the Azure portal that prevents creating SSH keys during the creation of Linux VMs or Azure Kubernetes Service (AKS) clusters.
Mitigation:
Use command-line tools to generate an SSH key and include the key during the VM or AKS creation process.
Additional cluster deployments fail as Host Guardian certificates aren't available
When you deploy additional Azure Local clusters after successfully deploying the dedicated management cluster, the deployments fail.
Mitigation:
Copy the following certificates from the first node of the management cluster and paste them on all Azure Local nodes (workload clusters) at the path C:\Users\Administrator\AppData\Roaming\AzureLocal\.
Make sure that the following files are present on each Azure Local node before you deploy a new workload cluster:
C:\Users\Administrator\AppData\Roaming\AzureLocal\AzsVmHostGuardian-IRVM01-encryption.pfx
C:\Users\Administrator\AppData\Roaming\AzureLocal\AzsVmHostGuardian-IRVM01-signing.pfx
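A way to confirm the copy before starting a workload cluster deployment, as an added example (not Microsoft's code): it compares the SHA-256 of both files on every workload node against the first node of the management cluster. It assumes PowerShell remoting is enabled between the machines; the function name and the node names in the usage line are placeholders.

```powershell
# Added example (not Microsoft's code). Assumption: PowerShell remoting works
# from the machine you run this on to every node you name.
$CertDir   = 'C:\Users\Administrator\AppData\Roaming\AzureLocal'
$CertFiles = 'AzsVmHostGuardian-IRVM01-encryption.pfx',
             'AzsVmHostGuardian-IRVM01-signing.pfx'

# Runs on the remote node: returns the SHA-256 of each file, or $null if it is missing.
$getHashes = {
    param($Dir, $Names)
    foreach ($name in $Names) {
        $path = Join-Path -Path $Dir -ChildPath $name
        $hash = $null
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
        [PSCustomObject]@{ File = $name; Sha256 = $hash }
    }
}

function Test-HostGuardianCertCopy {
    param(
        [Parameter(Mandatory)][string]$MgmtNode,          # first node of the management cluster
        [Parameter(Mandatory)][string[]]$WorkloadNodes    # nodes of the workload cluster(s)
    )
    # Hashes on the source node are the reference every copy must match.
    $reference = Invoke-Command -ComputerName $MgmtNode -ScriptBlock $getHashes -ArgumentList $CertDir, $CertFiles

    foreach ($node in $WorkloadNodes) {
        $actual = Invoke-Command -ComputerName $node -ScriptBlock $getHashes -ArgumentList $CertDir, $CertFiles
        foreach ($ref in $reference) {
            $copy = $actual | Where-Object { $_.File -eq $ref.File }
            if (-not $ref.Sha256) {
                $state = 'Missing on management node'
            } elseif (-not $copy.Sha256) {
                $state = 'Missing'
            } elseif ($copy.Sha256 -eq $ref.Sha256) {
                $state = 'OK'
            } else {
                $state = 'Differs from management node'
            }
            [PSCustomObject]@{ Node = $node; File = $ref.File; State = $state }
        }
    }
}

# Usage (placeholder node names):
# Test-HostGuardianCertCopy -MgmtNode 'MGMT-NODE01' -WorkloadNodes 'WL-NODE01', 'WL-NODE02' | Format-Table -AutoSize
```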
Control plane deployment stuck and times out without completing
In rare cases, deployments may time out, and services might not reach 100% convergence, even after 8 hours.
Mitigation:
Redeploy the disconnected operations appliance. If the issue persists after 2–3 clean redeployments, collect logs and open a support ticket.
Generating certificates gets stuck
When running the Operations module or using a script-based approach to generate certificates, the process may hang if executed through a Remote Desktop session.
Mitigation:
Make sure that the Remote Desktop session isn't mapping smart cards. If smart card mapping is enabled, running the scripts to generate certificates can cause certreq to hang.
Set-MgmtClusterDenyPolicy.ps1 script is missing
Mitigation: Generate the file using the below script:
<#
.SYNOPSIS
Denies resource creation on a management cluster Custom Location via Azure Policy.
.DESCRIPTION
This script creates an Azure Policy definition with a deny effect targeting the management
cluster's Custom Location and assigns it at subscription scope. It uses Azure PowerShell cmdlets
to create both the policy definition and assignment.
The policy blocks any resource creation where the extendedLocation targets the specified
management cluster Custom Location. Due to the single-CL-per-subscription design constraint,
the policy definition and assignment use hardcoded names. Re-running the script with a
different Custom Location ID will overwrite the previous assignment.
.PARAMETER SubscriptionId
The Azure subscription GUID where the policy definition and assignment will be created.
If omitted (and -AllSubscriptions is not set), the script runs against the current
Azure PowerShell subscription context.
.PARAMETER MgmtClusterCustomLocationId
The fully-qualified ARM resource ID of the management cluster Custom Location to deny
resource creation against.
.PARAMETER AllSubscriptions
When set, the script applies the deny policy to every enabled subscription the caller
has access to. If both -AllSubscriptions and -SubscriptionId are provided,
-AllSubscriptions takes precedence and -SubscriptionId is ignored.
.EXAMPLE
.\Set-MgmtClusterDenyPolicy.ps1 `
-SubscriptionId "a1b2c3d4-e5f6-7890-abcd-ef1234567890" `
-MgmtClusterCustomLocationId "/subscriptions/a1b2c3d4-e5f6-7890-abcd-ef1234567890/resourceGroups/my-rg/providers/Microsoft.ExtendedLocation/customLocations/my-custom-location"
.EXAMPLE
.\Set-MgmtClusterDenyPolicy.ps1 `
-AllSubscriptions `
-MgmtClusterCustomLocationId "/subscriptions/a1b2c3d4-e5f6-7890-abcd-ef1234567890/resourceGroups/my-rg/providers/Microsoft.ExtendedLocation/customLocations/my-custom-location"
.NOTES
Rollback commands:
Remove-AzPolicyAssignment -Name 'deny-resource-creation-on-mgmt-cluster-assignment' -Scope '/subscriptions/{subId}'
Remove-AzPolicyDefinition -Name 'deny-resource-creation-on-mgmt-cluster' -SubscriptionId '{subId}' -Force
Requires active Azure PowerShell session (Connect-AzAccount) and Resource Policy Contributor role.
#>
[CmdletBinding()]
param(
[Parameter(Mandatory = $false)]
[ValidatePattern('^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$')]
[string]$SubscriptionId,
[Parameter(Mandatory = $true)]
[ValidatePattern('^/subscriptions/[0-9a-fA-F-]+/resourceGroups/[^/]+/providers/Microsoft\.ExtendedLocation/customLocations/[^/]+$')]
[string]$MgmtClusterCustomLocationId,
[Parameter(Mandatory = $false)]
[switch]$AllSubscriptions
)
# Validate required Az modules
$modAccounts = Get-Module -ListAvailable -Name Az.Accounts | Sort-Object Version -Descending | Select-Object -First 1
if (-not $modAccounts -or $modAccounts.Version -lt [version]'2.13.0') {
throw "Az.Accounts module >= 2.13.0 is required. Install via: Install-Module -Name Az.Accounts -MinimumVersion 2.13.0"
}
$modResources = Get-Module -ListAvailable -Name Az.Resources | Sort-Object Version -Descending | Select-Object -First 1
if (-not $modResources -or $modResources.Version -lt [version]'6.12.0') {
throw "Az.Resources module >= 6.12.0 is required. Install via: Install-Module -Name Az.Resources -MinimumVersion 6.12.0"
}
# Check authentication
$azContext = Get-AzContext
if (-not $azContext) {
throw "Not connected to Azure. Run 'Connect-AzAccount' first."
}
# ---------------------------------------------------------------------------
# Determine subscription list
# ---------------------------------------------------------------------------
$subscriptions = @()
if ($AllSubscriptions) {
if (-not [string]::IsNullOrEmpty($SubscriptionId)) {
Write-Warning "Both -AllSubscriptions and -SubscriptionId were provided. -AllSubscriptions takes precedence; -SubscriptionId will be ignored."
}
Write-Host "Retrieving all enabled subscriptions..."
try {
$subs = Get-AzSubscription -ErrorAction Stop | Where-Object { $_.State -eq 'Enabled' }
} catch {
throw "Failed to retrieve subscription list. $($_.Exception.Message)"
}
$subscriptions = @($subs)
if ($subscriptions.Count -eq 0) {
throw "No enabled subscriptions found for the current account."
}
Write-Host "Found $($subscriptions.Count) enabled subscription(s)." -ForegroundColor Cyan
} elseif ([string]::IsNullOrEmpty($SubscriptionId)) {
# No SubscriptionId provided — resolve from current Azure PowerShell context
$currentCtx = Get-AzContext
if (-not $currentCtx -or [string]::IsNullOrEmpty($currentCtx.Subscription.Id)) {
throw "Failed to determine the current subscription context. Provide -SubscriptionId or run 'Set-AzContext' first."
}
Write-Host "No SubscriptionId provided. Using current subscription context: $($currentCtx.Subscription.Name) ($($currentCtx.Subscription.Id))"
$subscriptions = @([PSCustomObject]@{ Id = $currentCtx.Subscription.Id; Name = $currentCtx.Subscription.Name })
} else {
$subscriptions = @([PSCustomObject]@{ Id = $SubscriptionId; Name = $SubscriptionId })
}
# ---------------------------------------------------------------------------
# Prepare policy JSON definitions (inline)
# ---------------------------------------------------------------------------
$policyRuleJson = @'
{
"if": {
"allOf": [
{
"field": "extendedLocation.name",
"equals": "[parameters('customLocationId')]"
},
{
"field": "extendedLocation.type",
"equals": "CustomLocation"
}
]
},
"then": {
"effect": "deny"
}
}
'@
$policyParamJson = @'
{
"customLocationId": {
"type": "String",
"metadata": {
"displayName": "Custom Location Resource ID",
"description": "The full ARM resource ID of the Custom Location to deny resource creation against (e.g., /subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.ExtendedLocation/customLocations/{name})"
}
}
}
'@
# ---------------------------------------------------------------------------
# Process each subscription
# ---------------------------------------------------------------------------
$results = @()
$failures = @()
foreach ($sub in $subscriptions) {
$currentSubId = $sub.Id
$currentSubName = $sub.Name
Write-Host "`n===== Processing subscription: $currentSubName ($currentSubId) =====" -ForegroundColor Cyan
# --- Set subscription context ---
try {
Set-AzContext -SubscriptionId $currentSubId -ErrorAction Stop | Out-Null
} catch {
$msg = "Failed to set subscription context to '$currentSubId'. $($_.Exception.Message)"
Write-Error $msg
$failures += [PSCustomObject]@{ SubscriptionId = $currentSubId; SubscriptionName = $currentSubName; Error = $msg }
if (-not $AllSubscriptions) { throw $msg }
continue
}
# --- Create policy definition ---
Write-Host " Creating policy definition 'deny-resource-creation-on-mgmt-cluster'..."
try {
$definition = New-AzPolicyDefinition `
-Name 'deny-resource-creation-on-mgmt-cluster' `
-DisplayName 'Deny resource creation on management cluster Custom Location' `
-Description 'Blocks resource creation when extendedLocation targets the management cluster Custom Location' `
-Policy $policyRuleJson `
-Parameter $policyParamJson `
-Mode 'All' `
-Metadata '{"category":"Management Cluster"}' `
-SubscriptionId $currentSubId `
-ErrorAction Stop
} catch {
$msg = "Failed to create policy definition in subscription '$currentSubId'. $($_.Exception.Message)"
Write-Error $msg
$failures += [PSCustomObject]@{ SubscriptionId = $currentSubId; SubscriptionName = $currentSubName; Error = $msg }
if (-not $AllSubscriptions) { throw $msg }
continue
}
if ($null -eq $definition -or [string]::IsNullOrEmpty($definition.Id)) {
$msg = "Policy definition was created in subscription '$currentSubId' but returned unexpected output."
Write-Error $msg
$failures += [PSCustomObject]@{ SubscriptionId = $currentSubId; SubscriptionName = $currentSubName; Error = $msg }
if (-not $AllSubscriptions) { throw $msg }
continue
}
# --- Create policy assignment ---
$scope = "/subscriptions/$currentSubId"
Write-Host " Creating policy assignment 'deny-resource-creation-on-mgmt-cluster-assignment'..."
try {
$assignment = New-AzPolicyAssignment `
-Name 'deny-resource-creation-on-mgmt-cluster-assignment' `
-DisplayName 'Deny resource creation on management cluster Custom Location' `
-PolicyDefinition $definition `
-Scope $scope `
-PolicyParameterObject @{ customLocationId = $MgmtClusterCustomLocationId } `
-EnforcementMode 'Default' `
-ErrorAction Stop
} catch {
$msg = "Failed to create policy assignment in subscription '$currentSubId'. $($_.Exception.Message)"
Write-Error $msg
$failures += [PSCustomObject]@{ SubscriptionId = $currentSubId; SubscriptionName = $currentSubName; Error = $msg }
if (-not $AllSubscriptions) { throw $msg }
continue
}
if ($null -eq $assignment) {
$msg = "Policy assignment was created in subscription '$currentSubId' but returned unexpected output."
Write-Error $msg
$failures += [PSCustomObject]@{ SubscriptionId = $currentSubId; SubscriptionName = $currentSubName; Error = $msg }
if (-not $AllSubscriptions) { throw $msg }
continue
}
Write-Host " Policy successfully created and assigned." -ForegroundColor Green
$results += [PSCustomObject]@{
SubscriptionName = $currentSubName
SubscriptionId = $currentSubId
DefinitionName = $definition.Name
DefinitionId = $definition.PolicyDefinitionId
AssignmentName = $assignment.Name
AssignmentId = $assignment.PolicyAssignmentId
Scope = $scope
MgmtClusterCustomLocationId = $MgmtClusterCustomLocationId
}
}
# ---------------------------------------------------------------------------
# Summary
# ---------------------------------------------------------------------------
Write-Host "`n===== Summary =====" -ForegroundColor Cyan
Write-Host " Succeeded: $($results.Count) subscription(s)" -ForegroundColor Green
if ($failures.Count -gt 0) {
Write-Host " Failed: $($failures.Count) subscription(s)" -ForegroundColor Red
foreach ($f in $failures) {
Write-Host " - $($f.SubscriptionName) ($($f.SubscriptionId))" -ForegroundColor Red
}
}
if ($results.Count -gt 0) {
Write-Output $results
}
if ($failures.Count -gt 0 -and $results.Count -eq 0) {
throw "All subscriptions failed. See errors above."
}
SSL/TLS error using management endpoint (OperationsModule)
When you use a cmdlet that uses the management endpoint (for example, Get-ApplianceHealthState), you receive the error "threw and exception: The request was aborted: Could not create SSL/TLS secure channel.. Retrying".
Mitigation:
For 2511, do not use Set-DisconnectedOperationsClientContext. Instead use $context = New-DisconnectedOperationsClientContext and pass the $context to the respective cmdlets.
Arc bootstrap fails on node (Invoke-AzStackHCIArcInitialization) on Original Equipment Manufacturer (OEM) provided images
If you are running an OEM image, make sure that you are on the correct OS baseline.
Follow these steps:
- Make sure that you are on the same supported version or an earlier version (for example, 2508 or earlier).
- Disable zero-day update on each node:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\EdgeArcBootstrapSetup" -Name "MicrosoftOSImage" -Value 1
- Upgrade to the Microsoft provided ISO for your disconnected operations version target. Choose upgrade and keep settings when reimaging the nodes using this approach.
Alternatively, run the following command to get the correct update:
# Define the solution version and local package path - review the correct versions.
# Only do this if your OEM image is on an earlier version than the target version.
$TargetSolutionVersion = "12.2511.1002.5"
$localPlatformVersion = "12.2511.0.3038"
$DownloadUpdateZipUrl = "https://azurestackreleases.download.prss.microsoft.com/dbazure/AzureLocal/WindowsPlatform/$($localPlatformVersion)/Platform.$($localPlatformVersion).zip"
$LocalPlatformPackagePath = "C:\Platform.$($localPlatformVersion).zip"

# Download the DownloadUpdateZipUrl to LocalPlatformPackagePath (alternatively, do this from a browser and copy the file over if you cannot run this on your nodes/disconnected scenarios)
Invoke-WebRequest $DownloadUpdateZipUrl -Outfile $LocalPlatformPackagePath

$updateConfig = @{
    "TargetSolutionVersion" = $TargetSolutionVersion
    "LocalPlatformPackagePath" = $LocalPlatformPackagePath
}
$configHash = @{
    "UpdateConfiguration" = $updateConfig
}

# Trigger zero-day update
$tempConfigPath = "C:\temp.json"
$configHash | ConvertTo-Json -Depth 3 | Out-File $tempConfigPath -Force
Start-ArcBootstrap -ConfigFilePath $tempConfigPath

# Continue with Invoke-AzStackHCIArcInitialization.
Review the version compatibility table.
Cloud deployment validation fails during the portal experience
Solution Builder extension (SBE) validation fails when trying to reach an aka.ms link to download.
Workaround:
- Run the cloud deployment (portal) flow until the validation fails in the UX.
- Download a patched version of ExtractOEMContent.ps1
- Download a patched version of EN-US\ExtractOEMContent.Strings.psd1
- Modify the following file using your favorite editor: ExtractOEMContent.ps1. Replace line 899 in this file with the code snippet:
if (-not (Test-SBEXMLSignature -XmlPath $sbeDiscoveryManifestPath)) {
    throw ($localizedStrings.OEMManifestSignature -f $sbeDiscoveryManifestPath)
}
$packageHash = (Get-FileHash -Path $zipFile.FullName -Algorithm SHA256).Hash
$manifestXML = New-Object -TypeName System.Xml.XmlDocument
$manifestXML.PreserveWhitespace = $false
$xmlTextReader = New-Object -TypeName System.Xml.XmlTextReader -ArgumentList $sbeDiscoveryManifestPath
$manifestXML.Load($xmlTextReader)
$xmlTextReader.Dispose()
# Test that the zip file hash matches the package hash from the manifest
$applicableUpdate = $manifestXML.SelectSingleNode("//ApplicableUpdate[UpdateInfo/PackageHash='$packageHash']")
if ([System.String]::IsNullOrEmpty($applicableUpdate)) {
    throw "$($zipFile.FullName) hash of $packageHash does not match value in manifest at $sbeDiscoveryManifestPath"
}
$result = [PSCustomObject]@{
    Code = "Latest"
    Message = "Override for ALDO"
    Endpoint = "https://aka.ms/AzureStackSBEUpdate/Dell"
    ApplicableUpdate = $applicableUpdate.OuterXml
}
- Copy the newly modified file to C:\CloudDeployment\Setup\Common\ExtractOEMContent.ps1 on the first machine.
- Copy the downloaded, unmodified file to C:\CloudDeployment\Setup\Common\En-US\ExtractOEMContent.Strings.psd1 on the first machine.
- Resume cloud deployment.
Cloud deployment (validation or deployment) gets stuck
During the validate or cloud deployment flow, the first machine (seed node) restarts, which causes the control plane appliance to restart. Sometimes this process takes longer than expected, causing Hybrid Instance Metadata Service (HIMDS) to stop because it can't connect to the HIS endpoint. This issue can cause the deployment flow to stop responding.
Mitigation:
- Check if the HIMDS service is stopped:
Get-Service HIMDS
- If the service is stopped, start it:
Start-Service HIMDS
- Check the logs on the first node at C:\CloudDeployment\Logs.
- Review the appropriate log file:
  - Validate stage: Check the latest file with a name starting with EnvironmentValidator.
  - Deploy stage: Check the latest file with a name starting with CloudDeployment.
- If the status in the file is different from what appears in the portal, follow the next steps to resync the deployment status with the portal.
Deployment status out of sync from cluster to portal
The portal shows that cloud deployment is in progress even though it's already completed, or the deployment is taking longer than expected. This happens because the cloud deployment status isn't synced with the actual status.
If the portal and log file are out of sync, restart the LCM Controller service to reestablish the connection to relay by running Restart-Service LCMController.
Mitigation on the first machine:
Find the following files:
- For the Validate stage: C:\ECEStore\efb61d70-47ed-8f44-5d63-bed6adc0fb0f\559dd25c-9d86-dc72-4bea-b9f364d103f8
- For the Deploy stage: C:\ECEStore\efb61d70-47ed-8f44-5d63-bed6adc0fb0f\086a22e3-ef1a-7b3a-dc9d-f407953b0f84
Update the attribute EndTimeUtc located in the first line of the file to a future time based on the machine's current time. For example, <Action Type="CloudDeployment" StartTimeUtc="2025-04-09T08:01:51.9513768Z" Status="Success" EndTimeUtc="2025-04-10T23:30:45.9821393Z">.
Save the file and close it.
LCM sends the notification to HCI RP within 5-10 minutes.
To view LCM Controller logs, use the following command:
Get-WinEvent -LogName "Microsoft.AzureStack.LCMController.EventSource/Admin" -MaxEvents 100 | Where-Object {$_.Message -like "*from edge common logger*"} | Select-Object TimeCreated, Message
Note
This process works if HCI RP hasn't failed the deployment status due to a timeout (approximately 48 hours from the start of cloud deployment).
Failed to deploy disconnected operations Appliance (Appliance.Operations failure)
Some special characters in the management TLS cert password, external certs password, or observability configuration secrets from the OperationsModule can cause the deployment to fail with an error output: Appliance.Operations operation [options]
Mitigation:
Do not use special characters like single or double quotes in the passwords.
Resources disappear from portal
When you sign in to the portal with the same user account that worked before, resources are missing and don't appear.
Mitigation: Start your browser in incognito mode, or close your browser and clear all cookies. Then go back to your local portal and sign in again. Alternatively, restart IRVM01 on the seed node and wait until the services are back online and healthy.
Memory consumption when there's less than 128 GB of memory per node
The disconnected operations appliance uses 78 GB of memory. If your node has less than 128 GB of memory, complete these steps after you deploy the appliance but before you deploy Azure Local instances.
Mitigation:
- Shut down the IRVM01 VM on the seed node.
- Change the IRVM01 virtual machine memory setting to 64 GB.
- Start the IRVM01 appliance.
- Wait for convergence. Monitor Get-ApplianceHealthState until all services converge.
- Deploy Azure Local instances.
Deployment failure
In virtual environments, deployments can time out, and services might not reach 100% convergence, even after 8 hours.
Mitigation:
Redeploy the disconnected operations appliance a few times. If you're using a physical environment and the problem continues, collect logs and open a support ticket.
Azure Local deployment with Azure Key Vault
Role-Based Access Control (RBAC) permissions on a newly created Azure Key Vault can take up to 20 minutes to propagate. If you create the Key Vault in the local portal and quickly try to finish the cloud deployment, you might encounter permission issues when validating the cluster.
Mitigation:
Wait 20 minutes after you create the Azure Key Vault to finish deploying the cluster, or create the Key Vault ahead of time.
If you create the Key Vault ahead of time, make sure you assign:
- Managed identity for each node
- The Key Vault admin
- The user deploying to the cloud explicit roles on the Key Vault:
- Key Vault Secrets Officer and Key Vault Data Access Administrator.
Here's an example script. Modify and use this script to create the Key Vault ahead of time:
param($resourceGroupName = "aldo-disconnected", $keyVaultName = "aldo-kv", $subscriptionName = "Starter Subscription")
$location = "autonomous"

Write-Verbose "Sign in interactive with the user who does cloud deployment"
# Sign in to Azure CLI (use the user you run the portal deployment flow with)
az login
az account set --subscription $subscriptionName
$accountInfo = (az account show) | ConvertFrom-Json

# Create the resource group
$rg = (az group create --name $resourceGroupName --location $location) | ConvertFrom-Json

# Create a Key Vault that uses RBAC authorization
$kv = (az keyvault create --name $keyVaultName --resource-group $resourceGroupName --location $location --enable-rbac-authorization $true) | ConvertFrom-Json

Write-Verbose "Assigning permissions to $($accountInfo.user.name) on the Key Vault"
# Assign the deploying user's roles, scoped to the Key Vault itself.
az role assignment create --assignee $accountInfo.user.name --role "Key Vault Secrets Officer" --scope $kv.Id
az role assignment create --assignee $accountInfo.user.name --role "Key Vault Data Access Administrator" --scope $kv.Id

$machines = (az connectedmachine list -g $resourceGroupName) | ConvertFrom-Json
# For now, a minimum of 3 machines for Azure Local disconnected operations are supported.
if ($machines.Count -lt 3) {
    Write-Error "Fewer than 3 machines found in the resource group $resourceGroupName. Please check the resource group and try again. Please use the same resource group as where your Azure Local nodes are"
    return 1
}

Write-Verbose "Assigning permissions to MSIs $($machines.count) on the Key Vault"
# Find the managed identity (service principal) that belongs to each machine
$apps = (az ad sp list) | ConvertFrom-Json
$managedIds = $machines.displayname | ForEach-Object {
    $name = $_
    $apps | Where-Object { $_.ServicePrincipalType -eq 'ManagedIdentity' -and $_.displayname -match $name }
}

# Assign role to each of the managed IDs (Arc-VMs) in the RG
$managedIds | ForEach-Object {
    az role assignment create --role "Key Vault Administrator" --assignee $_.Id --scope $kv.id
}
Write-Verbose "Wait 20 min before running cloud deployment from portal"
Azure Local VMs
Azure Resource Graph add or edit tags error
After you start, restart, or stop the Azure Local VM, the power action buttons are disabled and the status isn't reflected properly.
Mitigation:
Use Azure Command-Line Interface (CLI) to add or edit tags for the resource.
Start, restart, or delete buttons disabled after stopping VM
After you stop an Azure Local VM, the start, restart, and delete buttons in the Azure portal are disabled.
Mitigation:
Refresh your browser and the page.
Delete a VM resource
When you delete a VM from the portal, you might see these messages: Delete associated resource failed and Failed to delete the associated resource 'name' of type 'Network interface'.
Mitigation:
After you delete the VM, use CLI to delete the associated network interface. Run this command:
az stack-hci-vm network nic delete
Azure Kubernetes Service (AKS) on Azure Local
AKS deployment fails in fully air-gapped scenarios
AKS deployments fail in fully air-gapped scenarios. No mitigation is available for this issue in the current releases.
Use an existing public key when creating AKS cluster
In this release, you can only use an existing public key when creating an AKS cluster.
Mitigation:
To create an SSH key, use the following command-line tool and paste the public key in the UI:
ssh-keygen -t rsa
(cat ~\.ssh\id_rsa.pub)|set-clipboard
Update or scale a node pool from the portal is disabled
Updating or scaling a node pool from the portal is unsupported in this preview release.
Mitigation:
Use CLI to update or scale a node pool.
az aksarc nodepool update
az aksarc nodepool scale
Scale limitation
In the current Azure Local disconnected operations scale envelope, running more than 20 workload clusters can affect control plane stability. Under sustained load, the disconnected operations control plane may become less responsive over time, which can impact manageability and reliability at higher cluster counts.
Mitigation:
Until the supported scale range is expanded, Microsoft recommends limiting the number of workload clusters to 20 or fewer to maintain stable and reliable disconnected operations.
Kubernetes cluster list empty under Azure Local (Kubernetes clusters)
When you navigate to Azure Local and click Kubernetes clusters, you might see an empty list of clusters.
Mitigation:
Navigate to Kubernetes > Azure Arc in the left menu or use the search bar. Your clusters should appear in the list.
Save Kubernetes service notification stuck
After you update to a newer version of Kubernetes, you might see a stuck notification that says, Save Kubernetes service.
Mitigation:
Navigate to the Cluster View page and refresh it. Check whether the state shows upgrading or completed. If the update completed successfully, you can ignore the notification.
Activity log shows authentication issue
Ignore the portal warning in this release.
Microsoft Entra authentication with Kubernetes RBAC fails
When attempting to create a Kubernetes cluster with Entra authentication, you encounter an error.
Only local accounts with Kubernetes RBAC are supported in this preview release.
Arc extensions
When navigating to extensions on an AKS cluster, the add button is disabled and there aren't any extensions listed.
Arc extensions are unsupported in this preview release.
AKS resource shows on portal after deletion
After successfully deleting an AKS cluster from portal, the resource continues to show.
Mitigation:
Use CLI to delete and clean up the cluster. Run this command:
az aksarc delete
Export Host Guardian Service certificates
This feature is unsupported in this preview release.
Restart a node or the control plane VM
After you restart a node or the control plane VM, the system might take up to an hour to become fully ready. If you notice issues with the local portal, missing resources, or failed deployments, check the appliance health using the OperationsModule to confirm that all services are fully converged.
Subscriptions
Operator create subscription
After you create a new subscription as an operator, the subscription appears in the list as non-clickable and displays no access for the owner.
Mitigation:
Refresh your browser window.
Operator subscriptions view (timeout)
If you're signed in as an operator, you might see a timeout screen and be unable to view, list, or create subscriptions.
Cause:
This issue happens when a subscription owner is deleted or isn't synced from the source identity system to the local control plane. When you try to view subscriptions, the process fails because the owner's identity isn't available.
Mitigation:
If the portal doesn't work, use Azure CLI or REST API to create and list subscriptions. To assign a different owner, use the REST API and enter the subscriptionOwnerId parameter when you create the subscription.
Azure CLI
Manage clouds
When you use the az cloud commands, such as az cloud register, az cloud show, or az cloud set, you might encounter issues if you use uppercase letters in the cloud name.
Mitigation:
Only use lowercase letters for cloud names in az cloud subcommands, such as register, show, or set.
Create subscriptions
Azure CLI doesn't support providing subscriptionOwnerId for new subscriptions. This makes the operator the default owner of newly created subscriptions without a way of changing the owner currently.
Mitigation:
If you need to automate subscription creation with a different owner, use az rest to create the subscriptions.
Azure portal
Sign out fails
When you select Sign out, the request doesn't work.
Mitigation:
Close your browser, then go to the Portal URL.
Azure Resource Manager
Template specs
Template specs are unsupported in the preview release. Deployments that use ARM templates with template specs fail.
Unsupported scenarios
The following scenarios are unsupported in the preview release.
- Arc-Enabled servers (remote or non Azure Local VMs)
- Arc-Enabled Kubernetes clusters (remote or non AKS clusters)
If you test these scenarios, these systems must trust your custom CA and you need to pass -custom-ca-cert when Arc-enabling them.
This feature is available only in Azure Local 2602 or later.