
vmss_KeyVaultForWindows extension in failed state - deployment failing.

Asmita Yadav 40 Reputation points Microsoft Employee
2026-04-01T11:36:43.65+00:00

VMSS KV extension is in failed state - and deployment is failing with the following error.

Status: Failed Error: Code: VMExtensionProvisioningTimeout Message: Provisioning of VM extension vmss_KeyVaultForWindows has timed out. Extension provisioning has taken too long to complete. The extension last reported "Enable failed for plugin (name: Microsoft.Azure.KeyVault.KeyVaultForWindows, version 4.0.3333.280) with exception Command C:\Packages\Plugins\Microsoft.Azure.KeyVault.KeyVaultForWindows\4.0.3333.280\enable-disable-kvvm.cmd of Microsoft.Azure.KeyVault.KeyVaultForWindows has exited with Exit code: 2. Error: The service is not responding to the control function. More help is available by typing NET HELPMSG 2186. . ".

Azure Virtual Machine Scale Sets

Azure compute resources that are used to create and manage groups of heterogeneous load-balanced virtual machines.


Answer accepted by question author
  1. Himanshu Shekhar 5,140 Reputation points Microsoft External Staff Moderator
    2026-04-01T12:14:02.5566667+00:00

    Asmita Yadav - Please check the extension logs inside one affected VMSS instance.

    Review logs at: C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.KeyVault.KeyVaultForWindows\<version> to identify the exact failure during service start.

    Please verify managed identity and Key Vault permissions.

    Validate network connectivity to Key Vault - Confirm the VMSS can reach the Key Vault endpoint (especially if using Private Endpoint, NSGs, or Azure Firewall).

    Reinstall or upgrade the extension - Remove the failed extension and redeploy it with autoUpgradeMinorVersion = true after the VMSS reaches a stable state.

    Key Vault VM Extension for Windows: https://learn.microsoft.com/azure/virtual-machines/extensions/key-vault-windows

    Finally, the issue has been resolved by deleting and redeploying the VMSS after draining traffic from the affected region. The service is now functioning as expected.


1 additional answer

  1. Q&A Assist
    2026-04-01T11:37:08.63+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The error indicates that the Key Vault VM extension for Windows on the VMSS instances is timing out during the Enable phase and returning exit code 2. This is a VM extension provisioning failure, which can block deployments and cause long-running operations until the extension either succeeds or times out.

    Use the following steps to troubleshoot and remediate:

    1. Check extension status on the VMSS instances
      Use Azure CLI or PowerShell to inspect the extension state on one or more instances and confirm that vmss_KeyVaultForWindows is in a failed state. For single VMs, the Key Vault extension status can be checked with:
      • PowerShell:
             Get-AzVMExtension -ResourceGroupName <myResourceGroup> -VMName <myVM> -Name <myExtensionName>
        
      • Azure CLI:
             az vm get-instance-view --resource-group <myResourceGroup> --name <myVM> --query "instanceView.extensions"
        
      For VMSS, run the equivalent az vmss get-instance-view or PowerShell cmdlets per instance to see which instances/extensions are failing.
    2. Review Key Vault extension logs inside the guest OS
      The Key Vault VM extension logs exist only locally on the VM. Connect to one of the affected VMSS instances and review the extension logs under the standard extension log paths for Windows:
      • General extension logs: C:\WindowsAzure\Logs\Plugins
      • Key Vault extension folder: C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.KeyVault.KeyVaultForWindows\<version> (if present)
      Also inspect the extension settings and status files under:
      • C:\Packages\Plugins\Microsoft.Azure.KeyVault.KeyVaultForWindows\<version>
      Look for detailed error messages around the time the enable-disable-kvvm.cmd script runs and fails with exit code 2. This will usually indicate whether the failure is due to service startup, configuration, or connectivity.
    3. Verify the Azure VM Guest Agent and extension framework
      A non-healthy Guest Agent can cause extension provisioning timeouts:
      • In the VM/VMSS instance Overview blade, verify Agent status is Ready and a valid Agent version is shown.
      • If the Guest Agent is not ready or appears stuck, follow the guidance in the VM extension troubleshooting article to review Guest Agent health and logs.
    4. Check for general VM extension issues and timeouts
      VM extensions have a 90‑minute provisioning timeout. When an extension is in a failed state, subsequent operations such as Start, Redeploy, or scale‑set operations can be delayed while Azure retries the extension. To mitigate:
      • In the VM/VMSS Extensions + applications blade, confirm the Key Vault extension status. If it is not Provisioning succeeded, either:
        • Fix the configuration (for example, incorrect Key Vault URI, access policy, or certificate settings), then re‑deploy the extension, or
        • Remove the failing extension from the VMSS model and/or instances if it is not required, then re‑add it with correct settings.
      • After fixing or removing the extension, stop and start the VMSS instances or perform a rolling upgrade to confirm that provisioning completes quickly.
    5. Reapply VM state if the extension is stuck
      If the extension remains in a failed state even after configuration fixes, trigger a VM state reapply on an affected instance to force a new goal state and extension reprovisioning:
      • Azure portal: for a single VM, use Redeploy + reapply → Reapply. For VMSS, use the equivalent reimage/upgrade operations per instance.
      • PowerShell (single VM example):
             Set-AzVM -ResourceGroupName <RG Name> -Name <VM Name> -Reapply
        
      • Azure CLI (single VM example):
             az vm reapply -g <RG Name> -n <VM Name>
        
      Reapply usually does not reboot the VM, but in rare cases it can trigger a pending update that requires a restart, so schedule during a maintenance window.
    6. Check for certificate/SSL or network issues if uploads or HTTPS calls fail
      If the Key Vault extension logs show SSL/TLS trust errors or failures to reach Azure endpoints (similar to other extensions that upload results or retrieve secrets), verify:
      • No NSG or firewall is blocking outbound HTTPS to required Azure endpoints and Certificate Authority URLs.
      • No SSL inspection device is breaking the certificate chain.
    7. If the VM/VMSS was created from an image with old extensions
      If the VMSS instances were created from a generalized or specialized image that already contained extension binaries and status files, stale extension state can cause incorrect or failed provisioning. In such cases:
      • Remove the old extension from the source VM before imaging, then recreate the image and redeploy.
      • For existing VMSS, remove the failing extension from the model and instances, then add it back cleanly.
    8. If the issue persists
      After reviewing logs, fixing configuration, ensuring Guest Agent health, and reapplying/redeploying, if the Key Vault extension still times out, open a support request so that the extension publisher or Azure Support can review extension‑specific logs and behavior.

    0 comments No comments
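
The in-guest checks that both answers above list (extension logs, service state, Key Vault reachability, managed identity) can be collected in one read-only pass. This script is an added example, not part of either answer or of Microsoft's tooling; `$VaultHost` is a placeholder to fill in, and the `*KeyVault*` service match is an assumption because the page does not name the service.

```powershell
# Added example: run in an elevated PowerShell session on one affected VMSS instance.
# $VaultHost is a placeholder; the log path is the one quoted in the answers above.
param([string]$VaultHost = '<your-vault-name>.vault.azure.net')

$logRoot = 'C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.KeyVault.KeyVaultForWindows'

# 1. Newest extension log folder, then the most recent lines that mention a failure.
$latest = Get-ChildItem -Path $logRoot -Directory -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($latest) {
    Get-ChildItem -Path $latest.FullName -File -Recurse |
        Select-String -Pattern 'error|exception|fail|denied|forbidden|timed? ?out' |
        Select-Object -Last 40 |
        ForEach-Object { '{0}:{1}: {2}' -f $_.Filename, $_.LineNumber, $_.Line.Trim() }
} else {
    Write-Warning "No log folder under $logRoot; the handler may never have started."
}

# 2. State of the extension's Windows service. The wildcard is an assumption:
#    the service name is not given on the page, so match on 'KeyVault'.
Get-Service -DisplayName '*KeyVault*' -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status, StartType

# 3. DNS answer and TCP 443 reachability. With a Private Endpoint the name
#    should resolve to a private address inside the VNet.
Resolve-DnsName -Name $VaultHost -ErrorAction SilentlyContinue |
    Where-Object IPAddress | Select-Object Name, IPAddress
Test-NetConnection -ComputerName $VaultHost -Port 443 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded

# 4. Can the instance's managed identity get a Key Vault token from IMDS?
#    Only success or failure is reported; the token itself is never printed.
#    With several user-assigned identities, IMDS also needs a client_id parameter.
$imds = 'http://169.254.169.254/metadata/identity/oauth2/token' +
        '?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net'
try {
    $tok = Invoke-RestMethod -Uri $imds -Headers @{ Metadata = 'true' } -TimeoutSec 10
    'Managed identity token acquired, expires_on={0}' -f $tok.expires_on
} catch {
    Write-Warning "IMDS token request failed: $($_.Exception.Message)"
}
```

A token from step 4 shows only that the identity exists and IMDS is reachable; whether that identity is authorized on the vault still has to be confirmed in the vault's access configuration.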
