Home / Azure Local

Azure Local | HomeLab – Troubleshoot Windows Update
Azure LocalInfrastructure

Azure Local | HomeLab – Troubleshoot Windows Update

mmAlex ter Neuzen··Reading Time: 6 min
Reading Time: 4 minutes

The cluster was deployed two days ago. Local Identity with Azure Key Vault, single node, West Europe. Registration is healthy, connection status shows Connected, sync is running on schedule. Everything looks exactly the way it should.

Then the update pre-check blocks with a single health fault:

Microsoft.Health.FaultType.Cluster.KeyVaultDoesNotExist

The Key Vault exists. The secrets are in it. So what is actually going on?

The Environment

PropertyValue
ClusterClusterKADZ
Deployment ModelLocal Identity with Azure Key Vault
RegionWest Europe
Resource Groupazl-we-rsg-azl-koogaandezaan-01
Key VaultClusterKADZ-hcikv1
Nodenode01
Connection StatusConnected

Step 1: Verify Cluster Health

Before diving into the Key Vault, confirm the cluster itself is in good shape. On the cluster node:

PS C:\Users\hciadmin> Get-AzureStackHCI
 
ClusterStatus      : Clustered
RegistrationStatus : Registered
RegistrationDate   : 27-5-2026 13:30:57
AzureResourceName  : ClusterKADZ
ConnectionStatus   : Connected
LastConnected      : 29-5-2026 03:00:03
IMDSAttestation    : Enabled
DiagnosticLevel    : Basic
Region             : westeurope

Clustered, registered, connected. The cluster is healthy and syncing to Azure. The problem is isolated to the Key Vault integration.

Step 2: Verify the Key Vault Exists

The fault says the Key Vault does not exist. First thing to check is whether that is actually true.

PS C:\Users\hciadmin> az keyvault secret list --vault-name "ClusterKADZ-hcikv1" --query "[].name" -o table
 
Result
------------------------------------------------------------------
ClusterKADZ-BL-Data-xxxxxxxxxx
ClusterKADZ-BL-Data-xxxxxxxxxx
ClusterKADZ-LocalAdminCredential-xxxxxxxxxx
ClusterKADZ-TVMKey-Master-RSA-Private
ClusterKADZ-TVMKey-Master-RSA-Public
node01-RecoveryAdminPassword

Six secrets. BitLocker keys, local admin credentials, TVM keys, recovery admin password. The vault is healthy, the secrets are accessible, and everything was provisioned correctly during deployment.

So the vault exists. The fault name is misleading.

Step 3: Check the Cluster Identity

Azure Local uses a system-assigned managed identity to authenticate to Azure services. The CLI session works because you are logged in as a user. The cluster service uses its own identity.

PS C:\Users\hciadmin> az resource show --ids "/Subscriptions/2a234050-.../providers/
    Microsoft.AzureStackHCI/clusters/ClusterKadz" --query "identity" -o json
 
{
  "principalId": "c6cbeb2d-xxxx-xxxx-xxxx-e8f5261c5bcd",
  "tenantId": "cd41dae2-xxxx-xxxx-xxxx-56161d080b65",
  "type": "SystemAssigned"
}

The cluster has a system-assigned managed identity with principal ID c6cbeb2d-xxxx-xxxx-xxxx-e8f5261c5bcd. This is the identity the cluster uses to access Key Vault. Keep this ID in mind.

Step 4: Check Key Vault RBAC

The Key Vault uses RBAC authorization. Check who actually has access:

PS C:\Users\hciadmin> az role assignment list --scope "/subscriptions/.../providers/
    Microsoft.KeyVault/vaults/ClusterKADZ-hcikv1" \
    --query "[].{Principal:principalId, Role:roleDefinitionName}" -o table
 
Principal                             Role
------------------------------------  -----------------------------------
b11a9918-xxxx-xxxx-xxxx-be18f8eea738  Key Vault Data Access Administrator
b11a9918-xxxx-xxxx-xxxx-be18f8eea738  Key Vault Secrets Officer
ee90e0d3-xxxx-xxxx-xxxx-3d6a24222a7b  Key Vault Secrets Officer
ee90e0d3-xxxx-xxxx-xxxx-3d6a24222a7b  Key Vault Certificates Officer

Two principals have access. The first is likely the deployment service principal. The second is the Arc node identity.

The cluster identity c6cbeb2d-xxxx-xxxx-xxxx-e8f5261c5bcd is not in this list. That is the root cause.

The cluster’s managed identity has no RBAC role on the Key Vault. When the health service tries to validate Key Vault access using the cluster identity, it cannot authenticate. The health service interprets this as the Key Vault not existing.

The CLI works fine because the az session is authenticated as a different principal entirely. The cluster service does not use that session.

The Fix

Grant the cluster’s managed identity the Key Vault Secrets Officer role on the vault.

Option A: Azure Portal

1. Open the Key Vault Almere01-hcikv in the Azure portal

2. Go to Access control (IAM)

3. Click Add > Add role assignment

4. Select role: Key Vault Secrets Officer

5. Click Members > select Managed identity

6. Choose Azure Stack HCI (or Azure Local) as the managed identity type

7. Find and select Almere01

8. Click Review + assign

Option B: Azure CLI

Run this from a workstation or Cloud Shell with Owner or User Access Administrator permissions:

az role assignment create \
  --assignee-object-id "c6cbeb2d-xxxx-xxxx-xxxx-e8f5261c5bcd" \
  --assignee-principal-type "ServicePrincipal" \
  --role "Key Vault Secrets Officer" \
  --scope "/subscriptions/2a234050-.../providers/Microsoft.KeyVault/vaults/ClusterKADZ-hcikv1"

You cannot run this from the cluster node itself. The hciadmin session on the node is authenticated as the Arc machine identity, which does not have permission to write role assignments. Use the Azure Portal or a CLI session with sufficient privileges.

Force Health Re-evaluation

After applying the role assignment, the health service needs to re-check. You can wait for the next scheduled evaluation or force it manually.

Start with the most targeted approach and work your way up:

Trigger a health check

Get-StorageSubSystem Cluster* | Debug-StorageSubSystem

Force a sync with Azure

Sync-AzureStackHCI

Restart the Health Service

Stop-ClusterResource "Health Service"
Start-ClusterResource "Health Service"

Restart Cloud Management

Stop-ClusterGroup "Cloud Management"
Start-ClusterGroup "Cloud Management"

After each step, verify the fault is gone:

Get-StorageSubSystem Cluster* | Debug-StorageSubSystem

If this returns nothing, the fault has cleared. Retry the update.

Key Things to Know

The fault name is misleading. KeyVaultDoesNotExist does not necessarily mean the vault was deleted. It can mean the cluster identity cannot authenticate to it. The health service makes no distinction between “not found” and “access denied.”

Your CLI session is not the cluster. When you run az keyvault secret list and everything works, that proves your user identity has access. It says nothing about the cluster’s managed identity. Always verify the RBAC assignments for the cluster principal separately.

Check all three identities. A Local Identity with Key Vault deployment involves at least three principals: the deployment service principal, the Arc node identity, and the cluster’s system-assigned managed identity. All three need appropriate access. If the cluster identity is missing, the health fault fires.

Run the fix from the right context. The hciadmin session on the cluster node runs under the Arc machine identity, not your user account. Role assignments require Owner or User Access Administrator permissions. Use the Azure Portal or a workstation CLI session.

Share and Enjoy !

Shares
Tagged:
Related storiesMore in Azure Local →
Designer (23)

Stay close to the action—follow GetToThe.Cloud across social!
Deep dives and hands‑on how‑tos on Azure Local, hybrid cloud, automation, PowerShell/Bicep, AVD + FSLogix, image pipelines, monitoring, networking, and resilient design when the internet/Azure is down.

🔗 Our channels
▶️ YouTube: https://www.youtube.com/channel/UCa33PgGdXt-Dr4w3Ub9hrdQ
💼 LinkedIn Group: https://www.linkedin.com/groups/9181126/
✖️ X (Twitter): https://x.com/Gettothecloud
🎵 TikTok: https://www.tiktok.com/@gettothecloud
🐙 GitHub: https://github.com/GetToThe-Cloud/Website
💬 Slack: DM us for an invite
📲 WhatsApp: DM for the community link

Share

We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners. View more
Cookies settings
Accept
Privacy & Cookie policy
Privacy & Cookies policy
Cookies list
Cookie name Active

Who we are

Our website address is: https://www.gettothe.cloud

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Cookies

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select "Remember Me", your login will persist for two weeks. If you log out of your account, the login cookies will be removed.If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Who we share your data with

If you request a password reset, your IP address will be included in the reset email.

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data

Visitor comments may be checked through an automated spam detection service.
Save settings
Cookies settings