Facing error while encrypting a VM os and data disk using ADE

Ishan Saxena 20 Reputation points
2023-08-02T10:43:07.4633333+00:00

Facing an error while encrypting a virtual machine (Windows Server 2016) disk through ADE. Although I have given all the access roles to the key vault, enabled the desired permissions in the vault access policy and granted all the resource access for the vault, I am still facing an error while encrypting the disk with the key:

Error:

{
  "code": "VMExtensionProvisioningError",
  "message": "VM has reported a failure when processing extension 'AzureDiskEncryption' (publisher 'Microsoft.Azure.Security' and type 'AzureDiskEncryption').
 Error message: \"[2.4.0.2] Failed to configure machine for bitlocker encryption. 
Reboot the VM and retry encryption operation\". More information on troubleshooting is available at https://aka.ms/VMExtensionADEWindowsTroubleshoot. "
}


1 answer

  1. deherman-MSFT 32,156 Reputation points Microsoft Employee
    2023-08-02T18:19:58.3+00:00

    @Ishan Saxena

    This error can be caused by several issues. It appears that you have given appropriate permissions to key vault and updated the access policy to enable access to ADE. Here are a few things to check for:

    Make sure that you are not affected by one of the Unsupported scenarios.

    To ensure that encryption secrets don't cross regional boundaries, you must create and use a key vault that's in the same region and tenant as the VMs to be encrypted. Also, if you have enabled the firewall on the key vault, you must go to the Networking tab on the key vault and enable access to Microsoft Trusted Services.

    Check the networking requirements and Group Policy requirements for ADE.

    If you are using Windows Server 2016 Server Core, you need to copy the binaries from a Windows Server 2016 Datacenter VM to your Server Core VM.

    Hopefully this resolves your issue. If not, please let me know in the comments and we can work with you directly to further investigate.


    If you still have questions, please let us know in the "comments" and we would be happy to help you. Comment is the fastest way of notifying the experts.

    If the answer has been helpful, we appreciate hearing from you and would love to help others who may have the same question. Accepting answers helps increase visibility of this question for other members of the Microsoft Q&A community.

    Thank you for helping to improve Microsoft Q&A!


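The key vault prerequisites listed in the answer (same region and tenant as the VM, vault enabled for disk encryption, firewall allowing Microsoft Trusted Services) can be verified before retrying the extension. The script below is an added example, not part of the answer or of Microsoft's tooling; it assumes the Az PowerShell modules are installed, `Connect-AzAccount` has been run, and the resource group, VM and vault names are placeholders you replace.

```powershell
# Added example: preflight check of ADE key vault prerequisites for a VM.
# Assumes Az.Accounts, Az.Compute and Az.KeyVault and an active Connect-AzAccount session.
function Test-AdePrerequisites {
    param(
        [Parameter(Mandatory)] [string]$ResourceGroupName,
        [Parameter(Mandatory)] [string]$VMName,
        [Parameter(Mandatory)] [string]$VaultName
    )

    $vm    = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
    $vault = Get-AzKeyVault -VaultName $VaultName
    $ctx   = Get-AzContext

    # A vault with the firewall turned on (DefaultAction = Deny) must let
    # trusted Microsoft services through, otherwise the ADE extension cannot
    # write the BitLocker key material to it.
    $firewallOk = ($vault.NetworkAcls.DefaultAction -eq 'Allow') -or
                  ($vault.NetworkAcls.Bypass -eq 'AzureServices')

    $checks = [ordered]@{
        'Vault in same region as VM'        = ($vault.Location -eq $vm.Location)
        'Vault in same tenant as sign-in'   = ($vault.TenantId -eq $ctx.Tenant.Id)
        'Vault enabled for disk encryption' = [bool]$vault.EnabledForDiskEncryption
        'Firewall allows trusted services'  = $firewallOk
        # Not required by ADE, but protects the disk keys from accidental purge.
        'Purge protection enabled'          = [bool]$vault.EnablePurgeProtection
    }

    $failed = @()
    foreach ($name in $checks.Keys) {
        if ($checks[$name]) { $status = 'PASS' } else { $status = 'FAIL'; $failed += $name }
        Write-Host ("[{0}] {1}" -f $status, $name)
    }

    # Current encryption state of the OS and data volumes, for context.
    $state = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
    Write-Host ("OS volume: {0}; data volumes: {1}" -f $state.OsVolumeEncrypted, $state.DataVolumesEncrypted)

    return [pscustomobject]@{ AllPassed = ($failed.Count -eq 0); Failed = $failed }
}

# Placeholder names; replace with your own resource group, VM and vault.
Test-AdePrerequisites -ResourceGroupName '<vm-resource-group>' -VMName '<vm-name>' -VaultName '<key-vault-name>'
```

Any FAIL line points at a prerequisite to fix before rebooting the VM and retrying `Set-AzVMDiskEncryptionExtension`; the group policy and outbound networking requirements from the answer still have to be checked on the guest itself.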