Azure Advisor Bitlocker not reporting, 'Extension status not available on the VM'

Remco de Rooij 1 Reputation point
2023-10-16T08:54:11.9933333+00:00

Let's start with my situation.
I have a hub and spoke model with an Azure Firewall.
All my VMs are forced to go over the Firewall.
I also have a Key Vault with Private Link enabled, also going to the firewall.

My issue is... Azure Advisor is not picking up the BitLocker drive encryption.
BitLocker is working, and it's encrypting and dropping keys in the Key Vault.

But when I run Get-AzVMDiskEncryptionStatus, this is my output:
OsVolumeEncrypted : Encrypted
DataVolumesEncrypted : Encrypted
OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings
ProgressMessage : Extension status not available on the VM

Somehow there is no communication between the VM and Azure.
For a test I've excluded the VM with an Allow-ALL traffic rule. But no results.

Still a warning in Advisor and from the PowerShell cmdlet.

vipullag-MSFT 24,211 Reputation points Microsoft Employee
    2023-10-18T06:27:48.7033333+00:00

    Hello Remco de Rooij,

    Welcome to the Microsoft Q&A Platform, and thanks for posting your query here.

    Based on the details, it looks like an issue with the Azure Disk Encryption extension on your VM. "Extension status not available on the VM" indicates that the Azure Disk Encryption extension is not reporting its status back to Azure.

    To troubleshoot this issue, follow the steps below and see if that helps:

    - Check if the Azure Disk Encryption extension is installed on the VM.
      You can do this by running the following command in PowerShell:
      Get-AzVMExtension -ResourceGroupName <resource-group-name> -VMName <vm-name>
      This should list all the extensions installed on the VM. Make sure that the AzureDiskEncryption extension is listed.

    - Check if the Azure Disk Encryption extension is running on the VM.
      You can do this by running the following command in PowerShell:
      Get-AzVMExtension -ResourceGroupName <resource-group-name> -VMName <vm-name> -Name AzureDiskEncryption
      This should show you the status of the extension. Make sure that the ProvisioningState is Succeeded and the Status shows that the extension is running.

    - Check the logs below to see if the Azure Disk Encryption extension is able to communicate with the Azure Disk Encryption service:
      C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.Security.AzureDiskEncryption.WindowsAzureDiskEncryption\1.2.0.0\
      Look for any errors or warnings in the logs.

    If you have checked all of the above and still cannot find the issue, you can try redeploying the Azure Disk Encryption extension on the VM.

    Hope this helps.
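The three checks from the answer above, gathered into one diagnostic script. This is an added example, not code from the poster or from Microsoft; it assumes the Az.Compute module is loaded, Connect-AzAccount has been run, and Run Command is permitted on the VM. The extension name `AzureDiskEncryption` and the log folder wildcard are assumptions derived from the answer's own commands and path.

```powershell
# Added diagnostic script; not code from the original post or from Microsoft.
# Assumes Az.Compute is loaded and Connect-AzAccount has already been run.
param(
    [Parameter(Mandatory)] [string]$ResourceGroupName,
    [Parameter(Mandatory)] [string]$VMName,
    # Assumed default name of the Windows ADE extension (as used in the answer above)
    [string]$ExtensionName = 'AzureDiskEncryption'
)

# Step 1: is an Azure Disk Encryption extension installed on the VM at all?
$installed = Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -ErrorAction Stop |
             Where-Object { $_.Publisher -eq 'Microsoft.Azure.Security' }
if (-not $installed) {
    Write-Warning "No Microsoft.Azure.Security extension found on $VMName; ADE is not installed."
    return
}
$installed | Select-Object Name, ExtensionType, TypeHandlerVersion, ProvisioningState | Format-Table

# Step 2: fetch the instance view (-Status). ProvisioningState comes from ARM, but
# Statuses/SubStatuses come from the guest agent; an empty set is the condition that
# Get-AzVMDiskEncryptionStatus reports as "Extension status not available on the VM".
$view = Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName `
            -Name $ExtensionName -Status -ErrorAction Stop
'ProvisioningState : {0}' -f $view.ProvisioningState
foreach ($s in $view.Statuses)    { 'Status    : {0} [{1}] {2}' -f $s.Code, $s.Level, $s.Message }
foreach ($s in $view.SubStatuses) { 'SubStatus : {0} [{1}] {2}' -f $s.Code, $s.Level, $s.Message }
if (-not $view.Statuses) {
    Write-Warning 'Guest agent returned no status for the extension; the VM is not reporting back to Azure.'
}

# Step 3: pull recent error/warning lines from the ADE extension logs via Run Command.
# Caveat: Run Command also relies on the guest agent, so if this call itself fails the
# agent (not just the ADE extension) cannot reach Azure from inside the VM.
$script = @'
$root = 'C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.Security.AzureDiskEncryption*'
Get-ChildItem -Path $root -Recurse -Filter *.log -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 3 |
    ForEach-Object {
        "==== $($_.FullName) ===="
        Select-String -Path $_.FullName -Pattern 'error|warn|fail' | Select-Object -Last 20 | ForEach-Object Line
    }
'@
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'ade-logs.ps1'
Set-Content -Path $tmp -Value $script -Encoding ASCII
$result = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroupName -VMName $VMName `
              -CommandId 'RunPowerShellScript' -ScriptPath $tmp
$result.Value | ForEach-Object { $_.Message }   # Value[0] is stdout, Value[1] is stderr
Remove-Item $tmp -ErrorAction SilentlyContinue
```

Run it as `.\Check-AdeStatus.ps1 -ResourceGroupName <rg> -VMName <vm>`; if Step 2 prints no Statuses and Step 3 errors out, the guest agent itself is the part that cannot talk to Azure, which is the case to rule out before redeploying the extension.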