I stopped the lone VM, disabled Encrypt at Host, and the AMA extension was able to be added and attached to DCR.
VM Disc Encrypt at Host Prevents Azure Monitor Agent Migration
This week we have ran in to an issue when trying to Migrate Azure Log Analytics Agents on VMs over to Azure Monitor Agent. VMs with discs using Encrypt at Host cannot be joined to a Data Collection Rules because the AMA cannot be installed. I cannot find this addressed in azure documentation BTW, it was discovered in error logs. This is one of those moments where I am totally unsure of a solution. I cannot just go trying different encryption methods until finding something that works. It's probably best to poll the community to see how others have handled this. Any links to resources in this scenario are coveted. Thank you,