Issues when installing Azure monitor extension - FailedToDecryptProtectedSettings

Jakub Petrovic 36 Reputation points
2020-06-22T12:04:57.79+00:00

Hi,

I have an issue with installing the Azure Monitor VM extension. To be more specific, I need the extension to carry out OS updates via functions/update management. The update management has been working fine for the past 5 months, but I can't add new VMs because of the agent installation issues.

The error says: "VM has reported a failure when processing extension 'MicrosoftMonitoringAgent'. Error message: \"Failed to apply configuration to Microsoft Monitoring Agent due to FailedToDecryptProtectedSettings.\"\r\n\r\nMore information on troubleshooting is available at https://aka.ms/VMExtensionMMAWindowsTroubleshoot"

Went through the agent logs on the target VM and found the following: Failed to enable Microsoft Monitoring Agent extension, code: FailedToDecryptProtectedSettings, message: Cannot find the cert to decrypt protected extension settings.

I looked through the certificates on VMs and found that machines where the agent installation succeeded have the following certificate "Windows Azure CRP certificate Generator", friendly name "TenantEncryptionCert", and those where installation fails don't have this one. My question is how do I get the extension to install? Where do I get this Azure CRP certificate?

Thanks.
J

Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.

Accepted answer
  1. Fabrice 116 Reputation points
    2020-06-26T12:56:29.103+00:00

    Good news: I have the solution to the problem. It is really weird but this solved my problem:

    Check the Local Computer certificate store to see if the “Windows Azure CRP Certificate Generator” certificate is there. If it is then delete it.
    Use the mmc.exe console / add Certificates snap-in / Computer Account / Local Computer - then browse the Personal store.

    · Add an empty data disk to trigger a new Goal State to the tenant. It doesn’t need to be formatted.
    · Retry the extension operation
    · Detach the Data Disk

    The problem is with the “Windows Azure CRP Certificate Generator” certificate which may be missing so some steps to force a new one to be downloaded can be taken to recover the situation.
    More details on how the secure settings on a VM Extension are handled can be found here https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/features-windows#secure-vm-extension-data

    2 people found this answer helpful.
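
A check for the certificate the accepted answer refers to, as an added PowerShell example that is not part of the original answer or of Microsoft's tooling. It assumes an elevated session on the affected VM with the code saved as a `.ps1` script; the parameter names and the opt-in `-Remove` switch are hypothetical, and the subject text is the one quoted in the thread.

```powershell
# Added example: inspect the Local Computer "Personal" store (Cert:\LocalMachine\My)
# for the CRP certificate and report the properties that matter for decryption.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Subject text as quoted in the thread; matched as a substring of Subject.
    [string]$SubjectText = 'Windows Azure CRP Certificate Generator',
    # Assumption: hypothetical opt-in switch that deletes the matches,
    # i.e. the first step of the accepted answer. Off by default.
    [switch]$Remove
)

$certs = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectText*" })

if ($certs.Count -eq 0) {
    # Matches the state the question describes on the failing VMs.
    Write-Output "No certificate with '$SubjectText' in its subject found in LocalMachine\My."
    return
}

$now = Get-Date
foreach ($c in $certs) {
    # A certificate that is present but expired, or that has no private key,
    # cannot be used for decryption any more than a missing one can.
    [pscustomobject]@{
        Thumbprint    = $c.Thumbprint
        FriendlyName  = $c.FriendlyName
        NotBefore     = $c.NotBefore
        NotAfter      = $c.NotAfter
        Expired       = ($c.NotAfter -lt $now)
        HasPrivateKey = $c.HasPrivateKey
    }

    # Deletion only happens with -Remove; -WhatIf and -Confirm are honoured.
    if ($Remove -and $PSCmdlet.ShouldProcess($c.Thumbprint, 'Delete certificate')) {
        Remove-Item -Path $c.PSPath
    }
}
```

Running it without `-Remove` on a working VM and on a failing VM gives a side-by-side comparison of the two states described in the question.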

1 additional answer

  1. Fabrice 116 Reputation points
    2020-06-23T09:26:45.907+00:00

    Hello Jakub,

    You can try to install the agent manually; this works for me.
    https://learn.microsoft.com/en-us/services-hub/health/mma-setup

    Best greetings
    Fabrice

    1 person found this answer helpful.