When I try restarting the VM, I am getting Key Vault "xxxxxx" does not exist.

Ishmael Omolo 0 Reputation points
2025-10-25T16:55:45.65+00:00

I found my VM stopped, and this is affecting everything for us right now. When I try restarting the VM, I am getting a failed error message that says "Key Vault "vault name" does not exist." Any response on how to fix the issue is highly appreciated.

Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.

2 answers

  1. Azizkhon Ishankhonov 930 Reputation points
    2025-10-25T17:51:52.3966667+00:00

    This usually happens when:

    1. The Key Vault used for disk encryption (Azure Disk Encryption or Customer-Managed Keys for Managed Disks) was:
       • Deleted,
       • Moved to another subscription, or
       • Access revoked (permissions, managed identity, etc.).
    2. The VM depends on that vault to decrypt its OS or data disk — and without it, the VM cannot boot.

    Step-by-Step Fix

    Step 1 — Check whether the Key Vault really exists

    Run this in Azure Cloud Shell (or PowerShell locally with Az module):

    az keyvault show --name <vault-name> --resource-group <resource-group>
    

    If it returns details → the vault exists. If it says “not found” → the vault has been deleted or is in a different subscription/region.


    Step 2 — If the vault was deleted recently

    If the vault was soft-deleted, you can restore it:

    az keyvault recover --name <vault-name>
    

    Then verify:

    az keyvault show --name <vault-name>
    

    Step 3 — Check VM Disk Encryption Settings

    Find out if your VM is using Azure Disk Encryption (ADE):

    az vm show --name <vm-name> --resource-group <resource-group> --query "storageProfile.osDisk.encryptionSettings"
    

    If this shows encryption settings with a key URL pointing to the missing vault — that’s the cause.


    Step 4 — Restore access permissions

    If the Key Vault exists but the VM can’t access it:

    1. Go to Azure Portal → Key Vault → Access policies
    2. Ensure the VM’s Managed Identity or the Disk Encryption Set principal is listed.
      • Permissions required:
        • Get, Wrap Key, Unwrap Key, Get Secret
    3. Save the changes.

    You can also grant access with CLI:

    az keyvault set-policy \
      --name <vault-name> \
      --object-id <vm-managed-identity-id> \
      --key-permissions get wrapKey unwrapKey \
      --secret-permissions get
    

    Step 5 — Try to Start the VM Again

    Once Key Vault and permissions are restored:

    az vm start --name <vm-name> --resource-group <resource-group>
    

    Step 6 — If the Key Vault cannot be recovered

    If the Key Vault is permanently deleted and encryption keys are lost:

    • Unfortunately, the encrypted disks cannot be decrypted — the data is unrecoverable without the original keys.
    • Your only option is to redeploy from a backup, snapshot, or image if available.

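Steps 1 to 3 and Step 6 above boil down to one question: which vault(s) does the VM's Azure Disk Encryption configuration actually point at, and is each one live, soft-deleted (recoverable), or gone? The following script is an added example, not code from the answer above or from Microsoft. It parses the JSON that `az vm show ... --query "storageProfile.osDisk.encryptionSettings"` prints, pulls the vault name out of both the BEK secret URL and the optional KEK key URL, cross-checks each against the `sourceVault.id`, and classifies every vault against the lists you would get from `az keyvault list` and `az keyvault list-deleted`. The vault names, resource ids and URLs in it are constructed placeholders; the `SAMPLE_ENCRYPTION_SETTINGS` document and the live/deleted inventories are assumptions standing in for real CLI output.

```python
"""Map a VM's ADE encryption settings to the Key Vault(s) it needs at boot and
say, per vault, whether it is present, soft-deleted (recoverable) or missing."""
import json
from urllib.parse import urlparse

# Constructed sample of what `az vm show ... --query "storageProfile.osDisk.encryptionSettings"`
# prints for an ADE-encrypted VM. Every name, id and URL here is a placeholder.
SAMPLE_ENCRYPTION_SETTINGS = json.dumps({
    "enabled": True,
    "diskEncryptionKey": {
        "secretUrl": "https://kv-prod-ade.vault.azure.net/secrets/A1B2C3D4/0000000000000000",
        "sourceVault": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/"
                              "resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod-ade"},
    },
    "keyEncryptionKey": {
        "keyUrl": "https://kv-prod-kek.vault.azure.net/keys/ade-kek/1111111111111111",
        "sourceVault": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/"
                              "resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod-kek"},
    },
})

# The two vault references ADE can carry, in the order the report should list them.
ROLES = (
    ("diskEncryptionKey", "secretUrl"),  # BEK (BitLocker / dm-crypt key) stored as a secret
    ("keyEncryptionKey", "keyUrl"),      # optional KEK that wraps the BEK
)


def vault_name_from_url(url):
    """First DNS label of the vault host, so it works for any cloud suffix."""
    host = urlparse(url).hostname or ""
    return host.split(".")[0]


def vault_name_from_resource_id(resource_id):
    """Segment after 'vaults' in an ARM resource id (segment match is case-insensitive)."""
    parts = resource_id.strip("/").split("/")
    for i, seg in enumerate(parts[:-1]):
        if seg.lower() == "vaults":
            return parts[i + 1]
    raise ValueError(f"not a Key Vault resource id: {resource_id}")


def vaults_referenced(settings_json):
    """Return {role: vault_name} for each vault the OS disk's ADE settings reference.

    az prints the literal text "null" when the OS disk carries no ADE settings; that
    yields {} here, meaning the vault error must come from somewhere else (a data
    disk, or a Disk Encryption Set) and this check alone will not explain it.
    """
    settings = json.loads(settings_json)
    if not settings or not settings.get("enabled", True):
        return {}
    found = {}
    for role, url_field in ROLES:
        ref = settings.get(role)
        if not ref:
            continue
        from_url = vault_name_from_url(ref[url_field])
        source_id = (ref.get("sourceVault") or {}).get("id")
        if source_id:
            from_id = vault_name_from_resource_id(source_id)
            if from_id.lower() != from_url.lower():  # inconsistent settings: stop and look
                raise ValueError(f"{role}: URL names {from_url!r} but sourceVault id names {from_id!r}")
        found[role] = from_url
    return found


def classify(vault, live_vaults, soft_deleted_vaults):
    """'present' / 'soft-deleted' / 'missing' against the two inventories (name match is case-insensitive)."""
    low = vault.lower()
    if low in (v.lower() for v in live_vaults):
        return "present"
    if low in (v.lower() for v in soft_deleted_vaults):
        return "soft-deleted"
    return "missing"


# Next command to run for each outcome; these are the steps from the answer above.
ACTIONS = {
    "present": "az keyvault show --name {v}   # vault exists: check the VM identity's access next (Step 4)",
    "soft-deleted": "az keyvault recover --name {v}   # recoverable while within the soft-delete retention period (Step 2)",
    "missing": "no CLI fix for {v}: not live and not soft-deleted; redeploy from backup, snapshot or image (Step 6)",
}


def diagnose(settings_json, live_vaults, soft_deleted_vaults):
    """One row per referenced vault: role, name, status and the command to run next."""
    report = []
    for role, vault in vaults_referenced(settings_json).items():
        status = classify(vault, live_vaults, soft_deleted_vaults)
        report.append({"role": role, "vault": vault, "status": status,
                       "action": ACTIONS[status].format(v=vault)})
    return report


if __name__ == "__main__":
    # Constructed inventories standing in for `az keyvault list --query "[].name" -o json`
    # and `az keyvault list-deleted --query "[].name" -o json`.
    live, deleted = ["kv-prod-ade"], ["kv-prod-kek"]
    for row in diagnose(SAMPLE_ENCRYPTION_SETTINGS, live, deleted):
        print(f"{row['role']:<18} {row['vault']:<14} {row['status']:<13} {row['action']}")
```

In real use, replace the three constructed inputs with the output of the three `az` commands named in the comments; the KEK is checked separately because a VM whose BEK vault is fine can still fail to boot when only the wrapping-key vault is gone, and a mismatch between the key URL and `sourceVault.id` is raised as an error rather than silently trusting one of them.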

  2. Nikhil Duserla 9,275 Reputation points Microsoft External Staff Moderator
    2025-10-31T14:37:38.5566667+00:00

    Hello @Ishmael Omolo ,

    A Windows VM doesn't start. When you check the screenshots in the Boot diagnostics window, you see one of the following error messages:

    • Plug in the USB driver that has the BitLocker key
    • You’re locked out! Enter the recovery key to get going again (Keyboard Layout: US) The wrong sign-in info has been entered too many times, so your PC was locked to protect your privacy. To retrieve the recovery key, go to https://windows.microsoft.com/recoverykeyfaq from another PC or mobile device. In case you need it, the key ID is XXXXXXX. Or, you can reset your PC.
    • Enter the password to unlock this drive [ ] Press the Insert Key to see the password as you type.
    • Enter your recovery key Load your recovery key from a USB device.

    To resolve this problem, stop and deallocate the VM, and then start it. This operation forces the VM to retrieve the BEK file from the Azure Key Vault, and then put it on the encrypted disk.

    If this method does not resolve the problem, follow these steps to restore the BEK file manually: https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/windows/troubleshoot-bitlocker-boot-error?source=recommendations#decrypt-the-encrypted-os-disk

    If you have any further queries, do let us know.

