Azure Disk Encryption troubleshooting guide
Applies to: ✔️ Windows VMs ✔️ Flexible scale sets
This guide is for IT professionals, information security analysts, and cloud administrators whose organizations use Azure Disk Encryption. This article is to help with troubleshooting disk-encryption-related problems.
Before taking any of these steps, first ensure that the VMs you're attempting to encrypt are among the supported VM sizes and operating systems, and that you've met all the prerequisites:
Troubleshooting 'Failed to send DiskEncryptionData'
When encrypting a VM fails with the error message "Failed to send DiskEncryptionData...", it's usually caused by one of the following situations:
- Having the Key Vault existing in a different region and/or subscription than the Virtual Machine
- Advanced access policies in the Key Vault are not set to allow Azure Disk Encryption
- Key Encryption Key, when in use, has been disabled or deleted in the Key Vault
- Typo in the Resource ID or URL for the Key Vault or Key Encryption Key (KEK)
- Special characters used while naming the VM, data disks, or keys. i.e _VMName, élite, etc.
- Unsupported encryption scenarios
- Network issues that prevent the VM/Host from accessing the required resources
Suggestions
- Make sure the Key Vault exists in the same region and subscription as the Virtual Machine
- Ensure that you have set key vault advanced access policies properly
- If you are using KEK, ensure the key exists and is enabled in Key Vault
- Check VM name, data disks, and keys follow key vault resource naming restrictions
- Check for any typos in the Key Vault name or KEK name in your PowerShell or CLI command
Note
The syntax for the value of disk-encryption-keyvault parameter is the full identifier string:
/subscriptions/[subscription-id-guid]/resourceGroups/[resource-group-name]/providers/Microsoft.KeyVault/vaults/[keyvault-name]
The syntax for the value of the key-encryption-key parameter is the full URI to the KEK as in:
https://[keyvault-name].vault.azure.net/keys/[kekname]/[kek-unique-id]
- Ensure you are not violating any restrictions
- Ensure you are meeting network requirements and try again
Troubleshooting Azure Disk Encryption behind a firewall
When connectivity is restricted by a firewall, proxy requirement, or network security group (NSG) settings, the ability of the extension to perform needed tasks might be disrupted. This disruption can result in status messages such as "Extension status not available on the VM." In expected scenarios, the encryption fails to finish. The sections that follow have some common firewall problems that you might investigate.
Network security groups
Any network security group settings that are applied must still allow the endpoint to meet the documented network configuration prerequisites for disk encryption.
Azure Key Vault behind a firewall
When encryption is being enabled with Microsoft Entra credentials, the target VM must allow connectivity to both Microsoft Entra endpoints and Key Vault endpoints. Current Microsoft Entra authentication endpoints are maintained in sections 56 and 59 of the Microsoft 365 URLs and IP address ranges documentation. Key Vault instructions are provided in the documentation on how to Access Azure Key Vault behind a firewall.
Azure Instance Metadata Service
The VM must be able to access the Azure Instance Metadata service endpoint (169.254.169.254) and the virtual public IP address (168.63.129.16) used for communication with Azure platform resources. Proxy configurations that alter local HTTP traffic to these addresses (for example, adding an X-Forwarded-For header) are not supported.
Troubleshooting Windows Server 2016 Server Core
On Windows Server 2016 Server Core, the bdehdcfg component isn't available by default. This component is required by Azure Disk Encryption. It's used to split the system volume from OS volume, which is done only once for the life time of the VM. These binaries aren't required during later encryption operations.
To work around this issue, copy the following four files from a Windows Server 2016 Data Center VM to the same location on Server Core:
\windows\system32\bdehdcfg.exe
\windows\system32\bdehdcfglib.dll
\windows\system32\en-US\bdehdcfglib.dll.mui
\windows\system32\en-US\bdehdcfg.exe.mui
Enter the following command:
bdehdcfg.exe -target defaultThis command creates a 550-MB system partition. Reboot the system.
Use DiskPart to check the volumes, and then proceed.
For example:
DISKPART> list vol
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
Volume 0 C NTFS Partition 126 GB Healthy Boot
Volume 1 NTFS Partition 550 MB Healthy System
Volume 2 D Temporary S NTFS Partition 13 GB Healthy Pagefile
Troubleshooting encryption status
The portal may display a disk as encrypted even after it has been unencrypted within the VM. This situation can occur when low-level commands are used to directly unencrypt the disk from within the VM, instead of using the higher level Azure Disk Encryption management commands. The higher level commands not only unencrypt the disk from within the VM, but outside of the VM they also update important platform level encryption settings and extension settings associated with the VM. If these are not kept in alignment, the platform will not be able to report encryption status or provision the VM properly.
To disable Azure Disk Encryption with PowerShell, use Disable-AzVMDiskEncryption followed by Remove-AzVMDiskEncryptionExtension. Running Remove-AzVMDiskEncryptionExtension before the encryption is disabled will fail.
To disable Azure Disk Encryption with CLI, use az vm encryption disable.
Next steps
In this document, you learned more about some common problems in Azure Disk Encryption and how to troubleshoot those problems. For more information about this service and its capabilities, see the following articles: