Azure Disk Encryption Extension Fails

Question

Hi,

I am having issues with ADE extension on our Azure VMs. After the installation of the extension, everything looks good, disks are encrypted etc. But during the backup operations, using Azure Backup, ADE extension starts throwing error message. Disks are still encrypted but the status of the extension is "Provisioning failed". Here is the error message:

Set-AzVMDiskEncryptionExtension : Long running operation failed with status 'Failed'. Additional Info:'VM has reported a failure when processing extension

'AzureDiskEncryption'. Error message: "[2.2.0.39] Failed to configure bitlocker as expected. Exception: ProtectKeyWithExternalKey failed with 2147942450, InnerException: ,
stack trace: at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerWmi.Win32EncryptableVolumeWrap.ProtectKeyWithExternalkey() in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerWMI\Win32EncryptableVolumeWrap.cs:line 205
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerWmi.Win32EncryptableVolumeWrap.GenerateBitlockerKey(Boolean backupKeyToAD) in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerWMI\Win32EncryptableVolumeWrap.cs:line 473
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.GenerateProtectorForVolume(EncryptableVolume vol) in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 158
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.GenerateAndUploadProtectors() in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 918
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.EnableEncryption() in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1411
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.HandleEncryptionOperations() in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1701
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.OnEnable() in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1797"
More information on troubleshooting is available at https://aka.ms/VMExtensionADEWindowsTroubleshoot '
ErrorCode: VMExtensionProvisioningError
ErrorMessage: VM has reported a failure when processing extension 'AzureDiskEncryption'. Error message: "[2.2.0.39] Failed to configure bitlocker as expected. Exception:
ProtectKeyWithExternalKey failed with 2147942450, InnerException: , stack trace: at
Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerWmi.Win32EncryptableVolumeWrap.ProtectKeyWithExternalkey() in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerWMI\Win32EncryptableVolumeWrap.cs:line 205
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerWmi.Win32EncryptableVolumeWrap.GenerateBitlockerKey(Boolean backupKeyToAD) in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerWMI\Win32EncryptableVolumeWrap.cs:line 473
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.GenerateProtectorForVolume(EncryptableVolume vol) in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 158
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.GenerateAndUploadProtectors() in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 918
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.EnableEncryption() in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1411
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.HandleEncryptionOperations() in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1701
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.OnEnable() in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1797"
More information on troubleshooting is available at https://aka.ms/VMExtensionADEWindowsTroubleshoot
ErrorTarget:
StartTime: 9/27/2021 8:12:29 PM
EndTime: 9/27/2021 8:13:26 PM
OperationID: 1deb99a1-7728-40ef-8acd-9d48a0549ab8
Status: Failed
At line:71 char:11

• $action = Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMN ...
• ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
• CategoryInfo : CloseError: (:) [Set-AzVMDiskEncryptionExtension], ComputeCloudException
• FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.Extension.AzureDiskEncryption.SetAzureDiskEncryptionExtensionCommand

Can you please help on this?

Answer 1

@Ayhan Güler Thank you for your query!!!

As mentioned here and many issues reported with the same error can you please check below:

• Go to your keyvault -> Access Policies
• Make sure these check boxes are checked

Also this error is likely to occur when access to Key Vault from within the VM is restricted by firewall settings, some troubleshooting tips on this scenario are available here:

https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-troubleshooting

Can you please check and let me know if it worked for you or not?

Hope it helps!!!

Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.