Enabling Azure Disk Encryption after Azure Migrate

Thomas Pike 1 Reputation point
2020-07-20T10:16:30.503+00:00

I have recently migrated a virtual machine from on-premises and am trying to enable Azure Disk Encryption, which fails. The error we get in 'BitLockerExtension.log' is:

2020-07-20T07:18:11.3357689Z [Info]: InitializeMachineVolumes: Encryptable OS volume not found. System volume is not split from OS volume.
2020-07-20T07:18:11.3357689Z [Info]: BitlockerOperations::InitializeMachineVolumes End
2020-07-20T07:18:11.3357689Z [Info]: BitlockerExtension::EnableEncryption Start
2020-07-20T07:18:11.3513935Z [Error]: EnableEncryption: Encryptable OS volume not found
2020-07-20T07:18:11.3670213Z [Fatal]: BitlockerExtension::OnEnable hit exception Encryptable OS volume not found

How do we resolve this so we can enable ADE?

Azure Disk Encryption
An Azure service for virtual machines (VMs) that helps address organizational security and compliance requirements by encrypting the VM boot and data disks with keys and policies that are controlled in Azure Key Vault.

4 answers

  1. Sandeep Singh 1 Reputation point
    2020-07-20T10:24:28.037+00:00

    To disable Azure Disk Encryption with PowerShell, use Disable-AzVMDiskEncryption followed by Remove-AzVMDiskEncryptionExtension. Running Remove-AzVMDiskEncryptionExtension before the encryption is disabled will fail. To disable Azure Disk Encryption with CLI, use az vm encryption disable.


  2. deherman-MSFT 34,196 Reputation points Microsoft Employee
    2020-07-20T17:02:28.953+00:00

    @Thomas Pike Can you confirm which OS and version you are using? Please confirm your disk is formatted as NTFS and not FAT32. If so you will need to reformat the disk for encryption to work. For more troubleshooting information please see our documentation.
    https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-troubleshooting

    Hopefully this information helps to resolve your issues. If not please let us know and we will be happy to take a deeper look.

    ------------------

    Please do not forget to "Accept the answer" and Upvote on the post that helps you, this can be beneficial to other community members.


  3. JamesTran-MSFT 36,491 Reputation points Microsoft Employee
    2020-07-21T17:49:33.383+00:00

    @Thomas Pike
    Based off your error message it looks like your OS volume isn't split for ADE. To encrypt drives and to verify boot integrity, BitLocker requires at least two partitions. These two partitions make up a split-load configuration. A split-load configuration separates the main operating system partition from the active system partition from which the computer starts.

    Next Steps:
    - You'll need to make sure your system meets the requirements to be split.
    - Confirm you have a backup of your data and you can try to manually split your partition.

    On an elevated CMD run:
    Run: %WinDir%\System32\BdeHdCfg.exe -target default -quiet
    If you don't have enough room on your OS for it to split using the default size, you can try running:
    BdeHdCfg.exe -target default -size 550 -quiet

    If this works, please re-run the sequence version encryption script, using the correct BEK/KEK script.

    If you still aren't able to split your OS volume please let us know.
    Thank you for your time!
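The two prerequisites this answer and the previous one describe (a system partition split from the OS volume, and NTFS rather than FAT32 on the volumes to be encrypted) can be checked inside the VM before the ADE enable sequence is run, which avoids a failed extension run and the log above. The following read-only pre-flight script is an added example written for this thread; it is not code from the question, from the answers, or from Microsoft's documentation. It assumes the Storage module cmdlets (Get-Disk, Get-Partition, Get-Volume) are available, as they are on Windows Server 2012 and later, and the 550 MB threshold is a constructed value taken from the -size argument suggested above. Run it from an elevated PowerShell session on the migrated VM.

```powershell
# Added example, not from the thread: pre-flight check for the Azure Disk
# Encryption prerequisites discussed above. Read-only; nothing is changed.
#   1. The OS disk must have a separate system partition (split-load layout).
#   2. Fixed volumes with a drive letter must be NTFS; ADE cannot encrypt FAT32.

function Test-AdePrerequisites {
    [CmdletBinding()]
    param(
        # Smallest system partition size to accept, in MB. 550 is the value the
        # answer above passes to BdeHdCfg.exe -size; it is a constructed threshold.
        [int]$MinSystemPartitionMB = 550
    )

    $findings = New-Object System.Collections.Generic.List[string]
    $ok = $true

    # The partition flagged IsBoot holds Windows. On a correctly split disk a
    # different partition on the same disk is flagged IsSystem: the active
    # "System Reserved" partition on MBR disks, the EFI System Partition on GPT.
    $osPartition = Get-Partition | Where-Object { $_.IsBoot } | Select-Object -First 1
    if (-not $osPartition) {
        return [pscustomobject]@{ Ready = $false; Findings = @('No boot partition found; cannot evaluate.') }
    }
    $osDisk = Get-Disk -Number $osPartition.DiskNumber
    $systemPartition = Get-Partition -DiskNumber $osPartition.DiskNumber |
        Where-Object { $_.IsSystem -and $_.PartitionNumber -ne $osPartition.PartitionNumber } |
        Select-Object -First 1

    if (-not $systemPartition) {
        $ok = $false
        $findings.Add("Disk $($osDisk.Number) ($($osDisk.PartitionStyle)): system volume is not split from the OS volume. " +
                      "This layout produces 'Encryptable OS volume not found'. " +
                      "After taking a backup, BdeHdCfg.exe -target default -quiet creates the system partition.")
    } else {
        $sysMB = [math]::Round($systemPartition.Size / 1MB)
        if ($sysMB -lt $MinSystemPartitionMB) {
            $ok = $false
            $findings.Add("System partition on disk $($osDisk.Number) is ${sysMB} MB, below the ${MinSystemPartitionMB} MB threshold.")
        } else {
            $findings.Add("System partition present: disk $($osDisk.Number) partition $($systemPartition.PartitionNumber), ${sysMB} MB.")
        }
    }

    # Filesystem check: BitLocker, and therefore ADE, needs NTFS on the volumes
    # it encrypts. Only fixed volumes with a drive letter are candidates, so the
    # (legitimately FAT32) EFI System Partition on GPT disks is not flagged.
    $volumes = Get-Volume | Where-Object { $_.DriveLetter -and $_.DriveType -eq 'Fixed' }
    foreach ($v in $volumes) {
        if ($v.FileSystem -ne 'NTFS') {
            $ok = $false
            $findings.Add("Volume $($v.DriveLetter): is $($v.FileSystem); ADE cannot encrypt it. " +
                          "Reformat to NTFS only after a backup and a VM snapshot, as reformatting destroys the data.")
        } else {
            $findings.Add("Volume $($v.DriveLetter): is NTFS.")
        }
    }

    [pscustomobject]@{ Ready = $ok; Findings = $findings.ToArray() }
}

# Usage: run as Administrator, review every finding, then decide whether to
# run the ADE enable sequence or first split / reformat as the thread describes.
$result = Test-AdePrerequisites
$result.Findings | ForEach-Object { Write-Output $_ }
if ($result.Ready) { Write-Output 'ADE prerequisites look satisfied.' }
else { Write-Output 'Resolve the findings above before enabling Azure Disk Encryption.' }
```

The check reports rather than repairs: splitting the partition with BdeHdCfg.exe and reformatting a FAT32 volume are both destructive enough that the backup and snapshot steps the answers insist on should happen first, and a snapshot-based test VM is the safe place to rehearse them.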


  4. JamesTran-MSFT 36,491 Reputation points Microsoft Employee
    2020-07-23T16:55:10.673+00:00

    @ThomasPike-6064
    Thank you for your response! Since your system partition is formatted in FAT32, it currently isn't supported for ADE.

    Recommended steps IF you want to continue using ADE:
    - Back up your data
    - Look to see if you can/want to reformat your drive to NTFS. (This might delete your data since you're reformatting)
    - Create a snapshot of your VM, deploy a new test VM, from this new VM, you can then test out the reformatting process if you're hesitant about this.
    - Try encrypting this newly formatted drive using the sequence version script.

    Once testing is complete; if you decide to reformat your production drive to NTFS (after backing up your data and creating another snapshot), you can then run the sequence version script to enable ADE (if this fails let us know).

    If you don't want to reformat your drive, you can leverage Storage Service Encryption with Customer Managed Keys (SSE+CMK). This feature lets you manage encryption at the level of each managed disk, with your own keys. However, please review the Restrictions before making a decision to use this feature.

    - The main difference between ADE and SSE+CMK is the encryption type used. ADE encrypts your disks at the OS level by leveraging BitLocker. SSE+CMK encrypts your managed disks by using Envelope Encryption.

    Please let me know if you have any other questions.
    Thank you again for your time and patience!