AyhanGler-2865 asked

Azure Disk Encryption Extension Fails

Hi,

I am having issues with the ADE extension on our Azure VMs. After the installation of the extension, everything looks good, disks are encrypted, etc. But during backup operations using Azure Backup, the ADE extension starts throwing an error message. Disks are still encrypted but the status of the extension is "Provisioning failed". Here is the error message:

Set-AzVMDiskEncryptionExtension : Long running operation failed with status 'Failed'. Additional Info:'VM has reported a failure when processing extension

'AzureDiskEncryption'. Error message: "[2.2.0.39] Failed to configure bitlocker as expected. Exception: ProtectKeyWithExternalKey failed with 2147942450, InnerException: ,
stack trace: at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerWmi.Win32EncryptableVolumeWrap.ProtectKeyWithExternalkey() in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerWMI\Win32EncryptableVolumeWrap.cs:line 205
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerWmi.Win32EncryptableVolumeWrap.GenerateBitlockerKey(Boolean backupKeyToAD) in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerWMI\Win32EncryptableVolumeWrap.cs:line 473
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.GenerateProtectorForVolume(EncryptableVolume vol) in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 158
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.GenerateAndUploadProtectors() in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 918
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.EnableEncryption() in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1411
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.HandleEncryptionOperations() in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1701
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.OnEnable() in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1797"
More information on troubleshooting is available at https://aka.ms/VMExtensionADEWindowsTroubleshoot '
ErrorCode: VMExtensionProvisioningError
ErrorMessage: VM has reported a failure when processing extension 'AzureDiskEncryption'. Error message: "[2.2.0.39] Failed to configure bitlocker as expected. Exception:
ProtectKeyWithExternalKey failed with 2147942450, InnerException: , stack trace: at
Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerWmi.Win32EncryptableVolumeWrap.ProtectKeyWithExternalkey() in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerWMI\Win32EncryptableVolumeWrap.cs:line 205
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerWmi.Win32EncryptableVolumeWrap.GenerateBitlockerKey(Boolean backupKeyToAD) in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerWMI\Win32EncryptableVolumeWrap.cs:line 473
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.GenerateProtectorForVolume(EncryptableVolume vol) in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 158
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.GenerateAndUploadProtectors() in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 918
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.EnableEncryption() in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1411
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.HandleEncryptionOperations() in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1701
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.OnEnable() in
X:\bt\1205850\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1797"
More information on troubleshooting is available at https://aka.ms/VMExtensionADEWindowsTroubleshoot
ErrorTarget:
StartTime: 9/27/2021 8:12:29 PM
EndTime: 9/27/2021 8:13:26 PM
OperationID: 1deb99a1-7728-40ef-8acd-9d48a0549ab8
Status: Failed
At line:71 char:11
+ $action = Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMN ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Set-AzVMDiskEncryptionExtension], ComputeCloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.Extension.AzureDiskEncryption.SetAzureDiskEncryptionExtensionCommand


Can you please help on this?

1 Answer

prmanhas-MSFT answered

@AyhanGler-2865 Thank you for your query!!!

As mentioned here, and in many issues reported with the same error, can you please check the following:

  • Go to your keyvault -> Access Policies

  • Make sure these check boxes are checked

[Image: 135847-image.png]

Also, this error is likely to occur when access to Key Vault from within the VM is restricted by firewall settings. Some troubleshooting tips on this scenario are available here:

https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-troubleshooting

Can you please check and let me know if it worked for you or not?

Hope it helps!!!

Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.
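
The checks suggested in the answer above, plus a decode of the numeric error from the question, as an added PowerShell example that is not part of the original thread or Microsoft's code. The function names and the `<vault-name>` / `<resource-group>` placeholders are assumptions; the screenshot of the access-policy check boxes is not available, so the example reports the vault's `EnabledForDiskEncryption` flag and firewall rules as returned by `Get-AzKeyVault`.

```powershell
# Added triage example. Names marked "hypothetical" are not from the original thread.

# Split an HRESULT such as the 2147942450 in the error text into its fields.
function ConvertFrom-HResult {                       # hypothetical helper name
    param([Parameter(Mandatory)][int64]$Value)
    $facility = ($Value -shr 16) -band 0x7FF          # 11-bit facility field
    $code     = $Value -band 0xFFFF                   # low 16 bits: error code
    [pscustomobject]@{
        Hex      = '0x{0:X8}' -f $Value
        Facility = $facility
        Code     = $code
        # Facility 7 (FACILITY_WIN32) wraps a Win32 error that Windows can describe.
        Message  = if ($facility -eq 7) {
                       [ComponentModel.Win32Exception]::new([int]$code).Message
                   }
    }
}

# Report the vault settings the answer asks about (run where Az.KeyVault is signed in).
function Get-AdeVaultReadiness {                     # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$ResourceGroupName
    )
    $vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
    if (-not $vault) { throw "Key vault '$VaultName' not found in '$ResourceGroupName'." }
    [pscustomobject]@{
        VaultUri                 = $vault.VaultUri
        EnabledForDiskEncryption = $vault.EnabledForDiskEncryption
        FirewallDefaultAction    = $vault.NetworkAcls.DefaultAction
        FirewallBypass           = $vault.NetworkAcls.Bypass
        AllowedIpRanges          = @($vault.NetworkAcls.IpAddressRanges) -join ', '
        AllowedSubnets           = @($vault.NetworkAcls.VirtualNetworkResourceIds) -join ', '
    }
}

# Run inside the VM: can it open TCP port 443 on the vault endpoint?
function Test-AdeVaultReachability {                 # hypothetical helper name
    param([Parameter(Mandatory)][uri]$VaultUri)
    (Test-NetConnection -ComputerName $VaultUri.Host -Port 443).TcpTestSucceeded
}

ConvertFrom-HResult -Value 2147942450
# Get-AdeVaultReadiness -VaultName '<vault-name>' -ResourceGroupName '<resource-group>'
# Test-AdeVaultReachability -VaultUri 'https://<vault-name>.vault.azure.net/'
```

The value 2147942450 is 0x80070032: facility 7 (Win32) with code 50, which Windows defines as ERROR_NOT_SUPPORTED.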





Hi @prmanhas-MSFT

I re-checked the troubleshooting doc and also other similar errors but no luck. To make it more clear, we are using Server 2019 core with Storage Pools. I can only encrypt the disks using the following path:

  • Deploy the server and do not create the storage pool, only add raw disks to VM.

  • Run encryption on both OS and Data drives with keyvault and KEK.

  • Create storage pool and volume

  • Re-run the same encryption script using the same KEK and keyvault.

Any other scenario throws the error message I shared above.

Any ideas?


