Not able to set ADE on data disk for SQL VM.

RSaw-Knack 41 Reputation points
2020-08-03T14:36:27.377+00:00
  • Problem statement:
    We had a request to create a Standard B4ms SQL VM with two Standard SSDs to store DB logs. While creating the VM we were not able to attach Standard SSDs of 512 GB, so we followed the steps below.
  • Measures taken:
    Setting up E20 - Standard SSD - which is a 512 GB disk.
    But it allowed selecting only Premium SSD or Ultra Disk, so we went ahead and set up the VM with a Premium SSD and kept the disk size below 512 GB. Later, when the VM was ready, we shut the VM down and converted the existing disk from Premium SSD to Standard SSD. (Point to note here: you can only upgrade the disk size. If your disk is Premium 512 GB, you can't change it to Standard SSD 512 GB, but you can convert from Premium 256 GB to Standard SSD 512 GB, i.e. upgrading the disk size.)
  • Issue observed:
    Later, while setting up Azure Disk Encryption on the VM, we selected the OS and data disks, which completed successfully without an error, but the disk options were not showing ADE: for the OS disk it showed SSE with PMK & ADE, whereas for the data disks it only showed SSE with PMK. Further, in Security Center it displays disk encryption as pending.

We have also tried to encrypt the data disks using the CLI. It created the key, but the issue still persists. The commands used to encrypt the data disks:

az vm encryption show --name myvmname --resource-group myresgroup
# this command showed that both data disks were not encrypted, so we used:

az vm encryption enable --resource-group "myresgroup" --name "myvmname" --disk-encryption-keyvault "mykeyvault" --volume-type DATA

Using the above command we were not able to set ADE; the issue persists.

Was the issue due to the steps we used while creating the VM? If yes, then how can we resolve this? Also, are there any restrictions on ADE?

Looking for guidance.

Thanks & Regards

Tags: SQL Server on Azure Virtual Machines, Azure Virtual Machines, Azure Disk Encryption

Accepted answer
  1. JamesTran-MSFT 36,491 Reputation points Microsoft Employee
    2020-08-10T16:53:15.113+00:00

    @RSaw-Knack
    Is your data disk in a Storage Pool? If so, you'll have to put your disk into maintenance mode, re-run the sequence version encryption script, and take your disk off maintenance mode.

    If you're still having issues encrypting your SQL VM, we can look into your logs if you'd like to send the information below.

    Email: AzCommunity@microsoft.com
    Subject: ATTN Derek & James - ADE
    Body:
    -Link to this thread.
    -Subscription ID
    -Screenshot of your disk management

    Attach the following logs as a zip file:
    C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.Security.AzureDiskEncryption\BitLockerExtension.txt
    C:\Packages\Plugins\Microsoft.Azure.Security.AzureDiskEncryption\RuntimeSettings
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-BitLocker%4BitLocker Management.evtx
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-BitLocker-DrivePreparationTool%4Operational.evtx

    If you have any other questions just let us know!
    Thank you for your time and patience.


1 additional answer
  1. deherman-MSFT 34,201 Reputation points Microsoft Employee
    2020-08-03T18:42:08.137+00:00

    @RSaw-Knack Sorry to hear you are having issues here. I don't see how the above steps would affect the ability to encrypt your disks. Please try the following and see if it resolves your issue.

    1. Make sure your data disk is attached to your VM and initialized.
    2. If your disk is already attached and initialized, make sure it's online and formatted as NTFS.
    3. Once all the above is true, please re-run the encryption script using the "sequence version" variable. Keep in mind, if you used a KEK to encrypt, you'll be using the KEK encryption script. All variables remain the same as when you initially encrypted.

    Hope this helps!

    ----------------

    Please don’t forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

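The procedure in the answer above (check that the data disks are initialized, online and NTFS, then re-run ADE with a new sequence version), written out as an added PowerShell example. This is not code from the thread or from Microsoft's documentation scripts; it uses the Az module cmdlets directly instead of the "encryption script" the answer refers to. It assumes a Windows SQL VM, an Az PowerShell session already logged in with rights on the VM and the Key Vault, and placeholder names (myresgroup, myvmname, mykeyvault) taken from the question. The guest-side check is pushed into the VM with Run Command so the whole thing runs from the admin workstation.

```powershell
# Added example: prepare data disks and re-run Azure Disk Encryption on the
# data volumes of a Windows VM. Names are placeholders from the question.
param(
    [string]$ResourceGroup = 'myresgroup',
    [string]$VMName        = 'myvmname',
    [string]$KeyVaultName  = 'mykeyvault',
    [string]$KekName       = ''   # leave empty if no key-encryption key was used
)

# --- 1. Guest-side check (runs inside the VM via Run Command) ---------------
# ADE on Windows only handles initialized, online NTFS volumes that have a
# drive letter. Report every disk/volume so the unencryptable one stands out.
$guestScript = @'
$report = foreach ($d in Get-Disk) {
    if ($d.PartitionStyle -eq 'RAW') { "Disk $($d.Number): RAW (not initialized)"; continue }
    if ($d.IsOffline)                { "Disk $($d.Number): OFFLINE"; continue }
    foreach ($p in Get-Partition -DiskNumber $d.Number | Where-Object DriveLetter) {
        $v  = Get-Volume -DriveLetter $p.DriveLetter
        $bl = Get-BitLockerVolume -MountPoint "$($p.DriveLetter):" -ErrorAction SilentlyContinue
        "Disk $($d.Number) $($p.DriveLetter): FS=$($v.FileSystem) BitLocker=$($bl.ProtectionStatus)"
    }
}
$report -join "`n"
'@
$tmp = New-TemporaryFile
Set-Content -Path $tmp.FullName -Value $guestScript
$rc = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroup -VMName $VMName `
        -CommandId 'RunPowerShellScript' -ScriptPath $tmp.FullName
Remove-Item $tmp.FullName
Write-Host "Guest disk report:`n$($rc.Value[0].Message)"

# --- 2. Re-run the extension with a new sequence version --------------------
# The extension only does work again when SequenceVersion changes, so use a
# value it has not seen before (a timestamp is convenient and monotonic).
$kv  = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroup
$seq = Get-Date -Format 'yyyyMMddHHmmss'
$params = @{
    ResourceGroupName         = $ResourceGroup
    VMName                    = $VMName
    DiskEncryptionKeyVaultUrl = $kv.VaultUri
    DiskEncryptionKeyVaultId  = $kv.ResourceId
    VolumeType                = 'Data'
    SequenceVersion           = $seq
    Force                     = $true
}
if ($KekName) {
    # Same KEK as the original run; ADE wraps the BitLocker secret with it.
    $kek = Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $KekName
    $params.KeyEncryptionKeyUrl     = $kek.Key.Kid
    $params.KeyEncryptionKeyVaultId = $kv.ResourceId
}
Set-AzVMDiskEncryptionExtension @params

# --- 3. Verify from the control plane ---------------------------------------
Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroup -VMName $VMName |
    Select-Object OsVolumeEncrypted, DataVolumesEncrypted, ProgressMessage
```

If step 1 reports a data disk as RAW or OFFLINE, initialize it, bring it online and format it as NTFS with a drive letter inside the guest first; re-running the extension will not encrypt a volume it cannot see. Step 3 should show DataVolumesEncrypted as Encrypted once the extension finishes, which can take several minutes; the BitLockerExtension.txt log path listed in the accepted answer is where to look if it stays NotEncrypted.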