This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 10%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERF%3C/text%3E%3C/svg%3E)
Azure Cli command line:
az vm encryption enable --resource-group "GenDox_Labs" --name "GenDoxDM2" --disk-encryption-keyvault "/subscriptions/963c56be-5368-4fd1-9477-f7d214f9888a/resourceGroups/GenDox_Labs/providers/Microsoft.KeyVault/vaults/ESRPIntegration" --volume-type All
Error:
(VMExtensionProvisioningError) VM has reported a failure when processing extension 'AzureDiskEncryption'. Error message: "[2.2.0.43] Failed to configure bitlocker as expected. Exception: Encrypt failed with 2147942487, InnerException: , stack trace: at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerWmi.Win32EncryptableVolumeWrap.Encrypt() in C:__w\1\s\src\BitLocker\BitlockerIaasVMExtension\BitlockerWMI\Win32EncryptableVolumeWrap.cs:line 423
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerOperations.StartEncryptionOnVolume(EncryptableVolume vol) in C:__w\1\s\src\BitLocker\BitlockerIaasVMExtension\BitlockerOperations.cs:line 1335
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.EnableEncryption() in C:__w\1\s\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1427
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.HandleEncryptionOperations() in C:__w\1\s\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1701
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.OnEnable() in C:__w\1\s\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1797"
@Ray Fu (Inspur Worldwide Services Ltd)
Thank you for your post!
From your error message - Exception: Encrypt failed with 2147942487, can you make sure that your VM meets the Group Policy requirements?
Azure Disk Encryption will fail when a custom group policy setting for BitLocker is incompatible - for example, if the OS doesn't support the given encryption method (i.e. AES_128_WITH_DIFFUSER). If your VM didn't have the correct policy setting, you'll have to apply the new policy, and force the new policy to update (gpupdate.exe /force). Restarting your VM may also be required for the policy to take affect.
For more info:
Group Policy requirements
BitLocker group policy settings
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
@Ray Fu (Inspur Worldwide Services Ltd)
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
This is a newly created VM for validating our Disaster Recovery Plan (DRP). I did not make any changes to the group policy.
Do I need to make any changes to the default group policy?
All of my policies under path "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives" are left as "Not configured".
@Ray Fu (Inspur Worldwide Services Ltd)
Thank you for following up on this!
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FV Please keep in mind PII:
OS Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name: Microsoft Windows 11 Pro
OS Version: 10.0.22000 N/A Build 22000
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
OS Version:
Yes. My VM is domain joined. Actually, I am working on Microsoft Office Interop project as a vendor dev. The VM joined Microsoft Corpnet (Redmond domain)
OS Version:
@Ray Fu (Inspur Worldwide Services Ltd)
From your screenshots you might have to change some registry values. However, I'd recommend working with our support team on this since they'll have the most up to date experience.
Note:It is not recommended to change registry values since this can negatively affect your VM/environment.
XTS-256 as the encryption method should be used.
If you change any registry values, please test this prior to changing this in production.
A restart may be required. Once your VM has restarted, retry encryption using the BEK script below.
$KVRGname = 'MyKeyVaultResourceGroup';
$VMRGName = 'MyVirtualMachineResourceGroup';
$vmName = 'MySecureVM';
$KeyVaultName = 'MySecureVault';
$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
$KeyVaultResourceId = $KeyVault.ResourceId;
$sequenceVersion = [Guid]::NewGuid();
Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType "All" –SequenceVersion $sequenceVersion;
If you have any other questions, please let me know.
Thank you!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 79%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
@JamesTran-MSFT Azure Disk Encryption will fail when a custom group policy setting for BitLocker is incompatible Do you have more details on this
found it when i removed the key FVE all works