Failed to configure bitlocker as expected. Exception: Encrypt failed with 2147942487

  • Question

  • I get the following exception when I try to enable Azure Disk encryption on a Windows 10 VM.

    I'm following the directions from here: https://docs.microsoft.com/en-us/powershell/module/azurerm.compute/set-azurermvmdiskencryptionextension?view=azurermps-6.13.0

    Failed to configure bitlocker as expected. Exception: Encrypt failed with 2147942487, InnerException: , stack trace:    at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerWmi.Win32EncryptableVolumeWrap.Encrypt() in                          X:\bt\1001052\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerWMI\Win32EncryptableVolumeWrap.cs:line 451
                                    at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerOperations.StartEncryptionOnVolume(EncryptableVolume vol) in X:\bt\1001052\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerOperations.cs:line 867
                                    at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.EnableEncryption() in X:\bt\1001052\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1272
                                    at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.HandleEncryptionOperations() in X:\bt\1001052\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1505
                                    at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.OnEnable() in X:\bt\1001052\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1595

    Tuesday, May 7, 2019 1:57 AM

All replies

  • Can you share the complete PowerShell script which you have used to encrypt the Windows VM?

    Which encryption scenario are you trying from the scenarios listed in the Encryption scenarios section?

    Did you follow the disk encryption prerequisites before encrypting the VM? If not, I would recommend you to check here.

    You can also try installing the latest Az PowerShell module as described here and run the below PowerShell script to encrypt the Windows virtual machine.

    Login-AzAccount
    Select-AzSubscription -Subscription "**********************"
    $rgName = "your resource group name"
    $location = "location name"
    
    Register-AzResourceProvider -ProviderNamespace "Microsoft.KeyVault"
    Get-AzResourceGroup -Location $location -Name $rgName
    
    #create a new keyvault
    $keyVaultName = "your key vault name"
    New-AzKeyVault -Location $location `
        -ResourceGroupName $rgName `
        -VaultName $keyVaultName `
        -EnabledForDiskEncryption
    
    Add-AzureKeyVaultKey -VaultName $keyVaultName -Name "myKey" -Destination "Software"
    $keyVault = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName;
    $diskEncryptionKeyVaultUrl = $keyVault.VaultUri;
    $keyVaultResourceId = $keyVault.ResourceId;
    $keyEncryptionKeyUrl = (Get-AzKeyVaultKey -VaultName $keyVaultName -Name myKey).Key.kid;
    
    
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $rgName `
        -VMName "your vm name" `
        -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
        -DiskEncryptionKeyVaultId $keyVaultResourceId `
        -KeyEncryptionKeyUrl $keyEncryptionKeyUrl `
        -KeyEncryptionKeyVaultId $keyVaultResourceId
    
    Get-AzVmDiskEncryptionstatus -ResourceGroupName $rgName -VMName "your Vm name" 

    Kindly let us know if you need any further assistance on this.

    Tuesday, May 7, 2019 11:15 AM
    Moderator
  • Here is my script:

    connect-AzAccount
    $rgName = "jastimso-devvm"
    $location = "eastus"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.KeyVault"
    Get-AzResourceGroup -Location $location -Name $rgName
    #create a new keyvault
    $keyVaultName = "jastimso-devvm-kv"
    New-AzKeyVault -Location $location `
        -ResourceGroupName $rgName `
        -VaultName $keyVaultName `
        -EnabledForDiskEncryption
    Add-AzureKeyVaultKey -VaultName $keyVaultName -Name "jastimso-devvm-key" -Destination "Software"
    $keyVault = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName;
    $diskEncryptionKeyVaultUrl = $keyVault.VaultUri;
    $keyVaultResourceId = $keyVault.ResourceId;
    $keyEncryptionKeyUrl = (Get-AzKeyVaultKey -VaultName $keyVaultName -Name myKey).Key.kid;

    Set-AzVMDiskEncryptionExtension -ResourceGroupName $rgName `
        -VMName "jastimso-devvm" `
        -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
        -DiskEncryptionKeyVaultId $keyVaultResourceId `
        -KeyEncryptionKeyUrl $keyEncryptionKeyUrl `
        -KeyEncryptionKeyVaultId $keyVaultResourceId
    Get-AzVmDiskEncryptionstatus -ResourceGroupName $rgName -VMName "jastimso-devvm"

    Tuesday, May 7, 2019 3:16 PM
  • Also, while following your script, Add-AzureKeyVaultKey doesn't work. See error below. Yes, I have installed the latest Az modules.

    Add-AzureKeyVaultKey -VaultName $keyVaultName -Name "jastimso-devvm-key" -Destination "Software"
    Add-AzureKeyVaultKey : The term 'Add-AzureKeyVaultKey' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
    spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:1
    + Add-AzureKeyVaultKey -VaultName $keyVaultName -Name "jastimso-devvm-k ...
    + ~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (Add-AzureKeyVaultKey:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException

    Tuesday, May 7, 2019 3:35 PM
  • I ran your script and got the same error.
    Tuesday, May 7, 2019 3:48 PM
  • @Jared, could you please uninstall the Az modules and install the AzureRM modules?

    After installing the AzureRM module, you can try the below PowerShell script for encrypting the Windows VM.

    Login-AzureRmAccount
    
    Select-AzureRmSubscription -SubscriptionId "your subscription id"
    $rgName = "jastimso-devvm"
    $location = "eastus"
    
    Register-AzureRmResourceProvider -ProviderNamespace "Microsoft.KeyVault"
    Get-AzureRmResourceGroup -Location $location -Name $rgName
    
    #create a new keyvault
    $keyVaultName = "jastimso-devvm-kv"
    New-AzureRmKeyVault -Location $location `
        -ResourceGroupName $rgName `
        -VaultName $keyVaultName `
        -EnabledForDiskEncryption
    
    #add key to the keyvault
    Add-AzureKeyVaultKey -VaultName $keyVaultName `
        -Name "jastimso-devvm-key" `
        -Destination "Software"
    
    
    $keyVault = Get-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName;
    $diskEncryptionKeyVaultUrl = $keyVault.VaultUri;
    $keyVaultResourceId = $keyVault.ResourceId;
    $keyEncryptionKeyUrl = (Get-AzureKeyVaultKey -VaultName $keyVaultName -Name jastimso-devvm-key).Key.kid;
    
    Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName `
        -VMName "jastimso-devvm" `
        -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
        -DiskEncryptionKeyVaultId $keyVaultResourceId `
        -KeyEncryptionKeyUrl $keyEncryptionKeyUrl `
        -KeyEncryptionKeyVaultId $keyVaultResourceId
    
    #check the status of encryption is enabled for the VM
    
    Get-AzureRmVmDiskEncryptionStatus  -ResourceGroupName $rgName -VMName "jastimso-devvm" 

    I have tested in my environment and it’s working perfectly. Please find the below screenshots.

    You can check the status using Azure portal as shown below.

    Kindly, let us know if you need any further assistance on this.

    Wednesday, May 8, 2019 8:56 AM
    Moderator
  • @Jared, Just checking in to see if the above answer helped. If this answers your query, do click “Mark as Answer” and Up-Vote for the same. And, if you have any further query do let us know.
    Thursday, May 9, 2019 5:15 AM
    Moderator
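
An added example, not part of any post in this thread: the decimal code in the error, 2147942487, is HRESULT 0x80070057 (FACILITY_WIN32 wrapping Win32 error 87, "The parameter is incorrect"), so a reasonable first step is to decode it and verify the values handed to Set-AzVMDiskEncryptionExtension before retrying. The sketch assumes the Az module is installed and Connect-AzAccount has already run, and uses the resource names posted above; `ConvertFrom-HResult` is a helper defined here, not an Az cmdlet. It does not establish the cause of the failure in this thread.

```powershell
# Added example; resource names are the ones posted in the thread.
$rgName       = "jastimso-devvm"
$vmName       = "jastimso-devvm"
$keyVaultName = "jastimso-devvm-kv"
$keyName      = "jastimso-devvm-key"   # must match the name the key was created with

function ConvertFrom-HResult {
    # Split a decimal HRESULT into its fields. Facility 7 (FACILITY_WIN32)
    # means the low 16 bits are an ordinary Win32 error code.
    param([Parameter(Mandatory)][long]$Value)
    $code     = [int]($Value -band 0xFFFF)
    $facility = [int](($Value -shr 16) -band 0x1FFF)
    [pscustomobject]@{
        Hex      = '0x{0:X8}' -f $Value
        Facility = $facility
        Code     = $code
        Message  = if ($facility -eq 7) { [ComponentModel.Win32Exception]::new($code).Message }
    }
}

# The code from "Encrypt failed with 2147942487"
ConvertFrom-HResult -Value 2147942487

# Pre-flight: check every input to the encryption extension before calling it.
$vm    = Get-AzVM -ResourceGroupName $rgName -Name $vmName
$vault = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName
$key   = Get-AzKeyVaultKey -VaultName $keyVaultName -Name $keyName

$problems = @()
if (-not $vm)    { $problems += "VM '$vmName' not found in resource group '$rgName'." }
if (-not $vault) { $problems += "Key vault '$keyVaultName' not found in resource group '$rgName'." }
if ($vault -and -not $vault.EnabledForDiskEncryption) {
    $problems += "Key vault is not enabled for disk encryption."
}
if ($vm -and $vault) {
    # Azure Disk Encryption needs the vault in the VM's region; normalise "East US" vs "eastus".
    $vmLoc    = ($vm.Location    -replace '\s', '').ToLower()
    $vaultLoc = ($vault.Location -replace '\s', '').ToLower()
    if ($vmLoc -ne $vaultLoc) { $problems += "Vault region '$vaultLoc' differs from VM region '$vmLoc'." }
}
if (-not $key) {
    # A wrong -Name here leaves the KEK URL $null when it is passed to the extension.
    $problems += "Key '$keyName' not found in vault; -KeyEncryptionKeyUrl would be empty."
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { "Inputs look consistent. KEK URL: $($key.Key.Kid)" }
```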