ARM Template Error with Schema v1.1

  • Question

  • I am attempting to assemble an ARM template with the Windows2016 Datacenter image to create a VM with encrypted disks using the 1.1 schema recommended in this article:

    "Azure Disk Encryption for Windows (Microsoft.Azure.Security.AzureDiskEncryption)"

    failed with message '{
      "status": "Failed",
      "error": {
        "code": "ResourceDeploymentFailure",
        "message": "The resource operation completed with terminal provisioning state 'Failed'.",
        "details": [
          {
            "code": "VMExtensionProvisioningError",
            "message": "VM has reported a failure when processing extension 'AzureDiskEncryption'. Error message: \"Failed to configure bitlocker as expected. Exception: Couldn't find AADClientID in extension PublicSettings , InnerException: , stack trace:    at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.Settings.BitlockerExtensionSettings.GetExtensionPublicSettings()\r\n   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.InitializeExtension()\r\n   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.OnEnable()\"."

    The perplexing part is that the 1.1 schema should not require AAD properties.

    Here is my JSON:

    {
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "name": "[concat(parameters('virtualMachineName'),'/AzureDiskEncryption')]",
      "apiVersion": "2015-06-15",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[concat('Microsoft.Compute/virtualMachines/', parameters('virtualMachineName'))]"
      ],
      "properties": {
        "publisher": "Microsoft.Azure.Security",
        "settings": {
          "EncryptionOperation": "EnableEncryption",
          "KeyEncryptionAlgorithm": "RSA-OAEP",
          "KeyEncryptionKeyURL": "[parameters('keyEncryptionKeyURL')]",
          "KekVaultResourceId": "[parameters('keyVaultResourceID')]",
          "KeyVaultURL": "[parameters('keyVaultURL')]",
          "KeyVaultResourceId": "[parameters('keyVaultResourceID')]",
          "SequenceVersion": "[uniqueString(resourceGroup().id, deployment().name)]",
          "VolumeType": "All"
        },
        "type": "AzureDiskEncryption",
        "typeHandlerVersion": "1.1"
      }
    }

    What am I doing wrong here?


    Saturday, August 17, 2019 1:32 AM

Answers

  • None of the suggestions were helpful. I eventually got it working with the information in this article

    https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/azure-disk-enc-windows 

    However, I did not get it to work with the schema v1.1 version but with the v0.1 for the AzureDiskEncryption extension. The v0.1 schema requires Azure Active Directory (AAD) properties, and the v1.1 is a newer, recommended schema that does not use Azure Active Directory (AAD) properties. So while I got encryption to work in the ARM template, it uses the older schema. That is adequate for now, but when I get the v1.1 schema to work I will update this post for the benefit of the community. In the meantime, here is the snippet of JSON that worked for me. Note, you will have to create the required parameters in your template files.

    {
      "name": "UpdateEncryptionSettings",
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2015-01-01",
      "dependsOn": [
        "[concat('Microsoft.Compute/virtualMachines/', parameters('virtualMachineName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "templateLink": {
          "uri": "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/201-encrypt-running-windows-vm/azuredeploy.json",
          "contentVersion": "1.0.0.0"
        },
        "parameters": {
          "vmName": {
            "value": "[parameters('virtualMachineName')]"
          },
          "aadClientID": {
            "value": "[parameters('aadClientID')]"
          },
          "aadClientSecret": {
            "value": "[parameters('aadClientSecret')]"
          },
          "keyVaultName": {
            "value": "[parameters('keyVaultName')]"
          },
          "keyVaultResourceGroup": {
            "value": "[parameters('keyVaultResourceGroup')]"
          },
          "useExistingKek": {
            "value": "[parameters('useExistingKek')]"
          },
          "keyEncryptionKeyURL": {
            "value": "[parameters('keyEncryptionKeyURL')]"
          }
        }
      }
    }


    Thursday, August 29, 2019 8:40 PM
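    As an added check (not code from this thread or from Microsoft), a small Python linter for the AzureDiskEncryption extension resource. It encodes two facts from the Microsoft extension documentation linked above: for the Windows handler, typeHandlerVersion 1.1 is the Azure AD flow (which is why the deployment in the question fails with a missing AADClientID) and 2.2 is the flow without Azure AD; it also flags an AADClientSecret placed in plaintext settings instead of protectedSettings. The sample resource is an abridged copy of the question's JSON.

```python
# Handler versions of the Windows extension Microsoft.Azure.Security.
# AzureDiskEncryption, per the Microsoft extension docs: 1.1 is the Azure AD
# flow (AADClientID plus a client secret or cert thumbprint), 2.2 is the flow
# without Azure AD. The Linux extension uses different version numbers.
AAD_VERSIONS = {"1.1"}
NO_AAD_VERSIONS = {"2.2"}

def check_ade_extension(resource: dict) -> list:
    """Lint one virtualMachines/extensions resource that enables Azure Disk
    Encryption; returns a list of human-readable findings (empty = clean)."""
    props = resource.get("properties", {})
    if props.get("type") != "AzureDiskEncryption":
        return ["not an AzureDiskEncryption extension resource"]
    settings = props.get("settings", {})
    protected = props.get("protectedSettings", {})
    version = str(props.get("typeHandlerVersion", ""))
    has_aad = "AADClientID" in settings
    findings = []

    # Version / Azure AD mismatch: the failure mode behind the thread's
    # "Couldn't find AADClientID in extension PublicSettings" error.
    if version in AAD_VERSIONS and not has_aad:
        findings.append(f"version {version} is the Azure AD flow but "
                        "AADClientID is missing (2.2 is the no-AAD flow)")
    elif version in NO_AAD_VERSIONS and has_aad:
        findings.append(f"version {version} has no Azure AD flow but "
                        "settings carries AADClientID")
    elif version not in AAD_VERSIONS | NO_AAD_VERSIONS:
        findings.append(f"unrecognised typeHandlerVersion {version!r}")

    # The client secret belongs in protectedSettings, which only the target VM
    # can decrypt; anything in settings is readable from the deployment JSON.
    if "AADClientSecret" in settings:
        findings.append("AADClientSecret is in plaintext settings; move it "
                        "to protectedSettings")
    if has_aad and not ({"AADClientSecret", "AADClientCertThumbprint"}
                        & (settings.keys() | protected.keys())):
        findings.append("AADClientID set without a secret or cert thumbprint")
    return findings

# Constructed sample: the properties block from the question, abridged and
# re-typed here (ARM expressions stay opaque strings; only keys matter).
QUESTION_RESOURCE = {"properties": {
    "publisher": "Microsoft.Azure.Security", "type": "AzureDiskEncryption",
    "typeHandlerVersion": "1.1",
    "settings": {"EncryptionOperation": "EnableEncryption",
                 "KeyVaultURL": "[parameters('keyVaultURL')]",
                 "KeyVaultResourceId": "[parameters('keyVaultResourceID')]",
                 "VolumeType": "All"}}}
```

Run `check_ade_extension` over every extension resource in a template before deploying; on the question's resource it reports the version/AAD mismatch that the VM later surfaces as a provisioning failure.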

All replies

  • Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.

    Just for clarification: in Access policies, is the Azure Resource Manager template deployment option enabled?

    Also check: go to your Key Vault -> Access Policies. Make sure these check boxes are checked.

    May I know the memory size of the VM? (Ideally it should be 7GB.) Have you referred to the suggestion mentioned in this article?

    Can you take a look at our VMExtensionProvisioning error and a similar issue discussed here and see if it helps you?

    You may also refer to this GitHub template!

    Try the above-mentioned suggestions, and if the issue still persists we would like to work more closely on this issue.

    Hope this helps! 
    Kindly let us know if the above helps or you need further assistance on this issue.

    ------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" and Upvote on the post that helps you, this can be beneficial to other community members.

    Tuesday, August 20, 2019 10:34 AM
    Moderator
  • I plan to test it this morning. I will reply back. Thanks
    Tuesday, August 20, 2019 11:31 AM
  • Is there any update on the issue?

    If the suggested answer helped for your issue, do click on "Mark as Answer" and “Vote as Helpful” on the post that helps you, this can be beneficial to other community members.

    Wednesday, August 21, 2019 6:49 AM
    Moderator
  • @Garth Lezama Just checking in to see if the above answer helped. If this answers your query, do click “Mark as Answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
    Friday, August 23, 2019 6:49 AM
    Moderator
  • @Garth Lezama Just checking in to see if the above answer helped. If this answers your query, do click “Mark as Answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
    Monday, August 26, 2019 7:19 AM
    Moderator
  • @Garth Lezama Glad to hear that the issue got fixed. Appreciate you sharing the steps which helped you; this would certainly benefit other community members.

    Friday, August 30, 2019 4:23 AM
    Moderator