Error encrypting a VM Scale Set

  • Question

  • When trying to encrypt a VM scale set I keep getting the below error message. The VM image is hardened using the GPOs from the Microsoft security baseline.

    Does anyone have any idea what's going on?

    Set-AzVmssDiskEncryptionExtension : Long running operation failed with status 'Failed'. Additional Info:'VM has
    reported a failure when processing extension 'AzureDiskEncryption'. Error message: "Failed to configure bitlocker as
    expected. Exception: ProtectKeyWithExternalKey failed with 2147942450, InnerException: , stack trace:    at Microsoft.C
    is.Security.BitLocker.BitlockerIaasVMExtension.BitlockerWmi.Win32EncryptableVolumeWrap.ProtectKeyWithExternalkey() in
    X:\bt\1001052\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerWMI\Win32EncryptableVolumeWrap.cs:line 205
       at
    Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerOperations.GenerateKeyForVolume(EncryptableVolume
    vol) in X:\bt\1001052\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerOperations.cs:line 845
       at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.GenerateProtectorForVolume(Encryptab
    leVolume vol) in X:\bt\1001052\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 116
       at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.GenerateAndUploadProtectors() in
    X:\bt\1001052\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 755
       at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.EnableEncryption() in
    X:\bt\1001052\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1255
       at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.HandleEncryptionOperations() in
    X:\bt\1001052\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1505
       at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.OnEnable() in
    X:\bt\1001052\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1595".'
    ErrorCode: VMExtensionProvisioningError
    ErrorMessage: VM has reported a failure when processing extension 'AzureDiskEncryption'. Error message: "Failed to
    configure bitlocker as expected. Exception: ProtectKeyWithExternalKey failed with 2147942450, InnerException: , stack
    trace:    at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerWmi.Win32EncryptableVolumeWrap.ProtectK
    eyWithExternalkey() in
    X:\bt\1001052\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerWMI\Win32EncryptableVolumeWrap.cs:line 205
       at
    Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerOperations.GenerateKeyForVolume(EncryptableVolume
    vol) in X:\bt\1001052\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerOperations.cs:line 845
       at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.GenerateProtectorForVolume(Encryptab
    leVolume vol) in X:\bt\1001052\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 116
       at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.GenerateAndUploadProtectors() in
    X:\bt\1001052\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 755
       at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.EnableEncryption() in
    X:\bt\1001052\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1255
       at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.HandleEncryptionOperations() in
    X:\bt\1001052\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1505
       at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.OnEnable() in
    X:\bt\1001052\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1595".
    ErrorTarget:
    StartTime: 14/05/2019 08:38:22
    EndTime: 14/05/2019 08:39:09
    OperationID: c0078252-ab1d-462d-9748-a71e9c21c228
    Status: Failed
    At line:1 char:1
    + Set-AzVmssDiskEncryptionExtension -ResourceGroupName $VMSSRGname -VMS ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : CloseError: (:) [Set-AzVmssDiskEncryptionExtension], ComputeCloudException
        + FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.Extension.AzureDiskEncryption.SetAzureVmssDiskEncryptio
       nExtensionCommand

    Tuesday, May 14, 2019 8:14 AM

All replies

  • Could you share the PowerShell script which you used to encrypt the VMSS, to help better on this?

    Did you follow the prerequisites to encrypt the VM? If not, you can have a look at the following article.

    Azure Disk Encryption - Prerequisites


    Tuesday, May 14, 2019 8:52 AM
    Moderator
  • Hello, I used this.

    $KVRGname = 'pixelrobots-Dev-KeyVault';        # resource group that holds the Key Vault
    $VMSSRGname = 'pixelrobots-dev';               # resource group that holds the scale set
    $VmssName = 'pixelrobots-dev';
    $KeyVaultName = 'encryption-keyvault-UKS';
    $keyEncryptionKeyName = "MyKeyEncryptionKey";  # KEK in the vault used to wrap the BitLocker secret
    ## Do not edit below this line.
    $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
    $DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
    $KeyVaultResourceId = $KeyVault.ResourceId;
    $KeyEncryptionKeyUrl = (Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $keyEncryptionKeyName).Key.kid;
    # Enable the AzureDiskEncryption extension on the scale set, with secrets wrapped by the KEK above.
    Set-AzVmssDiskEncryptionExtension -ResourceGroupName $VMSSRGname -VMScaleSetName $VmssName `
        -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId `
        -KeyEncryptionKeyUrl $KeyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId;

    The Key Vault is set up right too. It works when I try to encrypt a non-hardened VM image.

    Tuesday, May 14, 2019 10:37 AM
  • Apologies for the delay!

    Based on the error message: ProtectKeyWithExternalKey failed with 2147942450

    Can you make sure that you don't have any dynamic or striped volumes in the VM, or any GPOs that are preventing the creation of external key protectors?

    Additionally, can you check the GPO and provide a screenshot if possible:

    Can you share the group policy screenshot of allowing external key protectors:

    Screenshot or export: Local group policy editor --> Administrative templates --> Windows Components --> BitLocker Drive Encryption --> Operating system drives --> Require additional authentication at startup

    Wednesday, May 22, 2019 6:11 AM
    Moderator
  • Hello,

    The volumes are just normal Windows volumes, nothing special there. Also, the GPO settings you asked me to look at are all set to Not Configured. I used the baseline configuration from https://blogs.technet.microsoft.com/secguide/2018/11/20/security-baseline-final-for-windows-10-v1809-and-windows-server-2019/ to harden the image.

    Wednesday, May 22, 2019 8:13 AM
  • Refer to the suggestion mentioned in the below:

    • Removed the BitLocker setting, “Allow Secure Boot for integrity validation,” as it merely enforced a default that was unlikely to be modified even by a misguided administrator.
    • Removed the BitLocker setting, “Configure minimum PIN length for startup,” as new hardware features reduce the need for a startup PIN, and the setting increased Windows’ minimum by only one character.  

    The GPO looks to be messing with BitLocker settings as well.

    Configuring the TPM startup PIN is required for ADE, and the same applies to Configure TPM startup key. Below is a screenshot of what I mean.



    Friday, May 24, 2019 5:28 AM
    Moderator
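    The two moderator replies above ask for the same things: whether a GPO blocks creation of external key protectors, and how "Require additional authentication at startup" (TPM startup PIN / TPM startup key) is configured. The following is an added example, not code posted in this thread or shipped with the Azure Disk Encryption extension, that gathers those answers from inside the hardened image instead of from screenshots. It also decodes the number the extension reported: 2147942450 is the HRESULT 0x80070032, whose low 16 bits are Win32 error 50 (ERROR_NOT_SUPPORTED). The registry path HKLM\SOFTWARE\Policies\Microsoft\FVE and the value names are the documented BitLocker policy registry names; the function names are my own, and the script assumes an elevated session on a machine where the BitLocker PowerShell module is present.

```powershell
# Added example (not from the thread): decode the code ADE reported and audit the
# BitLocker startup-authentication policy and existing protectors on the image.
# Assumes an elevated PowerShell session with the BitLocker module available.

function ConvertFrom-AdeErrorCode {
    # $Code is the decimal number from the extension message, e.g. 2147942450.
    param([Parameter(Mandatory)][long]$Code)
    $hresult = $Code -band 0xFFFFFFFF
    $result  = [ordered]@{ HResult = ('0x{0:X8}' -f $hresult) }
    # Facility 7 (0x8007xxxx) is FACILITY_WIN32: the low 16 bits are a Win32 error number.
    if ((($hresult -shr 16) -band 0x7FF) -eq 7) {
        $win32 = [int]($hresult -band 0xFFFF)
        $result.Win32Code = $win32
        $result.Message   = ([System.ComponentModel.Win32Exception]::new($win32)).Message
    }
    [pscustomobject]$result
}

function Get-BitLockerStartupPolicy {
    # Registry values written by "Require additional authentication at startup"
    # (Administrative Templates > Windows Components > BitLocker Drive Encryption >
    # Operating System Drives). A missing value means the policy is Not Configured.
    $key     = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $names   = 'UseAdvancedStartup', 'EnableBDEWithNoTPM', 'UseTPM',
               'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN', 'MinimumPIN'
    $meaning = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }   # UseTPM* drop-down values
    foreach ($n in $names) {
        $v = (Get-ItemProperty -Path $key -Name $n -ErrorAction SilentlyContinue).$n
        $value = 'Not Configured'
        $text  = ''
        if ($null -ne $v) {
            $value = $v
            if ($n -like 'UseTPM*' -and $meaning.ContainsKey([int]$v)) { $text = $meaning[[int]$v] }
        }
        [pscustomobject]@{ Setting = $n; Value = $value; Meaning = $text }
    }
}

function Get-VolumeProtectorSummary {
    # Existing protectors per volume. The extension adds an ExternalKey protector
    # (ProtectKeyWithExternalKey), which a "Do not allow" startup-key policy blocks.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType
            ProtectionStatus = $_.ProtectionStatus
            KeyProtectors    = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
        }
    }
}

ConvertFrom-AdeErrorCode -Code 2147942450 | Format-List
Get-BitLockerStartupPolicy | Format-Table -AutoSize
Get-VolumeProtectorSummary | Format-Table -AutoSize
```

    Run it once on a plain image that encrypts successfully and once on the baseline-hardened image; the two policy tables can be diffed directly, which is quicker than comparing Group Policy Editor screenshots and also catches values set by an imported security baseline that the editor shows as Not Configured only after a refresh.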
  • Hello,

    I have checked one of my Azure VMs that has been encrypted using the Azure extension (the same thing that is happening with the VMSS), and my current GPOs, all Not Configured, match. So your answer above will not help in this case.

    Do you have any other ideas?

    Thanks

    Richard

    Friday, May 24, 2019 8:08 AM
  • Apologies for the delayed response! This may require a deeper investigation to find out the root cause, so if you have a support plan, I request you to file a support ticket by following How to create an Azure support request. If you don't have a support plan, please do let us know; we will try and help you get one-time free technical support. In this case, please send an email to AzCommunity[at]Microsoft[dot]com with the below details to investigate this further. Please mention "ATTN Yash" in the subject field. Thank you for your cooperation on this matter, and I look forward to your reply.

    Thread URL:

    Subscription ID:

    Monday, June 3, 2019 7:34 AM
    Moderator