Failed to configure machine for bitlocker encryption. Reboot the VM and retry encryption operation

  • Question

  • Hi,

    I'm trying to encrypt the Azure VM's Disk using Keyvault. But it is throwing the below error.

    "Failed to configure machine for bitlocker encryption. Reboot the VM and retry encryption operation". Please help in resolving the issue.

    Thanks

    Monday, August 5, 2019 6:58 AM

All replies

  • May I know which OS you are using?

    This error is likely to occur when access to Key Vault from within the VM is restricted by firewall settings. Some troubleshooting tips on this scenario are available here:

     You may refer to the troubleshooting steps mentioned in this article and let me know the status.

    Also check: Go to your keyvault -> Access Policies.  Make sure these check boxes are checked

    How to Encrypt virtual disks on a Windows VM and Enable encryption on a newly added data disk

    If the issue persists, please do provide a screenshot of the error (after concealing any private) for better understanding.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.
    ------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" and Upvote on the post that helps you, this can be beneficial to other community members.

    Monday, August 5, 2019 9:45 AM
    Moderator
  • Hi Sumanth,

    Thank you for your response.

    I'm using Windows OS.

    All the security policies are clearly implemented. I checked the policies and they are also allowed. There is no restriction with the firewall.

    I have a doubt: must BitLocker be enabled in the VM? Please let me know.

    Thanks



    • Edited by uk9777 Monday, August 5, 2019 11:39 AM
    Monday, August 5, 2019 10:28 AM
  • The Azure platform needs access to the encryption keys or secrets in your key vault to make them available to the virtual machine when it boots and decrypts the virtual machine OS volume. To grant permissions to Azure platform, set the EnabledForDiskEncryption property in the key vault. Can you please check the prerequisites of Azure Disk Encryption?

    Just for clarification, have you enabled KV for disk encryption?

    Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -EnabledForDiskEncryption

    Get-Command Set-AzureRM*Extension* -Module AzureRM.Compute, if it is not installed after activating the encryption, sometimes a reboot is necessary for this. Let me know if this helps, or if you would like us to enable a support case for you.

    Can you try to encrypt a different VM disk and let me know the status?

    If the issue still persists, on the VM, you should see an error indicating a fatal exception in BitlockerExtension OnEnable, at the location mentioned below:

    C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.Security.AzureDiskEncryption\

    Hope this helps!


    Tuesday, August 6, 2019 8:05 AM
    Moderator
  • Hi Sumanth,

    I enabled KV for disk encryption. But no luck.

    Today I tried with Az module, instead of AzureRM module. It works.

    Thanks

    Tuesday, August 6, 2019 11:17 AM
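
The Key Vault prerequisite discussed in the replies above, checked with the Az module that the poster reports switching to. This is an added example, not code from the thread; the resource names are constructed placeholders, and it assumes the Az module is installed and `Connect-AzAccount` has already been run.

```powershell
# Added example: Az-module prerequisite check before enabling Azure Disk Encryption.
# Assumes an authenticated Az session. The three names below are placeholders.
$resourceGroupName = 'rg-example'
$keyVaultName      = 'kv-example'
$vmName            = 'vm-example'

$kv = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName
if (-not $kv) { throw "Key vault '$keyVaultName' not found in '$resourceGroupName'." }
$vm = Get-AzVM -ResourceGroupName $resourceGroupName -Name $vmName -ErrorAction Stop

# Azure Disk Encryption requires the vault and the VM to be in the same region.
# Region strings can differ in case and spacing, so normalize before comparing.
$normalize = { param($s) ($s -replace '\s', '').ToLowerInvariant() }
if ((& $normalize $kv.Location) -ne (& $normalize $vm.Location)) {
    Write-Warning "Vault is in '$($kv.Location)' but VM is in '$($vm.Location)'."
}

# The platform can only release secrets to the VM if this flag is set on the vault.
if (-not $kv.EnabledForDiskEncryption) {
    Write-Warning 'EnabledForDiskEncryption is not set; enabling it now.'
    Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName `
        -ResourceGroupName $resourceGroupName -EnabledForDiskEncryption
}

# Enable encryption with the Az cmdlet, then report per-volume status.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $resourceGroupName -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All
Get-AzVMDiskEncryptionStatus -ResourceGroupName $resourceGroupName -VMName $vmName
```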
  • Glad to hear that issue got fixed! Thanks for the update! Kindly do let us know if you need further assistance.  Do click on "Mark as Answer" and Upvote on the post that helps you in query, this can be beneficial to other community members
    • Marked as answer by uk9777 Monday, August 19, 2019 5:37 AM
    • Unmarked as answer by uk9777 Monday, August 19, 2019 12:37 PM
    Tuesday, August 6, 2019 12:14 PM
    Moderator
  • Hi Sumanth,

    There is one more error I'm getting. Following are the error details. Please help in resolving this.

    Set-AzVMDiskEncryptionExtension : Long running operation failed with status 'Failed'. Additional Info:'VM has reported a failure when processing 
    extension 'AzureDiskEncryption'. Error message: "Failed to configure bitlocker as expected. Exception: ProtectKeyWithExternalKey failed with 
    2147942512, InnerException: , stack trace:    at 
    Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerWmi.Win32EncryptableVolumeWrap.ProtectKeyWithExternalkey() in 
    X:\bt\1027666\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerWMI\Win32EncryptableVolumeWrap.cs:line 207
       at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerWmi.Win32EncryptableVolumeWrap.GenerateBitlockerKey(Boolean backupKeyToAD) 
    in X:\bt\1027666\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerWMI\Win32EncryptableVolumeWrap.cs:line 473
       at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.GenerateProtectorForVolume(EncryptableVolume vol) in 
    X:\bt\1027666\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 121
       at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.GenerateAndUploadProtectors() in 
    X:\bt\1027666\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 953
       at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.EnableEncryption() in 
    X:\bt\1027666\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1447
       at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.HandleEncryptionOperations() in 
    X:\bt\1027666\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1699
       at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.OnEnable() in 
    X:\bt\1027666\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1790".'
    ErrorCode: VMExtensionProvisioningError
    ErrorMessage: VM has reported a failure when processing extension 'AzureDiskEncryption'. Error message: "Failed to configure bitlocker as expected. 
    Exception: ProtectKeyWithExternalKey failed with 2147942512,

    Monday, August 19, 2019 5:41 AM
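
The number in the error quoted above is an HRESULT printed in decimal: 2147942512 is 0x80070070, facility 7 (Win32) with code 112, which Windows defines as ERROR_DISK_FULL. The following added example (not part of the thread or of the extension's code) decodes such values and collects them from the extension log directory named earlier in the thread; the function name and the log-line pattern are assumptions based on the message format shown here.

```powershell
# Added example: decode decimal failure codes reported by the ADE extension.
function ConvertFrom-HResult {
    param([Parameter(Mandatory)][uint32]$Value)
    $facility = [int](($Value -shr 16) -band 0x1FFF)
    $code     = [int]($Value -band 0xFFFF)
    $message  = $null
    if ($facility -eq 7) {   # FACILITY_WIN32: the low word is a Win32 error code
        $message = (New-Object System.ComponentModel.Win32Exception $code).Message
    }
    [pscustomobject]@{
        Decimal  = $Value
        Hex      = '0x{0:X8}' -f $Value
        Failure  = (($Value -shr 31) -eq 1)   # severity bit
        Facility = $facility
        Code     = $code
        Message  = $message
    }
}

# Log directory named in the thread; this part is meant to run inside the VM.
$logDir = 'C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.Security.AzureDiskEncryption'
if (Test-Path $logDir) {
    Get-ChildItem -Path $logDir -Recurse -File |
        Select-String -Pattern 'failed with (\d{10})\b' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } |
        Sort-Object -Unique |
        Where-Object { [uint64]$_ -le [uint32]::MaxValue } |
        ForEach-Object { ConvertFrom-HResult ([uint32]$_) }
}

# The code from the error message quoted in the post above.
ConvertFrom-HResult 2147942512
```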
  • @uk9777  Just for clarification: in Access policies, is the Azure Resource Manager template deployment option enabled?

    Also check: Go to your keyvault -> Access Policies.  Make sure these check boxes are checked

    May I know the memory size of the VM? (Ideally it should be 7GB)  Have you referred to the suggestion mentioned in this article

    Can you take a look at our VMExtensionProvisioning error and a similar issue that has been discussed here and see if it helps you?

    You may also refer to this GitHub template! Try the above-mentioned suggestion, and if the issue still persists we would like to work more closely on this issue.

    For a deeper analysis of this issue, I would recommend you to contact support, so if you have a support plan, I request you file a support ticket, else please do let us know, we will try and help you get a one-time free technical support. In this case, could you send an email to AzCommunity[at]Microsoft[dot]com referencing this thread as well as your subscription ID. Please mention "ATTN subm" in the subject field. Thank you for your cooperation on this matter and look forward to your reply.


    Monday, August 19, 2019 2:58 PM
    Moderator
  • Is there any update on the issue?

    If the suggested answer helped for your issue, do click on "Mark as Answer" and “Vote as Helpful” on the post that helps you, this can be beneficial to other community members.

    Wednesday, August 21, 2019 6:50 AM
    Moderator
  • @uk9777  Just checking in to see if the above answer helped. If this answers your query, do click “Mark as Answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
    Friday, August 23, 2019 5:58 AM
    Moderator
  • @uk9777  I am following  up in this thread.
    Just checking in to see if the above answer helped. If this answers your query, do click “Mark as Answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
    Thursday, August 29, 2019 5:54 AM
    Moderator