VM has reported a failure when processing extension AzureDiskEncryption

Question

I am running the following script:

$keyVault = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName;
$diskEncryptionKeyVaultUrl = $keyVault.VaultUri;
$keyVaultResourceId = $keyVault.ResourceId;
$keyEncryptionKeyUrl = (Get-AzureKeyVaultKey -VaultName $keyVaultName -Name myKey).Key.kid;

Set-AzVMDiskEncryptionExtension -ResourceGroupName $rgName `
-VMName "myVM" `
-DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
-DiskEncryptionKeyVaultId $keyVaultResourceId `
-KeyEncryptionKeyUrl $keyEncryptionKeyUrl `
-KeyEncryptionKeyVaultId $keyVaultResourceId

which is returning the following around 1 minutes of processing:

Set-AzureRmVmDiskEncryptionExtension : Long running operation failed with status 'Failed'. Additional Info:'VM has reported a failure when processing extension 'AzureDiskEncryption'. Error message: "Failed to send DiskEncryptionData, Check KeyVault inputs, ResourceIds and retry encryption operation".' ErrorCode: VMExtensionProvisioningError ErrorMessage: VM has reported a failure when processing extension 'AzureDiskEncryption'. Error message: "Failed to send DiskEncryptionData, Check KeyVault inputs, ResourceIds and retry encryption operation". ErrorTarget: StartTime: 3/2/19 2:10:59 PM EndTime: 3/2/19 2:10:59 PM

i have verified the values are all correctly passed to the set command and no nulls are being passed.

Answer 1

in this case OP needed to enable Key Vault for disk encryption, under advanced access policies.

Answer 2

I had this issue but banging my head for days the below steps fixed my issue.

1. Check the values of the $KeyVault, $DiskEncryptionKeyVaultUrl, and $KeyVaultResourceId variables and make sure they are not null or empty.
2. If step 1 is completed, check the Key Vault creation process thoroughly, and check if it is in the same region as the VM and that it has been enabled for disk encryption:Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName - EnabledForDiskEncryption

Answer 3

If you are still facing the issue, you can try this:

1. Go to the disk of a VM that needs to be encrypted.
2. Click Identity
3. Turn Status to "ON" for a system or user assigned.

Then execute below commands. It is available with explanation on https://learn.microsoft.com/en-us/azure/virtual-machines/windows/encrypt-disks

$keyVault = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName;

$diskEncryptionKeyVaultUrl = $keyVault.VaultUri;

$keyVaultResourceId = $keyVault.ResourceId;

$keyEncryptionKeyUrl = (Get-AzKeyVaultKey -VaultName $keyVaultName -Name myKey).Key.kid;

Set-AzVMDiskEncryptionExtension -ResourceGroupName $rgName `

-VMName "myVM" 
-DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
-DiskEncryptionKeyVaultId $keyVaultResourceId `
-KeyEncryptionKeyUrl $keyEncryptionKeyUrl `
-KeyEncryptionKeyVaultId $keyVaultResourceId$