Cannot encrypt Azure VM with no temporary disk present

I came across a very unusual problem this week which I hadn't seen before and which even took Microsoft Support a few days to diagnose...

The issue was that my Azure IaaS VM would not encrypt its OS and data disks when using the Set-AzVMDiskEncryptionExtension PowerShell command and was throwing the following error:

Set-AzVMDiskEncryptionExtension : Long running operation failed with status 'Failed'. Additional Info:'VM has reported a failure when processing extension 'AzureDiskEncryption'. Error message: "[2.2.0.36] Failed to configure bitlocker as expected. Exception: Object reference not set to an instance of an object., InnerException: , stack trace:    at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.SaveTemporaryStorageProtectorToBekVolume() in X:\bt\1132456\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 814
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.EnableEncryption() in X:\bt\1132456\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1635
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.HandleEncryptionOperations() in X:\bt\1132456\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1873
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.OnEnable() in X:\bt\1132456\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1970"
More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot '
ErrorCode: VMExtensionProvisioningError
ErrorMessage: VM has reported a failure when processing extension 'AzureDiskEncryption'. Error message: "[2.2.0.36] Failed to configure bitlocker as expected. Exception: Object reference not set to an instance of an object., InnerException: , stack trace:    at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.SaveTemporaryStorageProtectorToBekVolume() in X:\bt\1132456\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 814
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.EnableEncryption() in X:\bt\1132456\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1635
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.HandleEncryptionOperations() in X:\bt\1132456\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1873
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.OnEnable() in X:\bt\1132456\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1970"
More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot 
ErrorTarget: 
StartTime: 26/02/2021 16:35:27
EndTime: 26/02/2021 16:36:05
OperationID: 590717d7-5fcf-4347-9fd4-bf54f452d20f
Status: Failed
At line:1 char:1
+ Set-AzVMDiskEncryptionExtension `
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Set-AzVMDiskEncryptionExtension], ComputeCloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.Extension.AzureDiskEncryption.SetAzureDiskEncryptionExtensionCommand

After lots of troubleshooting and various log collections it was discovered that the VM size I had selected did not include a temporary disk, and these machine sizes are actually not supported for Azure Disk Encryption (BitLocker), which was news to me!

Sure enough, this was confirmed by the Azure documentation here.


The solution was fairly simple: resize the VM to a size which does have a temporary disk and retry the encryption. However, that process is not as straightforward as it sounds, seeing as you cannot just resize a VM without a temp disk to one that has one, as per the documentation - something else I didn't know!


Great, ok, so that means I need to delete the VM and re-create it using a size that includes a temp disk? No drama. Although, it did take me a little while to dig out the script I had made previously to create VMs from existing managed disks, but once I found that and updated it to use the newer Az module rather than AzureRM, I was able to recreate the VM with the required size (look out for my upcoming post which details that process).

Now that I had my VM rebuilt, complete with temporary disk, I was ready to re-run my encryption command. I thought I was all set, and then...

Set-AzVMDiskEncryptionExtension : Azure Disk Encryption extension version '2.2 ' without AAD client/secret is not supported on VMs previously encrypted with AAD client/secret.
ErrorCode: NotSupported
ErrorMessage: Azure Disk Encryption extension version '2.2 ' without AAD client/secret is not supported on VMs previously encrypted with AAD client/secret.
ErrorTarget: 
StatusCode: 409
ReasonPhrase: Conflict
OperationID : bd1b0b2a-ff6e-4396-8e11-d95960e5dc57
At line:1 char:1
+ Set-AzVMDiskEncryptionExtension `
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Set-AzVMDiskEncryptionExtension], ComputeCloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.Extension.AzureDiskEncryption.SetAzureDiskEncryptionExtensionCommand

Urgh....now what! It turns out the disks, which I had previously attempted (and failed) to encrypt, had some remnants of BitLocker configuration left over, and the encryption process rejected them with the error above. I got around this by running the following command to remove all traces of encryption from the VM disks and configuration:

Disable-AzVMDiskEncryption -ResourceGroupName "ResourceGroupName" -VMName "VMName" -VolumeType All

This command also threw a "long running operation failed" error, but I kind of expected this as the encryption was never fully configured. Sure enough, once this had run (and errored) I was able to repeat the original encryption command, which completed successfully, and all my drives were enabled for BitLocker encryption.

Set-AzVMDiskEncryptionExtension `
-ResourceGroupName "ResourceGroupName" `
-VMName "VMName" `
-DiskEncryptionKeyVaultUrl $KeyVault.VaultUri `
-DiskEncryptionKeyVaultId $KeyVault.ResourceId `
-VolumeType "All" -Force
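Pulling the lessons above together, here is an added pre-flight and recovery script (my own example, not from the original post or from Microsoft). It assumes the Az module is loaded, Connect-AzAccount has been run, $KeyVault holds the Key Vault object returned by Get-AzKeyVault, and the resource group and VM names are placeholders you replace with your own.

```powershell
# Added example: check the VM size has a temporary disk before calling ADE,
# clear any half-finished encryption state, then enable encryption and verify.
$ResourceGroupName = "ResourceGroupName"   # placeholder
$VMName            = "VMName"              # placeholder

$vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName

# 1. Sizes without a temporary (resource) disk report ResourceDiskSizeInMB = 0
#    and cannot host the BitLocker BEK volume that ADE relies on. Fail early
#    rather than after the extension has already run and partially configured the VM.
$size = Get-AzVMSize -Location $vm.Location |
        Where-Object Name -eq $vm.HardwareProfile.VmSize
if (-not $size -or $size.ResourceDiskSizeInMB -le 0) {
    throw "VM size '$($vm.HardwareProfile.VmSize)' has no temporary disk; " +
          "Azure Disk Encryption will fail. Recreate the VM with a size that has one."
}
Write-Host "Size $($size.Name) has a $($size.ResourceDiskSizeInMB) MB temp disk - OK"

# 2. If an earlier attempt left residual encryption settings behind, remove them.
#    Disable-AzVMDiskEncryption may itself report a failed long-running operation
#    when encryption never completed, so log that rather than abort on it.
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
if ($status.OsVolumeEncrypted -ne 'NotEncrypted' -or $status.DataVolumesEncrypted -ne 'NotEncrypted') {
    Write-Host "Residual encryption state: OS=$($status.OsVolumeEncrypted) Data=$($status.DataVolumesEncrypted); clearing"
    try {
        Disable-AzVMDiskEncryption -ResourceGroupName $ResourceGroupName -VMName $VMName `
            -VolumeType All -Force -ErrorAction Stop
    } catch {
        Write-Warning "Disable-AzVMDiskEncryption reported: $($_.Exception.Message)"
    }
}

# 3. Enable encryption for OS and data disks, with the key material held in Key Vault.
Set-AzVMDiskEncryptionExtension `
    -ResourceGroupName $ResourceGroupName `
    -VMName $VMName `
    -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri `
    -DiskEncryptionKeyVaultId $KeyVault.ResourceId `
    -VolumeType "All" -Force

# 4. Confirm from the control plane rather than trusting the BitLocker icon alone.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName |
    Select-Object OsVolumeEncrypted, DataVolumesEncrypted, ProgressMessage
```

Both OsVolumeEncrypted and DataVolumesEncrypted should read Encrypted once the extension has finished; EncryptionInProgress or VMRestartPending means give it time or reboot before retrying anything.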

I could see the BitLocker icon on all the drives in My Computer.

This was also confirmed in Disk Management.


The moral of the story is always use a VM size which includes a temporary disk if you plan to enable drive encryption.

-CG