When I try to enable Azure Disk Encryption on an Azure Windows Server 2022 VM I get the following error:
*Failed to enable Azure Disk Encryption on the VM with the following exception details:Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerFailedToSendEncryptionSettingsException: The fault reason was: ‘ 0xc142506f RUNTIME_E_KEYVAULT_SECRET_WRAP_WITH_KEK_FAILED Key vault secret wrap with key encryption key failed.at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.WireProtocol.WireProtocolMessage.SendEncryptionSettingsToHost()*
I have enabled Access Policies on the KeyVault. I’m following the instructions here:
https://www.starwindsoftware.com/blog/encrypt-your-azure-vm-with-azure-disk-encryption
The KeyVault is in the same tenant as the VM.
I have JIT enabled on the VM. Not sure if that’s an issue.
Any ideas?
2 Answers
I tried to reproduce the same in my environment and got the same error, as shown below:
When I created an Azure Windows Server 2019 VM, Azure Disk Encryption deployed successfully, as shown below:
When I check BitLocker Drive Encryption on the server, BitLocker is enabled in the Azure VM and the disk is encrypting successfully, as shown below:
This is a kind of emerging issue, as KEK encryption is not currently supported on Windows Server 2022.
Please try the following two possible workarounds:
1. Use BEK for the encryption.
2. Change the length of the RSA key from 2048 to a higher value.
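The two workarounds above, written out in Az PowerShell as an added example (this is not code from the question or the answer). The resource group, VM, vault and key names are assumed placeholders, and the EnabledForDiskEncryption pre-check is a general ADE requirement rather than something the thread states.

```powershell
# Added example. Assumed names; replace with your own values.
$ResourceGroup = 'rg-ade-demo'
$VmName        = 'vm-ws2022'
$VaultName     = 'kv-ade-demo'
$UseKek        = $false   # $false = workaround 1 (BEK only), $true = workaround 2 (longer KEK)

# Pre-check: ADE needs the vault flagged for disk encryption, not just an access policy.
$kv = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup
if (-not $kv.EnabledForDiskEncryption) {
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -EnabledForDiskEncryption
    $kv = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup
}

if (-not $UseKek) {
    # Workaround 1: BEK only. Omitting the KeyEncryptionKey* parameters stores the
    # BitLocker key as a Key Vault secret without wrapping it with a KEK, so the
    # wrap step that fails with 0xc142506f is never performed.
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $ResourceGroup -VMName $VmName `
        -DiskEncryptionKeyVaultUrl $kv.VaultUri `
        -DiskEncryptionKeyVaultId  $kv.ResourceId `
        -VolumeType 'All' -Force
}
else {
    # Workaround 2: keep a KEK, but create it with a longer RSA modulus than the
    # 2048-bit default before enabling encryption. 'ade-kek' is an assumed key name.
    $kek = Add-AzKeyVaultKey -VaultName $VaultName -Name 'ade-kek' `
        -Destination 'Software' -Size 4096
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $ResourceGroup -VMName $VmName `
        -DiskEncryptionKeyVaultUrl $kv.VaultUri `
        -DiskEncryptionKeyVaultId  $kv.ResourceId `
        -KeyEncryptionKeyUrl       $kek.Key.Kid `
        -KeyEncryptionKeyVaultId   $kv.ResourceId `
        -VolumeType 'All' -Force
}

# Verify: OsVolumeEncrypted should report Encrypted or EncryptionInProgress.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroup -VMName $VmName
```

Run it in an Az PowerShell session that is already signed in to the subscription that holds the VM and the vault.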