Issue Enabling Disk Encryption on Windows Server 2022 DataCenter VM.
I'm trying to enable disk encryption on one of my Windows Server 2022 DataCenter virtual machines, but I'm encountering the following error.
Both the VM and the Key Vault are in the same region and subscription. I've already:
- Added the VM to the Key Vault access policies.
- Granted contributor access to the VM in Access Control (IAM).
Despite these configurations, I'm still getting the error. Has anyone faced a similar issue or can help me troubleshoot this?
Set-AzVMDiskEncryptionExtension: Long running operation failed with status 'Failed'. Additional Info:'VM has reported a failure when processing extension 'AzureDiskEncryption' (publisher 'Microsoft.Azure.Security' and type 'AzureDiskEncryption'). Error message: '[2.5.0.6] Failed to enable Azure Disk Encryption on the VM with the following exception details:
Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerFailedToSendEncryptionSettingsException: The fault reason was: '0xc142506f RUNTIME_E_KEYVAULT_SECRET_WRAP_WITH_KEK_FAILED Key vault secret wrap with key encryption key failed.'.
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.WireProtocol.WireProtocolMessage.SendEncryptionSettingsToHost() in C:__w\1\s\src\BitLocker\BitlockerIaasVMExtension\WireProtocol\WireProtocolMessage.cs:line 210
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.SendEncryptionSettingsToHostV3(VmEncryptionSettings vmSettings) in C:__w\1\s\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1093 If you are using Windows 11 / Windows Server 2022 or newer, ensure your KEK is size RSA 3072 or larger.'. More information on troubleshooting is available at . '
ErrorCode: VMExtensionProvisioningError
ErrorMessage: VM has reported a failure when processing extension 'AzureDiskEncryption' (publisher 'Microsoft.Azure.Security' and type 'AzureDiskEncryption'). Error message: '[2.5.0.6] Failed to enable Azure Disk Encryption on the VM with the following exception details:
Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerFailedToSendEncryptionSettingsException: The fault reason was: '0xc142506f RUNTIME_E_KEYVAULT_SECRET_WRAP_WITH_KEK_FAILED Key vault secret wrap with key encryption key failed.'.
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.WireProtocol.WireProtocolMessage.SendEncryptionSettingsToHost() in C:__w\1\s\src\BitLocker\BitlockerIaasVMExtension\WireProtocol\WireProtocolMessage.cs:line 210
at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.SendEncryptionSettingsToHostV3(VmEncryptionSettings vmSettings) in C:__w\1\s\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1093 If you are using Windows 11 / Windows Server 2022 or newer, ensure your KEK is size RSA 3072 or larger.'. More information on troubleshooting is available at .
ErrorTarget:
Status: Failed
Charan Adabala 5 Reputation points • Microsoft Employee
Issue resolved. Due to some NSP restrictions I got the above error; now that is resolved.
1 answer
Himanshu Shekhar 6,710 Reputation points • Microsoft External Staff • Moderator
The error you're encountering is 0xc142506f RUNTIME_E_KEYVAULT_SECRET_WRAP_WITH_KEK_FAILED - a well-documented issue specifically affecting Windows Server 2022 and Windows 11 systems.
The primary cause is that your Key Encryption Key (KEK) uses an RSA 2048-bit key size, which is no longer supported for these newer operating systems.
We have reference documentation https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview
Windows Server 2022 and Windows 11 include a newer version of BitLocker and currently don't work with RSA 2048-bit Key Encryption Keys.
Until resolved, use RSA 3072 or RSA 4096-bit keys, as described in https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview#supported-operating-systems
Connect to your Key Vault and check the current KEK
$KeyVaultName = "YourKeyVaultName"
$KEKName = "YourKEKName"
# Get key details
$KEK = Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $KEKName
$KEK.Attributes
Please confirm whether key vault is in the same region and subscription as your VM.
# Check VM location
$VM = Get-AzVM -ResourceGroupName "YourResourceGroup" -Name "YourVMName"
$VM.Location
# Check Key Vault location
$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName
$KeyVault.Location
For creation of a new RSA 3072 or 4096-bit KEK:
az keyvault key create --name "myKEK" --vault-name "<your-unique-keyvault-name>" --kty RSA --size 4096
reference documentation: https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-key-vault?tabs=azure-portal
# Enable Key Vault for disk encryption
Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -EnabledForDiskEncryption
# Enable for deployment (only if needed)
Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -EnabledForDeployment
# Enable for template deployment (only if needed)
Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -EnabledForTemplateDeployment
This example assumes that you are using the same key vault for both the disk encryption key and the KEK:
$KeyVault = Get-AzKeyVault -VaultName "<your-unique-keyvault-name>" -ResourceGroupName "myResourceGroup"
$KEK = Get-AzKeyVaultKey -VaultName "<your-unique-keyvault-name>" -Name "myKEK"
Set-AzVMDiskEncryptionExtension -ResourceGroupName MyResourceGroup -VMName "MyVM" -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId -KeyEncryptionKeyVaultId $KeyVault.ResourceId -KeyEncryptionKeyUrl $KEK.Id -SkipVmBackup -VolumeType All
Kindly let us know if the suggested steps help or if you need further assistance on this issue.
Regards
Himanshu
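A pre-flight script that runs the checks listed in the answer above (region match, vault enabled for disk encryption, KEK present, enabled, RSA and at least 3072 bits) before you re-run Set-AzVMDiskEncryptionExtension. It is added here as an example and is not part of the original answer or of Microsoft's documentation. It assumes Az.Compute and Az.KeyVault are installed and Connect-AzAccount has already run, that the KEK's RSA size can be derived from the modulus length of the returned JSON Web Key ($kek.Key.N), and that the resource names are placeholders you replace. It does not detect the vault-side network restriction (NSP) the asker reported as the actual cause, so a clean pass here still leaves that to verify.

```powershell
# Added pre-flight check for Azure Disk Encryption (not from the original answer).
# Assumes: Az.Compute + Az.KeyVault installed, Connect-AzAccount already run.
# All resource names below are placeholders.
param(
    [string]$ResourceGroupName = "YourResourceGroup",
    [string]$VMName            = "YourVMName",
    [string]$KeyVaultName      = "YourKeyVaultName",
    [string]$KEKName           = "YourKEKName",
    [int]$MinimumKekBits       = 3072   # minimum the extension accepts on Server 2022 / Windows 11
)

$failures = @()

$vm    = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
$vault = Get-AzKeyVault -VaultName $KeyVaultName
$kek   = Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $KEKName

# 1. Region check: the Key Vault must be in the same region as the VM.
if ($vm.Location -ne $vault.Location) {
    $failures += "Region mismatch: VM is in '$($vm.Location)', Key Vault is in '$($vault.Location)'."
}

# 2. The vault must be enabled for disk encryption, otherwise the platform
#    cannot wrap the BitLocker secret with the KEK.
if (-not $vault.EnabledForDiskEncryption) {
    $failures += "Key Vault '$KeyVaultName' is not enabled for disk encryption " +
                 "(run Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -EnabledForDiskEncryption)."
}

# 3. KEK must exist, be enabled, be an RSA key and be large enough.
$kekBits = 0
if (-not $kek) {
    $failures += "KEK '$KEKName' was not found in vault '$KeyVaultName'."
} else {
    if ($kek.Attributes.Enabled -ne $true) {
        $failures += "KEK '$KEKName' is disabled."
    }
    if ($kek.Key.Kty -notin @("RSA", "RSA-HSM")) {
        $failures += "KEK '$KEKName' has key type '$($kek.Key.Kty)'; ADE expects an RSA key."
    } else {
        # Assumption: key size = RSA modulus length in bytes * 8 (the top bit of an
        # RSA modulus is always set, so the byte length is exact).
        $kekBits = $kek.Key.N.Length * 8
        if ($kekBits -lt $MinimumKekBits) {
            $failures += "KEK '$KEKName' is RSA $kekBits-bit; Windows Server 2022 / Windows 11 " +
                         "need RSA $MinimumKekBits or larger (create a new KEK and re-run)."
        }
    }
}

if ($failures.Count -eq 0) {
    Write-Host "Pre-flight checks passed for VM '$VMName' with KEK '$KEKName' (RSA $kekBits-bit)."
    # The enable call from the answer, left commented out so this script only checks:
    # Set-AzVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName -VMName $VMName `
    #   -DiskEncryptionKeyVaultUrl $vault.VaultUri -DiskEncryptionKeyVaultId $vault.ResourceId `
    #   -KeyEncryptionKeyVaultId $vault.ResourceId -KeyEncryptionKeyUrl $kek.Id -SkipVmBackup -VolumeType All
} else {
    Write-Warning "Pre-flight checks failed:"
    $failures | ForEach-Object { Write-Warning " - $_" }
    exit 1
}
```

Run it as a .ps1 with the placeholder names replaced; every failing condition is reported together rather than stopping at the first one, so a single run tells you whether the problem is the key size the answer describes, the vault flag, or the region.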
