An Azure service for virtual machines (VMs) that helps address organizational security and compliance requirements by encrypting the VM boot and data disks with keys and policies that are controlled in Azure Key Vault.
The error you're encountering is 0xc142506f RUNTIME_E_KEYVAULT_SECRET_WRAP_WITH_KEK_FAILED - a well-documented issue specifically affecting Windows Server 2022 and Windows 11 systems.
The primary cause is that your Key Encryption Key (KEK) uses an RSA 2048-bit key size, which is no longer supported for these newer operating systems.
We have reference documentation: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview
Windows Server 2022 and Windows 11 include a newer version of BitLocker and currently don't work with RSA 2048-bit Key Encryption Keys.
Until resolved, use an RSA 3072-bit or RSA 4096-bit key, as described in https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview#supported-operating-systems
Connect to your Key Vault and check the current KEK:
$KeyVaultName = "YourKeyVaultName"
$KEKName = "YourKEKName"
# Get key details
$KEK = Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $KEKName
$KEK.Attributes
Please confirm whether the key vault is in the same region and subscription as your VM.
# Check VM location
$VM = Get-AzVM -ResourceGroupName "YourResourceGroup" -Name "YourVMName"
$VM.Location
# Check Key Vault location
$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName
$KeyVault.Location
To create a new RSA 3072-bit or 4096-bit KEK:
az keyvault key create --name "myKEK" --vault-name "<your-unique-keyvault-name>" --kty RSA --size 4096
Reference documentation: https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-key-vault?tabs=azure-portal
# Enable Key Vault for disk encryption
Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -EnabledForDiskEncryption
# Enable for deployment (Note: if needed)
Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -EnabledForDeployment
# Enable for template deployment (Note: if needed)
Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -EnabledForTemplateDeployment
This example assumes that you are using the same key vault for both the disk encryption key and the KEK:
$KeyVault = Get-AzKeyVault -VaultName "<your-unique-keyvault-name>" -ResourceGroupName "myResourceGroup"
$KEK = Get-AzKeyVaultKey -VaultName "<your-unique-keyvault-name>" -Name "myKEK"
Set-AzVMDiskEncryptionExtension -ResourceGroupName MyResourceGroup -VMName "MyVM" -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId -KeyEncryptionKeyVaultId $KeyVault.ResourceId -KeyEncryptionKeyUrl $KEK.Id -SkipVmBackup -VolumeType All
Kindly let us know if the suggested steps help or if you need further assistance on this issue.
Regards
Himanshu
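The steps in the answer above, combined into one script as an added example (this is not code from the answer or from Microsoft's documentation). It checks that the vault and VM share a region, reads the KEK's RSA modulus length from the JSON Web Key to determine the key size, creates a 4096-bit replacement only when the existing KEK is smaller than 3072 bits, and then applies Azure Disk Encryption with the resulting key. All resource names are placeholders you must replace; it assumes the Az.KeyVault and Az.Compute modules are installed and you are already signed in with Connect-AzAccount.

```powershell
# Added example, not part of the original answer.
# All names below are placeholders; replace them with your own values.
$ResourceGroup = "myResourceGroup"
$VMName        = "myVM"
$KeyVaultName  = "<your-unique-keyvault-name>"
$KEKName       = "myKEK"
$NewKEKName    = "myKEK-4096"   # hypothetical name for the replacement key

$VM       = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VMName
$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName

# 1. Region check: ADE requires the key vault and the VM to be in the same region.
if ($VM.Location -ne $KeyVault.Location) {
    throw "Key Vault '$KeyVaultName' is in $($KeyVault.Location) but VM '$VMName' is in $($VM.Location)."
}

# 2. Key-size check: the RSA modulus N is exposed as a byte array on the JSON Web Key,
#    so its length in bytes times 8 is the key size in bits.
$KEK     = Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $KEKName
$KeyBits = $KEK.Key.N.Length * 8
Write-Host "Current KEK '$KEKName': $($KEK.Key.Kty) $KeyBits-bit, enabled=$($KEK.Attributes.Enabled)"

# 3. A 2048-bit KEK triggers 0xc142506f on Windows Server 2022 / Windows 11,
#    so create a software-protected RSA 4096 key to use instead.
if ($KeyBits -lt 3072) {
    Write-Host "KEK is $KeyBits-bit; creating RSA 4096 key '$NewKEKName' ..."
    $KEK = Add-AzKeyVaultKey -VaultName $KeyVaultName -Name $NewKEKName `
               -Destination Software -KeyType RSA -Size 4096
}

# 4. ADE needs the vault enabled for disk encryption; set it only if it is not already.
if (-not $KeyVault.EnabledForDiskEncryption) {
    Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -EnabledForDiskEncryption
}

# 5. Apply (or re-apply) Azure Disk Encryption using the >= 3072-bit KEK.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $ResourceGroup -VMName $VMName `
    -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri `
    -DiskEncryptionKeyVaultId  $KeyVault.ResourceId `
    -KeyEncryptionKeyVaultId   $KeyVault.ResourceId `
    -KeyEncryptionKeyUrl       $KEK.Id `
    -SkipVmBackup -VolumeType All

# 6. Confirm the OS and data volumes now report as encrypted.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroup -VMName $VMName
```

The `-KeyEncryptionKeyUrl` argument uses `$KEK.Id`, which includes the key version, so the VM is pinned to that specific key version; if you later rotate the KEK you will need to re-run `Set-AzVMDiskEncryptionExtension` with the new URL.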