## Introduction
Azure Disk Encryption (ADE) uses BitLocker for Windows and DM-Crypt for Linux to encrypt VM disks. When encryption fails, VMs remain unencrypted, potentially violating security and compliance requirements.
## Symptoms
Encryption failed:
```bash
$ az vm encryption show --name my-vm --resource-group my-rg
{
  "status": "Failed",
  "message": "Azure Disk Encryption extension failed to provision"
}
```
Extension error:
```bash
# In VM extension status
az vm extension show --vm-name my-vm --resource-group my-rg --name AzureDiskEncryptionForLinux
{
  "status": "error",
  "message": "Key Vault access denied"
}
```
Key Vault error:
```text
# In activity logs:
"AAD application does not have permission to access Key Vault"
```

## Common Causes
1. Key Vault access policy missing - the ADE application lacks the required key and secret permissions
2. Key Vault not enabled for disk encryption - the `enabledForDiskEncryption` setting is off
3. AAD application not configured - missing or misconfigured
4. VM extension failure - extension installation issues
5. Key Vault firewall blocking - network restrictions on the vault
6. Encryption already enabled - double encryption attempt
7. Unsupported VM size or OS - incompatible configuration
## Step-by-Step Fix

1. Check logs for specific error messages
2. Verify configuration settings
3. Test network connectivity
4. Review recent changes
5. Apply corrective action
6. Verify the fix
### Step 1: Check Encryption Status

```bash
# Check current encryption status
az vm encryption show \
  --name my-vm \
  --resource-group my-rg \
  --query '{OSDisk:disks[0].encryptionSettings,DataDisks:disks[1:]}'

# Check extension status
az vm extension list \
  --vm-name my-vm \
  --resource-group my-rg \
  --query "[?contains(name, 'DiskEncryption')]"
```
### Step 2: Verify Key Vault Configuration

```bash
# Check that the Key Vault exists and is enabled for disk encryption
az keyvault show \
  --name my-keyvault \
  --resource-group my-rg \
  --query '{Name:name,EnabledForDiskEncryption:properties.enabledForDiskEncryption}'

# Enable the Key Vault for disk encryption
az keyvault update \
  --name my-keyvault \
  --resource-group my-rg \
  --enabled-for-disk-encryption true
```
### Step 3: Check Key Vault Access Policies

```bash
# List current access policies
az keyvault show \
  --name my-keyvault \
  --query 'properties.accessPolicies'

# Required permissions for ADE:
# - Key: wrapKey, unwrapKey, get
# - Secret: get, list

# Get the ADE service principal object ID
az ad sp show --id "Microsoft.Azure.Security.ServerEncryptor" --query id

# Add an access policy for ADE (replace ADE_SP_OBJECT_ID with the ID from above)
az keyvault set-policy \
  --name my-keyvault \
  --object-id "ADE_SP_OBJECT_ID" \
  --key-permissions wrapKey unwrapKey get \
  --secret-permissions get list
```
### Step 4: Create Key Encryption Key (KEK)

```bash
# Create a key for disk encryption
az keyvault key create \
  --vault-name my-keyvault \
  --name my-kek \
  --protection software

# Or use an existing key
az keyvault key show \
  --vault-name my-keyvault \
  --name my-kek \
  --query 'key.kid'
```
### Step 5: Configure AAD Application

```bash
# Create an AAD application for disk encryption (if not using a system-assigned identity)
az ad app create --display-name "ADE-App"

# Create the service principal (replace APP_ID with the application ID)
az ad sp create --id "APP_ID"

# Create a client secret
az ad app credential reset --id "APP_ID"

# Grant Key Vault access to the application
az keyvault set-policy \
  --name my-keyvault \
  --spn "APP_ID" \
  --key-permissions wrapKey unwrapKey get \
  --secret-permissions get list
```
### Step 6: Enable Disk Encryption

```bash
# Enable encryption (the same command applies to Linux and Windows VMs)
az vm encryption enable \
  --name my-vm \
  --resource-group my-rg \
  --disk-encryption-keyvault my-keyvault \
  --key-encryption-key my-kek \
  --volume-type all
```
### Step 7: Check Key Vault Firewall

```bash
# If the Key Vault has network restrictions, inspect them
az keyvault show \
  --name my-keyvault \
  --query 'properties.networkAcls'

# Allow trusted Azure services through the firewall
az keyvault update \
  --name my-keyvault \
  --bypass AzureServices

# Or disable the firewall temporarily for encryption;
# restore it with --default-action Deny once encryption completes
az keyvault update \
  --name my-keyvault \
  --default-action Allow
```
### Step 8: Verify VM Prerequisites

```bash
# Check the VM size and OS type
az vm show \
  --name my-vm \
  --resource-group my-rg \
  --query '{Size:hardwareProfile.vmSize,OS:storageProfile.osDisk.osType}'

# Supported VM sizes: A, D, DS, G, GS, F, FS series
# Not supported: Basic A series, VMs with premium storage mismatch

# Check the OS version (must support encryption)
# Windows: Server 2008 R2+, Windows 10+
# Linux: Ubuntu, CentOS, RHEL, SUSE with specific kernel versions
```
### Step 9: Monitor Encryption Progress

```bash
# Check encryption status
az vm encryption show \
  --name my-vm \
  --resource-group my-rg \
  --query '{Status:disks[0].encryptionSettings.enabled,Progress:disks[0].encryptionSettings.diskEncryptionKey.secretUrl}'

# Monitor extension status
az vm extension show \
  --vm-name my-vm \
  --resource-group my-rg \
  --name AzureDiskEncryptionForLinux \
  --query '{Status:provisioningState,Message:settings.status}'
```
### Step 10: Troubleshoot Common Errors

```bash
# Error: "VM has pending changes"
# Stop the VM first, then retry encryption
az vm deallocate --name my-vm --resource-group my-rg

# Error: "Extension failed to install"
# Check the extension logs
az vm extension show \
  --vm-name my-vm \
  --resource-group my-rg \
  --name AzureDiskEncryptionForLinux \
  --query 'instanceView.statuses'

# Error: "Key Vault not found"
# Verify the Key Vault name and resource group
az keyvault list --query "[?contains(name, 'my-keyvault')].name"
```
## ADE Support Matrix
| VM Type | Windows | Linux |
|---|---|---|
| Premium Storage | Yes | Yes |
| Standard Storage | Yes | Yes |
| Unmanaged disks | No | No |
| Ultra disks | No | No |
| Shared disks | No | No |
## Verification

```bash
# After enabling encryption, verify the status of every disk
az vm encryption show \
  --name my-vm \
  --resource-group my-rg \
  --query 'disks[].{Name:name,Encrypted:encryptionSettings.enabled}'

# Should show:
# Name: my-vm_OsDisk_1
# Encrypted: true

# Verify the Key Vault holds the encryption secrets and keys
az keyvault secret list --vault-name my-keyvault
az keyvault key list --vault-name my-keyvault
```
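The checks in Steps 2, 3, 7 and 8 and in the Verification section above are all reads of `az` JSON output, so they can be scripted as one preflight report. The following is an added example, not FixWikiHub's own tooling: it takes the documents that `az keyvault show`, `az vm show` and `az vm encryption show` print with `-o json` and reports which of the common causes applies. The three documents, the ADE object ID and the disk names embedded here are constructed samples in the shapes the page's own `--query` expressions assume; on a real system, save each command's output and load it with `json.load()` instead.

```python
"""Offline prerequisite checks for Azure Disk Encryption (ADE).

Added example, not FixWikiHub's own tooling. Evaluates `az keyvault show`,
`az vm show` and `az vm encryption show` JSON against the common causes
listed above. All sample documents below are constructed.
"""
import json

# Permissions the ADE extension needs on the vault (Step 3), compared
# case-insensitively because the CLI prints them in camelCase.
REQUIRED_KEY_PERMS = {"wrapkey", "unwrapkey", "get"}
REQUIRED_SECRET_PERMS = {"get", "list"}

# Constructed object ID standing in for ADE_SP_OBJECT_ID from Step 3.
ADE_OBJECT_ID = "00000000-0000-0000-0000-00000000aaaa"

# Constructed vault: disk encryption disabled, firewall denying by default
# without the AzureServices bypass, and an access policy missing unwrapKey.
SAMPLE_KEYVAULT = json.loads("""{
  "name": "my-keyvault",
  "properties": {
    "enabledForDiskEncryption": false,
    "networkAcls": {"bypass": "None", "defaultAction": "Deny"},
    "accessPolicies": [
      {"objectId": "00000000-0000-0000-0000-00000000aaaa",
       "permissions": {"keys": ["wrapKey", "get"], "secrets": ["get", "list"]}}
    ]
  }
}""")

# Constructed VM on a Basic A-series size, which ADE does not support.
SAMPLE_VM = json.loads("""{
  "hardwareProfile": {"vmSize": "Basic_A1"},
  "storageProfile": {"osDisk": {"osType": "Linux"}}
}""")

# Constructed encryption status after a partial run: OS disk done, data disk not.
SAMPLE_ENCRYPTION = json.loads("""{
  "disks": [
    {"name": "my-vm_OsDisk_1", "encryptionSettings": {"enabled": true}},
    {"name": "my-vm_DataDisk_0", "encryptionSettings": null}
  ]
}""")


def check_keyvault(kv, ade_object_id):
    """Return findings for causes 1, 2 and 5: access policy, enablement, firewall."""
    findings = []
    props = kv["properties"]
    if not props.get("enabledForDiskEncryption"):
        findings.append("Key Vault is not enabled for disk encryption")

    policy = next((p for p in props.get("accessPolicies", [])
                   if p.get("objectId") == ade_object_id), None)
    if policy is None:
        findings.append(f"no access policy for ADE principal {ade_object_id}")
    else:
        perms = policy.get("permissions", {})
        have_keys = {p.lower() for p in perms.get("keys") or []}
        have_secrets = {p.lower() for p in perms.get("secrets") or []}
        for label, missing in (("key", REQUIRED_KEY_PERMS - have_keys),
                               ("secret", REQUIRED_SECRET_PERMS - have_secrets)):
            if missing:
                findings.append(f"access policy lacks {label} permissions: {sorted(missing)}")

    # A Deny default blocks the encryption service unless AzureServices is bypassed.
    acls = props.get("networkAcls") or {}
    bypass = (acls.get("bypass") or "").lower()
    if acls.get("defaultAction", "Allow").lower() == "deny" and "azureservices" not in bypass:
        findings.append("Key Vault firewall denies by default and does not bypass Azure services")
    return findings


def check_vm(vm):
    """Return findings for cause 7: Basic A-series sizes are not supported by ADE."""
    size = vm["hardwareProfile"]["vmSize"]
    if size.lower().startswith("basic_"):
        return [f"VM size {size} is in the Basic A series, which ADE does not support"]
    return []


def unencrypted_disks(status):
    """Names of disks whose encryptionSettings.enabled is not true (Verification section)."""
    return [d["name"] for d in status.get("disks", [])
            if not (d.get("encryptionSettings") or {}).get("enabled")]


def diagnose(kv, vm, status, ade_object_id):
    """Combine the checks into one report; an empty list means no known blocker."""
    return (check_keyvault(kv, ade_object_id)
            + check_vm(vm)
            + [f"disk still unencrypted: {name}" for name in unencrypted_disks(status)])


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_KEYVAULT, SAMPLE_VM, SAMPLE_ENCRYPTION, ADE_OBJECT_ID):
        print("-", finding)
```

To use it against a live subscription, run `az keyvault show --name my-keyvault -o json`, `az vm show --name my-vm --resource-group my-rg -o json` and `az vm encryption show --name my-vm --resource-group my-rg -o json`, load each file with `json.load()`, and pass the results to `diagnose()` together with the object ID you obtained in Step 3. The permission comparison is case-insensitive on purpose, since a policy written through the portal and one written with `az keyvault set-policy` can differ in casing while granting the same rights.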
## Related Issues
- [Fix Azure Key Vault Access Denied](/articles/fix-azure-key-vault-access-denied)
- [Fix Azure VM Extension Failed](/articles/fix-azure-vm-extension-failed)
- [Fix Azure VM Not Starting](/articles/fix-azure-vm-not-starting)