Daniel's Tech Blog

Cloud Computing, Cloud Native & Kubernetes

Enabling Azure Disk Encryption on Windows Server 2016 Server Core in Azure

Besides the Windows Server 2016 Datacenter image, Microsoft also provides a Windows Server 2016 Datacenter – Server Core image in Azure.

If you are using the Server Core image and want to enable Azure Disk Encryption for the VM, you will see the following error message.

New-AzureRmResourceGroupDeployment : 14:27:53 - Resource Microsoft.Compute/virtualMachines/extensions 'azst-crp4/BitLocker' failed with message '{
"status": "Failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal provisioning state 'Failed'.",
"details": [
{
"code": "VMExtensionProvisioningError",
"message": "VM has reported a failure when processing extension 'BitLocker'. Error message: \"Failed to configure bitlocker as expected. Exception: The system cannot find the file
specified, InnerException: , stack trace:    at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)\r\n   at System.Diagnostics.Process.Start(ProcessStartInfo
startInfo)\r\n   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerPrep.RunCommand(String cmd, String args)\r\n   at
Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerPrep.SplitOSVolumeForBitlocker(Boolean& rebootRequired)\r\n   at
Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerOperations.PrepareMachineForBitlocker(Boolean& rebootInitiated)\r\n   at
Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.PrepareMachineForBitlocker(Boolean& rebootInitiated)\r\n   at
Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.HandleEncryptionOperations()\r\n   at
Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.OnEnable()\"."
}
]
}
}'
At C:\Volume\OneDrive\Sync\Azure\ARM\Azure_Global\setupADE.ps1:31 char:13
+             New-AzureRmResourceGroupDeployment -Name $deploymentGUID. ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet

The official solution is described in the Azure documentation.

-> https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-tsg#troubleshooting-windows-server-2016-server-core

You do not need to perform steps 1 to 3. You only need to copy the four files from a 2016 Datacenter installation onto the 2016 Datacenter – Server Core installation. Afterwards, you can follow steps 1 to 3 as stated in the documentation or enable ADE for the VM directly via PowerShell or an ARM template.
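
One way to script the file copy and check it before enabling ADE, as an added example that is not part of the original post. The four file names are taken from the linked Microsoft troubleshooting guide rather than from this post, and `C:\Staging\System32` is a hypothetical folder holding the files copied from a full 2016 Datacenter installation.

```powershell
# Added example, run in an elevated PowerShell session on the Server Core VM.
# Assumptions: file names follow the linked Microsoft troubleshooting guide;
# $SourceRoot is a hypothetical staging folder with the files (and the en-US
# subfolder) taken from System32 of a full Windows Server 2016 Datacenter VM.
param(
    [string]$SourceRoot = 'C:\Staging\System32',
    [string]$TargetRoot = (Join-Path $env:windir 'System32')
)

$relativePaths = @(
    'bdehdcfg.exe',
    'bdehdcfglib.dll',
    'en-US\bdehdcfg.exe.mui',
    'en-US\bdehdcfglib.dll.mui'
)

$results = foreach ($rel in $relativePaths) {
    $src = Join-Path $SourceRoot $rel
    $dst = Join-Path $TargetRoot $rel

    if (-not (Test-Path -LiteralPath $src -PathType Leaf)) {
        throw "Source file missing: $src"
    }

    $status = 'AlreadyPresent'
    if (-not (Test-Path -LiteralPath $dst -PathType Leaf)) {
        # Create the target folder (en-US) if needed, then copy the file.
        $dstDir = Split-Path -Path $dst -Parent
        if (-not (Test-Path -LiteralPath $dstDir)) {
            New-Item -ItemType Directory -Path $dstDir -Force | Out-Null
        }
        Copy-Item -LiteralPath $src -Destination $dst
        $status = 'Copied'
    }

    # Compare hashes so a truncated or mismatched file is caught before ADE runs.
    $srcHash = (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
    [pscustomobject]@{ File = $rel; Status = $status; HashMatch = ($srcHash -eq $dstHash) }
}

$results | Format-Table -AutoSize
if ($results.HashMatch -contains $false) {
    throw 'At least one file differs from the source copy; review it before enabling ADE.'
}
```

Existing files are never overwritten, so a hash mismatch on an `AlreadyPresent` entry means the VM already has a different build of that file and should be checked by hand.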
