Issue Enabling Disk Encryption on Windows Server 2022 DataCenter VM.

Charan Adabala 5 Reputation points Microsoft Employee
2025-09-12T08:20:29.97+00:00

I'm trying to enable disk encryption on one of my Windows Server 2022 DataCenter virtual machines, but I'm encountering the following error.

Both the VM and the Key Vault are in the same region and subscription. I've already:

  • Added the VM to the Key Vault access policies.
  • Granted contributor access to the VM in Access Control (IAM).

Despite these configurations, I'm still getting the error. Has anyone faced a similar issue or can help me troubleshoot this?

Set-AzVMDiskEncryptionExtension: Long running operation failed with status 'Failed'. Additional Info:'VM has reported a failure when processing extension 'AzureDiskEncryption' (publisher 'Microsoft.Azure.Security' and type 'AzureDiskEncryption'). Error message: '[2.5.0.6] Failed to enable Azure Disk Encryption on the VM with the following exception details:

Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerFailedToSendEncryptionSettingsException: The fault reason was: '0xc142506f RUNTIME_E_KEYVAULT_SECRET_WRAP_WITH_KEK_FAILED Key vault secret wrap with key encryption key failed.'.

at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.WireProtocol.WireProtocolMessage.SendEncryptionSettingsToHost() in C:__w\1\s\src\BitLocker\BitlockerIaasVMExtension\WireProtocol\WireProtocolMessage.cs:line 210

at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.SendEncryptionSettingsToHostV3(VmEncryptionSettings vmSettings) in C:__w\1\s\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1093 If you are using Windows 11 / Windows Server 2022 or newer, ensure your KEK is size RSA 3072 or larger.'. More information on troubleshooting is available at https://aka.ms/VMExtensionADEWindowsTroubleshoot. '

ErrorCode: VMExtensionProvisioningError

ErrorMessage: VM has reported a failure when processing extension 'AzureDiskEncryption' (publisher 'Microsoft.Azure.Security' and type 'AzureDiskEncryption'). Error message: '[2.5.0.6] Failed to enable Azure Disk Encryption on the VM with the following exception details:

Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerFailedToSendEncryptionSettingsException: The fault reason was: '0xc142506f RUNTIME_E_KEYVAULT_SECRET_WRAP_WITH_KEK_FAILED Key vault secret wrap with key encryption key failed.'.

at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.WireProtocol.WireProtocolMessage.SendEncryptionSettingsToHost() in C:__w\1\s\src\BitLocker\BitlockerIaasVMExtension\WireProtocol\WireProtocolMessage.cs:line 210

at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.SendEncryptionSettingsToHostV3(VmEncryptionSettings vmSettings) in C:__w\1\s\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1093 If you are using Windows 11 / Windows Server 2022 or newer, ensure your KEK is size RSA 3072 or larger.'. More information on troubleshooting is available at https://aka.ms/VMExtensionADEWindowsTroubleshoot.

ErrorTarget:

Status: Failed


1 answer

  1. Himanshu Shekhar 1,095 Reputation points Microsoft External Staff Moderator
    2025-09-12T12:31:31.6566667+00:00

    The error you're encountering is 0xc142506f RUNTIME_E_KEYVAULT_SECRET_WRAP_WITH_KEK_FAILED - a well-documented issue specifically affecting Windows Server 2022 and Windows 11 systems.

    The primary cause is that your Key Encryption Key (KEK) uses an RSA 2048-bit key size, which is no longer supported for these newer operating systems.


    We have reference documentation https://free.blessedness.top/en-us/azure/virtual-machines/windows/disk-encryption-overview

    Windows Server 2022 and Windows 11 include a newer version of BitLocker and currently don't work with RSA 2048-bit Key Encryption Keys.

    Until resolved, use RSA 3072 or RSA 4096-bit keys, as described in https://free.blessedness.top/en-us/azure/virtual-machines/windows/disk-encryption-overview#supported-operating-systems

    Connect to your Key Vault and check the current KEK:

    $KeyVaultName = "YourKeyVaultName"
    $KEKName = "YourKEKName"

    # Get key details
    $KEK = Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $KEKName
    $KEK.Attributes

    Please confirm whether key vault is in the same region and subscription as your VM.

    # Check VM location
    $VM = Get-AzVM -ResourceGroupName "YourResourceGroup" -Name "YourVMName"
    $VM.Location

    # Check Key Vault location
    $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName
    $KeyVault.Location

    For creation of a new RSA 3072 or 4096-bit KEK:

    az keyvault key create --name "myKEK" --vault-name "<your-unique-keyvault-name>" --kty RSA --size 4096

    reference documentation: https://free.blessedness.top/en-us/azure/virtual-machines/linux/disk-encryption-key-vault?tabs=azure-portal

    # Enable Key Vault for disk encryption
    Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -EnabledForDiskEncryption

    # Enable for deployment (Note: if needed)
    Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -EnabledForDeployment

    # Enable for template deployment (Note: if needed)
    Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -EnabledForTemplateDeployment

    This example assumes that you are using the same key vault for both the disk encryption key and the KEK:

    $KeyVault = Get-AzKeyVault -VaultName "<your-unique-keyvault-name>" -ResourceGroupName "myResourceGroup"
    $KEK = Get-AzKeyVaultKey -VaultName "<your-unique-keyvault-name>" -Name "myKEK"

    Set-AzVMDiskEncryptionExtension -ResourceGroupName MyResourceGroup -VMName "MyVM" -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId -KeyEncryptionKeyVaultId $KeyVault.ResourceId -KeyEncryptionKeyUrl $KEK.Id -SkipVmBackup -VolumeType All

    Kindly let us know if the suggested steps help or you need further assistance on this issue.

    Regards

    Himanshu

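A pre-flight check that ties the answer's steps together before calling Set-AzVMDiskEncryptionExtension, written as an added example (not code from the original thread or from Microsoft's documentation). It assumes the Az.KeyVault and Az.Compute modules are loaded, that the vault, KEK, resource group and VM names below are placeholders you replace, and that the KEK's RSA modulus is exposed as a byte array in the key's JWK (Key.N) so that its length times 8 gives the key size in bits. It goes slightly beyond the answer by also creating a replacement 4096-bit KEK when the existing one is too small.

```powershell
# Added example, not part of the original answer. Replace the placeholder names.
$KeyVaultName   = "YourKeyVaultName"
$KEKName        = "YourKEKName"
$ResourceGroup  = "YourResourceGroup"
$VMName         = "YourVMName"
$MinimumKekBits = 3072   # minimum stated in the ADE error text for Windows Server 2022 / Windows 11

$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName
$VM       = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VMName
$KEK      = Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $KEKName

# Assumption: Key.N is the RSA modulus as a big-endian byte[] with no leading zeros,
# so 256 bytes = RSA 2048, 384 bytes = RSA 3072, 512 bytes = RSA 4096.
$kekBits  = if ($KEK.Key.N) { $KEK.Key.N.Length * 8 } else { 0 }
$problems = @()

if ($kekBits -eq 0) {
    $problems += "KEK '$KEKName' has no RSA modulus; ADE needs an RSA key."
} elseif ($kekBits -lt $MinimumKekBits) {
    # Remediation from the answer: create a larger KEK and switch to it.
    # Assumes the caller has key-create rights on the vault.
    $NewKEKName = "$KEKName-4096"
    Write-Warning "KEK '$KEKName' is RSA $kekBits; creating RSA 4096 key '$NewKEKName' instead."
    $KEK = Add-AzKeyVaultKey -VaultName $KeyVaultName -Name $NewKEKName -Destination Software -KeyType RSA -Size 4096
}
if (-not $KEK.Attributes.Enabled) {
    $problems += "KEK '$($KEK.Name)' is disabled; enable it before wrapping secrets with it."
}
if ($VM.Location -ne $KeyVault.Location) {
    $problems += "VM is in '$($VM.Location)' but the vault is in '$($KeyVault.Location)'; ADE requires the same region."
}
if (-not $KeyVault.EnabledForDiskEncryption) {
    $problems += "Vault '$KeyVaultName' is not enabled for disk encryption (Set-AzKeyVaultAccessPolicy -EnabledForDiskEncryption)."
}

if ($problems.Count -gt 0) {
    Write-Warning "Fix the following before enabling Azure Disk Encryption:"
    $problems | ForEach-Object { Write-Warning "  - $_" }
    return
}

# All checks passed: the BitLocker secret will be wrapped with a KEK of $kekBits bits or the new 4096-bit key.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $ResourceGroup -VMName $VMName `
    -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId `
    -KeyEncryptionKeyUrl $KEK.Id -KeyEncryptionKeyVaultId $KeyVault.ResourceId `
    -VolumeType All -SkipVmBackup
```

Run it from a session already signed in with Connect-AzAccount against the subscription that holds both the VM and the vault; the warnings map directly onto the causes discussed in the answer.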
