SOLVED

"VM has reported a failure when processing extension 'AzureDiskEncryption'.

%3CLINGO-SUB%20id%3D%22lingo-sub-136583%22%20slang%3D%22en-US%22%3E%22VM%20has%20reported%20a%20failure%20when%20processing%20extension%20'AzureDiskEncryption'.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-136583%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20am%20trying%20to%20deploy%20the%20encrypted%20disk%20VM%20through%20template.%20VM%20deployment%20part%20was%20succeeded%20but%20when%20it%20is%20trying%20to%20encrypt%20the%20disk%2C%20it%20is%20failing%20with%20below%20error.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%22code%22%3A%20%22VMExtensionProvisioningError%22%2C%3CBR%20%2F%3E%20%22message%22%3A%20%22VM%20has%20reported%20a%20failure%20when%20processing%20extension%20'AzureDiskEncryption'.%20Error%20%3CBR%20%2F%3Emessage%3A%20%5C%22Failed%20to%20configure%20bitlocker%20as%20expected.%20Exception%3A%20AADSTS70002%3A%20Error%20validating%20%3CBR%20%2F%3Ecredentials.%20AADSTS50012%3A%20Invalid%20client%20secret%20is%20provided.%5Cr%5CnTrace%20ID%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAny%20idea%20on%20this%20%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-136583%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-137212%22%20slang%3D%22en-US%22%3ERe%3A%20%22VM%20has%20reported%20a%20failure%20when%20processing%20extension%20'AzureDiskEncryption'.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-137212%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20sharing%20this%20details.%3C%2FP%3E%0A%3CP%3Eit%20is%20resolved%20after%20re-creating%20the%20secret.%20i%20was%20trying%20to%20apply%20key%20vault%20secret%20instead%20of%20AD%20app%20secret.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-137211%22%20slang%3D%22en-US%22%3ERe%3A%20%22VM%20has%20reported%20a%20failure%20when%20processing%20extension%20'AzureDiskEncryption'.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-137211%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%2C%20thanks%20a%20lot.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%20for%20your%20help.%20it%20is%20resolved%20after%20re-creating%20the%20secret.%20i%20was%20trying%20to%20apply%20key%20vault%20secret%20instead%20of%20AD%20app%20secret.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-137209%22%20slang%3D%22en-US%22%3ERe%3A%20%22VM%20has%20reported%20a%20failure%20when%20processing%20extension%20'AzureDiskEncryption'.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-137209%22%20slang%3D%22en-US%22%3E%3CP%3EYes%2C%20it%20is%20having%20proper%20permission.%20Anyways%2C%20it%20is%20resolved%20after%20re-creating%20the%20secret%20with%20new%20version.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%20for%20your%20help.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-137116%22%20slang%3D%22en-US%22%3ERe%3A%20%22VM%20has%20reported%20a%20failure%20when%20processing%20extension%20'AzureDiskEncryption'.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-137116%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%0A%3CP%3EThis%20template%20enables%20encryption%20on%20a%20running%20windows%20vm%20using%20AAD%20client%20secret.%20This%20template%20assumes%20that%20the%20VM%20is%20located%20in%20the%20same%20region%20as%20the%20resource%20group.%20If%20not%2C%20please%20edit%20the%20template%20to%20pass%20appropriate%20location%20for%20the%20VM%20sub-resources.%3C%2FP%3E%0A%3CP%3EPrerequisites%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EAzure%20Disk%20Encryption%20securely%20stores%20the%20encryption%20secrets%20in%20a%20specified%20Azure%20Key%20Vault.%20Use%20the%20below%20PS%20cmdlet%20for%20getting%20the%20%22keyVaultSecretUrl%22%20and%20%22keyVaultResourceId%22%20Get-AzureRmKeyVault%20-VaultName%20%24KeyVaultName%20-ResourceGroupName%20%24rgname%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EThis%20template%20enables%20encryption%20on%20a%20running%20windows%20vm%20using%20AAD%20client%20secret.%20This%20template%20assumes%20that%20the%20VM%20is%20located%20in%20the%20same%20region%20as%20the%20resource%20group.%20If%20not%2C%20please%20edit%20the%20template%20to%20pass%20appropriate%20location%20for%20the%20VM%20sub-resources.%3C%2FP%3E%0A%3CP%3EPrerequisites%3A%3C%2FP%3E%0A%3CP%3EAzure%20Disk%20Encryption%20securely%20stores%20the%20encryption%20secrets%20in%20a%20specified%20%3CA%20title%3D%22Azure%22%20href%3D%22https%3A%2F%2Fmindmajix.com%2Fmicrosoft-azure-training%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3EAzure%20Key%20Vault%3C%2FA%3E.%20Use%20the%20below%20PS%20cmdlet%20for%20getting%20the%20%22keyVaultSecretUrl%22%20and%20%22keyVaultResourceId%22%20Get-AzureRmKeyVault%20-VaultName%20%24KeyVaultName%20-ResourceGroupName%20%24rgname%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EYour%20can%20refer%20this%20pages%3A%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fdocumentation%2Farticles%2Fazure-security-disk-encryption%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fdocumentation%2Farticles%2Fazure-security-disk-encryption%2F%3C%2FA%3E%3CA%20href%3D%22http%3A%2F%2Fblogs.msdn.com%2Fb%2Fazuresecurity%2Farchive%2F2015%2F11%2F16%2Fexplore-azure-disk-encryption-with-azure-powershell.aspx%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehttp%3A%2F%2Fblogs.msdn.com%2Fb%2Fazuresecurity%2Farchive%2F2015%2F11%2F16%2Fexplore-azure-disk-encryption-with-azure-%20powershell.aspx%3C%2FA%3E%3CA%20href%3D%22http%3A%2F%2Fblogs.msdn.com%2Fb%2Fazuresecurity%2Farchive%2F2015%2F11%2F21%2Fexplore-azure-disk-encryption-with-azure-powershell-part-2.aspx%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehttp%3A%2F%2Fblogs.msdn.com%2Fb%2Fazuresecurity%2Farchive%2F2015%2F11%2F21%2Fexplore-azure-disk-encryption-with-azure-powershell-part-2.aspx%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-137059%22%20slang%3D%22en-US%22%3ERe%3A%20%22VM%20has%20reported%20a%20failure%20when%20processing%20extension%20'AzureDiskEncryption'.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-137059%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20are%20in%20luck%2C%20just%20remember%20i%20created%20a%20video%20on%20using%20that%20template%20a%20while%20ago.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fyoutu.be%2Fk9byoc-_t7I%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fyoutu.be%2Fk9byoc-_t7I%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EEnjoy.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-137055%22%20slang%3D%22en-US%22%3ERe%3A%20%22VM%20has%20reported%20a%20failure%20when%20processing%20extension%20'AzureDiskEncryption'.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-137055%22%20slang%3D%22en-US%22%3E%3CP%3EOk.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDid%20you%20give%20the%26nbsp%3BAAD%20application%26nbsp%3Bright%20permissions%20to%20KeyVault%3F%3C%2FP%3E%0A%3CP%3EAre%20you%20using%20KEK%3F%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-136952%22%20slang%3D%22en-US%22%3ERe%3A%20%22VM%20has%20reported%20a%20failure%20when%20processing%20extension%20'AzureDiskEncryption'.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-136952%22%20slang%3D%22en-US%22%3E%3CP%3Ei%20used%20the%20json%20template%20from%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2Fazure-quickstart-templates%2Ftree%2Fmaster%2F201-encrypt-create-new-vm-gallery-image-managed-disks%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2FAzure%2Fazure-quickstart-templates%2Ftree%2Fmaster%2F201-encrypt-create-new-vm-gallery-image-managed-disks%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ei%20am%20sure%20my%20secret%20are%20correct%20only.%20i%20have%20also%20tried%20with%20new%20secret%20without%20luck.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPl%20help%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-136859%22%20slang%3D%22en-US%22%3ERe%3A%20%22VM%20has%20reported%20a%20failure%20when%20processing%20extension%20'AzureDiskEncryption'.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-136859%22%20slang%3D%22en-US%22%3E%3CP%3EWhat%20template%20are%20you%20using%3F%26nbsp%3B%20Do%20you%20have%20a%20link%20to%20it%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20error%20says%20%22%3CSPAN%3EInvalid%20client%20secret%20is%20provided%22%20so%20it%20does%20have%20something%20to%20do%20with%20your%20keyvault%20secret.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

Hello,

 

I am trying to deploy the encrypted disk VM through template. VM deployment part was succeeded but when it is trying to encrypt the disk, it is failing with below error.

 

"code": "VMExtensionProvisioningError",
"message": "VM has reported a failure when processing extension 'AzureDiskEncryption'. Error
message: \"Failed to configure bitlocker as expected. Exception: AADSTS70002: Error validating
credentials. AADSTS50012: Invalid client secret is provided.\r\nTrace ID:

 

Any idea on this ?

 

 

8 Replies

What template are you using?  Do you have a link to it?

 

The error says "Invalid client secret is provided" so it does have something to do with your keyvault secret.

i used the json template from 

https://github.com/Azure/azure-quickstart-templates/tree/master/201-encrypt-create-new-vm-gallery-im...

 

i am sure my secret are correct only. i have also tried with new secret without luck.

 

Pl help

Ok.

 

Did you give the AAD application right permissions to KeyVault?

Are you using KEK? 

 

best response confirmed by Suhag Desai (Contributor)
Solution

You are in luck, just remember i created a video on using that template a while ago.

 

https://youtu.be/k9byoc-_t7I

 

Enjoy.

Step by Step guide to setting up Azure Disk Encryption using GUIReference: https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryptionStep...

Hello,

This template enables encryption on a running windows vm using AAD client secret. This template assumes that the VM is located in the same region as the resource group. If not, please edit the template to pass appropriate location for the VM sub-resources.

Prerequisites:

  1. Azure Disk Encryption securely stores the encryption secrets in a specified Azure Key Vault. Use the below PS cmdlet for getting the "keyVaultSecretUrl" and "keyVaultResourceId" Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $rgname

This template enables encryption on a running windows vm using AAD client secret. This template assumes that the VM is located in the same region as the resource group. If not, please edit the template to pass appropriate location for the VM sub-resources.

Prerequisites:

Azure Disk Encryption securely stores the encryption secrets in a specified Azure Key Vault. Use the below PS cmdlet for getting the "keyVaultSecretUrl" and "keyVaultResourceId" Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $rgname

 

Your can refer this pages: https://azure.microsoft.com/en-us/documentation/articles/azure-security-disk-encryption/http://blogs.msdn.com/b/azuresecurity/archive/2015/11/16/explore-azure-disk-encryption-with-azure- p...http://blogs.msdn.com/b/azuresecurity/archive/2015/11/21/explore-azure-disk-encryption-with-azure-po...

Yes, it is having proper permission. Anyways, it is resolved after re-creating the secret with new version.

 

Thanks for your help.

Great, thanks a lot.

 

Thanks for your help. it is resolved after re-creating the secret. i was trying to apply key vault secret instead of AD app secret.

Thanks for sharing this details.

it is resolved after re-creating the secret. i was trying to apply key vault secret instead of AD app secret.