Azure Virtual Machine Disk Encryption Windows Server 2019 Core

Last week I was deploying Windows Server 2019 core to Azure with disk encryption, and I came across couple of challenges.

Key vault provision issue

I was provision key vault using Az PowerShell module and key vault was created but I had no rights to it, so this lead situation where I couldn’t create secrets, keys, or certificates which I needed to encrypt virtual machine disks.

Warning messages what I received was:

WARNING: The provided information does not map to an AD object id.

WARNING: Access policy is not set. No user or application have access permission to use this vault. This can happen if the vault was created by a service principal. Please use Set-AzKeyVaultAccessPolicy to set access policies.

Those messages are pretty clear and led me to right path.

I was logged to Azure with my Microsoft Account not with Azure Ad account and New-AzKeyVault command could find Azure Ad object with my Microsoft Account.  Microsoft accounts userprincipalname in Azure AD are formatted following way:

“If Microsoft Account is following then it will be presented in Azure Ad tenant as

Fix was pretty simple, couple PowerShell commands and that was it.

You can download script from my  github

You can download script from my github

After this I had full access rights to all secrets, keys, and certificates. So, I could continue my deployment.

Disk encryption

Azure VM disk encryption will fail on Windows Server 2019 core installation because it’s missing bdehdcfg component. Microsoft has an article troubleshooting Windows Server 2016 core installations but this same issue is with Windows Server 2019 core installations and Azure VM Disk Encryption.

Workaround to fix this is following:

  1. Copy following files from Windows Server 2019 GUI installation to same location on core installation:

    • C:\windows\system32\bdehdcfg.exe

    • C:\windows\system32\bdehdcfglib.dll

    • C:\windows\system32\en-US\bdehdcfglib.dll.mui

    • C:\windows\system32\en-US\bdehdcfg.exe.mui

  2. Then run following command in command prompt on core installation:

    • bdehdcfg.exe -target default

  3. Check that you have 550MB system partition on core server

    • Get-Partition | where {$_.Type -eq "System"}

If you don’t have Windows Server 2019 GUI installation in place, you can download files and commands from here.

After this workaround you should be good to go with Azure VM Disk Encryption

Thanks for reading