Windows Server 2008 R2 VMs - Unable to Decrypt Disks

Category: azure disk encryption


_Pete_475 on Wed, 14 Dec 2016 19:17:49

Hi, I've been testing Azure Disk Encryption and everything works fine except when it comes to decrypting Windows Server 2008 R2 VM Disks.

I'm able to encrypt and decrypt Windows Server 2012 R2 with no problems however when it comes to 2008 R2 I can enable encryption without enable problem but when it comes to decrypting the disks I run:

Disable-AzureRMVMDiskEncryption -ResourceGroupName $resourceGroupName -VMName $vmName

Then I get the following error:

Disable-AzureRMVMDiskEncryption : Long running operation failed with status 'Failed'.
ErrorCode: VMExtensionProvisioningError
ErrorMessage: VM has reported a failure when processing extension 'AzureDiskEncryption'. Error message: "Failed to configure bitlocker as expected. Exception: Object 
reference not set to an instance of an object., InnerException: , stack trace:    at 
Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerWmi.Win32EncryptableVolumeWrap.DisableKeyProtectors(Boolean specifyDisableCount, Int32 
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerOperations.StartDecryptionOnVolume(EncryptableVolume vol)
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.DisableEncryption()
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.HandleEncryptionOperations()
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.OnEnable()".

I have tried with vanilla Marketplace 2008 R2 VMs and still get the same issue but 2012 R2 is always fine.

I want to enable encryption on all my production VMs however I would like to have a regression plan which involves removing encryption first.

I have a checked I am meeting all the stated requirements for the VMs and am running the latest Azure PowerShell module

Can anyone offer any advice how to successfully decrypt 2008 R2 VMs?