Sometimes, while trying to add or remove a disk from an Azure VM through the Azure portal, we get an error like "Failed to update virtual machine disks".
Here we are only trying to add/remove the disk and are not doing anything with Azure Disk Encryption (ADE), yet the error message we get is related to ADE.
This is not limited to adding or updating a disk: if we try to add extensions, or perform any other activity that needs a save operation to update the VM template, it shows a similar ADE-related failure message.
To resolve this, we might disable the disk encryption through the Azure portal. The portal then shows that there is no disk encryption, and the related Key Vault field comes up empty. But when we try to add/remove the disk and save, we still get the same kind of message. This is because the VM JSON template still maintains the disk-encryption-related properties. So to rectify this error, we remove the disk encryption property from the VM's template JSON, and we'll be good.
Let's see how to remove the ADE-related properties from the VM JSON template.
Step 1 - Disable the disk encryption (either through the Azure portal or through PowerShell command)
After disabling ADE through the portal or the PowerShell script, we have to wait for some time for the disks to be fully decrypted.
How to verify whether all disks (OS + data disks) are fully decrypted:
- Log in to your VM
- Open PowerShell in admin mode
- Run the command "Get-BitLockerVolume"
- This command will show you the encryption or decryption percentage.
- Sometimes you may observe that the C drive (or OS disk) is not getting decrypted: after waiting for a long period it still shows 100% encrypted (or 0% decrypted). In that case, you have to manually disable BitLocker for your OS disk. Open "Manage BitLocker" [from Control Panel] => Expand OS (C:) => "Turn Off BitLocker"
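The verification steps above can be scripted as a gate to run inside the VM, in an elevated PowerShell session, before moving on to Step 2. This is an added example, not part of the original post; the function names, the timeout and the polling interval are assumptions.

```powershell
# Added example (not from the original post). Function names are hypothetical.
function Get-UndecryptedVolume {
    param(
        # Volume objects to inspect; defaults to the live Get-BitLockerVolume output.
        [object[]]$Volumes = (Get-BitLockerVolume)
    )
    # A volume is safe only when BitLocker reports FullyDecrypted at 0% encrypted.
    $Volumes | Where-Object {
        "$($_.VolumeStatus)" -ne 'FullyDecrypted' -or $_.EncryptionPercentage -ne 0
    }
}

function Wait-FullDecryption {
    param(
        [int]$TimeoutMinutes = 120,  # assumed limit; adjust to disk size
        [int]$PollSeconds    = 60    # assumed polling interval
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ($true) {
        $pending = @(Get-UndecryptedVolume)
        if ($pending.Count -eq 0) { return $true }
        foreach ($v in $pending) {
            Write-Host ("{0}  {1}  {2}% encrypted" -f $v.MountPoint, $v.VolumeStatus, $v.EncryptionPercentage)
            # Still FullyEncrypted means decryption never started on this volume:
            # the case where BitLocker has to be turned off manually.
            if ("$($v.VolumeStatus)" -eq 'FullyEncrypted') {
                Write-Warning "$($v.MountPoint) is not decrypting; turn off BitLocker for it from Manage BitLocker."
            }
        }
        if ((Get-Date) -ge $deadline) { return $false }
        Start-Sleep -Seconds $PollSeconds
    }
}

# Constructed sample objects (not real output) for trying the filter offline:
# $sample = @(
#     [pscustomobject]@{ MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'; EncryptionPercentage = 100 },
#     [pscustomobject]@{ MountPoint = 'F:'; VolumeStatus = 'FullyDecrypted'; EncryptionPercentage = 0 }
# )
# Get-UndecryptedVolume -Volumes $sample

if (Wait-FullDecryption) {
    Write-Host 'All volumes are fully decrypted. Step 2 can proceed.'
} else {
    Write-Warning 'Volumes are still encrypted or decrypting. Do not run Step 2.'
}
```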
DON'T PERFORM THE BELOW OPERATION IF VM DISK IS STILL ENCRYPTED OR DECRYPTION IS IN PROGRESS.
Step 2
Once we are sure that BitLocker is disabled and all disks are fully decrypted (100%), we have to remove ADE altogether.
- $resourceGroup = "<<your-resource-group>>"
- $vmName = "<<your-vm-name>>"
First, let's stop the VM:
- Stop-AzVM -ResourceGroupName $resourceGroup -Name $vmName -NoWait
Wait a few minutes for the VM to stop. You can check in the portal whether the "Start" button has become enabled.
Now execute the PowerShell command to get the VM details:
- $myVm = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName
Here we'll set the encryption settings to NULL. (False means the encryption settings are still there but not enabled right now.)
- $myVm.StorageProfile.OsDisk.EncryptionSettings = $null
- Update-AzVM -ResourceGroupName $myVm.ResourceGroupName -VM $myVm
Let's start the VM now. Because we've just executed the "Update-AzVM" command, Start-AzVM will take some time; in some cases I've observed it took 20-25 minutes.
- Start-AzVM -ResourceGroupName $myVm.ResourceGroupName -Name $myVm.Name
After these operations, once your VM is up and running, try to add/remove the disk and you're good to go.