Only encrypting OS disk for Windows #37795

Closed
CarlosJoseChaconChavarria opened this issue Aug 26, 2019 · 6 comments

@CarlosJoseChaconChavarria

Hi,

I am running this script from your site, but for Windows Server (I was testing Windows 2012 R2) only the OS disk gets encrypted and the Data disk won't. I tried setting Data after having the OS disk encrypted, but same issue. Any idea?

$RGName = "RG"
$VMName = "vm02"
$VaultName= "vaultkey-1111"
$KeyVault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
$VolumeType = "All"
Set-AzVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType $VolumeType

thanks

@BryanTrach-MSFT
Member

@karlochacon Can you please provide us with the URL of the Azure Doc that you are having issues with? We look forward to your reply.

@CarlosJoseChaconChavarria
Author

> @karlochacon Can you please provide us with the URL of the Azure Doc that you are having issues with? We look forward to your reply.

Sorry, I forgot:
https://docs.microsoft.com/en-us/powershell/module/az.compute/set-azvmdiskencryptionextension?view=azps-2.5.0
Example 1: Enable encryption

Tried and tried specifying All and Data, and same issue:
$VolumeType = "All"

thanks

@CarlosJoseChaconChavarria
Author

Any update, guys? Did it work for you or not?

thanks

@SumanthMarigowda-MSFT-zz
Contributor

@karlochacon
If you have selected Volume type "all" during the encryption, any new disk should automatically be encrypted. Try to restart the VM after adding the new disk and check the status.

For more information, How to Enable disk encryption on Data disk

One thing to check first: After attaching a new data disk, there are some steps that need to be taken to initialize the disk inside of Windows before it can be encrypted. Has this been done? If not, some steps on how to do this are available here: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/attach-managed-disk-portal#initialize-a-new-data-disk

$rgName = "Storage-Resources"
$location = "East US"

Register-AzResourceProvider -ProviderNamespace "Microsoft.KeyVault"
Get-AzResourceGroup -Location $location -Name $rgName

$keyVaultName = "diskk****ubm"
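# Backticks continue the command onto the next line; without them each "-Parameter" line is parsed as a separate statement.
New-AzKeyVault -Location $location -ResourceGroupName $rgName `
    -VaultName $keyVaultName `
    -EnabledForDiskEncryption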

#Install-Module -Name Az.KeyVault

#Import-module -Name Az.KeyVault -RequiredVersion 1.0.1

#Install-Module -Name Az.KeyVault -RequiredVersion 1.0.1

#Install-Module -Name Az.KeyVault -RequiredVersion 0.7.0

Add-AzKeyVaultKey -VaultName 'diskkeyessubm' -Name 'tsteys' -Destination 'Software'

$sequenceVersion = [Guid]::NewGuid();

$keyVault = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName;
$diskEncryptionKeyVaultUrl = $keyVault.VaultUri;
$keyVaultResourceId = $keyVault.ResourceId;
$keyEncryptionKeyUrl = (Get-AZKeyVaultKey -VaultName $keyVaultName -Name testkeys).Key.kid;

# -VolumeType All covers the OS disk and data disks; a new -SequenceVersion makes the extension run again on a VM that already has it.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName "filesync" `
    -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId `
    -KeyEncryptionKeyUrl $keyEncryptionKeyUrl `
    -KeyEncryptionKeyVaultId $keyVaultResourceId -VolumeType All -SequenceVersion $sequenceVersion

Restart the VM and wait for 5-10 minutes. I was able to encrypt the 2 attached disks at the same time with the above-mentioned script.

Get-AzVmDiskEncryptionStatus -ResourceGroupName $rgName -VMName "filesync"
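
The in-guest check behind the "initialize the disk inside of Windows" advice above, as an added example that is not part of the original thread or of the Azure docs: it lists attached disks Windows has not initialized, optionally formats them, and reports which data volumes BitLocker has not encrypted. The `$Initialize` switch and the `DataDisk` label are assumptions; run it elevated inside the VM.

```powershell
# Added example (not from the thread). Run elevated inside the Windows VM.
# Assumption: $Initialize is a local opt-in switch; leave $false to only report.
$Initialize = $false

# A freshly attached Azure data disk shows up with partition style RAW:
# there is no volume yet, so "-VolumeType All" has nothing to encrypt on it.
$rawDisks = @(Get-Disk | Where-Object { $_.PartitionStyle -eq 'RAW' } | Sort-Object Number)

foreach ($disk in $rawDisks) {
    $sizeGB = [math]::Round($disk.Size / 1GB)
    Write-Host "Disk $($disk.Number) ($sizeGB GB) is attached but not initialized."

    if ($Initialize) {
        # Creates a GPT partition table, one full-size partition and an NTFS
        # volume. 'DataDisk' is an assumed label. Only RAW disks are touched.
        $disk |
            Initialize-Disk -PartitionStyle GPT -PassThru |
            New-Partition -AssignDriveLetter -UseMaximumSize |
            Format-Volume -FileSystem NTFS -NewFileSystemLabel 'DataDisk' -Confirm:$false |
            Out-Null
        Write-Host "Disk $($disk.Number) initialized and formatted as NTFS."
    }
}

if ($rawDisks.Count -eq 0) {
    Write-Host "No uninitialized disks found."
}

# BitLocker state per volume, as seen from inside the guest.
$volumes = Get-BitLockerVolume
$volumes |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionPercentage |
    Format-Table -AutoSize

# Data volumes that exist but are still in the clear: these are the ones to
# re-check after re-running the extension and restarting the VM.
$unencrypted = @($volumes | Where-Object {
    $_.VolumeType -eq 'Data' -and $_.VolumeStatus -ne 'FullyEncrypted'
})

foreach ($v in $unencrypted) {
    Write-Warning "Data volume $($v.MountPoint) is $($v.VolumeStatus) ($($v.EncryptionPercentage)% encrypted)."
}
```

Once every data disk has a formatted volume, the `Get-AzVmDiskEncryptionStatus` call shown in the thread gives the platform-side view of the same state.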

@CarlosJoseChaconChavarria
Author

Thanks a lot, I will take a look then. I think the disk was just added from Azure but not formatted using Windows NTFS or any other

@SumanthMarigowda-MSFT-zz
Contributor

@karlochacon We will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.
