Enabling Azure Disk Encryption on Windows Server 2016 Server Core in Azure

Beside the Windows Server 2016 Datacenter image, Microsoft also provides an image with Windows Server 2016 Datacenter – Server Core in Azure.

If you are using the Server Core image and want to enable Azure Disk Encryption for the VM, you will see the following error message.

New-AzureRmResourceGroupDeployment : 14:27:53 - Resource Microsoft.Compute/virtualMachines/extensions 'azst-crp4/BitLocker' failed with message '{
"status": "Failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal provisioning state 'Failed'.",
"details": [
{
"code": "VMExtensionProvisioningError",
"message": "VM has reported a failure when processing extension 'BitLocker'. Error message: \"Failed to configure bitlocker as expected. Exception: The system cannot find the file
specified, InnerException: , stack trace:    at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)\r\n   at System.Diagnostics.Process.Start(ProcessStartInfo
startInfo)\r\n   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerPrep.RunCommand(String cmd, String args)\r\n   at
Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerPrep.SplitOSVolumeForBitlocker(Boolean& rebootRequired)\r\n   at
Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerOperations.PrepareMachineForBitlocker(Boolean& rebootInitiated)\r\n   at
Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.PrepareMachineForBitlocker(Boolean& rebootInitiated)\r\n   at
Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.HandleEncryptionOperations()\r\n   at
Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.OnEnable()\"."
}
]
}
}'
At C:\Volume\OneDrive\Sync\Azure\ARM\Azure_Global\setupADE.ps1:31 char:13
+             New-AzureRmResourceGroupDeployment -Name $deploymentGUID. ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet

The official solution is described in the Azure documentation.

-> https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-tsg#troubleshooting-windows-server-2016-server-core

You do not need to take the steps 1 to 3. You only need to copy the four files from a 2016 Datacenter installation onto the 2016 Datacenter – Server Core installation. Afterwards you can follow the steps 1 to 3 as stated in the documentation or directly enable ADE for the VM via PowerShell or an ARM template.