I have an IAAS Disk Encryption question. I have successfully encrypted my machines using Bitlocker/BEK/Azure Key Vault. I'm trying to add the KEK layer on top so that I can run Azure Backup on the Encrypted machines. I'm hitting a snag where all the powershell commands I find online are failing. When you run them against a VM that is running. The BEK part of the command is happy, but the KEK part wants the machine to be deallocated. When I deallocate the VM, I get an error about the machine needing to be started for the BEK section of the command to run against the VM extensions. I'm probably missing something here, but I've spent a lot of time poking at different articles with no luck.
Try this URL.
Note: before you run backup, you must first configure the access policy "Backup Management Service "
https://docs.microsoft.com/en-sg/azure/backup/backup-azure-vms-encryption#provide-permissions-to-azure-backup
Good luck