Infamous “Object reference not set to an instance of an object” for Azure Disk Encryption

I’m working on encrypting RedHat 7.2 VM using Managed Disks. Keep in mind, to work with Managed Disks in PowerShell, you should upgrade to the latest AzureRM module (version 3.7.0 as of this writing). The command to start the encryption process is the same for Windows as it is for Linux:

Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $resourceGroupName -VMName $vmNameForEncryption `
-AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
-DiskEncryptionKeyVaultId $keyVaultResourceId -VolumeType OS

However, when executing this command for a Linux VM which uses Managed Disks, it fails:

Set-AzureRmVMDiskEncryptionExtension : Object reference not set to an instance of an object.
At line:1 char:1
+ Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $resourceGrou ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The reason for the failure can be found as an issue on the Azure GitHub repository:

The enable encryption command typically adds to extensions to the target VM. A VMBackup extension and the encryption extension. The VMBackup extension is a recovery safeguard in case encryption fails. Unfortunately the VMBackup extension is not compatible with managed disks. This causes the enable encryption command to fail at the point it attempts to make a backup of the managed disk, prior to performing encryption.

The fix is simple, backup your VM (if you choose to) first and then run the command while specifying the –SkipVmBackup parameter:

Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $resourceGroupName -VMName $vmNameForEncryption `
-AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
-DiskEncryptionKeyVaultId $keyVaultResourceId -VolumeType OS –SkipVmBackup