Azure Arc
A Microsoft cloud service that enables deployment of Azure services across hybrid and multicloud environments.
371 questions
Azure Arc-enabled Servers - DeployGPO.ps1 Script fails with "C:\<path>\DeployGPO.ps1 : Exception calling "ProtectBase64" with "2" argument(s): "Encryption failed."
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 74%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
SysTek
31
Reputation points
I am trying to deploy Azure Arc for a client and attempting to enroll machines at scale following the "Connect machines at sale using Group Policy" KB. I have configured all of the prerequisites and gone through the Azure setup portion of the scripts.
I am having issues with the DeployGPO.ps1 script completing. The script gets through the GPO portion successfully, but hangs at the encryption section and eventually fails with "C:<path>\DeployGPO.ps1 : Exception calling "ProtectBase64" with "2" argument(s): "Encryption failed.". The only place I can find mention of this error is in this github comment thread on the official ArcEnabledServersGroupPolicy repo. I have tried all of the solutions in the comment thread, as well as the linked related thread, without success. I have also confirmed all .NET updates are installed and ensured that no dependencies are being blocked by both the corporate firewall and windows firewall.
In my case, the issue seems to be environment related and specific to the "$encryptedSecret = [DpapiNgUtil]::ProtectBase64($descriptor, $ServicePrincipalSecret)" line in the PowerShell script. There are no issues importing the module required which defines how to use DpapiNgUtil. I have isolated this section of the script with the required variables and was able to have it successfully run in a lab environment, so I know it isn't a bug or mistake in the script itself. Using that same, confirmed working, portion of the script anywhere in the customer environment, even fresh Windows Server 2022 VMs that have not been joined to the domain yet, all fail with the same "Encryption failed" error described above. Installing the agent manually on the VMs works but is not feasible with the number of VMs in the environment.
I am working on getting a support request setup through our partner portal, but figured I would post here as well while that gets approved. Any help is appreciated!
1 answer
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 78%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAL%3C/text%3E%3C/svg%3E)
Alan La Pietra (CSA) 80 Reputation points Microsoft Employee2024-07-01T06:59:06.8133333+00:00