Merge pull request #179315 from v-bllyd/patch-21

PMEds28 · web-flow · commit cf0087e90acd · 2021-12-15T08:45:45.000Z
Create backup-azure-encrypted-vm-troubleshoot.md
diff --git a/articles/backup/backup-azure-encrypted-vm-troubleshoot.md b/articles/backup/backup-azure-encrypted-vm-troubleshoot.md
@@ -0,0 +1,57 @@
+---
+title: Troubleshoot encrypted Azure VM backup errors
+description: Describes how to troubleshoot common errors that might occur when you use Azure Backup to back up an encrypted VM.
+ms.topic: troubleshooting
+ms.date: 11/9/2021
+---
+
+# Troubleshoot backup failures on encrypted Azure virtual machines
+
+You can troubleshoot common errors encountered while using Azure Backup service to back up encrypted Azure virtual machines with the steps listed below:
+
+## Before you start
+
+1. Review below limitations and supported configurations:
+   - You can back up and restore ADE encrypted VMs within the same subscription.
+   - Azure Backup supports VMs encrypted using standalone keys. Any key that's a part of a certificate used to encrypt a VM isn't currently supported.
+   - Azure Backup supports Cross Region Restore of encrypted Azure VMs to the [Azure paired regions](../best-practices-availability-paired-regions.md#azure-regional-pairs).
+   - ADE encrypted VMs cannot be recovered at the file/folder level. You must recover the entire VM to restore files and folders. 
+   - When restoring a VM, you cannot use 'replace existing VM' option for ADE encrypted VMs. See, [steps to restore encrypted Azure virtual machines](restore-azure-encrypted-virtual-machines.md)
+2. Review the [support matrix](backup-support-matrix.md#cross-region-restore) for a list of supported managed types and regions
+3. Learn more about encryption support using [Azure Disk Encryption(ADE)](backup-azure-vms-encryption.md#encryption-support-using-ade), [customer-managed keys(CMk)](backup-azure-vms-encryption.md#encryption-using-customer-managed-keys) and [platform-managed keys(PMK)](backup-azure-vms-encryption.md#encryption-using-platform-managed-keys)
+
+## Common error codes
+
+This section provides steps to troubleshoot common errors that you might see.
+
+## UserErrorEncryptedVmNotSupportedWithDiskEx
+
+Error message: Disk exclusion is not supported for encrypted virtual machines.
+
+Backup operation failed because selective disk backup is currently not supported for encrypted VMs. Review [selective disk backup limitations](selective-disk-backup-restore.md#limitations).
+
+## UserErrorKeyVaultPermissionsNotConfigured
+
+Error message: Backup doesn't have sufficient permissions to the key vault for backup of encrypted VMs.
+
+Backup operation failed because the encrypted VMs do not have the required permissions to access the key vault. 
+Permissions can be set through [Azure portal](./backup-azure-vms-encryption.md#provide-permissions) or through [PowerShell](./backup-azure-vms-automation.md#enable-protection).
+
+## DiskEncryptionInternalError
+
+Error message: Unknown error encountered when retrieving secret from the Key Vault with URL
+
+Restore operation of encrypted VM failed because of the missing key-vault key or secret.
+To resolve this issue, [restore the Key-Vault key or secret](backup-azure-restore-key-secret.md) and [create encrypted VMs from restored disk, key, and secret](backup-azure-vms-automation.md#create-a-vm-from-restored-disks).
+
+## BCMProtGetSaSUriAsyncError
+
+Error message: Backup failed in allocating storage from protection service
+
+Backup operation failed because Azure Key Vault do not have required access to the Recovery Service Vault. [Assign required permissions to the vault to access the encryption key](/azure/backup/encryption-at-rest-with-cmk?tabs=portal#assign-user-assigned-managed-identity-to-the-vault-in-preview) and retry the operation. 
+
+
+## Next steps
+
+- [Step-by-step instructions to backup encrypted Azure virtual machines](backup-azure-vms-encryption.md)
+- [Step-by-step instructions to restore encrypted Azure virtual machines](restore-azure-encrypted-virtual-machines.md)
diff --git a/articles/backup/backup-azure-vm-backup-faq.yml b/articles/backup/backup-azure-vm-backup-faq.yml
@@ -131,6 +131,11 @@ sections:
       - question: Will a new disk added to VM be backed up automatically?
         answer: |
           Yes, a new disk added to a VM will be backed up automatically during the next backup.
+          
+      
+      - question: Can I restore the files and folders from an encrypted VM backup?
+        answer: |
+          Restoring files and folders from encrypted VM backup is currently not supported, you must recover the entire VM to restore files and folders. See, [steps to restore an encrypted Azure Virtual machine](restore-azure-encrypted-virtual-machines.md).
 
 
   - name: Restore
@@ -250,10 +255,22 @@ sections:
           - You can also use the [private endpoints](private-endpoints.md) to restrict access to the iSCSI server from within the private network.
           - You can also disable this option across an organization using the [deny assignment](../role-based-access-control/deny-assignments.md) feature.
       
-      - question: I've changed the retention policy, what's the time needed for the policy to be effective?
+      - question: I have changed the retention policy, what is the time needed for the policy to be effective?
         answer: |
           The policy takes effect immediately after the modifications of the parameters, such as retention, schedule, and so on. This is applicable for all new backups taken from the modified policy. However, the pruning of the recovery points (if applicable) according to the new policy takes 24 hours.
 
+      - question: How do I extend or reduce the retention of a specific recovery point?
+        answer: |
+          This feature is currently not supported. You can post any feature ask in the [Azure Backup community](https://feedback.azure.com/d365community/forum/153aa817-0725-ec11-b6e6-000d3a4f0858#) portal.
+          
+      - question: How to modify retention period for Stopped backups?
+        answer: |
+          Retention of stopped backups cannot be modified since they do not have any policy attached to it. However, you can [resume protection](/azure/backup/backup-azure-manage-vms#resume-protection-of-a-vm) and assign a policy.
+          
+      - question: How long are the stopped backups retained?
+        answer: |
+          Stopped backups are retained until manually deleted.
+          
       - question: I’m unable to select a virtual network, subnet, or storage account in the secondary region when performing a Cross Region Restore.
         answer: |
           You need to check the subscription permissions in the secondary region. Write to us at [AskAzureBackupTeam@microsoft.com](mailto:AskAzureBackupTeam@microsoft.com) for subscription enrollment.
diff --git a/articles/backup/toc.yml b/articles/backup/toc.yml
@@ -589,6 +589,8 @@
       href: backup-azure-vm-file-recovery-troubleshoot.md
     - name: Azure Backup agent or VM extension timed out
       href: backup-azure-troubleshoot-vm-backup-fails-snapshot-timeout.md
+    - name: Encrypted Azure VM backup
+      href: backup-azure-encrypted-vm-troubleshoot.md
     - name: Azure Backup agent
       href: backup-azure-mars-troubleshoot.md
     - name: Files and folders backup is slow
