Enable Azure Disk Encryption for Windows VMs - Azure Virtual Machines (2024)


Applies to: ✔️ Windows VMs ✔️ Flexible scale sets

Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. It uses the BitLocker feature of Windows to provide volume encryption for the OS and data disks of Azure virtual machines (VMs), and is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.

Azure Disk Encryption is zone resilient, the same way as Virtual Machines. For details, see Azure Services that support Availability Zones.

If you use Microsoft Defender for Cloud, you're alerted if you have VMs that aren't encrypted. The alerts show as High Severity and the recommendation is to encrypt these VMs.


Warning

  • If you have previously used Azure Disk Encryption with Microsoft Entra ID to encrypt a VM, you must continue to use this option to encrypt your VM. See Azure Disk Encryption with Microsoft Entra ID (previous release) for details.
  • Certain recommendations might increase data, network, or compute resource usage, resulting in additional license or subscription costs. You must have a valid active Azure subscription to create resources in Azure in the supported regions.
  • Do not use BitLocker to manually decrypt a VM or disk that was encrypted through Azure Disk Encryption.

You can learn the fundamentals of Azure Disk Encryption for Windows in just a few minutes with the Create and encrypt a Windows VM with Azure CLI quickstart or the Create and encrypt a Windows VM with Azure PowerShell quickstart.

Supported VMs and operating systems

Supported VMs

Windows VMs are available in a range of sizes. Azure Disk Encryption is supported on Generation 1 and Generation 2 VMs. Azure Disk Encryption is also available for VMs with premium storage.

Azure Disk Encryption is not available on Basic or A-series VMs, or on virtual machines with less than 2 GB of memory. For more exceptions, see Azure Disk Encryption: Restrictions.

Supported operating systems

  • Windows client: Windows 8 and later.
  • Windows Server: Windows Server 2008 R2 and later.
  • Windows 10 Enterprise multi-session and later.

Note

Windows Server 2022 and Windows 11 do not support an RSA 2048 bit key. For more information, see FAQ: What size should I use for my key encryption key?

Windows Server 2008 R2 requires the .NET Framework 4.5 to be installed for encryption; install it from Windows Update with the optional update Microsoft .NET Framework 4.5.2 for Windows Server 2008 R2 x64-based systems (KB2901983).

Windows Server 2012 R2 Core and Windows Server 2016 Core require the bdehdcfg component to be installed on the VM for encryption.

Networking requirements

To enable Azure Disk Encryption, the VMs must meet the following network endpoint configuration requirements:

  • To get a token to connect to your key vault, the Windows VM must be able to connect to a Microsoft Entra endpoint, login.microsoftonline.com.
  • To write the encryption keys to your key vault, the Windows VM must be able to connect to the key vault endpoint.
  • The Windows VM must be able to connect to an Azure storage endpoint that hosts the Azure extension repository and an Azure storage account that hosts the VHD files.
  • If your security policy limits access from Azure VMs to the Internet, you can resolve the preceding URIs and configure a specific rule to allow outbound connectivity to those IPs. For more information, see Azure Key Vault behind a firewall.

Group Policy requirements

Azure Disk Encryption uses the BitLocker external key protector for Windows VMs. For domain joined VMs, don't push any group policies that enforce TPM protectors. For information about the group policy for "Allow BitLocker without a compatible TPM," see BitLocker Group Policy Reference.

BitLocker policy on domain joined virtual machines with custom group policy must include the following setting: Configure user storage of BitLocker recovery information -> Allow 256-bit recovery key. Azure Disk Encryption will fail when custom group policy settings for BitLocker are incompatible. On machines that didn't have the correct policy setting, apply the new policy, and force the new policy to update (gpupdate.exe /force). Restarting may be required.

Microsoft BitLocker Administration and Monitoring (MBAM) group policy features aren't compatible with Azure Disk Encryption.

Warning

Azure Disk Encryption does not store recovery keys. If the Interactive logon: Machine account lockout threshold security setting is enabled, machines can only be recovered by providing a recovery key via the serial console. Instructions for ensuring the appropriate recovery policies are enabled can be found in the BitLocker recovery guide plan.

Azure Disk Encryption will fail if domain level group policy blocks the AES-CBC algorithm, which is used by BitLocker.
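The networking and Group Policy requirements above are easy to verify from inside the guest before the extension is pushed. The following script is an added example, not the Microsoft Docs page's own code: it is an in-guest preflight that checks outbound reachability of the Entra ID token endpoint and the key vault endpoint, the BitLocker policy values that conflict with the external key protector, the machine account lockout threshold the warning refers to, and the 2 GB minimum memory from the Supported VMs section. The key vault name is a placeholder, and the registry value names (UseTPM, EnableBDEWithNoTPM, OSRecovery/OSRecoveryKey, FDVRecovery/FDVRecoveryKey under HKLM:\SOFTWARE\Policies\Microsoft\FVE, and MaxDevicePasswordFailedAttempts for the lockout threshold) are the ones the BitLocker Group Policy reference maps these settings to; confirm them against your own policy baseline.

```powershell
# Added example (not from the Microsoft Docs page): in-guest preflight for
# Azure Disk Encryption. Run in an elevated PowerShell session on the Windows VM.
# Assumption: $KeyVaultName is a placeholder; registry value names below come
# from the BitLocker Group Policy reference and should be checked against your
# own policy baseline.
param(
    [Parameter(Mandatory)] [string] $KeyVaultName   # e.g. "kv-ade-demo-01" (placeholder)
)

$findings = [System.Collections.Generic.List[string]]::new()

# --- 1. Network: Entra ID token endpoint and the key vault endpoint on TCP 443 ---
$endpoints = @("login.microsoftonline.com", "$KeyVaultName.vault.azure.net")
foreach ($ep in $endpoints) {
    $r = Test-NetConnection -ComputerName $ep -Port 443 -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) { $findings.Add("FAIL network: cannot reach ${ep}:443") }
}

# --- 2. BitLocker policy: no enforced TPM protector, 256-bit recovery key allowed ---
$fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
function Get-FvePolicy([string] $Name) {
    # Returns $null when the key or value is not present (policy not configured).
    if (Test-Path $fve) { (Get-ItemProperty -Path $fve -Name $Name -ErrorAction SilentlyContinue).$Name }
}

# UseTPM = 2 means "Require TPM", which the external key protector ADE uses cannot satisfy.
if ((Get-FvePolicy "UseTPM") -eq 2) {
    $findings.Add("FAIL policy: 'Require TPM' is enforced; ADE needs the external key protector")
}
if ((Get-FvePolicy "EnableBDEWithNoTPM") -eq 0) {
    $findings.Add("FAIL policy: 'Allow BitLocker without a compatible TPM' is explicitly disabled")
}

# Recovery information policy: when configured, OS and fixed data drives must
# allow (1) or require (2) the 256-bit recovery key; 0 = "Do not allow" breaks ADE.
foreach ($prefix in @("OS", "FDV")) {
    $configured = Get-FvePolicy "${prefix}Recovery"
    $keyOption  = Get-FvePolicy "${prefix}RecoveryKey"
    if ($configured -eq 1 -and $keyOption -eq 0) {
        $findings.Add("FAIL policy: ${prefix}RecoveryKey=0 ('Do not allow 256-bit recovery key')")
    }
}

# --- 3. Machine account lockout threshold: if set, recovery works only through the
#        serial console with a recovery key that ADE itself does not store ---
$sysPolicy = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$lockout = (Get-ItemProperty -Path $sysPolicy -Name MaxDevicePasswordFailedAttempts `
            -ErrorAction SilentlyContinue).MaxDevicePasswordFailedAttempts
if ($lockout -gt 0) {
    $findings.Add("WARN: machine account lockout threshold = $lockout; make sure recovery policies per the BitLocker recovery guide are in place")
}

# --- 4. VM memory: ADE is not supported with less than 2 GB ---
$memGB = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB
if ([math]::Round($memGB) -lt 2) {
    $findings.Add("FAIL size: $([math]::Round($memGB, 2)) GB RAM; ADE needs at least 2 GB")
}

# --- 5. bdehdcfg present (required on Server 2012 R2 / 2016 Core installations) ---
if (-not (Get-Command bdehdcfg.exe -ErrorAction SilentlyContinue)) {
    $findings.Add("WARN: bdehdcfg.exe not found; it is required on Server Core installations")
}

# --- Report ---
if ($findings.Count -eq 0) {
    Write-Output "Preflight passed."
} else {
    $findings | ForEach-Object { Write-Output $_ }
    Write-Output "After correcting policy items, run 'gpupdate.exe /force'; a restart may be required."
}
```

Items marked FAIL correspond to conditions the page states will make Azure Disk Encryption fail; WARN items are operational caveats (the lockout threshold and the Server Core component) that do not block encryption but affect recovery or prerequisites.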

Encryption key storage requirements

Azure Disk Encryption requires an Azure Key Vault to control and manage disk encryption keys and secrets. Your key vault and VMs must reside in the same Azure region and subscription.

For details, see Creating and configuring a key vault for Azure Disk Encryption.

Terminology

The following list defines some of the common terms used in Azure Disk Encryption documentation:

  • Azure Key Vault: Key Vault is a cryptographic key management service that's based on Federal Information Processing Standards (FIPS) validated hardware security modules. These standards help to safeguard your cryptographic keys and sensitive secrets. For more information, see the Azure Key Vault documentation and Creating and configuring a key vault for Azure Disk Encryption.
  • Azure CLI: The Azure CLI is optimized for managing and administering Azure resources from the command line.
  • BitLocker: BitLocker is an industry-recognized Windows volume encryption technology that's used to enable disk encryption on Windows VMs.
  • Key encryption key (KEK): The asymmetric key (RSA 2048) that you can use to protect or wrap the secret. You can provide a hardware security module (HSM)-protected key or a software-protected key. For more information, see the Azure Key Vault documentation and Creating and configuring a key vault for Azure Disk Encryption.
  • PowerShell cmdlets: For more information, see Azure PowerShell cmdlets.

FAQs

How to enable Disk Encryption in Azure VM?

On the top bar, select Additional Settings . Under Encryption settings > Disks to encrypt, select OS and data disks. Under Encryption settings, choose Select a key vault and key for encryption. On the Select key from Azure Key Vault screen, select Create New.

When you enable Azure Disk Encryption on a Windows VM, what technology does it use on the VM to encrypt the data on your VHDs?

BitLocker is an industry-recognized Windows volume encryption technology that's used to enable disk encryption on Windows VMs. The BitLocker secret is protected, or wrapped, by an asymmetric key encryption key (RSA 2048) held in Azure Key Vault.

Which of the following is required to enable Azure Disk Encryption?

Azure Disk Encryption requires an Azure Key Vault to control and manage disk encryption keys and secrets. Your key vault and VMs must reside in the same Azure region and subscription.

Is Azure Disk Encryption enabled by default?

If your organization's policy allows you to encrypt content at rest with an Azure-managed key, then no action is needed - the content is encrypted by default.

How do I enable Disk Encryption?

Turn on device encryption
  1. Sign in to Windows with an administrator account (you may have to sign out and back in to switch accounts). For more info, see Create a local or administrator account in Windows.
  2. Select Start > Settings > Privacy & security > Device encryption. ...
  3. If Device encryption is turned off, turn it On.

How do you enable encryption on an existing or running Windows VM?

Enable encryption on existing or running VMs with the Azure CLI. Use the az vm encryption enable command to enable encryption on a running IaaS virtual machine in Azure. Verify the disks are encrypted: To check on the encryption status of an IaaS VM, use the az vm encryption show command.

What are the benefits of Azure Disk Encryption?

Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. ADE encrypts the OS and data disks of Azure virtual machines (VMs) inside your VMs by using the DM-Crypt feature of Linux or the BitLocker feature of Windows.

How to check if Azure Disk Encryption is enabled?

Verify with the Azure CLI by using the az vm encryption show command. Verify with Azure PowerShell by using the Get-AzVmDiskEncryptionStatus cmdlet. Select the VM, then click on Disks under the Settings heading to verify encryption status in the portal. In the chart under Encryption, you'll see if it's enabled.
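The key vault co-location requirement in the Encryption key storage requirements section and the two FAQ answers above (enabling encryption on a running VM, then verifying it) fit naturally into one Azure PowerShell flow. The script below is an added example and not the Microsoft Docs page's own code: it reads the VM's region, creates (or validates) a key vault in that same region with disk encryption enabled, creates a key encryption key, enables Azure Disk Encryption for all volumes, and checks the result with Get-AzVMDiskEncryptionStatus. All resource names are placeholders; the 3072-bit KEK size is this example's choice, made because of the note above that Windows Server 2022 and Windows 11 do not support an RSA 2048 key, so check the FAQ on key size for your OS.

```powershell
# Added example (not from the Microsoft Docs page): Azure PowerShell (Az module)
# flow that enforces the same-region key vault requirement, enables ADE on a
# running Windows VM and verifies the encryption status.
# Assumptions: all names are placeholders; -KekSize 3072 is this example's choice.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,  # e.g. "rg-ade-demo"
    [Parameter(Mandatory)] [string] $VMName,             # e.g. "vm-win2022-01"
    [Parameter(Mandatory)] [string] $KeyVaultName,       # globally unique, e.g. "kv-ade-demo-01"
    [int] $KekSize = 3072
)

$ErrorActionPreference = "Stop"
Connect-AzAccount | Out-Null    # interactive sign-in; omit if a context already exists

# Take the region from the VM itself so the vault cannot end up elsewhere.
$vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
$location = $vm.Location

# Reuse an existing vault only if it is in the same region; otherwise create one.
$kv = Get-AzKeyVault -VaultName $KeyVaultName -ErrorAction SilentlyContinue
if ($null -eq $kv) {
    $kv = New-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName `
        -Location $location -EnabledForDiskEncryption -Sku Standard
} elseif ($kv.Location -ne $location) {
    throw "Key vault '$KeyVaultName' is in $($kv.Location) but the VM is in $location; ADE requires the same region."
} elseif (-not $kv.EnabledForDiskEncryption) {
    # The vault must be enabled for disk encryption so the platform can read the secrets.
    Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -EnabledForDiskEncryption
    $kv = Get-AzKeyVault -VaultName $KeyVaultName
}

# Key encryption key (KEK) that wraps the BitLocker secret stored in the vault.
$kek = Get-AzKeyVaultKey -VaultName $KeyVaultName -Name "ade-kek" -ErrorAction SilentlyContinue
if ($null -eq $kek) {
    $kek = Add-AzKeyVaultKey -VaultName $KeyVaultName -Name "ade-kek" -Destination Software -Size $KekSize
}

# Enable encryption of OS and data disks. The extension restarts the VM; -Force
# suppresses the confirmation prompt for unattended runs.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName -VMName $VMName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Id -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

# Verify: both properties should read "Encrypted" once the VM has restarted.
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
$status | Format-List OsVolumeEncrypted, DataVolumesEncrypted
if ($status.OsVolumeEncrypted -ne "Encrypted") {
    Write-Warning "OS volume not reported as encrypted yet; re-run Get-AzVMDiskEncryptionStatus after the restart completes."
}
```

The same verification from the Azure CLI is `az vm encryption show` with the resource group and VM name, as the FAQ answer states; the status fields it returns mirror the OsVolumeEncrypted and DataVolumesEncrypted properties checked here.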

What is the Azure policy for Disk Encryption?

Azure Disk Encryption

There is no charge for encrypting virtual disks in Azure. Cryptographic keys are stored in Azure Key Vault using software-protection, or you can import or generate your keys in Hardware Security Modules (HSMs) certified to FIPS 140 validated standards.

Which key is used during the encryption process in Azure?

The keys used for Azure Data Encryption-at-Rest, for instance, are PMKs by default. Customer-managed keys (CMK), on the other hand, are keys read, created, deleted, updated, and/or administered by one or more customers. Keys stored in a customer-owned key vault or hardware security module (HSM) are CMKs.

What do you have to enable for encryption when using cloud storage?

Cloud Storage encrypts user data at rest using AES-256, in most cases using Galois/Counter Mode (GCM). There is no setup or configuration required, no need to modify the way you access the service, and no visible performance impact.

What are the two types of keys available in encryption in Azure?

Server-side encryption
  • Service-managed keys: Provides a combination of control and convenience with low overhead.
  • Customer-managed keys: Gives you control over the keys, including Bring Your Own Keys (BYOK) support, or allows you to generate new ones.

Is Azure storage encryption enabled by default and cannot be disabled?

By default, all data stored in Azure storage accounts is encrypted at rest. This is done transparently at the storage service layer using a 256-bit AES encryption key. The service and key usage are FIPS 140-2 compliant. As per the documentation, this encryption is enabled automatically and cannot be disabled.

How does Disk Encryption work?

Full-disk encryption is the process of encoding all user data on an Android device using an encrypted key. Once a device is encrypted, all user-created data is automatically encrypted before committing it to disk and all reads automatically decrypt data before returning it to the calling process.

Which service has encryption enabled by default?

AWS services provide encryption by default to ensure security for customers' data, media files, and other sensitive data. The advanced security protocols employed by AWS help protect their customers' data from unauthorized access and virus attacks.

Are Azure VM disks encrypted?

Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. ADE encrypts the OS and data disks of Azure virtual machines (VMs) inside your VMs by using the DM-Crypt feature of Linux or the BitLocker feature of Windows.

Is it possible to enable encryption on Azure storage?

Azure Storage encryption is enabled for all storage accounts, including both Resource Manager and classic storage accounts. Azure Storage encryption cannot be disabled. Because your data is secured by default, you don't need to modify your code or applications to take advantage of Azure Storage encryption.

Can you enable BitLocker on a VM?

Microsoft does not support the use of BitLocker on the bootable partition of a virtual hard disk. But BitLocker is supported on non-bootable partitions of a virtual hard disk, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 or Windows Server 2012 R2.
