This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 53%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
I have configured Encryption (SSE with CMK) on Azure disk. Now I'm getting a Microsoft defender recommendation, saying that "Virtual machines and virtual machine scale sets should have encryption at host enabled"
How to enable encryption at host on existing vms in azure?
Is it possible to configure encryption at host on existing VMs
Yes, it is possible to enable encryption at the host on existing virtual machines (VMs) in Azure. There are a few different options for doing this, depending on your specific requirements and the resources you have available. Here are some options you can consider:
Use Azure Disk Encryption (ADE): ADE is a feature of Azure that enables you to encrypt your VM disks and the VM itself. ADE uses the BitLocker feature of Windows or the DM-Crypt feature of Linux to encrypt the disks and the VM. To use ADE, you must create a key vault and an Azure Active Directory (AAD) application. You can then use the Azure portal or Azure PowerShell to enable ADE on your VM.
Use Azure Key Vault to manage your encryption keys: If you prefer to manage your encryption keys, you can use Azure Key Vault to store and manage them. Using BitLocker or DM-Crypt, you can then use the keys stored in Key Vault to encrypt your VM disks and the VM itself.
Use third-party tools: There are also several third-party tools that you can use to encrypt your VMs in Azure. These tools may offer additional features and options for managing and securing your encryption keys.
Regardless of your choice, it is essential to carefully consider the security implications of encrypting your VMs and follow best practices for managing encryption keys.
----------
Please "Accept as Answer" and Upvote if any of the above helped so that it can help others in the community looking for remediation for similar issues.
@Ravi Kanth Koppala Thanks for your reply.
As far as I know ADE and SSE+CMK both you cannot configured together. Could you please reverify again?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 36%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
@Mahavir Saroj Yes, SSE + CMK is currently incompatible with Azure Disk Encryption (ADE).
The only option available would be to migrate from SSE+CMK to ADE or vice-versa. Hope this helps.
Please let us know if you have any more questions and we will be glad to assist you further. Thank you!
Remember:
Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Want a reminder to come back and check responses? Here is how to subscribe to a notification.
Hi,
Yes, you can enable Encryption at host for your existing VMs. They need to be Deallocated to make the change.
First you need to register the feature in your subscription if you haven't already. You can do this via Cloud Shell (PowerShell):
Register-AzProviderFeature -FeatureName "EncryptionAtHost" -ProviderNamespace "Microsoft.Compute"
After running above command, wait about 15 minutes for the feature to finish registering. Refresh the portal page.
Second, in the portal, with your VM Deallocated, navigate to the VM's Disks blade, then click Additional settings button.
Option to enable Encryption at host will be there, as shown:
Please see this article for restrictions:
Thanks.
-TP
@Mahavir Saroj Just checking if you made progress enabling encryption at host using the instructions I provided above and/or if you have any other questions.
@TV-MVP No, It's not working. I have configured my VMS disk with SSE with CMK encryption. I have checked in my lab environment. It's not allowing me to enable encryption at host
Any error message? I had a problem with an old VM whereby if I clicked Yes and clicked Save it would close the window but do nothing. For that VM I enabled Encryption at host using powershell and it worked fine.
@TP Was your Vms disk configured with SSE with CMK Encryption type?
No, the one that had portal issue wasn't CMK, it was PMK.
I created test VM with SSE with CMK to make sure nothing has changed since I last worked on this. Please see below:
Here you see test VM's disk configured with SSE with CMK:
Same VM showing Encryption at host enabled with VM running:
Hi @Mahavir Saroj Any progress or update?
Hello
It is possible to enable encryption at host on existing virtual machines (VMs) in Azure. There are several options available for doing this, depending on the type of VM and the operating system it is running.
One option is to use Azure Disk Encryption, which is a feature of Azure that enables you to encrypt the OS and data disks of your VMs using BitLocker on Windows VMs or DM-Crypt on Linux VMs. To enable Azure Disk Encryption on an existing VM, you will need to follow the steps outlined in the Azure documentation:
Make sure that the VM meets the prerequisites for Azure Disk Encryption.
Another option is to use Azure Confidential Computing, which is a feature of Azure that enables you to encrypt data in use on VMs using hardware-based trusted execution environments (TEEs). To enable Azure Confidential Computing on an existing VM, you will need to follow the steps outlined in the Azure documentation:
Good luck!