Hello Najam ul Saqib,
Greetings! Welcome to Microsoft Q&A Platform.
I understand that you enabled Encryption at Host for your existing Linux VMs. However, the issue you’re encountering with the Defender recommendation not updating could indeed be related to how Encryption at Host is applied.
From the documentation you referenced, it appears that Encryption at Host is typically enabled during the creation of a new VM. This means that enabling it on existing VMs might not fully integrate with all the necessary security checks and updates that Defender for Cloud performs.
But it is possible to enable encryption at host on existing virtual machines (VMs) in Azure. There are several options available for doing this, depending on the type of VM and the operating system it is running. One option is to use Azure Disk Encryption, which is a feature of Azure that enables you to encrypt the OS and data disks of your VMs using BitLocker on Windows VMs or DM-Crypt on Linux VMs. To enable Azure Disk Encryption on an existing VM, you will need to follow the steps outlined in the Azure documentation:
- Make sure that the VM meets the prerequisites for Azure Disk Encryption.
- Install the Azure Disk Encryption Extension on the VM.
- Create an Azure Key Vault and grant the required permissions to the VM.
- Use Azure PowerShell or Azure CLI to enable Azure Disk Encryption on the VM.
Another option is to use Azure Confidential Computing, which is a feature of Azure that enables you to encrypt data in use on VMs using hardware-based trusted execution environments (TEEs). To enable Azure Confidential Computing on an existing VM, you will need to follow the steps outlined in the Azure documentation:
- Make sure that the VM meets the prerequisites for Azure Confidential Computing.
- Install the Azure Confidential Computing Extension on the VM.
- Use Azure PowerShell or Azure CLI to enable Azure Confidential Computing on the VM.
Similar threads for reference:
- https://learn.microsoft.com/en-us/answers/questions/739983/how-to-encrypt-the-temp-disks-caches-and-data-flow
- https://learn.microsoft.com/en-us/answers/questions/843946/has-anybody-enable-azure-encryption-at-host-what-i
- https://learn.microsoft.com/en-us/answers/questions/1696674/issue-with-defender-recommendations-linux-virtual
Please consider checking the steps below to resolve the issue:
- Double-check that Encryption at Host is indeed enabled on your VMs. You can do this through the Azure portal or using Azure CLI/PowerShell commands.
- Sometimes, Defender for Cloud might need a manual trigger to re-scan and update its recommendations. You can initiate a new scan to see if the recommendation updates.
- Ensure that all your Azure resources, including Defender for Cloud, are up-to-date. Sometimes, updates can resolve such discrepancies.
- Note: Azure Disk Encryption and Encryption at Host are different features. Azure Disk Encryption uses the DM-Crypt feature of Linux to provide volume encryption, while Encryption at Host encrypts data at the host level before it is written to the disk. Encryption at Host can't be enabled on virtual machines (VMs) or virtual machine scale sets that currently have, or have ever had, Azure Disk Encryption enabled. You will need to recreate the VM in order to enable Encryption at Host. Apologies for the inconvenience with this limitation.
Hope this information helps! Please let us know if you have any further queries. I'm happy to assist you further.
Please "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
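The first troubleshooting step above (confirm that Encryption at Host is really enabled) and the note about the Azure Disk Encryption conflict can be turned into a single check over the output of `az vm show`. The script below is an added example written for this thread, not code from the answer author or from Microsoft. It parses constructed sample JSON in the shape `az vm show -g <rg> -n <vm> -o json` returns (the `securityProfile.encryptionAtHost` property and the `resources` array of installed extensions), reports whether the VM is encrypted at host, and flags VMs that carry the ADE extension, since those cannot have Encryption at Host turned on and must be recreated. The exact extension field names (`typePropertiesType`, `publisher`) are taken from Azure CLI output as I know it; verify them against your own `az vm show` output before relying on the check.

```python
"""Classify Azure VMs by their at-rest encryption state from `az vm show` JSON.

Added example for the thread above. Run in a real environment with:
    az vm show -g <resource-group> -n <vm-name> -o json > vm.json
and pass the file contents to assess_encryption(). The samples below are
constructed; names and values do not refer to any real subscription.
"""
import json

# Azure Disk Encryption extension names: AzureDiskEncryptionForLinux (Linux)
# and AzureDiskEncryption (Windows), both published by Microsoft.Azure.Security.
ADE_EXTENSION_PREFIX = "AzureDiskEncryption"
ADE_PUBLISHER = "Microsoft.Azure.Security"

# Verdicts returned by assess_encryption(); kept as constants so callers can switch on them.
VERDICT_EAH_ENABLED = "ENCRYPTION_AT_HOST_ENABLED"          # healthy; re-scan in Defender if still flagged
VERDICT_ADE_CONFLICT = "ADE_CONFLICT_RECREATE_REQUIRED"     # ADE present; EAH cannot be enabled on this VM
VERDICT_ENABLE_EAH = "ENABLE_ENCRYPTION_AT_HOST"            # neither feature present; EAH can be turned on
VERDICT_INCONSISTENT = "EAH_AND_ADE_BOTH_PRESENT"           # should not occur; investigate the VM

# Constructed sample: Linux VM with Encryption at Host enabled, no extensions.
SAMPLE_VM_EAH = json.dumps({
    "name": "linux-vm-01",
    "location": "westeurope",
    "securityProfile": {"encryptionAtHost": True},
    "resources": [],
})

# Constructed sample: Linux VM that was encrypted with Azure Disk Encryption instead.
SAMPLE_VM_ADE = json.dumps({
    "name": "linux-vm-02",
    "location": "westeurope",
    "securityProfile": None,
    "resources": [{
        "name": "AzureDiskEncryptionForLinux",
        "publisher": "Microsoft.Azure.Security",
        "typePropertiesType": "AzureDiskEncryptionForLinux",
        "typeHandlerVersion": "1.1",
    }],
})

# Constructed sample: VM with neither feature (only the Azure Monitor agent installed).
SAMPLE_VM_NONE = json.dumps({
    "name": "linux-vm-03",
    "location": "westeurope",
    "securityProfile": {"encryptionAtHost": False},
    "resources": [{
        "name": "AzureMonitorLinuxAgent",
        "publisher": "Microsoft.Azure.Monitor",
        "typePropertiesType": "AzureMonitorLinuxAgent",
    }],
})


def ade_extensions(vm: dict) -> list:
    """Return the names of Azure Disk Encryption extensions installed on the VM."""
    found = []
    for ext in vm.get("resources") or []:
        name = ext.get("name") or ""
        ext_type = ext.get("typePropertiesType") or ""
        publisher = ext.get("publisher") or ""
        if (name.startswith(ADE_EXTENSION_PREFIX)
                or ext_type.startswith(ADE_EXTENSION_PREFIX)
                or publisher == ADE_PUBLISHER):
            found.append(name)
    return found


def assess_encryption(vm_json: str) -> dict:
    """Parse `az vm show` JSON and classify the VM's encryption configuration."""
    vm = json.loads(vm_json)
    # securityProfile is null on VMs created without any security settings.
    profile = vm.get("securityProfile") or {}
    eah_enabled = bool(profile.get("encryptionAtHost"))
    ade = ade_extensions(vm)

    if eah_enabled and not ade:
        verdict = VERDICT_EAH_ENABLED
    elif ade and not eah_enabled:
        verdict = VERDICT_ADE_CONFLICT
    elif eah_enabled and ade:
        verdict = VERDICT_INCONSISTENT
    else:
        # Enabling requires the VM to be deallocated first:
        #   az vm deallocate -g <rg> -n <vm>
        #   az vm update -g <rg> -n <vm> --set securityProfile.encryptionAtHost=true
        verdict = VERDICT_ENABLE_EAH

    return {
        "vm": vm.get("name"),
        "encryption_at_host": eah_enabled,
        "ade_extensions": ade,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_VM_EAH, SAMPLE_VM_ADE, SAMPLE_VM_NONE):
        result = assess_encryption(sample)
        print(f"{result['vm']}: {result['verdict']} "
              f"(encryptionAtHost={result['encryption_at_host']}, ade={result['ade_extensions']})")
```

Running the script over a real export only tells you what the VM resource currently reports; a VM whose ADE extension was removed will show no extension but still falls under the "ever had ADE" restriction the note describes, so treat a clean result on such a VM as inconclusive and check the disks' encryption settings as well.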