How to change from VM with ADE to VM to Encryption at host?

Question

How to change from VM with ADE to VM to Encryption at host?

HandinataTanudjaja-6677 380

Hi everyone,

I would like to know the proper steps to change from VM with ADE to Encryption at host.

Thank you

HandinataTanudjaja-6677 380 Reputation points

2025-03-05T16:42:04.8433333+00:00

Hi @SUNOJ KUMAR YELURU ,

Thank you for your response.
It seems the option to detach disk is only for data disk.
What about the OS disk?

And from what I know OS disk encrypted with ADE cannot be used to Encrypted at host.
What should I do to make it work with Encrypted at host?

Thanks again
Jose Benjamin Solis Nolasco 3,431 Reputation points

2025-03-05T16:57:38.6566667+00:00
Hello,

I made this guide for you I hope you can archive what you are looking for;

links : https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell

https://www.reddit.com/r/AZURE/comments/1ci7by7/windows_virtual_machines_should_enable_azure_disk/

Ensure Pre‑Requisites and Check Support

Before you proceed, verify the following:

Supported VM Size & Region: Not every VM size supports Encryption at host. Check the Azure documentation for the latest list of supported sizes and regions.

Permissions: You must have sufficient permissions (typically the Contributor role or higher on both the VM and its disk resources) to make encryption changes.

Backup: Backup your VM data or create a snapshot of the disks just in case you need to revert to your previous state.

Remove Azure Disk Encryption (ADE)

Encryption at host cannot be enabled while the disks are encrypted with ADE. Therefore, you must first decrypt the VM’s OS and data disks.

Steps to Remove ADE:

Identify the Encryption Status:

In the Azure Portal, navigate to your VM and check its “Disks” blade (or the “Encryption” section if available) to confirm that ADE is enabled.

Run the Decryption Process:

**Using PowerShell:** If you set up ADE using PowerShell (such as with the `Set-AzVMDiskEncryptionExtension` cmdlet), you now need to disable it. For example: powershell ```powershell Disable-AzVMDiskEncryption `

-ResourceGroupName <YourResourceGroup> ` -VMName <YourVMName> ```

Monitor the progress. (Depending on your configuration, the command might vary. Microsoft’s documentation on removing Azure Disk Encryption can be a useful guide.) **Using the Azure CLI:** Similarly, if you use CLI, there’s a command to disable disk encryption (check the current CLI reference as the procedures may evolve). **Wait for Complete Decryption:** This operation can take some time. Verify in the portal that your disks are now in an unencrypted state. Confirm that any ADE-related extensions have been removed.

Enable Encryption at Host

With your VM’s disks now decrypted and free of ADE, you can enable Encryption at host. This property is configured at the VM level.

Two Approaches:

A. Live Update (If Supported)

If your VM supports an in-place update, you might be able to update its encryption configuration by modifying its properties.

Stop the VM (If Required): Sometimes a stop–deallocate–start cycle is necessary to register configuration changes.

Update the VM Configuration:

Using Azure CLI: You can update the VM’s encryption profile by running a command like:

bash

az vm update \ --resource-group <YourResourceGroup> \ --name <YourVMName> \ --set encryptionProfile.encryptionAtHost=true

This command sets the property that tells Azure to enable host-level encryption.

Verify the Change:

Once updated, check the VM’s properties in the Azure Portal. The “Encryption at host” property should now indicate that it is enabled.

B. Redeploy the VM (If Live Update Isn’t Available)

Some VM configurations may require a rebuild:

Detach the Disks:

If necessary, detach the OS and data disks after decryption.

Create a New VM with Encryption at Host Enabled:

Using an ARM template, the Azure CLI, or the Azure Portal, create a new VM.

When configuring the new VM, set the “Encryption at host” property to true. For example, in an ARM template the property might be under the VM’s "securityProfile": { "encryptionAtHost": true }.

Attach the Existing Disks:

Reattach your previously decrypted OS and/or data disks to this new VM.

Test the New Deployment:

Once the new VM is up and running, verify that everything is working as expected and that the encryption at host property is applied.

Ensure Pre‑Requisites and Check Support

Before you proceed, verify the following:

Supported VM Size & Region: Not every VM size supports Encryption at host. Check the Azure documentation for the latest list of supported sizes and regions.

Permissions: You must have sufficient permissions (typically the Contributor role or higher on both the VM and its disk resources) to make encryption changes.

Backup: Backup your VM data or create a snapshot of the disks just in case you need to revert to your previous state.

Remove Azure Disk Encryption (ADE)

Encryption at host cannot be enabled while the disks are encrypted with ADE. Therefore, you must first decrypt the VM’s OS and data disks. Steps to Remove ADE:

Identify the Encryption Status:

In the Azure Portal, navigate to your VM and check its “Disks” blade (or the “Encryption” section if available) to confirm that ADE is enabled.

Run the Decryption Process:

Using PowerShell: If you set up ADE using PowerShell (such as with the Set-AzVMDiskEncryptionExtension cmdlet), you now need to disable it. For example: powershell
Disable-AzVMDiskEncryption `

-ResourceGroupName <YourResourceGroup> ` -VMName <YourVMName> ```

Monitor the progress. (Depending on your configuration, the command might vary. Microsoft’s documentation on removing Azure Disk Encryption can be a useful guide.) - **Using the Azure CLI:** Similarly, if you use CLI, there’s a command to disable disk encryption (check the current CLI reference as the procedures may evolve). 1. **Wait for Complete Decryption:** - This operation can take some time. Verify in the portal that your disks are now in an unencrypted state. - Confirm that any ADE-related extensions have been removed. 3. Enable Encryption at Host With your VM’s disks now decrypted and free of ADE, you can enable Encryption at host. This property is configured at the VM level. **Two Approaches:** **A. Live Update (If Supported)** If your VM supports an in-place update, you might be able to update its encryption configuration by modifying its properties. 1. **Stop the VM (If Required):** Sometimes a stop–deallocate–start cycle is necessary to register configuration changes. 1. **Update the VM Configuration:** - **Using Azure CLI:** You can update the VM’s encryption profile by running a command like: bash ```dockerfile az vm update \

--resource-group <YourResourceGroup>
--name <YourVMName>
--set encryptionProfile.encryptionAtHost=true ```

This command sets the property that tells Azure to enable host-level encryption. 1. **Verify the Change:** - Once updated, check the VM’s properties in the Azure Portal. The “Encryption at host” property should now indicate that it is enabled. **B. Redeploy the VM (If Live Update Isn’t Available)** Some VM configurations may require a rebuild: 1. **Detach the Disks:** - If necessary, detach the OS and data disks after decryption. 1. **Create a New VM with Encryption at Host Enabled:** - Using an ARM template, the Azure CLI, or the Azure Portal, create a new VM. - When configuring the new VM, set the “Encryption at host” property to true. For example, in an ARM template the property might be under the VM’s `"securityProfile": { "encryptionAtHost": true }`. 1. **Attach the Existing Disks:** - Reattach your previously decrypted OS and/or data disks to this new VM. 1. **Test the New Deployment:** - Once the new VM is up and running, verify that everything is working as expected and that the encryption at host property is applied.

If the Answer is helpful, please click Accept Answer and Up-Vote, so that it can help others in the community looking for help on similar topics.
Jose Benjamin Solis Nolasco 3,431 Reputation points

2025-03-05T16:58:39.95+00:00

If you have any further queries, please let us know we are glad to help you.
HandinataTanudjaja-6677 380 Reputation points

2025-03-05T22:56:33.2466667+00:00
Thank you very much Jose!
You're stirring me into the right path however I have a different requirement that I will need to solve.

So we have an existing VM with ADE enabled.
We don't want to change the existing VM but we want to be able to use a backup of the disk to a new VM with Encrypted At Host (EAH) enabled.

The steps I did to do this are the following:

Create a snapshot of the disk from the existing VM that has ADE enabled.

Create a new disk based on the snapshot.

Swap the OS disk in the existing VM with the new disk to verify that ADE is still enabled.

Disable the new disk ADE using the Powershell command "Disable-AzVMDiskEncryption" and ensuring the VolumeType parameter value is "all"

Confirmed the new disk ADE is now disabled.

Create a new VM instance with EAH enabled.

Swap OS disk of the new VM instance with the new disk that I had the ADE is disabled. This last step is unable to be completed.
I received the following error when I tried to swap the OS disk: "**Disk security type is not compatible with VM security type"
**
I am not sure why I would get this error. I thought that by disabling the ADE of the new backup this, I would be able to use it a VM instance that has EAH enabled.

Thoughts?
Thank you
SUNOJ KUMAR YELURU 15,256 Reputation points MVP Volunteer Moderator

2025-03-06T06:26:21.3866667+00:00

Hello @Handinata Tanudjaja,

Try this, If it is OS disk take disk snapshot, create new disk from snapshot and attach to new VM.
Anusree Nashetty 4,380 Reputation points Microsoft External Staff Moderator

2025-03-06T07:12:26.3666667+00:00

Hi Handinata Tanudjaja,

Please try this and let us know. Create a Snapshot from the Existing ADE-Enabled Disk. Create a New Disk from the Snapshot with SecurityType TrustedLaunch. Then, deploy a New TrustedLaunch (EAH-Enabled) VM and make sure the new VM has TrustedLaunch enabled. Attach the New Disk as the OS Disk for the TrustedLaunch VM

Thank you.
TP 124.7K Reputation points Volunteer Moderator

2025-03-06T09:30:00.36+00:00
Hi,

Azure Disk Encryption has restrictions. One of them is you can't go from ADE to Encryption at Host or SSE if the disk has ever been encrypted with ADE. Please see excerpts below:

Excerpt from Windows ADE Restrictions:

Azure Disk Encryption does not work for the following scenarios, features, and technology:

Migrating a VM that is encrypted with ADE, or has ever been encrypted with ADE, to Encryption at Host or server-side encryption with customer-managed keys.

Excerpt from Linux ADE Restrictions:

Azure Disk Encryption does not work for the following Linux scenarios, features, and technology:

Migrating a VM that is encrypted with ADE, or has ever been encrypted with ADE, to Encryption at Host or server-side encryption with customer-managed keys.

Workaround/Solution

Basic steps that I have actually used successfully in the past to convert from ADE to EAH/SSE below. It is likely there are fine details that I will forget to mention.

Create snapshot of source OS disk while its VM is Deallocated

Create new temp VM from snapshot

Disable ADE on new temp VM, wait until all volumes are Fully Decrypted. At bare minimum this will take minutes. You can verify inside of Windows VM using manage-bde -status . Check that all volumes show Fully Decrypted

Deallocate new temp VM

Navigate to the new temp VM's OS disk -- Settings -- Disk Export blade, Generate URLs, Download VHD file. To save time you could download this to an Azure VM in same zone/vnet.

Use azcopy to upload vhd to storage account in same region and resource group

Create new disk, for source choose storage blob, select the vhd file you just uploaded, choose OS type, choose Security type, VM generation, disk size/type to match whatever original VM was, leave VM guest state blob blank

Navigate to the managed disk you just created, click Create VM, fill out various settings as required, including selecting Encryption at host on Disks tab

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP
HandinataTanudjaja-6677 380 Reputation points

2025-03-06T21:24:18.6466667+00:00

Thank you TP but I was able to resolve my issue with a different approach.
Thanks you for your input though!

3 answers

Your answer

HandinataTanudjaja-6677 380 Reputation points

2025-03-05T16:42:04.8433333+00:00

Hi @SUNOJ KUMAR YELURU ,

Thank you for your response.
It seems the option to detach disk is only for data disk.
What about the OS disk?

And from what I know OS disk encrypted with ADE cannot be used to Encrypted at host.
What should I do to make it work with Encrypted at host?

Thanks again
Jose Benjamin Solis Nolasco 3,431 Reputation points

2025-03-05T16:58:39.95+00:00

If you have any further queries, please let us know we are glad to help you.
HandinataTanudjaja-6677 380 Reputation points

2025-03-05T22:56:33.2466667+00:00

Thank you very much Jose!
You're stirring me into the right path however I have a different requirement that I will need to solve.

So we have an existing VM with ADE enabled.
We don't want to change the existing VM but we want to be able to use a backup of the disk to a new VM with Encrypted At Host (EAH) enabled.

The steps I did to do this are the following:

Create a snapshot of the disk from the existing VM that has ADE enabled.

Create a new disk based on the snapshot.

Swap the OS disk in the existing VM with the new disk to verify that ADE is still enabled.

Disable the new disk ADE using the Powershell command "Disable-AzVMDiskEncryption" and ensuring the VolumeType parameter value is "all"

Confirmed the new disk ADE is now disabled.

Create a new VM instance with EAH enabled.

Swap OS disk of the new VM instance with the new disk that I had the ADE is disabled. This last step is unable to be completed.
I received the following error when I tried to swap the OS disk: "**Disk security type is not compatible with VM security type"
**
I am not sure why I would get this error. I thought that by disabling the ADE of the new backup this, I would be able to use it a VM instance that has EAH enabled.

Thoughts?
Thank you
SUNOJ KUMAR YELURU 15,256 Reputation points MVP Volunteer Moderator

2025-03-06T06:26:21.3866667+00:00

Hello @Handinata Tanudjaja,

Try this, If it is OS disk take disk snapshot, create new disk from snapshot and attach to new VM.
Anusree Nashetty 4,380 Reputation points Microsoft External Staff Moderator

2025-03-06T07:12:26.3666667+00:00

Hi Handinata Tanudjaja,

Please try this and let us know. Create a Snapshot from the Existing ADE-Enabled Disk. Create a New Disk from the Snapshot with SecurityType TrustedLaunch. Then, deploy a New TrustedLaunch (EAH-Enabled) VM and make sure the new VM has TrustedLaunch enabled. Attach the New Disk as the OS Disk for the TrustedLaunch VM

Thank you.
HandinataTanudjaja-6677 380 Reputation points

2025-03-06T21:24:18.6466667+00:00

Thank you TP but I was able to resolve my issue with a different approach.
Thanks you for your input though!

Answer 1

HandinataTanudjaja-6677 380

Hi Anashetty,

Your suggestion wasn't the solution but it did stir me to the right direction, thank you!
I found out the issue that caused "Disk security type is not compatible with VM security type" message.
In order for the OS disk swap to work, I will need to make sure the new VM instance has the same "Security Type" as the old VM that I removed ADE from.
Original VM is in Standard Security Type so I had to make the new VM instance to be in Standard Security Type (it was defaulted "TrustedLaunch").

Mystery solved!

Anusree Nashetty 4,380 Reputation points Microsoft External Staff Moderator

2025-03-07T01:36:29.6233333+00:00

Hi Handinata Tanudjaja,

Good catch! Glad the issue is resolved for you finally. I will have this answer promoted by reposting it. As an Original Poster(You) will not be able to accept your own answer. This is in the attempt to help others looking for a solution for a similar issue.

Thanks again for sharing the solution here. Have a good day!

Answer 2

Hi Handinata Tanudjaja,

As the original poster cannot accept their own answer, I am reposting it if you would like to Upvote and Accept answer for the benefit of community who faces the same issue can easily find the solution.

Issue:

we have an existing VM with ADE enabled. We don't want to change the existing VM but we want to be able to use a backup of the disk to a new VM with Encrypted At Host (EAH) enabled.

I received the following error when I tried to swap the OS disk: "**Disk security type is not compatible with VM security type" ** I am not sure why I would get this error. I thought that by disabling the ADE of the new backup this, I would be able to use it a VM instance that has EAH enabled.

Solution:

I found out the issue that caused "Disk security type is not compatible with VM security type" message. In order for the OS disk swap to work, I will need to make sure the new VM instance has the same "Security Type" as the old VM that I removed ADE from. Original VM is in Standard Security Type, so I had to make the new VM instance to be in Standard Security Type (it was defaulted "TrustedLaunch").

Mystery solved!

Thank you again for your time and patience throughout this issue. Please remember to "Upvote" and "Accept Answer", so that others in the community facing similar issues can easily find the solution.

Thank you.

User's image

Anusree Nashetty 4,380 Reputation points Microsoft External Staff Moderator

2025-03-28T06:32:55.7833333+00:00

Hi Handinata Tanudjaja,

I have reposted your solution as Answer, could you please Accept Answer on it, as original poster cannot accept their own Answer. For the Accepted Answer it will be highlighted and will be helpful to community who faces the similar issue.

Thank you.

Answer 3

Hello @HandinataTanudjaja-6677

To convert an Azure VM with Azure Disk Encryption (ADE) to using "Encryption at Host," you need to first detach the existing encrypted disks from the VM, then create a new VM with the "Encryption at Host" option enabled, and finally attach the previously detached encrypted disks to the new VM; essentially, you're creating a new VM with the desired encryption method and migrating the existing disks to it, as you cannot directly change an existing VM's encryption method from ADE to Encryption at Host.

Key steps:

Access Azure Portal:

Log in to the Azure portal and navigate to your virtual machine.

Detach Disks:
- Go to the VM's "Disks" section.
  - Select each disk you want to migrate and choose the option to "Detach".
  - Create New VM with Encryption at Host:
    - Initiate the creation of a new virtual machine.
      - When configuring the disks, select "Encryption at Host" under the encryption settings.
        
        Choose the appropriate key management option (customer-managed keys or platform-managed keys).
        
        Attach Detached Disks:
        
        Once the new VM is deployed, navigate to its "Disks" section.
        
        Select "Attach existing disk" and choose the previously detached encrypted disks.

Important Considerations:

Data Migration: If you have sensitive data on the existing disks, ensure you have a proper backup strategy before detaching and migrating them.
VM Downtime: Converting to "Encryption at Host" will require a VM restart, resulting in temporary downtime.
Key Management: Be mindful of the key management strategy you choose when enabling "Encryption at Host". To convert an Azure VM with Azure Disk Encryption (ADE) to using "Encryption at Host," you need to first detach the existing encrypted disks from the VM, then create a new VM with the "Encryption at Host" option enabled, and finally attach the previously detached encrypted disks to the new VM; essentially, you're creating a new VM with the desired encryption method and migrating the existing disks to it, as you cannot directly change an existing VM's encryption method from ADE to Encryption at Host. Key steps:
- Access Azure Portal: Log in to the Azure portal and navigate to your virtual machine.
- Detach Disks:
  - Go to the VM's "Disks" section.
  - Select each disk you want to migrate and choose the option to "Detach".
- Create New VM with Encryption at Host:
  - Initiate the creation of a new virtual machine.
  - When configuring the disks, select "Encryption at Host" under the encryption settings.
  - Choose the appropriate key management option (customer-managed keys or platform-managed keys).
- Attach Detached Disks:
  - Once the new VM is deployed, navigate to its "Disks" section.
  - Select "Attach existing disk" and choose the previously detached encrypted disks.
Important Considerations:
- Data Migration: If you have sensitive data on the existing disks, ensure you have a proper backup strategy before detaching and migrating them.
- VM Downtime: Converting to "Encryption at Host" will require a VM restart, resulting in temporary downtime.
- Key Management: Be mindful of the key management strategy you choose when enabling "Encryption at Host".

If the Answer is helpful, please click Accept Answer and Up-Vote, so that it can help others in the community looking for help on similar topics.

Share via

How to change from VM with ADE to VM to Encryption at host?

3 answers

Your answer