
EncryptionAtHost is enabled so why are the Advisor Recommendations saying it isn't?

Thomas Leland 41 Reputation points
2025-03-07T20:31:40.14+00:00

I properly registered EncryptionAtHost to our subscription, which took a few minutes. I then created a VM with EncryptionAtHost enabled during the creation process. It has been over 3 weeks and the Advisor is still showing the following recommendation: "Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost." How can I be certain that EncryptionAtHost is working properly if I am still seeing this Advisor recommendation?

Azure Advisor

An Azure personalized recommendation engine that helps users follow best practices to optimize Azure deployments.

Answer accepted by question author
  1. Naveena Patlolla 8,520 Reputation points Microsoft External Staff Moderator
    2025-03-07T23:13:38.4533333+00:00

    Hi Thomas Leland,
    Azure Advisor is recommending "Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost."

    You have already enabled EncryptionAtHost; it is just recommending Azure Disk Encryption.

    Navigate to the VM → under Disks, go to Additional settings → under Encryption settings, check whether "Disks to encrypt" is set to None.

    If it is set to None, then Azure Advisor recommends Azure Disk Encryption.

    Azure Disk Encryption (ADE) vs. Encryption at Host (EAH): both are encryption mechanisms in Azure, but they differ in implementation, scope, and use cases.

    Azure Disk Encryption (ADE): encrypts OS and data disks using BitLocker (Windows) or dm-crypt (Linux).

    Encryption at Host (EAH): encrypts temporary disks, OS disks, and data disks at the host level.

    Please follow the steps below to verify that Encryption at Host is enabled:

    Navigate to the VM → under Disks, go to Additional settings → check whether Encryption at host is enabled.

    Please do not forget to "Accept the answer" and "upvote it" wherever the information provided helps you; this can be beneficial to other community members. It would be greatly appreciated and helpful to others.

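The same verification from the command line, as an added example that is not part of the original answer: it reads the subscription-level EncryptionAtHost feature flag, the VM's securityProfile.encryptionAtHost property, the Azure Disk Encryption status, and each managed disk's encryption type separately, because these are independent settings and the portal pages above show them in different places. It assumes the Az PowerShell modules (Az.Resources, Az.Compute) are installed and you have signed in with Connect-AzAccount; $ResourceGroup and $VmName are placeholders for your own VM.

```powershell
# Added example (not from the original post): verify Encryption at Host and
# Azure Disk Encryption (ADE) status for one VM with Az PowerShell.
# Assumes Az.Resources and Az.Compute are installed and Connect-AzAccount has run.
param(
    [Parameter(Mandatory)] [string] $ResourceGroup,   # placeholder: your VM's resource group
    [Parameter(Mandatory)] [string] $VmName           # placeholder: your VM's name
)

# 1. The subscription-level feature flag must be 'Registered' before a VM can be
#    created (or updated) with encryptionAtHost = true.
$feature = Get-AzProviderFeature -ProviderNamespace 'Microsoft.Compute' -FeatureName 'EncryptionAtHost'
"EncryptionAtHost feature registration: $($feature.RegistrationState)"

# 2. Encryption at Host is a property of the VM (securityProfile.encryptionAtHost),
#    not of the disks. $true means the temp disk and the OS/data disk caches are
#    encrypted on the host with the disk's configured key.
$vm  = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
$eah = [bool]$vm.SecurityProfile.EncryptionAtHost
"VM '$VmName' encryptionAtHost: $eah"

# 3. ADE is a separate, guest-side mechanism (BitLocker / dm-crypt). This is what
#    the portal's 'Disks to encrypt' setting controls; 'None' there means ADE is
#    not enabled, regardless of the Encryption at Host flag above.
$ade = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroup -VMName $VmName
"ADE OS volume encrypted:    $($ade.OsVolumeEncrypted)"
"ADE data volumes encrypted: $($ade.DataVolumesEncrypted)"

# 4. Each managed disk also has its own server-side encryption type (platform key,
#    customer-managed key, or double encryption). Encryption at Host does not
#    change this setting. The resource group is taken from each disk's resource ID,
#    because data disks can live in a different resource group than the VM.
$diskIds = @($vm.StorageProfile.OsDisk.ManagedDisk.Id) +
           @($vm.StorageProfile.DataDisks | ForEach-Object { $_.ManagedDisk.Id })
foreach ($id in ($diskIds | Where-Object { $_ })) {
    $parts = $id -split '/'          # /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/disks/<name>
    $disk  = Get-AzDisk -ResourceGroupName $parts[4] -DiskName $parts[-1]
    "Disk '$($disk.Name)' encryption type: $($disk.Encryption.Type)"
}

if ($feature.RegistrationState -ne 'Registered') {
    Write-Warning 'The EncryptionAtHost feature is not registered in this subscription.'
}
if (-not $eah) {
    Write-Warning 'encryptionAtHost is not set on this VM; it can only be changed while the VM is deallocated.'
}
```

Run it as `.\Check-VmEncryption.ps1 -ResourceGroup rg-prod -VmName vm01` (file name is your choice). The point of printing the three results side by side is that Advisor's wording lumps two mechanisms together: a VM can show `encryptionAtHost: True` while `Get-AzVMDiskEncryptionStatus` reports both volumes as `NotEncrypted`, and that combination is a valid, supported configuration.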

1 additional answer

  1. Saiprakash Reddy Pathepuram 0 Reputation points
    2025-07-29T14:13:16.2533333+00:00

    Hi @Thomas Leland,

    One of the reasons you may still see the recommendation "Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost" after enabling encryption at host under VM settings lies in the description of that recommendation.

    This policy will not even be evaluated if you haven't installed the guest configuration extension in your virtual machine, and it could show up as a recommendation even if you have enabled encryption at host.

    Guest configuration allows Azure to audit the configuration of your virtual machine's operating system (for example, whether your VM's OS disk is encrypted or not). Azure can evaluate your VM's control-plane configuration, but you need guest configuration to evaluate OS-level configuration.

    Follow the steps below to install guest OS configuration:

    1. Make sure you register the resource provider in the subscription where your VM resides.
    2. Make sure to turn on the system-assigned managed identity for your virtual machine.
    3. Make sure to install the Azure Machine Configuration extension for Windows/Linux (guest configuration).

    Once installation is complete, the recommendation should automatically disappear after the next refresh interval.

    Please upvote this answer if you found it helpful!

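The three steps in this answer as one Az PowerShell script, added here as an example and not part of the original answer. It registers the Microsoft.GuestConfiguration provider, enables the system-assigned managed identity, installs the Machine Configuration extension for the VM's OS, and then checks the extension's provisioning state and lists any non-compliant policy states for the VM. It assumes the Az.Resources, Az.Compute and Az.PolicyInsights modules are installed and you have signed in with Connect-AzAccount; $ResourceGroup and $VmName are placeholders, and the extension names and types are the ones Microsoft's documentation uses for the machine configuration extension.

```powershell
# Added example (not from the original post): enable guest/machine configuration
# on an existing VM so that OS-level policies such as the disk-encryption one
# can actually be evaluated. Assumes Az.Resources, Az.Compute, Az.PolicyInsights
# and a signed-in session (Connect-AzAccount).
param(
    [Parameter(Mandatory)] [string] $ResourceGroup,   # placeholder
    [Parameter(Mandatory)] [string] $VmName           # placeholder
)

$vm        = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
$isWindows = $vm.StorageProfile.OsDisk.OsType -eq 'Windows'

# Step 1: register the resource provider in the VM's subscription (idempotent;
# registration can take a few minutes to show as 'Registered').
Register-AzResourceProvider -ProviderNamespace 'Microsoft.GuestConfiguration' | Out-Null
$rp = Get-AzResourceProvider -ProviderNamespace 'Microsoft.GuestConfiguration'
"Microsoft.GuestConfiguration: $(($rp | Select-Object -First 1).RegistrationState)"

# Step 2: the extension authenticates to the machine configuration service with
# the VM's system-assigned managed identity, so enable it if it is missing.
if ("$($vm.Identity.Type)" -notmatch 'SystemAssigned') {
    Update-AzVM -ResourceGroupName $ResourceGroup -VM $vm -IdentityType SystemAssigned | Out-Null
    $vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
}
"Managed identity type: $($vm.Identity.Type)"

# Step 3: install the Machine Configuration extension. The extension type differs
# by OS; the names below are the ones used in Microsoft's extension documentation.
$ext = if ($isWindows) {
    @{ Name = 'AzurePolicyforWindows'; Type = 'ConfigurationforWindows' }
} else {
    @{ Name = 'AzurePolicyforLinux';   Type = 'ConfigurationforLinux' }
}
Set-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName -Location $vm.Location `
    -Name $ext.Name -Publisher 'Microsoft.GuestConfiguration' -ExtensionType $ext.Type `
    -TypeHandlerVersion '1.0' -EnableAutomaticUpgrade $true | Out-Null

# Verify: the extension must reach ProvisioningState 'Succeeded' before the guest
# side of any policy can be evaluated.
$installed = Get-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName -Name $ext.Name
"Extension $($installed.Name): $($installed.ProvisioningState)"
if ($installed.ProvisioningState -ne 'Succeeded') {
    Write-Warning 'Extension is not provisioned yet; re-run the check before expecting policy results.'
}

# Optional: list policy states still non-compliant for this VM. Policy and Advisor
# evaluations are periodic, so a recommendation can linger after the fix.
Get-AzPolicyState -ResourceId $vm.Id -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object PolicyDefinitionName, PolicyAssignmentName, ComplianceState, Timestamp
```

The order matters: if the extension is installed before the managed identity exists, it will not be able to report results to the service, and the policy stays unevaluated. `Get-AzPolicyState` shows policy definition GUIDs rather than display names; the disk-encryption recommendation disappearing from that list after the next evaluation cycle is the confirmation that the guest-side check is now running.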
