This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 66%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EF%3C/text%3E%3C/svg%3E)
So, I've received an email from Microsoft about the retirement of ADE in Azure and that VMs need to be migrated over to Encryption at host. The deadline is September 2028 so there's plenty of time but from what I've read, this isn't going to be easy and I imagine we're going to have issues moving forward.
The process requires us to remove our servers from the domain before following the steps, my first issue is that we have many 70+ VMs including domain controllers and removing each one, and then adding again feels like it's going to cause many issues, the second is that when the deadline is reached, any server trying to boot from a disk or access a disk that was protected by ADE will no longer be able to access the key vault to unlock the disks for data access.
Surely this will affect any backupsthat we have in Azure previous to switching to encryption at host. Causing issues with restores and accessing data.
Any guidance on this would by much appreciated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 96%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAY%3C/text%3E%3C/svg%3E)
Hello @Freestone ,
--encryption-at-host true and domain join.
Thanks for your comments, on point 2, if we restore from a backup, say 3 years ago, the disks were encrypted using ADE. If Microsoft are saying we no longer have access to the key vaults, how do we decrypt a backup. We can't just restore an old backup, decrypt it and then back it up again, we won't know what backup we will need until it's needed. The costs would be ridiculous, what about scenarios where we cannot delete backups because they're protected using immutability...
on point 2, if we restore from a backup, say 3 years ago, the disks were encrypted using ADE. If Microsoft are saying we no longer have access to the key vaults, how do we decrypt a backup.
ADE relies on BitLocker keys stored in Azure Key Vault. After September 2028, Microsoft will stop supporting ADE, meaning the VM agent and Key Vault integration used to unlock disks will no longer function. If you try to restore a backup from 3 years ago (or any point before migration), the restored VM will still expect ADE and Key Vault access. Without that, the OS disk and data disks remain encrypted and inaccessible.
What can be done as workaround: -
Before ADE retirement, you can export and securely store keys from Key Vault for all ADE-encrypted VMs. This is the only way to manually decrypt old disks later. Manual decryption would require you to have exported and securely stored the BitLocker/Keyvault encrypted keys before retirement. Without those, the disk is effectively locked forever.
We can't just restore an old backup, decrypt it and then back it up again, we won't know what backup we will need until it's needed. The costs would be ridiculous,
For backups with large retention (e.g., over 5+ years), restore them while ADE is still supported, decrypt, and re-backup under Encryption at Host or SSE with CMK.
Yes, I do agree with you that this has cost implications, but right now, it’s the only guaranteed way to ensure future recoverability.
what about scenarios where we cannot delete backups because they're protected using immutability.
If immutability is preventing deletion today, it is important to be aware that the backup may remain permanently inaccessible after 2028 unless you maintain the required encryption keys or migrate away from ADE before retirement. We strongly recommend sharing this information with your internal teams so they can assess the risk and are aware of the change.
Hello @Freestone ,
Just wanted to check if you’ve had a chance to review my previous response.
Let me know if it helped clear up your questions about ADE migration.
Hello @Freestone ,
Since the issue has been resolved, Please take a moment to "Accept Answer" and upvote it 👍 to make it helpful to the community.
Thank you for helping to improve Microsoft Q&A!