
Disabling Azure Disk Encryption - removing the Unified Data Encryption flag

Craig 41 Reputation points Microsoft Employee
2026-02-27T22:44:53.0366667+00:00

The docs say it is not possible to switch from Azure Disk Encryption to Encryption at Host without creating a new VM and new disks.

There appears to be a way to remove the Unified Data Encryption flag on the disks that were formerly encrypted by Azure Disk Encryption.

Question: what are the consequences of removing the UDE? The goal is to move from ADE to Encryption at Host.

```powershell
# Disable the encryption setting for the disk
Update-AzDisk -ResourceGroupName TheDiskResourceGroup -DiskName SomeEncryptedDiskName -DiskUpdate (
    New-AzDiskUpdateConfig -EncryptionSettingsEnabled $false
)
```
Azure Disk Encryption

An Azure service for virtual machines (VMs) that helps address organizational security and compliance requirements by encrypting the VM boot and data disks with keys and policies that are controlled in Azure Key Vault.


Answer accepted by question author
  1. Manish Deshpande 4,225 Reputation points Microsoft External Staff Moderator
    2026-02-28T00:10:14.25+00:00

    Hello @Anonymous

    Removing the Unified Data Encryption (UDE) flag from disks encrypted with Azure Disk Encryption (ADE) is not supported for migration to Encryption at Host. This does not make the disk compatible and may cause unsupported setups and risks.

    Microsoft does not support an in‑place conversion from Azure Disk Encryption (ADE) to Encryption at Host. This applies even if ADE is disabled and the disk appears decrypted.

    https://docs.azure.cn/en-us/virtual-machines/disk-encryption-migrate?tabs=CLI%2CCLI2%2CCLI3%2CCLI4%2CCLI5%2CCLI-cleanup#migration-limitations-and-considerations

    Disks that were ever encrypted with ADE retain UDE metadata, and:

    • This metadata persists even after decryption
    • Snapshots and disk copies retain the UDE flag
    • Disks with UDE cannot be used to enable Encryption at Host

    This behavior is by design.

    Consequences of manually removing the UDE flag:
    Removing the UDE flag using unsupported methods (for example, directly updating disk encryption settings) can result in:

    • A configuration that is not supported by Microsoft
    • Failure when enabling Encryption at Host
    • Operational risk during VM restarts, disk attachment, or future platform updates
    • Potential issues during support escalation, as the state is outside documented scenarios

    For these reasons, Microsoft strongly recommends not attempting to remove UDE to bypass migration requirements.

    Possible action:

    The only supported method to move from ADE to Encryption at Host is to create new disks and a new VM with Encryption at Host enabled.

    High‑level supported approach:

    1. Back up all data from the existing VM.
    2. Create new managed disks that do not carry ADE/UDE metadata (using the upload method or fresh disk creation).
    3. Deploy a new VM with Encryption at Host enabled.
    4. Attach the new disks and restore application/data as required.
    5. Decommission the old ADE‑encrypted VM and disks once validation is complete.

    This ensures the VM is fully compliant, supported, and future‑proof.

    Encryption at Host provides:

    • End‑to‑end encryption for OS, data, temp disks, and disk caches
    • No dependency on in‑guest encryption extensions
    • Lower operational complexity compared to ADE

    Microsoft also recommends Encryption at Host for all new VM deployments, as Azure Disk Encryption is scheduled for retirement on September 15, 2028.

    Thanks,
    Manish.

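The supported path in the answer above (new VM, new disks, Encryption at Host set at creation, then verify), written out in Az PowerShell as an added example. This is not code from the answer or from Microsoft documentation; the resource group, location, VM size, image, subnet ID and disk names are placeholders, and it never touches the old ADE-encrypted VM or its disks.

```powershell
# Added example: move from ADE to Encryption at Host by building a NEW VM with NEW disks.
# All names below are placeholders (assumptions), not values from the original question.
$rg       = 'rg-eah-demo'      # assumption: an existing resource group
$location = 'eastus'
$vmName   = 'vm-eah-new'
$vmSize   = 'Standard_D2s_v3'  # assumption: a size that supports Encryption at Host
$subnetId = '/subscriptions/<sub>/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet/subnets/default'  # assumption
$cred     = Get-Credential -Message 'Local administrator for the new VM'

# Older subscriptions needed the EncryptionAtHost feature registered; check rather than assume.
$feature = Get-AzProviderFeature -FeatureName 'EncryptionAtHost' -ProviderNamespace 'Microsoft.Compute'
if ($feature.RegistrationState -ne 'Registered') {
    Write-Warning "EncryptionAtHost feature state is '$($feature.RegistrationState)'; register it before continuing."
}

# 1. A NIC for the new VM.
$nic = New-AzNetworkInterface -Name "$vmName-nic" -ResourceGroupName $rg -Location $location -SubnetId $subnetId

# 2. VM config with Encryption at Host set at creation time.
#    The flag lives in the VM's securityProfile, not on the disk resource.
$vmConfig = New-AzVMConfig -VMName $vmName -VMSize $vmSize -EncryptionAtHost |
    Set-AzVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred |
    Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' -Skus '2022-datacenter-azure-edition' -Version 'latest' |
    Set-AzVMOSDisk -Name "$vmName-osdisk" -CreateOption FromImage -StorageAccountType 'Premium_LRS' |
    Add-AzVMNetworkInterface -Id $nic.Id

# 3. A brand-new empty data disk: it has never carried ADE encryption settings.
$dataDiskName = "$vmName-data0"
$dataDiskCfg  = New-AzDiskConfig -Location $location -CreateOption Empty -DiskSizeGB 128 -SkuName 'Premium_LRS'
$dataDisk     = New-AzDisk -ResourceGroupName $rg -DiskName $dataDiskName -Disk $dataDiskCfg
$vmConfig     = Add-AzVMDataDisk -VM $vmConfig -Name $dataDiskName -CreateOption Attach -ManagedDiskId $dataDisk.Id -Lun 0

New-AzVM -ResourceGroupName $rg -Location $location -VM $vmConfig

# 4. Verify before trusting it: Encryption at Host is on, and neither new disk carries
#    ADE encryption settings (the ARM metadata the question asked about).
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
if (-not $vm.SecurityProfile.EncryptionAtHost) { throw "EncryptionAtHost is not enabled on $vmName" }
foreach ($diskName in @("$vmName-osdisk", $dataDiskName)) {
    $d = Get-AzDisk -ResourceGroupName $rg -DiskName $diskName
    if ($d.EncryptionSettingsCollection -and $d.EncryptionSettingsCollection.Enabled) {
        throw "$diskName carries ADE encryption settings; it is not a fresh disk"
    }
    "$diskName : no ADE encryption settings, attached to a VM with EncryptionAtHost = $($vm.SecurityProfile.EncryptionAtHost)"
}

# 5. Restore application data onto the new VM (AzCopy, backup/restore, Azure Site Recovery),
#    validate, and only then decommission the old ADE-encrypted VM and its disks.
```

The data disk is created with `-CreateOption Empty` on purpose: copying or snapshotting the old disks would carry the ADE metadata across, which is exactly what the answer says blocks Encryption at Host. The verification loop reads the same `EncryptionSettingsCollection` property that the question's `Update-AzDisk` command would have rewritten, but only ever reads it.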

Answer accepted by question author
  1. Jose Benjamin Solis Nolasco 7,376 Reputation points
    2026-02-27T23:41:18.1033333+00:00

    Welcome to Microsoft Q&A

    Hello Craig, I hope you are doing well,

    The documentation is correct. Transitioning directly from Azure Disk Encryption (ADE) to Encryption at Host on the same VM/disks is an unsupported migration path.

    Here are the exact consequences of running the PowerShell command you provided to force the EncryptionSettingsEnabled flag to $false:

    The Update-AzDisk command only modifies the Azure Resource Manager (ARM) metadata properties. It does not trigger the BitLocker (Windows) or DM-Crypt (Linux) decryption process inside the guest operating system. If you remove the Unified Data Encryption (UDE) flag while the bits on the disk are still ciphered, you create a split-brain scenario. Upon the next reboot, the Azure platform will read the flag, assume the disk is in plaintext, and refuse to pass the required Key Encryption Key (KEK) or BitLocker Encryption Key (BEK) from your Azure Key Vault to the host machine. The OS will fail to unlock the drive and the VM will be permanently unbootable.

    Even if you properly decrypt the disk from within the guest OS first and then run your script, you still cannot enable Encryption at Host. The Azure Compute control plane maintains a historical state of the resource. The ARM API contains a strict validation check that permanently blocks the EncryptionAtHost property from being enabled on any VM or Managed Disk that has ever had the ADE extension installed or the ADE encryption settings enabled. This is a safety mechanism to prevent overlapping encryption corruption.

    To achieve your goal, you must create a new VM with Encryption at Host enabled and migrate the data (e.g., via Azure Site Recovery, AzCopy, or backup/restore).

    😊 If my answer helped you resolve your issue, please consider marking it as the correct answer. This helps others in the community find solutions more easily. Thanks!
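The split-brain risk described in the answer above comes from two states that can disagree: the disk's ARM encryption settings and what is actually on the volumes inside the guest. As an added example (not part of the answer, not Microsoft code), here is a read-only pre-flight check in Az PowerShell that puts both side by side for a VM and refuses to continue if the ARM settings are already off while the platform still reports the volumes as encrypted. The resource group and VM name are placeholders.

```powershell
# Added example: read-only check of ARM encryption settings vs. in-guest encryption status.
# It never calls Update-AzDisk. Resource group and VM names are placeholders (assumptions).
function Test-AdeState {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName
    )
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName

    # (a) Is the ADE extension still installed? Publisher Microsoft.Azure.Security,
    #     type AzureDiskEncryption (Windows) or AzureDiskEncryptionForLinux.
    $adeExt = Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName |
        Where-Object { $_.Publisher -eq 'Microsoft.Azure.Security' -and $_.ExtensionType -like 'AzureDiskEncryption*' }

    # (b) What does the platform report about the volumes inside the guest?
    $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName

    # (c) What do the disks' ARM encryption settings say? (This is the metadata the
    #     question's Update-AzDisk command would flip.)
    $diskIds = @($vm.StorageProfile.OsDisk.ManagedDisk.Id) +
               @($vm.StorageProfile.DataDisks | ForEach-Object { $_.ManagedDisk.Id })
    $disks = foreach ($id in $diskIds) {
        # Resource ID: /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Compute/disks/{name}
        $parts = $id -split '/'
        $d = Get-AzDisk -ResourceGroupName $parts[4] -DiskName $parts[-1]
        [pscustomobject]@{
            Disk               = $d.Name
            ArmSettingsEnabled = [bool]($d.EncryptionSettingsCollection -and $d.EncryptionSettingsCollection.Enabled)
            HasKeyVaultRefs    = [bool]($d.EncryptionSettingsCollection -and $d.EncryptionSettingsCollection.EncryptionSettings)
        }
    }

    [pscustomobject]@{
        VM                   = $VMName
        AdeExtensionPresent  = [bool]$adeExt
        OsVolumeEncrypted    = $status.OsVolumeEncrypted
        DataVolumesEncrypted = $status.DataVolumesEncrypted
        EncryptionAtHost     = [bool]$vm.SecurityProfile.EncryptionAtHost
        Disks                = @($disks)
    }
}

$state = Test-AdeState -ResourceGroupName 'rg-legacy' -VMName 'vm-ade-old'   # placeholders
$state | Format-List
$state.Disks | Format-Table -AutoSize

# The dangerous combination: ARM settings already off on some disk while the platform
# still reports a volume as encrypted. Stop here rather than reboot into an unbootable VM.
$volumesStillEncrypted = ($state.OsVolumeEncrypted -eq 'Encrypted') -or ($state.DataVolumesEncrypted -eq 'Encrypted')
$armOff = @($state.Disks | Where-Object { -not $_.ArmSettingsEnabled })
if ($volumesStillEncrypted -and $armOff.Count -gt 0) {
    throw "ARM encryption settings are off on [$($armOff.Disk -join ', ')] but guest volumes are still reported encrypted"
}
```

If the check fails, the only supported way to bring the guest back to plaintext is the ADE extension itself (`Disable-AzVMDiskEncryption`), which drives the in-guest decryption that `Update-AzDisk` does not; and even after a clean decryption, the answers above say the disks still cannot be used with Encryption at Host, so the check is a guardrail, not a migration step.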

