How to encrypt the temp disks, caches, and data flows between Compute and Storage resources in Azure windows vm

Azurelearner 1 Reputation point
2022-02-17T12:41:47.533+00:00

Azure Disk Encryption
An Azure service for virtual machines (VMs) that helps address organizational security and compliance requirements by encrypting the VM boot and data disks with keys and policies that are controlled in Azure Key Vault.

3 answers

  1. Sumarigo-MSFT 44,906 Reputation points Microsoft Employee
    2022-02-18T04:36:27.437+00:00

    @Azurelearner Welcome to the Microsoft Q&A forum, and thank you for posting your query here!

    Did you try ADE and were not able to enable it? ADE should cover all of the below: temp disk, caches, and the content between Compute and Storage (encrypted at rest and in transit).

    First, let me explain how encryption works: server-side encryption (also referred to as encryption at rest or Azure Storage encryption) automatically encrypts data stored on Azure managed disks (OS and data disks) when it is persisted to the storage clusters. For full details, see Server-side encryption of Azure Disk Storage.

    Encryption at host ensures that data stored on the VM host hosting your VM is encrypted at rest and flows encrypted to the Storage clusters. For full details, see Encryption at host - End-to-end encryption for your VM data.

    Encryption is part of a layered approach to security and should be used with other recommendations to secure Virtual Machines and their disks. For full details, see Security recommendations for virtual machines in Azure and Restrict import/export access to managed disks.

    When you enable encryption at host, that encryption starts on the VM host itself, the Azure server that your VM is allocated to. The data for your temporary disk and OS/data disk caches is stored on that VM host. After enabling encryption at host, all of this data is encrypted at rest and flows encrypted to the Storage service, where it is persisted. Essentially, encryption at host encrypts your data end to end. Encryption at host does not use your VM's CPU and does not impact your VM's performance.

    Temporary disks and ephemeral OS disks are encrypted at rest with platform-managed keys when you enable end-to-end encryption. The OS and data disk caches are encrypted at rest with either customer-managed or platform-managed keys, depending on the selected disk encryption type. For example, if a disk is encrypted with customer-managed keys, then the cache for the disk is encrypted with customer-managed keys, and if a disk is encrypted with platform-managed keys then the cache for the disk is encrypted with platform-managed keys.

    Note: Temporary disks are not managed disks and are not encrypted by SSE, unless you enable encryption at host.

    [Image: comparison table of the Azure disk encryption options]

    Please let us know if you have any further queries. I’m happy to assist you further.


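The encryption-at-host procedure described in the answer above, as an added worked example written for this page (it is not code from the original post or from Microsoft's documentation): it checks that the subscription feature is registered and that the VM size supports encryption at host, refuses to proceed if Azure Disk Encryption is already active on the VM (the two cannot be combined on one VM), deallocates the VM, enables the setting with Az PowerShell, and verifies it from the VM's security profile. The resource group and VM names are placeholders, and the script assumes the Az.Compute and Az.Resources modules are installed and that you are already signed in with Connect-AzAccount.

```powershell
# Added example: enable encryption at host on an existing Windows VM with Az PowerShell.
# Assumptions (not from the original post): the names below are placeholders, the
# Az.Compute and Az.Resources modules are installed, and Connect-AzAccount has been run.

$rgName = "myResourceGroup"   # placeholder
$vmName = "myWindowsVm"       # placeholder

# 1. Encryption at host is a subscription-level feature; register it if it is not already.
$featureArgs = @{ FeatureName = "EncryptionAtHost"; ProviderNamespace = "Microsoft.Compute" }
if ((Get-AzProviderFeature @featureArgs).RegistrationState -ne "Registered") {
    Register-AzProviderFeature @featureArgs | Out-Null
    while ((Get-AzProviderFeature @featureArgs).RegistrationState -ne "Registered") {
        Start-Sleep -Seconds 30
    }
    # Propagate the feature registration to the resource provider.
    Register-AzResourceProvider -ProviderNamespace "Microsoft.Compute" | Out-Null
}

$vm = Get-AzVM -ResourceGroupName $rgName -Name $vmName

# 2. Not every VM size supports encryption at host; check the SKU capability first.
$sku = Get-AzComputeResourceSku -Location $vm.Location |
    Where-Object { $_.ResourceType -eq "virtualMachines" -and $_.Name -eq $vm.HardwareProfile.VmSize }
$supported = $sku.Capabilities |
    Where-Object { $_.Name -eq "EncryptionAtHostSupported" -and $_.Value -eq "true" }
if (-not $supported) {
    throw "VM size $($vm.HardwareProfile.VmSize) does not support encryption at host; resize the VM first."
}

# 3. Encryption at host cannot be enabled on a VM that has Azure Disk Encryption enabled,
#    so stop early instead of letting the Update-AzVM call fail.
$ade = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName
if ($ade.OsVolumeEncrypted -eq "Encrypted" -or $ade.DataVolumesEncrypted -eq "Encrypted") {
    throw "Azure Disk Encryption is active on $vmName; it cannot be combined with encryption at host."
}

# 4. The VM must be deallocated before the setting can be changed on an existing VM.
Stop-AzVM -ResourceGroupName $rgName -Name $vmName -Force

# 5. Enable encryption at host. From now on the temp disk and the OS/data disk caches on the
#    host are encrypted at rest, and data flows encrypted from the host to the Storage clusters.
Update-AzVM -ResourceGroupName $rgName -VM $vm -EncryptionAtHost $true

Start-AzVM -ResourceGroupName $rgName -Name $vmName

# 6. Verify the setting from the VM's security profile rather than trusting the update call.
$vm = Get-AzVM -ResourceGroupName $rgName -Name $vmName
if ($vm.SecurityProfile.EncryptionAtHost -ne $true) {
    throw "Encryption at host is not enabled on $vmName"
}
"Encryption at host is enabled on $vmName"
```

Steps 4 and 5 are where the downtime asked about later in the thread comes from: the VM is deallocated for the duration of the update. The same `-EncryptionAtHost $true` switch exists on `New-AzVMConfig`, so for new VMs the setting can be applied at creation time with no restart.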
  2. Maheswararaju P 6 Reputation points
    2022-05-11T10:49:38.203+00:00

    Hi @Sumarigo-MSFT,

    Thank you very much for your kind response.

    From the comparison image, I understand that Azure Disk Encryption and Azure encryption at host will both satisfy the requirement (Virtual machines should encrypt temp disks and data flows between Compute and Storage resources).

    However, when we go with Azure Disk Encryption, does it impact VM CPU performance? In the comparison image it was unchecked. Please confirm this point, Sai.

    With regard to business impact, yes, I was referring to both: any downtime or cost implications, anything that happens after we enable Azure Disk Encryption or encryption at host.

    Also, help me understand: will enabling Azure Disk Encryption encrypt the temp disks and caches? Apart from the image, I couldn't find the same details in any Microsoft reference articles.

    Lastly, please let me know if there is any Azure Policy we can implement to govern this encryption automatically.

    Thank you


  3. Maheswararaju P 11 Reputation points
    2022-06-10T08:16:48.123+00:00

    Hi @Sumarigo-MSFT ,

    Can you help me find out if there is any other alternative to achieve this (encryption of temp disks, caches, and data flows between Compute and Storage resources in an Azure Windows VM)?

    I understand we have Azure Disk Encryption and encryption at host, but considering the operational risk involved, our leadership and engineering teams have planned to move ahead with a different method.

    Please let us know if there is a way to achieve this (how to encrypt the flow between compute and storage resources from Azure backbone services).

    Looking forward to hearing from you.

    Thank you.