Enable encryption on a running Windows VM.

Azure Public Test Date Azure Public Test Result

Azure US Gov Last Test Date Azure US Gov Last Test Result

Best Practice Check Cred Scan Check

Deploy To Azure Deploy To Azure US Gov Visualize

This template enables encryption on a running windows vm using AAD client secret. This template assumes that the VM is located in the same region as the resource group. If not, please edit the template to pass appropriate location for the VM sub-resources.


  1. Azure Disk Encryption securely stores the encryption secrets in a specified Azure Key Vault.

Use the below PS cmdlet for getting the "keyVaultSecretUrl" and "keyVaultResourceId" Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $rgname

Incase : If deployment fails with the the error code: Access Denied or conflict : extension not supported or VM has reported a failure when processing extension 'AzureDiskEncryption'. Error message: "Failed to configure bitlocker as expected; use the below PD cmdlet for removing the unsuccessful disk encryption extension and re-do the template deployment for success. Remove-AzureRmVMExtension -ResourceGroupName $rgname -Name "extensionname" -VMName $vmname Reference: https://social.msdn.microsoft.com/Forums/SECURITY/f77af0b4-d06e-468a-816d-c894f08af125/error-user-encryption-settings-in-the-vm-model-are-not-supported-please-upgrade-azure-disk?forum=AzureDiskEncryption https://blogs.msdn.microsoft.com/azuresecurity/2016/02/10/azure-disk-encryption-error-related-to-azure-powershell-1-1-0/

References: White paper - https://azure.microsoft.com/documentation/articles/azure-security-disk-encryption/ http://blogs.msdn.com/b/azuresecurity/archive/2015/11/16/explore-azure-disk-encryption-with-azure-powershell.aspx http://blogs.msdn.com/b/azuresecurity/archive/2015/11/21/explore-azure-disk-encryption-with-azure-powershell-part-2.aspx

Tags: Microsoft.KeyVault/vaults, Microsoft.Compute/virtualMachines/extensions, AzureDiskEncryption, Microsoft.Network/VirtualNetworks, Microsoft.Network/publicIPAddresses, Microsoft.Network/networkInterfaces, Microsoft.Compute/virtualMachines, SystemAssigned