Download a Windows VHD from Azure

Applies to: ✔️ Windows VMs

In this article, you learn how to download a Windows virtual hard disk (VHD) file from Azure using the Azure portal.

Optional: Generalize the VM

If you want to use the VHD as an image to create other VMs, you should use Sysprep to generalize the operating system. Otherwise, you will have to make a copy of the disk for each VM you want to create.

To use the VHD as an image to create other VMs, generalize the VM.

  1. If you haven't already done so, sign in to the Azure portal.
  2. Connect to the VM.
  3. On the VM, open the Command Prompt window as an administrator.
  4. Change the directory to %windir%\system32\sysprep and run sysprep.exe.
  5. In the System Preparation Tool dialog box, select Enter System Out-of-Box Experience (OOBE), and make sure that Generalize is selected.
  6. In Shutdown Options, select Shutdown, and then click OK.

If you don't want to generalize your current VM, you can still create a generalized image by first making a snapshot of the OS disk, creating a new VM from the snapshot, and then generalizing the copy.

Stop the VM

A VHD can’t be downloaded from Azure if it's attached to a running VM. If you want to keep the VM running, you can create a snapshot and then download the snapshot.

  1. On the Hub menu in the Azure portal, click Virtual Machines.
  2. Select the VM from the list.
  3. On the blade for the VM, click Stop.

Alternative: Snapshot the VM disk

Take a snapshot of the disk to download.

  1. Select the VM in the portal.
  2. Select Disks in the left menu and then select the disk you want to snapshot. The details of the disk will be displayed.
  3. Select Create Snapshot from the menu at the top of the page. The Create snapshot page will open.
  4. In Name, type a name for the snapshot.
  5. For Snapshot type, select Full or Incremental.
  6. When you are done, select Review + create.

Your snapshot will be created shortly, and can then be used to download or create another VM.

Note

If you don't stop the VM first, the snapshot will not be clean. The snapshot will be in the same state as if the VM had been power cycled or crashed at the point in time when the snapshot was made. While usually safe, it could cause problems if the running applications running at the time were not crash resistant.

This method is only recommended for VMs with a single OS disk. VMs with one or more data disks should be stopped before download or before creating a snapshot for the OS disk and each data disk.

Secure downloads and uploads with Microsoft Entra ID

If you're using Microsoft Entra ID to control resource access, you can now use it to restrict uploads and downloads of Azure managed disks. This feature is available as a GA offering in all regions. When a user attempts to upload or download a disk, Azure validates the identity of the requesting user in Microsoft Entra ID, and confirms that user has the required permissions. At a higher level, a system administrator could set a policy at the Azure account or subscription level, to ensure that all disks and snapshots must use Microsoft Entra ID for uploads or downloads. If you have any questions on securing uploads or downloads with Microsoft Entra ID, reach out to this email: azuredisks@microsoft .com

Restrictions

  • VHDs can't be uploaded to empty snapshots.
  • Azure Backup doesn't currently support disks secured with Microsoft Entra ID.
  • Azure Site Recovery doesn't currently support disks secured with Microsoft Entra ID.

Prerequisites

Assign RBAC role

To access managed disks secured with Microsoft Entra ID, the requesting user must have either the Data Operator for Managed Disks role, or a custom role with the following permissions:

  • Microsoft.Compute/disks/download/action
  • Microsoft.Compute/disks/upload/action
  • Microsoft.Compute/snapshots/download/action
  • Microsoft.Compute/snapshots/upload/action

For detailed steps on assigning a role, see the following articles for portal, PowerShell, or CLI. To create or update a custom role, see the following articles for portal, PowerShell, or CLI.

Enable data access authentication mode

Enable data access authentication mode to restrict access to the disk. You can either enable it when creating the disk, or you can enable it on the Disk Export page under Settings for existing disks.

Screenshot of a disk's data access authentication mode checkbox, tick the checkbox to restrict access to the disk, and save your changes.

Generate download URL

To download the VHD file, you need to generate a shared access signature (SAS) URL. When the URL is generated, an expiration time is assigned to the URL.

Important

On February 15th, 2025, the Shared Access Signature (SAS) access time for disks and snapshots will be limited to a maximum of 60 days. Trying to generate a SAS with an expiration longer than 60 days results in an error. Any existing disk or snapshot SAS created with an expiration longer than 60 days may stop working 60 days after the date of creation and will result in a 403 error during authorization.

If a managed disk or snapshot SAS's expiration is longer than 60 days, revoke its access, and generate a new SAS that requests access for 60 days (5,184,000 seconds) or less. Improve your overall security by using SAS with shorter expiration dates. Make these changes before February 15, 2025 to prevent service interruption. The following links can be used to find, revoke, and request a new SAS.

  1. On the page for the VM, click Disks in the left menu.
  2. Select the operating system disk for the VM.
  3. On the page for the disk, select Disk Export from the left menu.
  4. The default expiration time of the URL is 3600 seconds (one hour). You may need to increase this for Windows OS disks or large data disks. 36000 seconds (10 hours) is usually sufficient.
  5. Click Generate URL.

Note

The expiration time is increased from the default to provide enough time to download the large VHD file for a Windows Server operating system. Large VHDs can take up to several hours to download depending on your connection and the size of the VM.

While the SAS URL is active, attempting to start the VM will result in the error There is an active shared access signature outstanding for disk diskname. You can revoke the SAS URL by selecting Cancel export on the Disk Export page.

Download VHD

Note

If you're using Microsoft Entra ID to secure managed disk downloads, the user downloading the VHD must have the appropriate RBAC permissions.

  1. Under the URL that was generated, click Download the VHD file.
  2. You may need to click Save in your browser to start the download. The default name for the VHD file is abcd.

Next steps