EncryptionAtHost is enabled so why are the Advisor Recommendations saying it isn't?

Question

EncryptionAtHost is enabled so why are the Advisor Recommendations saying it isn't?

Thomas Leland 41

I properly registered EncryptionAtHost to our subscription, which took a few minutes. I then created a VM with EncryptionAtHost enabled during the creation process. It has been over 3 weeks and the Advisor is still showing the following recommendation: "Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost." How can I be certain that EncryptionAtHost is working properly if I am still seeing this Advisor recommendation?

Accepted answer

0 additional answers

Your answer

Answer 1

Naveena Patlolla 975 Microsoft External Staff

Hi Thomas Leland
Azure Advisory Recommending "Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost."

You are already Enabled EncryptionAtHost, Just It is Recommending for Azure Disk Encryption.

Navigate to the VM → Under Disks, go to Additional Settings → Under Encryption settings --> Check if disks to encrypt are set None.

User's image

If it is set to None, then Azure Advisory Recommending for Azure Disk Encryption.

Azure Disk Encryption (ADE) vs. Encryption at Host (EAH) Both Azure Disk Encryption (ADE) and Encryption at Host (EAH) are encryption mechanisms in Azure, but they differ in implementation, scope, and use cases.

Azure Disk Encryption (ADE): Encrypts OS and Data disks using BitLocker (Windows) or dm-crypt (Linux)

Encryption at Host (EAH): Encrypts temporary disks, OS disks, and data disks at the host level

Please follow the below steps to verify Encryption at Host Level is enabled

Navigate to the VM → Under Disks, go to Additional Settings → Check if Encryption at Host Level is enabled

User's image

Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Ashok Gandhi Kotnana 4,310 Reputation points Microsoft External Staff

2025-03-10T04:43:41.6066667+00:00

Hi Thomas Leland

Just want to check if the above answer provided by @Anonymous worked for you or else please let us know if any help, we are always here to help whenever you need us.

Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.
Thomas Leland 41 Reputation points

2025-03-10T19:41:42.98+00:00

We only plan to use EncryptionAtHost. We are not using Azure Disk Encryption (ADE). With that said, EncyprionAtHost is registered and set to Yes under additional settings for the VM. I guess I would need to exempt this recommendation to clear it then?
Ashok Gandhi Kotnana 4,310 Reputation points Microsoft External Staff

2025-03-11T06:32:25.05+00:00

Hi Thomas Leland

Thanks for the response back.

It seems that even if you have enabled Encryption at Host for your VM, Azure Advisor may still flag it as not enabled due to specific conditions or configurations that might not be met. This could include the VM's compatibility with the encryption features or other settings that Azure Advisor checks.

If you are certain that Encryption at Host is correctly configured and you are not using Azure Disk Encryption (ADE), you might consider exempting the recommendation if it does not apply to your situation

https://learn.microsoft.com/en-us/azure/virtual-desktop/azure-advisor-recommendations

https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption#encryption-at-host---end-to-end-encryption-for-your-vm-data

Please do not forget to "Accept the answer” and upvote it wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Share via

EncryptionAtHost is enabled so why are the Advisor Recommendations saying it isn't?

0 additional answers

Your answer