ADE is only enabled on OS disk but not on temporary storage

Tan-9136 100 Reputation points
2025-05-20T22:12:51.0266667+00:00

Hi,

I was checking my Secure Score and I found this recommendation message:
"Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost"

Some of my VMs are considered to have ADE but some are considered to not have ADE even though ADE is shown as enabled on the VM overview page.

What I noticed is that the difference between the ones that are recognized as having ADE and the ones that are NOT recognized as having ADE is the temporary storage (it's the D drive).
For some reason, some VMs have ADE on their temporary storage and some don't.
And I don't know why.

How do I enable ADE in temporary storage?
And if I do enable it, will it cause any issue? Because this is a production environment.

Thanks

Azure Disk Encryption
An Azure service for virtual machines (VMs) that helps address organizational security and compliance requirements by encrypting the VM boot and data disks with keys and policies that are controlled in Azure Key Vault.

Accepted answer
Alex Burlachenko 8,765 Reputation points
    2025-05-23T08:21:30.0066667+00:00

    Hi there Tan-9136

    Thank you for your follow-up question! Let me break this down in a simple way so it's easy to follow.

    Yes, you can absolutely enable Azure Disk Encryption (ADE) through the Azure Portal without needing to use the command line! When you’re in the "Disk settings" page of your Windows VM, you’ll see the option for Azure Disk Encryption under the Encryption settings section. If you select OS and data disks, that’s indeed the same as setting the VolumeType to "All" in the command line. This means both the OS disk and any attached data disks will be encrypted.

    Now, about your concern for the production environment that’s a very valid question! Enabling ADE shouldn’t cause any major issues, but there are a few things to keep in mind. First, the encryption process itself might take some time, depending on the size of your disks, and the VM will reboot during the process. Also, make sure you have a proper Key Vault set up for the encryption keys, as this is required for ADE to work. Microsoft has a great guide on best practices for production workloads here: Azure Disk Encryption prerequisites.

    One thing to note if your VM has any critical workloads running, it might be a good idea to test this in a staging environment first, just to be safe. And of course, always ensure you have recent backups before making any changes!

    Hope this helps.

    Best regards, Alex
    P.S. If my answer helped you, please accept my answer.
    P.P.S. That is my answer and not a comment.
    https://ctrlaltdel.blog/

1 additional answer

Silvia Wibowo 5,966 Reputation points Microsoft Employee Volunteer Moderator
    2025-05-25T22:19:55.3166667+00:00

    Hi @Tan-9136, let me summarize your issue and provide you with an explanation that can answer your question.

    Current situation:

    • Azure Advisor's Secure Score recommends "Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost". It lists some of the VMs. You noticed that the VMs in that list have temporary (local) storage, with SKU: Standard D4s v3.
    • On the affected VMs:
      • Overview page of the VM and the disk page show encryption enabled.
      • Under "Disk settings", ADE (Azure Disk Encryption) shows None (OS and Data disks are not enabled for ADE).

    Question: how to execute Secure Score's recommendation to enable ADE?

    Explanation:

    There are several types of encryption available for your managed disks, including Azure Disk Encryption (ADE), Server-Side Encryption (SSE), and encryption at host. Ref: Managed disk encryption options.

    SSE is always enabled; this is what your VM "Overview" page and your disk page refer to as "encryption enabled".

    ADE needs to be enabled; you can use Azure CLI, PowerShell, or Azure Portal to enable it, choosing OS, Data, or All (OS and Data) disks. You should take a snapshot and/or create a backup before disks are encrypted. Backups ensure that a recovery option is possible if an unexpected failure occurs during encryption. VMs with managed disks require a backup before encryption occurs.

    Enabling ADE will:

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

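The procedure described in both answers above (check what is really enabled, satisfy the Key Vault prerequisite, take a recovery point, then enable ADE on OS and data disks, which is the portal's "OS and data disks" choice and the CLI's VolumeType "All") as one Az PowerShell script. This is an added example, not code from either answer or from Microsoft; the resource group, VM and Key Vault names are assumptions and must be replaced with your own. The first step also shows why the Overview page is misleading: it reports server-side encryption, which is always on, while the Secure Score recommendation is evaluated on ADE or EncryptionAtHost.

```powershell
# Added example (not from the original thread): audit a VM's encryption state,
# snapshot its managed disks, then enable ADE on OS and data disks.
# Names in the param block are assumptions; replace them with your own.
#Requires -Modules Az.Accounts, Az.Compute, Az.KeyVault
param(
    [string]$ResourceGroup = 'rg-prod',        # assumed
    [string]$VmName        = 'vm-prod-01',     # assumed
    [string]$KeyVaultName  = 'kv-ade-prod'     # assumed; must be in the same region and subscription as the VM
)

Connect-AzAccount | Out-Null   # interactive sign-in; use -Identity or a service principal in automation

$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName

# 1. What is actually enabled today?
#    SSE with platform-managed keys is always on for managed disks; that is what the
#    Overview and Disks pages mean by "encryption enabled". The recommendation wants
#    ADE or encryption at host, so check those two explicitly.
$ade = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroup -VMName $VmName
[pscustomobject]@{
    VM                   = $VmName
    Size                 = $vm.HardwareProfile.VmSize
    OsVolumeEncrypted    = $ade.OsVolumeEncrypted       # Encrypted / NotEncrypted / Unknown
    DataVolumesEncrypted = $ade.DataVolumesEncrypted
    EncryptionAtHost     = [bool]$vm.SecurityProfile.EncryptionAtHost
} | Format-List

if ($ade.OsVolumeEncrypted -eq 'Encrypted' -and $ade.DataVolumesEncrypted -eq 'Encrypted') {
    Write-Host 'ADE is already enabled on OS and data disks; nothing to do.'
    return
}

# 2. Key Vault prerequisite: the vault must be enabled for disk encryption so the
#    platform can read the BitLocker secrets. For an RBAC-only vault, grant the
#    role assignment instead of running Set-AzKeyVaultAccessPolicy.
$kv = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroup
if (-not $kv.EnabledForDiskEncryption) {
    Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $ResourceGroup -EnabledForDiskEncryption
}

# 3. Recovery point first. The encryption cmdlet does not back up managed-disk VMs
#    for you, so snapshot the OS disk and every data disk before touching them.
$stamp = Get-Date -Format 'yyyyMMddHHmm'
$disks = @($vm.StorageProfile.OsDisk) + @($vm.StorageProfile.DataDisks)
foreach ($d in $disks) {
    $cfg = New-AzSnapshotConfig -SourceUri $d.ManagedDisk.Id -Location $vm.Location -CreateOption Copy
    New-AzSnapshot -ResourceGroupName $ResourceGroup -SnapshotName "$($d.Name)-pre-ade-$stamp" -Snapshot $cfg | Out-Null
}

# 4. Enable ADE on OS and data disks (portal "OS and data disks" == -VolumeType All).
#    The VM reboots during encryption. -SkipVmBackup is needed for managed-disk VMs;
#    the snapshots taken above are the recovery option in its place.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $ResourceGroup -VMName $VmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -SkipVmBackup -Force

# 5. Verify. The Secure Score recommendation refreshes on its own schedule, so it
#    will not clear the moment this reports Encrypted.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroup -VMName $VmName |
    Select-Object OsVolumeEncrypted, DataVolumesEncrypted, ProgressMessage
```

Run it against a non-production VM first, as the accepted answer suggests; the snapshot step is what lets you roll back if the encryption extension fails part-way through a production disk.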
