This solution does not support the following scenarios, features and technologies in this release:

  • Basic VMs and Standard DS (Premium Storage) series IaaS VMs
  • IaaS VMs created using classic VM model
  • Enable OS disk encryption on Linux IaaS VMs already running in Azure
  • Disable encryption on Linux IaaS VM, enabled via Azure disk encryption
  • Integration with your on-premises Key Management Service
  • Windows Server 2016 Technical Preview 3 and above
  • Azure Files (Azure file share), Network file system (NFS), Dynamic volumes, Software-based RAID systems

VM before Disk Encryption



First, create an Azure AD Web Application (ASM). This is the identity the disk encryption extension on the VM uses to authenticate to Key Vault and write the BitLocker secret, so the VM never needs your own credentials

Navigate to the classic portal, and select ‘Active Directory’

Click the ‘Applications’ tab, and at the bottom click ‘ADD’


Select the first option


Give your application a name and select "Web Application"


The App ID URI and Sign On URI are irrelevant at the moment so you can enter what information you like



Two values are critical for Disk Encryption: the Client ID, and a key (the client secret) which you create under "Keys". The key value is only displayed once after you save, so copy both straight away and keep hold of them. Treat the key as a credential: anyone holding it can write to the vault with the permissions granted below



Now the Web Application has been created, you’ll need to create the Vault, Vault Key & Resource Group containing it all

(This needs to be done in PS, at the time of writing this, it cannot be done via the Portal)

# Script Created by Craig Cloud IT Pro v.02 #
# Import AzureRM Modules and Login to your account #
Import-Module AzureRM
Login-AzureRmAccount
# Variables #
$KeyVaultName = "CFKeyVault"        # Key Vault Name Variable #
$ResourceGroup = "CF-Key-Vault-RG"  # Resource Group Name Variable #
$aadClientID = "<Client ID of the Azure AD Web Application created above>"
# Create a new Resource Group to Host the Key Vault #
New-AzureRmResourceGroup -Name $ResourceGroup -Location "West Europe"
# Create a new Key Vault and add it to your RG (Premium SKU is required for HSM-backed keys) #
New-AzureRmKeyVault -VaultName $KeyVaultName -Sku premium -ResourceGroupName $ResourceGroup -Location "West Europe"
# Add the KEK to your Key Vault #
Add-AzureKeyVaultKey -VaultName $KeyVaultName -Name CFVaultKEK -Destination HSM
# Enable the Key Vault for Disk Encryption from False to True #
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $ResourceGroup -EnabledForDiskEncryption
# Check that the Disk Encryption is now enabled #
Get-AzureRmKeyVault -VaultName $KeyVaultName
# Grant the Azure AD Web Application All Permissions on Keys & Secrets #
# (broader than the extension strictly needs: it only wraps the BitLocker key with the KEK and sets the secret) #
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ServicePrincipalName $aadClientID -PermissionsToKeys all -PermissionsToSecrets all
# Get Resource ID #
(Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroup).ResourceId
# Get Vault URI #
(Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroup).VaultUri



When you run

Add-AzureKeyVaultKey -VaultName "CFKeyVault" -Name CFVaultKEK -Destination HSM

make sure you take note of the "Id" at the bottom of the output: this is the KEK URL.

(Disk Encryption does not accept a port number in the KEK URL, so remove the ":443" that the cmdlet returns before using the value in your ARM Template)
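The same vault setup as an added example (this is not the script from the original post), with the access policy trimmed to the two operations the encryption extension actually performs, and the KEK URL captured and port-stripped in the script rather than copied from the console. The resource group, vault and KEK names match the post; the Client ID is a placeholder you must replace with the one from your Web Application:

```powershell
# Added example: Key Vault setup for Azure Disk Encryption with a least-privilege policy.
# Assumed: names below match the post; $aadClientID is a placeholder for your Web Application's Client ID.
Import-Module AzureRM
Login-AzureRmAccount

$ResourceGroup = "CF-Key-Vault-RG"
$KeyVaultName  = "CFKeyVault"
$KekName       = "CFVaultKEK"
$Location      = "West Europe"
$aadClientID   = "00000000-0000-0000-0000-000000000000"   # placeholder, replace with your Client ID

New-AzureRmResourceGroup -Name $ResourceGroup -Location $Location
# Premium SKU is required for an HSM-backed KEK
New-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroup -Location $Location -Sku premium

# Allow the Azure platform to read the BitLocker secret from this vault when the VM boots
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $ResourceGroup -EnabledForDiskEncryption

# The extension only wraps the generated BitLocker key with the KEK and writes the wrapped
# secret, so grant wrapKey on keys and set on secrets instead of "all"
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ServicePrincipalName $aadClientID `
    -PermissionsToKeys wrapKey -PermissionsToSecrets set

# Create the HSM-backed KEK and keep the returned object instead of re-typing its Id
$kek    = Add-AzureKeyVaultKey -VaultName $KeyVaultName -Name $KekName -Destination HSM
$kekUrl = $kek.Id   # cmdlet returns the form https://<vault>.vault.azure.net:443/keys/<name>/<version>

# Disk Encryption rejects a port in the KEK URL: rebuild it from scheme, host and path only
$uri          = [System.Uri]$kekUrl
$kekUrlNoPort = "{0}://{1}{2}" -f $uri.Scheme, $uri.Host, $uri.AbsolutePath
if ($kekUrlNoPort -match ':\d+/') { throw "KEK URL still contains a port: $kekUrlNoPort" }

# Verify what was configured before handing the values to the template
$vault = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroup
if (-not $vault.EnabledForDiskEncryption) { throw "EnabledForDiskEncryption is still False on $KeyVaultName" }
$vault.AccessPolicies | Format-Table DisplayName, PermissionsToKeys, PermissionsToSecrets -AutoSize

# The three values the ARM template / extension needs
[pscustomobject]@{
    KeyVaultResourceId  = $vault.ResourceId
    KeyVaultUri         = $vault.VaultUri
    KeyEncryptionKeyUrl = $kekUrlNoPort
}
```

If the app's key ever leaks, the narrower policy limits the damage to writing new wrapped secrets; with "all" on keys and secrets an attacker could also read every secret in the vault and delete or back up the KEK.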

Now that the Vault exists, we can enable encryption on a VM in Azure using an ARM Template from GitHub


(I’ve not modified this template, it’s exactly the same as it is on the web)

Open Visual Studio and copy and paste the deploy & parameters .json into the project


Click Deploy, & change the Parameters to fit your environment



  • AADClientID: Client ID of the Azure AD app that has permissions to write secrets to Key Vault
  • AADClientSecret: Client Secret of the Azure AD app that has permissions to write secrets to Key Vault
  • keyVaultName: Name of the Key Vault to which the BitLocker key should be uploaded. You can get it using the cmdlet: (Get-AzureRmKeyVault -ResourceGroupName <your resource group>).VaultName
  • keyEncryptionKeyURL: URL of the Key Encryption Key that is used to encrypt the generated BitLocker key. This is optional if you select "nokek" in the UseExistingKek dropdown. If you select "kek", you must supply the keyEncryptionKeyURL value (without the :443 port)
  • volumeType: Type of the volume on which the encryption operation is performed. Valid values are "OS", "Data", "All"
  • sequenceVersion: Sequence version of the BitLocker operation. Increment this number every time a disk encryption operation is performed on the same VM
  • vmName: Name of the VM on which the encryption operation is to be performed
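The same parameters can be supplied from PowerShell instead of the template, which is handy for scripting or re-running with a bumped sequence version. The following is an added example (not code from the original post or the GitHub template) using the AzureRM cmdlet Set-AzureRmVMDiskEncryptionExtension, followed by a status check that waits for the volumes to report Encrypted. The VM name and resource group are assumptions; the vault and KEK names are the ones created earlier, and the Client ID is a placeholder:

```powershell
# Added example: enable Azure Disk Encryption on an existing Windows VM from PowerShell.
# Assumed: VM "CF-VM01" in resource group "CF-VM-RG"; vault/KEK from the earlier step; placeholder Client ID.
Import-Module AzureRM
Login-AzureRmAccount

$vmResourceGroup = "CF-VM-RG"
$vmName          = "CF-VM01"
$aadClientID     = "00000000-0000-0000-0000-000000000000"   # placeholder, replace with your Client ID
# Prompt for the secret rather than embedding it in a script or parameters file that may end up in source control
$aadClientSecret = Read-Host -Prompt "Client secret of the Azure AD Web Application"

# Resolve the vault values the template parameters map to (keyVaultName -> VaultUri/ResourceId, keyEncryptionKeyURL -> KEK Id)
$vault  = Get-AzureRmKeyVault -VaultName "CFKeyVault" -ResourceGroupName "CF-Key-Vault-RG"
$kek    = Get-AzureKeyVaultKey -VaultName "CFKeyVault" -Name "CFVaultKEK"
$kekUrl = $kek.Id -replace ':443/', '/'   # the extension rejects a port number in the KEK URL

# volumeType All covers the OS disk and every attached data disk; bump SequenceVersion on each re-run for the same VM
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $vmResourceGroup -VMName $vmName `
    -AadClientID $aadClientID -AadClientSecret $aadClientSecret `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri -DiskEncryptionKeyVaultId $vault.ResourceId `
    -KeyEncryptionKeyUrl $kekUrl -KeyEncryptionKeyVaultId $vault.ResourceId `
    -VolumeType All -SequenceVersion "1" -Force

# BitLocker runs inside the guest after the extension returns, so poll until both volume types report Encrypted
do {
    Start-Sleep -Seconds 60
    $status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $vmResourceGroup -VMName $vmName
    $status | Format-List OsVolumeEncrypted, DataVolumesEncrypted, ProgressMessage
} until ($status.OsVolumeEncrypted -eq 'Encrypted' -and $status.DataVolumesEncrypted -eq 'Encrypted')

# The wrapped BitLocker key now lives in Key Vault as a secret tagged for this VM; list it to confirm
Get-AzureKeyVaultSecret -VaultName "CFKeyVault" | Select-Object Name, Enabled, Created
```

The client secret is passed to the extension as a protected setting, but it is still a long-lived credential: rotate the Web Application's key after the rollout, and never commit a parameters .json that contains it.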

Once you've started the deployment you'll see verbose logging showing the current stage it has reached


If you go to the Azure portal and click your VM, you’ll see it “Updating”


After a short while the Disk Encryption template should deploy successfully to your chosen VM. If you browse to the VM in the Portal and click "Disks", you'll notice that it now says "Enabled"


When you log in to your VM you'll notice a pop-up icon showing "BitLocker Drive Encryption"

With volumeType set to "All", this encrypts the OS disk and every attached data disk, however many you have


After a while BitLocker should finish encrypting the drives


In Explorer you’ll notice a little lock and key next to the drives