How to remove Azure Disk Encryption from disks that have already been decrypted

I had an interesting one this week that I thought was worth posting about just in case it might help some others in the same situation.

Scenario: The customer has some Azure Windows virtual machines whose managed disks are encrypted with Azure Disk Encryption (ADE), with the keys held in Azure Key Vault. They want to move these virtual machines to another subscription.

Limitation: Moving a virtual machine to another subscription is not supported while it is integrated with Azure Key Vault for Azure Disk Encryption.

The solution, as documented here, is to first disable the encryption, in other words decrypt the managed disks of the virtual machine, and only then move the resources.

Azure Disk Encryption (ADE) uses BitLocker for Windows virtual machines. It is the same BitLocker feature that is built in to Windows. The difference is that ADE manages the feature for you through a VM extension and, importantly, manages the encryption keys: the BitLocker encryption key is stored in Azure Key Vault rather than being left only on the machine.

The problem: In this case, the customer had logged in to the virtual machine and started the BitLocker decryption process from within the operating system.

Decrypting the volumes is exactly what happens under the hood when you disable ADE through the method linked above. The difference is that the ADE extension also updates the encryption settings Azure holds for the disk. When BitLocker is turned off from inside the guest, Azure never learns that the disks have been decrypted and still reports them as encrypted.

Running the Disable-AzVMDiskEncryption cmdlet afterwards appears to succeed, but the encryption status still remains ‘Encrypted’.

The solution: The fix for this issue comes in three steps and can be performed through the Azure portal, PowerShell or the Azure CLI.

Step 1: Disable Azure Disk Encryption. Below are the required PowerShell cmdlets.

Disable-AzVMDiskEncryption -ResourceGroupName <Resource Group Name> -VMName <VM Name> -VolumeType All
Get-AzVMDiskEncryptionStatus -ResourceGroupName <Resource Group Name> -VMName <VM Name>

As mentioned earlier, the status cmdlet will still show your disks as encrypted at this point.

Step 2: Re-encrypt the disks with Azure Disk Encryption. This brings the in-guest BitLocker state and the encryption settings Azure holds for the disks back into sync.

Step 3: Disable Azure Disk Encryption again. This time you should find that Get-AzVMDiskEncryptionStatus reports a status of ‘NotEncrypted’ for the volumes.

You are now free to move the resources to another subscription. Remember that from this point the disks are no longer protected by your Key Vault keys, so plan to re-enable ADE in the destination subscription once the move is complete.
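The three steps above as one PowerShell script, added here as an example and not taken from the original post. The resource group, VM and Key Vault names are placeholders, and the script assumes the Az.Compute and Az.KeyVault modules are installed and you are already signed in with Connect-AzAccount.

```powershell
# Added example: the three-step ADE reset for a VM whose disks were decrypted
# in-guest. All names below are assumed placeholders.
$rg     = 'rg-ade-demo'   # assumed resource group
$vm     = 'vm-ade-demo'   # assumed VM name
$kvName = 'kv-ade-demo'   # assumed Key Vault that ADE should use

# Small helper so each step's result can be inspected the same way.
function Get-AdeStatus {
    param([string]$ResourceGroupName, [string]$VMName)
    $s = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
    [pscustomobject]@{
        OsVolume    = $s.OsVolumeEncrypted
        DataVolumes = $s.DataVolumesEncrypted
    }
}

# Step 1: disable ADE. On disks that were decrypted inside the guest this
# returns successfully but the status stays 'Encrypted'.
Disable-AzVMDiskEncryption -ResourceGroupName $rg -VMName $vm -VolumeType All -Force
Write-Host 'After step 1:'; Get-AdeStatus -ResourceGroupName $rg -VMName $vm

# Step 2: re-encrypt with ADE so the extension and the disk's encryption
# settings are consistent again.
$kv = Get-AzKeyVault -ResourceGroupName $rg -VaultName $kvName
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vm `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri `
    -DiskEncryptionKeyVaultId  $kv.ResourceId `
    -VolumeType All -Force
Write-Host 'After step 2:'; Get-AdeStatus -ResourceGroupName $rg -VMName $vm

# Step 3: disable ADE again. Now the status should be 'NotEncrypted'.
Disable-AzVMDiskEncryption -ResourceGroupName $rg -VMName $vm -VolumeType All -Force
$status = Get-AdeStatus -ResourceGroupName $rg -VMName $vm
Write-Host 'After step 3:'; $status

# Refuse to proceed with the subscription move until Azure agrees the OS
# volume is decrypted.
if ($status.OsVolume -ne 'NotEncrypted') {
    throw "OS volume still reports '$($status.OsVolume)'; do not move the VM yet."
}
```

Step 2 re-encrypts the volumes with BitLocker, so expect it to take a while on VMs with large data disks; it also writes a new key to the vault, which is why the vault needs to be the one ADE is permitted to use.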

Alternative method: You can also clear the encryption settings directly on the managed disk through PowerShell, but the downside is that the disk must first be detached from the virtual machine. Note that this only updates the disk resource's metadata in Azure; it does not decrypt anything, so use it only on a disk that has genuinely already been decrypted inside the guest.

New-AzDiskUpdateConfig -EncryptionSettingsEnabled $false | Update-AzDisk -ResourceGroupName '<Resource Group Name>' -DiskName '<Managed Disk Name>'
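The alternative method with the guard checks a practitioner would want before running it, added here as an example rather than being part of the original post. The resource group and disk names are placeholders; the script assumes the Az.Compute module and an existing Az session.

```powershell
# Added example: clear ADE encryption settings on a detached managed disk.
# Names are assumed placeholders.
$rg       = 'rg-ade-demo'        # assumed resource group
$diskName = 'vm-ade-demo_OsDisk' # assumed managed disk name

function Clear-DiskEncryptionSettings {
    param([string]$ResourceGroupName, [string]$DiskName)

    $disk = Get-AzDisk -ResourceGroupName $ResourceGroupName -DiskName $DiskName

    # Update-AzDisk cannot change a disk that is still attached to a VM.
    if ($disk.ManagedBy) {
        throw "Disk '$DiskName' is still attached to $($disk.ManagedBy); detach it first."
    }

    # Nothing to do if Azure already considers the disk unencrypted.
    if (-not $disk.EncryptionSettingsCollection -or
        -not $disk.EncryptionSettingsCollection.Enabled) {
        Write-Host "Disk '$DiskName' has no ADE encryption settings enabled."
        return $disk
    }

    # This only rewrites the disk's encryption settings in Azure. It does not
    # touch the data, so the volume must already have been decrypted in-guest.
    $updated = New-AzDiskUpdateConfig -EncryptionSettingsEnabled $false |
        Update-AzDisk -ResourceGroupName $ResourceGroupName -DiskName $DiskName

    Get-AzDisk -ResourceGroupName $ResourceGroupName -DiskName $DiskName
}

$result = Clear-DiskEncryptionSettings -ResourceGroupName $rg -DiskName $diskName
$result.EncryptionSettingsCollection
```

After running it, re-attach the disk to the VM and confirm the guest boots and the volumes are readable before moving anything; if the volume was in fact still BitLocker-protected, the VM will no longer receive its key from Key Vault and will not boot.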

I hope this might help anyone else who might run into this particular issue. Please feel free to reach out if you have any questions.
