Migrate from Azure Disk Encryption to encryption at host

Freestone 20 Reputation points

So, I've received an email from Microsoft about the retirement of ADE in Azure and that VMs need to be migrated over to encryption at host. The deadline is September 2028, so there's plenty of time, but from what I've read, this isn't going to be easy and I imagine we're going to have issues moving forward.

The process requires us to remove our servers from the domain before following the steps. My first issue is that we have 70+ VMs, including domain controllers, and removing each one and then adding it again feels like it's going to cause many issues. The second is that when the deadline is reached, any server trying to boot from a disk or access a disk that was protected by ADE will no longer be able to access the key vault to unlock the disks for data access.

Surely this will affect any backups that we have in Azure from before switching to encryption at host, causing issues with restores and accessing data.

Any guidance on this would be much appreciated.

https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption-migrate?tabs=CLI%2CCLI2%2CCLI3%2CCLI4%2CCLI5%2CCLI-cleanup&source=docs


1 answer

  1. Ankit Yadav 14,455 Reputation points Microsoft External Staff Moderator

    Hello @Freestone ,

    1. Yes, migrating domain-joined systems will require careful planning and likely multiple maintenance windows. You can expect downtime of several minutes, depending on how quickly you recreate the VM and rejoin the domain.
      Doing this manually can be quite cumbersome and error prone, so automation is highly recommended. You can use PowerShell or Azure tools (ARM/Bicep templates) to script the domain unjoin, save the network configuration, and automate VM creation with --encryption-at-host true and the domain join.
    2. Any VM or disk still using ADE by the retirement date becomes inaccessible once platform support ends. This includes running VMs, stopped VMs, and backups that rely on ADE. To avoid data loss, all ADE-encrypted disks must be decrypted or migrated before the deadline. I'd suggest treating mid-2028 as your effective cut-off and ensuring no critical data exists only in old ADE-encrypted backups: restore and re-back them up using the new encryption method while support is still available.
    1. Freestone 20 Reputation points

      Thanks for your comments. On point 2, if we restore from a backup, say 3 years ago, the disks were encrypted using ADE. If Microsoft are saying we no longer have access to the key vaults, how do we decrypt a backup? We can't just restore an old backup, decrypt it and then back it up again; we won't know what backup we will need until it's needed. The costs would be ridiculous. What about scenarios where we cannot delete backups because they're protected using immutability...

    2. Ankit Yadav 14,455 Reputation points Microsoft External Staff Moderator

      on point 2, if we restore from a backup, say 3 years ago, the disks were encrypted using ADE. If Microsoft are saying we no longer have access to the key vaults, how do we decrypt a backup.

      ADE relies on BitLocker keys stored in Azure Key Vault. After September 2028, Microsoft will stop supporting ADE, meaning the VM agent and Key Vault integration used to unlock disks will no longer function. If you try to restore a backup from 3 years ago (or any point before migration), the restored VM will still expect ADE and Key Vault access. Without that, the OS disk and data disks remain encrypted and inaccessible.

      What can be done as workaround: -
      Before ADE retirement, you can export and securely store the keys from Key Vault for all ADE-encrypted VMs. This is the only way to manually decrypt old disks later. Manual decryption would require you to have exported and securely stored the BitLocker/Key Vault encryption keys before retirement. Without those, the disk is effectively locked forever.

      We can't just restore an old backup, decrypt it and then back it up again, we won't know what backup we will need until it's needed. The costs would be ridiculous,

      For backups with long retention (e.g., 5+ years), restore them while ADE is still supported, decrypt them, and back them up again under Encryption at Host or SSE with CMK.

      Yes, I do agree with you that this has cost implications, but right now, it’s the only guaranteed way to ensure future recoverability.

      what about scenarios where we cannot delete backups because they're protected using immutability.

      If immutability is preventing deletion today, it is important to be aware that the backup may remain permanently inaccessible after 2028 unless you maintain the required encryption keys or migrate away from ADE before retirement. We strongly recommend sharing this information with your internal teams so they can assess the risk and are aware of the change.

    3. Ankit Yadav 14,455 Reputation points Microsoft External Staff Moderator

      Hello @Freestone ,

      Just wanted to check if you’ve had a chance to review my previous response.

      Let me know if it helped clear up your questions about ADE migration.

    4. Ankit Yadav 14,455 Reputation points Microsoft External Staff Moderator

      Hello @Freestone ,

      Since the issue has been resolved, please take a moment to "Accept Answer" and upvote it 👍 to make it helpful to the community.

      Thank you for helping to improve Microsoft Q&A!
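The automation the answer suggests, as an added example (this is not code from the original post, nor from the Microsoft migration document linked in the question): a PowerShell sketch using the Az module that (1) inventories which VMs in the subscription still report ADE-encrypted volumes, (2) checks that a VM's size supports encryption at host, (3) backs up the ADE key secrets out of Key Vault, and (4) migrates one VM by decrypting it, removing the ADE extension and setting encryptionAtHost. Resource group, VM, vault and path names are placeholders. The secret filter in Backup-AdeSecrets is an assumption about how the ADE extension labels its BEK secrets (ContentType and tags), so verify it against your own vault before relying on it. The guest-side work the question mentions (domain unjoin and rejoin) is not automated here.

```powershell
# Added example, not from the original post or the Microsoft migration document.
# Requires the Az module and an existing Connect-AzAccount session.
# All names (resource group, VM, vault, output path) are placeholders.

# 1. Inventory: every VM in the current subscription that still reports ADE-encrypted volumes.
function Get-AdeInventory {
    $rows = foreach ($vm in Get-AzVM) {
        $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name
        [pscustomobject]@{
            ResourceGroup    = $vm.ResourceGroupName
            VM               = $vm.Name
            Size             = $vm.HardwareProfile.VmSize
            OsVolume         = $status.OsVolumeEncrypted
            DataVolumes      = $status.DataVolumesEncrypted
            EncryptionAtHost = [bool]$vm.SecurityProfile.EncryptionAtHost
        }
    }
    $rows | Where-Object { $_.OsVolume -eq 'Encrypted' -or $_.DataVolumes -eq 'Encrypted' }
}

# 2. Pre-flight: encryption at host is only accepted on VM sizes that advertise the capability.
function Test-EncryptionAtHostSupport {
    param([string]$Location, [string]$VmSize)
    $sku = Get-AzComputeResourceSku -Location $Location |
        Where-Object { $_.ResourceType -eq 'virtualMachines' -and $_.Name -eq $VmSize }
    $cap = $sku.Capabilities | Where-Object { $_.Name -eq 'EncryptionAtHostSupported' }
    return ($cap.Value -eq 'True')
}

# 3. Key export: ADE stores each volume's BitLocker key (a BEK, or a KEK-wrapped BEK) as a
#    Key Vault secret. Backup-AzKeyVaultSecret writes an encrypted blob that Azure will only
#    restore into a Key Vault in the same subscription and geography, so the blobs are only
#    useful while a vault to restore them into still exists.
#    ASSUMPTION: the ContentType/tag filter below is how the ADE extension labels its secrets;
#    list the vault's secrets and confirm before trusting it.
function Backup-AdeSecrets {
    param([string]$VaultName, [string]$OutputDir)
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
    Get-AzKeyVaultSecret -VaultName $VaultName |
        Where-Object { $_.ContentType -like '*BEK*' -or ($_.Tags -and $_.Tags.ContainsKey('DiskEncryptionKeyFileName')) } |
        ForEach-Object {
            $file = Join-Path $OutputDir ("{0}.blob" -f $_.Name)
            Backup-AzKeyVaultSecret -VaultName $VaultName -Name $_.Name -OutputFile $file -Force
        }
}

# 4. Migrate one VM. Decryption runs inside the guest and can take hours per disk; the domain
#    unjoin/rejoin described in the question is a guest-side step performed outside this function.
function Move-VmToEncryptionAtHost {
    param([string]$ResourceGroupName, [string]$VMName)

    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
    if (-not (Test-EncryptionAtHostSupport -Location $vm.Location -VmSize $vm.HardwareProfile.VmSize)) {
        throw "$VMName runs on $($vm.HardwareProfile.VmSize), which does not support encryption at host; resize it first."
    }

    # Decrypt OS and data volumes, then poll until no volume is still encrypted or mid-decryption.
    Disable-AzVMDiskEncryption -ResourceGroupName $ResourceGroupName -VMName $VMName -VolumeType All -Force
    do {
        Start-Sleep -Seconds 60
        $s = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
        if ($s.OsVolumeEncrypted -eq 'VMRestartPending') {
            Restart-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
        }
    } until ($s.OsVolumeEncrypted   -ne 'Encrypted' -and $s.OsVolumeEncrypted   -notlike '*InProgress' -and
             $s.DataVolumesEncrypted -ne 'Encrypted' -and $s.DataVolumesEncrypted -notlike '*InProgress')

    Remove-AzVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName -VMName $VMName

    # securityProfile.encryptionAtHost can only be changed while the VM is deallocated.
    Stop-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName -Force
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
    Update-AzVM -ResourceGroupName $ResourceGroupName -VM $vm -EncryptionAtHost $true
    Start-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName

    # Confirm: encryptionAtHost is set and no volume still reports as ADE-encrypted.
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
    $s  = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
    [pscustomobject]@{
        VM               = $VMName
        EncryptionAtHost = [bool]$vm.SecurityProfile.EncryptionAtHost
        OsVolume         = $s.OsVolumeEncrypted
        DataVolumes      = $s.DataVolumesEncrypted
    }
}

# Usage (placeholder names):
# Get-AdeInventory | Format-Table
# Backup-AdeSecrets -VaultName 'kv-ade-prod' -OutputDir 'C:\ade-key-backups'
# Move-VmToEncryptionAtHost -ResourceGroupName 'rg-prod' -VMName 'app01'
```

Run Get-AdeInventory first and keep its output: it is the list you work through, and re-running it after each maintenance window shows what is still on ADE. Run Move-VmToEncryptionAtHost against a throwaway VM before any domain controller, and take a snapshot of each disk before decrypting so a failed run can be rolled back.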
