Encrypt disks on a Windows VM in Azure


This PowerShell script covers a complete case with one virtual machine (Windows Server 2016), with one data disk, Virtual Network, Subnet, Public IP Address, Network Security Group, BGInfo, and Disk Encryption Extensions.


The executing steps are :

Step 1. Create a Resource Group

Step 2. Create Azure Active Directory service principal

Step 3. Create AAD Application

Step 4. Create Azure Key Vault

Step 5. Create Cryptographic Key

Step 6. Give Permissions to the AAD Application access the principal keys

Step 7. Create Virtual Machine

Step 8. Enable BGInfo extension

Step 9. Enable Disk Encryption extension and encrypt the OS disk

Every step in the script can be used as a separated PowerShell code block.The deployment of the script takes 15 – 20 minutes.

Instructions on how to execute the .ps1 file

Step 1. download  Auto-Deploy-VM-DiskEncryption  File extract and save it to the drive C:\

Step 2. Open a Powershell with Administrative rights

Step 3. Suppose that the .ps1 file is downloaded on the C:\ drive and execute the following command

PS C:\> .\Auto-Deploy-VM-DiskEncryption.ps1 
SubscriptionName: My Subscription 
RGName: MyResourceGroupName 
Location: westeurope 
ApplicationName: MyAADApplication 
KVName: MyKeyName 
VMName: MyVMName
This script will update on a regular basis.

Be the first to comment

Leave a Reply

Your email address will not be published.