Forum Discussion

Jul 30, 2024

XXX virtual machines should enable Azure Disk Encryption or EncryptionAtHost.

Hello everyone, I'm facing issues related to a policy:

Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost.
Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost.

After enabling EncryptionAtHost, it appears as encrypted in the portal.

However, the policy does not recognize that it is encrypted and shows it as non-compliant.

The same happens when enabling Azure Disk Encryption (ADE): the policy still indicates that it is non-compliant.

Has anyone else experienced this?

1 Reply

    Hey orafaelferreira!

    You're not alone in experiencing this issue. It can be frustrating when the Azure portal shows your VMs as encrypted, but the policy compliance check still flags them as non-compliant.

    This usually boils down to a few potential issues:

    Common Causes and Solutions

    1. Policy Assignment Scope:

      • Ensure the policy is correctly scoped. Sometimes, policies need to be assigned at the correct scope level (subscription, resource group, or specific resources).
      • Verify that the policy assignment includes the resource groups where your VMs are located.
    2. Policy Evaluation Delay:

      • Azure Policy evaluation can sometimes take a while to update. Wait for a few hours and check again to see if the status updates to compliant.
    3. Policy Definitions and Versions:

      • Verify that you are using the latest version of the policy definition. Microsoft periodically updates policy definitions, and using an outdated version can lead to false non-compliance issues.
      • You can check the policy definition in the Azure portal or by using Azure PowerShell/CLI.
    4. Policy Parameters:

      • Ensure that the parameters used in the policy are correctly set. For example, if the policy is parameterized, check that it includes all necessary values for EncryptionAtHost or Azure Disk Encryption.
    5. Custom Policy Definition:

      • If you’re using a custom policy, double-check the logic in the policy definition. Make sure it correctly evaluates the encryption state.

    Steps to Troubleshoot

    • Check Policy Definition:

      • Navigate to Azure Policy in the Azure portal.
      • Find the specific policy and review its definition to ensure it covers EncryptionAtHost and Azure Disk Encryption correctly.
    • Policy Evaluation:

      • Manually trigger a policy evaluation to force an immediate compliance check:

        az policy state trigger-scan

      • Alternatively, you can navigate to the Assignments tab in Azure Policy, select the relevant policy, and choose Remediate.
    • Review Policy Compliance Details:

      • In the Azure portal, go to the Compliance tab under Azure Policy.
      • Select the policy and review the compliance details for specific VMs. This can provide insights into why they are being flagged as non-compliant.
    • Audit Logs:

      • Check the activity logs for any entries related to policy compliance. Sometimes, errors or warnings in the logs can provide clues.

    Hope this helps!

    Matthias
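One way to script the "review policy compliance details" step from the reply above, as an added example that is not part of this thread: it reconciles policy compliance states with the VMs' own encryption settings and lists the VMs that are encrypted but still flagged NonCompliant. The input is constructed sample data shaped like `az policy state list` and `az vm show` output (only the keys the script reads); the subscription id, the policy definition names and the ADE extension name are placeholders and assumptions.

```python
import json

# Constructed sample modelled on `az policy state list` output; only the keys
# this script reads are included and the definition names are placeholders.
SUB = "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/"
POLICY_STATES = json.loads("""[
 {"resourceId": "%svm-lnx-01", "policyDefinitionName": "linux-ade-or-eah-PLACEHOLDER",
  "complianceState": "NonCompliant"},
 {"resourceId": "%svm-lnx-02", "policyDefinitionName": "linux-ade-or-eah-PLACEHOLDER",
  "complianceState": "Compliant"},
 {"resourceId": "%svm-win-01", "policyDefinitionName": "windows-ade-or-eah-PLACEHOLDER",
  "complianceState": "NonCompliant"}
]""" % (SUB, SUB, SUB))

# Constructed sample modelled on `az vm show` output for the same three VMs.
# `resources` lists the VM extensions; an ADE extension is assumed to carry
# "AzureDiskEncryption" in its name.
VMS = json.loads("""[
 {"id": "%svm-lnx-01", "securityProfile": {"encryptionAtHost": true}, "resources": []},
 {"id": "%svm-lnx-02", "securityProfile": {"encryptionAtHost": true}, "resources": []},
 {"id": "%svm-win-01", "securityProfile": {"encryptionAtHost": null},
  "resources": [{"name": "AzureDiskEncryption"}]}
]""" % (SUB, SUB, SUB))


def vm_is_encrypted(vm):
    """Encryption as the portal reports it: EncryptionAtHost flag or an ADE extension."""
    eah = bool((vm.get("securityProfile") or {}).get("encryptionAtHost"))
    ade = any("AzureDiskEncryption" in ext.get("name", "")
              for ext in vm.get("resources") or [])
    return eah or ade


def find_mismatches(states, vms):
    """VMs that are encrypted per the VM resource but NonCompliant per policy state."""
    # Resource ids in policy states are often lower-cased; compare case-insensitively.
    by_id = {vm["id"].lower(): vm for vm in vms}
    mismatches = []
    for state in states:
        if state["complianceState"] != "NonCompliant":
            continue
        vm = by_id.get(state["resourceId"].lower())
        if vm is not None and vm_is_encrypted(vm):
            mismatches.append((state["resourceId"], state["policyDefinitionName"]))
    return mismatches


if __name__ == "__main__":
    for resource_id, definition in find_mismatches(POLICY_STATES, VMS):
        print(f"{resource_id.rsplit('/', 1)[-1]}: encrypted but NonCompliant for {definition}")
```

Against real data, feed it the JSON from `az policy state list` and `az vm show` instead of the embedded samples; every VM it prints is one whose compliance detail is worth opening in the portal.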
