Forum Discussion
XXX virtual machines should enable Azure Disk Encryption or EncryptionAtHost.
Hi there,
This can happen because Azure Policy does not update compliance immediately after encryption is enabled. First, trigger an on-demand policy compliance scan and allow some time for reevaluation.
Also verify the property directly:
Get-AzVM -ResourceGroupName "<RG>" -Name "<VM>" |
Select-Object -ExpandProperty SecurityProfile
EncryptionAtHost should show True. For existing VMs, the VM must usually be deallocated before enabling Encryption at Host and then started again.
If it remains non-compliant after a new policy scan, open the resource’s compliance details to identify the exact evaluated condition. Also check whether an older or duplicated version of the built-in policy is assigned.
One important point: Azure Disk Encryption and Encryption at Host should not be enabled together. For current deployments, Encryption at Host is generally the preferred option