Jun 06 2024 05:18 AM
Advisor noticed that Azure Disk Encryption is missing on my VMs and gave me the following recommendation: "Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost."
A couple of weeks ago I installed the AzurePolicyforWindows extension on one of the machines. Its status changed to compliant.
Two days ago, I did the same for all other VMs but their statuses haven't changed.
Am I missing something or are the policies messing with me?
Jul 25 2024 05:08 PM
@AzureToujours Policy won't be applied until there is a change in state to the resources it is being applied to. Policy by itself is just a written rule, so something has to trigger the application of that rule. If you were to enforce the encryption policy at the Resource Group level and then create a new Windows VM it would be encrypted because the create operation would trigger the rule. Policy can be used to remediate non-compliant resources using the DeployIfNotExists effect, if you supply the policy with the template it should apply to fix the problem.
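The reply above says evaluation only happens on a trigger. An added example of forcing that trigger from Azure PowerShell, reading back the per-VM result, and starting a remediation task only when the assigned effect actually supports one. This is not code from the thread or from Microsoft; it assumes Az.Resources and Az.PolicyInsights are installed, that Connect-AzAccount has been run with Resource Policy Contributor rights, and the resource group name and assignment name (`rg-vms-prod`, `vm-disk-encryption`) are placeholders to replace.

```powershell
# Added example, not from the thread. Assumes Az.Resources + Az.PolicyInsights and an
# authenticated session. $rg and $assignmentName are placeholder names (assumptions).
$rg                = 'rg-vms-prod'
$assignmentName    = 'vm-disk-encryption'
$policyDisplayName = 'Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost'

# Az.Resources 7.x returns flattened policy objects; older versions nest them under .Properties.
function Get-PolicyProp {
    param($Object, [string]$Name)
    if ($Object.PSObject.Properties[$Name]) { return $Object.$Name }
    return $Object.Properties.$Name
}

# Look the built-in definition up by display name: compliance records carry the
# definition's GUID name, not the text Advisor shows you.
$def = Get-AzPolicyDefinition -Builtin |
    Where-Object { (Get-PolicyProp $_ 'DisplayName') -eq $policyDisplayName } |
    Select-Object -First 1
if (-not $def) { throw "Policy definition not found: $policyDisplayName" }

# 1. Force an evaluation now rather than waiting for the next scheduled cycle or for a
#    change to the VMs. This call blocks until the scan for the resource group finishes.
Start-AzPolicyComplianceScan -ResourceGroupName $rg

# 2. Latest compliance record for each VM under this definition.
$filter = "PolicyDefinitionName eq '$($def.Name)' and ResourceType eq 'Microsoft.Compute/virtualMachines'"
Get-AzPolicyState -ResourceGroupName $rg -Filter $filter |
    Select-Object ResourceId, ComplianceState, Timestamp |
    Format-Table -AutoSize

# 3. A remediation task only does something for DeployIfNotExists or Modify effects, so
#    check the effect before creating one. Built-in rules usually reference a parameter
#    ("[parameters('effect')]"); resolve its default value here. An assignment can override
#    that default, so treat the result as the definition's default, not the assigned value.
$rule   = Get-PolicyProp $def 'PolicyRule'
$effect = $rule.then.effect
if ($effect -match "^\[parameters\('(\w+)'\)\]$") {
    $effect = (Get-PolicyProp $def 'Parameters').($Matches[1]).defaultValue
}

if ($effect -in @('DeployIfNotExists', 'Modify')) {
    $scope      = "/subscriptions/$((Get-AzContext).Subscription.Id)/resourceGroups/$rg"
    $assignment = Get-AzPolicyAssignment -Name $assignmentName -Scope $scope
    # Newer Az.Resources exposes the ARM id as .Id, older versions as .ResourceId.
    $assignmentId = if ($assignment.PSObject.Properties['Id']) { $assignment.Id } else { $assignment.ResourceId }

    # ReEvaluateCompliance re-checks every resource in scope instead of only those already
    # recorded as non-compliant, which is what you want after adding extensions by hand.
    Start-AzPolicyRemediation -Name "remediate-$(Get-Date -Format yyyyMMddHHmm)" `
        -ResourceGroupName $rg `
        -PolicyAssignmentId $assignmentId `
        -ResourceDiscoveryMode ReEvaluateCompliance
} else {
    Write-Host "Effect is '$effect': this policy only reports. Fix the VMs directly (Azure Disk Encryption or EncryptionAtHost) and re-run the scan."
}
```

The on-demand scan in step 1 is the practical answer to "statuses haven't changed": installing the guest extension by hand changes the VM, but the compliance record you see in the portal is only refreshed when an evaluation runs. Step 3 guards against a common mistake in this area: creating a remediation task against an audit-type assignment, which completes without touching anything. If the printed effect is AuditIfNotExists, the policy can tell you which VMs are unencrypted but cannot encrypt them for you.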
Sep 23 2024 05:28 PM