How to get Policy "Windows VMs should enable ADE or EncryptionAtHost." to be compliant?


Advisor noticed that Azure Disk Encryption is missing on my VMs and gave me the following recommendation: "Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost."


A couple of weeks ago I installed the AzurePolicyforWindows extension on one of the machines. Its status changed to compliant.

Two days ago, I did the same for all other VMs but their statuses haven't changed.

Am I missing something or are the policies messing with me?

2 Replies

@AzureToujours Policy won't be applied until there is a change in state to the resources it is being applied to. Policy by itself is just a written rule, so something has to trigger the application of that rule. If you were to enforce the encryption policy at the Resource Group level and then create a new Windows VM, it would be encrypted because the create operation would trigger the rule. Policy can be used to remediate non-compliant resources using the DeployIfNotExists effect, if you supply the policy with the template it should apply to fix the problem.

@AzureToujours How about the policy assignment, scope, definition and compliance scan?
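The two replies point at the same checklist: confirm which assignment and definition cover the VM, force a compliance evaluation rather than waiting for one, see whether a remediation task even applies, and compare that with what the VM itself reports. The script below walks that checklist for one VM. It is an added example, not code from the thread or from Microsoft; the resource group, VM name and the `Get-DefinitionField` helper are assumptions, it assumes the Az.Accounts, Az.Compute, Az.Resources and Az.PolicyInsights modules are installed and `Connect-AzAccount` has been run, and it makes no assumption about how the built-in policy evaluates beyond matching it by display name.

```powershell
# Added example (not from the original thread). Placeholders below are assumptions.
$rg     = 'rg-app'
$vmName = 'vm-win-01'
$policyDisplayName = 'Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost'

# Az.Resources before v7 nests definition fields under .Properties; newer versions
# flatten them onto the object. This helper reads a field from either shape.
function Get-DefinitionField {
    param($Definition, [string]$Name)
    if ($Definition.PSObject.Properties[$Name]) { return $Definition.$Name }
    return $Definition.Properties.$Name
}

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# 1. Force an evaluation now instead of waiting for the next resource write or the
#    scheduled compliance cycle. This call blocks until the scan has finished.
Start-AzPolicyComplianceScan -ResourceGroupName $rg

# 2. Latest compliance records for this VM, resolved to the definition's display
#    name so the ADE/EncryptionAtHost policy can be picked out of the list.
$states = Get-AzPolicyState -ResourceId $vm.Id
$target = foreach ($s in $states) {
    $def = Get-AzPolicyDefinition -Id $s.PolicyDefinitionId
    if ((Get-DefinitionField $def 'DisplayName') -eq $policyDisplayName) { $s }
}
if (-not $target) {
    Write-Warning "No assignment of '$policyDisplayName' covers $vmName; check the assignment scope."
}
foreach ($s in $target) {
    "{0,-14} effect={1,-18} assignment={2} scope={3} evaluated={4:u}" -f `
        $s.ComplianceState, $s.PolicyDefinitionAction, $s.PolicyAssignmentName,
        $s.PolicyAssignmentScope, $s.Timestamp
}

# 3. What the VM actually has. The policy title names two acceptable states:
#    encryption at host on the VM, or Azure Disk Encryption on its volumes.
$eah = $vm.SecurityProfile.EncryptionAtHost
$ade = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
"EncryptionAtHost={0} ADE OS volume={1} ADE data volumes={2}" -f `
    $eah, $ade.OsVolumeEncrypted, $ade.DataVolumesEncrypted

# 4. The guest configuration extension the question installed, with its
#    provisioning state (a failed or still-pending install shows up here).
Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Status |
    Where-Object Publisher -eq 'Microsoft.GuestConfiguration' |
    Select-Object Name, ExtensionType, ProvisioningState

# 5. Remediation tasks only exist for deployIfNotExists and modify effects. For an
#    audit-type effect there is nothing to remediate; the VM itself has to change.
foreach ($s in $target) {
    if ($s.PolicyDefinitionAction -in 'deployifnotexists', 'modify') {
        Start-AzPolicyRemediation -Name "fix-encryption-$vmName" `
            -PolicyAssignmentId $s.PolicyAssignmentId -ResourceGroupName $rg
    } else {
        "Effect '$($s.PolicyDefinitionAction)' has no remediation task; enable ADE or EncryptionAtHost on the VM."
    }
}

# 6. The change the policy title asks for, shown for encryption at host. The VM
#    must be deallocated and the EncryptionAtHost feature registered on the
#    subscription first. Gated behind $applyFix so the checks above stay read-only.
$applyFix = $false
if ($applyFix -and -not $eah) {
    Register-AzProviderFeature -FeatureName EncryptionAtHost -ProviderNamespace Microsoft.Compute | Out-Null
    Stop-AzVM -ResourceGroupName $rg -Name $vmName -Force          # deallocates
    Update-AzVM -ResourceGroupName $rg -VM $vm -EncryptionAtHost $true
    Start-AzVM -ResourceGroupName $rg -Name $vmName
    Start-AzPolicyComplianceScan -ResourceGroupName $rg          # re-evaluate after the write
}
```

Run steps 1 to 5 first and read the `effect=` column: if it is an audit-type effect, no remediation task will ever flip the state and only a change to the VM (step 6) will. Feature registration in step 6 is asynchronous and can take a while to reach `Registered` (check with `Get-AzProviderFeature -FeatureName EncryptionAtHost -ProviderNamespace Microsoft.Compute`), and not every VM size supports encryption at host, so `Update-AzVM` can still fail after registration; the compliance record only changes once the VM write has gone through and the next evaluation has run.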