Microsoft AzureOverview
NOTE: This is a legacy recommendation. Managed Disks are encrypted by default and recommended for all new VM implementations.
VHD (Virtual Hard Disks) are stored in BLOB storage. They are the old-style disks that were attached to Virtual Machines, and the BLOB VHD was then leased to the VM. By default, storage accounts are not encrypted, and Azure Defender(Security Centre) would then recommend that the OS disks be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK, and this should be turned on for storage accounts containing VHDs.
Rationale
With the changes that have been made that recommend using managed disks that are encrypted by default, we also need to have a recommendation that "legacy" disks that may, for several reasons, need to be left as VHDs should also be encrypted to protect the data content.
Impact
The size of the impact will depend on how the encryption is implemented; if provider-managed keys(PMK) are utilized, the impact is relatively low, but processes need to be put in place to rotate the keys regularly. If customer-managed keys(CMK) are utilized, a key management process needs to be implemented to store and manage key rotation, and thus, the impact is medium to high, depending on user maturity with key management.
Remediation guidance
From Azure Portal
- Navigate to the
storage accountthat you wish to encrypt - Select the
encryptionoption - Select the
key typethat you wish to use
If you wish to use an azure managed key (the default), you can save at this point and encryption will be applied to the account.
If you select customer managed key it will ask for the location of the key (The default is an Azure Keyvault) and the key name.
Once these arecaptured, save the configuration and the account will be encrypted using the provided key.
Using Azure Command Line Interface
Create the Keyvault
az keyvault create --name "myKV" --resource-group "myResourceGroup" --location eastus --enabled-for-disk-encryption
Encrypt the disk and store the key in keyvault
az vm encryption enable -g MyResourceGroup --name MyVM --disk-encryption-keyvault myKV
Using Azure Powershell
This process uses a keyvault to store the keys
Create the Keyvault
New-AzKeyvault -name MyKV -ResourceGroupName myResourceGroup -Location EastUS -EnabledForDiskEncryption
Encrypt the disk and store the key in keyvault
$KeyVault = Get-AzKeyVault -VaultName MyKV -ResourceGroupName MyResourceGroupSet-AzVMDiskEncryptionExtension -ResourceGroupName MyResourceGroup -VMName MyVM -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId
Default Value
The default value for encryption is "NO Encryption"
References
- CLI: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-cli-quickstart
- Powershell: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-powershell-quickstart
- https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest
Multiple Remediation Paths
Azure
SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.
PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.
References for Service-Wide Patterns
- Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
- Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
- Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
Azure unmanaged disks
Connectors
Covered asset types
Expected check: eq []
{
disks(where: { diskAttachments: { NOT: { vhdURI: "" } } }) {
...AssetFragment
}
}
