Unable to Enable Encryption at host for Azure VM

Question

I'm attempting to enable Encryption at host for a virtual machine (VM) in Azure. I've confirmed that the "Microsoft.Compute" resource provider is registered in my Azure subscription, and when I run the necessary command to verify, it shows as registered. However, when I try to enable encryption at the host level for the VM's disk, I encounter the following error:

Failed to update 'abc-vm'. Error: The property 'securityProfile.encryptionAtHost' is not valid because the 'Microsoft.Compute/EncryptionAtHost' feature is not enabled for this subscription

Is there a specific solution or additional troubleshooting step I should consider to enable host-level encryption successfully? Any guidance or assistance would be greatly appreciated.

Answer 1

To Enable Encryption at host for Azure vm you can follow the below steps:

Ensure that it is registered for your subscription like below:

Register-AzProviderFeature -FeatureName "EncryptionAtHost" -ProviderNamespace "Microsoft.Compute"

Get-AzProviderFeature -FeatureName "EncryptionAtHost" -ProviderNamespace "Microsoft.Compute"

As per MsDoc make sure that you are selecting the correct vm size.

To check the supported vm size to allow Encryption at host make use of below script.

$vmSizes=Get-AzComputeResourceSku | where{$_.ResourceType -eq 'virtualMachines' -and $_.Locations.Contains('eastus')} 

foreach($vmSize in $vmSizes)
{
    foreach($capability in $vmSize.capabilities)
    {
        if($capability.Name -eq 'EncryptionAtHostSupported' -and $capability.Value -eq 'true')
        {
            $vmSize

        }

    }
}

Output:

After ensuring the above steps, I am able to create virtual machine with enabled Encryption at host like below:

If error persists, send an email to [email protected] with your subscription Ids to get the feature enabled for your subscriptions.

Reference:

Unable to enable encryption at host · Issue #68028 · MicrosoftDocs/azure-docs · GitHub by DerekHerman-MSFT