Encryption At Host on Domain Controller VMs

Richard Long 341 Reputation points
2025-05-05T15:28:47.23+00:00

I would like to enable Encryption At Host on all Azure Virtual Machines. For our Domain Controller VMs, I need to confirm the best practice for shutting them down and deallocating them. From what I understand, Domain Controllers should be shut down from the Guest OS due to the VM-GenerationID. However, it seems that shutting down the VM this way doesn't deallocate it. Is there a recommended way to shut down a Domain Controller so that the Encryption At Host setting can be applied?

Thanks.


1 answer

  1. Pramidha Yathipathi 600 Reputation points Microsoft External Staff
    2025-05-05T18:48:49.4133333+00:00

    Hi Richard Long,

    It sounds like you're trying to enable Encryption At Host on your Domain Controller VMs in Azure and want to ensure you're following the best practices for shutting them down properly. You're right that it's essential to shut down Domain Controllers from the Guest OS to maintain the VM-GenerationID, but this does not actually deallocate the VMs, which is necessary to apply the Encryption At Host settings. Here are the steps you can follow to handle this properly:

    1. Shut Down the Domain Controller from the Guest OS: Log in to your Domain Controller VM and shut it down from within the operating system. This ensures that the VM-GenerationID remains intact.

    2. Deallocate the VM: After shutting down the VM from the Guest OS, go to the Azure portal. Navigate to the VM's overview page and select "Stop" to deallocate the VM. You will need to manually deallocate it after the shutdown to enable changes like Encryption At Host.

    3. Enable Encryption At Host: Once the VM is deallocated, you can now proceed with enabling Encryption At Host. Follow the steps in the Azure Documentation for enabling Encryption At Host based on your preference (Azure CLI, PowerShell, or Azure Portal).

       https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disks-enable-host-based-encryption-cli

    4. Restart the VM: After enabling the Encryption At Host, start your VM from the Azure portal.

    This method ensures that your Domain Controllers are shut down correctly while allowing for the necessary changes to be applied.

    If you found this information helpful, please click "Upvote" and "Accept Answer".

    Thank You.

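The four steps in the answer above, scripted end to end with the Az PowerShell module. This is an added example, not part of the question or the answer and not Microsoft's code; the resource group `rg-identity` and VM name `DC01` are placeholder assumptions. It refuses to proceed while the DC is still running (the guest-OS shutdown is the administrator's job, so the VM-GenerationID is preserved), waits until the platform reports the VM as `stopped` (guest halted, but still allocated and still billed), deallocates with `Stop-AzVM`, sets `EncryptionAtHost` with `Update-AzVM`, verifies the property took before starting the VM, and finally runs `dcdiag` inside the guest to confirm the DC is advertising and replicating again.

```powershell
<#
  Added example (not from the question or the answer on this page):
  deallocate, enable Encryption At Host and restart an Azure domain
  controller VM with the Az PowerShell module.
  Assumed placeholders: resource group 'rg-identity', VM 'DC01'.
  Run this AFTER shutting the DC down from inside the guest OS.
#>
param(
    [string]$ResourceGroup = 'rg-identity',   # placeholder, assumed
    [string]$VmName        = 'DC01'           # placeholder, assumed
)

$ErrorActionPreference = 'Stop'

function Get-VmPowerState {
    # Returns 'running', 'stopping', 'stopped' (guest halted, VM still allocated)
    # or 'deallocated' (compute released; required for Encryption At Host).
    param([string]$ResourceGroup, [string]$VmName)
    $status = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName -Status
    $code   = ($status.Statuses | Where-Object { $_.Code -like 'PowerState/*' }).Code
    return $code -replace '^PowerState/', ''
}

# 0. Prerequisite: the subscription must have the EncryptionAtHost feature registered.
$feature = Get-AzProviderFeature -FeatureName 'EncryptionAtHost' -ProviderNamespace 'Microsoft.Compute'
if ($feature.RegistrationState -ne 'Registered') {
    throw "EncryptionAtHost feature is '$($feature.RegistrationState)'. Run Register-AzProviderFeature first."
}

# 1. The guest-OS shutdown is done by an administrator inside the DC (for example
#    Stop-Computer -Force) so the VM-GenerationID is preserved. This script never
#    issues a platform stop against a running DC: it waits for the guest to halt.
if ((Get-VmPowerState -ResourceGroup $ResourceGroup -VmName $VmName) -eq 'running') {
    throw "$VmName is still running. Shut it down from inside the guest OS first."
}
while ((Get-VmPowerState -ResourceGroup $ResourceGroup -VmName $VmName) -notin @('stopped', 'deallocated')) {
    Write-Host "Waiting for the guest-OS shutdown of $VmName to complete..."
    Start-Sleep -Seconds 15
}

# 2. Deallocate. A guest shutdown leaves the VM 'stopped' (still allocated, still billed);
#    Stop-AzVM without -StayProvisioned releases the compute, which Encryption At Host requires.
if ((Get-VmPowerState -ResourceGroup $ResourceGroup -VmName $VmName) -ne 'deallocated') {
    Stop-AzVM -ResourceGroupName $ResourceGroup -Name $VmName -Force | Out-Null
}
if ((Get-VmPowerState -ResourceGroup $ResourceGroup -VmName $VmName) -ne 'deallocated') {
    throw "$VmName did not reach the deallocated state."
}

# 3. Enable Encryption At Host on the deallocated VM, then re-read the VM and verify.
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
Update-AzVM -ResourceGroupName $ResourceGroup -VM $vm -EncryptionAtHost $true | Out-Null

$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
if (-not $vm.SecurityProfile.EncryptionAtHost) {
    throw "EncryptionAtHost is not set on $VmName; not starting the VM."
}
Write-Host "EncryptionAtHost enabled on $VmName."

# 4. Start the VM from the platform, then confirm the DC is healthy before moving on.
Start-AzVM -ResourceGroupName $ResourceGroup -Name $VmName | Out-Null

$check = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroup -VMName $VmName `
    -CommandId 'RunPowerShellScript' `
    -ScriptString 'dcdiag /test:Advertising /test:Replications /test:Services'
$check.Value | ForEach-Object { $_.Message }
```

Two points worth keeping in mind when running it: Encryption At Host also requires a VM size that supports it, so `Update-AzVM` fails on an unsupported size and the script stops before starting the VM; and the `dcdiag` output at the end is the signal to look at before touching the next domain controller, so that only one DC at a time is offline.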
