This article covers my custom PowerShell automation scripts used to set up Azure Disk Encryption (BitLocker) for an Azure Virtual Machine (VM) using Azure Key Vault. The article includes a video demonstration going over the entire process and testing the encryption on a Windows Virtual Machine (VM).

Disk Encryption BitLocker


Steps covered in the above video:

Running the Initialize-AzureDiskEncryption.ps1 script, which automates the steps below:

  • Create Azure Active Directory App
  • Create Key for App
  • Create Azure Key Vault
  • Add permission for the Azure Active Directory App to the Key Vault
  • Generate a self-signed encryption certificate
  • Upload encryption certificate to the Azure Key Vault Secret
  • Create Azure Key Vault Encryption Key (KEK)
  • Put a delete lock on Key Vault resource

Running the Add-AzureDiskEncryptionWinVM.ps1 script, which automates the steps below:

  • Add Encryption certificate to VM’s local store
  • Enable disk encryption using disk encryption VM extension
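The two scripts above are not reproduced here. The following is an added example, not the author's code, that performs the same sequence with the Az modules (Az.Resources 5 or later, Az.KeyVault, Az.Compute); it assumes an existing Windows VM, and every name and the PFX password below are placeholders.

```powershell
# Added example, not the author's scripts. Assumes the Az modules (Az.Resources 5+, Az.KeyVault,
# Az.Compute), an existing Windows VM, and placeholder names that you replace.
$rg = 'rg-ade-demo'; $location = 'westeurope'; $vmName = 'vm-ade-demo'
$vaultName = 'kv-ade-demo-01'   # must be globally unique
$appName = 'ade-demo-app'; $kekName = 'ade-kek'
$pfxPwdPlain = 'placeholder-pfx-password'   # placeholder; generate a fresh one per run
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# --- Initialize: identity, vault, certificate, KEK, lock ---
# Azure AD app + service principal that the disk encryption extension authenticates as
$app = New-AzADApplication -DisplayName $appName
$sp  = New-AzADServicePrincipal -ApplicationId $app.AppId

# Certificate credential instead of a client secret: nothing to paste into scripts
$cert = New-SelfSignedCertificate -Subject "CN=$appName" -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(1)
New-AzADAppCredential -ApplicationId $app.AppId -CertValue ([Convert]::ToBase64String($cert.GetRawCertData())) `
    -EndDate $cert.NotAfter | Out-Null

# Vault usable by the disk encryption extension; purge protection keeps the KEK recoverable
$vault = New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $location `
    -EnabledForDiskEncryption -EnablePurgeProtection

# Least privilege: the app only wraps BEKs with the KEK and writes the wrapped BEK secrets
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $sp.Id -PermissionsToKeys wrapKey -PermissionsToSecrets set

# Store the PFX in the JSON shape Add-AzVMSecret expects, then remove the local copy
$pfxPath = Join-Path $env:TEMP "$appName.pfx"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password (ConvertTo-SecureString $pfxPwdPlain -AsPlainText -Force) | Out-Null
$pfxJson = @{ data = [Convert]::ToBase64String([IO.File]::ReadAllBytes($pfxPath)); dataType = 'pfx'; password = $pfxPwdPlain } | ConvertTo-Json
$secret = Set-AzKeyVaultSecret -VaultName $vaultName -Name "$appName-cert" `
    -SecretValue (ConvertTo-SecureString $pfxJson -AsPlainText -Force) -ContentType 'application/x-pkcs12'
Remove-Item $pfxPath

# Key Encryption Key that wraps each disk's BitLocker key, and a lock so the vault cannot be deleted
$kek = Add-AzKeyVaultKey -VaultName $vaultName -Name $kekName -Destination Software
New-AzResourceLock -LockName "$vaultName-nodelete" -LockLevel CanNotDelete -ResourceGroupName $rg `
    -ResourceName $vaultName -ResourceType 'Microsoft.KeyVault/vaults' -Force | Out-Null

# --- Add-AzureDiskEncryptionWinVM equivalent: install the cert on the VM, enable the extension ---
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
$vm = Add-AzVMSecret -VM $vm -SourceVaultId $vault.ResourceId -CertificateStore 'My' -CertificateUrl $secret.Id
Update-AzVM -ResourceGroupName $rg -VM $vm | Out-Null
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -AadClientID $app.AppId -AadClientCertThumbprint $cert.Thumbprint `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri -DiskEncryptionKeyVaultId $vault.ResourceId `
    -KeyEncryptionKeyUrl $kek.Id -KeyEncryptionKeyVaultId $vault.ResourceId -VolumeType All -Force

# Verify: OsVolumeEncrypted / DataVolumesEncrypted should report Encrypted once the extension finishes
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
```

The PFX password travels inside the Key Vault secret, so restrict who holds `get` on secrets in that vault; the access policy above deliberately gives the app itself no read rights.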


Used a quick-start template to enable disk encryption for a running Virtual Machine (VM)

Microsoft Azure article covering the steps referenced in the video

Disk Encryption Series