How to Disable Disk Encryption on Azure VMs

We found a gap in Microsoft documentation, for disabling disk encryption on VMs, and this blog may help someone save time.

We had disk encryption enabled on a VM. We needed to disable the disk encryption. The disk encryption is bit locker encryption. You would see a lock symbol on the disks to indicate that the bit locker or disk encryption is enabled:

Microsoft provides a knowledge article to help with this. However, we found that the Microsoft Knowledge article is inaccurate.

The KB basically asks user to run the following two commands:

Disable-AzVMDiskEncryption And Remove-AzVMDiskEncryptionExtension with appropriate parameters.

We got the following error when we ran the first command - Disable-AzVMDiskEncryption:

ErrorMessage: Multiple VMExtensions per handler not supported for OS type 'Windows'. VMExtension 'AzureDiskEncryption' with handler 'Microsoft.Azure.Security.AzureDiskEncryption' already added or specified in input.

To resolve the situation, we ran the following command to find the list of extensions, and found that Microsoft has changed the name of the extension to AzureDiskEncryption0, however the documentation is not updated.

We needed to remove this extension with the following command:

Now we see Status code OK.

The Disable-AzVMDiskEncryption command now succeeds.

The command Remove-AzVMDiskEncryptionExtension mentioned in the article is not needed. It does not fail with a red error, however the output means that it did not find the extension, so basically it did nothing. You can see the output below:

You can also remove bit locker encryption directly from the VM. However, if the correct extension is not removed using the steps mentioned above, the disks will get encrypted again after sometime.

If you have questions about this topic or would like to discuss further, please let us know! We are happy to help.