This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 95%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDG%3C/text%3E%3C/svg%3E)
In Defender for cloud, I'm getting Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost recommendations, but in my Azure VM EncryptionAtHost enabled already, I have checked connection between VM and Azure monitor and also checked Heartbeat from azure monitor to agent and receive result from agent and vice versa. Why I'm receiving recommendation If encryption is in place.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@Davit Grigoryan Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.
In process of transition to AMA, will update here accordingly, thank you.
@Davit Grigoryan Did you get the correct result in Defender after you got to AMA?
I have the same recommendation in Defender for some of my VM's but EncryptionAtHost is enabled and we are using AMA
It seems like an issue where over time, more and more VM is suddenly appearing on the list with missing Encryption enabled
@Davit Grigoryan Did you get the correct result in Defender after you got to AMA? I have the same recommendation in Defender for some of my VM's but EncryptionAtHostVM's is enabled and we are on AMA It seems like an issue where over time, more and more VM is suddenly appearing on the list with missing Encryption enabled
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 35%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKJ%3C/text%3E%3C/svg%3E)
I’m experiencing the same issue across approximately 44 VMs. Previously, we hadn’t enabled Encryption at host, and even after activating it, the VMs are still showing an unhealthy status. Additionally, I noticed something unusual: although the refresh interval is set to 30 minutes, the last updated timestamp shows a date from several days ago and hasn’t changed since.
Hello Davit, Welcome to MS Q&A
It seems that you have already enabled EncryptionAtHost (HBE) on your Azure VM. However, you are still receiving recommendations to enable Azure Disk Encryption (ADE) or EncryptionAtHost. Let's delve into the possible reasons for this recommendation.
It's important to note that enabling both ADE and HBE at the same time on a VM is not supported. Additionally, customers should not enable HBE on a VM which previously used ADE at some point. This could be a reason why you are still receiving the recommendation despite having HBE enabled on your VM.
Another aspect to consider is the compliance requirements for ADE. For Windows VMs, the OS disk and all data disks should be encrypted, with the exception of the 'System Reserved partition' and the "BEK volume" created by ADE extension. For Linux VMs, similar encryption requirements apply, with exemptions for certain disks and file system types not supported by the ADE extension.
To further troubleshoot this issue, you can check if any disk on the VM is missing ADE encryption. For Windows, you can run the command "manage -bde --status" from an elevated command prompt or PowerShell window. For Linux, you can run the command "lsblk" from an elevated user prompt to verify the encryption status of the disks.
For further details and specific commands to check the encryption status, you can refer to the Microsoft Defender for Cloud Encryption recommendation troubleshooting guide.
For more detailed instructions, you can view solution:
Please let us know if further questions
Kindly accept answer if it helps
Thanks
Deepanshu
Thank you for your reply,
We don't have attached data or any disk on VM ,only Temp disk, which have to be encrypted with HBE.
There is another part ,that I doubt ,It is configuration of defender environments, in attached you can see that .Is there possibility that there's conflict in collecting data for defender and scan is out of date?
I think If the Log Analytics Agent is outdated and other critical scanning or monitoring tools are turned off (such as Vulnerability Assessment and Agentless Scanning), this could lead to incomplete or out-of-date security data being reported to Defender. Without updated information from these components, Microsoft Defender may not be performing scans accurately or in a timely manner.
All tools are enabled, but still facing the outdate findings and recommendations from defender for cloud
For more detailed instructions, you can view solutions:
Thank you for your reply.