Microsoft recently announced that Azure Disk Encryption will be discontinued in September 2028. There is still a long way to go until then, but I would nevertheless like to provide some more detailed information below and explain how you can find out whether one or more of your Azure disks are affected.
Retirement – Azure Disk Encryption
On 24 September 2025, Microsoft announced via Azure Updates that Azure Disk Encryption will no longer be available in September 2028, i.e. in three years’ time. It is important to note that both new and existing Azure disks will be affected and Microsoft will not take any action automatically.
If a disk still has Azure Disk Encryption enabled when it is rebooted on or after 15 September 2028, it will no longer unlock during the boot phase.
Am I affected? Find out now!
You can use the Service Retirement Workbook provided by Microsoft to check whether your Azure disks are affected or not.
Here is the direct link to the workbook: Service Retirement Workbook
Important to note
At the time of writing this article on 26 September 2025, retirement is not yet listed. Experience shows that it takes a few days after the announcement before it appears in the workbook.
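Until the retirement appears in the workbook, an inventory pass over your own VM data gives the same answer. The script below is an added example, not part of the original article or a Microsoft tool: it classifies VM records in the shape returned by `az vm show` / `az vm list` (the `resources` extension list and `securityProfile.encryptionAtHost` fields are assumed to be present as in that output) and flags VMs that still rely on the Azure Disk Encryption extension. The sample records are constructed.

```python
"""Classify Azure VMs by disk-encryption method (added example, constructed data)."""

# The Azure Disk Encryption VM extension: one publisher, one type per OS family.
ADE_PUBLISHER = "Microsoft.Azure.Security"
ADE_TYPES = {"AzureDiskEncryption", "AzureDiskEncryptionForLinux"}


def _extension_type(ext: dict) -> str:
    # Newer CLI output uses `typePropertiesType`; older output used
    # `virtualMachineExtensionType` (assumption: one of the two is present).
    return ext.get("typePropertiesType") or ext.get("virtualMachineExtensionType") or ""


def encryption_method(vm: dict) -> str:
    """Return 'ADE' (affected by the 2028 retirement), 'EncryptionAtHost',
    or 'PlatformManagedOnly' (server-side encryption with platform keys only)."""
    extensions = vm.get("resources") or []
    uses_ade = any(
        ext.get("publisher") == ADE_PUBLISHER and _extension_type(ext) in ADE_TYPES
        for ext in extensions
    )
    if uses_ade:
        return "ADE"
    if (vm.get("securityProfile") or {}).get("encryptionAtHost"):
        return "EncryptionAtHost"
    return "PlatformManagedOnly"


def affected_vms(vms: list) -> list:
    """Names of VMs that still need migrating away from Azure Disk Encryption."""
    return [vm["name"] for vm in vms if encryption_method(vm) == "ADE"]


# Constructed sample: three VMs with the fields the classifier relies on.
SAMPLE_VMS = [
    {"name": "legacy-win01",
     "resources": [{"publisher": ADE_PUBLISHER, "typePropertiesType": "AzureDiskEncryption"}],
     "securityProfile": {"encryptionAtHost": False}},
    {"name": "legacy-lnx01",
     "resources": [{"publisher": ADE_PUBLISHER, "virtualMachineExtensionType": "AzureDiskEncryptionForLinux"}],
     "securityProfile": None},
    {"name": "avd-host01",
     "resources": [{"publisher": "Microsoft.Azure.Monitor", "typePropertiesType": "AzureMonitorWindowsAgent"}],
     "securityProfile": {"encryptionAtHost": True}},
]

if __name__ == "__main__":
    for vm in SAMPLE_VMS:
        print(f"{vm['name']:<14} {encryption_method(vm)}")
    print("Affected by the ADE retirement:", affected_vms(SAMPLE_VMS))
```

In practice, feed the function the JSON from `az vm list --output json` for each subscription instead of the constructed list.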
Migration Possibilities
Since Microsoft does not offer a seamless option, you will need to take action yourself before 15 September 2028. Microsoft has published migration documentation on this subject.
It should be noted that this requires new disks and virtual machines; an in-place migration is not possible at this time.
I have not yet gone through the migration process described in the documentation myself, but I will certainly do so at some point and share my experiences.
What’s the new alternative?
The new alternative and standard is called Encryption at Host. This is a security feature within the Azure cloud service designed to encrypt data directly on the host machine before it is written to storage. This provides an additional layer of protection by keeping your data encrypted throughout the entire processing time.
In the Azure environment, this means that your sensitive information is protected at the level of the virtual machine (VM). This is particularly crucial for companies that need to comply with strict regulations or whose data is highly vulnerable to attacks.
Benefits of Encryption at Host include:
- Enhanced Security
Protects data at rest directly on the host.
- Easy implementation
Automated encryption without additional administrative overhead.
- Compliance
Supports adherence to legal regulations and data protection standards.
This feature strengthens the security profile of your Azure infrastructure and ensures that your data is optimally protected even in potentially insecure environments.
From My Perspective
For a few months now, I have been using encryption at host in the Azure Virtual Desktop environment. My experiences with the setup and daily operation have been very positive. So far, I haven’t noticed anything negative, and since this is a new standard from Microsoft, I will continue to use it and, of course, make sure that new Azure disks are no longer created with disk encryption but that encryption is enabled at the host level.