Azure Disk Encryption – upgrade from Azure AD

Old version Azure Disk Encryption with Azure AD app uses Extension AzureDiskEncryption version 1.*.

New Azure Disk Encryption uses Extension AzureDiskEncryption version 2.*. Switching from AAD application Encryption for this encrypted VM isn’t supported yet.

Here is unofficial, not-supported way:

  • On VM using PowerShell as an Admin – disable Encryption, first:

manage-bde -status #write recovery password

Suspend-BitLocker -MountPoint “C:” -RebootCount 0

manage-bde -off c:

manage-bde -status

  • Using regedit delete the following:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Azure\BitlockerExtension

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Azure\HandlerState\Microsoft.Azure.Security.AzureDiskEncryption_1.1.0.4

  • Delete directory:


  • After that you must shut down VM, not reboot (!) just because Azure Agent install Extension just again. After switching off you have to follow this: