Enable Azure Disk Encryption on an AVD session host using a Nerdio scripted action

Hi there,

Welcome to another Azure Virtual Desktop blog post where I combine AVD with the power of Nerdio.

Security is a big subject these days and you want to make sure that you have enough security on each layer. You can have security on your Azure network, but you also need to secure your session hosts. One of the security options for your session hosts is Azure Disk Encryption (ADE). For Windows this is based on BitLocker.

You can run a PowerShell or Azure CLI command on each session host to enable this. We want to make sure we can do this a lot easier and more at scale. Nerdio has got you covered. With Nerdio you get Scripted Actions. This feature lets you run PowerShell commands on your session hosts.

In this blog post I’ll show you how to enable this with an already existing Key Vault.

Prerequisites

Since I want to show you how to do this with an existing Key Vault, I already made one with Terraform. (How to deploy a Key Vault with Terraform will be covered in a separate post.)

Make sure that your Key Vault is enabled for Azure Disk Encryption (ADE).

Scripted Action

Within Nerdio you have a lot of built-in scripts that you can leverage. One of them is the script to enable ADE on session hosts. You can find them in the following menu.

To modify it, click on the arrow on the right and select Clone.

In the next screen you can give it a title of your choice and click on Clone.

One of the first lines of the script that Nerdio gives us needs to be modified if you want to use an existing Key Vault. You need to uncomment the 2 lines and put in the name of your Key Vault. When done, select Save & Close.

Use the scripted action

Now that we have the scripted action, we have some options to run the script on the hosts. You can enable it from the AVD Host Pool properties. Each time a host is created the script runs and ADE is enabled.

When you want to enable ADE on already existing session hosts, you can open the dropdown menu and select “Run script on all hosts”.

In the next screen select the scripted action and select Run now.

After the scripted action has done its work, you can see that ADE has been activated when you look up the virtual machine in the Azure portal.
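The same steps in script form, as an added example that is not Nerdio’s built-in scripted action: it checks that the existing Key Vault is actually enabled for ADE before doing anything, skips hosts that are already encrypted so “Run script on all hosts” is safe to repeat, and verifies the result from the script instead of the portal. It assumes the Az.KeyVault and Az.Compute modules and an authenticated Az session; the function name and the resource group, host and vault names are placeholders.

```powershell
# Added example (not Nerdio's built-in script): enable ADE on one session host
# with an existing Key Vault, then verify. Requires the Az.KeyVault and
# Az.Compute modules and an authenticated Az session (Connect-AzAccount).
function Enable-SessionHostAde {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName,
        # Name of the pre-existing Key Vault (the value you put in the
        # two uncommented lines of the cloned scripted action)
        [Parameter(Mandatory)] [string] $KeyVaultName
    )

    # Prerequisite check: the vault must be enabled for disk encryption,
    # otherwise the extension fails when it tries to store the BitLocker key.
    $kv = Get-AzKeyVault -VaultName $KeyVaultName
    if (-not $kv) { throw "Key Vault '$KeyVaultName' not found." }
    if (-not $kv.EnabledForDiskEncryption) {
        throw "Key Vault '$KeyVaultName' is not enabled for Azure Disk Encryption."
    }

    # Skip hosts that are already encrypted so re-running on all hosts is safe.
    $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
    if ($status.OsVolumeEncrypted -eq 'Encrypted') {
        Write-Output "${VMName}: OS volume already encrypted, nothing to do."
        return $status
    }

    # Enable ADE (BitLocker on Windows); the key is stored in the existing vault.
    # -Force suppresses the prompt about the VM possibly rebooting.
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName `
        -VMName $VMName `
        -DiskEncryptionKeyVaultUrl $kv.VaultUri `
        -DiskEncryptionKeyVaultId $kv.ResourceId `
        -VolumeType All `
        -Force

    # Verify, as the post does in the portal, but from the script itself.
    Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
}

# Usage (placeholder resource group, host and vault names):
# Enable-SessionHostAde -ResourceGroupName 'rg-avd' -VMName 'avd-host-0' -KeyVaultName 'kv-avd-ade'
```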

You can see it’s really easy to enable ADE on AVD session hosts if you use Nerdio. Not only is it very easy and doesn’t take much time to configure but you also enhance the security of your hosts.

If you have any further questions about this, feel free to reach out.
