Move an ADE encrypted Azure Windows VM across Azure Subscriptions

in 10 Simple Steps!!!

Microsoft Azure

Downtime Required: 2–4 hours

1. Mitigate the dependencies of the VM, Stop the backup and keep backup data.

2. Decrypt the Disks (This will reboot the VM automatically)

a. Disable-AzVMDiskEncryption -ResourceGroupName “SourceResourceGroup” -VMName “MyVM” -VolumeType “all”

3. Check the encryption status (should be Not Encrypted)

Get-AzVmDiskEncryptionStatus -ResourceGroupName “SourceResourceGroup” -VMName “MyVM”

4. Keep the decrypted VM in stopped and deallocated state. (Stop the VM from the Azure Portal)

Stop-AzVM -ResourceGroupName “ SourceResourceGroup” -Name “MyVM”

5. Capture the snapshots of decrypted OS DISK and DATA DISK(s).

DISK > Overview > Create Snapshot.

6. Using Azure Resource Mover, move the snapshots to Target Subscription in the desired Resource Group.

a. Choose Move across subscription:

Azure Resource Mover

7. Create Disks using the moved Snapshots in the Target Subscription.

8. From the OS DISK, spin up a new VM in the target (Subscription and Resource Group) while attaching the DATA DISK(s) created from the moved Snapshot(s).

9. Encrypt the newly created VM and Schedule the Backup again.

10. Validate the newly migrated VM and delete the original resources ( VM, Disks, NIC, NSG, etc. ) in the Source Subscription and the moved Snapshots in the Target Subscription.

NOTE: Do not start both the VMs at the same time if they are domain joined as this will cause a clash in the Active Directory.

About me:



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store