Move an ADE encrypted Azure Windows VM across Azure Subscriptions

in 10 Simple Steps!!!

Microsoft Azure

Azure cloud platform is more than 200 products and cloud services designed to help the users bring new solutions to life and to solve today’s challenges and create the future. Build, run and manage applications across multiple clouds, on-premises and at the edge, with the tools and frameworks of your choice.

Below is a simple 10 step process to move an ADE encrypted Azure Windows VM across subscriptions using Azure Portal and PowerShell Commands:

Downtime Required: 2–4 hours

1. Mitigate the dependencies of the VM, Stop the backup and keep backup data.

2. Decrypt the Disks (This will reboot the VM automatically)

a. Disable-AzVMDiskEncryption -ResourceGroupName “SourceResourceGroup” -VMName “MyVM” -VolumeType “all”

b. Remove-AzVMDiskEncryptionExtension -ResourceGroupName “SourceResourceGroup” -VMName “MyVM”

3. Check the encryption status (should be Not Encrypted)

Get-AzVmDiskEncryptionStatus -ResourceGroupName “SourceResourceGroup” -VMName “MyVM”

4. Keep the decrypted VM in stopped and deallocated state. (Stop the VM from the Azure Portal)

Stop-AzVM -ResourceGroupName “ SourceResourceGroup” -Name “MyVM”

5. Capture the snapshots of decrypted OS DISK and DATA DISK(s).

DISK > Overview > Create Snapshot.

6. Using Azure Resource Mover, move the snapshots to Target Subscription in the desired Resource Group.

a. Choose Move across subscription:

Azure Resource Mover

b. Choose Source (Subscription + Resource Group) and Target (Subscription + Resource Group)

c. Add the Resources to Move (Snapshots of OS and DATA DISK(s))> Validate > Move.

7. Create Disks using the moved Snapshots in the Target Subscription.

8. From the OS DISK, spin up a new VM in the target (Subscription and Resource Group) while attaching the DATA DISK(s) created from the moved Snapshot(s).

9. Encrypt the newly created VM and Schedule the Backup again.

10. Validate the newly migrated VM and delete the original resources ( VM, Disks, NIC, NSG, etc. ) in the Source Subscription and the moved Snapshots in the Target Subscription.

NOTE: Do not start both the VMs at the same time if they are domain joined as this will cause a clash in the Active Directory.

I hope you find the above action plan useful. In case of any questions or concerns, find me at abhibothera.github.io.

About me:

Cloud Engineer at Hanu Software | 6x Microsoft Azure Certified | Azure Administrator | Azure DevOps | Azure Security | AVD | Former Research Scholar at Georgia Institute of Technology.