Quickstart: Create and encrypt a Windows virtual machine with the Azure portal

Azure virtual machines (VMs) can be created through the Azure portal. The Azure portal is a browser-based user interface to create VMs and their associated resources. In this quickstart you will use the Azure portal to deploy a Windows virtual machine, create a key vault for the storage of encryption keys, and encrypt the VM.

If you don't have an Azure subscription, create a free account before you begin.

Sign in to Azure

Sign in to the Azure portal.

Create a virtual machine

  1. Choose Create a resource in the upper left corner of the Azure portal.

  2. In the New page, under Popular, select Windows Server 2016 Datacenter.

  3. In the Basics tab, under Project details, make sure the correct subscription is selected.

  4. For "Resource Group", select Create new. Enter myResourceGroup as the name and select Ok.

  5. For Virtual machine name, enter MyVM.

  6. For Region, select (US) East US.

  7. Verify that the Size is Standard D2s v3.

  8. Under Administrator account, select Password. Enter a user name and a password.

    Warning

    The "Disks" tab features an "Encryption Type" field under Disk options. This field is used to specify encryption options for Managed Disks + CMK, not for Azure Disk Encryption.

    To avoid confusion, we suggest you skip the Disks tab entirely while completing this tutorial.

  9. Select the "Management" tab and verify that you have a Diagnostics Storage Account. If you have no storage accounts, select "Create New", give your new account a name, and select "Ok".

  10. Click "Review + Create".

  11. On the Create a virtual machine page, you can see the details about the VM you are about to create. When you are ready, select Create.

It will take a few minutes for your VM to be deployed. When the deployment is finished, move on to the next section.

Encrypt the virtual machine

  1. When the VM deployment is complete, select Go to resource.

  2. On the left-hand sidebar, select Disks.

  3. On the top bar, select Additional Settings.

  4. Under Encryption settings > Disks to encrypt, select OS and data disks.

  5. Under Encryption settings, choose Select a key vault and key for encryption.

  6. On the Select key from Azure Key Vault screen, select Create New.

  7. To the left of Key vault and key, select Click to select a key.

  8. On the Select key from Azure Key Vault, under the Key Vault field, select Create new.

  9. On the Create key vault screen, ensure that the Resource Group is myResourceGroup, and give your key vault a name. Every key vault across Azure must have a unique name.

  10. On the Access Policies tab, check the Azure Disk Encryption for volume encryption box.

  11. Select Review + create.

  12. After the key vault has passed validation, select Create. This will return you to the Select key from Azure Key Vault screen.

  13. Leave the Key field blank and choose Select.

  14. At the top of the encryption screen, click Save. A popup will warn you that the VM will reboot. Click Yes.
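After the VM has rebooted, you can confirm the result of the steps above from PowerShell. The following check is an added example, not part of the original quickstart: it assumes the Az PowerShell module with a signed-in session (Connect-AzAccount), uses the myResourceGroup and MyVM names from this page, and takes a placeholder for the key vault name you chose. The function name Test-QuickstartEncryption is hypothetical.

```powershell
# Added verification example (not from the original quickstart).
# Assumes: Az PowerShell module installed and Connect-AzAccount already run.
$ResourceGroup = 'myResourceGroup'         # name used in this quickstart
$VmName        = 'MyVM'                    # name used in this quickstart
$VaultName     = '<your-key-vault-name>'   # placeholder: the name you entered in step 9

function Test-QuickstartEncryption {
    param([string]$ResourceGroup, [string]$VmName, [string]$VaultName)
    $problems = @()

    # 1. The vault must exist and carry the "Azure Disk Encryption for volume
    #    encryption" access setting checked in step 10.
    $vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup
    if (-not $vault) {
        $problems += "Key vault '$VaultName' not found in '$ResourceGroup'."
    } elseif (-not $vault.EnabledForDiskEncryption) {
        $problems += "Key vault '$VaultName' is not enabled for disk encryption."
    }

    # 2. Azure Disk Encryption status as reported for the VM.
    $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroup -VMName $VmName
    if ("$($status.OsVolumeEncrypted)" -ne 'Encrypted') {
        $problems += "OS volume state is '$($status.OsVolumeEncrypted)' ($($status.ProgressMessage))."
    }
    # A VM with no data disks attached reports NoDiskFound, which is acceptable here.
    if ("$($status.DataVolumesEncrypted)" -notin @('Encrypted', 'NoDiskFound')) {
        $problems += "Data volume state is '$($status.DataVolumesEncrypted)'."
    }

    # 3. When the status includes a secret URL, it should point at the same vault.
    $secretUrl = $status.OsVolumeEncryptionSettings.DiskEncryptionKey.SecretUrl
    if ($vault -and $secretUrl -and
        ($secretUrl -notlike ($vault.VaultUri.TrimEnd('/') + '/*'))) {
        $problems += "Encryption secret is stored outside '$VaultName': $secretUrl"
    }

    [pscustomobject]@{
        VM       = $VmName
        Passed   = ($problems.Count -eq 0)
        Problems = $problems
    }
}

$result = Test-QuickstartEncryption -ResourceGroup $ResourceGroup -VmName $VmName -VaultName $VaultName
$result | Format-List
if (-not $result.Passed) { Write-Warning 'Encryption is not in the expected state.' }
```

If the OS volume still reports EncryptionInProgress, wait a few minutes and run the check again.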

Clean up resources

When no longer needed, you can delete the resource group, virtual machine, and all related resources. To do so, select the resource group for the virtual machine, select Delete, then confirm the name of the resource group to delete.

Next steps

In this quickstart, you created a Key Vault that was enabled for encryption keys, created a virtual machine, and enabled the virtual machine for encryption.