Set-AzVMDiskEncryptionExtension    
	
   
	
		Enables encryption on a running IaaS virtual machine in Azure.
	 
	Syntax 
	
		SinglePassParameterSet (Default)
	    
	
		Set-AzVMDiskEncryptionExtension
    [-ResourceGroupName] <String>
    [-VMName] <String>
    [-DiskEncryptionKeyVaultUrl] <String>
    [-DiskEncryptionKeyVaultId] <String>
    [[-KeyEncryptionKeyUrl] <String>]
    [[-KeyEncryptionKeyVaultId] <String>]
    [[-KeyEncryptionAlgorithm] <String>]
    [[-VolumeType] <String>]
    [[-SequenceVersion] <String>]
    [[-TypeHandlerVersion] <String>]
    [[-Name] <String>]
    [[-Passphrase] <String>]
    [-EncryptionIdentity <String>]
    [-Force]
    [-DisableAutoUpgradeMinorVersion]
    [-SkipVmBackup]
    [-ExtensionType <String>]
    [-ExtensionPublisherName <String>]
    [-EncryptFormatAll]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]
 
	
		AADClientSecretParameterSet
	    
	
		Set-AzVMDiskEncryptionExtension
    [-ResourceGroupName] <String>
    [-VMName] <String>
    [-AadClientID] <String>
    [-AadClientSecret] <String>
    [-DiskEncryptionKeyVaultUrl] <String>
    [-DiskEncryptionKeyVaultId] <String>
    [[-KeyEncryptionKeyUrl] <String>]
    [[-KeyEncryptionKeyVaultId] <String>]
    [[-KeyEncryptionAlgorithm] <String>]
    [[-VolumeType] <String>]
    [[-SequenceVersion] <String>]
    [[-TypeHandlerVersion] <String>]
    [[-Name] <String>]
    [[-Passphrase] <String>]
    [-Force]
    [-DisableAutoUpgradeMinorVersion]
    [-SkipVmBackup]
    [-ExtensionType <String>]
    [-ExtensionPublisherName <String>]
    [-EncryptFormatAll]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]
 
	
		AADClientCertParameterSet
	    
	
		Set-AzVMDiskEncryptionExtension
    [-ResourceGroupName] <String>
    [-VMName] <String>
    [-AadClientID] <String>
    [-AadClientCertThumbprint] <String>
    [-DiskEncryptionKeyVaultUrl] <String>
    [-DiskEncryptionKeyVaultId] <String>
    [[-KeyEncryptionKeyUrl] <String>]
    [[-KeyEncryptionKeyVaultId] <String>]
    [[-KeyEncryptionAlgorithm] <String>]
    [[-VolumeType] <String>]
    [[-SequenceVersion] <String>]
    [[-TypeHandlerVersion] <String>]
    [[-Name] <String>]
    [[-Passphrase] <String>]
    [-Force]
    [-DisableAutoUpgradeMinorVersion]
    [-SkipVmBackup]
    [-ExtensionType <String>]
    [-ExtensionPublisherName <String>]
    [-EncryptFormatAll]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]
 
	
		MigrateADEVersionParameterSet
	    
	
		Set-AzVMDiskEncryptionExtension
    [-ResourceGroupName] <String>
    [-VMName] <String>
    [[-KeyEncryptionAlgorithm] <String>]
    [[-VolumeType] <String>]
    [[-SequenceVersion] <String>]
    [[-TypeHandlerVersion] <String>]
    [[-Name] <String>]
    [[-Passphrase] <String>]
    [-Force]
    [-DisableAutoUpgradeMinorVersion]
    [-SkipVmBackup]
    [-ExtensionType <String>]
    [-ExtensionPublisherName <String>]
    [-EncryptFormatAll]
    [-Migrate]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]
 
	
		MigrateADEVersionRecoveryParameterSet
	     
	
		Set-AzVMDiskEncryptionExtension
    [-ResourceGroupName] <String>
    [-VMName] <String>
    [[-KeyEncryptionAlgorithm] <String>]
    [[-VolumeType] <String>]
    [[-SequenceVersion] <String>]
    [[-TypeHandlerVersion] <String>]
    [[-Name] <String>]
    [[-Passphrase] <String>]
    [-Force]
    [-DisableAutoUpgradeMinorVersion]
    [-SkipVmBackup]
    [-ExtensionType <String>]
    [-ExtensionPublisherName <String>]
    [-EncryptFormatAll]
    [-MigrationRecovery]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]
 
	Description 
	
		The Set-AzVMDiskEncryptionExtension  cmdlet enables encryption on a running infrastructure as a service (IaaS) virtual machine in Azure.  It enables encryption by installing the disk encryption extension on the virtual machine.
This cmdlet requires confirmation from the users as one of the steps to enable encryption requires a restart of the virtual machine.
It is advised that you save your work on the virtual machine before you run this cmdlet.
Linux: The VolumeType  parameter is required when encrypting Linux virtual machines, and must be set to a value ("Os", "Data", or "All") supported by the Linux distribution.
Windows: The VolumeType  parameter may be omitted, in which case the operation defaults to All; if the VolumeType parameter is present for a Windows virtual machine, it must be set to either All or OS.
	 
	Examples 
	Example 1: Enable encryption 
	
		$RGName = "MyResourceGroup"
$VMName = "MyTestVM"
$VaultName= "MyKeyVault"
$KeyVault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
$VolumeType = "All"
Set-AzVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType $VolumeType
This example enables encryption on a VM without specifying AD credentials.
	 
	
	
		$params = New-Object PSObject -Property @{
    ResourceGroupName = "[resource-group-name]"
    VMName = "[vm-name]"
    DiskEncryptionKeyVaultId = "/subscriptions/[subscription-id-guid]/resourceGroups/[resource-group-name]/providers/Microsoft.KeyVault/vaults/[keyvault-name]"
    DiskEncryptionKeyVaultUrl = "https://[keyvault-name].vault.azure.net"
    KeyEncryptionKeyVaultId = "/subscriptions/[subscription-id-guid]/resourceGroups/[resource-group-name]/providers/Microsoft.KeyVault/vaults/[keyvault-name]"
    KeyEncryptionKeyUrl = "https://[keyvault-name].vault.azure.net/keys/[kekname]/[kek-unique-id]"
    VolumeType = "All"
}
$params | Set-AzVMDiskEncryptionExtension
This example sends parameters using pipelined input to enable encryption on a VM, without specifying AD credentials.
	 
	Example 3: Enable encryption using Microsoft Entra Client ID and Client Secret 
	
		$RGName = "MyResourceGroup"
$VMName = "MyTestVM"
$AADClientID = "<clientID of your Azure AD app>"
$AADClientSecret = "<clientSecret of your Azure AD app>"
$VaultName= "MyKeyVault"
$KeyVault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
$VolumeType = "All"
Set-AzVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -AadClientID $AADClientID -AadClientSecret $AADClientSecret -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType $VolumeType
This example uses Microsoft Entra client ID and client secret to enable encryption on a VM.
	 
	Example 4: Enable encryption using Microsoft Entra client ID and client certification thumbprint 
	
		$RGName = "MyResourceGroup"
$VMName = "MyTestVM"
#The KeyVault must have enabledForDiskEncryption property set on it
$VaultName= "MyKeyVault"
$KeyVault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
$VolumeType = "All"
# create Azure AD application and associate the certificate
$CertPath = "C:\certificates\examplecert.pfx"
$CertPassword = "Password"
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPassword)
$CertValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
$AzureAdApplication = New-AzADApplication -DisplayName "<Your Application Display Name>" -HomePage "<https://YourApplicationHomePage>" -IdentifierUris "<https://YouApplicationUri>" -CertValue $CertValue
$ServicePrincipal = New-AzADServicePrincipal -ApplicationId $AzureAdApplication.ApplicationId
$AADClientID = $AzureAdApplication.ApplicationId
$aadClientCertThumbprint= $cert.Thumbprint
#Upload pfx to KeyVault
$KeyVaultSecretName = "MyAADCert"
$FileContentBytes = Get-Content $CertPath -Encoding Byte
$FileContentEncoded = [System.Convert]::ToBase64String($fileContentBytes)
$JSONObject = @"
    {
        "data" : "$filecontentencoded",
        "dataType" : "pfx",
        "password" : "$CertPassword"
    }
"@
$JSONObjectBytes = [System.Text.Encoding]::UTF8.GetBytes($jsonObject)
$JSONEncoded = [System.Convert]::ToBase64String($jsonObjectBytes)
$Secret = ConvertTo-SecureString -String $JSONEncoded -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $VaultName -Name $KeyVaultSecretName -SecretValue $Secret
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $RGName -EnabledForDeployment
#deploy cert to VM
$CertUrl = (Get-AzKeyVaultSecret -VaultName $VaultName -Name $KeyVaultSecretName).Id
$SourceVaultId = (Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName).ResourceId
$VM = Get-AzVM -ResourceGroupName $RGName -Name $VMName
$VM = Add-AzVMSecret -VM $VM -SourceVaultId $SourceVaultId -CertificateStore "My" -CertificateUrl $CertUrl
Update-AzVM -VM $VM -ResourceGroupName $RGName
#Enable encryption on the virtual machine using Azure AD client ID and client cert thumbprint
Set-AzVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -AadClientID $AADClientID -AadClientCertThumbprint $AADClientCertThumbprint -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType $VolumeType
This example uses Microsoft Entra client ID and client certification thumbprints to enable encryption on a VM.
	 
	Example 5: Enable encryption using Microsoft Entra client ID, client secret, and wrap disk encryption key by using key encryption key 
	
		$RGName = "MyResourceGroup"
$VMName = "MyTestVM"
$AADClientID = "<clientID of your Azure AD app>"
$AADClientSecret = "<clientSecret of your Azure AD app>"
$VaultName= "MyKeyVault"
$KeyVault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
$VolumeType = "All"
$KEKName = "MyKeyEncryptionKey"
$KEK = Add-AzKeyVaultKey -VaultName $VaultName -Name $KEKName -Destination "Software"
$KeyEncryptionKeyUrl = $KEK.Key.kid
Set-AzVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -AadClientID $AADClientID -AadClientSecret $AADClientSecret -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $KeyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId -VolumeType $VolumeType
This example uses Microsoft Entra client ID and client secret to enable encryption on a VM, and wraps the disk encryption key using a key encryption key.
	 
	Example 6: Enable encryption using Microsoft Entra client ID, client cert thumbprint, and wrap disk encryptionkey by using key encryption key 
	
		$RGName = "MyResourceGroup"
$VMName = "MyTestVM"
#The KeyVault must have enabledForDiskEncryption property set on it
$VaultName= "MyKeyVault"
$KeyVault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
$KEKName = "MyKeyEncryptionKey"
$KEK = Add-AzKeyVaultKey -VaultName $VaultName -Name $KEKName -Destination "Software"
$KeyEncryptionKeyUrl = $KEK.Key.kid
$VolumeType = "All"
# create Azure AD application and associate the certificate
$CertPath = "C:\certificates\examplecert.pfx"
$CertPassword = "Password"
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPassword)
$CertValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
$AzureAdApplication = New-AzADApplication -DisplayName "<Your Application Display Name>" -HomePage "<https://YourApplicationHomePage>" -IdentifierUris "<https://YouApplicationUri>" -CertValue $CertValue
$ServicePrincipal = New-AzADServicePrincipal -ApplicationId $AzureAdApplication.ApplicationId
$AADClientID = $AzureAdApplication.ApplicationId
$AADClientCertThumbprint= $Cert.Thumbprint
#Upload pfx to KeyVault
$KeyVaultSecretName = "MyAADCert"
$FileContentBytes = Get-Content $CertPath -Encoding Byte
$FileContentEncoded = [System.Convert]::ToBase64String($FileContentBytes)
$JSONObject = @"
    {
        "data" : "$filecontentencoded",
        "dataType" : "pfx",
        "password" : "$CertPassword"
    }
"@
$JSONObjectBytes = [System.Text.Encoding]::UTF8.GetBytes($JSONObject)
$JsonEncoded = [System.Convert]::ToBase64String($JSONObjectBytes)
$Secret = ConvertTo-SecureString -String $JSONEncoded -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $VaultName-Name $KeyVaultSecretName -SecretValue $Secret
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $RGName -EnabledForDeployment
#deploy cert to VM
$CertUrl = (Get-AzKeyVaultSecret -VaultName $VaultName -Name $KeyVaultSecretName).Id
$SourceVaultId = (Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName).ResourceId
$VM = Get-AzVM -ResourceGroupName $RGName -Name $VMName
$VM = Add-AzVMSecret -VM $VM -SourceVaultId $SourceVaultId -CertificateStore "My" -CertificateUrl $CertUrl
Update-AzVM -VM $VM -ResourceGroupName $RGName
#Enable encryption on the virtual machine using Azure AD client ID and client cert thumbprint
Set-AzVMDiskEncryptionExtension -ResourceGroupName $RGname -VMName $VMName -AadClientID $AADClientID -AadClientCertThumbprint $AADClientCertThumbprint -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $KeyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId -VolumeType $VolumeType
This example uses Microsoft Entra client ID and client cert thumbprint to enable encryption on a VM, and wraps the disk encryption key using a key encryption key.
	 
	Parameters 
		-AadClientCertThumbprint    
		Specifies the thumbprint of the Microsoft Entra application client certificate that has permissions to write secrets to KeyVault .
As a prerequisite, the Microsoft Entra client certificate must be previously deployed to the virtual machine's local computer my certificate store.
The Add-AzVMSecret cmdlet can be used to deploy a certificate to a virtual machine in Azure.
For more details, see the Add-AzVMSecret  cmdlet help.
The certificate must be previously deployed to the virtual machine local computer my certificate store.
		Parameter properties 
		
				Type: String 
Default value: None Supports wildcards: False DontShow: False 
		Parameter sets 
			
				
					AADClientCertParameterSet 
					
						 
				    
				
						Position: 3 Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
		-AadClientID  
		Specifies the client ID of the Microsoft Entra application that has permissions to write secrets to KeyVault .
		Parameter properties 
		
				Type: String 
Default value: None Supports wildcards: False DontShow: False 
		Parameter sets 
			
				
					AADClientSecretParameterSet 
					
						 
				    
				
						Position: 2 Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
			
				
					AADClientCertParameterSet 
					
						 
				    
				
						Position: 2 Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
		-AadClientSecret   
		Specifies the client secret of the Microsoft Entra application that has permissions to write secrets to KeyVault .
		Parameter properties 
		
				Type: String 
Default value: None Supports wildcards: False DontShow: False 
		Parameter sets 
			
				
					AADClientSecretParameterSet 
					
						 
				    
				
						Position: 3 Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
		-Confirm 
		Prompts you for confirmation before running the cmdlet.
		Parameter properties 
		
				Type: SwitchParameter 
Default value: False Supports wildcards: False DontShow: False Aliases: cf 
		Parameter sets 
			
				
					(All) 
					
						 
				 
				
						Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False 
			 
		-DefaultProfile  
		The credentials, account, tenant, and subscription used for communication with Azure.
		Parameter properties 
		
				Type: IAzureContextContainer 
Default value: None Supports wildcards: False DontShow: False Aliases: AzContext, AzureRmContext, AzureCredential 
		Parameter sets 
			
				
					(All) 
					
						 
				 
				
						Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False 
			 
		-DisableAutoUpgradeMinorVersion     
		Indicates that this cmdlet disables auto-upgrade of the minor version of the extension.
		Parameter properties 
		
				Type: SwitchParameter 
Default value: None Supports wildcards: False DontShow: False 
		Parameter sets 
			
				
					(All) 
					
						 
				 
				
						Position: 14 Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
		-DiskEncryptionKeyVaultId     
		Specifies the resource ID of the KeyVault  to which the virtual machine encryption keys should be uploaded.
		Parameter properties 
		
				Type: String 
Default value: None Supports wildcards: False DontShow: False 
		Parameter sets 
			
				
					SinglePassParameterSet 
					
						 
				    
				
						Position: 5 Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
			
				
					AADClientSecretParameterSet 
					
						 
				    
				
						Position: 5 Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
			
				
					AADClientCertParameterSet 
					
						 
				    
				
						Position: 5 Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
		-DiskEncryptionKeyVaultUrl     
		Specifies the KeyVault  URL to which the virtual machine encryption keys should be uploaded.
		Parameter properties 
		
				Type: String 
Default value: None Supports wildcards: False DontShow: False 
		Parameter sets 
			
				
					SinglePassParameterSet 
					
						 
				    
				
						Position: 4 Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
			
				
					AADClientSecretParameterSet 
					
						 
				    
				
						Position: 4 Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
			
				
					AADClientCertParameterSet 
					
						 
				    
				
						Position: 4 Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
		
		Encrypt-Format all data drives that are not already encrypted
		
		
				Type: SwitchParameter 
Default value: None Supports wildcards: False DontShow: False 
		
			
				
					(All) 
					
						 
				 
				
						Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False 
			 
		-EncryptionIdentity  
		Resource ID of the managed identity with access to keyvault for ADE operations.
		Parameter properties 
		
				Type: String 
Default value: None Supports wildcards: False DontShow: False 
		Parameter sets 
			
				
					SinglePassParameterSet 
					
						 
				    
				
						Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
		-ExtensionPublisherName   
		The extension publisher name. Specify this parameter only to override the default value of "Microsoft.Azure.Security".
		Parameter properties 
		
				Type: String 
Default value: None Supports wildcards: False DontShow: False 
		Parameter sets 
			
				
					(All) 
					
						 
				 
				
						Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
		-ExtensionType  
		The extension type. Specify this parameter to override its default value of "AzureDiskEncryption" for Windows VMs and "AzureDiskEncryptionForLinux" for Linux VMs.
		Parameter properties 
		
				Type: String 
Default value: None Supports wildcards: False DontShow: False 
		Parameter sets 
			
				
					(All) 
					
						 
				 
				
						Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
		-Force 
		Forces the command to run without asking for user confirmation.
		Parameter properties 
		
				Type: SwitchParameter 
Default value: None Supports wildcards: False DontShow: False 
		Parameter sets 
			
				
					(All) 
					
						 
				 
				
						Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False 
			 
		-KeyEncryptionAlgorithm   
		Specifies the algorithm that is used to wrap and unwrap the key encryption key of the virtual machine.
The default value is RSA-OAEP.
		Parameter properties 
		
				Type: String 
Default value: None Accepted values: RSA-OAEP, RSA1_5 Supports wildcards: False DontShow: False 
		Parameter sets 
			
				
					(All) 
					
						 
				 
				
						Position: 8 Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
		-KeyEncryptionKeyUrl    
		Specifies the URL of the key encryption key that is used to wrap and unwrap the virtual machine encryption key.
This must be the full versioned URL.
		Parameter properties 
		
				Type: String 
Default value: None Supports wildcards: False DontShow: False 
		Parameter sets 
			
				
					SinglePassParameterSet 
					
						 
				    
				
						Position: 6 Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
			
				
					AADClientSecretParameterSet 
					
						 
				    
				
						Position: 6 Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
			
				
					AADClientCertParameterSet 
					
						 
				    
				
						Position: 6 Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
		-KeyEncryptionKeyVaultId     
		Specifies the resource ID of the KeyVault  that contains key encryption key that is used to wrap and unwrap the virtual machine encryption key.
This must be a full versioned URL.
		Parameter properties 
		
				Type: String 
Default value: None Supports wildcards: False DontShow: False 
		Parameter sets 
			
				
					SinglePassParameterSet 
					
						 
				    
				
						Position: 7 Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
			
				
					AADClientSecretParameterSet 
					
						 
				    
				
						Position: 7 Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
			
				
					AADClientCertParameterSet 
					
						 
				    
				
						Position: 7 Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
		-Migrate 
		Initiates migration of the VM to latest Azure Disk Encryption extension version (ADE without Microsoft Entra credentials).
		Parameter properties 
		
				Type: SwitchParameter 
Default value: None Supports wildcards: False DontShow: False 
		Parameter sets 
			
				
					MigrateADEVersionParameterSet 
					
						 
				    
				
						Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
		-MigrationRecovery  
		Initiates migration recovery for failures during migration of ADE extension version with Microsoft Entra ID to ADE extension version without Microsoft Entra ID.
		Parameter properties 
		
				Type: SwitchParameter 
Default value: None Supports wildcards: False DontShow: False 
		Parameter sets 
			
				
					MigrateADEVersionRecoveryParameterSet 
					
						 
				     
				
						Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
		-Name 
		Specifies the name of the Azure Resource Manager resource that represents the extension. If the Name  parameter is omitted, the installed extension will be named AzureDiskEncryption on Windows virtual machines and AzureDiskEncryptionForLinux on Linux virtual machines.
		Parameter properties 
		
				Type: String 
Default value: None Supports wildcards: False DontShow: False Aliases: ExtensionName 
		Parameter sets 
			
				
					(All) 
					
						 
				 
				
						Position: 12 Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
		-Passphrase 
		Specifies the passphrase used for encrypting Linux virtual machines only.
This parameter is not used for virtual machines that run the Windows operating system.
		Parameter properties 
		
				Type: String 
Default value: None Supports wildcards: False DontShow: False 
		Parameter sets 
			
				
					(All) 
					
						 
				 
				
						Position: 13 Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
		-ResourceGroupName   
		Specifies the name of the resource group of the virtual machine.
		Parameter properties 
		
				Type: String 
Default value: None Supports wildcards: False DontShow: False 
		Parameter sets 
			
				
					(All) 
					
						 
				 
				
						Position: 0 Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
		-SequenceVersion  
		Specifies the sequence number of the encryption operations for a virtual machine.
This is unique per each encryption operation performed on the same virtual machine.
The Get-AzVMExtension cmdlet can be used to retrieve the previous sequence number that was used.
		Parameter properties 
		
				Type: String 
Default value: None Supports wildcards: False DontShow: False 
		Parameter sets 
			
				
					(All) 
					
						 
				 
				
						Position: 10 Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
		-SkipVmBackup  
		Skip backup creation for Linux VMs
		Parameter properties 
		
				Type: SwitchParameter 
Default value: None Supports wildcards: False DontShow: False 
		Parameter sets 
			
				
					(All) 
					
						 
				 
				
						Position: 15 Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
		-TypeHandlerVersion   
		Specifies the version of the encryption extension.
		Parameter properties 
		
				Type: String 
Default value: None Supports wildcards: False DontShow: False Aliases: HandlerVersion, Version 
		Parameter sets 
			
				
					(All) 
					
						 
				 
				
						Position: 11 Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
		-VMName 
		Specifies the name of the virtual machine.
		Parameter properties 
		
				Type: String 
Default value: None Supports wildcards: False DontShow: False Aliases: ResourceName 
		Parameter sets 
			
				
					(All) 
					
						 
				 
				
						Position: 1 Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
		-VolumeType  
		Specifies the type of virtual machine volumes on which to perform encryption operation: OS, Data, or All.
Linux: The VolumeType  parameter is required when encrypting Linux virtual machines, and must be set to a value ("Os", "Data", or "All") supported by the Linux distribution.
Windows: The VolumeType  parameter may be omitted, in which case the operation defaults to All; if the VolumeType parameter is present for a Windows virtual machine, it must be set to either All or OS.
		Parameter properties 
		
				Type: String 
Default value: None Accepted values: OS, Data, All Supports wildcards: False DontShow: False 
		Parameter sets 
			
				
					(All) 
					
						 
				 
				
						Position: 9 Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False 
			 
		-WhatIf  
		Shows what would happen if the cmdlet runs.
The cmdlet is not run.
		Parameter properties 
		
				Type: SwitchParameter 
Default value: False Supports wildcards: False DontShow: False Aliases: wi 
		Parameter sets 
			
				
					(All) 
					
						 
				 
				
						Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False 
			 
		CommonParameters 
		
			This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
-InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable,
-ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see
about_CommonParameters .
		 
	
			
			
				
			
			
			
				
			
	Outputs