Dealing with Azure Disk Encryption and Windows OS disk resizing

When you are enabling Azure Disk Encryption on your Azure VM, the process will shrink your existing OS partition a bit to implement the System Reserved partition. The System Reserved partition is placed at the end of the OS disk. When you resize the OS disk, then the free space is added after this partition.

Trying to extend the OS partition, forces you to create a new partition, because you have the System Reserved partition between the OS partition and the free space. With Windows built-in tools it is not possible to move the System Reserved partition to the end. But that is not the point. The point ist that you should consider the right OS disk size before you enable Azure Disk Encryption.

Per default the OS disk size is 127 GB, when you are deploying the Windows VM from the Azure Marketplace image.

The options you have right now are to resize the OS disk via the Azure portal or Azure PowerShell before you enable and configure ADE. But I recommend to deploy the Azure VM via an ARM template. There you can describe all necessary actions like resizing the disk, expanding the OS partition and enable ADE.

I will only describe the steps how do you do the resizing and expanding in an ARM template.

So let us begin with the resizing. You just have to add the line diskSizeGB under the osDisk section in your template and provide the appropriate disk size.


"osDisk": {
"name": "vmName",
"vhd": {
"uri": "osDiskURI"
"caching": "ReadWrite",
"diskSizeGB": 500,
"createOption": "FromImage"

Additionally you also have to implement the custom script extension to expand the partition before, and that is important, you enable Azure Disk Encryption.

Have a look at the following Azure documentation entry on how to use the custom script extension in your ARM template.


Expanding the C partition is very easy, just use the following two lines for your custom script.

$Size=Get-PartitionSupportedSize -DriveLetter C
Resize-Partition -DriveLetter C -Size $Size.SizeMax

Last but not least an important note on the BitLocker extension. You should not only implement a dependsOn condition for the VM itself. In addition it is absolutely necessary to add a dependsOn condition for the custom script extension.


Leave a Reply