Azure virtual machine storage should be encrypted to protect sensitive information. Encrypting data at rest is considered best practice in any environment that supports it, especially as it is often required by certain compliance frameworks or industry regulations.
Once a Virtual Machine Scale Set is created in the console, the encryption at host setting cannot be changed. To create a resource with the correct settings, follow the steps below.
In Azure Console -
In Terraform -
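The following is an added example, not taken from the original page: a Windows scale set that sets the `encryption_at_host_enabled` argument from the provider documentation linked under References. The variables, resource names, VM size and image are placeholder assumptions.

```hcl
# Assumed inputs: supply these from your own environment.
variable "resource_group_name" { type = string }
variable "location" { type = string }
variable "subnet_id" { type = string }

variable "admin_password" {
  type      = string
  sensitive = true
}

resource "azurerm_windows_virtual_machine_scale_set" "example" {
  name                 = "example-vmss" # placeholder name
  computer_name_prefix = "exvm"         # placeholder prefix
  resource_group_name  = var.resource_group_name
  location             = var.location
  sku                  = "Standard_D2s_v3" # assumed size; it must support encryption at host
  instances            = 2
  admin_username       = "azureadmin" # placeholder account name
  admin_password       = var.admin_password

  # The setting this page is about. Leaving the argument out, or setting it
  # to false, creates the scale set without encryption at host.
  encryption_at_host_enabled = true

  source_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2022-datacenter-azure-edition"
    version   = "latest"
  }

  os_disk {
    storage_account_type = "Standard_LRS"
    caching              = "ReadWrite"
  }

  network_interface {
    name    = "example-nic"
    primary = true

    ip_configuration {
      name      = "internal"
      primary   = true
      subnet_id = var.subnet_id
    }
  }
}
```

Before applying, `terraform plan` should show `encryption_at_host_enabled = true` on the scale set resource.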
References:
https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_virtual_machine_scale_set#encryption_at_host_enabled