Unlock Azure Drive locked via BitLocker (ARM)

1) Create a Recovery VM located in the same Resource Group, Storage Account and Location of the impacted VM.
2) Delete the affected VM via the Azure Portal
3) Open PowerShell ISE as an Administrator
4) Run the following modifying the highlighted sections:

Login-AzureRmAccount

$vmName = "VirtualMachineName"
$vault = "AzureKeyVaultName"

# Get the Secret for the C drive from Azure Key Vault
Get-AzureKeyVaultSecret -VaultName $vault | where {($_.Tags.MachineName -eq $vmName) -and ($_.Tags.VolumeLetter -eq "C:\") -and ($_.ContentType -eq 'BEK')}

# OR use the command below to get the BEK keys for all the volumes of the machine
#Get-AzureKeyVaultSecret -VaultName $vault | where {($_.Tags.MachineName -eq $vmName) -and ($_.ContentType -eq 'BEK')}

5) Once you have the Secret Name paste the following script into PowerShell modifying the highlighted sections:

$secretName = 'SecretName'
$keyVaultSecret = Get-AzureKeyVaultSecret -VaultName $vault -Name $secretName
# SecretValueText holds the BEK as a Base64 string (AzureRM module property)
$bekSecretBase64 = $keyVaultSecret.SecretValueText

6) The next step is to convert the Base64 encoded value to bytes and write the output to a file. Note that the BEK file name must match the original BEK GUID if you use the USB unlock option. The commands below create the folder C:\BEK first; if it already exists, -Force keeps New-Item from failing.

New-Item -ItemType directory -Path C:\BEK -Force
$bekFileBytes = [Convert]::FromBase64String($bekSecretBase64)
$path = "C:\BEK\$secretName.BEK"
[System.IO.File]::WriteAllBytes($path, $bekFileBytes)

7) Once the BEK file is created on your PC, copy it to the recovery VM that has the locked OS disk attached. Run the following, substituting the drive letter the locked disk received on the recovery VM (F: below) and the location of the BEK file:

manage-bde -status F:
manage-bde -unlock F: -rk C:\BEKFILENAME.BEK
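Steps 4 through 7 can be run as one checked procedure. The script below is an added example, not code from the original page or from Microsoft: it looks up the BEK secret by machine name and volume, picks the newest one if the volume was encrypted more than once, writes the key to a file named after the GUID the key protector expects, unlocks the drive on the recovery VM, and removes the key file again once the volume is open. It assumes the AzureRM module (as the page does) and that Azure Disk Encryption secrets carry a DiskEncryptionKeyFileName tag; that tag name is an assumption, so the code falls back to the secret name when it is absent. The -WhatIf style dry run and the removal of the BEK copy are design choices of this example, since the BEK is the full-volume key and should not be left lying on the recovery VM.

```powershell
# Added example, not part of the original page. Requires the AzureRM module and an
# existing Login-AzureRmAccount session. Run the unlock half on the recovery VM.

function Export-BekFromKeyVault {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $MachineName,
        [string] $VolumeLetter = 'C:\',
        [string] $OutputDir   = 'C:\BEK'
    )
    # List mode returns identity items (Name, Tags, ContentType, Updated) without values.
    $candidates = Get-AzureKeyVaultSecret -VaultName $VaultName |
        Where-Object {
            $_.ContentType -eq 'BEK' -and
            $_.Tags.MachineName -eq $MachineName -and
            $_.Tags.VolumeLetter -eq $VolumeLetter
        }
    if (-not $candidates) {
        throw "No BEK secret tagged for machine '$MachineName' volume '$VolumeLetter' in vault '$VaultName'."
    }
    # Several BEK secrets exist if the volume was re-encrypted; the newest is the live one.
    $item = @($candidates) | Sort-Object Updated -Descending | Select-Object -First 1

    # Second call by name fetches the secret value itself.
    $secret = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $item.Name
    $bytes  = [Convert]::FromBase64String($secret.SecretValueText)
    if ($bytes.Length -eq 0) { throw "Secret '$($item.Name)' decoded to zero bytes." }

    # The file name must be the external key protector GUID. ADE stores it in the
    # DiskEncryptionKeyFileName tag (assumed tag name); otherwise use the secret name.
    $fileName = if ($item.Tags.DiskEncryptionKeyFileName) { $item.Tags.DiskEncryptionKeyFileName }
                else { "$($item.Name).BEK" }
    if (-not $fileName.EndsWith('.BEK', 'OrdinalIgnoreCase')) { $fileName += '.BEK' }

    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
    $path = Join-Path $OutputDir $fileName
    [System.IO.File]::WriteAllBytes($path, $bytes)
    Write-Verbose "Wrote $($bytes.Length) bytes from secret '$($item.Name)' to $path"
    return $path
}

function Unlock-VolumeWithBek {
    param(
        [Parameter(Mandatory)] [string] $Drive,    # e.g. 'F:' on the recovery VM
        [Parameter(Mandatory)] [string] $BekPath,
        [switch] $KeepBekFile
    )
    if (-not (Test-Path $BekPath)) { throw "BEK file not found: $BekPath" }

    # Show the current state and the protector IDs before touching anything, so the
    # operator can confirm the BEK GUID matches the External Key protector shown.
    & manage-bde -status $Drive
    & manage-bde -protectors -get $Drive

    & manage-bde -unlock $Drive -rk $BekPath
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -unlock failed with exit code $LASTEXITCODE" }

    # The BEK is the volume's full key; do not leave a copy on the recovery VM.
    if (-not $KeepBekFile) { Remove-Item -Path $BekPath -Force }
    return $true
}

# Usage (constructed values, replace with your own):
#   $bek = Export-BekFromKeyVault -VaultName 'AzureKeyVaultName' -MachineName 'VirtualMachineName' -Verbose
#   copy $bek to the recovery VM, then on that VM:
#   Unlock-VolumeWithBek -Drive 'F:' -BekPath 'C:\BEK\<guid>.BEK'
```

Run the export on the workstation where you are logged in to Azure and the unlock on the recovery VM; the BEK file is the only thing that has to move between them.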

8) You can gather the logs by navigating to the following path: DRIVE LETTER:\Windows\System32\winevt\Logs
9) Detach the drive from the recovery machine
10) Rebuild the VM using PowerShell (Non-Managed Disk)

# To login to Azure Resource Manager
Login-AzureRmAccount
 
# To view all subscriptions for your account
Get-AzureRmSubscription

# To select a default subscription for your current session
Get-AzureRmSubscription -SubscriptionId "SubscriptionID" | Select-AzureRmSubscription

$rgname = "RGname"
$loc = "Location"
$vmsize = "VmSize"
$vmname = "VmName"
$vm = New-AzureRmVMConfig -VMName $vmname -VMSize $vmsize;

$nic = Get-AzureRmNetworkInterface -Name ("NicName") -ResourceGroupName $rgname;
$nicId = $nic.Id;

$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nicId;

$osDiskName = "OSdiskName"
$osDiskVhdUri = "OSdiskURI"

$vm = Set-AzureRmVMOSDisk -VM $vm -VhdUri $osDiskVhdUri -name $osDiskName -CreateOption attach -Windows

New-AzureRmVM -ResourceGroupName $rgname -Location $loc -VM $vm -Verbose

11) Or if you are using managed disks: Rebuild the VM using PowerShell (Managed Disk)

# To login to Azure Resource Manager
Login-AzureRmAccount

# To view all subscriptions for your account
Get-AzureRmSubscription

# To select a default subscription for your current session
Get-AzureRmSubscription -SubscriptionId "SubscriptionID" | Select-AzureRmSubscription

#Fill in all variables
$subid = "SubscriptionID"
$rgName = "ResourceGroupName";
$loc = "Location";
$vmSize = "VmSize";
$vmName = "VmName";
$nic1Name = "FirstNetworkInterfaceName";
#$nic2Name = "SecondNetworkInterfaceName";
#$avName = "AvailabilitySetName";
$osDiskName = "OsDiskName";
$DataDiskName = "DataDiskName"

#If the format below does not match, the resource IDs can be copied from the Managed Disks you wish to use in the Azure Portal
$osDiskResourceId = "/subscriptions/$subid/resourceGroups/$rgName/providers/Microsoft.Compute/disks/$osDiskName";
$dataDiskResourceId = "/subscriptions/$subid/resourceGroups/$rgName/providers/Microsoft.Compute/disks/$DataDiskName";

$vm = New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize;

#Uncomment to add Availability Set
#$avSet = Get-AzureRmAvailabilitySet -Name $avName -ResourceGroupName $rgName;
#$vm = New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize -AvailabilitySetId $avSet.Id;

#Get NIC Resource Id and add
$nic1 = Get-AzureRmNetworkInterface -Name $nic1Name -ResourceGroupName $rgName;
$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic1.Id -Primary;

#Uncomment to add a secondary NIC
#$nic2 = Get-AzureRmNetworkInterface -Name $nic2Name -ResourceGroupName $rgName;
#$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic2.Id;

#Windows VM
$vm = Set-AzureRmVMOSDisk -VM $vm -ManagedDiskId $osDiskResourceId -Name $osDiskName -CreateOption Attach -Windows;

#Linux VM
#$vm = Set-AzureRmVMOSDisk -VM $vm -ManagedDiskId $osDiskResourceId -Name $osDiskName -CreateOption Attach -Linux;

#Uncomment to add an additional Data Disk
#Add-AzureRmVMDataDisk -VM $vm -ManagedDiskId $dataDiskResourceId -Name $DataDiskName -Caching None -DiskSizeInGB 1024 -Lun 0 -CreateOption Attach;

New-AzureRmVM -ResourceGroupName $rgName -Location $loc -VM $vm;
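The managed-disk rebuild in steps 9 through 11 fails or, worse, attaches the wrong disk when the OS disk is still connected to the recovery VM or the OS type flag does not match the disk. The function below is an added example, not code from the original page: it wraps the same New-AzureRmVMConfig / Set-AzureRmVMOSDisk / New-AzureRmVM sequence with pre-flight checks that the original VM is gone, that the disk and NIC are not attached to anything, and that -Windows or -Linux is chosen from the disk's own OsType. It assumes the AzureRM module and the properties ManagedBy and OsType on the object Get-AzureRmDisk returns and VirtualMachine on the NIC object; the resource names are placeholders.

```powershell
# Added example, not part of the original page. AzureRM module, logged-in session assumed.

function Restore-VmFromManagedOsDisk {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $Location,
        [Parameter(Mandatory)] [string] $VmName,
        [Parameter(Mandatory)] [string] $VmSize,
        [Parameter(Mandatory)] [string] $OsDiskName,
        [Parameter(Mandatory)] [string] $NicName,
        [string] $AvailabilitySetName,
        [switch] $WhatIf
    )

    # 1. The impacted VM must already be deleted (step 2); otherwise the disk is still in use.
    $existing = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VmName -ErrorAction SilentlyContinue
    if ($existing) { throw "VM '$VmName' still exists in '$ResourceGroupName'; delete it before rebuilding." }

    # 2. The OS disk must be detached from the recovery VM (step 9). ManagedBy is the
    #    resource ID of the VM the disk is attached to, or empty when detached.
    $disk = Get-AzureRmDisk -ResourceGroupName $ResourceGroupName -DiskName $OsDiskName
    if ($disk.ManagedBy) { throw "Disk '$OsDiskName' is still attached to $($disk.ManagedBy). Detach it first." }
    if ($disk.Location -ne $Location) { throw "Disk is in '$($disk.Location)', not '$Location'." }

    # 3. The NIC must be free as well, and it must be the primary one.
    $nic = Get-AzureRmNetworkInterface -Name $NicName -ResourceGroupName $ResourceGroupName
    if ($nic.VirtualMachine) { throw "NIC '$NicName' is still bound to $($nic.VirtualMachine.Id)." }

    # 4. Build the config; OS type comes from the disk, so the flag cannot be wrong.
    if ($AvailabilitySetName) {
        $avSet = Get-AzureRmAvailabilitySet -Name $AvailabilitySetName -ResourceGroupName $ResourceGroupName
        $vm = New-AzureRmVMConfig -VMName $VmName -VMSize $VmSize -AvailabilitySetId $avSet.Id
    } else {
        $vm = New-AzureRmVMConfig -VMName $VmName -VMSize $VmSize
    }
    $vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic.Id -Primary

    if ($disk.OsType -eq 'Windows') {
        $vm = Set-AzureRmVMOSDisk -VM $vm -ManagedDiskId $disk.Id -Name $OsDiskName -CreateOption Attach -Windows
    } elseif ($disk.OsType -eq 'Linux') {
        $vm = Set-AzureRmVMOSDisk -VM $vm -ManagedDiskId $disk.Id -Name $OsDiskName -CreateOption Attach -Linux
    } else {
        throw "Disk '$OsDiskName' has no OsType; it is not an OS disk."
    }

    if ($WhatIf) {
        Write-Host "Would create VM '$VmName' ($VmSize) in $Location from disk $($disk.Id) with NIC $($nic.Id)"
        return $vm
    }
    return New-AzureRmVM -ResourceGroupName $ResourceGroupName -Location $Location -VM $vm -Verbose
}

# Usage (placeholder names): dry run first, then create.
# Restore-VmFromManagedOsDisk -ResourceGroupName 'RGname' -Location 'Location' -VmName 'VmName' `
#     -VmSize 'VmSize' -OsDiskName 'OsDiskName' -NicName 'FirstNetworkInterfaceName' -WhatIf
```

Add data disks after the VM exists with Add-AzureRmVMDataDisk and Update-AzureRmVM, as in the commented line of step 11, once you have confirmed each data disk's ManagedBy is empty in the same way.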