Unlock Azure Drive locked with Bitlocker BEK Encryption (ARM)

Symptom:

  • Unable to RDP to the Azure VM because its OS disk is locked with BitLocker (BEK key protector)
  • Unable to gather logs off the VM because the OS disk is locked with BitLocker (BEK key protector)

Resolution:

  1. Create a Recovery VM in the same Resource Group, Storage Account and Location as the impacted VM.
  2. Delete the affected VM via the Azure Portal. Make sure the OS disk is not deleted along with it (that disk is the one you need to unlock), and note the OS disk name or VHD URI, NIC name, VM size and availability set, because the rebuild scripts in step 10 need them. Then attach that OS disk to the recovery VM as a data disk; step 7 assumes it shows up there as F:.
  3. On your PC, open PowerShell ISE as an Administrator
  4. Run the following, modifying each section as needed:

    Login-AzureRmAccount

    $vmName = "VirtualMachineName"
    $vault  = "AzureKeyVaultName"

    # Get the Secret for the C drive from Azure Key Vault
    Get-AzureKeyVaultSecret -VaultName $vault | where {($_.Tags.MachineName -eq $vmName) -and ($_.Tags.VolumeLetter -eq "C:") -and ($_.ContentType -eq 'BEK')}

    # OR use the command below to get the BEK secrets for all the volumes of that machine
    Get-AzureKeyVaultSecret -VaultName $vault | where {($_.Tags.MachineName -eq $vmName) -and ($_.ContentType -eq 'BEK')}

  5. Once you have the Secret Name, paste the following into PowerShell, replacing the secret name with the one returned above (listing secrets returns only metadata; the value is fetched by name):

    $secretName = 'SecretName'

    $keyVaultSecret  = Get-AzureKeyVaultSecret -VaultName $vault -Name $secretName
    $bekSecretBase64 = $keyVaultSecret.SecretValueText
  6. The next step converts the Base64-encoded value to bytes and writes the result to a file. The BEK file name must match the original BEK GUID if you use the USB unlock option; the secret name is that GUID, so the script names the file after it. The first command creates the C:\BEK folder the rest of the script writes into.

    New-Item -ItemType Directory -Path C:\BEK

    $bekFileBytes = [Convert]::FromBase64String($bekSecretBase64)
    $path = "C:\BEK\$secretName.BEK"
    [System.IO.File]::WriteAllBytes($path, $bekFileBytes)
  7. Once the BEK file is created on your PC, copy it to the recovery VM that has the locked OS disk attached, then run the following there, using the drive letter of the attached disk (F: in this example) and the BEK file location:

    manage-bde -status F:
    manage-bde -unlock F: -rk C:\BEK\FILENAME.BEK

    The .BEK file is the key protector for that volume; delete it from both machines as soon as the volume is unlocked.
  8. You can gather the logs by navigating to the following path on the unlocked drive: F:\Windows\System32\winevt\Logs (substitute the drive letter from step 7)

  9. Detach the drive from the recovery machine
  10. Rebuild the VM with PowerShell, using whichever of the two scripts below matches the disk type (unmanaged VHD or managed disk):

     

    #Rebuild from Non-Managed Disk

    # To login to Azure Resource Manager
    Login-AzureRmAccount

    # To view all subscriptions for your account
    Get-AzureRmSubscription

    # To select a default subscription for your current session
    Get-AzureRmSubscription -SubscriptionId "SubscriptionID" | Select-AzureRmSubscription

    $rgname = "RGname"
    $loc = "Location"
    $vmsize = "VmSize"
    $vmname = "VmName"
    $vm = New-AzureRmVMConfig -VMName $vmname -VMSize $vmsize;

    # Reuse the NIC left behind when the original VM was deleted
    $nic = Get-AzureRmNetworkInterface -Name ("NicName") -ResourceGroupName $rgname;
    $nicId = $nic.Id;

    $vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nicId;

    # Attach the existing OS VHD rather than creating a new one
    $osDiskName = "OSdiskName"
    $osDiskVhdUri = "OSdiskURI"

    $vm = Set-AzureRmVMOSDisk -VM $vm -VhdUri $osDiskVhdUri -Name $osDiskName -CreateOption Attach -Windows

    New-AzureRmVM -ResourceGroupName $rgname -Location $loc -VM $vm -Verbose


    #Rebuild from Managed Disk

    # To login to Azure Resource Manager
    Login-AzureRmAccount

    # To view all subscriptions for your account
    Get-AzureRmSubscription

    # To select a default subscription for your current session
    Get-AzureRmSubscription -SubscriptionId "SubscriptionID" | Select-AzureRmSubscription

    #Fill in all variables
    $subid = "SubscriptionID"
    $rgName = "ResourceGroupName";
    $loc = "Location";
    $vmSize = "VmSize";
    $vmName = "VmName";
    $nic1Name = "FirstNetworkInterfaceName";
    #$nic2Name = "SecondNetworkInterfaceName";
    $avName = "AvailabilitySetName";
    $osDiskName = "OsDiskName";
    $dataDiskName = "DataDiskName"

    #The resource IDs can be copied from the Managed Disks blade in the Azure Portal if the format below does not match
    $osDiskResourceId = "/subscriptions/$subid/resourceGroups/$rgName/providers/Microsoft.Compute/disks/$osDiskName";
    $dataDiskResourceId = "/subscriptions/$subid/resourceGroups/$rgName/providers/Microsoft.Compute/disks/$dataDiskName";

    $vm = New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize;

    #Uncomment to add an Availability Set
    #$avSet = Get-AzureRmAvailabilitySet -Name $avName -ResourceGroupName $rgName;
    #$vm = New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize -AvailabilitySetId $avSet.Id;

    #Get NIC Resource Id and add it as the primary NIC
    $nic1 = Get-AzureRmNetworkInterface -Name $nic1Name -ResourceGroupName $rgName;
    $vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic1.Id -Primary;

    #Uncomment to add a secondary NIC
    #$nic2 = Get-AzureRmNetworkInterface -Name $nic2Name -ResourceGroupName $rgName;
    #$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic2.Id;

    #Windows VM
    $vm = Set-AzureRmVMOSDisk -VM $vm -ManagedDiskId $osDiskResourceId -Name $osDiskName -CreateOption Attach -Windows;

    #Linux VM
    #$vm = Set-AzureRmVMOSDisk -VM $vm -ManagedDiskId $osDiskResourceId -Name $osDiskName -CreateOption Attach -Linux;

    #Uncomment to add an additional Data Disk (assign the result back to $vm so the disk is part of the VM config)
    #$vm = Add-AzureRmVMDataDisk -VM $vm -ManagedDiskId $dataDiskResourceId -Name $dataDiskName -Caching None -DiskSizeInGB 1024 -Lun 0 -CreateOption Attach;

    New-AzureRmVM -ResourceGroupName $rgName -Location $loc -VM $vm;
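The following is an added example, not code from the original post: it folds steps 4 through 8 into one function meant to run on the recovery VM itself, so the BEK never has to be copied between machines. It assumes the AzureRm module the post uses (Login-AzureRmAccount, Get-AzureKeyVaultSecret), that the locked OS disk is already attached to the recovery VM (F: by default), and that manage-bde is on the PATH. The function name, its parameters and the values in the usage lines are hypothetical; the DiskEncryptionKeyFileName tag is used only if Azure Disk Encryption set it on the secret, with the secret name (the BEK GUID) as the fallback the post describes.

```powershell
# Added example (not from the original post). Assumes the AzureRm module, the locked OS disk
# attached to this recovery VM, and manage-bde available. Names below are hypothetical.
function Unlock-AzureBekVolume {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VmName,      # MachineName tag on the Key Vault secret
        [Parameter(Mandatory)] [string] $VaultName,   # Key Vault holding the ADE BEK secrets
        [string] $VolumeLetter = 'C:',                # volume letter as the original VM saw it
        [string] $LockedDrive  = 'F:',                # letter the attached disk has on this VM
        [string] $BekFolder    = 'C:\BEK'
    )

    # 1. Find the BEK secret for this machine/volume. Listing secrets returns tags and
    #    content type but not the value, so the value is fetched by name afterwards.
    $candidates = @(Get-AzureKeyVaultSecret -VaultName $VaultName |
        Where-Object { $_.Tags.MachineName -eq $VmName -and
                       $_.Tags.VolumeLetter -eq $VolumeLetter -and
                       $_.ContentType -eq 'BEK' })
    if ($candidates.Count -eq 0) { throw "No BEK secret for $VmName $VolumeLetter in vault $VaultName" }
    if ($candidates.Count -gt 1) { throw "Several BEK secrets match ($($candidates.Name -join ', ')); pick one by name" }
    $secret = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $candidates[0].Name

    # 2. The secret value is the base64 of the .BEK file. Name the file after the secret
    #    (the BEK GUID) unless the DiskEncryptionKeyFileName tag is present and names it.
    $bekBytes = [Convert]::FromBase64String($secret.SecretValueText)
    $fileName = if ($secret.Tags.DiskEncryptionKeyFileName) { $secret.Tags.DiskEncryptionKeyFileName }
                else { "$($secret.Name).BEK" }

    # 3. Write the key protector to a folder only Administrators (S-1-5-32-544) and SYSTEM
    #    (S-1-5-18) can read, and remove it again as soon as the volume is unlocked.
    New-Item -ItemType Directory -Path $BekFolder -Force | Out-Null
    icacls $BekFolder /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
    $bekPath = Join-Path $BekFolder $fileName
    [System.IO.File]::WriteAllBytes($bekPath, $bekBytes)
    try {
        manage-bde -status $LockedDrive
        manage-bde -unlock $LockedDrive -RecoveryKey $bekPath
        if ($LASTEXITCODE -ne 0) { throw "manage-bde -unlock failed with exit code $LASTEXITCODE" }

        # 4. Confirm the OS volume is readable before collecting logs; a missing Logs folder
        #    means the wrong disk or wrong volume was unlocked.
        $logs = Join-Path $LockedDrive 'Windows\System32\winevt\Logs'
        if (-not (Test-Path $logs)) { throw "Unlocked $LockedDrive but $logs does not exist" }
        return $logs
    }
    finally {
        # The .BEK file is equivalent to the volume key: never leave it on the recovery VM.
        Remove-Item -Path $bekPath -Force -ErrorAction SilentlyContinue
    }
}

# Hypothetical usage on the recovery VM; returns the event-log folder on the unlocked disk.
# Login-AzureRmAccount
# $logs = Unlock-AzureBekVolume -VmName 'VirtualMachineName' -VaultName 'AzureKeyVaultName'
# Copy-Item -Path (Join-Path $logs '*.evtx') -Destination 'C:\LogsFromLockedVm' -Force
# manage-bde -lock F: -ForceDismount   # re-lock before detaching the disk in step 9
```

Re-locking the volume with manage-bde -lock before detaching it (step 9) means the disk goes back to the rebuilt VM in the same protected state it left. If you run this under the newer Az module instead of AzureRm, note that SecretValueText no longer exists there (it was removed in Az.KeyVault 2.0); use Get-AzKeyVaultSecret -VaultName ... -Name ... -AsPlainText to obtain the base64 string.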

     


 

