Unlock Azure Drive locked via BitLocker (ARM)

1) Create a recovery VM in the same resource group, storage account and location as the impacted VM.

2) Delete the affected VM via the Azure Portal

3) Open PowerShell ISE as an Administrator

4) Run the following, replacing the placeholder values with your own:

Login-AzureRmAccount

$vmName = "VirtualMachineName"
$vault = "AzureKeyVaultName"

# Get the secret for the C drive from Azure Key Vault
Get-AzureKeyVaultSecret -VaultName $vault | where {($_.Tags.MachineName -eq $vmName) -and ($_.Tags.VolumeLetter -eq "C:") -and ($_.ContentType -eq 'BEK')}

# OR use the command below to get the BEK secrets for all volumes of the VM
#Get-AzureKeyVaultSecret -VaultName $vault | where {($_.Tags.MachineName -eq $vmName) -and ($_.ContentType -eq 'BEK')}

5) Once you have the secret name, paste the following script into PowerShell, replacing the placeholder values with your own:

$secretName = 'SecretName'
$keyVaultSecret = Get-AzureKeyVaultSecret -VaultName $vault -Name $secretName
$bekSecretBase64 = $keyVaultSecret.SecretValueText

6) The next step is to convert the Base64-encoded value to bytes and write the output to a file. Please note that the BEK file name must match the original BEK GUID if you intend to use the USB unlock option. You will also need a folder named BEK on your C drive before the steps below will work (the first command creates it).

New-Item -ItemType directory -Path C:\BEK
$bekFileBytes = [Convert]::FromBase64String($bekSecretBase64)
$path = "C:\BEK\$secretName.BEK"
[System.IO.File]::WriteAllBytes($path, $bekFileBytes)
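Steps 4 to 6 can be folded into one script that exports every BEK secret tagged for the VM, keeps the secret name (the BEK GUID) as the file name, and checks that each secret actually decodes to something. The following is an added example, not the original post's code; it uses the same AzureRm cmdlets and tag names as the post and assumes an existing Login-AzureRmAccount session. The Get-SecretPlainText helper is an assumption added here: AzureRm exposes SecretValueText, while the later Az.KeyVault module only exposes a SecureString in SecretValue, so the helper handles both.

```powershell
# Added example (not from the original post): export the BEK secrets for one VM from Key Vault.
# Assumes the AzureRm modules and an existing Login-AzureRmAccount session, as in the post.

function Get-SecretPlainText {
    param([Parameter(Mandatory)] $Secret)
    # AzureRm: SecretValueText holds the plain text. Az: only a SecureString in SecretValue.
    if ($Secret.PSObject.Properties['SecretValueText'] -and $Secret.SecretValueText) {
        return $Secret.SecretValueText
    }
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret.SecretValue)
    try { return [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Export-BekSecrets {
    param(
        [Parameter(Mandatory)][string] $VaultName,
        [Parameter(Mandatory)][string] $VmName,
        [string] $OutputFolder = 'C:\BEK'
    )
    # BitLocker external key files are named after the protector GUID; the post relies on
    # the secret name being that GUID, so warn when a name does not look like one.
    $guidPattern = '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

    if (-not (Test-Path -LiteralPath $OutputFolder)) {
        New-Item -ItemType Directory -Path $OutputFolder | Out-Null
    }

    # Listing returns metadata only (Name, Tags, ContentType); the value is fetched per secret below.
    $bekSecrets = Get-AzureKeyVaultSecret -VaultName $VaultName |
        Where-Object { $_.Tags.MachineName -eq $VmName -and $_.ContentType -eq 'BEK' }
    if (-not $bekSecrets) { throw "No BEK secrets tagged MachineName=$VmName found in vault $VaultName" }

    foreach ($s in $bekSecrets) {
        if ($s.Name -notmatch $guidPattern) {
            Write-Warning "Secret '$($s.Name)' is not a GUID; manage-bde -unlock -rk still works, but USB auto-unlock needs the original GUID file name"
        }
        $full  = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $s.Name
        $bytes = [Convert]::FromBase64String((Get-SecretPlainText $full))
        if ($bytes.Length -eq 0) { throw "Secret '$($s.Name)' decoded to zero bytes" }

        $path = Join-Path $OutputFolder "$($s.Name).BEK"
        [System.IO.File]::WriteAllBytes($path, $bytes)
        [pscustomobject]@{ Volume = $s.Tags.VolumeLetter; Secret = $s.Name; Path = $path; Bytes = $bytes.Length }
    }
}

# Usage (replace the placeholders with your own values):
# Export-BekSecrets -VaultName 'AzureKeyVaultName' -VmName 'VirtualMachineName'
```

The function returns one object per volume so you can see which file belongs to C: and which to any data volumes. The exported .BEK files are the unlock keys in plain form, so remove them from your workstation and the recovery VM once the disk is unlocked and the logs are collected.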

7) Once the BEK file is created on your PC, copy it to the recovery VM that has the locked OS disk attached, then run the following on that VM using the BEK file location (replace F: with the drive letter the attached disk received):

manage-bde -status F:
manage-bde -unlock F: -rk C:\BEK\FILENAME.BEK

8) You can gather the logs from the following path on the unlocked drive: <DRIVE LETTER>:\Windows\System32\winevt\Logs
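Steps 7 and 8 together, as an added example that is not part of the original post: the unlock is only accepted after manage-bde -status reports the volume as Unlocked, and the event logs are copied off the volume only once that check passes. The drive letter, BEK path and destination folder are your own values; the parsing of the "Lock Status:" line assumes the English manage-bde output.

```powershell
# Added example (not from the original post): unlock the attached volume with the exported BEK,
# confirm the state change, then copy the Windows event logs off it. Run on the recovery VM.

function Get-BitLockerLockStatus {
    param([Parameter(Mandatory)][string] $Drive)
    $out = & manage-bde.exe -status $Drive 2>&1 | Out-String
    # manage-bde prints a line such as "    Lock Status:          Locked" (English output assumed)
    if ($out -match 'Lock Status:\s+(\w+)') { return $Matches[1] }   # "Locked" or "Unlocked"
    throw "Could not read the lock status of $Drive`n$out"
}

function Unlock-VolumeWithBek {
    param(
        [Parameter(Mandatory)][string] $Drive,    # e.g. 'F:'
        [Parameter(Mandatory)][string] $BekPath   # e.g. 'C:\BEK\<secret-guid>.BEK'
    )
    if (-not (Test-Path -LiteralPath $BekPath)) { throw "BEK file not found: $BekPath" }
    if ((Get-BitLockerLockStatus -Drive $Drive) -eq 'Unlocked') {
        Write-Verbose "$Drive is already unlocked"
        return $true
    }
    # -RecoveryKey is the long form of -rk used in the post
    & manage-bde.exe -unlock $Drive -RecoveryKey $BekPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -unlock failed with exit code $LASTEXITCODE" }
    return (Get-BitLockerLockStatus -Drive $Drive) -eq 'Unlocked'
}

function Copy-WindowsEventLogs {
    param(
        [Parameter(Mandatory)][string] $Drive,
        [Parameter(Mandatory)][string] $Destination
    )
    $source = Join-Path $Drive 'Windows\System32\winevt\Logs'
    if (-not (Test-Path -LiteralPath $source)) { throw "Log folder not found: $source (is the volume unlocked?)" }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    # Only the .evtx files are of interest; the folder may also hold lock and temp files.
    Get-ChildItem -LiteralPath $source -Filter '*.evtx' | Copy-Item -Destination $Destination -Force
    return (Get-ChildItem -LiteralPath $Destination -Filter '*.evtx').Count
}

# Usage:
# if (Unlock-VolumeWithBek -Drive 'F:' -BekPath 'C:\BEK\<secret-guid>.BEK') {
#     Copy-WindowsEventLogs -Drive 'F:' -Destination 'C:\Triage\F-logs'
# }
```

Copy-WindowsEventLogs returns the number of .evtx files that landed in the destination, which is a quick sanity check that System.evtx, Application.evtx and the other channels you need were actually collected before the disk is detached in step 9.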

9) Detach the drive from the recovery machine

10) Rebuild the VM using PowerShell (Non-Managed Disk)

# To login to Azure Resource Manager
Login-AzureRmAccount

# To view all subscriptions for your account
Get-AzureRmSubscription

# To select a default subscription for your current session
Get-AzureRmSubscription -SubscriptionId "SubscriptionID" | Select-AzureRmSubscription

$rgname = "RGname"
$loc = "Location"
$vmsize = "VmSize"
$vmname = "VmName"

$vm = New-AzureRmVMConfig -VMName $vmname -VMSize $vmsize

$nic = Get-AzureRmNetworkInterface -Name "NicName" -ResourceGroupName $rgname
$nicId = $nic.Id
$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nicId

$osDiskName = "OSdiskName"
$osDiskVhdUri = "OSdiskURI"
$vm = Set-AzureRmVMOSDisk -VM $vm -VhdUri $osDiskVhdUri -Name $osDiskName -CreateOption Attach -Windows

New-AzureRmVM -ResourceGroupName $rgname -Location $loc -VM $vm -Verbose

11) Or, if you are using managed disks, rebuild the VM using PowerShell (Managed Disk):

# To login to Azure Resource Manager
Login-AzureRmAccount

# To view all subscriptions for your account
Get-AzureRmSubscription

# To select a default subscription for your current session
Get-AzureRmSubscription -SubscriptionId "SubscriptionID" | Select-AzureRmSubscription

# Fill in all variables
$subid = "SubscriptionID"
$rgName = "ResourceGroupName"
$loc = "Location"
$vmSize = "VmSize"
$vmName = "VmName"
$nic1Name = "FirstNetworkInterfaceName"
#$nic2Name = "SecondNetworkInterfaceName"
#$avName = "AvailabilitySetName"
$osDiskName = "OsDiskName"
$dataDiskName = "DataDiskName"

# The resource IDs can be copied from the managed disks you wish to use in the Azure Portal if the format below does not match
$osDiskResourceId = "/subscriptions/$subid/resourceGroups/$rgName/providers/Microsoft.Compute/disks/$osDiskName"
$dataDiskResourceId = "/subscriptions/$subid/resourceGroups/$rgName/providers/Microsoft.Compute/disks/$dataDiskName"

$vm = New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize

# Uncomment to add an availability set
#$avSet = Get-AzureRmAvailabilitySet -Name $avName -ResourceGroupName $rgName
#$vm = New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize -AvailabilitySetId $avSet.Id

# Get the NIC resource ID and add it
$nic1 = Get-AzureRmNetworkInterface -Name $nic1Name -ResourceGroupName $rgName
$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic1.Id -Primary

# Uncomment to add a secondary NIC
#$nic2 = Get-AzureRmNetworkInterface -Name $nic2Name -ResourceGroupName $rgName
#$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic2.Id

# Windows VM
$vm = Set-AzureRmVMOSDisk -VM $vm -ManagedDiskId $osDiskResourceId -Name $osDiskName -CreateOption Attach -Windows

# Linux VM
#$vm = Set-AzureRmVMOSDisk -VM $vm -ManagedDiskId $osDiskResourceId -Name $osDiskName -CreateOption Attach -Linux

# Uncomment to add an additional data disk
#Add-AzureRmVMDataDisk -VM $vm -ManagedDiskId $dataDiskResourceId -Name $dataDiskName -Caching None -DiskSizeInGB 1024 -Lun 0 -CreateOption Attach

New-AzureRmVM -ResourceGroupName $rgName -Location $loc -VM $vm
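The two most common reasons the rebuild in steps 10 and 11 fails are that the OS disk is still attached to the recovery VM (step 9 was skipped) or the NIC is still bound to the old VM's record. The following added example, not part of the original post, runs those checks with Get-AzureRmDisk and Get-AzureRmNetworkInterface before building the managed-disk VM, and picks -Windows or -Linux from the disk's own OsType instead of a hand-edited switch. The function names are my own; the PSDisk properties used (ManagedBy, OsType, Location) and the NIC's VirtualMachine property are what the AzureRm module returns.

```powershell
# Added example (not from the original post): pre-flight checks for the managed-disk rebuild,
# then the same New-AzureRmVMConfig / Set-AzureRmVMOSDisk / New-AzureRmVM sequence as the post.

function Test-RebuildPrerequisites {
    param(
        [Parameter(Mandatory)][string] $ResourceGroupName,
        [Parameter(Mandatory)][string] $OsDiskName,
        [Parameter(Mandatory)][string] $NicName
    )
    $problems = @()

    $disk = Get-AzureRmDisk -ResourceGroupName $ResourceGroupName -DiskName $OsDiskName -ErrorAction SilentlyContinue
    if (-not $disk) {
        $problems += "OS disk '$OsDiskName' not found in resource group $ResourceGroupName"
    } elseif ($disk.ManagedBy) {
        # ManagedBy is the resource ID of the VM the disk is attached to (step 9 not done yet)
        $problems += "OS disk is still attached to $($disk.ManagedBy); detach it from the recovery VM first"
    } elseif ($disk.OsType -notin 'Windows', 'Linux') {
        $problems += "Disk '$OsDiskName' has no OS type; it may be a data disk rather than the OS disk"
    }

    $nic = Get-AzureRmNetworkInterface -ResourceGroupName $ResourceGroupName -Name $NicName -ErrorAction SilentlyContinue
    if (-not $nic) {
        $problems += "NIC '$NicName' not found in resource group $ResourceGroupName"
    } elseif ($nic.VirtualMachine) {
        $problems += "NIC is still bound to $($nic.VirtualMachine.Id); the delete of the old VM may not have completed"
    }

    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems; Disk = $disk; Nic = $nic }
}

function New-VmFromExistingOsDisk {
    param(
        [Parameter(Mandatory)][string] $ResourceGroupName,
        [Parameter(Mandatory)][string] $VmName,
        [Parameter(Mandatory)][string] $VmSize,
        [Parameter(Mandatory)][string] $OsDiskName,
        [Parameter(Mandatory)][string] $NicName
    )
    $check = Test-RebuildPrerequisites -ResourceGroupName $ResourceGroupName -OsDiskName $OsDiskName -NicName $NicName
    if (-not $check.Ok) { throw ("Rebuild prerequisites not met:`n" + ($check.Problems -join "`n")) }

    $vm = New-AzureRmVMConfig -VMName $VmName -VMSize $VmSize
    $vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $check.Nic.Id -Primary
    # Choose the OS switch from the disk itself so a Linux disk is never attached as -Windows
    if ($check.Disk.OsType -eq 'Windows') {
        $vm = Set-AzureRmVMOSDisk -VM $vm -ManagedDiskId $check.Disk.Id -Name $OsDiskName -CreateOption Attach -Windows
    } else {
        $vm = Set-AzureRmVMOSDisk -VM $vm -ManagedDiskId $check.Disk.Id -Name $OsDiskName -CreateOption Attach -Linux
    }
    # The VM must be created in the disk's own region, so take the location from the disk
    New-AzureRmVM -ResourceGroupName $ResourceGroupName -Location $check.Disk.Location -VM $vm
}

# Usage (replace the placeholders with your own values):
# New-VmFromExistingOsDisk -ResourceGroupName 'ResourceGroupName' -VmName 'VmName' -VmSize 'VmSize' `
#     -OsDiskName 'OsDiskName' -NicName 'FirstNetworkInterfaceName'
```

Test-RebuildPrerequisites can be run on its own first; it returns every problem it finds rather than stopping at the first, so one pass tells you whether it is the disk, the NIC, or both that still need attention.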

Author: micahmckittrick

28 years old. Azure Engineer @Microsoft