Unlock Azure Drive locked with Bitlocker BEK Encryption (ARM)

Symptom:

  • Unable to RDP to the Azure VM because the OS disk is locked with BitLocker BEK encryption
  • Unable to gather logs off the VM because the OS disk is locked with BitLocker BEK encryption

Resolution:

1) Create a Recovery VM in the same Resource Group, Storage Account and Location as the impacted VM.

2) Delete the affected VM via the Azure Portal (the OS disk is kept; attach it to the Recovery VM as a data disk so it can be unlocked in step 7).

3) Open PowerShell ISE as an Administrator

4) Run the following, modifying each section as needed:

Login-AzureRmAccount
$vmName = "VirtualMachineName"
$vault = "AzureKeyVaultName"

# Get the Secret for the C drive from Azure Key Vault
Get-AzureKeyVaultSecret -VaultName $vault | where {($_.Tags.MachineName -eq $vmName) -and ($_.Tags.VolumeLetter -eq "C:\") -and ($_.ContentType -eq 'BEK')}

# OR use the below command to get the BEK keys for all the Volumes

Get-AzureKeyVaultSecret -VaultName $vault | where {($_.Tags.MachineName -eq $vmName) -and ($_.ContentType -eq 'BEK')}

5) Once you have the Secret Name, paste the following script into PowerShell, modifying the placeholder values:

$secretName = 'SecretName'   # the secret name returned in step 4 (this is the BEK GUID)
$keyVaultSecret = Get-AzureKeyVaultSecret -VaultName $vault -Name $secretName
$bekSecretBase64 = $keyVaultSecret.SecretValueText

6) The next step is to convert the Base64 encoded value to bytes and write the output to a file. Please note, the BEK file name must match the original BEK GUID if using the USB unlock option (the secret name is that GUID). Also, the folder C:\BEK must exist before the file is written; the first command below creates it.

New-Item -ItemType Directory -Path C:\BEK
$bekFileBytes = [Convert]::FromBase64String($bekSecretBase64)
$path = "C:\BEK\$secretName.BEK"
[System.IO.File]::WriteAllBytes($path, $bekFileBytes)

7) Once the BEK file is created on your PC, copy it to the recovery VM that has the locked OS disk attached, then run the following using the BEK file location (F: is the drive letter the locked disk received on the recovery VM):

manage-bde -status F:
manage-bde -unlock F: -rk C:\BEKFILENAME.BEK
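
Steps 4 through 7 combined into one script, as an added example that is not part of the original article: it selects the BEK secret by the tags shown in step 4, writes it as <SecretName>.BEK (the secret name is the BEK GUID, which satisfies the naming note in step 6), unlocks the attached volume, verifies the lock status, and removes the key file afterwards. It assumes the same AzureRM cmdlets used above, that Login-AzureRmAccount has already run on the recovery VM, that the locked OS disk is attached there as F:, and the hypothetical function name Unlock-BekVolume.

```powershell
# Added example (not from the original article). Assumes the AzureRM module,
# an existing Login-AzureRmAccount session, and the locked disk attached as F:.
function Unlock-BekVolume {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $MachineName,
        [string] $VolumeLetter = 'C:\',   # tag value written by Azure Disk Encryption
        [string] $Drive = 'F:',           # letter the locked disk got on the recovery VM
        [string] $BekFolder = 'C:\BEK'
    )

    # Match on the tags from step 4: MachineName, VolumeLetter and ContentType 'BEK'.
    $secrets = Get-AzureKeyVaultSecret -VaultName $VaultName |
        Where-Object { $_.ContentType -eq 'BEK' -and
                       $_.Tags.MachineName -eq $MachineName -and
                       $_.Tags.VolumeLetter -eq $VolumeLetter }
    if ($secrets.Count -ne 1) {
        throw "Expected exactly one BEK secret for $MachineName $VolumeLetter, found $($secrets.Count)"
    }

    # The listing call returns no value, so fetch the secret by name; the name is the BEK GUID.
    $secret   = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $secrets[0].Name
    $bekBytes = [Convert]::FromBase64String($secret.SecretValueText)
    New-Item -ItemType Directory -Path $BekFolder -Force | Out-Null
    $bekPath  = Join-Path $BekFolder "$($secret.Name).BEK"
    [System.IO.File]::WriteAllBytes($bekPath, $bekBytes)

    try {
        manage-bde -unlock $Drive -RecoveryKey $bekPath
        if ($LASTEXITCODE -ne 0) { throw "manage-bde -unlock failed with exit code $LASTEXITCODE" }

        # Confirm the volume is unlocked before collecting logs (step 8).
        $status = (manage-bde -status $Drive) -join "`n"
        if ($status -notmatch 'Lock Status:\s+Unlocked') { throw "Volume $Drive is still locked" }
        Write-Output "Unlocked $Drive using $bekPath"
    }
    finally {
        # The .BEK file is a plaintext key protector; do not leave it on the recovery VM.
        Remove-Item $bekPath -Force -ErrorAction SilentlyContinue
    }
}

Unlock-BekVolume -VaultName 'AzureKeyVaultName' -MachineName 'VirtualMachineName'
```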

8) You can gather the logs by navigating to the following path: DRIVE LETTER:\Windows\System32\winevt\Logs

9) Detach the drive from the recovery machine

10) Rebuild the VM with PowerShell using one of the two scripts below:

#Rebuild from Non-Managed Disk

# To login to Azure Resource Manager
Login-AzureRmAccount

# To view all subscriptions for your account
Get-AzureRmSubscription

# To select a default subscription for your current session
Get-AzureRmSubscription -SubscriptionId "SubscriptionID" | Select-AzureRmSubscription

$rgname = "RGname"
$loc = "Location"
$vmsize = "VmSize"
$vmname = "VmName"
$vm = New-AzureRmVMConfig -VMName $vmname -VMSize $vmsize;

$nic = Get-AzureRmNetworkInterface -Name ("NicName") -ResourceGroupName $rgname;
$nicId = $nic.Id;

$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nicId;

$osDiskName = "OSdiskName"
$osDiskVhdUri = "OSdiskURI"

$vm = Set-AzureRmVMOSDisk -VM $vm -VhdUri $osDiskVhdUri -name $osDiskName -CreateOption attach -Windows

New-AzureRmVM -ResourceGroupName $rgname -Location $loc -VM $vm -Verbose

#Rebuild from Managed Disk

# To login to Azure Resource Manager
Login-AzureRmAccount

# To view all subscriptions for your account
Get-AzureRmSubscription

# To select a default subscription for your current session
Get-AzureRmSubscription -SubscriptionId "SubscriptionID" | Select-AzureRmSubscription

#Fill in all variables
$subid = "SubscriptionID"
$rgName = "ResourceGroupName";
$loc = "Location";
$vmSize = "VmSize";
$vmName = "VmName";
$nic1Name = "FirstNetworkInterfaceName";
#$nic2Name = "SecondNetworkInterfaceName";
$avName = "AvailabilitySetName";
$osDiskName = "OsDiskName";
$DataDiskName = "DataDiskName"

#These can be found by selecting the Managed Disks you wish to use in the Azure Portal if the format below does not match
$osDiskResourceId = "/subscriptions/$subid/resourceGroups/$rgName/providers/Microsoft.Compute/disks/$osDiskName";
$dataDiskResourceId = "/subscriptions/$subid/resourceGroups/$rgName/providers/Microsoft.Compute/disks/$DataDiskName";

$vm = New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize;

#Uncomment to add an Availability Set
#$avSet = Get-AzureRmAvailabilitySet -Name $avName -ResourceGroupName $rgName;
#$vm = New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize -AvailabilitySetId $avSet.Id;

#Get NIC Resource Id and add
$nic1 = Get-AzureRmNetworkInterface -Name $nic1Name -ResourceGroupName $rgName;
$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic1.Id -Primary;

#Uncomment to add a secondary NIC
#$nic2 = Get-AzureRmNetworkInterface -Name $nic2Name -ResourceGroupName $rgName;
#$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic2.Id;

#Windows VM
$vm = Set-AzureRmVMOSDisk -VM $vm -ManagedDiskId $osDiskResourceId -Name $osDiskName -CreateOption Attach -Windows;

#Linux VM
#$vm = Set-AzureRmVMOSDisk -VM $vm -ManagedDiskId $osDiskResourceId -Name $osDiskName -CreateOption Attach -Linux;

#Uncomment to add an additional Data Disk
#Add-AzureRmVMDataDisk -VM $vm -ManagedDiskId $dataDiskResourceId -Name $DataDiskName -Caching None -DiskSizeInGB 1024 -Lun 0 -CreateOption Attach;

New-AzureRmVM -ResourceGroupName $rgName -Location $loc -VM $vm;