Rescue VM Azure from Encrypted Disks or Boot Issues

If your Azure VM is experiencing boot issues due to encrypted disks, don't worry, there's a solution. Azure provides a feature called Azure Disk Encryption, which can be used to troubleshoot and resolve boot issues.

Azure Disk Encryption allows you to encrypt and decrypt disks on Azure VMs, but it can also cause boot issues if not configured properly. This is because the encryption process requires a key to decrypt the disk, which can be lost or corrupted.

To rescue your VM from encrypted disks or boot issues, you can use the Azure portal or Azure CLI to troubleshoot and resolve the issue. The Azure portal provides a feature called "Troubleshoot" that can help you identify the root cause of the issue.

Azure CLI provides a command called "az vm troubleshoot" that can be used to troubleshoot and resolve boot issues. This command can help you identify the issue and provide a solution.

Before diving into the rescue VM process, you need to prepare your disk for repair. To do this, you should confirm that Azure Disk Encryption (ADE) is enabled on the disk.

There are a few things to determine before proceeding: whether the OS disk uses ADE version 1 (dual-pass encryption) or ADE version 2 (single-pass encryption). You'll also need to determine whether the OS disk is managed or unmanaged.

Here are the specific steps to take:

You can perform these steps in the Azure portal, PowerShell, or the Azure command-line interface (Azure CLI).

If you're trying to unlock an encrypted disk on a repair VM, you have a few options to consider.

There are three methods to unlock an encrypted disk on a repair VM: Automated, Semi-automated, and Manual.

The automated method uses az vm repair commands to create a repair VM, attach the failed OS disk, and unlock the disk if it's encrypted. This method works only for single-pass-encrypted managed disks and requires a public IP address for the repair VM.

If the automated method fails, you can try the semi-automated method, which is described in Resolution #2.

To manually unlock the disk, you'll need to follow the procedure in Resolution #3, which is best suited for dual-pass-encrypted disks or unmanaged disks.

Here are the steps to create a repair VM and attach the source VM's OS disk:

1. If the source VM's encrypted OS disk is a managed disk, follow steps 1-4 in Method 2 to attach a copy of the locked disk to a repair VM.

2. If the process of creating a new repair VM that has the attached encrypted disk hangs or fails, you can first create the VM without attaching the encrypted disk. After the repair VM is created, attach the encrypted disk to the VM through the Azure portal.

3. If the source VM's encrypted OS disk is an unmanaged disk, see Attach an unmanaged disk to a VM for offline repair.

Note: These steps are crucial in unlocking the encrypted disk on a repair VM, and following them carefully will increase the chances of a successful repair.

When attaching a source VM's OS disk to a repair VM, it's essential to note that if the disk is encrypted, you'll need to follow specific steps. If the disk is a managed disk, you can attach a copy of the locked disk to the repair VM.

If the process of creating a new repair VM with the attached encrypted disk fails, you can create the VM without attaching the encrypted disk and then attach it later through the Azure portal.

To replace the source VM's OS disk, you'll need to repair the disk first. After repairing the disk, detach the copy of the source VM OS disk from the repair VM.

You can then navigate to the source VM, open the Disks blade, and select Swap OS disk to replace the existing OS disk with the repaired one.

If the source VM's encrypted OS disk is a managed disk, you'll need to follow a specific process to attach it to a repair VM. This involves creating a copy of the locked disk and attaching it to the repair VM.

To create a copy of the locked disk, you'll need to follow steps 1-4 in Method 2. If the process of creating a new repair VM with the attached encrypted disk hangs or fails, you can try creating the VM without attaching the encrypted disk first. After the repair VM is created, you can then attach the encrypted disk to the VM through the Azure portal.

If the source VM's encrypted OS disk is an unmanaged disk, you'll need to see the instructions for attaching an unmanaged disk to a VM for offline repair. This process is separate from attaching a managed disk, so make sure to follow the correct procedure.

Replacing the source VM's OS disk is a crucial step in the process of repairing a broken disk. To do this, you'll first need to repair the disk, which we'll cover in a later section.

After repairing the disk, open the Disks blade for the repair VM in the Azure portal and detach the copy of the source VM OS disk. This involves locating the row for the associated disk name under Data Disks, selecting the "X" at the right side of that row, and then selecting Save.

You'll then need to navigate to the source (broken) VM and open the Disks blade. From there, select Swap OS disk to replace the existing OS disk with the one you repaired.

To complete the swap, select the new disk that you repaired, and then enter the name of the VM to verify the change. Be patient, as it may take up to 15 minutes for the disk to appear in the list after detaching it from the troubleshooting VM.

Once you've verified the change, select OK to complete the process.

If you're having trouble with your rescue VM in Azure, don't panic - we've got you covered. The first step is to check the VM's status in the Azure portal.

Make sure the VM is in a state that allows you to troubleshoot, such as Stopped or Deallocated. This will prevent any accidental data loss or corruption.

If the VM is stuck in a "deallocating" state, try restarting the Azure VM. This can often resolve the issue and get your VM back up and running.

Having a firewall active on the storage account associated with the VM's boot diagnostics can cause "Access Forbidden..." errors when loading SAC. This is a common issue many users face.

To resolve this, you can either temporarily turn off the firewall or add your existing location to the list of acceptable IPs. Temporarily turning off the firewall is a quick fix.

To do this, browse to your Azure Storage Account -> Settings and ensure the radio button for "Allow access from" is set to "All Networks". This will allow SAC to access the storage account.

You can now use Azure Virtual Machine repair commands to change the OS disk for a VM, and you no longer need to delete and recreate the VM. This is a game-changer for troubleshooting VM issues.

To troubleshoot the VM issue, you'll need to follow these steps: Launch Azure Cloud ShellRun az extension add/updateRun az vm repair createRun az vm repair run, or perform mitigation steps.Run az vm repair restore

If your VM is inaccessible, displays disk errors, or cannot start, you can run troubleshooting steps on the OS disk by attaching it to a separate repair VM. This process is called offline repair of a virtual disk in Azure.

If you're having trouble accessing your system, you can try booting into Safe Mode. Once SAC has loaded, type in 'cmd' and press enter to access the command line interface.

From here, you can run commands to troubleshoot or get your system up and running again. You can also switch to PowerShell if needed.

Accessing Safe Mode can be a lifesaver when your system is unresponsive or you need to troubleshoot a specific issue.

If you're dealing with a Windows VM that's inaccessible or displaying disk errors, you can try running troubleshooting steps on the OS disk by attaching it to a separate repair VM.

Troubleshooting scenarios that require offline repair of a virtual disk in Azure can be a challenge, but there are solutions available.

If the disk is encrypted using Azure Disk Encryption (ADE), it will remain locked and inaccessible until you unlock it with the same BitLocker encryption key (BEK) that was originally used.

The BEK is typically stored in an Azure key vault managed by your organization, along with an optional key-encrypting key (KEK) that encrypts or "wraps" the BEK.

In Azure, you can now use virtual machine repair commands to change the OS disk for a VM without deleting and recreating the VM. This is a game-changer for troubleshooting VM issues.

To troubleshoot a VM issue, you'll want to follow these steps: launch Azure Cloud Shell, run az extension add/update, and then run az vm repair create. After that, you can either run az vm repair run or perform mitigation steps. Finally, you'll need to run az vm repair restore.

The process of using virtual machine repair commands is straightforward and can be completed in a few steps.