@CarmeloLoPresti-2973
Thank you for your post!
A VM's BitLocker Encryption Key, when leveraging Azure Disk Encryption, is stored in the Key Vault as a Secret. The 48-character BitLocker Key can only be generated by leveraging the GenerateBEKFileForDiskUnlock.ps1 along with the Secret URL taken from the Key Vault.
Executing the PowerShell script:
#Note: This outputs to the C: drive
#If everything worked correctly, you can open up the file and you will see "BitLocker Extension Key Protector".
C:\Scripts\RetreiveEncryptionSecretViaUrl.ps1 -secretUrl https://<<myVault>>.vault.azure.net/secrets/70F ... -secretFilePath C:\BEK\Test
Using the PowerShell script when unlocking an encrypted VM - you'll be following a manual process of creating a Rescue VM, attaching a copy of the encrypted OS disk as a data disk to that rescue VM (during creation), and manually retrieving the BEK to unlock the disk. However, in your specific scenario, prior to manually trying to unlock your VM, you can repair your Windows VM by using the Azure Virtual Machine repair commands.
Unlocking an Encrypted VM with repair commands:
Note:
For VMs using Azure Disk Encryption, only managed disks encrypted with single pass encryption (with or without KEK) are supported.
#If this is the first time you have used the az vm repair commands, add the vm-repair CLI extension.
az extension add -n vm-repair
#If you have previously used the az vm repair commands, apply any updates to the vm-repair extension.
az extension update -n vm-repair
#Run the create command on an encrypted VM.
#This command will create a copy of the OS disk for the non-functional VM, create a repair VM in a new Resource Group, and attach the OS disk copy.
az vm repair create -g MyResourceGroup -n source-vm-name --repair-username username --repair-password 'password!234' --verbose
#If your VM is using Azure Disk Encryption, use --unlock-encrypted-vm to unlock the encrypted disk so that it is accessible when attached to the repair VM.
az vm repair create -g MyResourceGroup -n source-vm-name --repair-username username --repair-password 'password!234' --unlock-encrypted-vm --verbose
#Note: Once the az vm repair create command finishes running, you can log in to the new VM and verify that the disk is already unlocked. See the image below.
#Run az vm repair restore.
#This command will swap the repaired OS disk with the original OS disk of the VM. The Resource Group and VM name used here are for the non-functional VM.
az vm repair restore -g MyResourceGroup -n MyVM --verbose
Verify and enable boot diagnostics as needed.
I hope this helps!
If you're still having issues, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
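The manual BEK path described in the answer above (retrieve the secret by its Key Vault URL, write the .BEK file, unlock the attached disk copy on the rescue VM), as an added example. This is not the GenerateBEKFileForDiskUnlock.ps1 / RetreiveEncryptionSecretViaUrl.ps1 script from the answer and not Microsoft's code; it is a stand-alone illustration that mirrors that script's -secretUrl and -secretFilePath parameters. It assumes (none of this is stated in the post) that the Az.KeyVault module is installed, that you are signed in with get permission on secrets, that the secret value is the base64-encoded .BEK file, and that the secret carries a DiskEncryptionKeyFileName tag naming the protector file; the drive letter F: and the sanity check on the "BitLocker Extension Key Protector" string are illustrative only.

```powershell
<#
Added example: fetch an Azure Disk Encryption BEK secret by URL, write it as a .BEK file,
and optionally unlock the attached disk copy on the rescue VM with manage-bde.
Assumptions (not from the original answer): Az.KeyVault installed and Connect-AzAccount done;
the secret value is the base64-encoded BEK file; tag DiskEncryptionKeyFileName may be present.
#>
[CmdletBinding()]
param(
    # e.g. https://<myVault>.vault.azure.net/secrets/<secretName>/<version>
    [Parameter(Mandatory)][string]$SecretUrl,
    # directory that will receive the .BEK file (kept off the encrypted volume itself)
    [Parameter(Mandatory)][string]$SecretFilePath,
    # optional drive letter of the attached copy of the encrypted OS disk, e.g. 'F:' (assumed)
    [string]$UnlockDrive
)

$ErrorActionPreference = 'Stop'

# Parse the Key Vault secret URL into vault name, secret name and optional version.
$uri = [Uri]$SecretUrl
if ($uri.Scheme -ne 'https' -or $uri.Host -notlike '*.vault.azure.net') {
    throw "Not a Key Vault secret URL: $SecretUrl"
}
$parts = $uri.AbsolutePath.Trim('/') -split '/'
if ($parts.Count -lt 2 -or $parts[0] -ne 'secrets') {
    throw 'Secret URL must look like https://<vault>.vault.azure.net/secrets/<name>[/<version>]'
}
$vaultName  = $uri.Host.Split('.')[0]
$secretName = $parts[1]
$version    = if ($parts.Count -ge 3) { $parts[2] } else { $null }

# Fetch the secret object; SecretValue is a SecureString.
$getArgs = @{ VaultName = $vaultName; Name = $secretName }
if ($version) { $getArgs.Version = $version }
$secret = Get-AzKeyVaultSecret @getArgs
if (-not $secret) { throw "Secret $secretName not found in vault $vaultName" }

# Decode the SecureString and release the unmanaged plaintext copy immediately.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret.SecretValue)
try {
    $base64 = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}
$bekBytes = [Convert]::FromBase64String($base64)
$base64   = $null

# The file name matters: BitLocker matches the external key file to the key protector by name,
# which ADE records in the DiskEncryptionKeyFileName tag (assumed). Fall back to the secret name.
$fileName = if ($secret.Tags -and $secret.Tags['DiskEncryptionKeyFileName']) {
    $secret.Tags['DiskEncryptionKeyFileName']
} else {
    "$secretName.BEK"
}
New-Item -ItemType Directory -Path $SecretFilePath -Force | Out-Null
$bekPath = Join-Path $SecretFilePath $fileName
[IO.File]::WriteAllBytes($bekPath, $bekBytes)

# Loose sanity check based on the answer's observation that the file contains
# "BitLocker Extension Key Protector"; tried as UTF-16LE and as ASCII since the encoding is assumed.
$marker = 'BitLocker Extension Key Protector'
$looksRight = ([Text.Encoding]::Unicode.GetString($bekBytes) -match $marker) -or
              ([Text.Encoding]::ASCII.GetString($bekBytes)   -match $marker)
if (-not $looksRight) {
    Write-Warning "$bekPath does not contain the expected key protector marker; verify the secret"
}
Write-Host "BEK written to $bekPath"

if ($UnlockDrive) {
    # On the rescue VM, the copied OS disk is attached as a data disk; unlock it with the key file.
    & manage-bde.exe -unlock $UnlockDrive -RecoveryKey $bekPath
    if ($LASTEXITCODE -ne 0) { throw "manage-bde failed with exit code $LASTEXITCODE" }
    # The .BEK file is the disk's unlock key: remove it as soon as the volume is unlocked.
    Remove-Item -Path $bekPath -Force
    Write-Host "$UnlockDrive unlocked; key file removed"
}
```

Run it on the rescue VM from an elevated PowerShell session, for example `.\Get-AdeBek.ps1 -SecretUrl https://<myVault>.vault.azure.net/secrets/<secretName>/<version> -SecretFilePath C:\BEK -UnlockDrive F:` (script name, drive letter and secret name assumed). The secret is fetched with your own identity, so the Key Vault access policy or RBAC role needs only secret get permission for this step; keep the .BEK file off shared storage and delete it once the disk is unlocked, since anyone holding that file can unlock the volume.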