1
00:00:00,840 --> 00:00:05,540
Now let's consider troubleshooting Azure VM disk encryption issues.

2
00:00:05,540 --> 00:00:09,190
Before we get into BitLocker and Azure disk encryption though,

3
00:00:09,190 --> 00:00:13,280
let's take a brief look at the Azure Virtual Machine storage subsystem.

4
00:00:13,280 --> 00:00:13,820
First of all,

5
00:00:13,820 --> 00:00:19,630
I want to make sure that you're using managed disks and not unmanaged disks.

6
00:00:19,630 --> 00:00:22,540
In other words, you're VHDs, or virtual hard disks,

7
00:00:22,540 --> 00:00:26,670
that comprise the OS and data disks of your Azure VMs should

8
00:00:26,670 --> 00:00:30,050
not be in the blob service of a storage account, but instead

9
00:00:30,050 --> 00:00:32,850
in the disk's service. Number two,

10
00:00:32,850 --> 00:00:37,930
you may find that you run into issues when performing operations or attempting

11
00:00:37,930 --> 00:00:43,630
to perform operations on those managed disks. Nine times out of 10, that's

12
00:00:43,630 --> 00:00:48,150
normally a lease or a lock issue that's happening where Azure has the disk

13
00:00:48,150 --> 00:00:54,040
locked for exclusive access. If you or a colleague attempts an export, export

14
00:00:54,040 --> 00:00:59,670
is basically where you're downloading a copy of the VHD, until that SAS

15
00:00:59,670 --> 00:01:04,890
expires, that VHD is going to be locked and inaccessible. You won't be able to

16
00:01:04,890 --> 00:01:06,530
delete it, for example.

17
00:01:06,530 --> 00:01:10,330
Also, the run state of the VM is very important. When you're implementing

18
00:01:10,330 --> 00:01:14,180
Azure disk encryption, the VM has to be powered on and the disk has to be

19
00:01:14,180 --> 00:01:18,130
attached. When you're doing server‑side encryption, that's the built‑in,

20
00:01:18,130 --> 00:01:22,460
at‑rest encryption that Microsoft provides in their data centers, and you

21
00:01:22,460 --> 00:01:27,310
want to go, say, from using Microsoft‑managed keys to customer‑managed keys,

22
00:01:27,310 --> 00:01:28,680
there it's just the opposite.

23
00:01:28,680 --> 00:01:38,000
You need to stop and de‑allocate the virtual machine and release all locks on the VHD in order to change the SSC setting.