1
00:00:01,140 --> 00:00:06,220
Now Azure Disk Encryption for Windows Server VMs in Azure is

2
00:00:06,220 --> 00:00:08,940
basically an Azure‑hosted BitLocker solution.

3
00:00:08,940 --> 00:00:09,360
Now,

4
00:00:09,360 --> 00:00:12,190
what do you need to know about this from a troubleshooting

5
00:00:12,190 --> 00:00:16,020
lens and for success on your AZ‑801 exam?

6
00:00:16,020 --> 00:00:19,560
Well, number one, ADE isn't available for Azure VM sizes.

7
00:00:19,560 --> 00:00:22,290
I mentioned in the previous module the importance of

8
00:00:22,290 --> 00:00:25,270
staying on top of not only the Azure docs,

9
00:00:25,270 --> 00:00:29,200
but also what Microsoft calls ACOM, or azure.com.

10
00:00:29,200 --> 00:00:32,180
I also call those the marketing pages.

11
00:00:32,180 --> 00:00:35,570
This is where you can look up pricing and see what

12
00:00:35,570 --> 00:00:38,840
availability is there for each of those VM sizes.

13
00:00:38,840 --> 00:00:43,310
And frankly, again, to repeat for review what I said in the previous module,

14
00:00:43,310 --> 00:00:48,140
not every Azure service or feature may be available in all regions as well.

15
00:00:48,140 --> 00:00:51,040
You should know that, as of this recording in summer 2022,

16
00:00:51,040 --> 00:00:56,510
ADE supports only Generation 1 and not Generation 2 VHDs.

17
00:00:56,510 --> 00:00:59,050
If you're doing hybrid administration,

18
00:00:59,050 --> 00:01:03,420
particularly if you're joining your Windows Server Azure VMs to an

19
00:01:03,420 --> 00:01:05,890
on‑premises Active Directory domain through,

20
00:01:05,890 --> 00:01:09,720
say, an ExpressRoute circuit or a site‑to‑site VPN, please,

21
00:01:09,720 --> 00:01:10,330
please, please,

22
00:01:10,330 --> 00:01:16,740
be careful not to push Group Policy Objects that enforce BitLocker protectors,

23
00:01:16,740 --> 00:01:21,540
particularly the Trusted Platform Module, or TPM. Why?

24
00:01:21,540 --> 00:01:25,050
Well, you might know, if you've ever implemented Azure Disk Encryption,

25
00:01:25,050 --> 00:01:29,050
you're storing that encryption key in Azure Key Vault. And there's

26
00:01:29,050 --> 00:01:33,130
actually another layer of abstraction, the, well, it's changed its name.

27
00:01:33,130 --> 00:01:36,460
I'll show you in the demo; I can't remember what the new name is off the

28
00:01:36,460 --> 00:01:38,800
top of my head. Microsoft, as you know,

29
00:01:38,800 --> 00:01:43,050
especially in Azure, tends to change these product names pretty regularly, but

30
00:01:43,050 --> 00:01:49,350
the bottom line is, make sure that you leave Azure to control the state of volume

31
00:01:49,350 --> 00:01:53,140
encryption in those Azure VMs. Very important.

32
00:01:53,140 --> 00:01:55,550
And then lastly, from a firewall standpoint,

33
00:01:55,550 --> 00:01:58,500
those Azure VMs need to be able to reach the Azure

34
00:01:58,500 --> 00:02:03,710
virtual IP, or wire server, 168.63.129.16.

35
00:02:03,710 --> 00:02:06,780
That shouldn't be a problem because it's through that virtual

36
00:02:06,780 --> 00:02:10,310
IP that your Azure VMs do their agent heartbeat and a whole

37
00:02:10,310 --> 00:02:12,200
bunch of other network services.

38
00:02:12,200 --> 00:02:16,590
But if, for whatever reason, the Azure VMs can't get to the wire server

39
00:02:16,590 --> 00:02:21,700
endpoint, that's a big problem here for disk encryption and VM access.

40
00:02:21,700 --> 00:02:25,830
Also, you'll need the VM to be able to reach the Instance Metadata

41
00:02:25,830 --> 00:02:32,110
Service endpoint. This is a mechanism that allows the VM to gain access

42
00:02:32,110 --> 00:02:33,750
tokens on its own behalf.

43
00:02:33,750 --> 00:02:37,900
You know how in Azure AD we have the system‑assigned managed

44
00:02:37,900 --> 00:02:41,540
identities and user‑assigned managed identities?

45
00:02:41,540 --> 00:02:49,000
Now, that's a link‑local IPv4 address. Access shouldn't be a problem, but just for completeness, I want to mention that here.