Enable Soft-Deletion/Purge on a Key vault

To enable via Azure CLI:

az keyvault update --name MyVault --resource-group Test --enable-purge-protection true

Via Azure Portal:

  1. Select the Key vault > Properties blade
  2. Set Soft-delete to [Enabled], define the retention period (default is 90 days), and set Purge protection to [Enabled]

Removing a Key vault via PowerShell:

  • If soft-deletion/purge protection hasn't been enabled, the Key vault and all of its secrets/keys cannot be restored!
  • If soft-deletion/purge protection is enabled, the entire vault can be restored within the defined retention period (default is 90 days)

Remove-AzKeyVault -VaultName 'MyVault'

Restoring a deleted Key vault via PowerShell:

Note: When a deleted Key vault is restored, all secrets/keys that existed at the time of deletion are also restored, including access policies.

  1. List the deleted Key vaults:

Get-AzKeyVault -InRemovedState

  2. Restore the deleted Key vault:

Undo-AzKeyVaultRemoval -VaultName 'MyVault' -ResourceGroupName 'Test' -Location 'eastus'

  3. Confirm the restore:

Get-AzKeyVault -VaultName MyVault

Deleting a Key vault (with purge protection enabled):

Enabling purge protection is irreversible; a deleted vault is retained and is purged only when its scheduled purge date is reached.
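As an added example (not part of the original note), the following PowerShell script audits every Key vault in the current subscription for the soft-delete and purge-protection settings described above and can turn purge protection on where it is missing. The `-Remediate` switch is a hypothetical name chosen here; the script assumes the Az.KeyVault module is installed and a Connect-AzAccount session already exists.

```powershell
# Added example, not part of the original note: audit every Key vault in the
# current subscription for soft-delete and purge protection, and optionally
# turn purge protection on where it is missing. Assumes the Az.KeyVault module
# is installed and Connect-AzAccount has already been run.
param(
    [switch]$Remediate   # hypothetical switch: enable purge protection where missing
)

$report = foreach ($item in Get-AzKeyVault) {
    # The list call returns summary objects; fetch the full vault properties.
    $kv = Get-AzKeyVault -VaultName $item.VaultName -ResourceGroupName $item.ResourceGroupName

    $softDelete = [bool]$kv.EnableSoftDelete
    $purge      = [bool]$kv.EnablePurgeProtection

    if ((-not $purge) -and $Remediate) {
        # Irreversible: once enabled, purge protection cannot be turned off again.
        Update-AzKeyVault -VaultName $kv.VaultName `
                          -ResourceGroupName $kv.ResourceGroupName `
                          -EnablePurgeProtection | Out-Null
        $purge = $true
    }

    # Classify: no soft-delete means a deleted vault is gone for good; soft-delete
    # without purge protection means a principal with purge rights can still
    # destroy it inside the retention window.
    if (-not $softDelete)  { $risk = 'HIGH: unrecoverable on delete' }
    elseif (-not $purge)   { $risk = 'MEDIUM: purgeable within retention' }
    else                   { $risk = 'OK' }

    [pscustomobject]@{
        VaultName       = $kv.VaultName
        ResourceGroup   = $kv.ResourceGroupName
        SoftDelete      = $softDelete
        RetentionDays   = $kv.SoftDeleteRetentionInDays
        PurgeProtection = $purge
        Risk            = $risk
    }
}

$report | Sort-Object Risk | Format-Table -AutoSize
```

Because enabling purge protection cannot be undone, run the script without `-Remediate` first and review the report before applying the change.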

Disabling BitLocker:

  1. From PowerShell or Azure Cloud Shell, run:

Disable-AzVMDiskEncryption -ResourceGroupName 'Servers' -VMName 'test1'

  2. If the above fails, uninstall the 'AzureDiskEncryption' extension. If uninstalling the extension is delayed or fails, retry.
  3. Re-run the Disable-AzVMDiskEncryption command, which will reboot the VM.
  4. On the VM, run the following command to monitor the BitLocker decryption process:

manage-bde -status
