While you can enable BitLocker encryption using the Azure Disk Encryption extension, you can also disable it. There are two steps to this: disabling BitLocker at the VM level, then removing the extension.
Azure will prevent you from reversing the order, as the volume(s) must be completely decrypted before the extension can be removed.
The worst that can happen to a VM regarding BitLocker is that the associated secret(s) for the volume(s) are deleted from the Azure Key Vault; these must be available to the VM at start-up for decryption to occur.
At a minimum, I would strongly recommend enabling soft delete on your Azure Key Vault so you can recover from accidental or malicious deletion. The steps below will guide you through removing BitLocker from an Azure VM:
Note: Before proceeding, plan an outage, as removing Azure Disk Encryption requires a system reboot, and make sure you have a backup.
- From PowerShell or Azure Cloud Shell, run the following command to disable Azure Disk Encryption:
Disable-AzVMDiskEncryption -ResourceGroupName 'Servers' -VMName 'MyVM'
- When the VM restarts, log in to the VM and monitor the BitLocker decryption process:
- When BitLocker has finished decrypting all volume(s), run the following command to remove the Azure Disk Encryption extension:
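The two-step procedure above, with the ordering checks the post warns about made explicit, as an added example (this is not code from the original post). It assumes the Az module is installed and you are signed in; the resource group 'Servers' and VM 'MyVM' are the post's values, the vault name is a hypothetical placeholder.

```powershell
# Added example, not from the original post. Assumes Connect-AzAccount has been run.

# --- Run INSIDE the VM after the post-disable reboot: block until every volume is decrypted.
function Wait-BitLockerDecryption {
    param([int]$PollSeconds = 30)
    do {
        $volumes = Get-BitLockerVolume
        foreach ($v in $volumes) {
            # e.g. "C: DecryptionInProgress 37%"
            Write-Host ("{0} {1} {2}%" -f $v.MountPoint, $v.VolumeStatus, $v.EncryptionPercentage)
        }
        $pending = @($volumes | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' })
        if ($pending.Count -gt 0) { Start-Sleep -Seconds $PollSeconds }
    } while ($pending.Count -gt 0)
    Write-Host 'All volumes are fully decrypted; safe to remove the extension.'
}

# --- Run from PowerShell / Cloud Shell: remove the extension only once Azure itself
# reports no encrypted volumes, and warn if the vault holding the secrets has no soft delete.
function Remove-AdeExtensionSafely {
    param(
        [string]$ResourceGroupName = 'Servers',
        [string]$VMName            = 'MyVM',
        [string]$KeyVaultName      = 'my-ade-vault'   # hypothetical placeholder
    )
    # Soft delete is what lets you recover a BitLocker secret deleted by mistake or by an attacker.
    $kv = Get-AzKeyVault -VaultName $KeyVaultName
    if (-not $kv.EnableSoftDelete) {
        Write-Warning "Key Vault $KeyVaultName has soft delete disabled; enable it before continuing."
    }

    $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
    if ($status.OsVolumeEncrypted -eq 'Encrypted' -or $status.DataVolumesEncrypted -eq 'Encrypted') {
        throw ("VM {0} still reports encrypted volumes (OS: {1}, Data: {2}); do not remove the extension yet." `
               -f $VMName, $status.OsVolumeEncrypted, $status.DataVolumesEncrypted)
    }

    # Only reached when decryption is complete, matching the order Azure enforces.
    Remove-AzVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Force
}
```

Run `Disable-AzVMDiskEncryption` first as the post shows, then `Wait-BitLockerDecryption` on the VM, and finally `Remove-AdeExtensionSafely` from the management shell.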