Exercise - Use a Resource Manager template to decrypt the VM
In this unit, you'll use an Azure Resource Manager template to decrypt the Windows VM you created earlier. We encrypted the OS drive on our Windows VM. However, the OS drive won't have any confidential information on it, so we could leave it unencrypted. Let's use a template to decrypt the OS drive.
Decrypt a VM using an Azure Resource Manager template
You're going to use a template that Microsoft published on GitHub that's specifically designed to decrypt a running Windows VM.
Sign in to the Azure portal with the same account you used to activate the sandbox.
On the Azure portal menu or from the Home page, select Create a resource.
In the search box, enter Template deployment.
From the resulting list, select Template deployment (deploy using custom templates). The Template deployment (deploy using custom templates) pane appears.
Select Create. The Custom deployment pane appears.
On the Select a template tab, enter the following values for each setting.
Setting: Value
Start with a quickstart template or template spec
  Template source: Quickstart template
  Quickstart template (disclaimer): Select the field, then enter decrypt-running-windows-vm-without-aad and select the decrypt-running-windows-vm-without-aad template
To launch the template runner, select Select template. The Disable encryption on Windows VM encrypted without AAD pane appears.
On the Basics tab, enter the following values for each setting.
Setting: Value
Project details
  Subscription: Concierge Subscription
  Resource group: Select sandbox resource group Sandbox RG. This autoselects the region as well.
Instance details
  Region: Autoselected from Resource group selection
  Vm Name: Enter fmdata-vm01
  Volume Type: Accept default All
  Force Update Tag: Accept default
  Location: Accept default
Select Review + create.
After validation passes, select Create.
The deployment may take a few minutes to complete.
Verify the encryption status of the VM
In Cloud Shell, check the encryption status.
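# VM created earlier and the sandbox resource group that contains it
$vmName = "fmdata-vm01"
$rgName = "[sandbox Resource Group]"
# Query the current Azure Disk Encryption status of the VM
Get-AzVmDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName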
Now, the OS disk isn't encrypted.
OsVolumeEncrypted : NotEncrypted
DataVolumesEncrypted : NoDiskFound
OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings
ProgressMessage : [2.2.0.36] Disable Encryption completed successfully
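Because the deployment may take a few minutes, a single status query can run before decryption finishes. The following added example (not part of the original exercise or Microsoft's template) polls the status until both volume fields report a decrypted state or a timeout expires. Test-VmDecrypted and Wait-VmDecrypted are hypothetical helper names, and the status objects used for the offline check are constructed.

```powershell
# Added example: Test-VmDecrypted and Wait-VmDecrypted are hypothetical helpers.
function Test-VmDecrypted {
    param([Parameter(Mandatory)] $Status)
    # A volume counts as decrypted when it reports NotEncrypted, or when no
    # such disk exists (NoDiskFound), as for the data volumes in this exercise.
    $ok = @('NotEncrypted', 'NoDiskFound')
    return ("$($Status.OsVolumeEncrypted)" -in $ok) -and
           ("$($Status.DataVolumesEncrypted)" -in $ok)
}

function Wait-VmDecrypted {
    param(
        [Parameter(Mandatory)] [scriptblock] $GetStatus,  # returns a status object
        [int] $TimeoutSeconds = 600,
        [int] $PollSeconds = 15
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $status = & $GetStatus
        if (Test-VmDecrypted -Status $status) { return $status }
        Write-Host "OS=$($status.OsVolumeEncrypted) Data=$($status.DataVolumesEncrypted); waiting..."
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    # Fail loudly so a script does not continue on a wrong assumption.
    throw "VM still reports encrypted volumes after $TimeoutSeconds seconds."
}

# Offline check with constructed status objects (not real cmdlet output):
# the first poll still shows an encrypted OS volume, the second shows it decrypted.
$constructed = @(
    [pscustomobject]@{ OsVolumeEncrypted = 'Encrypted';    DataVolumesEncrypted = 'NoDiskFound' },
    [pscustomobject]@{ OsVolumeEncrypted = 'NotEncrypted'; DataVolumesEncrypted = 'NoDiskFound' }
)
$script:i = 0
$final = Wait-VmDecrypted -PollSeconds 0 -GetStatus { $constructed[$script:i++] }
$final.OsVolumeEncrypted

# Against the VM from this exercise (requires the Az module, as in Cloud Shell):
# Wait-VmDecrypted -GetStatus {
#     Get-AzVmDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName
# }
```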