Troubleshooting Windows activation failures on Azure VMs

Azure VMs will activate using the Azure KMS service if all of the following are true: Windows is configured with the appropriate KMS client setup key for that version of Windows. Windows is configured to use the Azure KMS service kms.core.windows.net:1688. VM has network connectivity to kms.core.windows.net:1688. For example, if the guest firewall or Azure network security group (NSG) rule does…


Azure Disk Encryption – How to recover KEK from Azure Key Vault

If you have encrypted the VHD using Azure Disk Encryption with a KEK, use the steps below to unwrap the BEK. Prerequisites: The user running the commands must have the 'unwrap' permission on the keys within Key Vault; use Set-AzureRmKeyVaultAccessPolicy to grant it. Example: Replace the parameters below with your Key Vault and UPN name. $keyVaultName = "KeyVaultName"…


Azure Disk Encryption – How to recover BEK file from Azure Key Vault

In today’s blog, we will demonstrate the behavior of the Azure Disk Encryption extension and how it integrates with Key Vault and the Azure platform to create and read the BEK secrets. It will also describe how you can recover the BEK file from the Key Vault in a scenario where you need to recover the data…


Microsoft Azure: How to execute a synchronous Azure PowerShell cmdlet multiple times at once, using a single PowerShell session

Overview: Microsoft Azure customers often need to create multiple resources of the same type, and they want these resources created as quickly as possible in a scripted solution. Many of the Azure PowerShell cmdlets are synchronous in nature, where the cmdlet will not return until provisioning is complete. Synchronous operations…


Cross-subscription circuit links that cross the ARM/classic boundary

(contributed by Michael Jolley) While enabling an ARM circuit for use with classic deployments is fairly straightforward on its own, it can be confusing to do so as part of creating cross-subscription circuit links with classic deployments. To do the circuit links, you have to switch between ARM and classic mode while simultaneously switching subscriptions….


VM stuck in “Updating” when NSG rule restricts outbound internet connectivity

An Azure VM may experience the following symptoms if you have a network security group (NSG) rule configured to deny outbound internet connectivity: When you create a new VM the status remains on Updating. When you update a VM agent extension on an existing VM, the VM status remains on Updating. When you update a…


Sending E-mail from Azure Compute Resource to External Domains

Sending outbound e-mail to external domains (such as outlook.com, gmail.com, etc.) directly from an e-mail server hosted in Azure compute services is not supported due to the elastic nature of public cloud service IPs and the potential for abuse. As such, the Azure compute IP address blocks are added to public block lists (such as…


Impact of Cisco March 2016 Vulnerabilities on Azure

Microsoft evaluates the security of its infrastructure on an ongoing basis and part of this evaluation includes working with our vendors, the open source community and internal test labs to identify and mitigate critical security issues. On March 2nd, Cisco released its bi-annual security bulletin which included advisories affecting equipment used by many Cloud Service…


Azure networking – Public IP addresses in Classic vs ARM

This post was contributed by Stefano Gagliardi, Pedro Perez, Telma Oliveira, and Leonid Gagarin. As you know, we recently introduced the Azure Resource Manager deployment model as an enhancement of the previous Classic deployment model. For more details on both models, see https://azure.microsoft.com/en-us/documentation/articles/resource-manager-deployment-model/. There are important differences between the two models on several aspects spanning…
