Can you change/define the BEK volume?

  • Question

  • Currently, when an OS is encrypted, the BEK drive in Windows will automagically deploy with the next available drive letter. Is it possible to control the drive letter? Currently I have clients who do multi-pass provisioning: they deploy a server, then use a tool like Ansible to make application updates to the base. This means there's a risk that the BEK volume will occupy a desired drive letter. Is it possible to update the drive letter safely?
    Saturday, February 16, 2019 5:04 AM

All replies

  • Hello Justin,

    "Bek volume" for Windows is a local data volume that securely stores the encryption keys for Encrypted Azure IaaS VMs.

    Note: We recommend that you do not delete or edit any contents of this disk. Do not unmount or edit the disk, since the encryption key's presence is needed for any encryption operations on the IaaS VM.

    If the disk is encrypted, you need this key to boot up your VM. During VM startup, the BEK is needed to decrypt the OS disk. Kindly let us know if you need any further assistance on this.


    Sunday, February 17, 2019 8:08 AM
    Moderator
  • @Justin, Just checking in to see if the above answer helped. If this answers your query, do click “Mark as Answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
    Wednesday, February 27, 2019 9:56 AM
    Moderator
  • Hi,

    Let me highlight the question:

     Is it possible to control the drive letter for BEK volume?

    A simple yes/no is considered as an answer. Not some technical description about the BEK volume.

    Tuesday, June 18, 2019 7:41 AM
  • Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.

    Is it possible to control the drive letter for BEK volume?  Yes

    Kindly let us know if the above helps or you need further assistance on this issue.

    ------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" and “upvote” on the post that helps you, this can be beneficial to other community members.


     

    Wednesday, July 17, 2019 5:00 PM
    Moderator
  • Hi,

    We currently have a support case with Microsoft in regards to the Azure BEK volume's letter being allocated randomly. Could you provide details or link to the documentation which allows you to specify the drive letter?

    I understand you're trying to help as many people as possible, but YASWANTHM's reply is an off-topic definition of a BEK volume and yours was the word "Yes".

    This thread and the one below are the top two resources when searching for the terms: "azure bek volume drive letter specify". Neither of them has any useful information so far.

    https://feedback.azure.com/forums/216843-virtual-machines/suggestions/31917856-encrypting-windows-vms-add-the-ability-to-set-a

    Thanks

    Friday, July 19, 2019 2:12 PM
  • Thanks for raising this question! Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused. Kindly try the following steps to isolate the issue:  

    This is highly recommended to test out on a TestVM first.

    Go to:

    -Disk Management

    -Right click the drive

    -Select "Change Drive Letters and Paths" 

    -Update the drive letter

    -Restart the VM and make sure it's operational

     

    In my scenario, I restarted my testVM and the BEK volume kept the drive letter. However, the BEK volume typically will be assigned the next available drive letter; if this happens, just change the BEK volume back to the designated drive letter.

     

    Lastly, this isn't recommended, since the BEK volume holds the VM's encryption settings, and if this volume is compromised in any way this could cause a loss of the VM or a non-boot issue.

    I just stopped/deallocated my VM and the BEK volume went back to E.

    Kindly let us know if the above helps or you need further assistance on this issue.

    ------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" and “upvote” on the post that helps you, this can be beneficial to other community members

    Wednesday, July 24, 2019 5:39 AM
    Moderator
  • Just checking in to see if the above answer helped. If this answers your query, do click “Mark as Answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
    Tuesday, July 30, 2019 10:02 AM
    Moderator
  • Is there any update on the issue?

    If the suggested answer helped for your issue, do click on "Mark as Answer" and “Vote as Helpful” on the post that helps you, this can be beneficial to other community members
    Wednesday, July 31, 2019 5:06 AM
    Moderator
  • Thank you for the comprehensive reply. However, this response doesn't allow us to specify the BEK volume safely at startup (as requested by the original poster).

    "However, the BEK volume typically will be assigned the next available drive letter; if this happens, just change the BEK volume back to the designated drive letter."

    The solution presented isn't feasible, as it's just restarting the VM and hoping the BEK volume and other drive letters are assigned correctly. We can't have a portion of our machines restarting/deallocating repeatedly until the drives happen to be configured as we want.

    Monday, August 12, 2019 11:11 AM
  • Hi Yaswanthm,

    All of the VM's drives are monitored by SCOM, so I get a "no free space" alert from the "Bek Volume" drive.

    How can I control this?

    Can I remove the drive letter but not delete it? Suppose I remove that letter; would any issue arise?

    Sunday, August 25, 2019 12:35 PM
  • I suggest you block D and E for Temporary storage and BEK respectively for all Azure VMs to have a consistent environment and exclude these two from SCOM monitoring.
    Thursday, September 5, 2019 1:25 PM
  • I would not touch the BEK volume, it's not recommended by MS. You can go for any of the following options - 

    1. Define a standard in your environment to block the required drive letters for Azure system, such as C:\ - OS, D:\ - Temporary Storage, E:\ - BEK etc. Then use next available drive letters to host application or DB via Ansible automation.

    2. If you really need E:\ to be used for application/DB, create the drives post VM build via Ansible automation before applying disk encryption.

    I would prefer the first option as the 2nd one would make your environment inconsistent having different BEK volume letters on different VMs.

    • Proposed as answer by Rohan Islam Thursday, September 5, 2019 1:33 PM
    Thursday, September 5, 2019 1:32 PM
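
A read-only pre-flight check for the reserved-letter standard proposed in the answer above, added here as an example and not part of the original thread. The "Bek Volume" label, the `$Wanted` letters and the function names are assumptions; it reports conflicts before automation assigns data-disk letters and changes nothing on the BEK volume.

```powershell
# Added example (not from the thread). Read-only: it changes no drive letters.
# Assumptions: the BEK volume's label is "Bek Volume"; $Reserved and $Wanted
# describe a hypothetical site standard like the one proposed above.
$Reserved = [ordered]@{ C = 'OS'; D = 'Temporary Storage'; E = 'BEK' }
$Wanted   = @('F', 'G')   # letters the application automation plans to assign

function Get-LetteredVolume {
    # All volumes that currently hold a drive letter.
    Get-Volume | Where-Object { "$($_.DriveLetter)" -match '^[A-Za-z]$' }
}

function Test-DriveLetterPlan {
    param(
        [object[]]$Volumes,                        # objects with DriveLetter, FileSystemLabel
        [System.Collections.IDictionary]$Reserved, # letter -> purpose
        [string[]]$Wanted
    )
    $findings = @()
    $bekSlot  = ($Reserved.GetEnumerator() | Where-Object { $_.Value -eq 'BEK' }).Key
    $bek      = $Volumes | Where-Object { $_.FileSystemLabel -eq 'Bek Volume' } | Select-Object -First 1

    if (-not $bek) {
        $findings += 'No lettered BEK volume found (VM not encrypted yet, or letter removed).'
    } elseif ("$($bek.DriveLetter)" -ne $bekSlot) {
        $findings += "BEK volume is on $($bek.DriveLetter): but the standard reserves ${bekSlot}: for it."
    }
    foreach ($letter in $Wanted) {
        if ($Reserved.Contains($letter)) {
            $findings += "${letter}: is reserved for $($Reserved[$letter]); pick another letter."
        }
        $holder = $Volumes | Where-Object { "$($_.DriveLetter)" -eq $letter } | Select-Object -First 1
        if ($holder) {
            $findings += "${letter}: is already held by volume '$($holder.FileSystemLabel)'."
        }
    }
    return $findings
}

$findings = @(Test-DriveLetterPlan -Volumes @(Get-LetteredVolume) -Reserved $Reserved -Wanted $Wanted)
$findings | ForEach-Object { Write-Warning $_ }
if ($findings.Count -gt 0) { exit 1 }   # non-zero exit lets the calling automation stop
```
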
  • Thankfully the IaaS team have fixed this now.

    https://feedback.azure.com/forums/216843-virtual-machines/suggestions/31917856-encrypting-windows-vms-add-the-ability-to-set-a

    Wednesday, October 9, 2019 9:27 AM