mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 10:23:37 +00:00
updates
@ -1,49 +1,42 @@
|
||||
---
|
||||
title: BitLocker deployment comparison
|
||||
description: This article shows the BitLocker deployment comparison chart.
|
||||
description: Learn about the differences between Microsoft Intune and Microsoft Configuration Manager when managing BitLocker.
|
||||
ms.topic: conceptual
|
||||
ms.date: 11/08/2022
|
||||
ms.date: 10/02/2023
|
||||
---
|
||||
|
||||
# BitLocker deployment comparison
|
||||
|
||||
This article depicts the BitLocker deployment comparison chart.
|
||||
This article compares the BitLocker management options between Microsoft Intune and Microsoft Configuration Manager.
|
||||
|
||||
## BitLocker deployment comparison chart
|
||||
|
||||
| Requirements | Microsoft Intune | Microsoft Configuration Manager | Microsoft BitLocker Administration and Monitoring (MBAM) |
|
||||
|--|--|--|--|
|
||||
| *Minimum client operating system version* | Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 10 IoT, and Windows 11 |
|
||||
| *Supported Windows SKUs* | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise |
|
||||
| *Minimum Windows version* | 1909 | None | None |
|
||||
| *Supported domain-joined status* | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory-joined, hybrid Azure AD joined | Active Directory-joined |
|
||||
| *Permissions required to manage policies* | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access |
|
||||
| *Cloud or on premises* | Cloud | On premises | On premises |
|
||||
| Server components required? | | ✅ | ✅ |
|
||||
| *Additional agent required?* | No (device enrollment only) | Configuration Manager client | MBAM client |
|
||||
| *Administrative plane* | Microsoft Intune admin center | Configuration Manager console | Group Policy Management Console and MBAM sites |
|
||||
| *Administrative portal installation required* | | ✅ | ✅ |
|
||||
| *Compliance reporting capabilities* | ✅ | ✅ | ✅ |
|
||||
| *Force encryption* | ✅ | ✅ | ✅ |
|
||||
| *Encryption for storage cards (mobile)* | ✅ | ✅ | |
|
||||
| *Allow recovery password* | ✅ | ✅ | ✅ |
|
||||
| *Manage startup authentication* | ✅ | ✅ | ✅ |
|
||||
| *Select cipher strength and algorithms for fixed drives* | ✅ | ✅ | ✅ |
|
||||
| *Select cipher strength and algorithms for removable drives* | ✅ | ✅ | ✅ |
|
||||
| *Select cipher strength and algorithms for operating environment drives* | ✅ | ✅ | ✅ |
|
||||
| *Standard recovery password storage location* | Azure AD or Active Directory | Configuration Manager site database | MBAM database |
|
||||
| *Store recovery password for operating system and fixed drives to Azure AD or Active Directory* | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) |
|
||||
| *Customize preboot message and recovery link* | ✅ | ✅ | ✅ |
|
||||
| *Allow/deny key file creation* | ✅ | ✅ | ✅ |
|
||||
| *Deny Write permission to unprotected drives* | ✅ | ✅ | ✅ |
|
||||
| *Can be administered outside company network* | ✅ | ✅ | |
|
||||
| *Support for organization unique IDs* | | ✅ | ✅ |
|
||||
| *Self-service recovery* | Yes (through Azure AD or Company Portal app) | ✅ | ✅ |
|
||||
| *Recovery password rotation for fixed and operating environment drives* | Yes (Windows 10, version 1909 and later) | ✅ | ✅ |
|
||||
| *Wait to complete encryption until recovery information is backed up to Azure AD* | ✅ | | |
|
||||
| *Wait to complete encryption until recovery information is backed up to Active Directory* | | ✅ | ✅ |
|
||||
| *Allow or deny Data Recovery Agent* | ✅ | ✅ | ✅ |
|
||||
| *Unlock a volume using certificate with custom object identifier* | | ✅ | ✅ |
|
||||
| *Prevent memory overwrite on restart* | | ✅ | ✅ |
|
||||
| *Configure custom Trusted Platform Module Platform Configuration Register profiles* | | | ✅ |
|
||||
| *Manage auto-unlock functionality* | | ✅ | ✅ |
|
||||
| Requirements | Microsoft Intune | Microsoft Configuration Manager |
|
||||
|--|--|--|
|
||||
| *Supported Windows client editions* | Pro, Enterprise, Pro Education, Education | Pro, Enterprise, Pro Education, Education |
|
||||
| *Windows server support* | | ✅ |
|
||||
| *Supported domain-joined status* | Microsoft Entra joined and hybrid joined | Active Directory-joined, Microsoft Entra hybrid joined |
|
||||
| *Permissions required to manage policies* | Endpoint security manager or custom | Full administrator or custom |
|
||||
| *Cloud or on premises* | Cloud | On premises |
|
||||
| *Additional agent required?* | No (device enrollment only) | Configuration Manager client |
|
||||
| *Administrative plane* | Microsoft Intune admin center | Configuration Manager console |
|
||||
| *Compliance reporting capabilities* | ✅ | ✅ |
|
||||
| *Force encryption* | ✅ | ✅ |
|
||||
| *Allow recovery password* | ✅ | ✅ |
|
||||
| *Manage startup authentication* | ✅ | ✅ |
|
||||
| *Select cipher strength and algorithms for fixed drives* | ✅ | ✅ |
|
||||
| *Select cipher strength and algorithms for removable drives* | ✅ | ✅ |
|
||||
| *Select cipher strength and algorithms for operating environment drives* | ✅ | ✅ |
|
||||
| *Standard recovery password storage location* | Microsoft Entra ID or Active Directory | Configuration Manager site database |
|
||||
| *Store recovery password for operating system and fixed drives to Microsoft Entra ID or Active Directory* | Both | Active Directory only |
|
||||
| *Customize preboot message and recovery link* | ✅ | ✅ |
|
||||
| *Allow/deny key file creation* | ✅ | ✅ |
|
||||
| *Deny Write permission to unprotected drives* | ✅ | ✅ |
|
||||
| *Can be administered outside company network* | ✅ | ✅ |
|
||||
| *Support for organization unique IDs* | ✅ | ✅ |
|
||||
| *Self-service recovery* | ✅ | ✅ |
|
||||
| *Recovery password rotation for fixed and operating environment drives* | ✅ | ✅ |
|
||||
| *Wait to complete encryption until recovery information is backed up to Microsoft Entra ID* | ✅ | |
|
||||
| *Wait to complete encryption until recovery information is backed up to Active Directory* | ✅ | ✅ |
|
||||
| *Allow or deny Data Recovery Agent* | ✅ | |
|
||||
| *Unlock a volume using certificate with custom object identifier* | | ✅ |
|
||||
| *Prevent memory overwrite on restart* | ✅ | ✅ |
|
||||
| *Manage auto-unlock functionality* | ✅ | ✅ |
|
||||
|
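Review bot: several capability cells flip between the old and the replacement table without any explanation in the commit message, and one looks like a column slip: *Allow or deny Data Recovery Agent* goes from ✅ in all three columns to ✅ for Intune and blank for Configuration Manager, while *Support for organization unique IDs*, *Wait to complete encryption until recovery information is backed up to Active Directory*, *Prevent memory overwrite on restart* and *Manage auto-unlock functionality* all change from blank to ✅ for Intune. Each of these cells is what a reader uses to choose a management tool, so either confirm them or keep the previous values; the Data Recovery Agent row in particular needs confirming, since Configuration Manager previously advertised it. Dropping the MBAM column and the *Minimum Windows version* row fits the new article description, but a one-line statement that MBAM is no longer covered would help readers arriving from older links.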
@ -4,29 +4,25 @@ description: Learn how to recover BitLocker keys from Microsoft Entra ID and Act
|
||||
ms.collection:
|
||||
- highpri
|
||||
- tier1
|
||||
ms.topic: howto
|
||||
ms.topic: how-to
|
||||
ms.date: 09/29/2023
|
||||
---
|
||||
|
||||
# BitLocker recovery guide
|
||||
|
||||
Organizations can use BitLocker recovery information saved in Microsoft Entra ID and Active Directory Domain Services (AD DS) to access BitLocker-protected drives. It's recommended to create a recovery model for BitLocker while planning for BitLocker deployment.
|
||||
|
||||
This article describes how to recover BitLocker keys from Microsoft Entra ID and Active Directory Domain Services (AD DS).
|
||||
|
||||
Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while planning for BitLocker deployment.
|
||||
|
||||
This article assumes that it's understood how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS.
|
||||
|
||||
This article doesn't detail how to configure AD DS to store the BitLocker recovery information.
|
||||
This article assumes that it's understood how to configure devices to automatically backup BitLocker recovery information, and what types of recovery information are saved to Microsoft Entra ID and AD DS.
|
||||
|
||||
## What is BitLocker recovery?
|
||||
|
||||
BitLocker recovery is the process by which access can be restored to a BitLocker-protected drive if the drive can't be unlocked normally. In a recovery scenario, the following options to restore access to the drive are available:
|
||||
BitLocker recovery is the process by which access to a BitLocker-protected drive can be restored if the drive can't be unlocked normally. In a recovery scenario, the following options to restore access to the drive are available:
|
||||
|
||||
- **The user can supply the recovery password.** If the organization allows users to print or store recovery passwords, the users can enter in the 48-digit recovery password that they printed or stored on a USB drive or with a Microsoft account online. Saving a recovery password with a Microsoft account online is only allowed when BitLocker is used on a PC that isn't a member of a domain.
|
||||
|
||||
- **Data recovery agents can use their credentials to unlock the drive.** If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it.
|
||||
|
||||
- **A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive.** Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in an organization if needed. This method makes it mandatory to enable this recovery method in the BitLocker group policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker policy settings](policy-settings.md).
|
||||
- **The user can supply the recovery password**: if the organization allows users to print or store recovery passwords, the users can enter the 48-digit recovery password
|
||||
- **Data recovery agents can use their credentials to unlock the drive:** if the drive is an operating system drive, the drive must be mounted as a data drive on another device for the data recovery agent to unlock it
|
||||
- **A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive:** storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in an organization if needed. This method requires to enable the recovery method **Choose how BitLocker-protected operating system drives can be recovered**. For more information, review [BitLocker policy settings](policy-settings.md).
|
||||
|
||||
### What causes BitLocker recovery?
|
||||
|
||||
|
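Review bot: the rewritten third bullet, "This method requires to enable the recovery method **Choose how BitLocker-protected operating system drives can be recovered**", is ungrammatical and calls a policy setting a "recovery method"; suggest "This method requires enabling the policy setting **Choose how BitLocker-protected operating system drives can be recovered**". The rewrite also drops two facts from the old first bullet: where the 48-digit password may have been kept (printed, on a USB drive, or with a Microsoft account online) and that saving it to a Microsoft account is only possible on devices that aren't domain members. The second is worth keeping, since it explains why domain-joined devices depend on the AD DS or Microsoft Entra ID backup.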
@ -1,26 +1,17 @@
|
||||
---
|
||||
title: BitLocker countermeasures
|
||||
description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Anti-malware (ELAM) to protect against attacks on the BitLocker encryption key.
|
||||
description: Learn about technologies and features to protect against attacks on the BitLocker encryption key.
|
||||
ms.topic: conceptual
|
||||
ms.date: 11/08/2022
|
||||
ms.date: 10/02/2023
|
||||
---
|
||||
|
||||
# BitLocker countermeasures
|
||||
|
||||
Windows uses technologies including *trusted platform module (TPM)*, *Secure Boot*, and *Measured Boot* to help protect BitLocker encryption keys against attacks. BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology. Data on a lost or stolen device is vulnerable. For example, there could be unauthorized access, either by running a software attack tool against the device or by transferring the device's hard disk to a different device.
|
||||
|
||||
BitLocker helps mitigate unauthorized data access on lost or stolen devices before the authorized operating system is started. This mitigation is done by:
|
||||
|
||||
- **Encrypting volumes.** For example, BitLocker can be turned on for the operating system volume, a volume on a fixed drive, or removable data drive (such as a USB flash drive, SD card, etc.). Turning on BitLocker for the operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed.
|
||||
- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer's BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that use TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability.
|
||||
|
||||
The next sections provide more details about how Windows protects against various attacks on the BitLocker encryption keys in Windows 11, Windows 10, Windows 8.1, and Windows 8.
|
||||
|
||||
For more information about how to enable the best overall security configuration for devices beginning with Windows 10 version 1803, see [Standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure).
|
||||
Windows uses hardware solutions and security features that protect BitLocker encryption keys against attacks. These technologies include *Trusted Platform Module (TPM)*, *Secure Boot*, and *Measured Boot*.
|
||||
|
||||
## Protection before startup
|
||||
|
||||
Before Windows starts, security features implemented as part of the device hardware and firmware must be relied on, including TPM and secure boot. These features help ensure that the device hasn't been tampered with while the system was offline. The following sections provide more details about how Windows uses these features to protect against attacks on the BitLocker encryption keys.
|
||||
Before Windows starts, security features implemented as part of the device hardware and firmware must be relied on, including TPM and secure boot. These features ensure that the device hasn't been tampered with while the system was offline.
|
||||
|
||||
### Trusted Platform Module
|
||||
|
||||
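Review bot: the replacement sentence under "Protection before startup" changes "These features help ensure that the device hasn't been tampered with" to "These features ensure that the device hasn't been tampered with", which overstates what a TPM and Secure Boot provide; they detect changes to the boot path they measure or verify, not every form of tampering, so "help ensure" should stay. The shortened introduction also removes the two bullets that explained what BitLocker actually does (encrypting the volumes, and releasing the key only when firmware, boot components and BCD appear unaltered, with the PCR[7] allowance for safe BCD changes) and the link to "Standards for a highly secure Windows device"; the new intro only lists TPM, Secure Boot and Measured Boot by name, so the reader no longer learns how the key is bound to the boot state. Suggest restoring the second bullet in condensed form.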
@ -59,33 +50,15 @@ On computers with a compatible TPM, operating system drives that are BitLocker-p
|
||||
|
||||
- **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the correct PIN is also required.
|
||||
|
||||
In the following group policy example, TPM + PIN is required to unlock an operating system drive:
|
||||
|
||||

|
||||
|
||||
Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured.
|
||||
|
||||
On the other hand, Pre-boot authentication-prompts can be inconvenient to users. In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization's support team to obtain a recovery key. Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation.
|
||||
On the other hand, Pre-boot authentication-prompts can be inconvenient to users. In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization's support team to obtain a recovery key. Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN must be entered when a device reboots or resumes from hibernation.
|
||||
|
||||
To address these issues, [BitLocker Network Unlock](bitlocker-how-to-enable-network-unlock.md) can be deployed. Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server.
|
||||
|
||||
### Protecting Thunderbolt and other DMA ports
|
||||
### Protect DMA ports
|
||||
|
||||
There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.
|
||||
|
||||
You can use the System Information desktop app `MSINFO32.exe` to check if a device has kernel DMA protection enabled:
|
||||
|
||||

|
||||
|
||||
If kernel DMA protection isn't enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:
|
||||
|
||||
1. Require a password for BIOS changes
|
||||
|
||||
2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf)
|
||||
|
||||
3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607 or Windows 11): [Disable new DMA devices when this computer is locked](policy-settings.md)
|
||||
|
||||
For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the **Thunderbolt Mitigation** section in [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). For SBP-2 and 1394 (also known as Firewire), refer to the **SBP-2 Mitigation** section in [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
|
||||
It's important to protect DMA ports, as external peripherals may gain unauthorized access to memory. Depending on the device capabilities, there are different options to protect DMA ports. To learn more, see the policy setting [Disable new DMA devices when this computer is locked](policy-settings.md?tabs=common#disable-new-dma-devices-when-this-computer-is-locked).
|
||||
|
||||
## Attack countermeasures
|
||||
|
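Review bot: the new "Protect DMA ports" paragraph points readers only at the policy setting *Disable new DMA devices when this computer is locked*, yet a later hunk in this same commit adds an IMPORTANT note to that policy's page saying it isn't compatible with Kernel DMA Protection and shouldn't be used where Kernel DMA Protection is available. The removed text had readers check `MSINFO32.exe` for Kernel DMA Protection first and only then fall back to the policy and the BIOS/Thunderbolt settings; without that ordering the new paragraph steers readers toward the weaker control. Suggest keeping the `MSINFO32.exe` check sentence and linking Kernel DMA Protection ahead of the policy setting. Separately, the retained sentence "Pre-boot authentication-prompts can be inconvenient" still carries the stray hyphen and should read "Pre-boot authentication prompts".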
Binary file not shown.
Before Width: | Height: | Size: 263 KiB |
Binary file not shown.
Before Width: | Height: | Size: 1.2 MiB |
@ -15,6 +15,9 @@ Devices that were already enumerated when the device was unlocked will continue
|
||||
|
||||
This policy setting is only enforced when BitLocker or device encryption is enabled.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> This policy is not compatible with *Kernel DMA Protection*. It's recommended to disable this policy if the system supports Kernel DMA Protection, as Kernel DMA Protection provides higher security for the system. For more information about Kernel DMA Protection, see [Kernel DMA Protection](../../../../hardware-security/kernel-dma-protection-for-thunderbolt.md).
|
||||
|
||||
| | Path |
|
||||
|--|--|
|
||||
| **CSP** | Not available |
|
||||
|
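Review bot: in the added IMPORTANT note, "It's recommended to disable this policy" is ambiguous for a setting whose name begins with "Disable": a reader may set the policy to Disabled when the intent is simply not to apply it. Suggest "leave this policy not configured" or "don't enable this policy". The condition "if the system supports Kernel DMA Protection" would also benefit from a pointer to how to check that support (the countermeasures article previously named `MSINFO32.exe` for this). The four-level relative link `../../../../hardware-security/kernel-dma-protection-for-thunderbolt.md` should be verified against the docset layout before merge.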
@ -13,32 +13,38 @@ ms.date: 09/25/2023
|
||||
BitLocker is a Windows security feature that provides encryption for entire volumes.\
|
||||
BitLocker addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices.
|
||||
|
||||
## Practical applications
|
||||
|
||||
Data on a lost or stolen device is vulnerable to unauthorized access, either by running a software-attack tool against it, or by transferring the computer's hard drive to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected devices are decommissioned or recycled.
|
||||
|
||||
## BitLocker and TPM
|
||||
|
||||
BitLocker provides maximum protection when used with a Trusted Platform Module (TPM). A TPM is a hardware component installed in many devices and it works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system is offline.
|
||||
|
||||
On devices that don't have a TPM, BitLocker can still be used to encrypt the operating system drive. However, this implementation requires the user to insert a USB key to start the device or when resuming from hibernation. A password can also be used to protect the OS volume on a device without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM.
|
||||
|
||||
In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device (such as a USB drive) that contains a startup key. These additional security measures provide multifactor authentication and assurance that the device won't start or resume from hibernation until the correct PIN or startup key is presented.
|
||||
|
||||
## Practical applications
|
||||
|
||||
Data on a lost or stolen device is vulnerable to unauthorized access, either by running a software-attack tool against it, or by transferring the computer's hard drive to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected devices are decommissioned or recycled.
|
||||
|
||||
## System requirements
|
||||
|
||||
BitLocker has the following hardware requirements:
|
||||
BitLocker has the following requirements:
|
||||
|
||||
- For BitLocker to use the system integrity check provided by a TPM, the device must have TPM 1.2 or later versions. If a device doesn't have a TPM, saving a startup key on a removable drive is mandatory when enabling BitLocker
|
||||
- A device with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM doesn't require TCG-compliant firmware
|
||||
- The system BIOS or UEFI firmware (for TPM and non-TPM devices) must support the USB mass storage device class, including reading small files on a USB drive in the pre-operating system environment
|
||||
|
||||
> [!NOTE]
|
||||
> TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature.
|
||||
> TPM 2.0 is not supported in *Legacy* and *Compatibility Support Module (CSM)* modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature.
|
||||
>
|
||||
> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [`mbr2gpt`](/windows/deployment/mbr-to-gpt) before changing the BIOS mode, which prepares the OS and the disk to support UEFI.
|
||||
> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [`mbr2gpt.exe`](/windows/deployment/mbr-to-gpt) before changing the BIOS mode, which prepares the OS and the disk to support UEFI.
|
||||
|
||||
- The hard disk must be partitioned with at least two drives:
|
||||
- The *operating system drive* (or boot drive) contains the OS and its support files. It must be formatted with the NTFS file system
|
||||
- The *system drive* contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. It's recommended that the system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space
|
||||
- The *system drive* contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive:
|
||||
- must not be encrypted
|
||||
- must differ from the operating system drive
|
||||
- must be formatted with the FAT32 file system on computers that use UEFI-based firmware, or with the NTFS file system on computers that use BIOS firmware
|
||||
- it's recommended that to be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space
|
||||
|
||||
> [!IMPORTANT]
|
||||
> When installed on a new device, Windows automatically creates the partitions that are required for BitLocker.
|
||||
|
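Review bot: the new sub-bullet "it's recommended that to be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space" is ungrammatical and mixes a recommendation into a list of hard requirements; suggest keeping the three "must" sub-bullets and adding a separate sentence after them: "It's recommended that the system drive be approximately 350 MB in size; after BitLocker is turned on, it should have approximately 250 MB of free space". The NOTE block now sits between the third requirement bullet and the partitioning bullet, which visually splits the requirements list; placing it after the partitioning bullet would keep the list contiguous. Moving "Practical applications" below "BitLocker and TPM" is fine, since the paragraph text is unchanged.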
@ -1,211 +0,0 @@
|
||||
---
|
||||
title: Protecting cluster shared volumes and storage area networks with BitLocker
|
||||
description: This article for IT pros describes how to protect CSVs and SANs with BitLocker.
|
||||
ms.topic: conceptual
|
||||
ms.date: 11/08/2022
|
||||
---
|
||||
|
||||
# Protecting cluster shared volumes and storage area networks with BitLocker
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This article describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker.
|
||||
|
||||
BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. The administrators use this extra layer of protection to increase the security to resources. Only certain user accounts provided access to unlock the BitLocker volume.
|
||||
|
||||
## Configuring BitLocker on Cluster Shared Volumes
|
||||
|
||||
### Using BitLocker with clustered volumes
|
||||
|
||||
Volumes within a cluster are managed with the help of BitLocker based on how the cluster service "views" the volume to be protected. The volume can be a physical disk resource such as a logical unit number (LUN) on a SAN or network attached storage (NAS).
|
||||
|
||||
> [!IMPORTANT]
|
||||
> SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](/windows-hardware/drivers/).
|
||||
|
||||
Instead, the volume can be a cluster-shared volume. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following tasks:
|
||||
|
||||
- It must turn on BitLocker—only after this task is done, can the volumes be added to the storage pool.
|
||||
- It must put the resource into maintenance mode before BitLocker operations are completed.
|
||||
|
||||
Windows PowerShell or the `manage-bde.exe` command-line tool is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. Volumes that lack drive letters don't appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item.
|
||||
|
||||
> [!NOTE]
|
||||
> Mount points can be used to support remote mount points on SMB-based network shares. This type of share is not supported for BitLocker encryption.
|
||||
|
||||
If there's a thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. The **`manage-bde.exe -WipeFreeSpace`** command can't be used to transition the volume to full-volume encryption on thinly provisioned storage volumes. The usage of **`manage-bde.exe -WipeFreeSpace`** command is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space.
|
||||
|
||||
### Active Directory-based protector
|
||||
|
||||
An Active Directory Domain Services (AD DS) protector can also be used for protecting clustered volumes held within the AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account, or group. When an unlock request is made for a protected volume, the following events take place:
|
||||
|
||||
- BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request.
|
||||
- BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order:
|
||||
|
||||
1. Clear key
|
||||
2. Driver-based auto-unlock key
|
||||
3. **ADAccountOrGroup** protector
|
||||
|
||||
a. Service context protector
|
||||
|
||||
b. User protector
|
||||
|
||||
4. Registry-based auto-unlock key
|
||||
|
||||
> [!NOTE]
|
||||
> A Windows Server 2012 or later domain controller is required for this feature to work properly.
|
||||
|
||||
### Turning on BitLocker before adding disks to a cluster using Windows PowerShell

BitLocker encryption is available for disks before these disks are added to a cluster storage pool.

> [!NOTE]
> BitLocker encryption can also be turned on for disks after they're added to a cluster storage pool.

The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource doesn't need to be suspended to complete the operation.

To turn on BitLocker for a disk before adding it to a cluster:

1. Install the BitLocker Drive Encryption feature if it isn't already installed.
2. Ensure the disk is formatted with NTFS and has a drive letter assigned to it.
3. Identify the name of the cluster with Windows PowerShell:

    ```powershell
    Get-Cluster
    ```

4. Enable BitLocker on the volume with an **ADAccountOrGroup** protector, using the cluster name (the cluster name object, or CNO). For example:

    ```powershell
    Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$
    ```

    > [!WARNING]
    > An **ADAccountOrGroup** protector must be configured using the cluster CNO for a BitLocker-enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster.

5. Repeat the preceding steps for each disk in the cluster.
6. Add the volume(s) to the cluster.

### Turning on BitLocker for a clustered disk using Windows PowerShell

When the cluster service already owns a disk resource, the disk resource must be put into maintenance mode before BitLocker can be enabled. To turn on BitLocker for a clustered disk using Windows PowerShell:

1. Install the BitLocker Drive Encryption feature if it isn't already installed.
2. Check the status of the cluster disk with Windows PowerShell:

    ```powershell
    Get-ClusterResource "Cluster Disk 1"
    ```

3. Put the physical disk resource into maintenance mode:

    ```powershell
    Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource
    ```

4. Identify the name of the cluster:

    ```powershell
    Get-Cluster
    ```

5. Enable BitLocker on the volume with an **ADAccountOrGroup** protector, using the cluster name. For example:

    ```powershell
    Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$
    ```

    > [!WARNING]
    > An **ADAccountOrGroup** protector must be configured using the cluster CNO for a BitLocker-enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster.

6. Use **Resume-ClusterResource** to take the physical disk resource out of maintenance mode:

    ```powershell
    Get-ClusterResource "Cluster Disk 1" | Resume-ClusterResource
    ```

7. Repeat the preceding steps for each disk in the cluster.

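The two procedures above share every step except the maintenance-mode handling, so the following script covers both in one place: it encrypts a disk that isn't clustered yet, or suspends and resumes a physical disk resource the cluster already owns. This is an added example, not code from the original article. It assumes it runs elevated on a domain-joined cluster node with the FailoverClusters and BitLocker modules available, that a Windows Server 2012 or later domain controller is reachable for the SID lookup, and that the `$MountPoint` and `$ClusterResourceName` parameters (and the `Cluster Disk 1` style name) are placeholders for your own environment.

```powershell
# Added example, not part of the original article. Assumptions: elevated PowerShell on a
# domain-joined cluster node; FailoverClusters and BitLocker modules present; the parameter
# values are placeholders for your environment.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)]
    [ValidatePattern('^[A-Za-z]:$')]
    [string] $MountPoint,                  # e.g. 'E:'

    [string] $ClusterResourceName          # e.g. 'Cluster Disk 1'; omit for a disk not yet in the cluster
)

Import-Module FailoverClusters, BitLocker -ErrorAction Stop

# Step 1: the BitLocker feature (Install-WindowsFeature exists on Windows Server, which a cluster node is).
if (-not (Get-WindowsFeature -Name BitLocker).Installed) {
    Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools | Out-Null
}

# Step 2: NTFS with a drive letter. Get-Volume fails if no volume has that letter.
$volume = Get-Volume -DriveLetter $MountPoint[0] -ErrorAction Stop
if ($volume.FileSystem -ne 'NTFS') {
    throw "$MountPoint is formatted $($volume.FileSystem); BitLocker on cluster disks requires NTFS."
}

# Step 3: the cluster name object (CNO), in the same 'CLUSTER$' form the article uses.
$cluster = Get-Cluster -ErrorAction Stop
$cno     = "$($cluster.Name)`$"

# Step 4: if the cluster already owns the disk, it must be in maintenance mode on the owning
# node, because Enable-BitLocker (manage-bde -on) is blocked on an online clustered disk.
$resource = $null
if ($ClusterResourceName) {
    $resource = Get-ClusterResource -Name $ClusterResourceName -ErrorAction Stop
    if ($resource.OwnerNode.Name -ne $env:COMPUTERNAME) {
        throw "Run this on $($resource.OwnerNode.Name), the node that currently owns '$ClusterResourceName'."
    }
    $resource | Suspend-ClusterResource -ErrorAction Stop | Out-Null
}

try {
    # Step 5: the CNO protector is what lets the cluster service unlock the volume on whichever
    # node brings it online. A recovery password is added as the administrator's fallback
    # for the case where the CNO lookup fails (for example, no reachable domain controller).
    Enable-BitLocker -MountPoint $MountPoint -AdAccountOrGroupProtector -AdAccountOrGroup $cno `
        -UsedSpaceOnly -ErrorAction Stop | Out-Null
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector -ErrorAction Stop | Out-Null

    # Verify the SID protector really exists before handing the disk back to the cluster;
    # without it the volume would fail to come online on any other node.
    $blv = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($blv.KeyProtector | Where-Object KeyProtectorType -eq 'AdAccountOrGroup')) {
        throw "No AdAccountOrGroup protector on $MountPoint; the cluster would not be able to unlock it."
    }

    # Wait for conversion (the PowerShell equivalent of manage-bde's -sync) so the resource
    # isn't resumed, or added to the cluster, while encryption is still running.
    while ((Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus -eq 'EncryptionInProgress') {
        Start-Sleep -Seconds 10
    }
}
finally {
    # Step 6: always leave maintenance mode, even if encryption failed, so the resource can fail over.
    if ($resource) { $resource | Resume-ClusterResource | Out-Null }
}

# Report what the cluster will see. For a disk that wasn't clustered yet, run this script for
# each disk first and then add them with: Get-ClusterAvailableDisk | Add-ClusterDisk
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
```

Run it as `.\Enable-ClusterDiskBitLocker.ps1 -MountPoint E:` for a disk that isn't clustered yet, or add `-ClusterResourceName "Cluster Disk 1"` on the owning node for a disk the cluster already owns. The `try`/`finally` is deliberate: a resource left in maintenance mode can't fail over, so the script resumes it even when encryption throws.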
### Adding BitLocker-encrypted volumes to a cluster using `manage-bde.exe`

**`Manage-bde.exe`** can also be used to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster are:

1. Verify that the BitLocker Drive Encryption feature is installed on the computer.
2. Ensure the new storage is formatted as NTFS.
3. Encrypt the volume, add a recovery password, and add the cluster name object (CNO) as a SID-based protector using **`manage-bde.exe`** in a command prompt window. For example:

    ```cmd
    manage-bde.exe -on -used <drive letter> -RP -sid domain\CNO$ -sync
    ```

    1. BitLocker checks whether the disk is already part of a cluster. If it is, the command is blocked. Otherwise, encryption continues.
    2. The `-sync` parameter is optional. Using it has the advantage that the command waits until encryption of the volume is complete before returning, after which the volume is released for use in the cluster storage pool.

4. Open the Failover Cluster Manager snap-in or use the cluster PowerShell cmdlets to enable the disk to be clustered. Once the disk is clustered, it can be added to a CSV.
5. During the resource online operation, the cluster checks whether the disk is BitLocker encrypted:

    1. If the volume isn't BitLocker enabled, traditional cluster online operations occur.
    2. If the volume is BitLocker enabled, BitLocker checks whether the volume is **locked**. If it is, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If this fails, an event is logged stating that the volume couldn't be unlocked and the online operation has failed.

6. Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource and choosing **Add to cluster shared volumes**.

CSVs can include both encrypted and unencrypted volumes. To check the BitLocker status of a particular volume, run `manage-bde.exe -status` as an administrator with a path to the volume. The path must be inside the CSV namespace. For example:

```cmd
manage-bde.exe -status "C:\ClusterStorage\volume1"
```

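Checking one CSV by hand is fine; on a cluster with many it's worth enumerating them and flagging the condition the warning above describes, an encrypted volume with no CNO protector, which will fail to come online on any other node. The following script is an added example, not code from the original article. It assumes it runs elevated on a cluster node with the FailoverClusters module, that `manage-bde.exe -status` prints the `Conversion Status`, `Protection Status` and `Lock Status` fields in its usual `Label:   value` form, and that the SID protector appears under `Key Protectors` with the label `AD Account or Group` (that label, and the `Get-CsvBitLockerStatus`/`Get-BdeField` function names, are this example's own assumptions).

```powershell
# Added example, not part of the original article. Assumptions: elevated PowerShell on a
# cluster node with the FailoverClusters module; manage-bde -status output in its usual
# 'Label:   value' layout; the SID protector listed as 'AD Account or Group'.
#Requires -RunAsAdministrator
Import-Module FailoverClusters -ErrorAction Stop

function Get-BdeField {
    # Pull one 'Label:   value' line out of manage-bde -status output; 'n/a' if the label is absent.
    param([string] $Text, [string] $Label)
    if ($Text -match "(?m)^\s*$([regex]::Escape($Label))\s*:\s*(?<value>.+?)\s*$") { $Matches['value'] }
    else { 'n/a' }
}

function Get-CsvBitLockerStatus {
    foreach ($csv in Get-ClusterSharedVolume) {
        # A CSV resource can carry more than one partition; each gets its own namespace path
        # (for example C:\ClusterStorage\Volume1), which is the path manage-bde needs.
        foreach ($info in $csv.SharedVolumeInfo) {
            $path = $info.FriendlyVolumeName
            $text = (& manage-bde.exe -status $path 2>&1) -join "`n"

            $conversion = Get-BdeField $text 'Conversion Status'
            $protection = Get-BdeField $text 'Protection Status'
            $lock       = Get-BdeField $text 'Lock Status'
            # Assumed label for the SID protector in the 'Key Protectors' list.
            $hasCno     = [bool] ($text -match '(?m)^\s+AD Account or Group')

            # First failing check wins. The CNO check comes before 'protection on' because a
            # volume with protection on but no CNO protector is the one that breaks failover.
            $finding = switch ($true) {
                { $conversion -eq 'n/a' }              { 'manage-bde could not read this path'; break }
                { $conversion -match 'Decrypted' }     { 'unencrypted CSV'; break }
                { -not $hasCno }                       { 'ENCRYPTED BUT NO CNO PROTECTOR: will not unlock on failover'; break }
                { $protection -ne 'Protection On' }    { 'protectors present but protection is off'; break }
                { $conversion -ne 'Fully Encrypted' }  { "conversion not finished ($conversion)"; break }
                default                                { 'ok' }
            }

            [pscustomobject]@{
                Volume           = $csv.Name
                Path             = $path
                OwnerNode        = $csv.OwnerNode.Name
                ConversionStatus = $conversion
                ProtectionStatus = $protection
                LockStatus       = $lock
                CnoProtector     = $hasCno
                Finding          = $finding
            }
        }
    }
}

Get-CsvBitLockerStatus | Format-Table -AutoSize
```

The script reads only; it never pauses, locks or changes protectors, so it's safe to run on any node regardless of the restrictions table that follows. Pipe `Get-CsvBitLockerStatus` to `Where-Object Finding -ne 'ok'` to see just the volumes that need attention.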
### Physical disk resources

Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This means that operations such as encrypting, decrypting, locking, or unlocking volumes need a context to run in. For example, a physical disk resource can't be unlocked or decrypted from a node other than the one that currently owns the disk resource, because the volume isn't available on the other nodes.

### Restrictions on BitLocker actions with cluster volumes

The following table contains information about both physical disk resources (that is, traditional failover cluster volumes) and cluster shared volumes (CSV), and the actions that are allowed by BitLocker in each situation.

| Action | On owner node of failover volume | On Metadata Server (MDS) of CSV | On Data Server (DS) of CSV | Maintenance mode |
|--- |--- |--- |--- |--- |
|**`Manage-bde.exe -on`**|Blocked|Blocked|Blocked|Allowed|
|**`Manage-bde.exe -off`**|Blocked|Blocked|Blocked|Allowed|
|**`Manage-bde.exe -pause`/`-resume`**|Blocked|Blocked|Blocked|Allowed|
|**`Manage-bde.exe -lock`**|Blocked|Blocked|Blocked|Allowed|
|**`Manage-bde.exe -wipe`**|Blocked|Blocked|Blocked|Allowed|
|**Unlock**|Automatic via cluster service|Automatic via cluster service|Automatic via cluster service|Allowed|
|**`Manage-bde.exe -protector -add`**|Allowed|Allowed|Blocked|Allowed|
|**`Manage-bde.exe -protector -delete`**|Allowed|Allowed|Blocked|Allowed|
|**`Manage-bde.exe -autounlock`**|Allowed (not recommended)|Allowed (not recommended)|Blocked|Allowed (not recommended)|
|**`Manage-bde.exe -upgrade`**|Allowed|Allowed|Blocked|Allowed|
|**Shrink**|Allowed|Allowed|Blocked|Allowed|
|**Extend**|Allowed|Allowed|Blocked|Allowed|

> [!NOTE]
> Although the **`manage-bde.exe -pause`** command is blocked in clusters, the cluster service automatically resumes a paused encryption or decryption from the MDS node.

If a physical disk resource experiences a failover event during conversion, the new owning node detects that the conversion isn't complete and completes the conversion process.

||||
### Other considerations when using BitLocker on CSV2.0

Some other considerations to take into account for BitLocker on clustered storage include:

- BitLocker volumes have to be initialized and begin encryption before they're available to add to a CSV2.0 volume.
- If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put it into disk maintenance mode. The CSV can be added back to the cluster while waiting for decryption to complete.
- If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it into maintenance mode.
- If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) automatically resumes conversion when the volume is online to the cluster.
- If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver automatically resumes conversion when the volume is online to the cluster.
- If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) automatically resumes conversion when moving the volume back from maintenance.
- If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver automatically resumes conversion when the volume is moved back from maintenance mode.