From 31c849116414ce3f6ddeb27224078d1998bd9dda Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 23 Sep 2020 19:10:34 +0530 Subject: [PATCH 01/16] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...nd-storage-area-networks-with-bitlocker.md | 79 +++++++++---------- 1 file changed, 39 insertions(+), 40 deletions(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index ac7c00f8b6..2dc14bd0e6 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -23,30 +23,29 @@ ms.custom: bitlocker **Applies to** - Windows Server 2016 -This topic for IT pros describes how to protect CSVs and SANs with BitLocker. +This topic describes the procedure to protect CSVs and SANs by using BitLocker. -BitLocker can protect both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes allows for an additional layer of protection for administrators wishing to protect sensitive, highly available data. By adding additional protectors to the clustered volume, administrators can also add an additional barrier of security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. +BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes allows for an additional layer of protection for administrators wishing to protect sensitive, highly available data. By adding additional protectors to the clustered volume, administrators are adding an additional barrier of security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. ## Configuring BitLocker on Cluster Shared Volumes -### Using BitLocker with Clustered Volumes +### Using BitLocker with clustered volumes -BitLocker on volumes within a cluster are managed based on how the cluster service "views" the volume to be protected. The volume can be a physical disk resource such as a logical unit number (LUN) on a storage area network (SAN) or network attached storage (NAS). +Volumes within a cluster are managed with the help of BitLocker based on how the cluster service "views" the volume to be protected. The volume can be a physical disk resource such as a logical unit number (LUN) on a storage area network (SAN) or network attached storage (NAS). >**Important**  SANs used with BitLocker must have obtained Windows Hardware Certification. 
For more info, see [Windows Hardware Lab Kit](https://msdn.microsoft.com/library/windows/hardware/dn930814.aspx). -Alternatively, the volume can be a cluster-shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume will need to turn on -BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations will complete. +Alternatively, the volume can be a cluster-shared volume, a shared namespace, within the cluster **Question: Can it be rephrased as the volume can be one that is shared within the cluster?**. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume must turn on BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations will complete. Windows PowerShell or the manage-bde command line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item. ->**Note:**  Mount points can be used to support remote mount points on SMB based network shares. This type of share is not supported for BitLocker encryption. +>**Note:**  Mount points can be used to support remote mount points on SMB-based network shares. 
This type of share is not supported for BitLocker encryption. -For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. This is blocked in order to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. +For thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes **Question: Can "on these types of volumes" be removed?**. This is blocked in order to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. ### Active Directory-based protector -You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account or group. When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order: +You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account or group. 
When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker unlocks protected volumes without user intervention by attempting protectors in the following order: 1. Clear key 2. Driver-based auto-unlock key @@ -57,14 +56,14 @@ You can also use an Active Directory Domain Services (AD DS) protector for prote 4. Registry-based auto-unlock key ->**Note:**  A Windows Server 2012 or later domain controller is required for this feature to work properly. +>**Note:**  A Windows Server 2012 or later version's domain controller is required for this feature to work properly. ### Turning on BitLocker before adding disks to a cluster using Windows PowerShell -BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation. To turn on BitLocker for a disk before adding it to a cluster, do the following: +BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation **Question: Can it be rephrased as "the disk resource need not be suspended for the volume encryption to be completed?**. To turn on BitLocker for a disk before adding it to a cluster, do the following: 1. Install the BitLocker Drive Encryption feature if it is not already installed. -2. Ensure the disk is formatted NTFS and has a drive letter assigned to it. +2. Ensure the disk is an NTFS-formatted one and has a drive letter assigned to it. 3. Identify the name of the cluster with Windows PowerShell. ```powershell 
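Review bot: In hunk @@ -23,30 the rewrite `+Volumes within a cluster are managed with the help of BitLocker based on how the cluster service "views" the volume to be protected.` changes what the sentence says: BitLocker does not manage cluster volumes; the way BitLocker handles a clustered volume depends on how the cluster service views it. Keep the original subject and fix only its agreement, e.g. "BitLocker on volumes within a cluster is managed based on how the cluster service "views" the volume to be protected." The same hunk inserts two bold editorial questions into the body text (`**Question: Can it be rephrased as the volume can be one that is shared within the cluster?**` and `**Question: Can "on these types of volumes" be removed?**`); they will render on the published page and belong in the PR discussion, so they must be removed before merge. On the first question: do not drop "cluster shared volume", which is the term the page defines and uses throughout (unhyphenated, as in the heading and the CSV2.0 sections); on the second, "on these types of volumes" can go, since the sentence already opens with "For thinly provisioned storage". Finally, "the volume must turn on BitLocker before its addition to the storage pool" still reads as if the volume acts; "BitLocker must be turned on for the volume before it is added to the storage pool within the cluster, or the resource must be put into maintenance mode before BitLocker operations complete" states what the procedure actually requires.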
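Review bot: In hunk @@ -57,14 the note `+>**Note:**  A Windows Server 2012 or later version's domain controller is required for this feature to work properly.` turns a clear requirement into an awkward possessive; "A domain controller running Windows Server 2012 or later is required for this feature to work properly." is simpler and says the same thing. The same hunk embeds another editorial question in the body text (`**Question: Can it be rephrased as "the disk resource need not be suspended for the volume encryption to be completed?**`, with its closing quotation mark missing); the proposed wording is fine, so apply it and delete the question rather than shipping it. Step 2, `+2. Ensure the disk is an NTFS-formatted one and has a drive letter assigned to it.`, is clumsier than the line it replaces; "Ensure the disk is formatted as NTFS and has a drive letter assigned to it." matches the wording already used in the manage-bde section ("Ensure new storage is formatted as NTFS").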
@@ -77,16 +76,16 @@ BitLocker encryption is available for disks before or after addition to a cluste Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` - >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster. + >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker-enabled volume either to be shared in a cluster-shared Volume or to fail over properly in a traditional failover cluster. 5. Repeat the preceding steps for each disk in the cluster. 6. Add the volume(s) to the cluster. ### Turning on BitLocker for a clustered disk using Windows PowerShell -When the cluster service owns a disk resource already, it needs to be set into maintenance mode before BitLocker can be enabled. Use the following steps for turning BitLocker on for a clustered disk: +When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. Use the following steps for turning BitLocker on for a clustered disk: -1. Install the BitLocker Drive Encryption feature if it is not already installed. +1. Install the BitLocker drive encryption feature if it is not already installed. 2. Check the status of the cluster disk using Windows PowerShell. ```powershell 
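Review bot: In hunk @@ -77,16 the rewritten warning, `+   >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker-enabled volume either to be shared in a cluster-shared Volume or to fail over properly in a traditional failover cluster.`, introduces "cluster-shared Volume" with a stray capital and a hyphen the rest of the page does not use; the term is "Cluster Shared Volume (CSV)", and writing it that way lets readers connect the warning to the CSV2.0 sections above. In the same hunk, `+1. Install the BitLocker drive encryption feature if it is not already installed.` lowercases the feature name while the parallel step 1 of the previous procedure (untouched by this patch) still says "BitLocker Drive Encryption feature"; "BitLocker Drive Encryption" is the name of the Windows Server feature as it appears in Server Manager, so keep the capitalization in both places. The "either to be shared ... or to fail over" reordering is fine.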
@@ -110,9 +109,9 @@ When the cluster service owns a disk resource already, it needs to be set into m ```powershell Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` - >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster. + >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker-enabled volume either to be shared in a cluster-shared Volume or to fail over properly in a traditional failover cluster. -6. Use **Resume-ClusterResource** to take the physical disk resource back out of maintenance mode: +6. Use **Resume-ClusterResource** to take back the physical disk resource out of maintenance mode: ```powershell Get-ClusterResource "Cluster Disk 1" | Resume-ClusterResource 
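Review bot: In hunk @@ -110,9 the step `+6. Use **Resume-ClusterResource** to take back the physical disk resource out of maintenance mode:` is a regression: "take back ... out of" is not English, and the original "take the physical disk resource back out of maintenance mode" was correct, so revert that line. The warning change in this hunk duplicates the one in the previous hunk and carries the same "cluster-shared Volume" problem; whichever wording is chosen, both copies of the warning must match, because a reader following either procedure sees only one of them.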
@@ -120,44 +119,44 @@ When the cluster service owns a disk resource already, it needs to be set into m 7. Repeat the preceding steps for each disk in the cluster. -### Adding BitLocker encrypted volumes to a cluster using manage-bde +### Adding BitLocker-encrypted volumes to a cluster using manage-bde -You can also use manage-bde to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster includes the following: +You can also use **manage-bde** to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster include the following: -1. Verify the BitLocker Drive Encryption feature is installed on the computer. +1. Verify that the BitLocker drive encryption feature is installed on the computer. 2. Ensure new storage is formatted as NTFS. -3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using the manage-bde command line interface (see example): +3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using the**manage-bde** command line interface (see example): - `Manage-bde -on -used -RP -sid domain\CNO$ -sync` - 1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption will continue. + 1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption continues. 2. Using the -sync parameter is optional. Using it ensures the command waits until the encryption for the volume is completed before releasing the volume for use in the cluster storage pool. -4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered +4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered. 
- - Once the disk is clustered it can also be enabled for CSV. + - Once the disk is clustered, it is enabled for CSV. -5. During the resource online operation, cluster will check to see if the disk is BitLocker encrypted. +5. During the resource online operation, cluster checks whether the disk is BitLocker encrypted. 1. If the volume is not BitLocker enabled, traditional cluster online operations occur. 2. If the volume is BitLocker enabled, the following check occurs: - - If volume is **locked**, BitLocker will impersonate the CNO and unlock the volume using the CNO protector. If this operation fails an event will be logged that the volume could not be unlocked and the online operation will fail. + - If volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If this operation fails, an event is logged that the volume could not be unlocked and the online operation has failed. -6. Once the disk is online in the storage pool, it can be added to a CSV by right clicking on the disk resource and choosing "**Add to cluster shared volumes**". -CSVs can include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption, administrators can utilize the manage-bde -status command with a path to the volume inside the CSV namespace as seen in the example command line below. +6. Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource and choosing "**Add to cluster shared volumes**". +CSVs include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption, administrators must utilize the **manage-bde -status** command with a path to the volume inside the CSV namespace as seen in the example command line below. 
```powershell manage-bde -status "C:\ClusterStorage\volume1" ``` -### Physical Disk Resources +### Physical disk resources -Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This means that operations such as encrypting, decrypting, locking or unlocking volumes require context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available. +Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This means that operations such as encrypting, decrypting, locking or unlocking volumes require a context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available. ### Restrictions on BitLocker actions with cluster volumes -The following table contains information about both Physical Disk Resources (i.e. traditional failover cluster volumes) and Cluster Shared Volumes (CSV) and the actions that are allowed by BitLocker in each situation. +The following table contains information about both physical disk resources (i.e. traditional failover cluster volumes) and cluster shared volumes (CSV) and the actions that are allowed by BitLocker in each situation. @@ -262,17 +261,17 @@ The following table contains information about both Physical Disk Resources (i.e
->Note:** Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node +>Note:** Although the **manage-bde -pause** command is blocked in clusters, the cluster service automatically resumes a paused encryption or decryption from the MDS node. -In the case where a physical disk resource experiences a failover event during conversion, the new owning node will detect the conversion is not complete and will complete the conversion process. +In the case where a physical disk resource experiences a failover event during conversion, the new owning node detects that the conversion is not complete and completes the conversion process. ### Other considerations when using BitLocker on CSV2.0 Some other considerations to take into account for BitLocker on clustered storage include the following: -- BitLocker volumes have to be initialized and beginning encryption before they are available to add to a CSV2.0 volume. -- If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete. -- If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it in maintenance mode. -- If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) will automatically resume conversion when the volume is online to the cluster. -- If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver will automatically resume conversion when the volume is online to the cluster. 
-- If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) will automatically resume conversion when moving the volume back from maintenance. -- If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver will automatically resume conversion when the volume is moved back from maintenance mode. +- BitLocker volumes have to be initialized and beginning encryption before they are available to add to a CSV2.0 volume **Question: Can it be rephrased as "BitLocker volumes have to be initialized and have encryptions commenced on it?**. +- If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put it into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete. +- If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it into maintenance mode. +- If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) automatically resumes conversion when the volume is online to the cluster. +- If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver automatically resumes conversion when the volume is online to the cluster. +- If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) automatically resumes conversion when moving the volume back from maintenance. +- If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver automatically resumes conversion when the volume is moved back from maintenance mode. From 5e544be8a97edcdf6bbc23c0d198a06cb809508c Mon Sep 17 00:00:00 2001 
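Review bot: In hunk @@ -120,44 two rewrites change what the page claims. `+   - Once the disk is clustered, it is enabled for CSV.` states that clustering a disk makes it a CSV, but the original ("it can also be enabled for CSV") is correct: a clustered disk remains a physical disk resource until someone adds it to Cluster Shared Volumes, which is exactly what step 6 of this same list ("Add to cluster shared volumes") describes, so restore "can also be". Likewise `+CSVs include both encrypted and unencrypted volumes.` reads as if every CSV contains both; "CSVs can include both encrypted and unencrypted volumes" is the intended statement, and "administrators must utilize the **manage-bde -status** command" overstates an optional check ("can use"). Smaller points: `using the**manage-bde** command line interface` is missing the space after "the"; "the online operation has failed" should be "the online operation fails" to match the surrounding present tense; "cluster checks whether" needs "the cluster"; and "require a context to perform" is worse than the original "require context". The "BitLocker drive encryption feature" lowercasing here has the same consistency problem as in the earlier hunks.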
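Review bot: In hunk @@ -262,17 the line `+>Note:** Although the **manage-bde -pause** command is blocked in clusters, the cluster service automatically resumes a paused encryption or decryption from the MDS node.` keeps the unbalanced bold markers of the old line (the opening `**` before "Note:" is missing), so the trailing `**` renders literally; since the line is being touched anyway, make it `>**Note:**`. The last bullet again embeds an editorial question in the page text (`**Question: Can it be rephrased as "BitLocker volumes have to be initialized and have encryptions commenced on it?**`), and the proposed wording is ungrammatical; what the bullet means is that BitLocker must already be enabled on the volume and encryption must have started before the volume can be added to a CSV2.0 volume, so write that and drop the question. The remaining bullet changes (replacing "will automatically resume" with "automatically resumes", and "put into" with "put it into") are fine.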
From: Asha Iyengar Date: Mon, 5 Oct 2020 17:41:54 +0530 Subject: [PATCH 02/16] Reviewed protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md (#3918) --- ...nd-storage-area-networks-with-bitlocker.md | 32 +++++++------------ 1 file changed, 12 insertions(+), 20 deletions(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 2dc14bd0e6..acb4171785 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -23,7 +23,7 @@ ms.custom: bitlocker **Applies to** - Windows Server 2016 -This topic describes the procedure to protect CSVs and SANs by using BitLocker. +This topic describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker. BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes allows for an additional layer of protection for administrators wishing to protect sensitive, highly available data. By adding additional protectors to the clustered volume, administrators are adding an additional barrier of security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. 
@@ -31,36 +31,34 @@ BitLocker protects both physical disk resources and cluster shared volumes versi ### Using BitLocker with clustered volumes -Volumes within a cluster are managed with the help of BitLocker based on how the cluster service "views" the volume to be protected. The volume can be a physical disk resource such as a logical unit number (LUN) on a storage area network (SAN) or network attached storage (NAS). +Volumes within a cluster are managed with the help of BitLocker based on how the cluster service "views" the volume to be protected. The volume can be a physical disk resource such as a logical unit number (LUN) on a SAN or network attached storage (NAS). >**Important**  SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](https://msdn.microsoft.com/library/windows/hardware/dn930814.aspx). -Alternatively, the volume can be a cluster-shared volume, a shared namespace, within the cluster **Question: Can it be rephrased as the volume can be one that is shared within the cluster?**. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume must turn on BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations will complete. +Alternatively, the volume can be a cluster shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume must turn on BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations are completed. Windows PowerShell or the manage-bde command line interface is the preferred method to manage BitLocker on CSV2.0 volumes. 
This is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item. >**Note:**  Mount points can be used to support remote mount points on SMB-based network shares. This type of share is not supported for BitLocker encryption. -For thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes **Question: Can "on these types of volumes" be removed?**. This is blocked in order to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. +For thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. This is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. ### Active Directory-based protector -You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account or group. 
When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker unlocks protected volumes without user intervention by attempting protectors in the following order: +You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account, or group. When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker unlocks protected volumes without user intervention by attempting protectors in the following order: 1. Clear key 2. Driver-based auto-unlock key -3. ADAccountOrGroup protector - - 1. Service context protector - 2. User protector - +3. **ADAccountOrGroup** protector + a. Service context protector + b. User protector 4. Registry-based auto-unlock key >**Note:**  A Windows Server 2012 or later version's domain controller is required for this feature to work properly. ### Turning on BitLocker before adding disks to a cluster using Windows PowerShell -BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation **Question: Can it be rephrased as "the disk resource need not be suspended for the volume encryption to be completed?**. To turn on BitLocker for a disk before adding it to a cluster, do the following: +BitLocker encryption is available for disks before or after addition to a cluster storage pool. 
The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require to suspend the resource to complete the operation. To turn on BitLocker for a disk before adding it to a cluster, do the following: 1. Install the BitLocker Drive Encryption feature if it is not already installed. 2. Ensure the disk is an NTFS-formatted one and has a drive letter assigned to it. 
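Review bot: In hunk @@ -31,36 the nested protector list becomes `+3. **ADAccountOrGroup** protector`, `+   a. Service context protector`, `+   b. User protector` with the blank lines around the sub-list removed; CommonMark does not treat "a." and "b." as list markers, so those two lines will most likely render as run-on text inside item 3 rather than as a sub-list. Keep the indented `1.`/`2.` sub-list with a blank line before and after it, or at least check the rendered preview before merging, because the unlock order is the one part of this section a troubleshooter needs to read precisely. This hunk removes the embedded editorial questions (good) but leaves the earlier meaning regression in place: `+Volumes within a cluster are managed with the help of BitLocker based on how the cluster service "views" the volume to be protected.` still says BitLocker manages cluster volumes, whereas "BitLocker on volumes within a cluster is managed based on how the cluster service "views" the volume" is the intended statement. Finally, "the disk resource does not require to suspend the resource to complete the operation" is ungrammatical; "the resource does not need to be suspended to complete the operation" says it.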
@@ -69,21 +67,19 @@ BitLocker encryption is available for disks before or after addition to a cluste ```powershell Get-Cluster ``` - 4. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as: ```powershell Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` - - >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker-enabled volume either to be shared in a cluster-shared Volume or to fail over properly in a traditional failover cluster. + >**Warning:**  You must configure a **ADAccountOrGroup** protector using the cluster CNO for a BitLocker-enabled volume either to be shared in a cluster-shared Volume or to fail over properly in a traditional failover cluster. 5. Repeat the preceding steps for each disk in the cluster. 6. Add the volume(s) to the cluster. ### Turning on BitLocker for a clustered disk using Windows PowerShell -When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. Use the following steps for turning BitLocker on for a clustered disk: +When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. To turn the Bitlocker on for a clustered disk using Windows PowerShell, do the following: 1. Install the BitLocker drive encryption feature if it is not already installed. 2. Check the status of the cluster disk using Windows PowerShell. 
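Review bot: In hunk @@ -69,21 `+   >**Warning:**  You must configure a **ADAccountOrGroup** protector using the cluster CNO ...` changes the correct "an" to "a"; "ADAccountOrGroup" is read letter by letter ("A-D..."), so "an **ADAccountOrGroup** protector" is right, and the unchanged copy of this warning in the next procedure still says "an". Revert that word. The new intro `+... To turn the Bitlocker on for a clustered disk using Windows PowerShell, do the following:` misspells the product name ("Bitlocker" for "BitLocker") and adds an article the name does not take; "To turn on BitLocker for a clustered disk using Windows PowerShell, do the following:" mirrors the parallel sentence in the previous procedure. Removing the blank lines between the fenced blocks and the following numbered steps is harmless in CommonMark but may change whether the list renders as loose or tight, which affects the spacing around the code blocks; confirm in the preview that each command still appears in its own block.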
@@ -91,19 +87,16 @@ When the cluster service owns a disk resource already, the disk resource needs t ```powershell Get-ClusterResource "Cluster Disk 1" ``` - 3. Put the physical disk resource into maintenance mode using Windows PowerShell. ```powershell Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource ``` - 4. Identify the name of the cluster with Windows PowerShell. ```powershell Get-Cluster ``` - 5. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as: ```powershell @@ -116,7 +109,6 @@ When the cluster service owns a disk resource already, the disk resource needs t ```powershell Get-ClusterResource "Cluster Disk 1" | Resume-ClusterResource ``` - 7. Repeat the preceding steps for each disk in the cluster. ### Adding BitLocker-encrypted volumes to a cluster using manage-bde 
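Review bot: Hunks @@ -91,19 and @@ -116,7 are whitespace-only (they delete the blank line after each fenced `powershell` block before the next numbered step) and change nothing in the commands, so the only thing to verify is the rendered list spacing, as for the identical edit in the previous hunk. Saying in the PR description that these hunks are whitespace-only would spare the next reviewer from diffing each one.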
@@ -268,7 +260,7 @@ In the case where a physical disk resource experiences a failover event during c ### Other considerations when using BitLocker on CSV2.0 Some other considerations to take into account for BitLocker on clustered storage include the following: -- BitLocker volumes have to be initialized and beginning encryption before they are available to add to a CSV2.0 volume **Question: Can it be rephrased as "BitLocker volumes have to be initialized and have encryptions commenced on it?**. +- BitLocker volumes have to be initialized and begin encryption before they are available to add to a CSV2.0 volume . - If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put it into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete. - If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it into maintenance mode. - If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) automatically resumes conversion when the volume is online to the cluster. From 3b62934480fff611abf5d9867a5ec8f8ea325a3a Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 5 Mar 2021 15:17:28 +0530 Subject: [PATCH 03/16] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...lumes-and-storage-area-networks-with-bitlocker.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 983ef48df9..32acbff95e 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
+++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -25,7 +25,7 @@ ms.custom: bitlocker This topic describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker. -BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes allows for an additional layer of protection for administrators wishing to protect sensitive, highly available data. By adding additional protectors to the clustered volume, administrators are adding an additional barrier of security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. +BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. By adding this extra layer of protection to the clustered volume, administrators are increasing the security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. ## Configuring BitLocker on Cluster Shared Volumes 
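Review bot: The rewritten paragraph in the @@ -25 hunk drops the mechanism: the removed text said access is restricted "by adding additional protectors to the clustered volume", which is what actually limits unlocking to particular accounts (the **ADAccountOrGroup** protector described later in this file), whereas "by adding this extra layer of protection" no longer says what is added. Also "increasing the security to resources" should be "the security of resources". Suggest: "By adding protectors to the clustered volume, administrators can restrict which user accounts are allowed to unlock the BitLocker volume."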
@@ -41,7 +41,7 @@ Windows PowerShell or the manage-bde command-line interface is the preferred met >**Note:**  Mount points can be used to support remote mount points on SMB-based network shares. This type of share is not supported for BitLocker encryption. -For thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. This is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space.. +For thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. The usage of **manage-bde -WipeFreeSpace** command is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. ### Active Directory-based protector @@ -79,7 +79,7 @@ BitLocker encryption is available for disks before or after addition to a cluste ### Turning on BitLocker for a clustered disk using Windows PowerShell -When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. To turn the Bitlocker on for a clustered disk using Windows PowerShell, do the following: +When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. To turn on the Bitlocker for a clustered disk using Windows PowerShell, perform the following steps: 1. Install the BitLocker drive encryption feature if it is not already installed. 2. Check the status of the cluster disk using Windows PowerShell. 
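Review bot: In the @@ -79 hunk, "To turn on the Bitlocker for a clustered disk" introduces a stray article and an inconsistent product-name spelling; the rest of the page writes "BitLocker" without an article. Suggest "To turn on BitLocker for a clustered disk by using Windows PowerShell, follow these steps:". In the @@ -41 hunk, "The usage of **manage-bde -WipeFreeSpace** command is blocked" needs "the" before "command", or simply "This command is blocked".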
@@ -113,7 +113,7 @@ When the cluster service owns a disk resource already, the disk resource needs t ### Adding BitLocker-encrypted volumes to a cluster using manage-bde -You can also use **manage-bde** to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster include the following: +You can also use **manage-bde** to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster are: 1. Verify that the BitLocker drive encryption feature is installed on the computer. 2. Ensure new storage is formatted as NTFS. 
@@ -149,11 +149,11 @@ manage-bde -status "C:\ClusterStorage\volume1" ### Physical disk resources -Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This means that operations such as encrypting, decrypting, locking or unlocking volumes require a context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available. +Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This condition means that operations such as encrypting, decrypting, locking or unlocking volumes require a context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available. ### Restrictions on BitLocker actions with cluster volumes -The following table contains information about both physical disk resources (i.e. traditional failover cluster volumes) and cluster shared volumes (CSV) and the actions that are allowed by BitLocker in each situation. +The following table contains information about both physical disk resources (that is, traditional failover cluster volumes) and cluster shared volumes (CSV) and the actions that are allowed by BitLocker in each situation. From c8550e5e36f3f62abd8145f3cf6313bc0df9fe4c Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 5 Mar 2021 15:23:00 +0530 Subject: [PATCH 04/16] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...r-shared-volumes-and-storage-area-networks-with-bitlocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
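Review bot: In the @@ -149 hunk of PATCH 03 above, "This condition means" is an odd substitution for "This means": the preceding sentence states a restriction (a physical disk resource is accessible from one node at a time), not a condition. Suggest "Because of this single-node access, operations such as encrypting, decrypting, locking or unlocking volumes require a context to perform." The "(that is, traditional failover cluster volumes)" change in the same hunk is fine.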
diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 32acbff95e..d3ea4a6ba2 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -25,7 +25,7 @@ ms.custom: bitlocker This topic describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker. -BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. By adding this extra layer of protection to the clustered volume, administrators are increasing the security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. +BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. The administrators use this extra layer of protection to increase the security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. ## Configuring BitLocker on Cluster Shared Volumes From 21b1e166d0f32dd558e92f8ac6ed74987fa5c2b5 Mon Sep 17 00:00:00 2001 
From: Siddarth Mandalika Date: Fri, 5 Mar 2021 15:28:11 +0530 Subject: [PATCH 05/16] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...r-shared-volumes-and-storage-area-networks-with-bitlocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index d3ea4a6ba2..ae0507a14d 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -25,7 +25,7 @@ ms.custom: bitlocker This topic describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker. -BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. The administrators use this extra layer of protection to increase the security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. +BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. The administrators use this extra layer of protection to increase the security to resources. Only certain user accounts provided access to unlock the BitLocker volume. ## Configuring BitLocker on Cluster Shared Volumes 
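Review bot: The @@ -25 hunk in PATCH 05 leaves an ungrammatical final sentence: "Only certain user accounts provided access to unlock the BitLocker volume." has no main verb. Splitting the sentence also disconnects the access restriction from the protection that achieves it. Suggest one sentence, for example "Administrators use this extra layer of protection to restrict unlocking of the BitLocker volume to specific user accounts."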
From 8623f6afa0c04db9fff8840210a7d974085bcfbb Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Sun, 7 Mar 2021 12:49:50 +0530 Subject: [PATCH 06/16] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...hared-volumes-and-storage-area-networks-with-bitlocker.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index ae0507a14d..dd8155bcdd 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -35,7 +35,10 @@ Volumes within a cluster are managed with the help of BitLocker based on how the >**Important**  SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](https://msdn.microsoft.com/library/windows/hardware/dn930814.aspx). -Alternatively, the volume can be a cluster shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume must turn on BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations are completed. +Alternatively, the volume can be a cluster shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following: + +- It must turn on BitLocker - Only after this done, the volumes can be added into the storage pool +- It must put the resource into maintenance mode before BitLocker operations are completed. Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item. From b78d49c9fed05efd47fd3d0069898dd7e2a74581 Mon Sep 17 00:00:00 2001 
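Review bot: The bulleted rewrite in the @@ -35 hunk changes the meaning of the removed sentence. The original offered two alternatives (turn on BitLocker before adding the volume to the storage pool, or put the resource into maintenance mode before BitLocker operations are completed), but "must do the following" followed by two bullets reads as two mandatory tasks. The singular "It must" under the plural subject "The volumes", and "Only after this done" (missing "is"), are also problems. Suggest: "For a volume designated for a cluster, either turn on BitLocker before adding the volume to the cluster storage pool, or put the resource into maintenance mode before completing BitLocker operations."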
From: Siddarth Mandalika Date: Sun, 7 Mar 2021 13:00:04 +0530 Subject: [PATCH 07/16] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...nd-storage-area-networks-with-bitlocker.md | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index dd8155bcdd..7d35481c85 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -48,14 +48,17 @@ For thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLo ### Active Directory-based protector -You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account, or group. When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order: +You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account, or group. When an unlock request is made for a protected volume, the following events take place: -1. Clear key -2. Driver-based auto-unlock key -3. **ADAccountOrGroup** protector - a. Service context protector - b. User protector -4. Registry-based auto-unlock key +- BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. +- BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order: + + 1. Clear key + 2. Driver-based auto-unlock key + 3. **ADAccountOrGroup** protector + a. Service context protector + b. User protector + 4. Registry-based auto-unlock key >**Note:**  A Windows Server 2012 or later version's domain controller is required for this feature to work properly. 
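Review bot: In the @@ -48 hunk, the first new bullet drops the article ("BitLocker service interrupts" should be "The BitLocker service interrupts"), and "the following events take place" followed by a bullet list loses the sequence the removed sentence implied: the service handles the request, then tries the protectors in order. Two plain sentences would carry that better than bullets. Also check that the nested "a." and "b." lines under item 3 are indented enough to render as a sublist now that the whole numbered list has been moved one level under a bullet.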
@@ -125,7 +128,8 @@ You can also use **manage-bde** to enable BitLocker on clustered volumes. The st - `Manage-bde -on -used -RP -sid domain\CNO$ -sync` 1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption continues. - 2. Using the -sync parameter is optional. Using it ensures the command waits until the encryption for the volume is completed before releasing the volume for use in the cluster storage pool. + 2. Using the -sync parameter is optional. However, using -sync parameter has the following advantage: + - The -sync parameter ensures the command waits until the encryption for the volume is completed before releasing the volume for use in the cluster storage pool. 4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered. From 3c350893b42d6bbc99511682d7345e6eaec6ab36 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Sun, 7 Mar 2021 13:10:29 +0530 Subject: [PATCH 08/16] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...volumes-and-storage-area-networks-with-bitlocker.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 7d35481c85..16782434b3 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -129,7 +129,7 @@ You can also use **manage-bde** to enable BitLocker on clustered volumes. The st 1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption continues. 2. Using the -sync parameter is optional. However, using -sync parameter has the following advantage: - - The -sync parameter ensures the command waits until the encryption for the volume is completed before releasing the volume for use in the cluster storage pool. + - The -sync parameter ensures the command waits until the encryption for the volume is completed. The volume is then released for use in the cluster storage pool. 4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered. 
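Review bot: The @@ -129 hunk keeps the single-item sub-bullet introduced in the previous patch ("However, using -sync parameter has the following advantage:" followed by one bullet), which is heavier than the one sentence it replaced and still lacks "the" before "-sync parameter". Suggest collapsing step 2 back to one sentence: "The -sync parameter is optional; it makes the command wait until encryption of the volume completes before the volume is released for use in the cluster storage pool."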
@@ -143,10 +143,14 @@ You can also use **manage-bde** to enable BitLocker on clustered volumes. The st 2. If the volume is BitLocker enabled, the following check occurs: - - If volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If this operation fails, an event is logged that the volume could not be unlocked and the online operation has failed. + - If volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If these actions by Bitlocker fail, an event is logged. The logged event will state that the volume could not be unlocked and the online operation has failed. 6. Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource and choosing "**Add to cluster shared volumes**". -CSVs include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption, administrators must utilize the **manage-bde -status** command with a path to the volume inside the CSV namespace as seen in the example command line below. +CSVs include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption: administrators must do the following task: + +- Utilize the **manage-bde -status** command with a path to the volume. + + The path must be one that is inside the CSV namespace as seen in the example command line below. ```powershell From 8180887bf8fecc42effd88bc3d24e5b099fab5ee Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Sun, 7 Mar 2021 14:41:52 +0530 Subject: [PATCH 09/16] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...lumes-and-storage-area-networks-with-bitlocker.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) 
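Review bot: In the @@ -143 hunk, "To check the status of a particular volume for BitLocker encryption: administrators must do the following task:" uses a colon mid-sentence and introduces a one-item bullet list for a single instruction; the indented follow-on line ("The path must be one that is inside the CSV namespace ...") then sits as a paragraph inside that bullet, separated from the code example it refers to. Suggest one sentence: "To check the BitLocker status of a particular volume, use the **manage-bde -status** command with a path inside the CSV namespace, as in the following example." In the same hunk, "If these actions by Bitlocker fail" uses the inconsistent spelling "Bitlocker".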
diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 16782434b3..06c283bba1 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -35,16 +35,16 @@ Volumes within a cluster are managed with the help of BitLocker based on how the >**Important**  SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](https://msdn.microsoft.com/library/windows/hardware/dn930814.aspx). -Alternatively, the volume can be a cluster shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following: +Instead, the volume can be a cluster-shared volume. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following: - It must turn on BitLocker - Only after this done, the volumes can be added into the storage pool - It must put the resource into maintenance mode before BitLocker operations are completed. -Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item. +Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. 
Volumes that lack drive letters don''t appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item. >**Note:**  Mount points can be used to support remote mount points on SMB-based network shares. This type of share is not supported for BitLocker encryption. -For thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. The usage of **manage-bde -WipeFreeSpace** command is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. +In the case of thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You can't use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. The usage of **manage-bde -WipeFreeSpace** command is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. ### Active Directory-based protector 
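Review bot: The @@ -35 hunk in PATCH 09 introduces a typo, "don''t" (doubled apostrophe) in "Volumes that lack drive letters don''t appear", and replaces "Alternatively" with "Instead", which changes the meaning: the paragraph presents a second kind of volume (a CSV) in addition to the physical disk resource described just above, not a replacement for it. Suggest "Alternatively, the volume can be a cluster shared volume (a shared namespace within the cluster)." and "don't".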
@@ -64,7 +64,11 @@ You can also use an Active Directory Domain Services (AD DS) protector for prote ### Turning on BitLocker before adding disks to a cluster using Windows PowerShell -BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation. To turn on BitLocker for a disk before adding it to a cluster: +BitLocker encryption is available for disks before these disks are added to a cluster storage pool. +> [!NOTE] +> The advantage of The Bitlocker encryption can even be made available for disks after they are added to a cluster storage pool. +The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource need not be suspended to complete the operation. +To turn on BitLocker for a disk before adding it to a cluster: 1. Install the BitLocker Drive Encryption feature if it is not already installed. 2. Ensure the disk is an NTFS-formatted one and has a drive letter assigned to it. From 60b0b59b3e73bb71f030c264caa7d12febc95af6 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 14 Sep 2022 10:40:15 +0530 Subject: [PATCH 10/16] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...nd-storage-area-networks-with-bitlocker.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index d3b6788152..53e04dc61e 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
+++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -31,9 +31,9 @@ Volumes within a cluster are managed with the help of BitLocker based on how the > [!IMPORTANT] > SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](/windows-hardware/drivers/). -Instead, the volume can be a cluster-shared volume. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following: +Instead, the volume can be a cluster-shared volume. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following tasks: -- It must turn on BitLocker - Only after this done, the volumes can be added into the storage pool +- It must turn on BitLocker - Only after this task is done, the volumes can be added into the storage pool - It must put the resource into maintenance mode before BitLocker operations are completed. Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. Volumes that lack drive letters don''t appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item. 
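Review bot: The @@ -31 hunk rewrites these two list lines but only adds "tasks" and "task"; it leaves "It must" under the plural subject "The volumes" and leaves the "don''t" typo in the context line directly below untouched. Since the hunk already touches this passage, fix both here.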
@@ -41,7 +41,7 @@ Windows PowerShell or the manage-bde command-line interface is the preferred met > [!NOTE] > Mount points can be used to support remote mount points on SMB-based network shares. This type of share is not supported for BitLocker encryption. -In the case of thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You can't use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. The usage of **manage-bde -WipeFreeSpace** command is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. +If there's a thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You can't use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. The usage of **manage-bde -WipeFreeSpace** command is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. ### Active Directory-based protector @@ -68,7 +68,7 @@ BitLocker encryption is available for disks before these disks are added to a cl The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource need not be suspended to complete the operation. To turn on BitLocker for a disk before adding it to a cluster: -1. Install the BitLocker Drive Encryption feature if it is not already installed. +1. Install the BitLocker Drive Encryption feature if it isn't already installed. 2. Ensure the disk is an NTFS-formatted one and has a drive letter assigned to it. 3. Identify the name of the cluster with Windows PowerShell. 
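Review bot: In the @@ -41 hunk, "If there's a thinly provisioned storage" is ungrammatical ("storage" is uncountable) and turns a description of how BitLocker behaves on such storage into a hypothetical; "For thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in ..." was clearer. In the @@ -68 hunk, the passage being edited still carries the note line added in PATCH 09, "> The advantage of The Bitlocker encryption can even be made available for disks after they are added to a cluster storage pool.", which is a truncated sentence ("The advantage of" is left over from the old text) and is not followed by a blank line before the next paragraph. Suggest "> BitLocker encryption can also be enabled after the disks are added to a cluster storage pool." followed by a blank line.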
@@ -91,7 +91,7 @@ To turn on BitLocker for a disk before adding it to a cluster: When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. To turn on the Bitlocker for a clustered disk using Windows PowerShell, perform the following steps: -1. Install the BitLocker drive encryption feature if it is not already installed. +1. Install the BitLocker drive encryption feature if it isn't already installed. 2. Check the status of the cluster disk using Windows PowerShell. ```powershell 
@@ -140,16 +140,16 @@ You can also use **manage-bde** to enable BitLocker on clustered volumes. The st 4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered. - - Once the disk is clustered, it is enabled for CSV. + - Once the disk is clustered, it's enabled for CSV. 5. During the resource online operation, cluster checks whether the disk is BitLocker encrypted. - 1. If the volume is not BitLocker enabled, traditional cluster online operations occur. + 1. If the volume isn't BitLocker enabled, traditional cluster online operations occur. 2. If the volume is BitLocker enabled, the following check occurs: - - If volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If these actions by Bitlocker fail, an event is logged. The logged event will state that the volume could not be unlocked and the online operation has failed. + - If volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If these actions by BitLocker fail, an event is logged. The logged event will state that the volume couldn't be unlocked and the online operation has failed. 6. Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource and choosing "**Add to cluster shared volumes**". CSVs include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption: administrators must do the following task: 
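Review bot: In the @@ -140 hunk the rewritten line still reads "If volume is **locked**"; add "the" ("If the volume is **locked**") while touching it. The "Bitlocker" to "BitLocker" correction on the same line is good.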
@@ -166,7 +166,7 @@ manage-bde -status "C:\ClusterStorage\volume1" ### Physical disk resources -Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This condition means that operations such as encrypting, decrypting, locking or unlocking volumes require a context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available. +Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This condition means that operations such as encrypting, decrypting, locking or unlocking volumes require a context to perform. For example, you can't unlock or decrypt a physical disk resource if you aren't administering the cluster node that owns the disk resource because the disk resource isn't available. ### Restrictions on BitLocker actions with cluster volumes 
@@ -277,12 +277,12 @@ The following table contains information about both physical disk resources (tha >Note:** Although the **manage-bde -pause** command is blocked in clusters, the cluster service automatically resumes a paused encryption or decryption from the MDS node. -In the case where a physical disk resource experiences a failover event during conversion, the new owning node detects that the conversion is not complete and completes the conversion process. +In the case where a physical disk resource experiences a failover event during conversion, the new owning node detects that the conversion isn't complete and completes the conversion process. ### Other considerations when using BitLocker on CSV2.0 -Some other considerations to take into account for BitLocker on clustered storage include the following: -- BitLocker volumes have to be initialized and begin encryption before they are available to add to a CSV2.0 volume . +Some other considerations to take into account for BitLocker on clustered storage include: +- BitLocker volumes have to be initialized and begin encryption before they're available to add to a CSV2.0 volume. - If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put it into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete. - If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it into maintenance mode. - If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) automatically resumes conversion when the volume is online to the cluster. From 5e157e3a92a65c9849ef8d4abebd88348028dfa2 Mon Sep 17 00:00:00 2001 
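Review bot: the unchanged context line ">Note:** Although the **manage-bde -pause** command is blocked in clusters ..." has an unbalanced bold marker (a closing ** with no opening one) and no space after ">", so it renders as the literal text "Note:**"; this hunk edits the very next line, so fix it here as "> **Note:** Although ...". In the bullet list this hunk touches, the decrypt bullet says "disk maintenance mode" and the encrypt bullet says "maintenance mode" for what appears to be the same state; use one term throughout.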
From: Siddarth Mandalika Date: Fri, 16 Sep 2022 12:50:19 +0530 Subject: [PATCH 11/16] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...nd-storage-area-networks-with-bitlocker.md | 121 +++--------------- 1 file changed, 17 insertions(+), 104 deletions(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 53e04dc61e..afa604d207 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -172,110 +172,23 @@ Unlike CSV2.0 volumes, physical disk resources can only be accessed by one clust The following table contains information about both physical disk resources (that is, traditional failover cluster volumes) and cluster shared volumes (CSV) and the actions that are allowed by BitLocker in each situation. -
------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Action

On owner node of failover volume

On Metadata Server (MDS) of CSV

On (Data Server) DS of CSV

Maintenance Mode

Manage-bde –on

Blocked

Blocked

Blocked

Allowed

Manage-bde –off

Blocked

Blocked

Blocked

Allowed

Manage-bde Pause/Resume

Blocked

Blocked

Blocked

Allowed

Manage-bde –lock

Blocked

Blocked

Blocked

Allowed

manage-bde –wipe

Blocked

Blocked

Blocked

Allowed

Unlock

Automatic via cluster service

Automatic via cluster service

Automatic via cluster service

Allowed

manage-bde –protector –add

Allowed

Allowed

Blocked

Allowed

manage-bde -protector -delete

Allowed

Allowed

Blocked

Allowed

manage-bde –autounlock

Allowed (not recommended)

Allowed (not recommended)

Blocked

Allowed (not recommended)

Manage-bde -upgrade

Allowed

Allowed

Blocked

Allowed

Shrink

Allowed

Allowed

Blocked

Allowed

Extend

Allowed

Allowed

Blocked

Allowed

- ->Note:** Although the **manage-bde -pause** command is blocked in clusters, the cluster service automatically resumes a paused encryption or decryption from the MDS node. +| Action | On owner node of failover volume | On Metadata Server (MDS) of CSV | On (Data Server) DS of CSV | Maintenance Mode | +|--- |--- |--- |--- |--- | +|**Manage-bde –on**|Blocked|Blocked|Blocked|Allowed| +|**Manage-bde –off**|Blocked|Blocked|Blocked|Allowed| +|**Manage-bde Pause/Resume**|Blocked|Blocked**|Blocked|Allowed| +|**Manage-bde –lock**|Blocked|Blocked|Blocked|Allowed| +|**manage-bde –wipe**|Blocked|Blocked|Blocked|Allowed| +|**Unlock**|Automatic via cluster service|Automatic via cluster service|Automatic via cluster service|Allowed| +|**manage-bde –protector –add**|Allowed|Allowed|Blocked|Allowed| +|**manage-bde -protector -delete**|Allowed|Allowed|Blocked|Allowed| +|**manage-bde –autounlock**|Allowed (not recommended)|Allowed (not recommended)|Blocked|Allowed (not recommended)| +|**Manage-bde -upgrade**|Allowed|Allowed|Blocked|Allowed| +|**Shrink**|Allowed|Allowed|Blocked|Allowed| +|**Extend**|Allowed|Allowed|Blocked|Allowed| + +> [!NOTE] +> Although the **manage-bde -pause** command is blocked in clusters, the cluster service automatically resumes a paused encryption or decryption from the MDS node. In the case where a physical disk resource experiences a failover event during conversion, the new owning node detects that the conversion isn't complete and completes the conversion process. From a684dbd5829aeb6042b75ca8c23c81cce112850f Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 3 Oct 2022 16:56:21 +0530 Subject: [PATCH 12/16] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
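Review bot: the Pause/Resume row of the new markdown table carries a stray "**" after the second cell, "|**Manage-bde Pause/Resume**|Blocked|Blocked**|Blocked|Allowed|", which will render as literal asterisks or open an unterminated bold span; drop it. Two more points in the same table: the first column mixes en-dashes and ASCII hyphens ("Manage-bde –on", "manage-bde -protector -delete", "Manage-bde -upgrade") as well as mixed capitalisation, and readers copy these into a console where "manage-bde –on" with an en-dash is not a valid switch, so normalise every row to lowercase with ASCII hyphens ("manage-bde -on", "manage-bde -protector -add"). Finally, the header "On (Data Server) DS of CSV" should read "On Data Server (DS) of CSV" to match "On Metadata Server (MDS) of CSV".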
diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 4cda103d80..ded42ee1ee 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -23,7 +23,7 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and above -This topic for the IT professional explains how can you plan your BitLocker deployment. +This topic for the IT professional explains how to plan BitLocker deployment. When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following sections will help you collect information. Use this information to help with your decision-making process about deploying and managing BitLocker systems. From 8b1c3c1b2431db480857cded47c6750928a62c5f Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 7 Oct 2022 15:30:52 +0530 Subject: [PATCH 13/16] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...r-shared-volumes-and-storage-area-networks-with-bitlocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index afa604d207..1507661978 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
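Review bot: this hunk keeps the opening "This topic for the IT professional explains ...", while the next patch in this series changes the sibling BitLocker article's opening from "This topic" to "This article"; for consistency across the set, suggest "This article explains how to plan a BitLocker deployment." (which also supplies the missing article before "BitLocker deployment").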
+++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -18,7 +18,7 @@ ms.custom: bitlocker **Applies to** - Windows Server 2016 -This topic describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker. +This article describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker. BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. The administrators use this extra layer of protection to increase the security to resources. Only certain user accounts provided access to unlock the BitLocker volume. From 81d0e59f9cfd257e38bab217a6371045c1e37a98 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 18 Oct 2022 15:05:20 -0600 Subject: [PATCH 14/16] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md Line 39: don''t > don't --- ...-shared-volumes-and-storage-area-networks-with-bitlocker.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 5e52289f83..ecd80d741d 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
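Review bot: the unchanged context sentence "Only certain user accounts provided access to unlock the BitLocker volume." is missing its verb; suggest "Only certain user accounts are given access to unlock the BitLocker volume." The preceding sentence, "The administrators use this extra layer of protection to increase the security to resources.", also reads awkwardly; "to restrict access to resources" matches what the sentence after it describes. Both sit in the context lines of a hunk that only swaps "topic" for "article", so they are cheap to fold in here.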
@@ -36,7 +36,7 @@ Instead, the volume can be a cluster-shared volume. Windows Server 2012 expanded - It must turn on BitLocker - Only after this task is done, the volumes can be added into the storage pool - It must put the resource into maintenance mode before BitLocker operations are completed. -Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. Volumes that lack drive letters don''t appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item. +Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. Volumes that lack drive letters don't appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item. > [!NOTE] > Mount points can be used to support remote mount points on SMB-based network shares. This type of share is not supported for BitLocker encryption. 
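Review bot: the "don''t" fix is right, but the same changed paragraph still says "Mount points are an NTFS object that is used to provide an entry point to other volumes", which pairs a plural subject with a singular complement; suggest "A mount point is an NTFS object that provides an entry point to another volume." The paragraph also refers to "the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources" without naming it; the article elsewhere lists an AD DS protector and an **ADAccountOrGroup** protector, so naming the protector here would tell readers exactly which protector the Control Panel item cannot add.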
@@ -202,4 +202,3 @@ Some other considerations to take into account for BitLocker on clustered storag - If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver automatically resumes conversion when the volume is online to the cluster. - If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) automatically resumes conversion when moving the volume back from maintenance. - If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver automatically resumes conversion when the volume is moved back from maintenance mode. - From 53344faa94016544a05f7cc46612cebc61b8c942 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 18 Oct 2022 15:18:35 -0600 Subject: [PATCH 15/16] Update windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md Line 36: Replace hyphen with emdash and add period. --- ...r-shared-volumes-and-storage-area-networks-with-bitlocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index ecd80d741d..a20558db31 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
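Review bot: this hunk only removes a trailing empty line, and since the diff shows no "\ No newline at end of file" marker the file still ends with a newline, so that is fine. On the context bullets: the four "If conversion is paused ..." items alternate between "the cluster thread (health check)" for CSV volumes and "the BitLocker driver" for physical disk resources; a one-line lead-in stating that CSV conversions are resumed by the cluster health check and physical disk resource conversions by the BitLocker driver would make that pattern explicit, and "online to the cluster" should read "online in the cluster" in both bullets that use it.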
@@ -33,7 +33,7 @@ Volumes within a cluster are managed with the help of BitLocker based on how the Instead, the volume can be a cluster-shared volume. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following tasks: -- It must turn on BitLocker - Only after this task is done, the volumes can be added into the storage pool +- It must turn on BitLocker—only after this task is done, can the volumes be added to the storage pool. - It must put the resource into maintenance mode before BitLocker operations are completed. Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. Volumes that lack drive letters don't appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item. From b6a2c50d732534ce2a634fb4d901b2bebf80ad97 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 18 Oct 2022 15:55:54 -0600 Subject: [PATCH 16/16] Apply suggestions from code review Lines 55-58: Separate lines in step items. --- ...-shared-volumes-and-storage-area-networks-with-bitlocker.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index a20558db31..8a767976cc 100644 
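Review bot: the rewritten bullet "It must turn on BitLocker—only after this task is done, can the volumes be added to the storage pool." has inverted word order after the comma; suggest "It must turn on BitLocker; only after this task is done can the volumes be added to the storage pool." The list's lead sentence, "The volumes that are designated for a cluster must do the following tasks:", also disagrees in number with the bullets' "It must"; either "Each volume designated for a cluster must ..." or rephrase the bullets as "BitLocker must be turned on for the volume" and "The resource must be put into maintenance mode before BitLocker operations are completed."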
--- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -53,8 +53,11 @@ You can also use an Active Directory Domain Services (AD DS) protector for prote 1. Clear key 2. Driver-based auto-unlock key 3. **ADAccountOrGroup** protector + a. Service context protector + b. User protector + 4. Registry-based auto-unlock key > [!NOTE]
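Review bot: the added sub-items "   a. Service context protector" and "   b. User protector" use "a."/"b." markers, which CommonMark does not treat as list markers; at three spaces of indent they become lazy continuation text of item 3 and render inline as "ADAccountOrGroup protector a. Service context protector b. User protector". Use a nested list with a recognised marker under item 3 (for example "   - Service context protector" and "   - User protector") so the sub-items render as a list, and check that the blank line added before "4. Registry-based auto-unlock key" does not turn the numbered list loose or restart numbering in the site's renderer.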