In this post I’ll be focusing on configuring BitLocker on CSVs where you will be hosting Hyper-V based workloads.

Just do a quick Google search: there are multiple online resources about configuring BitLocker on CSVs, but only one specific procedure has worked for me in this scenario without corrupting the VHDX files.

See here:

https://blogs.msdn.microsoft.com/clustering/2012/07/20/how-to-configure-bitlocker-encrypted-clustered-disks-in-windows-server-2012/

On my first few attempts at configuration I ended up like “Bill”, so be careful and run through the post checks listed in this document.


So carefully review the following documentation to enable BitLocker on your CSVs in Hyper-V cluster scenarios. If for any reason you encounter errors or find disk corruption in the post checks, suspend the cluster disk resource, disable BitLocker on the CSV (steps at the end of this document), format the disk, reboot all cluster nodes, then attempt the configuration once more.

Enable-Bitlocker:

*Completely wipe and format the disk in Disk Management (diskmgr), then execute the following steps:

Get-ClusterSharedVolume

*Suspend the resource so BitLocker can be enabled:

Get-ClusterSharedVolume "Name of CSV" | Suspend-ClusterResource

*Create a secure string and use it to password-protect the volume. Record this password in your organization's safe and secured location for cluster passwords. *NOTE: the password you create in the first line below MUST conform to your organization's password policies.

$SecureString = ConvertTo-SecureString "HotCrossBunz123!@#$%" -AsPlainText -Force

Enable-BitLocker "path to CSV" -PasswordProtector -Password $SecureString -UsedSpaceOnly:$true -Verbose

*Grant access to the Cluster Name Object:

$cno = (Get-Cluster).name + "$"

Add-BitLockerKeyProtector “path to CSV” -ADAccountOrGroupProtector -ADAccountOrGroup $cno

*Resume resource:

Get-ClusterSharedVolume "Name of CSV" | Resume-ClusterResource

*Enable the recovery password protector and back it up to Active Directory:

Enable-BitLocker "mount-point" -RecoveryPasswordProtector
$protectorId = (Get-BitLockerVolume "mount-point").KeyProtector | Where-Object {$_.KeyProtectorType -eq "RecoveryPassword"}
Backup-BitLockerKeyProtector "mount-point" -KeyProtectorId $protectorId.KeyProtectorId
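The steps above, collected into one script as an added example (this is not the original post's script and not Microsoft's). It assumes placeholder values for the CSV name and mount point, prompts for the password instead of embedding it in the script, and wraps the suspended-resource window in try/finally so the CSV is resumed even if a step fails. For the recovery password it uses Add-BitLockerKeyProtector, the same cmdlet the post uses for the CNO protector, because by that point the volume is already encrypted.

```powershell
# Added example: end-to-end BitLocker enablement on a CSV, following the post's step order.
# Placeholder values (assumptions): replace with the name shown by Get-ClusterSharedVolume
# and the mount point under C:\ClusterStorage in your cluster.
$CsvName    = "Cluster Disk 1"
$MountPoint = "C:\ClusterStorage\Volume1"

# Prompt for the password so it does not end up in a script file or shell history.
# It still has to be recorded in the organization's password store, as the post says.
$SecureString = Read-Host -Prompt "BitLocker password for $CsvName" -AsSecureString

# 1. Suspend the CSV resource so BitLocker can be enabled on the volume
Get-ClusterSharedVolume -Name $CsvName | Suspend-ClusterResource

try {
    # 2. Password protector, encrypting used space only (as in the post)
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $SecureString -UsedSpaceOnly -Verbose

    # 3. Cluster Name Object protector so every node can unlock the volume on failover
    $cno = (Get-Cluster).Name + "$"
    Add-BitLockerKeyProtector -MountPoint $MountPoint -ADAccountOrGroupProtector -ADAccountOrGroup $cno
}
finally {
    # 4. Resume the resource whether or not the steps above succeeded,
    #    so a failure does not leave the CSV suspended
    Get-ClusterSharedVolume -Name $CsvName | Resume-ClusterResource
}

# 5. Recovery password protector, backed up to AD DS
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector

$recoveryProtectors = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

# Back up every recovery password protector present, not just the first one found
foreach ($protector in $recoveryProtectors) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $protector.KeyProtectorId
    Write-Host "Recovery password (record this): $($protector.RecoveryPassword)"
}
```

Run it in an elevated PowerShell session on the node that currently owns the CSV. The final Write-Host prints the 48-digit numerical recovery password once so it can be recorded; after that the AD DS backup is the copy the organization relies on.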

After configuration of Bitlocker, you MUST create new VMs with VHDX on the volume(s) and perform some validations:

VM creation via VMM – [Pass / Fail]
Mount ISO on BitLocker-based volume – [Pass / Fail]
Boot VM – [Pass / Fail]
Force migration of CSV owner from node 1 to another node – [Pass / Fail]
Move VM storage from non-BitLocker to BitLocker CSV – [Pass / Fail]
VM quick and live migration – [Pass / Fail]
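The VM-level checks above are manual, but the volume and cluster state they depend on can be verified from PowerShell before you start creating VMs. The function below is an added example, not part of the original post: it reports whether the CSV resource is online and out of maintenance/redirected mode, whether BitLocker protection is on and the volume fully encrypted and unlocked, and whether all three protectors the post configures (password, CNO account, recovery password) are present. The CSV name and mount point parameters are placeholders for your environment.

```powershell
# Added example: post-configuration state checks for a BitLocker-protected CSV.
# Run on the node that owns the CSV, before the manual VM checks.
function Test-CsvBitLockerState {
    param(
        [Parameter(Mandatory)] [string] $CsvName,      # name shown by Get-ClusterSharedVolume
        [Parameter(Mandatory)] [string] $MountPoint    # e.g. C:\ClusterStorage\Volume1
    )

    $csv = Get-ClusterSharedVolume -Name $CsvName
    $blv = Get-BitLockerVolume -MountPoint $MountPoint

    # Key protector types as strings; -contains is case-insensitive in PowerShell
    $types = @($blv.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    # SharedVolumeInfo is a collection (one entry per partition), so filter rather than
    # reading a property off the collection directly
    $inMaintenance = @($csv.SharedVolumeInfo | Where-Object { $_.MaintenanceMode }).Count
    $redirected    = @($csv.SharedVolumeInfo | Where-Object { $_.RedirectedAccess }).Count

    $results = [ordered]@{
        'CSV resource Online'                 = ($csv.State -eq 'Online')
        'CSV not in maintenance mode'         = ($inMaintenance -eq 0)
        'CSV not in redirected access'        = ($redirected -eq 0)
        'BitLocker protection On'             = ($blv.ProtectionStatus -eq 'On')
        'Volume fully encrypted'              = ($blv.VolumeStatus -eq 'FullyEncrypted')
        'Volume unlocked'                     = ($blv.LockStatus -eq 'Unlocked')
        'Password protector present'          = ($types -contains 'Password')
        'CNO (AD account) protector present'  = ($types -contains 'AdAccountOrGroup')
        'Recovery password protector present' = ($types -contains 'RecoveryPassword')
    }

    foreach ($check in $results.Keys) {
        $verdict = if ($results[$check]) { 'Pass' } else { 'Fail' }
        Write-Host ("{0,-40} [{1}]" -f $check, $verdict)
    }

    # Return the table so callers can act on individual results
    return $results
}

# Placeholder values (assumptions) for a stand-alone run
$state = Test-CsvBitLockerState -CsvName "Cluster Disk 1" -MountPoint "C:\ClusterStorage\Volume1"
if ($state.Values -contains $false) {
    Write-Warning "One or more checks failed; do not place VMs on this volume yet."
}
```

A Fail on the protection, encryption or protector rows means the enablement steps did not complete; a Fail on the maintenance or redirected rows usually means the Resume-ClusterResource step was skipped. Re-run the check on a second node after forcing a CSV owner move, which is the scripted counterpart of the "force migration of CSV owner" item above.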

*DO NOT FORGET TO DOCUMENT ALL PASSWORDS in a safe and secure place for your organization, especially the numerical recovery password!

Disable-Bitlocker:

*Ensure BitLocker is enabled on target volume:

Get-BitLockerVolume

*If so, run Disable-BitLocker on the mount point and then clear the key protector with this:

Disable-BitLocker "mount-point"

$BLV = Get-BitLockerVolume -MountPoint "path to CSV"

Remove-BitLockerKeyProtector -MountPoint "path to CSV" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId

*Completely wipe and format disk in diskmgr, then it is ready to use again.
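The disable procedure as one script, an added example rather than the post's own code. It follows the order the post gives in the introduction (suspend the cluster disk resource, disable BitLocker, then format), waits for decryption to finish before continuing, and removes any key protector that is still present afterwards, checking first so it does not fail on an empty protector list. The CSV name and mount point are placeholders.

```powershell
# Added example: take BitLocker off a CSV before wiping and reformatting the disk.
# Placeholder values (assumptions) for your environment
$CsvName    = "Cluster Disk 1"
$MountPoint = "C:\ClusterStorage\Volume1"

# Confirm the volume is actually BitLocker-enabled before doing anything
$blv = Get-BitLockerVolume -MountPoint $MountPoint
if ($blv.ProtectionStatus -ne 'On' -and $blv.VolumeStatus -eq 'FullyDecrypted') {
    Write-Host "BitLocker is not enabled on $MountPoint; nothing to do."
    return
}

# Suspend the CSV resource for the duration of the change
Get-ClusterSharedVolume -Name $CsvName | Suspend-ClusterResource

try {
    # Begin decryption
    Disable-BitLocker -MountPoint $MountPoint

    # Wait until decryption has fully completed; formatting a partially
    # decrypted volume is not the state the post's next step expects
    do {
        Start-Sleep -Seconds 30
        $blv = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ("Decrypting... {0}% remaining encrypted" -f $blv.EncryptionPercentage)
    } while ($blv.VolumeStatus -ne 'FullyDecrypted')

    # Remove any protectors that remain after decryption (the post clears the first one;
    # this loop clears all of them and skips cleanly when the list is already empty)
    foreach ($protector in @($blv.KeyProtector)) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $protector.KeyProtectorId
    }
}
finally {
    # Bring the resource back regardless of outcome
    Get-ClusterSharedVolume -Name $CsvName | Resume-ClusterResource
}

# Final state check before the manual wipe/format in Disk Management
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, @{n='Protectors'; e={ @($_.KeyProtector).Count }}
```

The closing Select-Object should show VolumeStatus FullyDecrypted, ProtectionStatus Off and a Protectors count of 0; only then wipe and format the disk as the post describes.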