<div>
The simple answer is NO as there is no virtual TPM yet and the virtualization of the host and the virtual machines has no practical advantages.<br />
<br />
Source: <a href="http://www.v-front.de/2014/08/do-you-need-disk-encryption-for-hosted.html" rel="ugc">http://www.v-front.de/2014/08/do-you-need-disk-encryption-for-hosted.html</a>
</div>


<div>
I'm not wanting to encrypt the guests, just the physical hosts and their physical drives.<br />
<br />
JamesNT
</div>


<div>
You cannot use bitlocker on the hosts. it must be enabled on the CSVs directly as that's where the data is.<br />
Doing this on existing CSVs can take some time as the entire disk needs to be encrypted offline. Puts a fair load on the SAN so plan for a slow system during the work.<br />
<br />
<a href="https://technet.microsoft.com/en-GB/library/dn383585.aspx" rel="ugc">https://technet.microsoft.com/en-GB/library/dn383585.aspx</a>
</div>


<div>
We actually got this to work by placing the domain controllers on an unencrypted CSV and then by encrypting the host volumes and the other CSVs that contain data. &nbsp;The VM's in the encrypted CSVs were set with a 60 delay for boot.<br />
<br />
Note: &nbsp;When I say host volumes I mean the C:\ drives of the host, not the CSVs. &nbsp;From what I see, the TPM unlocks the c: drives then the HYPVER cluster account can unlock the CSV's once the domain controllers come up.<br />
<br />
This survived a reboot and a mock unplanned outage (system is yet to be deployed).<br />
<br />
One of our requirements is that the system come up safely without someone having to type in a bunch of codes or have a USB stick ready.<br />
<br />
Am I just getting lucky or is this the way it can be done?<br />
<br />
JamesNT
</div>


<div>
That doesn't do anything. The CSVs are mount-points on the C drives, not part of the C drive.<br />
You may have successfully encrypted the Hyper-V hosts local drives but that achieves nothing as no data is on them. There is absolutely no advantage in using bitlocker on the hosts as you are encrypting nothing more than a base Windows installation. <br />
<br />
Concentrate on the CSVs. that's all you need to encrypt/protect.
</div>


<div>
Steve,<br />
<br />
This is starting to make sense so bear with me a bit longer, please.<br />
<br />
You are quite correct there is no data on the host C drives. &nbsp;However, to decrypt the CSV's, doesn't the host drive have to decrypt first so the user will not be prompted for an unlock key or USB stick? &nbsp;Or is that only for other fixed drives like a D drive or something?<br />
<br />
JamesNT
</div>


<div>
Nope. The CSV encryption is at a cluster level and is controlled on an AD authentication basis. no passwords or USB keys are required as its all handled as part of the cluster service. You do not use bitlocker on the 'host' as such, but on the 'cluster'<br />
<br />
This is all managed by powershell on (or connected to) one of the hyper-V nodes (cluster service)<br />
<br />
Have a look a this for some extra info.<br />
<br />
<a href="https://technet.microsoft.com/en-GB/library/dn383585.aspx" rel="ugc">https://technet.microsoft.com/en-GB/library/dn383585.aspx</a>
</div>


<div>
Gotcha. &nbsp;This is where the ADAccountOrGroup setting/protector comes into play. &nbsp;So, this tells me we are going to have to put the Domain Controllers on an un-encrypted CSV by themselves. &nbsp;Otherwise, the HYPERV account will not be able to get to them since it has to unlock their CSV first but can't since it won't be able to reach them. &nbsp;Classic FULL STOP situation.<br />
<br />
JamesNT
</div>


<div>
Steve,<br />
<br />
If you find my last comment acceptable and does not require any further correction, I'll close this question.<br />
<br />
JamesNT
</div>


<div>
Thank you very much for all of your time and assistance.<br />
<br />
JamesNT
</div>


<div>
<div class="content wysiwyg-content">
We have a Dell VRTX with two blade servers and shared storage.<br />
<br />
All physical hosts and all virtual machines are Windows Server 2012 R2. <br />
<br />
The Hyper-V guests are all in a Hyper-V cluster already. &nbsp;We have the quorum, and three CSV's on the VRTX shared storage.<br />
<br />
We would like to enable bitlocker for the hosts to encrypt both their OS drives and the CSV drives. &nbsp;The CSV's do NOT have drive letters assigned to them and are mounted under c:\clustersharedstorage for both hosts.<br />
<br />
The domain controllers are also guests on the VRTX. &nbsp;We do not have a separate domain controller outside the VRTX.<br />
<br />
Can we enable bitlocker on the hosts to be TPM only and save to Active Directory? &nbsp;What would be the best way?<br />
<br />
JamesNT
</div>
</div>


We have a Dell VRTX with two blade servers and shared storage.

All physical hosts and all virtual machines are Windows Server 2012 R2. 

The Hyper-V guests are all in a Hyper-V cluster already.  We have the quorum, and three CSV's on the VRTX shared storage.

We would like to enable bitlocker for the hosts to encrypt both their OS drives and the CSV drives.  The CSV's do NOT have drive letters assigned to them and are mounted under c:\clustersharedstorage for both hosts.

The domain controllers are also guests on the VRTX.  We do not have a separate domain controller outside the VRTX.

Can we enable bitlocker on the hosts to be TPM only and save to Active Directory?  What would be the best way?

JamesNT

Configuring Bitlocker

Hyper-V is a native hypervisor; it can create virtual machines on x86-64 systems and supersedes Windows Virtual PC as the hardware virtualization component of the client editions of Windows NT. A server computer running Hyper-V can be configured to expose individual virtual machines to one or more networks. Hyper-V Server supports remote access via Remote Desktop Connection. Administration and configuration of the host OS and the guest virtual machines is generally done over the network.

Hyper-V

Windows Server 2012 is the server version of Windows 8 and the successor to Windows Server 2008 R2. Windows Server 2012 is the first version of Windows Server to have no support for Itanium-based computers since Windows NT 4.0. Windows Server 2012, now in its second release (Windows Server 2012 Release 2) includes Foundation, Essentials, Standard and Datacenter, and does not support IA-32 or IA-64 processors.

Windows Server 2012

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Active Directory

Since 1984, Dell has been delivering technology to fit your life.
Dell is in Enterprise, Home Office and Consumer sectors of the market, supplying a broad range of customizable desktops, laptops, notebooks, servers, storage, and network devices.