BitLocker Network Unlock on Dell Desktops with Windows 10 and TPM 1.2

  • Question

  • Aloha all...

    Has anyone managed to get Bitlocker Network Unlock to work for them? I've been fighting with this turkey for days. 

    I've managed to get everything in place (I think). But I'm getting "Bootmgr failed to obtain the BitLocker volume master key from the network key protector." This is "BitLocker-Driver" Event ID 24645.

    The private and public keys are in place. The GPO is being delivered successfully. I've confirmed this both with GPResult, and by putting my eyeballs on the public key listed in the registry of the computer.

    My test computer is a Dell Optiplex 7010, with the latest firmware (21). 

    What I *think* is happening is that the UEFI is failing to get an IP address from the DHCP server. As a result, it fails to get a master key from the WDS system (separate from the DHCP server).

    The computer, DHCP, and WDS systems... are all on the same VLAN. So there shouldn't be any "I can't find it!" problems in regards to crossing subnets.

    However, when I turn the computer off, clear the current leased IP from the DHCP server for this computer, and turn it back on again... I get 'stuck' on the BitLocker PIN screen, because it fails to get a network key. 

    My assumption is that, by the time I see that screen, UEFI should have attempted to get an IP. And, I should see that IP lease on the DHCP server. But, nothing appears. At least, not until I provide a PIN, and Win10 boots up.

    Any pointers in the right direction would certainly help.

    Many mahalos!

    RLR

    Friday, April 29, 2016 2:03 AM
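    Added example for readers of this thread (it is not from any of the posts above and not Microsoft's own tooling): a PowerShell check script that gathers, on the client, the pieces the post above says were verified by hand: firmware type, the GPO-delivered public certificate in the registry, the key protectors on the OS volume, and any recent BitLocker-Driver event 24645. It assumes the OS volume is C:, that the Network Unlock policy certificate lands under the FVE_NKP policy key, and that the Network Unlock protector can be recognised by a plain string match in manage-bde output.

```powershell
# Client-side prerequisite check for BitLocker Network Unlock.
# Added example, not code from the thread or from Microsoft. Run elevated on the client.
# Assumptions: OS volume is C:; the policy certificate is stored under the FVE_NKP
# policy key; the protector listing from manage-bde can be string-matched.
$ErrorActionPreference = 'Stop'

function Test-NetworkUnlockClient {
    param([string]$OsVolume = 'C:')
    $result = [ordered]@{}

    # 1. Network Unlock needs UEFI firmware with a DHCP-capable network stack.
    #    Windows sets FIRMWARE_TYPE to 'UEFI' or 'Legacy' (Windows 8 and later).
    $result.FirmwareType = $env:firmware_type

    # 2. The public certificate pushed by the Network Unlock GPO. Path is an assumption
    #    taken from the TechNet "How to enable Network Unlock" article.
    $certKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\FVE_NKP\Certificates'
    $result.PolicyCertPresent = (Test-Path $certKey) -and ((Get-ChildItem $certKey).Count -gt 0)
    if ($result.PolicyCertPresent) {
        # The subkey names are the certificate thumbprints; list them for eyeballing.
        $result.PolicyCertThumbprints = (Get-ChildItem $certKey).PSChildName -join ', '
    }

    # 3. Protectors on the OS volume. Network Unlock sits on top of a TPM+PIN protector.
    $protectors = (& manage-bde -protectors -get $OsVolume 2>&1) | Out-String
    $result.HasTpmAndPin     = [bool]($protectors -match 'TPM And PIN')
    $result.HasNetworkUnlock = [bool]($protectors -match 'Network')   # string match is an assumption

    # 4. Bootmgr records event 24645 (BitLocker-Driver, System log) when the network
    #    key protector fails to return the volume master key, as quoted in the post.
    $events = @(Get-WinEvent -FilterHashtable @{
                    LogName      = 'System'
                    ProviderName = 'Microsoft-Windows-BitLocker-Driver'
                    Id           = 24645
                } -MaxEvents 5 -ErrorAction SilentlyContinue)
    $result.Event24645Count = $events.Count
    if ($events.Count -gt 0) {
        $result.LastEvent24645 = $events[0].TimeCreated
    }

    [pscustomobject]$result
}

Test-NetworkUnlockClient | Format-List
```

    A Legacy firmware type, a missing policy certificate, or no TPM+PIN protector each rule out Network Unlock before the DHCP and WDS side is worth looking at; a growing Event24645Count with everything else present points at the boot-time network exchange, which is what the rest of the thread investigates.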

All replies

  • Hi RRhodes2AtWHC,

    Here is a link for reference of network unlock.
    BitLocker: How to enable Network Unlock
    https://technet.microsoft.com/en-sg/library/jj574173.aspx

    "What I *think* is happening, is that the UEFI is failing to get an IP address from the DHCP server"
    Is the machine installed from the WDS?
    According to my research, it seems that there is something wrong with the specific machine model's PXE.
    Here is the link for reference:
    OptiPlex 7010 & 9020 All-in-One (AIO) unable to PXE boot in UEFI mode
    http://www.dell.com/support/article/us/en/04/SLN296756/en

    If it is possible, we could try to install the machine from WDS to verify the PXE boot could work well.

    To troubleshoot whether the issue only occurs with this specific machine model, we could try to test with another model if possible.

    NOTE: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites.

    Best regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.


    Monday, May 2, 2016 3:47 AM
    Moderator
  • Aloha...

    I used "How to enable Network Unlock" as the blueprint to set everything up.

    I'd read that article the other day about the 7010, but failed to test further... 

    So I tried testing PXE today by deliberately choosing a PXE boot option (choosing "F12" while the Dell is booting up).

    PXE failed to boot to any O/S (not surprisingly)... but I do see, on the DHCP server, that the system was given an IP during the boot process.

    So my theory that it is failing to get an IP during boot is in error. 

    Perhaps my problem sits with WDS. I've set it up (on our domain's cert server). Should it be installed on a server by itself?

    How does a booting system know to go to WDS to get the network unlock certificate? Does the DHCP scope need to have Options 66 and 67 filled in with information?

    Much mahalos!

    RLR


    Tuesday, May 3, 2016 2:24 AM
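    Added example for the server-side questions in the post above (not code from the thread or from Microsoft): a PowerShell check run on the WDS box that confirms the WDS role and the BitLocker Network Unlock feature are installed, the WDS service is running, a Network Unlock certificate with a private key is in the FVE_NKP store, and shows the DHCP scope options 60/66/67 the post asks about, plus the most recent WDS diagnostic events. The DHCP server name, scope ID and the use of the WDS Operational log for Network Unlock traffic are assumptions.

```powershell
# Server-side prerequisite check for BitLocker Network Unlock.
# Added example, not code from the thread or from Microsoft. Run elevated on the
# WDS server; the DhcpServer module must be available (RSAT-DHCP) to query the scope.
# Assumptions: DHCP server name and scope ID below are placeholders; the WDS
# Operational log is where the Network Unlock provider reports activity.
$ErrorActionPreference = 'Stop'

function Test-NetworkUnlockServer {
    param(
        [string]$DhcpServer = 'dhcp.example.local',   # placeholder, replace with yours
        [string]$ScopeId    = '192.168.10.0'          # placeholder, the clients' scope
    )
    $result = [ordered]@{}

    # 1. Network Unlock is the WDS role plus the BitLocker-NetworkUnlock feature.
    foreach ($f in Get-WindowsFeature -Name WDS, BitLocker-NetworkUnlock) {
        $result[$f.Name] = $f.Installed
    }

    # 2. The WDS service must be running to answer the client's boot-time request.
    $result.WdsServerRunning = (Get-Service -Name WDSServer).Status -eq 'Running'

    # 3. The server-side certificate lives in the FVE_NKP machine store
    #    (imported with: certutil -f -p <pwd> -importpfx FVE_NKP <file>.pfx).
    $certs = @(Get-ChildItem Cert:\LocalMachine\FVE_NKP -ErrorAction SilentlyContinue |
               Where-Object { $_.HasPrivateKey })
    $result.ServerCertWithKey = ($certs | Select-Object -ExpandProperty Thumbprint) -join ', '

    # 4. PXE-related scope options (60 = PXEClient, 66 = boot server, 67 = boot file).
    Import-Module DhcpServer
    $result.ScopeOptions = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -ErrorAction SilentlyContinue |
        Where-Object { $_.OptionId -in 60, 66, 67 } |
        ForEach-Object { '{0}={1}' -f $_.OptionId, ($_.Value -join ';') }

    # 5. Most recent WDS diagnostic events, to see whether the client's request arrived.
    $result.RecentWdsEvents = Get-WinEvent -LogName 'Microsoft-Windows-Deployment-Services-Diagnostics/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName

    [pscustomobject]$result
}

Test-NetworkUnlockServer | Format-List
```

    An empty ServerCertWithKey means the PFX (not just the public .cer) was never imported on the WDS side, which would leave the client with a valid public key in the registry but no server able to answer it; an empty RecentWdsEvents while the client is stuck at the PIN prompt suggests the boot-time request is not reaching WDS at all.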
  • Hi RRhodes2AtWHC,

    "PXE failed to boot to any O/S (not surprisingly)... "
    Did the issue only occur with the specific machine model?

    Here is a link for reference of troubleshooting WDS.
    Troubleshooting Windows Deployment Services
    https://technet.microsoft.com/en-us/library/cc771269%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    For the WDS issue, we could try to ask for help from our server forum.

    Server Forum
    https://social.technet.microsoft.com/Forums/windowsserver/en-us/home?category=windowsserver

    Best regards


    Tuesday, May 3, 2016 7:28 AM
    Moderator
  • I'm still working on this... another project has me tied up, but yes... it looks as though the problem is that I'm unable to receive a PXE boot on the 7010... even though I can confirm that the UEFI PXE boot does get an IP from the DHCP server.

    My next steps will be to confirm that WDS is correctly set up, and can provide a PXE environment, on either BIOS or UEFI PXE boots. Once I can confirm that, I can then move into the "whys" of Network Unlock failures. 

    RLR

    Monday, May 9, 2016 11:28 PM
  • I got WDS, installed a boot and install image, and was able to successfully do a Legacy PXE boot to receive the boot/install of Windows 7 Pro.

    However, I've been unable to recreate the same scenario using UEFI PXE boot, even with the newest Dell Optiplex 9020 that we own (only a couple of months old).

    The 9020 has the UEFI Network Stack that, as I understand it, is required for UEFI PXE boots... so I'm now trying to figure out what is missing in this configuration. 

    Unfortunately, if that network stack is required, then it looks as though, unless Dell releases updated BIOS configurations, all other previous Dell systems we have will be unable to utilize UEFI PXE. And since that seems to be a requirement for BL Network Unlock to function, I don't know that anything can be done for them. Very disappointed right now. 

    RLR


    Wednesday, May 11, 2016 8:00 PM