Bitlocker Network Unlock doesn't work anymore

  • Question

  • Hi there, we are experiencing some problems with our Bitlocker Network Unlock for all our clients: we need to enter the PIN after turning on the computers. We have the following infrastructure (all of the servers below are virtual machines - Windows Server 2012R2):

    • 2 Domain controllers (one with Bitlocker Infrastructure Encryption feature installed) 
    • 1 Bitlocker server (Bitlocker Drive Encryption and Bitlocker Network Unlocked feature installed + WDS)
    • 6 UniFi switches (PoE)

    What did we do before the problem started?

    1. We updated the firmware of all the UniFi switches to version 4.0.54.10625. It's possible that the firmware update caused the problem. We see that there is an option to downgrade the firmware to the older version, but we want to make sure that it's related to the firmware.

    2. One domain controller was broken, gave a blue screen after a reboot. DHCP, Active Directory and replication to the 2nd DC was stuck. We don't know what the blue screen caused yet. It gives a lot of disk errors like: 'Filter Manager failed to attach to volume "\Device\HarddiskVolume700"' and most of the problems are solved, except the disk errors in Event Viewer. However, the Active Directory, DHCP etc. are running as far as we can see.

    3. We installed Windows Updates on the DC01 and the Bitlocker server.

    What did we check after the problem started?

    1. We repaired the domain controller and the replication to the 2nd domain controller.
    2. We checked the Bitlocker certificate to see if it's valid and it is, but we see the following information in command prompt (blurred the key information for privacy reasons):

    -Certutil -verifystore FVENKP command:
    ERROR: missing key association property: CERT-KEY_IDENTIFIER_PROP_ID
    Encryption test passed
    Verifies against untrusted root


    We checked the eventlogs of the WDS and see the following information:
    [WDSSERVER/WDSPXE/NKPPROV] Could not find the configuration file section corresponding to the specified certificate thumbprint. No subnet restrictions will apply to this certificate. Certificate thumbprint =...... HRESULT = 0x80070002.

    We checked the following eventlog on the client side (Error: Bitlocker-Driver / EventID 24682 / EventID 24684):
    "BOOTMGR FAILED TO OBTAIN THE BITLOCKER VOLUME MASTER KEY FROM THE NETWORK KEY PROTECTOR: FAILED TO GET IP ADDRESS"

    5. We de-installed all the recent Windows Updates to make sure it's not related.
    6. The UEFI stack is enabled on all the devices, didn't change anything, also no BIOS updates.
    7. We checked if the Bitlocker group policy applies to the systems, and it does.
    8. We checked the key protectors with the command 'manage-bde -protectors C: -get' on the client side. It shows all key protectors and the certificate thumbprint.


    I hope somebody can help us.

    Friday, August 23, 2019 1:13 PM

All replies