BitLocker Network Unlock/WDS server not responding to requests

  • Question

  • For some reason my BitLocker Network Unlock server is not responding to client unlock requests. The DHCP servers are on the domain controllers; the WDS/BitLocker server is its own VM. I have tried multiple certificates from the internal CA and self-signed; they get propagated down to the clients and are set up correctly on the WDS server, but I can't get any client to unlock. The clients report event ID 24684 "Bootmgr failed to obtain the BitLocker volume master key from the network key protector: failed to send request" and 24645 "Bootmgr failed to obtain the BitLocker volume master key from the network key protector". I can see through Wireshark that the client sends a request to DHCP and to the WDS server, which the server receives but never responds to. The client request is IPv6, which I can see on the WDS server; after the IPv6 request goes unanswered the client sends out an IPv4 request, which the server does not receive. Any ideas?
    Tuesday, September 17, 2019 5:42 PM

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    According to your description, it seems that BitLocker Network Unlock has not been configured successfully.

    Or BitLocker Network Unlock has been configured successfully, but the client computers, the Windows Deployment Services server or the domain controllers do not meet the software or hardware requirements for BitLocker Network Unlock.

    For example:

    1. Network Unlock is a relatively new BitLocker protector (added in Windows 8) that can be used to unlock computers after a reboot without needing to enter the BitLocker PIN.

    2. For Network Unlock to work you need to meet the prerequisites mentioned below, including having a DHCP server, a WDS server, UEFI- and TPM-capable clients, and a special certificate deployed by GPO. Network Unlock uses the MS-NKPU protocol encapsulated in DHCP packets.

    3. Clients have to be Windows 8 or above with support for UEFI spec 2.3.1. Clients also have to have the TPM enabled, activated and with ownership taken by the system. The NKPU protocol (which is used by BitLocker Network Unlock) can work with both wired and wireless networks; however, there are not many platforms supporting PXE/DHCP over wireless in the pre-boot environment. As per the protocol specification, from the BitLocker perspective Microsoft does not support Network Unlock over Wi-Fi so far.

    We can check whether the setup meets the prerequisites according to the articles below,
    and then check whether it was configured successfully.

    References:
    BitLocker: Network Unlock
    https://blogs.technet.microsoft.com/dubaisec/2016/04/14/bitlocker-network-unlock/

    BitLocker: How to enable Network Unlock
    https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, September 18, 2019 6:03 AM
    Moderator
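As an added example (not from the thread, Microsoft's documentation or the Network Unlock feature itself), the following PowerShell turns the prerequisites in the reply above into checks that can be run on a client and on the WDS/Network Unlock server. Two items are assumptions and are marked as such in the code: that the policy-delivered public certificate lands in the registry-backed FVE_NKP policy store, and that the 24684/24645 boot events are written to the System log.

```powershell
# Added example, not from the original thread: prerequisite checks for
# BitLocker Network Unlock. Run in an elevated PowerShell session.
# Items marked "assumed" are assumptions, not taken from the thread.

function Test-NkpClient {
    # Client-side checks: UEFI firmware, TPM state, the network key
    # protector on the OS volume, the policy-delivered public certificate,
    # and the boot-time failures Bootmgr logged after the last reboot.
    param([string]$MountPoint = 'C:')

    $r = [ordered]@{}

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware, so a
    # successful call (whatever it returns) is enough to prove UEFI.
    try   { $null = Confirm-SecureBootUEFI; $r.Uefi = $true }
    catch { $r.Uefi = $false }

    # The TPM must be present, enabled, activated and owned by the OS.
    $tpm = Get-Tpm
    $r.TpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmEnabled -and
                         $tpm.TpmActivated -and $tpm.TpmOwned)

    # Network Unlock needs a TpmNetworkKey protector; a TPM-only or
    # TPM+PIN protector never sends an NKPU request at boot.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $r.ProtectionOn = ($vol.ProtectionStatus -eq 'On')
    $nkp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmNetworkKey'
    $r.NetworkKeyProtector = [bool]$nkp

    # The public certificate arrives via the "BitLocker Drive Encryption
    # Network Unlock Certificate" policy. Assumed location: the
    # registry-backed FVE_NKP policy store, one subkey per thumbprint.
    $policyStore = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\FVE_NKP\Certificates'
    $r.PolicyCertThumbprints = if (Test-Path $policyStore) {
        (Get-ChildItem $policyStore).PSChildName
    } else { @() }

    # Bootmgr reports the unlock attempt after the reboot; the 24684/24645
    # events quoted in the thread are assumed to land in the System log.
    $filter = @{ LogName = 'System'; Id = 24684, 24645 }
    $r.RecentBootFailures = Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message

    [pscustomobject]$r
}

function Test-NkpServer {
    # Server-side checks on the WDS / Network Unlock VM: role and feature
    # installed, WDS service running, a certificate with its private key in
    # the FVE_NKP machine store, and the PXE provider list WDS reports.
    $r = [ordered]@{}

    $r.WdsInstalled        = (Get-WindowsFeature -Name WDS-Deployment).Installed
    $r.NkpFeatureInstalled = (Get-WindowsFeature -Name BitLocker-NetworkUnlock).Installed
    $r.WdsServiceRunning   = ((Get-Service -Name WDSServer).Status -eq 'Running')

    # The server decrypts the client's request with this private key, so
    # the key must be present in this store, not only on the CA.
    $certs = @(Get-ChildItem Cert:\LocalMachine\FVE_NKP -ErrorAction SilentlyContinue)
    $r.NkpCertThumbprints = $certs.Thumbprint
    $r.NkpCertWithPrivKey = [bool]($certs | Where-Object HasPrivateKey)

    # wdsutil prints the registered PXE providers; the Network Unlock
    # provider has to be among them for WDS to answer NKPU requests.
    $r.PxeProviderLines = & wdsutil.exe /Get-Server /Show:Config |
        Select-String -Pattern 'Provider' | ForEach-Object { $_.Line.Trim() }

    [pscustomobject]$r
}

# Usage: run Test-NkpClient on a client and Test-NkpServer on the WDS VM.
Test-NkpClient | Format-List
Test-NkpServer | Format-List
```

The thumbprint lists are the check the thread's poster describes doing by hand: a thumbprint in PolicyCertThumbprints on the client must appear in NkpCertThumbprints on the server, and that server entry must be the one reported with a private key; a public-only certificate on the server passes every other check and still leaves the request unanswered.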
  • Yes, all the prerequisites are met. The clients are Windows 10 Pro 1903; they have a UEFI BIOS with the network stack enabled in the BIOS. I followed Microsoft's instructions for setting up BitLocker Network Unlock. The certificates are being passed down to the clients via Group Policy and verified. And in the packet trace I can see the clients are passing the public certificate's thumbprint with the request to the WDS server via the DHCP server. The only issue I can find is that after the WDS server receives the unlock request it does not appear to respond to the clients.
    Wednesday, September 18, 2019 10:06 AM
  • Hi,
    We can check Event Viewer on this client to see whether there is any detailed error message.

    Best Regards,
    Daisy Zhou

    Friday, September 20, 2019 9:31 AM
    Moderator
  • Hi,
    Is there any update on this question, or is the issue solved? Also, is there any other assistance we could provide with this question?

    Best Regards,
    Daisy Zhou

    Monday, September 23, 2019 10:13 AM
    Moderator
  • The errors I am seeing are:

    [WDSServer/WDSPXE/WDSDCPXE] [base\eco\wds\wdssrv\pxeprov\binlprovider.cpp:462] Expression: , Win32 Error=0xd

    [WDSServer/WDSPXE/WDSDCPXE] [base\eco\wds\wdssrv\pxeprov\pxeprovider.cpp:328] Expression: , Win32 Error=0xd

    [WDSServer/WDSPXE/WDSDCPXE] [base\eco\wds\wdssrv\pxeprov\pxeprovider.cpp:328] Expression: , Win32 Error=0xd

    Event 32771
    Monday, September 23, 2019 9:02 PM