Bitlocker Network Unlock Only Working w/ IPv6 not IPv4 ?

  • Question

  • Hey, o/

    I'm running Windows Server 2016 in VirtualBox. The server is running the AD, DNS and WDS services and I have BitLocker Network Unlock configured. It works ok via link-local auto-configured IPv6, but for some reason it doesn't work when I disable IPv6 on the server and force the client to use IPv4.

    Everything seems to look ok, yet via IPv4 the client fails to unlock the OS drive and boot; I get the BitLocker blue screen prompting me to enter the PIN manually.

    I went through the WDS logs on the server, activated debug logging, and with IPv6 it logs some errors (I don't know what those mean) and then logs info about getting keys and sending them back to the client in the next step.

    IPv4 logs zero errors and also logs info about getting the NKP from the client and sending it back to the client properly, yet it fails to unlock.

    I used Wireshark to log what's going on on the server side, and even in Wireshark it looks like everything is working correctly; I'm kind of stuck at this point. Any help, ideas or tips would be amazing. Thank you.

    I also tried putting a hub right before the test client PC, connecting a notebook to it and checking whether the last unlock packet from the server actually gets to the client and isn't dropped somewhere on the way. It does arrive fine and I can sniff it with Wireshark.

    One thing to note is that the DHCPv4 service is running on a separate Linux server and IPs are being distributed based on MAC addresses, but that shouldn't be a problem in this case. (The manual for BitLocker Network Unlock says that DHCP has to be on a different server anyway.)

    IPv6 Wireshark log, which unlocks the client PC correctly.

    fe80::5c29:1256:285c:7ba being the Windows Server 2016 on VirtualBox

    fe80::ec4:7aff:fec9:bb42 being the client; the highlighted message is the last packet, which contains the final intermediate key that combines with the key from the TPM, unlocks the OS volume and allows the network boot.


    WDS debug log :

    [WDSServer] [NetMon] Interfaces Changed.

    [WDSServer] Interfaces visible to WDS Server:

    [WDSServer]   Interface: fe80::5c29:1256:285c:7ba

    [WDSServer]   Interface: 192.168.200.40

    [WDSServer]   Interface: ::1

    [WDSServer/WDSPXE] [onecore\base\eco\wds\wdslib\dhcplib\dhcpv6options.cpp:1587] Expression: , Win32 Error=0x2

    [WDSServer/WDSPXE] [base\eco\wds\wdssrv\wdspxe\src\pxeapi.cpp:1691] Expression: , Win32 Error=0x2

    [WDSServer/WDSPXE] [onecore\base\eco\wds\wdslib\dhcplib\dhcpv6options.cpp:1587] Expression: , Win32 Error=0x2

    [WDSServer/WDSPXE] [base\eco\wds\wdssrv\wdspxe\src\pxeapi.cpp:1691] Expression: , Win32 Error=0x2

    [WDSServer/WDSPXE] [onecore\base\eco\wds\wdslib\dhcplib\dhcpv6options.cpp:1587] Expression: , Win32 Error=0x2

    [WDSServer/WDSPXE] [base\eco\wds\wdssrv\wdspxe\src\pxeapi.cpp:1691] Expression: , Win32 Error=0x2

    [WDSServer/WDSPXE] [onecore\base\eco\wds\wdslib\dhcplib\dhcpv6options.cpp:1587] Expression: , Win32 Error=0x2

    [WDSServer/WDSPXE] [base\eco\wds\wdssrv\wdspxe\src\pxeapi.cpp:1691] Expression: , Win32 Error=0x2

    [WDSServer/WDSPXE] [onecore\base\eco\wds\wdslib\dhcplib\dhcpv6options.cpp:1587] Expression: , Win32 Error=0x2

    [WDSServer/WDSPXE] [base\eco\wds\wdssrv\wdspxe\src\pxeapi.cpp:1691] Expression: , Win32 Error=0x2

    [WDSServer/WDSPXE/NKPPROV] Received NKP IPv6 request. Remote address: fe80:0:0:0:ec4:7aff:fec9:bb42, Port: 546, Packet length: 351.

    [WDSServer/WDSPXE/NKPPROV] NKP request processing succeeded. Remote address: fe80:0:0:0:ec4:7aff:fec9:bb42, Link address: 0:0:0:0:0:0:0:0, Port: 546, Reply packet length: 135.

    IPv4 Wireshark log, which looks to me like it's ok, but the client just won't unlock and the PC asks me for the PIN to unlock the OS volume.

    192.168.200.40 - server

    192.168.200.112 - client


    WDS debug log :

    [WDSServer/WDSPXE/NKPPROV] Received NKP IPv4 request. Remote address: 192.168.200.112:68, Packet length: 630.

    [WDSServer/WDSPXE/NKPPROV] NKP request processing succeeded. Remote address: 192.168.200.112:68, Reply packet length: 316.

    Saturday, April 18, 2020 7:56 AM

All replies

  • Saturday, April 18, 2020 3:45 PM
  • Hi Marcin,

    No, I just disabled IPv6 in the adapter properties in the Network Connections window. But IPv4 seems to work fine, as can be seen in the second Wireshark picture and the WDS logs: the Boot Request comes from the client, WDS logs that it was a success and sends the Boot Reply back to the client.

    Do you think disabling IPv6 this "manual" way might still have some negative effect in this scenario?

    Saturday, April 18, 2020 5:24 PM
  • That's a possibility. This is NOT the supported way to disable IPv6 - you should modify the registry instead.

    hth
    Marcin

    Saturday, April 18, 2020 11:43 PM
  • Ok, thank you for the tip, I will test it out with the registry mod.
    Sunday, April 19, 2020 8:04 AM
  • Hi,

    For how to use registry key to disable IPv6, you could refer to the following article:

    Use registry key to configure IPv6

    Note: Before you modify it, back up the registry for restoration in case problems occur.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com   

    Monday, April 20, 2020 3:39 AM
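The two ways of "disabling IPv6" that the thread contrasts, as an added example (this is not code from any post in the thread and not Microsoft's own script). It is written for an elevated PowerShell session on the WDS server; the adapter name `Ethernet` is an assumption and must be replaced with the server's real NIC name. The registry path and the `DisabledComponents` value are the ones the linked Microsoft article documents; unticking the IPv6 checkbox in adapter properties only unbinds the `ms_tcpip6` component from one NIC and leaves the IPv6 stack loaded, which is why the reply above calls it unsupported.

```powershell
# Added example, not part of the original thread.
# Assumes an elevated PowerShell session on the WDS server.
$adapter = 'Ethernet'   # assumption: replace with the WDS server's NIC name

# 1. What the adapter-properties checkbox does: it unbinds the ms_tcpip6
#    component from that one NIC. The IPv6 stack itself stays loaded.
Get-NetAdapterBinding -Name $adapter -ComponentID ms_tcpip6 |
    Format-Table Name, DisplayName, Enabled

# 2. The documented method: DisabledComponents under Tcpip6\Parameters.
#    0xFF disables IPv6 on all interfaces except loopback.
#    Do NOT use 0xFFFFFFFF; that value is a common mistake and adds a boot delay.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$current = (Get-ItemProperty -Path $key -Name DisabledComponents `
            -ErrorAction SilentlyContinue).DisabledComponents
if ($null -eq $current) {
    'Current DisabledComponents: <not set> (IPv6 fully enabled)'
} else {
    'Current DisabledComponents: 0x{0:X}' -f $current
}

# Back up the key first, as the reply above advises.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' `
    "$env:TEMP\Tcpip6-Parameters.reg" /y

# Apply 0xFF. A reboot is required before the change takes effect.
New-ItemProperty -Path $key -Name DisabledComponents -PropertyType DWord `
    -Value 0xFF -Force | Out-Null

# 3. Re-enable the per-adapter binding so that only the registry setting
#    governs IPv6 (one switch to reason about when troubleshooting), then reboot.
Enable-NetAdapterBinding -Name $adapter -ComponentID ms_tcpip6

# After the reboot, confirm no fe80:: link-local address remains on the NIC
# before repeating the IPv4 Network Unlock test:
#   Get-NetIPAddress -InterfaceAlias $adapter -AddressFamily IPv6 -ErrorAction SilentlyContinue
```

Running the final `Get-NetIPAddress` line after the reboot is the check worth doing before re-running the capture: if a link-local address is still present, the server has not actually been moved to IPv4-only and the IPv4 result is not yet a clean test.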
  • I tried the registry method but unfortunately the issue is the same. 
    Monday, April 20, 2020 7:13 PM