BitLocker network unlock certificate expires soon

  • Question

  • Hi,

    Our BNU certificate expires soon, and I'm wondering what the best practice is to renew it. Generate a new certificate, or renew the existing one?

    Since we have to change the cert on the server and workstations simultaneously, there will be some issues where some workstations don't get the GPO with the new certificate and will be prompted for the PIN. Is there a way to get around this?

    And what will happen when this expires? As far as I can tell, there is no check for the validation of the certificate in the network unlock process. 

    • Edited by ta-for Tuesday, August 13, 2019 6:14 AM
    Tuesday, August 13, 2019 6:13 AM

All replies

  • Hi,

    Did you check below?

    https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock

    Tuesday, August 13, 2019 7:56 AM
  • Hello,
    Thank you for posting in our TechNet forum.

    According to your description, I think we can either generate a new certificate or renew the existing certificate.

    If we generate a new certificate, we can install this new certificate on the server and on all the workstations.

    If we renew the existing certificate, we can renew it on the server manually, and the workstations will renew the BNU certificate through GPO automatically if we have already configured automatic certificate enrollment for computers.


    Usually, the validity period of an issued certificate is the least of the values below.

    a) The expiry date of the issuing CA certificate

    b) The validity period defined in the registry, which affects all certificates issued by Stand-alone and Enterprise CAs. For an Enterprise CA, the default registry setting is two years; for a Stand-alone CA, the default registry setting is one year:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\CertSvc\Configuration\CA Name\ValidityPeriodUnits

    c) The template validity period, in the case of an Enterprise (AD-integrated) CA



    Example 1
    Assume that the CA root certificate is valid for 10 years (2010/8/14-2020/8/14), but the registry value is 20 years and the certificate template is 15 years. Therefore, the certificate issued by the CA is valid for about 1 year.

    Example 2
    Assume that the CA root certificate is valid for 10 years (2019/8/14-2029/8/14), but the registry value is 20 years and the certificate template is 15 years. Therefore, the certificate issued by the CA is valid for about 10 years.


    And we can understand when the certificates will auto-enroll if we configure the automatic certificate enrollment policy GPO; based on the article Tips for Certificate Auto-Enrollment Issuance, we can see:

    Renewal. This is the most misunderstood part of the auto-enroll process. Every certificate issued has a renewal period as part of the template. This does not necessarily mean that the certificate will renew at the exact beginning of that period. For renewal of auto-enrolled certificates, two time frames exist before the action is taken.

    First, the certificate has to have completed 80% of its validity period and be within the renewal period. So as an example, a certificate that is valid for 1 year reaches the 80% mark at around 41.5 weeks, and if the cert has a 6-week renewal period, then the renewal would happen at the 46-week point. So this would happen during the renewal period.

    If the validity period is 6 months, the 80% mark would be week 21, but the renewal period would begin week 20.


    >>And what will happen when this expires? As far as I can tell, there is no check for the validation of the certificate in the network unlock process. 

    If the BNU certificate expires, none of the machines will unlock over the network; or, if we have configured PIN unlock, we can unlock through the PIN manually on every machine.

    If anything is unclear, please feel free to let us know. 




    Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, August 14, 2019 8:02 AM
    Moderator
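The two rules in the reply above (the issued validity being the least of the CA expiry, the ValidityPeriodUnits registry value and the template validity, and auto-enrollment renewing only once 80% of the lifetime has elapsed *and* the renewal window has opened) are easy to misjudge when planning the server-side certificate swap, so here is a small Python script that works through the thread's own examples. It is an added illustration, not code from this thread, from Microsoft or from the linked article; the dates are constructed to match the examples above, the registry value is treated as whole years for simplicity, and the 29 February handling in `add_years` is an assumption of this script.

```python
from datetime import date, timedelta


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 Feb lands on 28 Feb (assumption of this script)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def issued_not_after(issue_date: date, ca_not_after: date,
                     registry_years: int, template_years: int) -> date:
    """NotAfter the CA will stamp on a certificate issued on issue_date:
    the earliest of the issuing CA's own expiry, the ValidityPeriodUnits
    registry value (taken here in whole years) and the template validity."""
    return min(
        ca_not_after,
        add_years(issue_date, registry_years),
        add_years(issue_date, template_years),
    )


def renewal_point_weeks(validity_weeks: int, renewal_period_weeks: int) -> float:
    """Week at which auto-enrollment renews: both conditions must hold
    (80% of validity elapsed AND inside the renewal window), so the trigger
    is the later of the two points."""
    eighty_percent = 0.8 * validity_weeks
    window_start = validity_weeks - renewal_period_weeks
    return max(eighty_percent, window_start)


def renewal_due(today: date, not_before: date, not_after: date,
                renewal_period: timedelta) -> bool:
    """The same rule applied to real NotBefore/NotAfter dates: True once 80%
    of the lifetime has elapsed and today is within renewal_period of NotAfter."""
    lifetime = not_after - not_before
    elapsed = today - not_before
    past_80_percent = elapsed >= 0.8 * lifetime
    in_window = today >= not_after - renewal_period
    return past_80_percent and in_window


if __name__ == "__main__":
    # Constructed sample data matching the reply's two CA examples and the
    # quoted auto-enrollment examples; none of these are real certificates.
    issued = date(2019, 8, 14)
    print("Example 1:", issued_not_after(issued, date(2020, 8, 14), 20, 15))  # 2020-08-14
    print("Example 2:", issued_not_after(issued, date(2029, 8, 14), 20, 15))  # 2029-08-14
    print("1-year cert, 6-week renewal period -> week", renewal_point_weeks(52, 6))  # 46
    print("6-month cert, 6-week renewal period -> week", renewal_point_weeks(26, 6))  # 20.8
    cert_start, cert_end = date(2019, 8, 14), date(2020, 8, 14)
    for day in (date(2020, 5, 1), date(2020, 6, 17), date(2020, 7, 10)):
        print(day, "renewal due:", renewal_due(day, cert_start, cert_end, timedelta(weeks=6)))
```

`renewal_due` is the part worth reusing: feed it the NotBefore/NotAfter of the current BNU certificate and the template's renewal period to see from which date auto-enrolling workstations will pick up a renewed certificate, which is the earliest point at which it makes sense to switch the server side and the GPO so that fewer machines fall back to the PIN prompt.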
  • Hi,
    Does this question have any update? Also, is there any other assistance we could provide for this question?



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, August 16, 2019 2:28 AM
    Moderator
  • Hi,
    Would you please tell me how things are going on your side? If you have any questions or concerns about the information I provided, please don't hesitate to let us know.

    Again thanks for your time and have a nice day!



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, August 20, 2019 10:02 AM
    Moderator