Setting Up "Allow Network Unlock at Startup" for BitLocker (TPM)

  • Question

  • I am new to BitLocker, but have been tasked to deploy laptop encryption remotely\automated, via GPO and PowerShell.

    I have a mixed environment of both UEFI and Legacy laptops, thus, my test environment is set up the same.  With that, I have a policy for using TPM, and another for not utilizing TPM, but to just use passwords.  I have set up two GPOs, as well as two different PowerShell commands to enable BitLocker.

    With some previous assistance, I have PowerShell scripts working to enable BitLocker and encrypt the drives.

    My issue now pertains to the Network Unlock Feature within BitLocker for TPM machines.

    I have followed the guide below to set up the Network Unlock feature:

    https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock#bkmk-configuringnetworkunlock

    I have my GPO set, and I have the certificate set up on the WDS server.  However, when I boot the machine, it is still booting to BitLocker and asking for the PIN.

    Everything I'm reading seems to reference PXE boot.  I have PXE set up in the boot order before the UEFI hard drive.  Is there something additional that I need to set up\configure to get this working?

    Sorry if I have not provided all of the necessary info needed.  Please let me know any additional details needed.  Thanks.

    Friday, November 22, 2019 10:05 PM

Answers

  • I did see that article previously, but it did not resolve the problem.

    I did stumble on this fix, which just ended up being that I reconfigured my WDS Server by uninstalling WDS and BitLocker Network Unlock, rebooted, then reinstalled.  After doing that, the Network Unlock began working.

    Thanks for all the assistance.

    • Marked as answer by timahh2 Wednesday, December 4, 2019 8:01 PM
    Wednesday, December 4, 2019 8:01 PM
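The question and the accepted answer together describe one workflow: the Network Unlock role and certificate are set up on the WDS server per the linked Microsoft guide, and the fix that finally worked was removing and re-adding WDS plus the BitLocker Network Unlock feature. The script below is an added example, not the poster's script or anything from the thread, that checks the pieces that workflow depends on before and after such a reinstall. It assumes a Windows Server WDS host with the ServerManager cmdlets available, an elevated session, and that the client holds the OS volume on C:; the `FVE_NKP` certificate store name is the one the Microsoft guide uses for the Network Unlock certificate.

```powershell
# Added example (not from the thread): verify the server- and client-side
# prerequisites for BitLocker Network Unlock, and optionally perform the
# remove/re-add of WDS + Network Unlock that the accepted answer describes.
# Assumes: Windows Server with the ServerManager module; run as Administrator.

# ---------------------------------------------------------------------------
# On the WDS server
# ---------------------------------------------------------------------------
$features = 'WDS', 'BitLocker-NetworkUnlock'   # feature names used by Install-WindowsFeature

# 1. Both the WDS role and the Network Unlock feature must show Installed.
Get-WindowsFeature -Name $features | Format-Table Name, InstallState -AutoSize

# 2. The Network Unlock certificate, with its private key, must sit in the
#    FVE_NKP store; the WDS provider cannot answer clients without it.
$nkpCert = Get-ChildItem Cert:\LocalMachine\FVE_NKP -ErrorAction SilentlyContinue
if (-not $nkpCert) {
    Write-Warning 'No certificate in Cert:\LocalMachine\FVE_NKP - Network Unlock cannot respond.'
} else {
    $nkpCert | Format-Table Subject, NotAfter, HasPrivateKey -AutoSize
    if (-not ($nkpCert | Where-Object HasPrivateKey)) {
        Write-Warning 'Certificate present but no private key - re-import it with the key.'
    }
}

# 3. The WDS service must be running; Network Unlock is served from the WDS PXE provider.
Get-Service WDSServer | Format-Table Name, Status -AutoSize

# 4. The remedy from the accepted answer: remove and re-add both features, reboot,
#    reinstall. Uncomment to apply; the first line restarts the server.
# Uninstall-WindowsFeature -Name $features -Restart
# Install-WindowsFeature   -Name $features -IncludeManagementTools
#    After reinstalling, re-import the certificate into FVE_NKP (step 2) before
#    testing a client reboot.

# ---------------------------------------------------------------------------
# On a TPM client (run separately on the laptop)
# ---------------------------------------------------------------------------
# Network Unlock requires the TPM+PIN protector on the OS volume and the
# GPO-delivered Network Unlock certificate on the client.
$osVolume = Get-BitLockerVolume -MountPoint 'C:'
$osVolume | Format-Table MountPoint, VolumeStatus, ProtectionStatus -AutoSize
$osVolume.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize
if (-not ($osVolume.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')) {
    Write-Warning 'No TPM+PIN protector on C: - Network Unlock will not be offered at boot.'
}

# manage-bde prints the full protector list, including the Network Unlock entry
# once the client has picked up the certificate and rebooted.
manage-bde -protectors -get C:

# The policy-pushed certificate should appear in the client's FVE_NKP store as well
# (assumption: same store name on the client as on the server).
Get-ChildItem Cert:\LocalMachine\FVE_NKP -ErrorAction SilentlyContinue |
    Format-Table Subject, NotAfter -AutoSize
```

Run the server half first; if step 2 reports a missing certificate or private key after the reinstall, the client will keep prompting for the PIN regardless of the GPO and boot order, which matches the symptom in the question.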
