Setting Up "Allow Network Unlock at Startup" for BitLocker (TPM)

  • Question

  • I am new to BitLocker, but have been tasked to deploy laptop encryption remotely/automated, via GPO and PowerShell.

    I have a mixed environment of both UEFI and Legacy laptops, thus my test environment is set up the same. With that, I have a policy for using TPM, and another for not utilizing TPM, but just using passwords. I have set up two GPOs, as well as two different PowerShell commands to enable BitLocker.

    With some previous assistance, I have PowerShell scripts working to enable BitLocker and encrypt the drives.

    My issue now pertains to the Network Unlock Feature within BitLocker for TPM machines.

    I have followed the guide below to set up the Network Unlock feature:

    https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock#bkmk-configuringnetworkunlock

    I have my GPO set, and I have the certificate set up on the WDS server. However, when I boot the machine, it is still booting to BitLocker and asking for the PIN.

    Everything I'm reading seems to reference PXE boot. I have PXE set up in the boot order before the UEFI hard drive. Is there something additional that I need to set up/configure to get this working?

    Sorry if I have not provided all of the necessary info. Please let me know any additional details needed. Thanks.

    Friday, November 22, 2019 10:05 PM

Answers

  • I did see that article previously, but it did not resolve the problem.

    I did stumble on this fix, which just ended up being that I reconfigured my WDS Server by uninstalling WDS and BitLocker Network Unlock, rebooted, then reinstalled.  After doing that, the Network Unlock began working.

    Thanks for all the assistance.

    • Marked as answer by timahh2 Wednesday, December 4, 2019 8:01 PM
    Wednesday, December 4, 2019 8:01 PM

All replies

  • Hi,
    Please open the registry editor.

    If your computer has a Network Unlock certificate identified in the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\FVE_NKP key, then Network Unlock has been configured.

    If not, here are some posts with a similar issue to yours, just for your reference; you can try the methods mentioned in them:

    https://social.technet.microsoft.com/Forums/windows/en-US/df1feab4-4ff5-41f8-a251-97935b6083ab/bitlocker-network-unlock-not-working?forum=win10itprosecurity

    https://social.technet.microsoft.com/Forums/windows/en-US/08fe5e13-dcb6-4b45-bfba-be8bfb9f4b68/bitlocker-network-unlock-with-different-subnet?forum=win10itprosecurity

    Hope the above information can help you.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, November 25, 2019 2:47 AM
  • Thanks for that info.

    I guess I must have missed some important info regarding setting up PXE boot with WDS?

    I have a WDS server set up and I have a PowerShell script to encrypt the drive.

    For the Network Unlock feature, I just followed this article:

    https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock#bkmk-configuringnetworkunlock

    After I run my script, the workstation encrypts the drive and also gets its GPOs from the DC. After that, the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\FVE_NKP key is created, but my certificate is not contained within the key.

    I will keep looking, but if you know of an article that can point me in the right direction, I would be most thankful.

    Thanks.

    Monday, November 25, 2019 3:33 PM
  • Some more info on my setup.

    The GPO objects that are necessary for BitLocker, TPM+PIN, password recovery, etc., are all enabled on the client machine.

    Regarding the certificate GPO info, under Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption Network Unlock Certificate, the certificate exists to be pushed to the client machines.

    When I run RSOP on one of the workstations receiving this policy, within that same path, it shows "No BitLocker Drive Encryption Network Unlock Certificate Defined".

    Perhaps I need to just start over with the certificate setup.

    Monday, November 25, 2019 4:48 PM
  • Hi,

    Did you follow the steps of creating the certificate template for Network Unlock?

    You could check the WDS Event Viewer to see if there are any error messages.

    Best Regards,

    Farena

    Tuesday, November 26, 2019 7:09 AM
  • Yes, I followed those steps.

    I have debugging enabled on my WDS server.

    One error is:

    [WDSServer/WDSPXE/NKPPROV] Could not find configuration by thumbprint = <Alpha Numeric Thumbprint>

    That exact thumbprint exists as a key under:

    HKLM/Software/Policies/Microsoft/SystemCertificate/FVE_NKP/Certificates.

    Within that key there is a DWORD value called "Blob" with a long binary string of value data.

    Tuesday, November 26, 2019 2:03 PM
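The two checks discussed above, whether the GPO-delivered certificate has landed under the FVE_NKP policy key and whether the thumbprint the WDS log complains about is actually present in the client's FVE_NKP store, can be done in one pass. The script below is an added example, not code from the thread or from Microsoft; it assumes it is run elevated on a domain-joined client after Group Policy has refreshed, and that the FVE_NKP certificate store is reachable through the Cert: provider as Cert:\LocalMachine\FVE_NKP (that path is an assumption, not something the thread states).

```powershell
# Added example: reconcile the Network Unlock certificate delivered by Group Policy
# (registry) with the certificates actually held in the machine's FVE_NKP store.
# Assumptions: elevated PowerShell on the client; Cert:\LocalMachine\FVE_NKP exposes
# the FVE_NKP store once a certificate has been placed there.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\FVE_NKP\Certificates'

if (-not (Test-Path $policyKey)) {
    Write-Warning "No FVE_NKP policy key found: the Network Unlock certificate GPO has not applied to this machine."
    return
}

# Each subkey under ...\Certificates is named by the certificate thumbprint; its
# 'Blob' value carries the encoded certificate that the GPO pushed down.
$policyCerts = foreach ($sub in Get-ChildItem -Path $policyKey) {
    $blob = (Get-ItemProperty -Path $sub.PSPath -Name Blob -ErrorAction SilentlyContinue).Blob
    [pscustomobject]@{
        Thumbprint = $sub.PSChildName.ToUpperInvariant()
        BlobBytes  = if ($blob) { $blob.Length } else { 0 }
    }
}

if (-not $policyCerts) {
    Write-Warning "FVE_NKP\Certificates exists but holds no thumbprint subkeys (the thread's 'key created but empty' symptom)."
}

# Certificates the machine actually holds in its FVE_NKP store (assumed Cert: path).
$storeCerts = @()
if (Test-Path 'Cert:\LocalMachine\FVE_NKP') {
    $storeCerts = @(Get-ChildItem -Path 'Cert:\LocalMachine\FVE_NKP')
}

# Policy entries that did or did not make it into the store.
foreach ($pc in $policyCerts) {
    $match = $storeCerts | Where-Object { $_.Thumbprint -eq $pc.Thumbprint }
    if ($match) {
        "OK      $($pc.Thumbprint)  blob=$($pc.BlobBytes) bytes  subject=$($match.Subject)  expires=$($match.NotAfter)"
    } else {
        "MISSING $($pc.Thumbprint)  policy blob present ($($pc.BlobBytes) bytes) but no matching certificate in the FVE_NKP store"
    }
}

# Store entries that no policy subkey references (stale or hand-imported certificates).
foreach ($sc in $storeCerts) {
    if (-not ($policyCerts.Thumbprint -contains $sc.Thumbprint)) {
        "EXTRA   $($sc.Thumbprint)  in the FVE_NKP store but not delivered by policy  subject=$($sc.Subject)"
    }
}
```

Compare the thumbprint printed on an OK or MISSING line with the one in the WDS "Could not find configuration by thumbprint" message: a MISSING line means the client received the policy entry but the certificate was never materialised in the store, while a matching OK line on the client points the investigation back at the WDS server's own FVE_NKP configuration, which is where the thread's eventual fix (reinstalling WDS and the Network Unlock feature) landed.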
  • I can also add to this that, on the client machine with BitLocker enabled, when I load Certificates, via MMC, and I search for my BitLocker Certificate, it locates it, and says that it is located in the FVE_NKP Store.
    Tuesday, November 26, 2019 6:58 PM
  • Hi,

    Please check the fix in this thread:

    https://social.technet.microsoft.com/Forums/ie/en-US/d1609dff-9990-412c-b7e0-d15493231e8e/bitlocker-network-unlock-certificate-error?forum=winserversecurity

    Best Regards,

    Farena

    Thursday, November 28, 2019 8:22 AM