Bitlocker Network unlock not working

  • Question

  • Hi Guys!

    I am new here to this forum and I hope you can help me with Bitlocker Network unlock.

    I configured Bitlocker with Network unlock on our network as described on this page: https://technet.microsoft.com/en-us/library/jj574173(v=ws.11).aspx. Bitlocker with AD integration works fine, but the network unlock part is not working.

    Every time I reboot a PC (Windows 10, Dell Optiplex 7040) I need to enter a PIN code. Once logged in to Windows I see the following error in my eventvwr:

    EventID: 24645
    Bootmgr failed to obtain the BitLocker volume master key from the network key protector.
    Source: Bitlocker-Driver

    My BIOS is set up to use Network boot with PXE / Network Stack. For booting I use the boot manager from my Dell Optiplex 7040.
    If I press F12 to boot from network, I directly boot to our WDS server (install Windows 10 menu).

    I used option 66 and 67 in DHCP to point to my WDS server. Option 67 is set to: boot\x64\wdsmgfw.efi.

    What am i doing wrong?

    Kind regards,

    Patrick

    Wednesday, September 28, 2016 12:06 PM

Answers

  • Hi all,

    I found the solution. I hope I can help other people with the same problem.

    The instructions @ https://technet-msft-us1.vtv.stillw.com/en-us/library/jj574173(v=ws.11).aspx are not correct.

    At step four you need to create an .INF file, but the .INF file is not correct. It took me days to search and troubleshoot.

    [NewRequest]
    Subject="CN=BitLocker Network Unlock certificate"
    Exportable=true
    RequestType=Cert
    KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE"
    KeyLength=2048
    KeyUsage=0x30
    KeySpec=1
    
    [Extensions]
    Bitlocker Drive Encyption = "{text}"
    _continue_ = "OID=1.3.6.1.4.1.311.67.1.1"
    
    Bitlocker Drive Encryption = "{text}"
    _continue_ = "1.3.6.1.4.1.311.67.1.1"

    After recreating a new certificate with this .INF file, it finally works now!



    • Edited by PoCC99 Monday, October 10, 2016 12:40 PM
    • Marked as answer by PoCC99 Monday, October 10, 2016 12:41 PM
    Monday, October 10, 2016 12:37 PM

All replies

  • Hi, 

    Please verify that the client hardware is UEFI-based, is on firmware version 2.3.1, and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Do this by checking that the firmware does not have an option enabled such as "Legacy mode" or "Compatibility mode" and that the firmware does not appear to be in a BIOS-like mode.

    For further troubleshooting, please collect the following information for our research, upload it onto OneDrive and share the link here:

    1. The Windows event logs. Specifically the BitLocker event logs and the Microsoft-Windows-Deployment-Services-Diagnostics-Debug log

      Debug logging is turned off by default for the WDS server role, so you will need to enable it first. You can use either of the following two methods to turn on WDS debug logging.

      1. Start an elevated command prompt and run the following command:

        wevtutil sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true
        
        
      2. Open Event Viewer on the WDS server.

        In the left pane, click Applications and Services Logs, click Microsoft, click Windows, click Deployment-Services-Diagnostics, and then click Debug.

        In the right pane, click Enable Log.

    2. The DHCP subnet configuration file (if one exists).

    3. The output of the BitLocker status on the volume; this can be gathered into a text file using manage-bde -status or Get-BitLockerVolume in Windows PowerShell

    4. Network Monitor capture on the server hosting the WDS role, filtered by client IP address


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Saturday, October 1, 2016 8:42 AM
  • Is there any update on your issue?

    If the issue was resolved, please mark the helpful post as answer to help other community members find the helpful information quickly. You can also share your own solution here and mark it as answer, and we can learn from each other.

    Please know that you can also reply with current situation, we are always here to help you further.



    Friday, October 7, 2016 1:35 AM
  • Hi Kate!

    Thanks for helping me. 

    I am running the latest BIOS from Dell. This contains the latest UEFI firmware.
    I found something in the Deployment-Services-Diagnostics:

    [WDSServer/WDSPXE/NKPPROV] Received NKP IPv4 request. Remote address: 192.168.0.151:68, Packet length: 573.

    [WDSServer/WDSPXE/NKPPROV] NKP request processing failed while extracting key material. Remote address: 192.168.0.151:68, Packet length: 573.

    [WDSServer/WDSPXE/NKPPROV] Could not decrypt data with private key. HRESULT = 0x80090010.

    My BDE status looks like this:

    Disk volumes that can be protected with
    BitLocker Drive Encryption:
    Volume C: [Windows]
    [OS Volume]

        Size:                 232.03 GB
        BitLocker Version:    2.0
        Conversion Status:    Fully Encrypted
        Percentage Encrypted: 100.0%
        Encryption Method:    XTS-AES 128
        Protection Status:    Protection On
        Lock Status:          Unlocked
        Identification Field: Ccontent
        Key Protectors:
            Numerical Password
            TPM And PIN
            Data Recovery Agent (Certificate Based)
            Network (Certificate Based)

    And I checked all my thumbprints for the certificates and they are all ok.

    It looks like there is an issue with the certificates.

    Friday, October 7, 2016 12:11 PM
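    The checks below are an added example of my own, not a script from the thread or from Microsoft. They tie together the marked answer (the certificate must carry the Network Unlock OID 1.3.6.1.4.1.311.67.1.1 and live in the computer store) and the support reply's data-collection steps (manage-bde -status, event 24645, the WDS Deployment-Services-Diagnostics/Debug log). The function names are mine; the OID, event ID, log name and the "Network (Certificate Based)" status text come from the thread.

```powershell
# Added example (not from the thread). Run elevated on the BitLocker client.
$NkpOid = '1.3.6.1.4.1.311.67.1.1'   # BitLocker Network Unlock OID (from the thread)

function Test-NetworkUnlockClient {
    param([string]$MountPoint = 'C:')
    $result = [ordered]@{}

    # 1. manage-bde -status lists "Network (Certificate Based)" under Key Protectors
    #    once the network key protector has been added (see the status dump above).
    $status = & manage-bde -status $MountPoint 2>&1
    $result.NetworkProtectorPresent = [bool]($status -match 'Network \(Certificate Based\)')

    # 2. The Network Unlock certificate must be in the *computer* store, not the
    #    user store. Accept the OID either as an extension OID or inside a decoded
    #    extension (EKU / Application Policies), and require a private key.
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Extensions | Where-Object {
            $_.Oid.Value -eq $NkpOid -or $_.Format($false) -match [regex]::Escape($NkpOid)
        }
    }
    $result.NkpCertThumbprints  = @($certs | ForEach-Object Thumbprint)
    $result.NkpCertHasPrivateKey = [bool]($certs | Where-Object HasPrivateKey)

    # 3. Event 24645 ("Bootmgr failed to obtain the BitLocker volume master key
    #    from the network key protector") is the client-side symptom in the question.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 24645 } `
                           -MaxEvents 5 -ErrorAction SilentlyContinue
    $result.RecentNkpFailures = @($events).Count

    [pscustomobject]$result
}

# Run on the WDS server after enabling the debug log with the wevtutil command
# from the support reply. Debug logs must be read with -Oldest.
function Get-NkpServerErrors {
    Get-WinEvent -LogName 'Microsoft-Windows-Deployment-Services-Diagnostics/Debug' `
                 -Oldest -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'NKPPROV' -and $_.Message -match 'failed|Could not' } |
        Select-Object TimeCreated, Message
}

Test-NetworkUnlockClient | Format-List
```

    If NkpCertThumbprints is empty while the certificate is visible under Cert:\CurrentUser\My, you have the user-versus-computer certificate problem described later in the thread; a "Could not decrypt data with private key" line from Get-NkpServerErrors points at the server-side key instead.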
  • help me to found and reopen my email gutu07@hotmail.com
    Monday, October 10, 2016 1:17 PM
  • Could you provide your source for creating a different .INF file than what is posted in the instructions?
    Friday, February 16, 2018 3:22 PM
  • The instructions for creating the certificates are incorrect; the certificate needs to be a Computer certificate and not a user certificate.

    DHCP options are not needed for Network unlock to work; they are only needed if you intend to use WDS to deliver OS images.

    WDS also needs to be configured.

    Monday, January 14, 2019 11:18 AM