BitLocker network unlock issue


Hi,
I'm struggling a bit with Bitlocker network unlock deployment in my environment.
I'm following this guide:
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-...

 

And I have 2 issues overall.
The first one is the certificate request to the CA. I'm able to request the certificate and issue it w/o problems. The issue appears later on - the cert looks like it's self-signed (the certificate on the first screenshot is revoked because I didn't want it to stay there since it didn't work like it should). The certificate on the second screenshot is the cert that's popping up in certmgr.msc on the machine that I was sending the cert request from. It is the same cert - yet it is not? It should end up in the Personal container signed by the CA, but instead it goes to the Pending container and it looks like it's self-signed. Am I missing something? I'll be honest - I do not have experience with CA. I simply followed the guide.

I made a workaround by doing a self-signed one in the next part, so it is not that big of a problem - although I'd like to have a signed cert there.

The real problem is - GPO settings.

I've tried everything. Updated the .ADMX files in SysVol manually, cleared the GPO cache on the client machine, tried setting the GPOs from the guide on multiple containers, even on the root domain level itself (just for testing purposes) - no luck. The policy simply does not apply. There is no error in RSOP or in gpresult. I've tested it on multiple machines and user accounts, with Security filtering and without. I tried to split it into 3 separate policies to check if maybe one of them is problematic. None of these 3 policies applied even once. Other policies are applied without any problems or issues.
What should I do now? Has anyone had a similar issue?

0 Replies
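An added client-side diagnostic for the two symptoms in the post (the policy not landing, and a cert that looks self-signed); this is not code from the post or from the Microsoft guide it links. It assumes the Network Unlock policy writes OSManageNKP under HKLM\SOFTWARE\Policies\Microsoft\FVE, that policy-pushed and local Network Unlock certificates live in the FVE_NKP store, and that the Network Unlock EKU OID is 1.3.6.1.4.1.311.67.1.1; verify each against your ADMX and the guide before relying on it.

```powershell
# Added diagnostic, not from the post or the guide. Assumed paths/OIDs are marked.
$ErrorActionPreference = 'Continue'

# 1. Did "Allow network unlock at startup" reach this client?
#    Assumption: the ADMX writes OSManageNKP under the FVE policy key.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$val = Get-ItemProperty -Path $fve -Name OSManageNKP -ErrorAction SilentlyContinue
if ($val -and $val.OSManageNKP -eq 1) {
    "OK: OSManageNKP=1 under $fve (policy applied)"
} else {
    "MISSING: OSManageNKP not set under $fve (policy did not apply here)"
}

# 2. Did the Network Unlock certificate arrive via the GPO's Public Key Policies?
#    Assumption: GPO-delivered certs are mirrored under this FVE_NKP policy key.
$nkpReg = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\FVE_NKP\Certificates'
$pushed = Get-ChildItem -Path $nkpReg -ErrorAction SilentlyContinue
"Certificates pushed by policy: $(@($pushed).Count)"

# 3. Inspect the local machine FVE_NKP store: is the cert CA-signed, does it carry
#    the Network Unlock EKU, and is it still valid?
#    Assumption: EKU OID 1.3.6.1.4.1.311.67.1.1 identifies BitLocker Network Unlock.
$nkpOid = '1.3.6.1.4.1.311.67.1.1'
$certs = Get-ChildItem -Path 'Cert:\LocalMachine\FVE_NKP' -ErrorAction SilentlyContinue
foreach ($c in $certs) {
    $ekus = @($c.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    [pscustomobject]@{
        Thumbprint = $c.Thumbprint
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        SelfSigned = ($c.Subject -eq $c.Issuer)   # True = not CA-signed
        HasNkpEku  = ($ekus -contains $nkpOid)
        Expired    = ($c.NotAfter -lt (Get-Date))
    }
}

# 4. A request waiting in "Certificate Enrollment Requests" (store name REQUEST)
#    shows a self-signed placeholder until the CA-issued cert is accepted with
#    certreq -accept; a non-zero count here matches the "Pending" symptom.
$pending = Get-ChildItem -Path 'Cert:\LocalMachine\REQUEST' -ErrorAction SilentlyContinue
"Pending enrollment requests: $(@($pending).Count)"
```

Run it in an elevated PowerShell on a client after gpupdate /force; a MISSING in step 1 alongside other policies applying points at the ADMX/registry mapping rather than at GPO scoping.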