bitlocker encryption
BitLocker Network Unlock Question
I set up network unlock for two servers in our network as a test for a future deployment of BitLocker. Both are HPs: one is a DL360 Gen9 server with an aftermarket TPM, the other is a DL360 Gen11 with an onboard HP TPM. I configured the first NIC on both boxes for DHCP.

Just to test things, I unplugged NIC1 but kept NIC2 plugged in on the Gen11 server and rebooted. It prompted for a PIN on boot (expected behavior). I did the same test on the Gen9 server and it boots straight into the OS (unexpected behavior). As a further test, I kept NIC1 unplugged and then unplugged NIC2, rebooted, and got prompted for a PIN (as expected, since the box was completely off the network).

Does anyone have any ideas why this is happening? Could it have something to do with the aftermarket TPM? From what I've read, network unlock requires the first NIC to be DHCP so it can communicate with the WDS server and allow network unlock to work. Could it be something with the NICs on the Gen9 server? I'm at a loss to explain this behavior. Hoping someone may have some insight. TIA

BNU: Client Machine Cannot Retrieve an IP, but Can from WDS PXE
I have been trying to troubleshoot BitLocker Network Unlock on my infrastructure but cannot seem to get it to work. On the client system I receive Event ID 24584, and on the WDS server I do not receive any event logs notifying of the client trying to use the certificate to network unlock. The odd part is that if I try to PXE boot on the client, it can receive an IP and go through the steps as if it is going to do an image install using WDS. I followed the steps in the documentation, GPOs have been applied, certs have been properly placed; it just seems bootmgr cannot retrieve an IP, but it can from WDS. In addition, an IP helper has been set up on the switch.

System info:
- Virtualized Windows 10 21H2 machine running on VMware with a vTPM
- Virtualized Windows Server 2022 running on VMware; same VLAN as the client machine
- Physical domain controller running Windows Server 2016; located on a different VLAN than the WDS server and the client machine
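Added example, not part of the post above and not Microsoft's code: a PowerShell check of the server-side pieces the post says are in place (the WDS service, the Network Unlock feature and the certificate), so the state can be read off in one go instead of by eye. The names it uses are assumptions taken from the Microsoft guide linked in the next thread: the BitLocker-NetworkUnlock feature, the WDSServer service and the FVE_NKP certificate store on the WDS host. Verify them against your own copy of the guide.

```powershell
# Added example (not from the original post): server-side sanity checks for the
# BitLocker Network Unlock provider on a WDS host. Run in an elevated PowerShell
# on the WDS server. Assumed names, taken from the Microsoft guide: feature
# BitLocker-NetworkUnlock, service WDSServer, certificate store FVE_NKP.

function Test-NetworkUnlockServer {
    $result = [ordered]@{}

    # 1. The Network Unlock provider is a Windows feature layered on top of WDS.
    $feature = Get-WindowsFeature -Name 'BitLocker-NetworkUnlock'
    $result.FeatureInstalled = [bool]$feature.Installed

    # 2. WDS itself must be running; the provider answers inside the WDS service.
    $wds = Get-Service -Name 'WDSServer' -ErrorAction SilentlyContinue
    $result.WdsService = if ($wds) { $wds.Status.ToString() } else { 'not found' }

    # 3. The server-side certificate lives in the FVE_NKP store and must carry
    #    its private key, otherwise the server cannot decrypt what the client
    #    sends. An expired certificate is reported as well.
    $certs = @(Get-ChildItem -Path 'Cert:\LocalMachine\FVE_NKP' -ErrorAction SilentlyContinue)
    $result.CertificateCount = $certs.Count
    $result.Certificates = @(foreach ($c in $certs) {
        [pscustomobject]@{
            Thumbprint    = $c.Thumbprint
            Subject       = $c.Subject
            HasPrivateKey = $c.HasPrivateKey
            Expired       = ($c.NotAfter -lt (Get-Date))
        }
    })

    # 4. Collect the warnings a practitioner would act on.
    $warn = @()
    if (-not $result.FeatureInstalled)    { $warn += 'BitLocker-NetworkUnlock feature is not installed' }
    if ($result.WdsService -ne 'Running') { $warn += 'WDSServer service is not running' }
    if ($certs.Count -eq 0)               { $warn += 'no certificate in Cert:\LocalMachine\FVE_NKP' }
    foreach ($c in $result.Certificates) {
        if (-not $c.HasPrivateKey) { $warn += "certificate $($c.Thumbprint) has no private key" }
        if ($c.Expired)            { $warn += "certificate $($c.Thumbprint) is expired" }
    }
    $result.Warnings = $warn
    [pscustomobject]$result
}

Test-NetworkUnlockServer | Format-List
```

The script deliberately checks only what it can see on the WDS host. It does not explain why PXE gets an address while bootmgr does not; it only rules the server-side pieces in or out before you go back to the client's Event ID 24584 and the switch's IP helper configuration.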
BitLocker network unlock issue

Hi, I'm struggling a bit with BitLocker network unlock deployment in my environment. I'm following this guide: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock#bkmk-installnufeature

I have two issues overall. The first one is the certificate request to the CA. I'm able to request the certificate and issue it without problems. The issue appears later on: the cert looks like it's self-signed (the certificate in the first screenshot is revoked because I didn't want it to stay there, since it didn't work like it should). The certificate in the second screenshot is the cert that's popping up in certmgr.msc on the machine that I sent the cert request from. It is the same cert, yet it is not? It should end up in the Personal container signed by the CA, but instead it goes to the Pending container and looks like it's self-signed. Am I missing something? I'll be honest, I do not have experience with a CA. I simply followed the guide. I made a workaround by using a self-signed cert in the next part, so it is not that big of a problem, although I'd like to have a signed cert there.

The real problem is the GPO settings. I've tried everything: updated the .ADMX files in SysVol manually, cleared the GPO cache on the client machine, tried setting the GPOs from the guide on multiple containers, even at the root domain level itself (just for testing purposes). No luck. The policies simply do not apply. There is no error in RSOP or in gpresult. I've tested it on multiple machines and user accounts, with security filtering and without. I tried splitting it into 3 separate policies to check whether one of them is problematic. None of these 3 policies applied even once. Other policies are applied without any problems or issues. What should I do now? Has anyone had a similar issue?
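Added example, not part of any post in this thread and not Microsoft's code: a PowerShell check of the client-side state that both the first post (a Gen9 box that boots without a PIN when only its second NIC is up) and this one (policies that never show as applied) turn on. It reads the key protectors on the OS drive, the policy value and the pushed certificate straight from the machine, so "the GPO applied" becomes something you can see rather than infer from gpresult. Assumptions: the OS volume is C:; the physical adapter with the lowest ifIndex is treated as "the first NIC" (the firmware's idea of the first NIC can differ); OSManageNKP under HKLM\SOFTWARE\Policies\Microsoft\FVE is the value that "Allow network unlock at startup" writes, as read from VolumeEncryption.admx; and the FVE_NKP\Certificates key under the SystemCertificates policy hive is where the certificate GPO lands on clients, as the linked guide describes. Verify all three against your own ADMX and guide copies. On the certificate question in this post, one general fact about Windows enrollment rather than a diagnosis: while a request is still pending on the CA, the entry on the requesting machine is a placeholder bound to the request's key and shows as self-signed until the issued certificate is retrieved and accepted (for example with certreq -retrieve and certreq -accept); the script below does not check that.

```powershell
# Added example (not from the original posts): client-side readiness checks for
# BitLocker Network Unlock. Run in an elevated PowerShell on the client.
# Assumptions: OS volume is C:; lowest ifIndex physical adapter is "the first
# NIC"; OSManageNKP is the registry value behind "Allow network unlock at
# startup" (read from VolumeEncryption.admx); the FVE_NKP\Certificates policy
# key is where the certificate GPO places the public key on clients.

function Test-NetworkUnlockClient {
    $warn = @()

    # 1. Key protectors. A bare 'Tpm' protector unlocks silently with no PIN and
    #    no network at all; 'TpmPin' is the protector Network Unlock is meant to
    #    satisfy without a prompt when the WDS server answers.
    $vol   = Get-BitLockerVolume -MountPoint 'C:'
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if ($types -contains 'Tpm' -and $types -notcontains 'TpmPin') {
        $warn += 'TPM-only protector present: this drive never prompts for a PIN, network or not'
    } elseif ($types -notcontains 'TpmPin') {
        $warn += 'no TPM+PIN protector: there is no PIN prompt for Network Unlock to suppress'
    }

    # 2. Policy "Allow network unlock at startup" must have reached the machine.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $policyOn = ($null -ne $fve -and $fve.OSManageNKP -eq 1)
    if (-not $policyOn) { $warn += 'OSManageNKP is not 1: the Network Unlock policy is not applied' }

    # 3. The Network Unlock certificate pushed by GPO lands under this key, one
    #    subkey per thumbprint.
    $certKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\FVE_NKP\Certificates'
    $thumbs  = @(Get-ChildItem -Path $certKey -ErrorAction SilentlyContinue | ForEach-Object PSChildName)
    if ($thumbs.Count -eq 0) { $warn += "no certificate under $certKey: the certificate GPO is not applied" }

    # 4. Network Unlock talks DHCP from bootmgr, so the boot NIC must be DHCP.
    $nics    = Get-NetAdapter -Physical | Sort-Object ifIndex
    $nicInfo = @(foreach ($n in $nics) {
        $ip = Get-NetIPInterface -InterfaceIndex $n.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue
        [pscustomobject]@{ Name = $n.Name; ifIndex = $n.ifIndex; Status = $n.Status; Dhcp = "$($ip.Dhcp)" }
    })
    $first = $nicInfo | Select-Object -First 1
    if ($first -and $first.Dhcp -ne 'Enabled') { $warn += "first adapter $($first.Name) is not DHCP" }

    [pscustomobject]@{
        ProtectionStatus = $vol.ProtectionStatus.ToString()
        KeyProtectors    = $types
        PolicyApplied    = $policyOn
        CertThumbprints  = $thumbs
        Adapters         = $nicInfo
        Warnings         = $warn
    }
}

Test-NetworkUnlockClient | Format-List
```

Run it on each machine under test and compare the two outputs: a box that shows no PIN prompt with the network unplugged and a box that does should differ in KeyProtectors, and a policy that gpresult reports as applied but that leaves PolicyApplied false or CertThumbprints empty points at the ADMX or the registry path rather than at GPO processing itself.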