HP EliteDesk 800 G6 SFF

Good Day, everyone; I am rolling out BitLocker to meet our compliance goals. To access machines after reboots for maintenance and simplify the user experience, I am using BitLocker Network Unlock. All components for BitLocker Network Unlock are installed (GPOs for Clients), and the BitLocker Settings and the Network Unlock Certificate are on all clients. When I use the manage-bde.exe command and show the -protectors option, the BitLocker Drive reports that the Network Certificate is a valid protector along with TPM/PIN. I can also verify the certificate for Network Unlock is installed/functional via the registry. Interestingly, our Dell Workstations happily use the Network Unlock feature without issue; the debug logs on the WDS/Network Unlock Server validate this. At reboot, the Dells do not require a PIN and utilize the Network Unlock Certificate to unlock the drive. However, our HPs don't; even though all of the above is true and Network Unlock is a valid protector, and the certificate is installed and valid, the HPs ignore Network Unlock and require a PIN. The network environment is identical, and the firmware and all drivers on the HP Workstations are up to date. During packet captures in our Cisco Environment, the traffic from the Dells flows as expected, and the HPs never initiate contact with the WDS/Network Unlock Server. The Network Unlock feature requires native UEFI and the ability to PXE Boot, which the HPs possess and are configured for. The HPs will PXE Boot as we image all workstations to a corporate standard, but there appears to be a very brief drop in network connectivity on the HPs at boot; it is less than a second, but this causes the HP Workstations to "ignore" the Network Unlock and require a PIN.
All client ports on the switches have portfast edge and BPDU Guard enabled; our Layer 3 environment has the appropriate IP Helper-Address and associated servers listed, and the environment is configured correctly, as evidenced by the Dell Workstations functioning with Network Unlock. I believe this to be an issue with the HPs' UEFI Firmware boot sequence; I am open to any ideas on correcting this, as it is a critical part of our required security.
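As an added diagnostic for the checks described in the post (protector list, Network Unlock certificate in the registry, UEFI boot state), here is a client-side PowerShell script that collects the same evidence in one run. It is example code written for this thread, not HP's or Microsoft's tooling. Assumptions: the Network Unlock protector is reported with a type name containing "Network" (the exact enum value is not quoted in the post), the GPO-delivered certificate lives under the FVE_NKP policy store in HKLM, the BitLocker Management event log carries Network Unlock messages, and the expected thumbprint is a placeholder you replace with your own.

```powershell
# Added example for this thread (not from the original post or from HP).
# Run from an elevated PowerShell session on a client that falls back to PIN.

# Assumption: replace with the thumbprint of your Network Unlock certificate.
$ExpectedThumbprint = 'REPLACE-WITH-YOUR-NKP-CERT-THUMBPRINT'

function Get-OsVolumeProtectors {
    # Same information as "manage-bde -protectors -get <drive>", via the BitLocker module.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        VolumeStatus     = $vol.VolumeStatus
        Protectors       = $vol.KeyProtector | ForEach-Object {
            [pscustomobject]@{ Type = "$($_.KeyProtectorType)"; Id = $_.KeyProtectorId }
        }
    }
}

function Test-NetworkUnlockProtector {
    param($Protectors)
    # Assumption: the Network Unlock protector type name contains "Network".
    return [bool]($Protectors | Where-Object { $_.Type -match 'Network' })
}

function Get-NkpCertificateThumbprints {
    # Assumption: GPO places the Network Unlock certificate in the FVE_NKP policy store.
    # Each subkey name is the SHA-1 thumbprint of a stored certificate.
    $store = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\FVE_NKP\Certificates'
    if (-not (Test-Path $store)) { return @() }
    return (Get-ChildItem $store | Select-Object -ExpandProperty PSChildName)
}

function Get-FirmwareState {
    # $env:firmware_type is set by Windows to UEFI or Legacy on supported systems.
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = 'n/a (not UEFI)' }
    [pscustomobject]@{ FirmwareType = $env:firmware_type; SecureBoot = $secureBoot }
}

function Get-RecentNetworkUnlockEvents {
    # Assumption: the BitLocker Management log records Network Unlock attempts and outcomes.
    $log = 'Microsoft-Windows-BitLocker/BitLocker Management'
    try {
        Get-WinEvent -LogName $log -MaxEvents 500 -ErrorAction Stop |
            Where-Object { $_.Message -match 'Network Unlock|network key' } |
            Select-Object TimeCreated, Id, LevelDisplayName, Message
    } catch { @() }
}

# --- Run the checks and print a short report ---
$osVol = Get-OsVolumeProtectors
"OS volume {0}: protection={1} status={2}" -f $osVol.MountPoint, $osVol.ProtectionStatus, $osVol.VolumeStatus
$osVol.Protectors | ForEach-Object { "  {0,-20} {1}" -f $_.Type, $_.Id }

if (-not (Test-NetworkUnlockProtector $osVol.Protectors)) {
    Write-Warning 'No Network Unlock protector found; the client will always fall back to PIN.'
}

$thumbs = Get-NkpCertificateThumbprints
if ($thumbs.Count -eq 0) {
    Write-Warning 'FVE_NKP policy store is empty; the Network Unlock certificate GPO has not applied.'
} elseif ($thumbs -notcontains $ExpectedThumbprint) {
    Write-Warning "FVE_NKP store holds [$($thumbs -join ', ')] but not the expected thumbprint."
} else {
    'Network Unlock certificate present with the expected thumbprint.'
}

$fw = Get-FirmwareState
"Firmware: {0}, SecureBoot: {1}" -f $fw.FirmwareType, $fw.SecureBoot
if ($fw.FirmwareType -ne 'UEFI') { Write-Warning 'Network Unlock requires native UEFI boot.' }

'Recent Network Unlock related events (most recent first):'
Get-RecentNetworkUnlockEvents | Select-Object -First 10 | Format-Table -AutoSize -Wrap
```

If every check passes on the HP but the client still prompts for a PIN, the Windows-side configuration is not the culprit: Network Unlock is designed to fall back to TPM+PIN whenever the firmware's DHCP exchange with the WDS server does not complete before the boot manager gives up, which is consistent with the momentary link drop and the absence of HP traffic in the packet capture. In that case compare the event messages above with the server-side debug log timestamps to confirm whether the request ever leaves the machine.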
