02-09-2018 06:19 AM
I am trying to set up BitLocker Network Unlock on my current domain; however, I am getting stuck with the following issue:
"Bootmgr failed to obtain the BitLocker volume master key from the network key protector: failed to send request."
Looking at it, the device fails to send the request for a DHCP address. Does anyone know why this would happen? There have been several references to a network stack, but looking into the BIOS/UEFI there is nothing that relates to a "network stack". I am able to PXE boot the machines, though.
Any help would be great.
02-15-2018 01:02 AM
I haven't worked with this model before, but are you running boot mode as UEFI Native (without CSM)?
If you can successfully PXE boot and your boot mode is set to the above setting, you are successfully getting an IP from DHCP.
Another thing to check would be the TPM: from the OS, run "TPM.msc", and if the status is "The TPM is ready for use with reduced functionality", you may need to look into clearing the TPM.
I used these two articles, and they are very helpful in understanding and implementing BitLocker Network Unlock:
Let me know how it works out for you.
02-15-2018 07:02 AM
I have checked the TPM status and it was set to "ready to use".
I did think that the PXE was working and that it was able to get a DHCP address;
however, when I run Wireshark to capture the packets on WDS, nothing shows up until the machine boots into Windows.
Hence why I thought that something is stopping the connection.
I have followed both articles and neither advises how to troubleshoot the client.
I take it it works on your network; can I ask how yours is set up?
Currently my setup is as follows:
I installed Wireshark on all servers and it still only picks up anything after Windows boots.
I have a firewall between clients and servers, but this has IP helpers on, and DHCP is configured to look at WDS for PXE.
Completely lost; there is no comprehensive guide.
02-18-2018 05:47 AM
Sorry to hear that it's still not working, I have it configured as follows:
IP Helpers for DHCP servers and WDS server
DHCP options for WDS server
CA-signed certificate with private key in the Computer\BitLocker Drive Encryption Network Unlock store
The certificate without the key is in the GPO that applies the "BitLocker Drive Encryption Network Unlock certificate" and enables network unlock at startup.
Client boot mode is set to UEFI native (not BIOS or Hybrid (with CSM))
It sounds like your IP Helper is only for the DHCP server and not the WDS server. I tested and without the IP helper, the machine will not send the DHCP packet to the WDS server.
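As an added example that is not part of this thread, the following PowerShell script checks, from the endpoint side, the items the reply above lists: the Network Unlock certificate (with private key) on the WDS server, the WDS service, and on a client the GPO-delivered public certificate, the TPM state, UEFI boot mode and the system drive's key protectors. The IP helper on the firewall cannot be verified from a host, so it is only reported as a manual step. Assumptions that are mine and not stated in the thread: the "BitLocker Drive Encryption Network Unlock" store is exposed as Cert:\LocalMachine\FVE_NKP, the WDS service is named WDSServer, and the GPO certificate is written under the policy SystemCertificates registry key.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# -Role Server on the WDS host, -Role Client on a machine that fails to unlock.
param(
    [ValidateSet('Server', 'Client')]
    [string]$Role = 'Server'
)

# Assumption: the "BitLocker Drive Encryption Network Unlock" store is FVE_NKP.
$StorePath  = 'Cert:\LocalMachine\FVE_NKP'
# Assumption: the GPO-pushed public certificate lands under this policy key.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\FVE_NKP\Certificates'

function New-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

function Test-NetworkUnlockCert([bool]$RequirePrivateKey) {
    # The server must hold the private key; a client only needs the public cert.
    $certs = Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue
    if (-not $certs) { return New-Result 'FVE_NKP store' $false 'no certificate present' }
    foreach ($c in $certs) {
        $expired = $c.NotAfter -lt (Get-Date)
        $ok = (-not $expired) -and ((-not $RequirePrivateKey) -or $c.HasPrivateKey)
        $d  = '{0}; private key: {1}; expires {2:yyyy-MM-dd}' -f $c.Subject, $c.HasPrivateKey, $c.NotAfter
        New-Result 'FVE_NKP store' $ok $d
    }
}

function Test-WdsServer {
    # Assumption: the Windows Deployment Services service is named WDSServer.
    $svc = Get-Service -Name 'WDSServer' -ErrorAction SilentlyContinue
    if (-not $svc) { return New-Result 'WDS service' $false 'WDSServer service not installed' }
    New-Result 'WDS service' ($svc.Status -eq 'Running') "status: $($svc.Status)"
}

function Test-ClientPrereqs {
    # GPO-delivered public certificate (see $PolicyPath assumption above).
    $policyCerts = Get-ChildItem -Path $PolicyPath -ErrorAction SilentlyContinue
    New-Result 'GPO NU certificate' ([bool]$policyCerts) "entries under policy key: $(@($policyCerts).Count)"

    # TPM must be present and ready; "reduced functionality" shows up as TpmReady = False.
    $tpm = Get-Tpm
    New-Result 'TPM ready' ($tpm.TpmPresent -and $tpm.TpmReady) "present: $($tpm.TpmPresent); ready: $($tpm.TpmReady)"

    # Network Unlock needs native UEFI boot; $env:firmware_type reports UEFI or Legacy.
    New-Result 'UEFI boot' ($env:firmware_type -eq 'UEFI') "firmware_type: $($env:firmware_type)"

    # Show which key protectors the OS volume actually has.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    New-Result 'OS volume protectors' ([bool]$vol.KeyProtector) "status: $($vol.ProtectionStatus); protectors: $types"
}

$results = switch ($Role) {
    'Server' { Test-NetworkUnlockCert -RequirePrivateKey $true; Test-WdsServer }
    'Client' { Test-NetworkUnlockCert -RequirePrivateKey $false; Test-ClientPrereqs }
}

$results | Format-Table -AutoSize
Write-Host 'Manual check: the IP helper on the firewall must forward DHCP to BOTH the DHCP server and the WDS server.'
```

Because the Network Unlock request travels as a DHCP packet, a Wireshark capture on the WDS host filtered on `udp.port == 67` during pre-boot is the quickest way to confirm whether the helper forwards it; if the capture stays empty until Windows loads, the problem is on the network path rather than in the certificate or TPM configuration the script checks.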