Bitlocker Network Unlock with Hyper-V virtual machines?

Jo L 11 Reputation points
2022-02-22T19:17:47.287+00:00

I am testing Bitlocker Network Unlock, following https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.

I installed a Windows Server 2022 (evaluation copy, virtual machine on Hyper-V) with WDS and a certificate.

I installed a clean Windows 10 system also as a virtual machine, Gen 2, with TPM enabled, and joined my domain.

I created a group policy with a certificate and BitLocker requiring PIN+TPM, and assigned it to the new client above. I ran gpupdate /force and also checked gpupdate /r that the policy is applied.

Also the certificate at HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\FVE_NKP does exist.

manage-bde -protectors -get c: shows a protector TPM and PIN. Network certificate is missing.

However, there is no network unlock protector no matter how often I reboot. There is also no BOOTP traffic visible during system start.

Is network unlock not supported with Hyper-V virtual machines?

There is an old debate on that in https://social.msdn.microsoft.com/Forums/en-US/259715c3-7ca7-40d6-b9dc-b35bd4acd0bb/bitlocker-network-unlock-on-hyperv-gen2-virtual-machines?forum=winserver8gen, but definitely I do have a Gen 2 VM with TPM enabled.

Is there a definite answer?

Regards,
Joachim


2 answers

  1. Limitless Technology 39,646 Reputation points
    2022-03-01T22:10:02.907+00:00

    Hi @Jo L

    Yes, you can use Bitlocker Network Unlock on VM.

    The debate on the thread you shared is outdated, and the official Microsoft documentation states that password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (via Settings > Accounts > Access work or school > Connect) to receive policy.

    Below is the link for the official article where it has been stated.

    Can I use BitLocker with virtual machines (VMs)?
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831507(v=ws.11)?redirectedfrom=MSDN#can-i-use-bitlocker-with-virtual-machines-vms

    Hope this resolves your Query!!

    ----------

    --If the reply is helpful, please Upvote and Accept it as an answer–


  2. Jo L 11 Reputation points
    2022-03-04T21:14:52.807+00:00

    More steps:

    1. I was running Wireshark and it only showed DHCP DISCOVER/OFFER, not REQUEST/ACK. The ultimate issue was that I was running isc-dhcp-server on Linux, and that by default does a ping that one has to turn off. Also it is totally unclear in MS documentation what information is expected via DHCP and what might cause issues. After that I was also seeing the BOOTP request asking for the unlock key, but didn't see a reply.
    2. To figure out why WDS is not responding, check https://2pintsoftware.com/enabling-wds-debug-logging/ and https://social.technet.microsoft.com/Forums/windowsserver/en-US/c336eb7b-ef5a-4eca-a7b1-4220b730eaf3/bitlocker-network-unlock-event-id-24645-on-client. In my case the certificate was not in the correct store.
      Definitely the guides are confusing, inconsistent, and spread over so many different places.
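The two answers above boil down to a checklist: UEFI firmware (Gen 2 VM), a ready TPM, the certificate delivered by policy under the FVE_NKP key the question quotes, the network unlock policy itself, and, on the WDS side, the unlock certificate sitting in the right store. The script below is an added example for this thread, not something the original poster or Microsoft published; it is a read-only PowerShell check to run elevated on the booted client (`-Role Client`) or on the WDS server (`-Role Server`). It assumes the policy value name `OSManageNKP` under `HKLM\SOFTWARE\Policies\Microsoft\FVE`, the server-side store path `Cert:\LocalMachine\FVE_NKP` and the `WDSServer` service name; none of those appear on the page. The pre-boot DHCP/BOOTP exchange happens before Windows is running, so the script does not try to observe it; a packet capture on the network, as the author did, is still the way to see that part.

```powershell
<#
  Added example (not from the original thread): read-only prerequisite
  check for BitLocker Network Unlock on a Hyper-V Gen 2 guest or on the
  WDS server. Assumed, not taken from the page: the OSManageNKP value name,
  the Cert:\LocalMachine\FVE_NKP store path and the WDSServer service name.
#>
[CmdletBinding()]
param(
    [ValidateSet('Client', 'Server')]
    [string]$Role = 'Client',
    [string]$Drive = 'C:'
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail })
}

if ($Role -eq 'Client') {
    # 1. Network Unlock needs a UEFI boot path; a Gen 2 VM provides one, Gen 1 does not.
    $fw = $env:firmware_type
    Add-Check 'UEFI firmware' ($fw -eq 'UEFI') "firmware_type=$fw"

    # 2. The (virtual) TPM must be present and ready.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $tpmOk = [bool]$tpm -and $tpm.TpmPresent -and $tpm.TpmReady
    Add-Check 'TPM ready' $tpmOk "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"

    # 3. Certificate pushed by Group Policy (registry path quoted in the question).
    #    Policy-delivered certificates are stored as a 'Blob' value per thumbprint subkey.
    $nkpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\FVE_NKP'
    $blobs = @()
    if (Test-Path $nkpKey) {
        $blobs = @(Get-ChildItem -Path $nkpKey -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $null -ne $_.GetValue('Blob') })
    }
    Add-Check 'FVE_NKP policy certificate' ($blobs.Count -gt 0) "$($blobs.Count) blob(s) under $nkpKey"

    # 4. "Allow network unlock at startup" policy (assumed value name OSManageNKP).
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    Add-Check 'Network unlock policy' ($fve.OSManageNKP -eq 1) "OSManageNKP=$($fve.OSManageNKP)"

    # 5. Key protectors on the OS volume. The question reports TPM+PIN only; a network
    #    unlock protector is an additional entry, so flag anything beyond the usual three.
    #    (The exact type name of that protector is not asserted here.)
    $vol = Get-BitLockerVolume -MountPoint $Drive -ErrorAction SilentlyContinue
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $extra = @($types | Where-Object { $_ -notin @('Tpm', 'TpmPin', 'RecoveryPassword') })
    Add-Check 'TPM+PIN protector' ($types -contains 'TpmPin') ("Protectors: " + ($types -join ', '))
    Add-Check 'Additional (network unlock) protector' ($extra.Count -gt 0) ("Extra: " + ($extra -join ', '))
}
else {
    # Server side: WDS must be running and the unlock certificate (with its private key)
    # must live in the FVE_NKP store, the mistake the second answer describes.
    $wds = Get-Service -Name WDSServer -ErrorAction SilentlyContinue
    Add-Check 'WDS service running' ($wds.Status -eq 'Running') "Status=$($wds.Status)"

    $store = 'Cert:\LocalMachine\FVE_NKP'
    $certs = @()
    if (Test-Path $store) { $certs = @(Get-ChildItem -Path $store) }
    $withKey = @($certs | Where-Object { $_.HasPrivateKey })
    Add-Check 'Certificate in FVE_NKP store' ($withKey.Count -gt 0) "$($certs.Count) cert(s), $($withKey.Count) with private key"

    $expired = @($withKey | Where-Object { $_.NotAfter -lt (Get-Date) })
    Add-Check 'Certificate not expired' ($expired.Count -eq 0) "Expired: $($expired.Count)"
}

$results | Format-Table -AutoSize
```

Run it as `.\Test-NetworkUnlock.ps1 -Role Client` on the Windows 10 guest and `-Role Server` on the WDS box; a single failed row points at the layer to look at before reaching for Wireshark. The DHCP-side behaviour the second answer ran into is a separate check: isc-dhcp-server's `ping-check` option is on by default, and a client firmware that does not answer ICMP during the lease handshake will never get past OFFER.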
