BitLocker Network Unlock still asking for PIN

Andrei Bondarchuk 1 Reputation point
2022-05-30T04:36:26.863+00:00

Hi
I'm having trouble getting Network Unlock to work. BitLocker is still asking me to enter the PIN.
I was following this guide: https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock

  1. The configuration is: the WDS server is separate from the DHCP server.
  2. There are three protectors on the OS drive.
  3. The certificate thumbprint is the same as the one deployed to WDS.
  4. The certificate, which is self-signed, is installed in the Personal folder (Local Computer) AND in Trusted Root Certification Authorities (Local Computer). I installed it there because a message required doing so; otherwise it said the certificate root is not trusted.
  5. I can see that the computer is getting an IP address assigned and then sending a BOOTP request with vendor-specific information, but there is no response from WDS. I traced that with Wireshark installed on the WDS server.
  6. I enabled the Debug and Operational logs on WDS, but there are no messages for the time when the BitLocker machine boots up. It seems like the Debug and Operational logs are not registering any PXE requests at all. My thought was that "Debug" would be the ultimate level of logging, but it is still missing something.

Any ideas on how to track down the reason why WDS is ignoring the BOOTP requests?
Thanks

[Attached screenshots: protectors.png, bootp-request.jpg]


1 answer

  1. Limitless Technology 39,926 Reputation points
    2022-06-06T07:55:09.443+00:00

    Hello

    Thank you for your question and for reaching out. I understand you are having issues related to BitLocker Network Unlock.

    Please follow the general troubleshooting guide below.

    Collect the following:

    1. The Windows event logs. Specifically, get the BitLocker event logs and the Microsoft-Windows-Deployment-Services-Diagnostics-Debug log.

       Debug logging is turned off by default for the WDS server role, so you need to enable it before you can retrieve it. Use either of the following two methods to turn on WDS debug logging.

       Method 1: Start an elevated command prompt, and then run the following command:

           wevtutil sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true

       Method 2: Open Event Viewer on the WDS server:
         a. In the left pane, select Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics > Debug.
         b. In the right pane, select Enable Log.

    2. The DHCP subnet configuration file (if one exists).

    3. The output of the BitLocker status on the volume. Gather this output into a text file by using manage-bde -status. Or in Windows PowerShell, use Get-BitLockerVolume.

    4. The Network Monitor capture on the server that hosts the WDS role, filtered by client IP address.

    Reference :

    https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues


    --If the reply is helpful, please Upvote and Accept as answer--

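The evidence the answer asks for (protector list, manage-bde status, the WDS debug and operational logs, a capture filtered by client IP) can be gathered in one pass with the script below. This is an added example, not code from the question, the answer, or Microsoft's documentation. The parameter names, the output folder, the sample client address 10.0.0.50 and the look-back window are constructed for this example; the Operational log name is assumed to follow the same naming as the Debug log the answer quotes. Run it elevated with -Role Client on the BitLocker machine and -Role Server on the WDS server.

```powershell
<#
  Added example (not from the question, the answer or Microsoft).
  Collects the Network Unlock diagnostics the answer lists.
  Assumed: parameter names, $OutDir, the constructed sample IP 10.0.0.50,
  and the Operational log name (modelled on the Debug log name).
#>
[CmdletBinding()]
param(
    [ValidateSet('Client', 'Server')]
    [string]$Role = 'Client',
    [string]$ClientIp = '10.0.0.50',          # constructed sample; only used for -Role Server
    [string]$OutDir = "$env:TEMP\nu-diag",   # assumed output folder
    [int]$LookBackMinutes = 60
)

$null = New-Item -ItemType Directory -Path $OutDir -Force
$since = (Get-Date).AddMinutes(-$LookBackMinutes)

if ($Role -eq 'Client') {
    # 1. Key protectors on the OS volume. Network Unlock relies on a network key
    #    protector being present next to the TPM-based one; compare this list
    #    with the three protectors the question mentions.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $os.KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId |
        Tee-Object -FilePath (Join-Path $OutDir 'protectors.txt')

    # manage-bde -status output into a text file, as the answer requests.
    manage-bde -status $env:SystemDrive | Out-File (Join-Path $OutDir 'manage-bde-status.txt')

    # 2. The Network Unlock certificate delivered by policy sits in the FVE_NKP
    #    enterprise store; its thumbprint must match the WDS server's certificate.
    certutil -viewstore -enterprise FVE_NKP | Out-File (Join-Path $OutDir 'fve_nkp-store.txt')

    # 3. BitLocker management events around the boot in question.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Format-List TimeCreated, Id, LevelDisplayName, Message |
        Out-File (Join-Path $OutDir 'bitlocker-events.txt')
}
else {
    # 1. The Network Unlock feature and the WDS service must both be present.
    Get-WindowsFeature -Name BitLocker-NetworkUnlock |
        Select-Object Name, InstallState | Tee-Object -FilePath (Join-Path $OutDir 'feature.txt')
    Get-Service -Name WDSServer |
        Select-Object Name, Status | Tee-Object -FilePath (Join-Path $OutDir 'wds-service.txt')

    # 2. Thumbprints in the machine Personal store, to compare with the client's FVE_NKP store.
    Get-ChildItem Cert:\LocalMachine\My |
        Select-Object Thumbprint, Subject, NotAfter |
        Out-File (Join-Path $OutDir 'wds-personal-store.txt')

    # 3. Enable the WDS debug log (the answer's command) and record its configuration.
    wevtutil sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true
    wevtutil gl Microsoft-Windows-Deployment-Services-Diagnostics/Debug |
        Out-File (Join-Path $OutDir 'wds-debug-log-config.txt')

    # 4. Recent Debug and Operational events. An empty Debug log while the capture
    #    shows BOOTP requests arriving means the packets never reach the WDS PXE
    #    listener, which narrows the question asked in the thread.
    foreach ($log in 'Microsoft-Windows-Deployment-Services-Diagnostics/Debug',
                     'Microsoft-Windows-Deployment-Services-Diagnostics/Operational') {   # Operational name assumed
        $name = ($log -split '/')[-1]
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
            Format-List TimeCreated, Id, LevelDisplayName, Message |
            Out-File (Join-Path $OutDir "wds-$name-events.txt")
    }

    # 5. Listener check: with DHCP on a different host, the PXE provider should be
    #    bound on UDP 67 and 4011 on the interface the client's broadcast reaches.
    Get-NetUDPEndpoint -LocalPort 67, 4011 -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess |
        Tee-Object -FilePath (Join-Path $OutDir 'udp-listeners.txt')

    # 6. Display filter for the capture the answer asks for, limited to the client address.
    $filter = "(udp.port == 67 || udp.port == 68 || udp.port == 4011) && ip.addr == $ClientIp"
    $filter | Out-File (Join-Path $OutDir 'capture-filter.txt')
}

"Diagnostics written to $OutDir"
```

Reading the two sides together is the point: if the client's FVE_NKP thumbprint matches a certificate in the server's Personal store, the feature is installed, the service is running and UDP 67/4011 are bound, yet the Debug log stays empty while the capture shows the client's BOOTP request, the request is being dropped before the WDS PXE provider sees it (host firewall, wrong interface, or the BOOTP request not carrying the expected vendor-specific data).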
