Windows 10: How to config WDS in a way that bitlocker network unlock work properly?

Hi Pals,

I have client system with UEFI enabled dhcp, system drive encrypted with PIN+TPM and network protector certificate is deployed!


At boot time, valid ip obtained by dhcp but no drive key acquired! and bit-locker blue screen appeared to enter key manually!


any one can help me about correct configuration of WDS?


Best Regards!

:)

 

BitLocker Network Unlock

Everything is straight forward in setting up and configuring this. However we have a question pertaining to the set up with the WDS server for the 'bypass'.

Our concern:

* the WDS server is essentially the single point of failure. If it ever went down all of the network workstations would prompt our users for the PIN to unlock the drive

Our question

* Is there any way to set up a secondary WDS server or some form of failover to build resilency? If our concern ever manifested itself, all of our workstation users would be locked out because they wouldn't have the PIN and this would result in a flood
of support calls.

Alternative

* As far as I'm aware this is not possible but I'll ask anyways - can Bitlocker employ the AD password to unlock similar Symantec PGP disk encryption?

 

Bitlocker Network Unlock - DHCP/PXE Question

We are rolling out Network Unlock for Bitlocker on Win10 Enterprise machines.

Clients are on VLAN1

DHCP Server is on VLAN10

WDS Server is on VLAN10

WDS and DHCP are on different servers.

Everything looks correct. Clients are getting the Certificate from GPO. Subnet BDE file has been created.

Clients are UEFI and correct - protectors TPMandPIN have been installed.

From WDS we can verify the cert in the cert store "certutil.exe -verifystore FVENKP"

From client we can verify the cert and protectors "manage-bde -protectors -get C:"

Our switching fabric uses IP helpers for DHCP which is working correctly.

But we still get the prompt for PIN.

I have enabled Debug logging for WDS Server. I am getting an error,

[WDSServer] [base\eco\wds\wdsmgmt\src\wdsdirectoryservicesusepolicy.cpp:306] Expression: , Win32 Error=0x2

Have not found what this error means.

Do I need to configure anything on DHCP server clients to communicate w. WDS server during boot to bypass PIN?

or

Do I need to configure anything on WDS server for DHCP?

Client can communicate w/ DHCP and WDS server -> network access is good.

From MS Docs on Bitlocker Network Unlock. I am assuming the issues is on phase 3&4 of the unlock process.

Any help on troubleshooting to ID the issue would be appreciated.

Thanks,

 

HELP: Automatic BitLocker Unlock.

Thank you sir, ill try your solution.

Windows Auto unlock ONLY works in case you have Bitlocker on your system drive, because if your system drive is not encrypted auto unlocking other drives means loss of security.
But in my case my system drive is Encrypted with hardware encryption that i password unlock during boot. So auto unlocking Bitlocker drives will do fine for me.