- Hysolate Free for Sensitive Access: Run sensitive activities in an isolated workspace - Thu, Dec 2 2021
- Manage security baselines and compliance policies using Intune - Mon, Nov 29 2021
- Block the installation of USB devices on Windows PCs using Intune - Tue, Nov 23 2021
- Configure BitLocker Network Unlock
- Install WDS and the BitLocker Network Unlock feature
- Create the certificate template for BitLocker Network Unlock
- Request, issue, and export the BitLocker Network Unlock certificate
- Import the certificate and private key to the WDS server
- Configure the Group Policy for BitLocker Network Unlock
- Wrapping Up
The BitLocker Network Unlock process includes the following steps, according to Microsoft:
- Windows boot manager detects a Network Unlock protector in the BitLocker configuration.
- The client computer uses its DHCP driver in the UEFI to obtain a valid IPv4 IP address.
- The client computer broadcasts a vendor-specific DHCP request that contains:
- A network key (a 256-bit intermediate key) encrypted by the 2048-bit RSA public key of the Network Unlock certificate from the WDS server
- An AES-256 session key for the reply
- The Network Unlock provider on the WDS server recognizes the vendor-specific request.
- The provider decrypts the request by using the WDS server's BitLocker Network Unlock certificate RSA private key.
- The WDS provider returns the network key encrypted with the session key using its own vendor-specific DHCP reply to the client computer. This key is an intermediate key.
- The returned intermediate key is combined with another local 256-bit intermediate key. This key can be decrypted only by the TPM.
- This combined key is used to create an AES-256 key that unlocks the volume.
- The boot sequence continues.
To make this process possible, you need a DHCP Server, WDS Server, UEFI-capable clients, and the BitLocker Network unlock certificate deployed, generally by GPO.
Configure BitLocker Network Unlock ^
To configure BitLocker Network Unlock, perform the following steps:
- Install WDS and the BitLocker Network Unlock feature.
- Create the certificate template for BitLocker Network Unlock.
- Request, issue, and export the BitLocker Network Unlock certificate.
- Import the certificate and private key to the WDS server.
- Configure the Group Policy for BitLocker Network Unlock.
Install WDS and the BitLocker Network Unlock feature ^
On the WDS server, make sure you have the WDS role installed and the BitLocker Network Unlock feature.
Installing the BitLocker Network Unlock component registers the nkpprov.dll as a separate PXE. This provider listens to all DHCP broadcasts on the network and only responds if the request is for Network Unlock. It will not respond to regular DHCP/PXE packets.
Create the certificate template for BitLocker Network Unlock ^
The next step is to create a certificate template that can be used to issue a BitLocker Network Unlock certificate. To do this, use the Certificate Template management console. Once you open the Certificate Template management console, duplicate the existing user template.
For the exact configuration needed in the new BitLocker Network Unlock template, note the tabs and configuration:
- Compatibility Tab—Change the Certification Authority and certificate recipient fields to Windows Server 2012 and Windows 8, respectively. Enable Show resulting changes.
- General Tab—Give the template an intuitive name, something related to "BitLocker Network Unlock." Clear the check box for Publish certificate in Active Directory.
- Request Handling Tab—From the Purpose drop-down menu, select Encryption. Allow the private key to be exported.
- Cryptography Tab—Set the minimum key size to 2048. (For this template, you can use any Microsoft cryptographic provider that supports RSA. But for simplicity and forward compatibility, we recommend using the Microsoft Software Key Storage Provider.)
- Select requests must use one of the following providers. Then, clear all options except for your selected cryptography provider, such as the Microsoft Software Key Storage Provider.
- Subject Name Tab—Supply in the request.
- Issuance Requirements Tab—Select both CA certificate manager approval and Valid existing certificate.
- Extensions Tab—Select Application Policies > Edit.
- In the Edit Application Policies Extension dialog box, click SHIFT+Select Client Authentication, Encrypting File System, and Secure Email. Click Remove.
- In the Edit Application Policies Extension dialog box, select Add.
- In the Add Application Policy dialog box, select New. Enter the following information in the space provided, and then select OK to create the BitLocker Network Unlock application policy.
- Name: BitLocker Network Unlock
- Object Identifier: 126.96.36.199.4.1.3188.8.131.52
- Select the newly created BitLocker Network Unlock application policy, and then click OK.
- Extensions Tab—Edit Key Usage Extension and select Allow key exchange only with key encryption (key encipherment). Select Make this extension critical.
- Security Tab—Confirm that the Domain Admins group has been granted Enroll permissions. Click OK.
Request, issue, and export the BitLocker Network Unlock certificate ^
Since the BitLocker Network Unlock template is created, we can use the template to request a certificate from the WDS server. Open the Certificate Manager (certmgr.msc). Select Personal > Certificates. Right-click, and select All Tasks > Request New Certificate.
After you choose the Active Directory Enrollment Policy, you will see a list, including the new BitLocker Network Unlock option. Enter the subject name and friendly name for the certificate.
After enrolling, you will see the enrollment request sent.
Go to your certificate server and select the pending certificate request. Right-click and choose All Tasks > Issue.
Once the certificate is issued, there are two exports you need to do: the X.509 certificate itself and the certificate and private key.
The X.509 certificate will be used as the public key issued to clients that you want to unlock using the BitLocker Network Unlock functionality.
Import the certificate and private key to the WDS server ^
Now, reimport the PFX file to the BitLocker Drive Encryption Network Unlock node under the Local Computer certificate context. On the WDS server, open a new Microsoft Management Console (MMC) and then add the Certificates snap-in. Select the computer account and local computer.
Import the PFX file exported earlier. Enter the password for the PFX import created on the private key.
Configure the Group Policy for BitLocker Network Unlock ^
Now that the certificate is in place with the private key on the WDS server, you need to configure Group Policy settings for the BitLocker Network Unlock clients. Navigate to \Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.
Do the following:
- Enable the policy Require additional authentication at startup, and then select Require startup PIN with TPM or Allow startup PIN with TPM.
- Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
Now, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption Network Unlock Certificate. Add the .cer file that you exported earlier to the BitLocker Drive Encryption Network Unlock Certificate node in the Group Policy by right-clicking and choosing Add Network Unlock Certificate.
Reboot the client computers to which the Group Policy is applied or update them using
Wrapping Up ^
If BitLocker Network Unlock is correctly configured, domain-joined BitLocker encrypted endpoints will be accessible remotely while connected to the trusted production LAN.
Subscribe to 4sysops newsletter!
This provides a great option for organizations looking to gain the benefits of BitLocker encryption and still service end-user clients remotely.