With BitLocker in TPM+PIN mode, someone must be physically at the device to enter the PIN whenever the endpoint boots or resumes from sleep. That is a problem for remote helpdesk technicians who want to use Wake on LAN to access the endpoint, install software, and perform other tasks. For this reason, Microsoft created BitLocker Network Unlock.

The BitLocker Network Unlock process includes the following steps, according to Microsoft:

  1. Windows boot manager detects a Network Unlock protector in the BitLocker configuration.
  2. The client computer uses the DHCP driver in its UEFI firmware to obtain a valid IPv4 address.
  3. The client computer broadcasts a vendor-specific DHCP request that contains:
    • A network key (a 256-bit intermediate key) encrypted by the 2048-bit RSA public key of the Network Unlock certificate from the WDS server
    • An AES-256 session key for the reply
  4. The Network Unlock provider on the WDS server recognizes the vendor-specific request.
  5. The provider decrypts the request by using the WDS server's BitLocker Network Unlock certificate RSA private key.
  6. The WDS provider returns the network key encrypted with the session key using its own vendor-specific DHCP reply to the client computer. This key is an intermediate key.
  7. The returned intermediate key is combined with another local 256-bit intermediate key. This key can be decrypted only by the TPM.
  8. This combined key is used to create an AES-256 key that unlocks the volume.
  9. The boot sequence continues.
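The nine steps above as an added Go model of the exchange (example code written for this page, not Microsoft's or the author's): the client seals its network key and session key for the WDS server, only the holder of the Network Unlock private key can answer, and the returned key is worthless without the TPM-held local key. RSA-OAEP for the request, AES-GCM for the reply and SHA-256 as the step-8 combination are assumptions, and a freshly generated RSA-2048 key pair stands in for the WDS certificate.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Reply is the step-6 answer: the network key sealed under the client's session key (AES-GCM assumed).
type Reply struct{ Nonce, Sealed []byte }

// Test-bench helpers: random key material, and a fresh RSA-2048 key pair standing in for the WDS
// server's Network Unlock certificate (the real one comes from the CA, as described on this page).
func randomBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
func NewWDSKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// aead builds AES-GCM over a 32-byte key; with a 32-byte key neither constructor can fail.
func aead(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }

// ClientRequest (step 3): generate the 256-bit network key and the AES-256 session key, then seal
// both under the WDS public key as the vendor-specific DHCP payload (RSA-OAEP is an assumption).
func ClientRequest(wdsPub *rsa.PublicKey) (netKey, sessKey, req []byte, err error) {
	netKey, sessKey = randomBytes(32), randomBytes(32)
	req, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, wdsPub, append(append([]byte{}, netKey...), sessKey...), nil)
	return
}

// ServerReply (steps 4-6): only the holder of the Network Unlock private key can recover the keys
// and answer; any other server, or a request that is not Network Unlock, gets no usable reply.
func ServerReply(wdsPriv *rsa.PrivateKey, req []byte) (Reply, error) {
	keys, err := rsa.DecryptOAEP(sha256.New(), nil, wdsPriv, req, nil)
	if err != nil || len(keys) != 64 { return Reply{}, rsa.ErrDecryption }
	nonce := randomBytes(12) // 96-bit GCM nonce
	return Reply{Nonce: nonce, Sealed: aead(keys[32:]).Seal(nil, nonce, keys[:32], nil)}, nil
}

// ClientUnlock (steps 7-8): open the reply, then combine the returned network key with the local
// intermediate key that only the TPM can release; without the TPM the network key alone is useless.
func ClientUnlock(sessKey, tpmLocalKey []byte, rep Reply) ([]byte, error) {
	netKey, err := aead(sessKey).Open(nil, rep.Nonce, rep.Sealed, nil) // a forged or tampered reply fails here
	if err != nil { return nil, err }
	return VolumeKey(netKey, tpmLocalKey), nil
}

// VolumeKey is the step-8 combination; SHA-256 over both keys is an assumption, not BitLocker's real KDF.
func VolumeKey(netKey, tpmLocalKey []byte) []byte { s := sha256.Sum256(append(append([]byte{}, netKey...), tpmLocalKey...)); return s[:] }
```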

To make this process possible, you need a DHCP server, a WDS server, UEFI-capable clients, and the BitLocker Network Unlock certificate deployed to the clients, generally by GPO.

Configure BitLocker Network Unlock

To configure BitLocker Network Unlock, perform the following steps:

  1. Install WDS and the BitLocker Network Unlock feature.
  2. Create the certificate template for BitLocker Network Unlock.
  3. Request, issue, and export the BitLocker Network Unlock certificate.
  4. Import the certificate and private key to the WDS server.
  5. Configure the Group Policy for BitLocker Network Unlock.

Install WDS and the BitLocker Network Unlock feature

On the WDS server, make sure you have the WDS role installed and the BitLocker Network Unlock feature.

Installing the Windows Deployment Services WDS role

Installing the BitLocker Network Unlock component registers nkpprov.dll as a separate PXE provider. This provider listens to all DHCP broadcasts on the network and responds only to Network Unlock requests; it does not answer regular DHCP or PXE packets.

Installing the BitLocker Network Unlock

Create the certificate template for BitLocker Network Unlock

The next step is to create a certificate template that can be used to issue a BitLocker Network Unlock certificate. To do this, use the Certificate Template management console. Once you open the Certificate Template management console, duplicate the existing user template.

Duplicate the existing user certificate template

For the exact configuration needed in the new BitLocker Network Unlock template, note the tabs and configuration:

  • Compatibility Tab—Change the Certification Authority and certificate recipient fields to Windows Server 2012 and Windows 8, respectively. Enable Show resulting changes.
  • General Tab—Give the template an intuitive name, something related to "BitLocker Network Unlock." Clear the check box for Publish certificate in Active Directory.
  • Request Handling Tab—From the Purpose drop-down menu, select Encryption. Allow the private key to be exported.
  • Cryptography Tab—Set the minimum key size to 2048. (For this template, you can use any Microsoft cryptographic provider that supports RSA. But for simplicity and forward compatibility, we recommend using the Microsoft Software Key Storage Provider.)
    • Select Requests must use one of the following providers, and then clear every provider except the one you chose, such as the Microsoft Software Key Storage Provider.
  • Subject Name Tab—Supply in the request.
  • Issuance Requirements Tab—Select both CA certificate manager approval and Valid existing certificate.
  • Extensions Tab—Select Application Policies > Edit.
    • In the Edit Application Policies Extension dialog box, hold SHIFT and select Client Authentication, Encrypting File System, and Secure Email, and then click Remove.
    • In the Edit Application Policies Extension dialog box, select Add.
    • In the Add Application Policy dialog box, select New. Enter the following information in the space provided, and then select OK to create the BitLocker Network Unlock application policy.
      • Name: BitLocker Network Unlock
      • Object Identifier: 1.3.6.1.4.1.311.67.1.1
    • Select the newly created BitLocker Network Unlock application policy, and then click OK.
  • Extensions Tab—Edit Key Usage Extension and select Allow key exchange only with key encryption (key encipherment). Select Make this extension critical.
  • Security Tab—Confirm that the Domain Admins group has been granted Enroll permissions. Click OK.

Duplicating the user template and customizing the BitLocker Network Unlock template

Request, issue, and export the BitLocker Network Unlock certificate

Now that the BitLocker Network Unlock template exists, use it to request a certificate from the WDS server. Open the Certificate Manager (certmgr.msc) and select Personal > Certificates. Right-click, and select All Tasks > Request New Certificate.

Request a new certificate for BitLocker Network Unlock

After you choose the Active Directory Enrollment Policy, you will see a list, including the new BitLocker Network Unlock option. Enter the subject name and friendly name for the certificate.

Select the BitLocker Network Unlock Active Directory Enrollment Policy

After you click Enroll, the request is sent to the CA and shows as pending, because the template requires CA certificate manager approval.

Enrollment request sent and enrollment pending

Go to your certificate server and select the pending certificate request. Right-click and choose All Tasks > Issue.

Issuing the pending BitLocker Network Unlock certificate

Once the certificate is issued, you need two exports: the X.509 certificate alone (a .cer file) and the certificate together with its private key (a PFX file).

Export the certificate from the personal store of the current user

The X.509 certificate (.cer) contains only the public key; it is deployed to the clients you want to unlock with BitLocker Network Unlock.
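Before the exported .cer goes into Group Policy, it is worth confirming that the template settings listed above actually made it into the issued certificate. The checker below is an added Go example (not code from the page or from Microsoft): it parses a DER certificate and reports every deviation from the template requirements, and SelfSignedCert builds constructed test certificates so the checker can be run offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/asn1"
	"math/big"
	"time"
)

// OID of the BitLocker Network Unlock application policy entered on the template's Extensions tab.
var oidNetworkUnlock = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 67, 1, 1}

// CheckNetworkUnlockCert lists every way a DER-encoded certificate (the exported .cer) deviates from the
// template on this page: RSA >= 2048, Network Unlock EKU only, and a critical Key Usage with key encipherment.
func CheckNetworkUnlockCert(der []byte) []string {
	cert, err := x509.ParseCertificate(der)
	if err != nil { return []string{"not a parseable X.509 certificate: " + err.Error()} }
	var problems []string
	check := func(ok bool, msg string) { if !ok { problems = append(problems, msg) } }
	pub, isRSA := cert.PublicKey.(*rsa.PublicKey)
	check(isRSA && pub.N.BitLen() >= 2048, "public key is not RSA of at least 2048 bits")
	hasEKU := false
	for _, oid := range cert.UnknownExtKeyUsage {
		hasEKU = hasEKU || oid.Equal(oidNetworkUnlock)
	}
	check(hasEKU, "missing application policy "+oidNetworkUnlock.String())
	check(len(cert.ExtKeyUsage) == 0, "standard EKUs (Client Authentication, EFS, Secure Email) were not removed")
	check(cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0, "key usage lacks key encipherment")
	critical := false
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 15}) { // id-ce-keyUsage
			critical = ext.Critical
		}
	}
	check(critical, "key usage extension is not marked critical")
	return problems
}

// SelfSignedCert builds a constructed self-signed test certificate (not CA-issued); (true, true) matches the template.
func SelfSignedCert(keyEncipherment, networkUnlockEKU bool) []byte {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	if keyEncipherment { tmpl.KeyUsage = x509.KeyUsageKeyEncipherment } // Go marks this extension critical
	if networkUnlockEKU { tmpl.UnknownExtKeyUsage = []asn1.ObjectIdentifier{oidNetworkUnlock} }
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}
```

To check a real export, read the .cer file (DER) into a byte slice and pass it to CheckNetworkUnlockCert; an empty result means the certificate matches the template.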

Export the issued certificate as a PFX containing both the certificate and the private key

Import the certificate and private key to the WDS server

Now, import the PFX file into the BitLocker Drive Encryption Network Unlock node under the Local Computer certificate store. On the WDS server, open a new Microsoft Management Console (MMC), add the Certificates snap-in, and select Computer account and Local computer.

Import the PFX file exported earlier, entering the password that was set on the private key when the PFX was exported.

Import the PFX into the Computer certificates node

Configure the Group Policy for BitLocker Network Unlock

Now that the certificate is in place with the private key on the WDS server, you need to configure Group Policy settings for the BitLocker Network Unlock clients. Navigate to \Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.

Do the following:

  • Enable the policy Require additional authentication at startup, and then select Require startup PIN with TPM or Allow startup PIN with TPM.
  • Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.

Require additional authentication at startup

Allow startup PIN with TPM

Now, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption Network Unlock Certificate. Add the .cer file that you exported earlier to the BitLocker Drive Encryption Network Unlock Certificate node in the Group Policy by right-clicking and choosing Add Network Unlock Certificate.

Select the Network Unlock Certificate exported from the WDS server

Reboot the client computers to which the Group Policy applies, or refresh the policy on them by running:

gpupdate /force

Wrapping Up

If BitLocker Network Unlock is correctly configured, domain-joined, BitLocker-encrypted endpoints will be accessible remotely while they are connected to the trusted production LAN.

This provides a great option for organizations looking to gain the benefits of BitLocker encryption and still service end-user clients remotely.

2 Comments
  1. Marc 2 years ago

    Ah, you still need to be on-prem for this to work, sad. I was hoping it was fully remote (client and helpdesk). Still an interesting solution worth looking into.

  2. vartaxe 2 years ago

    I suppose there is no way to get this working with 802.1x.

© 4sysops 2006 - 2023