3 Replies Latest reply on Dec 7, 2018 4:39 PM by N.Scott.Pearson

    Does NUC6i7KYB support Bitlocker Network Unlock?  No DHCP requests sent by UEFI.

    sfwrtr

We have three dozen NUC6i7KYB and we require Bitlocker Network Unlock to work on this hardware so that once disconnected from our network, the information on each is useless to a thief.  The test client NUC6i7KYB has been updated to version 59 of the BIOS.  Windows 10 was installed last week from the most up-to-date Microsoft download and fully patched.  Bitlocker is administered from a NUC6i7KYB Server 2016 server with AD DS and WDS installed.  The DHCP server is on a different box on the same subnet.  All Bitlocker features and roles are installed.  The self-signed Bitlocker certificate has the correct thumbprint, is trusted, and installed.  The certificate and the Bitlocker GPO configuration are confirmed to have replicated on the client NUC6i7KYB, including the certificate in a trusted store with TPM+PIN key protectors and the proper configuration that includes Network Unlock as enabled.  Our references are linked below.

      The client NUC6i7KYB has PTT enabled.  Legacy BIOS is completely off.  UEFI boot is enabled and Windows was installed with UEFI enabled.  The client NUC6i7KYB's TPM shows as ready in Windows (and it does not state "with reduced functionality").    We made attempts to make it work with Secure Boot on and off.  Intel's platform key is installed.  We've cleared the TPM and started over more than once.

      The client NUC6i7KYB always requests the Bitlocker PIN.  Bitlocker unlocks the secured drive with the PIN.  The domain server properly stores the recovery key.  A network trace shows no DHCP requests being made from the client following POST.  This is the start of communication to the WDS server that allows the Network Unlock to work in the pre-boot UEFI environment.

      Oddly enough, attempts to do a PXE boot using IPv4 and IPv6 will send some requests we can see on the trace, but we don't support network boot.

      My questions are: Does the NUC6i7KYB support Network Unlock for Bitlocker?  Is this a NUC6i7KYB or a Microsoft UEFI software issue?  Is it an Intel UEFI ethernet/network driver issue, and, if so, how do you update the UEFI partition?

      -Robert

      ----

      References:

      https://blogs.technet.microsoft.com/dubaisec/2016/04/14/bitlocker-network-unlock/

      https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview

      https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.VolumeEncryption::EncryptionMethodNoDiffuser_Name
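The post above lists the client-side prerequisites the poster checked by hand (UEFI boot, Secure Boot state, TPM/PTT readiness, TPM+PIN protectors, the replicated Network Unlock certificate). The following script is an added example, not code from the poster or from Intel or Microsoft, that collects those same checks from the client in one pass so a misapplied GPO or missing certificate can be ruled out before blaming the firmware's DHCP driver. It assumes the Network Unlock certificate lands in the `Cert:\LocalMachine\FVE_NKP` store and that the BitLocker key protector type for Network Unlock is reported as `TpmNetworkKey`; both are assumptions to cross-check against `manage-bde -protectors -get C:` on your own build.

```powershell
# Added diagnostic script (not part of the original post). Run it elevated on
# the BitLocker client. It reports the prerequisites for Network Unlock that
# can be verified from inside Windows; it cannot observe what the UEFI
# network stack does before the OS loads, so a missing DHCP request in a
# packet trace still has to be checked with the firmware vendor.

#Requires -RunAsAdministrator

function Test-NetworkUnlockPrereqs {
    [CmdletBinding()]
    param([string]$MountPoint = 'C:')

    $result = [ordered]@{}

    # 1. Firmware mode: Network Unlock only works on UEFI boot.
    #    $env:firmware_type is set by Windows to 'UEFI' or 'Legacy'.
    $result.FirmwareType = $env:firmware_type

    # 2. Secure Boot state (the cmdlet throws on legacy BIOS systems).
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = 'unavailable' }

    # 3. TPM / PTT readiness as Windows sees it.
    $tpm = Get-Tpm
    $result.TpmPresent = $tpm.TpmPresent
    $result.TpmReady   = $tpm.TpmReady

    # 4. Key protectors on the OS volume. A TPM+PIN protector is what the
    #    poster configured; the network key protector is what Network Unlock
    #    adds once the GPO and certificate have applied.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $result.ProtectionStatus = $vol.ProtectionStatus
    $result.KeyProtectors    = ($vol.KeyProtector.KeyProtectorType |
                                ForEach-Object { "$_" }) -join ', '
    $result.HasTpmPin        = [bool]($vol.KeyProtector |
                                Where-Object KeyProtectorType -eq 'TpmPin')
    # Assumption: the enum name for the Network Unlock protector is TpmNetworkKey.
    $result.HasNetworkKey    = [bool]($vol.KeyProtector |
                                Where-Object KeyProtectorType -eq 'TpmNetworkKey')

    # 5. Network Unlock certificate delivered by Group Policy.
    #    Assumption: it is stored in the FVE_NKP machine certificate store.
    $nkpCerts = @(Get-ChildItem -Path 'Cert:\LocalMachine\FVE_NKP' -ErrorAction SilentlyContinue)
    $result.NetworkUnlockCertThumbprints = ($nkpCerts | ForEach-Object Thumbprint) -join ', '

    [pscustomobject]$result
}

$r = Test-NetworkUnlockPrereqs
$r | Format-List

# Point at the first unmet prerequisite rather than leaving the reader to
# interpret the raw object.
if ($r.FirmwareType -ne 'UEFI') {
    Write-Warning 'Not booted in UEFI mode; Network Unlock is never attempted under legacy BIOS.'
}
if (-not $r.TpmReady) {
    Write-Warning 'TPM/PTT is not reported as ready; BitLocker cannot use it for Network Unlock.'
}
if (-not $r.HasTpmPin) {
    Write-Warning 'No TPM+PIN protector on the OS volume.'
}
if (-not $r.NetworkUnlockCertThumbprints) {
    Write-Warning 'No certificate in the FVE_NKP store; the Network Unlock GPO may not have applied. Run gpupdate /force and re-check.'
}
if (-not $r.HasNetworkKey) {
    Write-Warning 'No network key protector on the OS volume. Cross-check with: manage-bde -protectors -get C:'
}
```

If every check passes and the pre-boot packet trace still shows no DHCP from the client, the remaining variable is the firmware's UEFI network stack, which this script cannot inspect; that is the point at which the question belongs with the hardware vendor, as the poster asks.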