Last month, Microsoft released a KnowledgeBase article regarding BitLocker Network Unlock. Basically, Windows 8-based and Windows Server 2012-based client computers sometimes may not receive or use the Network Unlock Protector feature, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server.
About BitLocker Network Unlock
A new feature in BitLocker Drive Encryption in Windows 8 and Windows Server 2012 is BitLocker Network Unlock. This feature allows for automatic unlock of the Operating System drive when a Windows 8 Pro, Windows 8 Enterprise, Windows Server 2012 Standard or Windows Server 2012 Datacenter machine is booted while connected to the corporate network. This feature allows for desktops and servers to be secure, but not burdening the user with security protocol.
This feature requires the client hardware to have a DHCP driver implemented in its UEFI 2.3.1 firmware. To properly support DHCP within UEFI, the UEFI-based system should be in native mode without a BIOS Compatibility Mode or Legacy Mode enabled.
On a Windows 8-based client computer or Windows Server 2012-based server, you are prompted to enter the BitLocker PIN to start Windows. This occurs even though the computer is connected through an Ethernet cable to the physical corporate Local Area Network (LAN) and the BitLocker Network Unlock feature is enabled and implemented.
Windows 8-based and Windows Server 2012-based client computers sometimes may not receive or use the Network Unlock Protector feature, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server.
Any message that is received by a DHCP server that includes a DHCP message option type 51 is assumed to have been sent by a DHCP client. Messages that do not have the DHCP Message Type option are assumed to have been sent by a BOOTP client. Windows Server-based DHCP/BOOTP servers will return packets based on the protocol it thinks is in use by the client, accordingly.
When looking at BitLocker Network Unlock, the first two packets sent by the BitLocker Network Unlock client have the message type option. These DHCP DISCOVER\REQUEST requests are DHCP protocol based.
The DHCP request (that is, the third request) that is sent by client does not have the Message Type option. This means that the request is considered BOOTP protocol based.
According to RFC 951, a DHCP server that supports BOOTP clients must interact with BOOTP clients according to the BOOTP protocol. The server must create a BOOTP BOOTREPLY message instead of a DHCP DHCPOFFER message. (That is, the server must not include the DHCP message option type and must not exceed the size limit for BOOTREPLY messages.)
The server marks a binding for a BOOTP client as BOUND after the server sends the BOOTP BOOTREPLY message. A non-DHCP client will not send a DHCPREQUEST message, nor will that client expect a DHCPACK message.
DHCP servers may send any DHCP options to a BOOTP client as allowed by the DHCP options and BOOTP vendor extensions.
This means that as long as a DHCP server supports BOOTP clients, the DHCP server will reply to BOOTP requests.
If a DHCP server that is not configured to support BOOTP clients receives a BOOTREQUEST message from a BOOTP client, that server silently discards the BOOTREQUEST message.
To resolve this issue, turn off the BOOTP option on the DHCP server:
- Log on to the DHCP server or WDS Server in the network using an account with sufficient privileges to modify scopes.
- Start the DHCP management console by either pressing Win + R and specifying dhcpmgmt.msc as the command to run, followed by OK, or picking DHCP from the tools menu within Server Manager, or picking DHCP from the Administrative Tools folder from the Start Screen.
- In the left pane, drill down to the IPv4 DHCP scope of the network from which the affected machines get their IPv4 addressing.
- Right-click the IPv4 scope and select Properties from the context menu.
- On the Advanced tab, change the DHCP option from DHCP and BOOTP or Both to DHCP.
BOOTP can mess up your BitLocker Network Unlock deployment. Although disabling BOOTP is the resolution in this case, take care of proper IPv4 addressing for older devices that may still require or prefer BOOTP (by placing them on a different subnet; these devices won’t be able to run BitLocker Network Unlock, anyway).
Related knowledgebase articles
2891694 A Windows 8-based client computer does not use the BitLocker Network Unlock feature
928202 How to use the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool to view recovery passwords for Windows Vista