SCCM 2012 R2 With BitLocker Network Unlock
I’ve read and followed the Microsoft documentation available at:
– BitLocker: How to enable Network Unlock
– Bitlocker: Network Unlock (PFE Blog post)
Client/Server configuration:
- Clients: Windows 8.1 and up on an isolated VLAN
- SCCM servers: 2012 R2 SP1
- SCCM distribution point: a dedicated server for Network Unlock and client deployment
- Change to the certificate template used for Network Unlock: the Certification Authority and Certificate recipient fields are set to Windows Server 2012 R2 and Windows 8.1 respectively
After some initial testing I’ve successfully deployed this configuration at one of our customer’s sites.
I’m not sure whether it is fully supported from the MS side, but I didn’t do any “funny” customization to get it working – based on this I would guess it should be supported.
The second link is really useful for understanding how the whole thing works – it even has a few screenshots of a network trace (a good reference for troubleshooting).
Good to know:
– Network Unlock by itself doesn’t do a PXE boot – the unlock happens before that, with a special DHCP packet (provided that LAN boot is not the first boot option, which it shouldn’t be). Check the second link for more info.
– This change to the BitLocker OS drive unlock process will add a few seconds to the boot process. Why? Before Windows can start and unlock the drive with the certificate, the boot manager has to obtain a valid IP address from DHCP (or time out trying). Only after this happens is the BootRequest packet sent to the WDS server, which replies with a BootReply. How big this delay gets probably depends on the usual network-related configuration.
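As a post-deployment sanity check for the two halves of this setup (the client’s OS volume and the WDS server doing the unlock), here is an added PowerShell example. It is example code written for this page, not from the original post or from the Microsoft documentation it links. It assumes the BitLocker PowerShell module (Get-BitLockerVolume) on the client, and the ServerManager module, the BitLocker-NetworkUnlock feature name, the FVE_NKP certificate store and the WDSServer service on the WDS server; the protector type string TpmNetworkKey is taken from the BitLocker module’s key protector enumeration and is an assumption to verify against your own output.

```powershell
# Added example, not part of the original post.
# Run Test-NetworkUnlockClient on a Windows 8.1+ client and
# Test-NetworkUnlockServer on the WDS server hosting the Network Unlock feature.

function Test-NetworkUnlockClient {
    param([string]$MountPoint = $env:SystemDrive)

    # Get-BitLockerVolume exposes the list of key protectors on the OS volume.
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus          # expected: On
        # Network Unlock builds on a TPM-based protector; without one it cannot apply.
        HasTpmProtector  = ($types -contains 'Tpm') -or ($types -contains 'TpmPin')
        # Assumed enum name for the Network Unlock protector: TpmNetworkKey.
        HasNetworkKey    = ($types -contains 'TpmNetworkKey')
        Protectors       = ($types -join ', ')
    }
}

function Test-NetworkUnlockServer {
    # Feature name as used by Install-WindowsFeature for Network Unlock (assumed from MS docs).
    $feature = Get-WindowsFeature -Name 'BitLocker-NetworkUnlock' -ErrorAction SilentlyContinue

    # The Network Unlock certificate (private key) lives in the FVE_NKP machine store
    # on the WDS server; an empty store means no client can be unlocked.
    $certs = @(Get-ChildItem -Path 'Cert:\LocalMachine\FVE_NKP' -ErrorAction SilentlyContinue)

    # The WDS service must be running to answer the BootRequest with a BootReply.
    $wds = Get-Service -Name 'WDSServer' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        FeatureInstalled = [bool]($feature -and $feature.Installed)
        NkpCertCount     = $certs.Count
        NkpCertSubjects  = (($certs | ForEach-Object { $_.Subject }) -join '; ')
        NkpCertExpiry    = (($certs | ForEach-Object { $_.NotAfter.ToString('yyyy-MM-dd') }) -join '; ')
        WdsServiceState  = if ($wds) { [string]$wds.Status } else { 'not installed' }
    }
}

# Usage (run the one matching the machine you are on):
# Test-NetworkUnlockClient
# Test-NetworkUnlockServer
```

On the client, a volume showing ProtectionStatus On but HasNetworkKey False is the usual sign that the Network Unlock policy or the certificate was never applied, which would explain a machine still prompting at boot; on the server, the certificate expiry is worth watching because an expired FVE_NKP certificate silently turns every client back into a PIN prompt.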