Solved

Setting up BitLocker Network Unlock

Posted on 2016-08-24
Last Modified: 2016-09-12
I'm setting up BitLocker Network Unlock, and on the WDS server, when a client sends a request, I get two errors.

[WDSServer/WDSPXE/NKPPROV] NKP request processing failed while extracting key material. Remote address: ipaddress:68, Packet length: 573.

[WDSServer/WDSPXE/NKPPROV] Could not decrypt data with private key. HRESULT = 0x80090010.

Any ideas? I verified on the client that the certificate is installed and the thumbprint matches what is installed on the WDS server.
Question by:bnussbaum
6 Comments
 

Expert Comment

by:Dave
ID: 41773474
OK, I looked at the above error code. The "0x80090010" error is commonly caused by incorrectly configured system settings or irregular entries in the Windows registry. Just make sure that the private/public keys are in good shape and the above setup is correctly configured for these keys. I guess the error lies there.
0
 

Assisted Solution

by:Dave
ID: 41773479
In addition, I would try the following as part of troubleshooting: https://technet.microsoft.com/en-us/library/jj574173(v=ws.11).aspx#BKMK_Troubleshoot
0
 

Author Comment

by:bnussbaum
ID: 41774825
I tried setting the certificate up again, but it still doesn't work. I verified the certificate in the FVE_NKP registry on the client matches what is installed on the WDS server. I ran the manage-bde -protectors command and network (Certified Based) is listed and the certificate thumbprint matches the server. The client is running UEFI and CMS is disabled; network unlock is enabled in the group policy. The WDS server is Server 2012 and has the network unlock feature installed, and the DHCP server is on a separate server.

Are there any settings that need to be configured on the DHCP server? The DHCP server is set up as DHCP only and doesn't have BOOTP enabled. I haven't configured anything with that. Not sure what else to check or try.
0
 

Author Comment

by:bnussbaum
ID: 41778803
Is creating a certificate template a step that needs to be done for network unlock? Some articles I have read have said to set it up, some don't mention it. I haven't done this step.
0
 

Accepted Solution

by:bnussbaum
ID: 41788513
I opened a case with Microsoft and the issue is resolved now. It ended up that the TechNet article that Microsoft had was incorrect and left out some things that needed to be used for the certificate.
0
 

Author Closing Comment

by:bnussbaum
ID: 41793916
Issue is resolved by opening a case with Microsoft.
0
