How to Set Up BitLocker Network Unlock on Windows Server 2025
BitLocker Drive Encryption is a cornerstone of Windows Server security, protecting data at rest against physical theft or unauthorized access. In TPM+PIN deployments, servers or workstations require a PIN (or a USB startup key) at startup before the volume master key is released and Windows can boot. While this is excellent for security, it creates an operational challenge in enterprise environments where servers must reboot unattended, for example after patch cycles or power events. BitLocker Network Unlock solves this by letting domain-joined, TPM-protected machines boot without a PIN, provided they are connected by wire to the corporate network and can reach a Windows Deployment Services (WDS) server that holds the Network Unlock certificate and its private key. If the machine is off the corporate network, or the WDS server does not answer, BitLocker falls back to requiring the PIN or the recovery key as normal. This tutorial walks you through the complete setup of BitLocker Network Unlock on Windows Server 2025, from installing prerequisites to validating the handshake.
Prerequisites
- Two Windows Server 2025 machines: one to protect with BitLocker (the client) and one to act as the WDS/Network Unlock server
- Both machines joined to the same Active Directory domain
- An Active Directory Certificate Services (AD CS) deployment with an Enterprise CA
- TPM 2.0 on the machine to be protected
- UEFI firmware with Secure Boot enabled on the protected machine, with the firmware's IPv4 network (DHCP) stack enabled; Network Unlock works only over a wired connection, not over Wi-Fi
- The WDS server reachable by the client's DHCP broadcast: on the same subnet, or through a DHCP relay (IP helper) on the client's subnet that forwards to the WDS server
- The WDS role and the BitLocker Network Unlock feature on the Network Unlock server (installed in Step 1)
- Administrative rights on both servers and on the CA
Step 1: Install Required Server Roles and Features
Begin by installing the Windows Deployment Services role and the BitLocker Network Unlock feature on your Network Unlock server. The WDS PXE service receives the DHCP broadcast from a booting machine; the Network Unlock feature installs the WDS provider that recognises the BitLocker request and answers it with the encrypted network key. WDS needs no boot or install images for this, but it must be initialized and running. You also need to ensure the BitLocker feature is installed on the machine you intend to protect.
On the Network Unlock server, run the following in an elevated PowerShell session:
# Install Windows Deployment Services and the Network Unlock provider (a WDS plug-in)
Install-WindowsFeature -Name WDS -IncludeManagementTools
Install-WindowsFeature -Name BitLocker-NetworkUnlock
# Verify the installation
Get-WindowsFeature -Name WDS, WDS-Deployment, BitLocker-NetworkUnlock
# Initialize WDS if this is a fresh install. The RemoteInstall folder must be on an NTFS volume;
# no images are required for Network Unlock.
wdsutil /Initialize-Server /RemInst:"C:\RemoteInstall"
# Make the WDS service start automatically and start it now
Set-Service -Name WDSServer -StartupType Automatic
Start-Service -Name WDSServer
Get-Service -Name WDSServer
On the machine to be protected, ensure BitLocker is installed:
# Install BitLocker and the management tools (a reboot is required afterwards)
Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools
Install-WindowsFeature -Name RSAT-Feature-Tools-BitLocker
# Confirm TPM status: TpmPresent, TpmReady and TpmEnabled should all be True
Get-Tpm
# If TpmReady is False, provision the TPM. Do NOT pass -AllowClear on a machine that already
# has BitLocker-protected volumes: clearing the TPM discards the keys sealed in it.
if (-not (Get-Tpm).TpmReady) { Initialize-Tpm -AllowPhysicalPresence }
Step 2: Create the Network Unlock Certificate Template in AD CS
The Network Unlock certificate is an X.509 certificate whose application policy (EKU) marks it as a BitLocker Network Unlock certificate and whose RSA key is what clients encrypt their session key to at boot. You must create a custom certificate template on your Enterprise CA before issuing the certificate. The template itself is built in the Certificate Templates console (certtmpl.msc) on the CA server; PowerShell is then used to publish and verify it.
# On the CA server: open the Certificate Templates MMC snap-in (certtmpl.msc)
# Duplicate the "User" template. Template name: BitLockerNetworkUnlock (no spaces);
# display name: "BitLocker Network Unlock". Required settings on the new template:
# - Compatibility tab: Certification Authority and Certificate recipient at least Windows Server 2012 / Windows 8
# - Request Handling tab: Purpose = Encryption; check "Allow private key to be exported"
#   (Step 3 exports a PFX; without this the export fails)
# - Subject Name tab: Supply in the request
# - Issuance Requirements tab: no CA certificate manager approval
# - Extensions tab → Application Policies: remove the defaults and add
#   "BitLocker Network Unlock" (OID 1.3.6.1.4.1.311.67.1.1)
# - Extensions tab → Key Usage: "Allow key exchange only with key encryption (key encipherment)"
# - Cryptography tab: Minimum key size 2048; provider Microsoft RSA SChannel Cryptographic Provider
# - Security tab: grant Read and Enroll to the WDS server's computer account only.
#   Anyone who can enroll can mint a key that unlocks every Network Unlock client,
#   so do not grant Enroll to Domain Computers.
# After creating the template, publish it on the CA (Add-CATemplate takes the template name, not the display name)
Add-CATemplate -Name "BitLockerNetworkUnlock" -Force
# Verify the template is published
certutil -CATemplates | Select-String "BitLocker"
Step 3: Request and Export the Network Unlock Certificate
With the template published, request a certificate on the WDS server that will serve as the Network Unlock provider. The request runs under the server's computer account, which is why that account needs Enroll on the template. The certificate is then exported twice: with its private key to a PFX file, which is imported into the WDS Network Unlock store in Step 4, and without it to a .cer file for distribution to clients in Step 5. The private key in the PFX can unlock every client that trusts this certificate, so treat the file accordingly: strong password, restrictive ACL, and delete it once imported.
# On the WDS/Network Unlock server, in an elevated PowerShell session
# Request the certificate from the Enterprise CA via the AD enrollment policy (-Url ldap:).
# The template requires the subject to be supplied in the request, hence -SubjectName.
$req = Get-Certificate -Template "BitLockerNetworkUnlock" `
    -SubjectName "CN=BitLocker Network Unlock" `
    -CertStoreLocation Cert:\LocalMachine\My `
    -Url ldap:
$req.Status   # expected: Issued
# Locate the issued certificate by its Network Unlock EKU (OID 1.3.6.1.4.1.311.67.1.1)
$nkpOid = "1.3.6.1.4.1.311.67.1.1"
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $nkpOid } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$cert | Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
$thumb = $cert.Thumbprint
# Create an export folder that only Administrators and SYSTEM can read
$exportDir = "C:\BitLockerNetworkUnlock"
New-Item -Path $exportDir -ItemType Directory -Force | Out-Null
icacls $exportDir /inheritance:r /grant:r "BUILTIN\Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" | Out-Null
# Export to PFX. Prompt for the password instead of hard-coding it in a script or the command history.
$pfxPassword = Read-Host -Prompt "PFX export password" -AsSecureString
Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$thumb" `
    -FilePath "$exportDir\NetworkUnlock.pfx" `
    -Password $pfxPassword
# Also export the public certificate (.cer) for GPO distribution in Step 5
Export-Certificate -Cert "Cert:\LocalMachine\My\$thumb" `
    -FilePath "$exportDir\NetworkUnlock.cer" `
    -Type CERT
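Before the PFX leaves the Personal store it is worth checking that the certificate actually satisfies the template requirements from Step 2, because a certificate with the wrong EKU, key usage or key size is imported without complaint in Step 4 and only fails later as a silent PIN prompt on the client. The function below is an added example and is not part of the original tutorial; it assumes the EKU OID 1.3.6.1.4.1.311.67.1.1 and the Cert:\LocalMachine\My store from Step 3, and the function name is mine.

```powershell
# Added example: validate a candidate Network Unlock certificate against the template requirements
$NetworkUnlockEku = '1.3.6.1.4.1.311.67.1.1'

function Test-NetworkUnlockCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        # Use on the WDS server, where the private key must be present; omit on clients
        [switch] $RequirePrivateKey
    )
    process {
        $problems = New-Object System.Collections.Generic.List[string]

        # Application policy: the BitLocker Network Unlock EKU must be present
        $ekuExt = $Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekuOids = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value })
        if ($ekuOids -notcontains $NetworkUnlockEku) {
            $problems.Add("EKU $NetworkUnlockEku (BitLocker Network Unlock) missing; found: $($ekuOids -join ', ')")
        }

        # Key usage: clients wrap their session key to this key, so key encipherment is required
        $kuExt = $Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $keyEnc = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
        if ($kuExt -and -not ($kuExt.KeyUsages -band $keyEnc)) {
            $problems.Add("Key Usage lacks KeyEncipherment (found: $($kuExt.KeyUsages))")
        }

        # Key algorithm and size: RSA, at least 2048 bits
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
        if (-not $rsa) {
            $problems.Add("Public key is not RSA ($($Certificate.PublicKey.Oid.FriendlyName))")
        } elseif ($rsa.KeySize -lt 2048) {
            $problems.Add("RSA key size $($rsa.KeySize) is below 2048")
        }

        # Validity window
        $now = Get-Date
        if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
            $problems.Add("Certificate not currently valid ($($Certificate.NotBefore) to $($Certificate.NotAfter))")
        }

        if ($RequirePrivateKey -and -not $Certificate.HasPrivateKey) {
            $problems.Add('Private key is not present in this store')
        }

        [pscustomobject]@{
            Thumbprint = $Certificate.Thumbprint
            Subject    = $Certificate.Subject
            NotAfter   = $Certificate.NotAfter
            IsValid    = ($problems.Count -eq 0)
            Problems   = $problems.ToArray()
        }
    }
}

# Usage on the WDS server: check every certificate carrying the Network Unlock EKU in the Personal store
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $NetworkUnlockEku } |
    Test-NetworkUnlockCertificate -RequirePrivateKey |
    Format-List
```

Run the same function without -RequirePrivateKey against Cert:\LocalMachine\FVE_NKP on a client after Step 5; there IsValid should be True and HasPrivateKey must be False, since clients only ever receive the public certificate.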
Step 4: Configure WDS with the Network Unlock Certificate
WDS itself needs no Network Unlock specific settings. The provider was registered with the WDS PXE service when you installed the BitLocker Network Unlock feature in Step 1; what remains is to give it the private key by importing the PFX into the server's "BitLocker Drive Encryption Network Unlock Certificate" store (Cert:\LocalMachine\FVE_NKP in the certificate provider) and restarting WDS so the provider loads it.
# On the WDS server. Confirm the provider feature is installed; it is what plugs the
# Network Unlock provider into the WDS PXE service and creates the FVE_NKP store.
Get-WindowsFeature -Name BitLocker-NetworkUnlock
# Copy the PFX to the WDS server if it was created elsewhere, then import it into the
# Network Unlock store (NOT the Personal store).
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
Import-PfxCertificate -FilePath "C:\BitLockerNetworkUnlock\NetworkUnlock.pfx" `
    -CertStoreLocation Cert:\LocalMachine\FVE_NKP `
    -Password $pfxPassword
# Verify: the certificate must show HasPrivateKey = True in this store
Get-ChildItem Cert:\LocalMachine\FVE_NKP | Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
# Restart WDS so the provider picks up the key
Restart-Service -Name WDSServer
Get-Service -Name WDSServer
# The PFX on disk is now only a liability: remove it and keep the .cer for Step 5
Remove-Item "C:\BitLockerNetworkUnlock\NetworkUnlock.pfx" -Force
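As configured so far the provider answers any client on any subnet whose DHCP broadcasts reach it, so a stolen server plugged into any office port served by the WDS server still boots. The WDS Network Unlock provider reads an optional subnet policy file, bde-network-unlock.ini, from the directory that holds the provider DLL (%windir%\System32 on the WDS server): a [SUBNETS] section names the permitted ranges and a section headed by the certificate thumbprint (no spaces) lists which of them that certificate may unlock. The function below is an added example, not part of the original tutorial; the function name, the 10.20.0.0/24 and 10.20.1.0/26 ranges and the thumbprint in the usage line are placeholders.

```powershell
# Added example: generate a subnet policy restricting where a Network Unlock certificate may answer
function New-NetworkUnlockSubnetPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Thumbprint of the certificate imported into Cert:\LocalMachine\FVE_NKP on the WDS server
        [Parameter(Mandatory)] [string] $Thumbprint,
        # Subnets allowed to unlock, in CIDR notation (IPv4 or IPv6)
        [Parameter(Mandatory)] [string[]] $AllowedSubnets,
        # Default is where the provider reads the file; point elsewhere to stage it first
        [string] $Path = (Join-Path $env:windir 'System32\bde-network-unlock.ini')
    )

    # The section name is the hex thumbprint with no spaces; normalise what certlm.msc copies out
    $tp = ($Thumbprint -replace '\s', '').ToLowerInvariant()
    if ($tp -notmatch '^[0-9a-f]{40}$') { throw "Not a SHA-1 certificate thumbprint: '$Thumbprint'" }

    $subnetLines = @()
    $subnetNames = @()
    for ($i = 0; $i -lt $AllowedSubnets.Count; $i++) {
        $cidr = $AllowedSubnets[$i].Trim()
        # Accept a.b.c.d/nn (nn 0-32) or an IPv6 prefix (0-128); reject anything else
        # rather than writing a file the provider cannot parse
        $isV4 = $cidr -match '^(\d{1,3}\.){3}\d{1,3}/([0-9]|[12]\d|3[0-2])$'
        $isV6 = $cidr -match '^[0-9a-fA-F:]+/(\d{1,2}|1[01]\d|12[0-8])$'
        if (-not ($isV4 -or $isV6)) { throw "Not a CIDR range: '$cidr'" }
        $name = "SUBNET$($i + 1)"
        $subnetNames += $name
        $subnetLines += "$name=$cidr"
    }

    # [SUBNETS] defines the ranges; the thumbprint section binds them to one certificate
    $content = @('[SUBNETS]') + $subnetLines +
               @('', "[$tp]", '; subnets this certificate may unlock') + $subnetNames

    if ($PSCmdlet.ShouldProcess($Path, 'Write Network Unlock subnet policy')) {
        Set-Content -Path $Path -Value $content
        # The provider reads the policy when WDS starts
        Restart-Service -Name WDSServer
    }
    $content
}

# Usage (placeholder thumbprint and ranges). Run with -WhatIf first to review the file content,
# then without it to write the policy and restart WDS.
New-NetworkUnlockSubnetPolicy -Thumbprint '0123456789abcdef0123456789abcdef01234567' `
    -AllowedSubnets '10.20.0.0/24', '10.20.1.0/26' -WhatIf
```

Without the file every subnet is permitted; with it, a request from a subnet not listed under the certificate's thumbprint is ignored and the client falls back to the PIN prompt, which is the behaviour you want for a server that has left the datacenter.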
Step 5: Distribute the Public Certificate via Group Policy
The client machines that will use Network Unlock need the public half of the Network Unlock certificate: at boot they encrypt their session key to it, so a client holding a different or stale certificate simply falls back to the PIN prompt. The certificate is distributed through Group Policy under the BitLocker Drive Encryption public key policy node and lands in the client's FVE_NKP store.
# On a domain controller or machine with GPMC installed
# Create or edit a GPO linked to the OU with your servers
# Navigate in GPMC to:
# Computer Configuration → Policies → Windows Settings → Security Settings
# → Public Key Policies → BitLocker Drive Encryption Network Unlock Certificate
# Right-click → Add Network Unlock Certificate and import the .cer file exported in Step 3.
# Only the public certificate goes here; the PFX never leaves the WDS server.
# There is no supported cmdlet for this policy node, so use the GPMC GUI.
# Force policy refresh on the target machine to receive the certificate
Invoke-GPUpdate -Computer "TargetServer01" -Force -RandomDelayInMinutes 0
# Verify the certificate arrived in the target machine's Network Unlock store.
# On clients it must show HasPrivateKey = False.
Invoke-Command -ComputerName "TargetServer01" -ScriptBlock {
    Get-ChildItem Cert:\LocalMachine\FVE_NKP | Format-List Subject, Thumbprint, HasPrivateKey
}
Step 6: Enable BitLocker with TPM+PIN and Network Unlock Policy
Configure Group Policy to allow Network Unlock at startup, then enable BitLocker on the target machine with a TPM+PIN protector. Network Unlock supplements the TPM+PIN protector rather than replacing it: on the corporate network the machine boots without input, and the PIN is required only when the WDS server cannot be reached. The "Require additional authentication at startup" policy must allow a TPM startup PIN, otherwise Enable-BitLocker rejects the protector.
# GPO settings (configure via GPMC on a DC), both under
# Computer Configuration → Administrative Templates → Windows Components
# → BitLocker Drive Encryption → Operating System Drives:
# - "Allow network unlock at startup" → Enabled
# - "Require additional authentication at startup" → Enabled,
#   "Configure TPM startup PIN" = Allow startup PIN with TPM (or Require)
# On the target machine, after a policy refresh, enable BitLocker with a TPM+PIN protector
# First, ensure the TPM is ready
Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled
# Add a recovery password protector first and escrow it to AD before encryption starts,
# so a TPM failure or a forgotten PIN never leaves the volume unrecoverable
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector | Out-Null
$vol = Get-BitLockerVolume -MountPoint "C:"
$recoveryId = ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }).KeyProtectorId
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $recoveryId
# Enable BitLocker on the OS drive with TPM+PIN. Prompt for the PIN; do not script it in clear text.
# -SkipHardwareTest starts encrypting immediately; omit it to let BitLocker reboot once and prove
# the TPM+PIN path works before committing.
$pinSecure = Read-Host -Prompt "BitLocker startup PIN (digits)" -AsSecureString
Enable-BitLocker -MountPoint "C:" `
    -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector `
    -Pin $pinSecure `
    -SkipHardwareTest
# Check encryption status; ProtectionStatus turns On once encryption completes
Get-BitLockerVolume -MountPoint "C:" | Select-Object VolumeStatus, EncryptionPercentage, ProtectionStatus
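Steps 5 and 6 leave the client with four things that all have to be true at once before the first unattended reboot is attempted: a ready TPM, Secure Boot on UEFI, the public Network Unlock certificate in the FVE_NKP store, and a TPM+PIN protector with an escrowed recovery password. The function below is an added example, not part of the original tutorial, that checks them in one pass on the client. It assumes the store and protector names used above; the registry value name OSManageNKP for the "Allow network unlock at startup" policy is an assumption to confirm against gpresult /h output in your environment, and the function name is mine.

```powershell
# Added example: one-shot readiness check for a Network Unlock client
$NetworkUnlockEku = '1.3.6.1.4.1.311.67.1.1'

function Get-NetworkUnlockClientReadiness {
    [CmdletBinding()]
    param([string] $MountPoint = 'C:')

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. TPM present and provisioned
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { $findings.Add('TPM is not present or not ready') }

    # 2. UEFI with Secure Boot on (Confirm-SecureBootUEFI throws on legacy BIOS firmware)
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }
    if (-not $secureBoot) { $findings.Add('Secure Boot is off or the firmware is not UEFI') }

    # 3. Public Network Unlock certificate delivered by GPO; clients must never hold the private key
    $nkpCerts = @(Get-ChildItem Cert:\LocalMachine\FVE_NKP -ErrorAction SilentlyContinue |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $NetworkUnlockEku })
    if ($nkpCerts.Count -eq 0) {
        $findings.Add('No Network Unlock certificate in Cert:\LocalMachine\FVE_NKP (GPO not applied?)')
    } elseif ($nkpCerts | Where-Object { $_.HasPrivateKey }) {
        $findings.Add('A certificate in FVE_NKP carries a private key; clients must only hold the public cert')
    }
    $nkpCerts | Where-Object { $_.NotAfter -lt (Get-Date) } |
        ForEach-Object { $findings.Add("Certificate $($_.Thumbprint) expired $($_.NotAfter)") }

    # 4. "Allow network unlock at startup" policy. ASSUMPTION: value name OSManageNKP under the
    #    BitLocker policy key; verify against gpresult /h in your environment.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if (-not $fve -or $fve.OSManageNKP -ne 1) {
        $findings.Add('Allow network unlock at startup policy not applied (OSManageNKP is not 1)')
    }

    # 5. Volume state: TPM+PIN protector to fall back to, recovery password present, protection on
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if ($types -notcontains 'TpmPin') { $findings.Add('No TPM+PIN protector on the OS volume') }
    if ($types -notcontains 'RecoveryPassword') { $findings.Add('No recovery password protector on the OS volume') }
    if ($vol.ProtectionStatus -ne 'On') { $findings.Add("ProtectionStatus is $($vol.ProtectionStatus)") }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        MountPoint         = $MountPoint
        VolumeStatus       = $vol.VolumeStatus
        Protectors         = $types
        NkpCertThumbprints = @($nkpCerts | ForEach-Object Thumbprint)
        Ready              = ($findings.Count -eq 0)
        Findings           = $findings.ToArray()
    }
}

Get-NetworkUnlockClientReadiness | Format-List
```

Run it in an elevated session on the protected machine; Ready should be True and Findings empty before you move on to the reboot test in Step 7. The check reports policy and certificate presence, not whether the WDS server will answer; that part is only proven by the reboot.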
Step 7: Validate the Network Unlock Handshake
After encryption is complete and the machine reboots, you can verify that Network Unlock is functioning correctly. The handshake works as follows: the client's boot manager, using the firmware's DHCP stack, sends a DHCP request carrying a vendor-specific option that contains a session key and a request for the network key, encrypted with the RSA public key of the Network Unlock certificate; the Network Unlock provider on the WDS server decrypts it with the certificate's private key and replies, again in a vendor-specific DHCP option, with the network key encrypted under the client's session key; the client combines that network key with an intermediate key that only its TPM can release, derives the key that unlocks the OS volume, and boots without prompting for the PIN. The unlock material is therefore never sent in the clear, and a captured reply is useless without the client's TPM.
# On the WDS server, find the WDS logs and check them for Network Unlock activity
Get-WinEvent -ListLog "*Deployment-Services*" | Select-Object LogName, RecordCount
Get-WinEvent -LogName "Microsoft-Windows-Deployment-Services-Diagnostics/Operational" -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*Network Unlock*" -or $_.Message -like "*BitLocker*" } |
    Select-Object TimeCreated, Id, Message
# On the target machine after reboot, confirm BitLocker protection is active
Get-BitLockerVolume -MountPoint "C:" |
    Select-Object VolumeStatus, ProtectionStatus, LockStatus
# Expected output:
# VolumeStatus : FullyEncrypted
# ProtectionStatus : On
# LockStatus : Unlocked
# List the key protectors. Network Unlock does not require a protector you add by hand; you should
# see the TpmPin and RecoveryPassword protectors from Step 6. (AutoUnlockEnabled applies to data
# volumes only and says nothing about how the OS volume was unlocked at boot.)
(Get-BitLockerVolume -MountPoint "C:").KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
# Functional test, over a wired connection, in both directions:
# 1. Reboot on the corporate network: Windows should start with no PIN prompt.
# 2. Unplug the network cable and reboot: the pre-boot screen should prompt for the PIN from Step 6.
# 3. Reconnect and reboot again: the machine should unlock automatically once more.
Step 8: Troubleshooting Common Issues
If Network Unlock does not work as expected, use the following diagnostic steps:
# Network Unlock rides on the DHCP/PXE path, so most failures are network-layer:
# 1. The client and the WDS server are on the same subnet, or an IP helper (DHCP relay) on the
#    client's subnet forwards DHCP broadcasts (UDP 67) to the WDS server as well as the DHCP server.
# 2. The client firmware has its IPv4 network (PXE/DHCP) stack enabled and uses a wired NIC.
# 3. If the DHCP Server role runs on the WDS server, WDS must not bind UDP 67, and DHCP must
#    advertise option 60 (PXEClient) so clients know to talk to the PXE service on UDP 4011:
wdsutil /Set-Server /UseDhcpPorts:No /DhcpOption60:Yes
# Verify option 60 on the DHCP server (server-wide, or per scope if you set it there)
Get-DhcpServerv4OptionValue -OptionId 60
Get-DhcpServerv4OptionValue -ScopeId "192.168.10.0" -OptionId 60
# Options 66/67 are PXE boot-file settings and are not needed for Network Unlock.
# Review the BitLocker event log on the target machine
Get-WinEvent -LogName "Microsoft-Windows-BitLocker/BitLocker Operational" -MaxEvents 30 |
    Select-Object TimeCreated, Id, Message
# Verify the Network Unlock certificate EKU: on the client (public cert) and on the WDS server
# (same certificate, HasPrivateKey must be True there)
Get-ChildItem Cert:\LocalMachine\FVE_NKP |
    ForEach-Object { $_.EnhancedKeyUsageList }
# Should include OID 1.3.6.1.4.1.311.67.1.1
# Confirm WDS is listening on UDP 4011 (and on UDP 67 only when no DHCP server is co-located)
Get-NetUDPEndpoint -LocalPort 4011, 67 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
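The server-side checks above are the ones you end up repeating after every WDS patch or certificate renewal, so it pays to have them in one function that also catches the DHCP co-location trap (both services bound to UDP 67). The script below is an added example, not part of the original tutorial; it assumes the feature names, service names, FVE_NKP store and EKU OID used throughout this page, and the function name is mine.

```powershell
# Added example: server-side health check for the WDS Network Unlock provider
$NetworkUnlockEku = '1.3.6.1.4.1.311.67.1.1'

function Test-NetworkUnlockServer {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Both the WDS deployment role service and the Network Unlock provider feature must be installed
    foreach ($name in 'WDS-Deployment', 'BitLocker-NetworkUnlock') {
        $feature = Get-WindowsFeature -Name $name
        if (-not $feature.Installed) { $findings.Add("Feature $name is not installed") }
    }

    # 2. WDS service state
    $svc = Get-Service -Name WDSServer -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') { $findings.Add('WDSServer service is not running') }

    # 3. Network Unlock certificate with private key in the server's FVE_NKP store, not about to expire
    $certs = @(Get-ChildItem Cert:\LocalMachine\FVE_NKP -ErrorAction SilentlyContinue |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $NetworkUnlockEku })
    if ($certs.Count -eq 0) {
        $findings.Add('No Network Unlock certificate in Cert:\LocalMachine\FVE_NKP')
    } elseif (-not ($certs | Where-Object { $_.HasPrivateKey })) {
        $findings.Add('Network Unlock certificate has no private key; the provider cannot decrypt client requests')
    }
    $certs | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) } |
        ForEach-Object { $findings.Add("Certificate $($_.Thumbprint) expires $($_.NotAfter); renew and redeploy via GPO") }

    # 4. Listeners: the PXE service must own UDP 4011
    $udp = @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue)
    $wdsPid = (Get-CimInstance Win32_Service -Filter "Name='WDSServer'").ProcessId
    $wdsOn4011 = $udp | Where-Object { $_.LocalPort -eq 4011 -and $_.OwningProcess -eq $wdsPid }
    if (-not $wdsOn4011) { $findings.Add('WDSServer is not listening on UDP 4011') }

    # 5. DHCP co-location: WDS and the DHCP Server role cannot both bind UDP 67
    $dhcp = Get-Service -Name DHCPServer -ErrorAction SilentlyContinue
    $wdsOn67 = $udp | Where-Object { $_.LocalPort -eq 67 -and $_.OwningProcess -eq $wdsPid }
    if ($dhcp -and $dhcp.Status -eq 'Running' -and $wdsOn67) {
        $findings.Add('DHCP Server and WDS both bind UDP 67; run: wdsutil /Set-Server /UseDhcpPorts:No /DhcpOption60:Yes')
    }
    if (-not $dhcp -and -not $wdsOn67) {
        $findings.Add('No DHCP Server here and WDS is not on UDP 67; DHCP relays on client subnets must forward to this host')
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        WdsService      = if ($svc) { $svc.Status.ToString() } else { 'Missing' }
        CertThumbprints = @($certs | ForEach-Object Thumbprint)
        DhcpCoLocated   = [bool]($dhcp -and $dhcp.Status -eq 'Running')
        Healthy         = ($findings.Count -eq 0)
        Findings        = $findings.ToArray()
    }
}

Test-NetworkUnlockServer | Format-List
```

Healthy should be True on a working server. A certificate expiry finding is the one to watch operationally: once the certificate expires, every client falls back to the PIN prompt at the next reboot, and the renewed certificate must be imported into FVE_NKP here (Step 4) and republished to clients through the GPO (Step 5).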
BitLocker Network Unlock balances strong at-rest encryption with the operational need for unattended server reboots in a trusted corporate environment. By leveraging the TPM, your Enterprise CA, and WDS as the unlock provider, you ensure that servers are protected from physical theft while remaining fully operational on your network. The fallback to the PIN when the machine is off-network provides defense in depth: a stolen server cannot be booted without the PIN or recovery key. Two caveats follow from the design. The Network Unlock private key on the WDS server is the PIN bypass for every client, so harden and monitor that host as you would a domain controller; and a stolen machine that is reconnected to a subnet the WDS server answers will boot, so limit the subnets the provider serves to those where your servers actually live. With the configuration complete, review your WDS and BitLocker event logs after each reboot cycle to confirm Network Unlock is operating reliably.