How to Set Up BitLocker Network Unlock on Windows Server 2016

BitLocker Drive Encryption protects data at rest by encrypting entire volumes. In environments where servers need to restart automatically without manual PIN entry — such as after patching or power restoration — BitLocker Network Unlock provides a solution. Network Unlock allows a server to automatically unlock its BitLocker-protected drives during boot by receiving the unlock key over the network from a WDS (Windows Deployment Services) server acting as a Network Unlock provider. The server only unlocks automatically when it is on the trusted corporate network; if booted on an untrusted network or taken off-premises, BitLocker requires manual key entry, maintaining data security.

Network Unlock requires several components working together: the server being protected (client) must have a TPM 1.2 or 2.0 chip, a UEFI firmware with DHCPv4 capability in the pre-boot environment, and BitLocker must be configured with the Network Unlock protector. The WDS server provides the unlock key delivery mechanism. Active Directory is required for certificate distribution and key storage. All machines must be on the same network segment or the DHCP helper must be configured to forward DHCP requests to the WDS server.

Installing BitLocker and WDS

Install the BitLocker feature with management tools on the client server:

Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart

On the WDS server, install Windows Deployment Services and the BitLocker Network Unlock feature:

Install-WindowsFeature WDS -IncludeManagementTools
Install-WindowsFeature BitLocker-NetworkUnlock

Creating the Network Unlock Certificate

Network Unlock uses a certificate-based key exchange. You need to create an X.509 certificate for the Network Unlock provider. Create a self-signed certificate or use your enterprise CA. The following creates a self-signed certificate with the correct key usage:

# Machine store, exportable 2048-bit RSA key, KeyEncipherment usage, and the Network Unlock EKU
$cert = New-SelfSignedCertificate -Subject "CN=BitLocker Network Unlock" -CertStoreLocation "Cert:\LocalMachine\My" -KeyLength 2048 -KeyExportPolicy Exportable -HashAlgorithm SHA256 -KeyUsage KeyEncipherment -KeySpec KeyExchange -NotAfter (Get-Date).AddYears(5) -TextExtension "2.5.29.37={text}1.3.6.1.4.1.311.67.1.1"

Export the certificate with its private key to install on the WDS server (use a strong password):

$certPath = "C:\BitLockerNetworkUnlock.pfx"
# Prompt for the PFX password instead of hard-coding it in the script
$pfxPassword = Read-Host -AsSecureString "PFX password"
Export-PfxCertificate -Cert $cert -FilePath $certPath -Password $pfxPassword

Export only the public certificate (.cer) for distribution via Group Policy:

Export-Certificate -Cert $cert -FilePath "C:\BitLockerNetworkUnlock.cer"
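As an added example (not from the article), the following check confirms that the certificate created above meets the Network Unlock provider requirements before it is exported; it assumes `$cert` holds the certificate returned by New-SelfSignedCertificate and treats 2048 bits as the minimum RSA key size.

```powershell
# Added example: validate a Network Unlock provider certificate.
# Assumes $cert is the X509Certificate2 created earlier on this page.
function Test-NetworkUnlockCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $nkpEku   = '1.3.6.1.4.1.311.67.1.1'   # BitLocker Network Unlock EKU used on this page
    $findings = @()

    # EKU: the Network Unlock OID must be present
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasNkpEku = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $nkpEku })
    if (-not $hasNkpEku) { $findings += "EKU $nkpEku missing" }

    # Key usage must allow key encipherment (the unlock key is wrapped to this certificate)
    $kuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $ke = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    if (-not $kuExt -or -not $kuExt.KeyUsages.HasFlag($ke)) { $findings += 'KeyUsage KeyEncipherment missing' }

    # The WDS provider needs the private key; clients only receive the public .cer
    if (-not $Certificate.HasPrivateKey) { $findings += 'private key not present' }

    # RSA key size (2048 bits assumed as the minimum for this check)
    $keySize = $Certificate.PublicKey.Key.KeySize
    if ($keySize -lt 2048) { $findings += "RSA key is $keySize bits, shorter than 2048" }

    # Warn when expiry is near: an expired provider certificate stops automatic unlock
    if ($Certificate.NotAfter -lt (Get-Date).AddDays(90)) { $findings += "expires $($Certificate.NotAfter)" }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Valid      = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

Test-NetworkUnlockCertificate -Certificate $cert
```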

Configuring the WDS Server for Network Unlock

Copy the PFX file to the WDS server. Import the certificate into the WDS server certificate store. The WDS service reads Network Unlock certificates from the WDS provider key store:

# Prompt for the same password used at export time
$pfxPassword = Read-Host -AsSecureString "PFX password"
Import-PfxCertificate -FilePath "C:\BitLockerNetworkUnlock.pfx" -CertStoreLocation "Cert:\LocalMachine\My" -Password $pfxPassword

Place the certificate in the WDS Network Unlock certificate directory, which WDS monitors for Network Unlock provider certificates. The default path is:

%windir%\System32\RemoteInstall\OSImages\BitlockerNetworkUnlockKeys

Create the directory if it does not exist and copy the PFX there:

# The backslash after $env:windir ends the variable name so the rest of the path is kept literally
$wdsPath = "$env:windir\System32\RemoteInstall\OSImages\BitlockerNetworkUnlockKeys"
New-Item -Path $wdsPath -ItemType Directory -Force
Copy-Item "C:\BitLockerNetworkUnlock.pfx" -Destination $wdsPath

Restart the WDS service to load the new certificate:

Restart-Service WDSServer

Distributing the Certificate via Group Policy

The public certificate must be deployed to client machines so they can use it for Network Unlock. In Group Policy Management, navigate to Computer Configuration, Windows Settings, Security Settings, Public Key Policies, BitLocker Drive Encryption Network Unlock Certificate. Import the .cer file there. This deploys the public certificate to all computers in the GPO scope at next Group Policy refresh:

gpupdate /force

Enabling BitLocker with Network Unlock on the Client

Enable BitLocker on the system drive with a TPM protector, and add a recovery password protector so there is a key that can be escrowed in Active Directory. The Network Unlock protector is not added with an Add-BitLockerKeyProtector switch; BitLocker adds the TpmNetworkKey protector itself once the Group Policy-delivered Network Unlock certificate is present on a TPM-protected OS volume:

Enable-BitLocker -MountPoint "C:" -TpmProtector
# Recovery password protector: the only protector type Backup-BitLockerKeyProtector escrows to AD
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
# The TpmNetworkKey protector appears in Get-BitLockerVolume once the certificate policy has applied

Back up the BitLocker recovery key to Active Directory (always do this before encryption):

# Select the RecoveryPassword protector explicitly; KeyProtector[0] is usually the TPM protector, which cannot be backed up to AD
$rp = (Get-BitLockerVolume -MountPoint "C:").KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $rp.KeyProtectorId

Verify BitLocker protectors on the volume:

Get-BitLockerVolume -MountPoint "C:" | Select-Object -ExpandProperty KeyProtector
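As an added example (not from the article), the following readiness check reports whether the OS volume has the protectors Network Unlock depends on and whether a recovery password protector exists for the fallback path; it assumes BitLocker reports the Network Unlock protector with the type name TpmNetworkKey.

```powershell
# Added example: summarise the protector state that Network Unlock relies on.
# Assumption: the Network Unlock protector is reported as KeyProtectorType 'TpmNetworkKey'.
function Get-NetworkUnlockReadiness {
    param([string]$MountPoint = 'C:')

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $hasTpm    = $types -contains 'Tpm'
    $hasNetKey = $types -contains 'TpmNetworkKey'
    $recovery  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    # BitLocker adds the Network Unlock protector once the policy-delivered certificate
    # is present; if it is missing, check the GPO scope and the last policy refresh.
    $issues = @()
    if ($vol.ProtectionStatus -ne 'On') { $issues += "protection is $($vol.ProtectionStatus)" }
    if (-not $hasTpm)          { $issues += 'no TPM protector' }
    if (-not $hasNetKey)       { $issues += 'no TpmNetworkKey protector (certificate policy not applied?)' }
    if ($recovery.Count -eq 0) { $issues += 'no RecoveryPassword protector to escrow in AD' }

    [pscustomobject]@{
        MountPoint   = $MountPoint
        VolumeStatus = $vol.VolumeStatus
        Protectors   = $types
        RecoveryIds  = @($recovery | ForEach-Object { $_.KeyProtectorId })
        Ready        = ($issues.Count -eq 0)
        Issues       = $issues
    }
}

Get-NetworkUnlockReadiness -MountPoint 'C:'
```

Run it on the client before the reboot test: a volume that reports Ready without a TpmNetworkKey protector will prompt for the recovery key rather than unlock over the network.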

With Network Unlock configured, servers will automatically unlock during boot when they receive a DHCP response from the WDS server on the corporate network. Test the configuration by rebooting the server and monitoring that it completes the boot process without prompting for a PIN. If unlock fails, the server will prompt for a recovery key, ensuring the data remains protected. Always store recovery keys in Active Directory and verify they are accessible before removing physical access to servers.