Introduction to BitLocker Network Unlock on Windows Server 2019
BitLocker Network Unlock is a feature of Windows 8 / Windows Server 2012 and later, including Windows Server 2019 and Windows 10/11 Enterprise, that lets the operating system volume of a TPM+PIN-protected computer unlock automatically when it boots on a wired corporate network, without anyone entering the PIN or inserting a startup key. It is particularly useful for servers and workstations that must reboot unattended (patch cycles, power failures) while still demanding the PIN whenever the device is off-premises.
Network Unlock adds a second key protector next to TPM+PIN. At provisioning the client generates an intermediate "network key", encrypts it with the public key of the Network Unlock certificate, and stores only that ciphertext in the protector. At boot, the Windows boot manager detects the protector, uses the UEFI firmware's DHCP driver to obtain an IPv4 address, and broadcasts a vendor-specific DHCP request carrying the encrypted network key plus a freshly generated session key, also encrypted to the certificate. The Network Unlock provider on the WDS server decrypts the request with the certificate's private key (which only it holds) and answers with a vendor-specific DHCP reply containing the network key encrypted under the session key. The client combines the released network key with the TPM-protected part of the protector to unlock the volume master key (VMK); the VMK itself is never transmitted. If no valid reply arrives (the machine is off the corporate network, or the WDS server is down), the boot manager falls back to the TPM+PIN prompt; the recovery password remains the last resort.
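The exchange described above, as an added illustrative model that is not Microsoft's code and not the real DHCP wire format. Key sizes, the RSA-OAEP and AES-CBC choices, the message layout, the HMAC used to combine the network key with the TPM-sealed secret, and every function name here are assumptions; the point is the trust boundary: the client keeps only RSA ciphertext, only the holder of the certificate's private key can release the network key, and the VMK never leaves the client.

```powershell
# Added model of the Network Unlock exchange (assumptions: 2048-bit RSA-OAEP, AES-256-CBC,
# HMAC-SHA256 to derive the VMK wrapping key). Not the real protocol or wire format.
$ErrorActionPreference = 'Stop'

function New-RandomBytes([int]$Count) {
    $b = New-Object byte[] $Count
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($b)
    return ,$b
}
function Protect-Aes([byte[]]$Key, [byte[]]$Plain) {
    # AES-256-CBC with a random IV prepended (CBC so this also runs on Windows PowerShell 5.1)
    $aes = [System.Security.Cryptography.Aes]::Create(); $aes.Key = $Key; $aes.GenerateIV()
    $ct = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    return ,[byte[]]($aes.IV + $ct)
}
function Unprotect-Aes([byte[]]$Key, [byte[]]$Blob) {
    $aes = [System.Security.Cryptography.Aes]::Create(); $aes.Key = $Key; $aes.IV = [byte[]]($Blob[0..15])
    return ,[byte[]]$aes.CreateDecryptor().TransformFinalBlock($Blob, 16, $Blob.Length - 16)
}

# WDS server: key pair of the Network Unlock certificate. The private key lives only here
# (in the FVE_NKP store on a real server); clients get the public half through Group Policy.
$serverRsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$clientRsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$clientRsa.ImportParameters($serverRsa.ExportParameters($false))

# Client provisioning, when the TpmNetworkKey protector is created
$vmk        = New-RandomBytes 32   # volume master key: never leaves this machine
$tpmSecret  = New-RandomBytes 32   # stands in for the TPM-sealed half of the protector (assumption)
$networkKey = New-RandomBytes 32
$wrapKey    = [System.Security.Cryptography.HMACSHA256]::new($tpmSecret).ComputeHash($networkKey)
$protector  = @{
    WrappedVmk    = Protect-Aes $wrapKey $vmk
    EncNetworkKey = $clientRsa.Encrypt($networkKey, $true)   # RSA-OAEP to the server certificate
}
Remove-Variable networkKey, wrapKey   # plaintext network key is discarded; only ciphertext is stored

# Boot: client builds the vendor-specific DHCP request with a fresh per-boot session key
$sessionKey = New-RandomBytes 32
$request = @{
    EncNetworkKey = $protector.EncNetworkKey
    EncSessionKey = $clientRsa.Encrypt($sessionKey, $true)
}

# WDS Network Unlock provider: decrypt both keys, return the network key under the session key
function Invoke-NetworkUnlockProvider([hashtable]$Req, $Rsa) {
    $nk = $Rsa.Decrypt($Req.EncNetworkKey, $true)
    $sk = $Rsa.Decrypt($Req.EncSessionKey, $true)
    return Protect-Aes $sk $nk
}
$reply = Invoke-NetworkUnlockProvider $request $serverRsa

# Client: recover the network key from the reply, combine it with the TPM part, unwrap the VMK
$releasedKey = Unprotect-Aes $sessionKey $reply
$wrapKey     = [System.Security.Cryptography.HMACSHA256]::new($tpmSecret).ComputeHash($releasedKey)
$unlockedVmk = Unprotect-Aes $wrapKey $protector.WrappedVmk
"VMK recovered on the client: $(($unlockedVmk -join ',') -eq ($vmk -join ','))"

# Rogue DHCP responder without the certificate's private key: the request is opaque to it,
# no usable reply is produced, and the boot manager falls back to the TPM+PIN prompt
$rogueRsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
try   { $null = $rogueRsa.Decrypt($request.EncNetworkKey, $true); 'unexpected: rogue key decrypted the request' }
catch { 'Rogue responder cannot decrypt the request; client would fall back to TPM+PIN' }
```

Run it in any PowerShell 5.1 or 7 session; it needs no TPM or WDS. The final block is the failure mode worth remembering: an attacker who can answer DHCP on the client's segment learns nothing from the request, and the only valuable secret in the design is the private key in the server's FVE_NKP store.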
Prerequisites for BitLocker Network Unlock
Before configuring Network Unlock, ensure all requirements are met. Client machines must have UEFI firmware with a DHCP driver (legacy BIOS is not supported), a TPM 1.2 or 2.0, a wired Ethernet connection at boot, and Windows 8 Enterprise / Windows Server 2012 or later (Windows 10/11 Enterprise or Windows Server 2012 R2 and later in practice). The operating system drive must be protected with TPM+PIN; Network Unlock only supplements that protector. The server side requires Windows Server 2019 with the WDS role and the BitLocker Network Unlock feature installed, an Active Directory domain, a DHCP server on a host separate from the WDS server, and a PKI (Active Directory Certificate Services) to issue the Network Unlock certificate in production.
Install the WDS role and the BitLocker Network Unlock feature (which registers the Network Unlock provider with WDS) on the server that will answer Network Unlock requests:
Install-WindowsFeature -Name WDS, BitLocker-NetworkUnlock -IncludeManagementTools
Configure WDS. It does not need to be a full PXE deployment server or carry any boot images; it only needs to be initialized so the WDSServer service runs and loads the Network Unlock provider. The RemInst folder must be on an NTFS volume:
wdsutil /initialize-server /reminst:"C:\RemoteInstall"
Creating the Network Unlock Certificate
You need an RSA certificate whose enhanced key usage is the BitLocker Network Unlock OID (1.3.6.1.4.1.311.67.1.1) for the Network Unlock provider. In production, issue it from a custom ADCS certificate template with a 2048-bit RSA key and that OID as the application policy; for testing, create a self-signed certificate with the same EKU and application-policy extensions:
# Create a self-signed certificate for Network Unlock (testing only; use ADCS in production)
$cert = New-SelfSignedCertificate -Subject "CN=BitLocker Network Unlock Cert" -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 -KeyExportPolicy Exportable `
    -KeyUsage KeyEncipherment, DigitalSignature -NotAfter (Get-Date).AddYears(5) `
    -TextExtension @("2.5.29.37={text}1.3.6.1.4.1.311.67.1.1", "1.3.6.1.4.1.311.21.10={text}OID=1.3.6.1.4.1.311.67.1.1")
Export the certificate (public key only) to a CER file for distribution via Group Policy:
Export-Certificate -Cert $cert -FilePath "C:\BitLockerNetworkUnlock.cer" -Type CERT
Export the full certificate including the private key to a PFX for the WDS server. Prompt for the PFX password instead of embedding it in a script, and treat the file as a secret: whoever holds this private key can answer Network Unlock requests for every client that trusts the certificate:
$pfxPassword = Read-Host -AsSecureString "PFX password"
Export-PfxCertificate -Cert $cert -FilePath "C:\BitLockerNetworkUnlock.pfx" -Password $pfxPassword
Deploying the Certificate to WDS
Copy the PFX to the WDS server and install it in the store the Network Unlock provider reads: FVE_NKP, shown in the Certificates MMC (Local Computer) as "BitLocker Drive Encryption Network Unlock Certificate". A certificate sitting in the Personal (My) store is not used:
Import-PfxCertificate -FilePath "C:\BitLockerNetworkUnlock.pfx" -CertStoreLocation Cert:\LocalMachine\FVE_NKP -Password (Read-Host -AsSecureString "PFX password")
certutil can target the same store if the Cert: provider does not list it on your build:
certutil -p "<pfx password>" -importpfx FVE_NKP "C:\BitLockerNetworkUnlock.pfx"
Confirm the certificate is there with its private key and the Network Unlock EKU, then delete the PFX file from both hosts:
Get-ChildItem Cert:\LocalMachine\FVE_NKP | Format-List Subject, Thumbprint, HasPrivateKey, NotAfter, EnhancedKeyUsageList
Restart the WDS service to load the certificate:
Restart-Service -Name WDSServer
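Putting the server steps together, here is an added check script (not from the original page) to run on the WDS host once the feature is installed, the PFX imported and the service restarted; it reports the usual reasons a Network Unlock server silently never answers. The function name, the 30-day expiry threshold and the optional -ExpectedThumbprint parameter (the thumbprint of the certificate you deployed through Group Policy) are my choices.

```powershell
# Added verification script for the WDS/Network Unlock host (not Microsoft's code).
function Test-NetworkUnlockServer {
    [CmdletBinding()]
    param([string]$ExpectedThumbprint)   # optional: thumbprint of the cert deployed by GPO
    $nkpOid   = '1.3.6.1.4.1.311.67.1.1'
    $findings = New-Object System.Collections.Generic.List[string]

    # Both features must be present; the second one registers the provider with WDS
    foreach ($name in 'WDS', 'BitLocker-NetworkUnlock') {
        $feature = Get-WindowsFeature -Name $name -ErrorAction SilentlyContinue
        if (-not $feature -or -not $feature.Installed) { $findings.Add("Feature '$name' is not installed") }
    }
    $dhcp = Get-WindowsFeature -Name DHCP -ErrorAction SilentlyContinue
    if ($dhcp -and $dhcp.Installed) {
        $findings.Add('DHCP role is installed on this host; Network Unlock expects DHCP on a separate server')
    }
    $svc = Get-Service -Name WDSServer -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') { $findings.Add('WDSServer service is not running') }

    # The provider reads FVE_NKP, not the Personal store
    $certs = @(Get-ChildItem -Path 'Cert:\LocalMachine\FVE_NKP' -ErrorAction SilentlyContinue)
    if ($certs.Count -eq 0) { $findings.Add('No certificate in Cert:\LocalMachine\FVE_NKP; import the PFX there, not into Personal') }
    if ($certs.Count -gt 1) { $findings.Add("$($certs.Count) certificates in FVE_NKP; remove stale ones once a rotation is complete") }
    foreach ($c in $certs) {
        $id = $c.Thumbprint
        if (-not $c.HasPrivateKey) { $findings.Add("${id}: no private key, so the provider cannot decrypt client requests") }
        if (-not ($c.EnhancedKeyUsageList | Where-Object ObjectId -eq $nkpOid)) { $findings.Add("${id}: missing Network Unlock EKU $nkpOid") }
        if ($c.PublicKey.Oid.FriendlyName -ne 'RSA') { $findings.Add("${id}: key algorithm is $($c.PublicKey.Oid.FriendlyName), not RSA") }
        if ($c.NotAfter -lt (Get-Date).AddDays(30)) { $findings.Add("${id}: expires $($c.NotAfter); clients fall back to the PIN after that") }
        if ($ExpectedThumbprint -and $id -ne $ExpectedThumbprint) { $findings.Add("${id}: not the certificate deployed by GPO ($ExpectedThumbprint)") }
    }
    [pscustomobject]@{ Healthy = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

Test-NetworkUnlockServer | Format-List
```

Run it elevated on the WDS host. A "Healthy = False" result with an empty FVE_NKP store is the most common outcome when the PFX was imported with the defaults (into Personal), which is exactly the mistake the import step above guards against.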
Configuring Group Policy for Network Unlock
Deploy the Network Unlock public certificate to client machines via Group Policy. Open the Group Policy Management Console and edit the relevant GPO. Navigate to:
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > BitLocker Drive Encryption Network Unlock Certificate
Import the CER file exported earlier. This delivers the certificate to every machine in the GPO scope. Clients use its public key to encrypt the network key and the per-boot session key in their Network Unlock request, so the WDS server is the only party that can read them. Only one Network Unlock certificate is in effect on a client at a time; when you rotate the certificate, deploy the new CER here and import the new PFX into FVE_NKP on WDS together, then let clients refresh policy so their protectors are re-created against the new key.
Also ensure the following Group Policy settings are configured under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives:
Allow network unlock at startup: Enabled. Without it, clients never create the Network Unlock protector.
Require additional authentication at startup: Enabled, with "Configure TPM startup PIN" set to Allow or Require, so the drive can carry the TPM+PIN protector that Network Unlock builds on. Leave "Allow BitLocker without a compatible TPM" disabled; Network Unlock requires a TPM.
Enabling BitLocker with Network Unlock Protector
On a client machine, enable BitLocker on the operating system drive with a TPM+PIN protector and a recovery password. There is no Add-BitLockerKeyProtector switch for the Network Unlock protector; the BitLocker service creates it (key protector type TpmNetworkKey) on the next Group Policy refresh, once the certificate and the "Allow network unlock at startup" policy have applied and the drive already has a TPM+PIN protector:
$pin = Read-Host -AsSecureString "Startup PIN"
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
Enable-BitLocker -MountPoint "C:" -TpmAndPinProtector -Pin $pin -EncryptionMethod XtsAes256
Then refresh policy so the Network Unlock protector is added (Enable-BitLockerAutoUnlock is not involved; auto-unlock applies only to data volumes, never to the OS volume):
gpupdate /target:computer /force
Verify all key protectors on the drive:
Get-BitLockerVolume -MountPoint "C:" | Select-Object -ExpandProperty KeyProtector
You should see protectors of type TpmPin, TpmNetworkKey (the Network Unlock protector) and RecoveryPassword. If TpmNetworkKey is missing, confirm that the certificate arrived in Cert:\LocalMachine\FVE_NKP on the client and that the policy above applied, then refresh policy again. Save the recovery password to Active Directory:
$rp = (Get-BitLockerVolume -MountPoint "C:").KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $rp.KeyProtectorId
Once configured, the BitLocker-encrypted machine unlocks automatically on reboot when connected by wire to the corporate network, and still prompts for the TPM PIN when rebooted off-site or when the WDS server cannot be reached. Because the private key in the WDS server's FVE_NKP store can release the network key for every enrolled client, restrict logon and administrative access to that server as tightly as to a domain controller.
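The client-side steps above as one added script (not from the original page): pre-flight checks, enrolment with TPM+PIN plus an AD-escrowed recovery password, a policy refresh, and a status object showing whether the BitLocker service created the TpmNetworkKey protector. Two assumptions are marked in the code: the OSManageNKP value under HKLM\SOFTWARE\Policies\Microsoft\FVE is taken to be the registry backing of "Allow network unlock at startup" (the page does not state it), and the GPO-delivered certificate is read from Cert:\LocalMachine\FVE_NKP on the client. Function names are mine.

```powershell
# Added client enrolment and verification script for Network Unlock (not Microsoft's code).
$ErrorActionPreference = 'Stop'
$Drive = 'C:'

function Test-NetworkUnlockClientPrereqs {
    $issues = @()
    # $env:firmware_type is set by Windows to 'UEFI' or 'Legacy'
    if ($env:firmware_type -ne 'UEFI') { $issues += "Firmware type is '$($env:firmware_type)'; Network Unlock needs UEFI with a DHCP driver" }
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { $issues += 'TPM is absent or not ready (run Initialize-Tpm first)' }
    # Assumption: OSManageNKP = 1 is how "Allow network unlock at startup" lands in the registry
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if ($fve.OSManageNKP -ne 1) { $issues += '"Allow network unlock at startup" is not enabled (assumed registry value OSManageNKP)' }
    $certs = @(Get-ChildItem -Path 'Cert:\LocalMachine\FVE_NKP' -ErrorAction SilentlyContinue)
    if ($certs.Count -eq 0) { $issues += 'No Network Unlock certificate delivered by GPO (Cert:\LocalMachine\FVE_NKP is empty)' }
    elseif ($certs | Where-Object HasPrivateKey) { $issues += 'This client holds a Network Unlock private key; only the WDS server should' }
    return $issues
}

function Enable-OsDriveForNetworkUnlock {
    param([Parameter(Mandatory)][securestring]$Pin)
    $vol = Get-BitLockerVolume -MountPoint $Drive
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # Recovery password first, then TPM+PIN; Enable-BitLocker schedules a hardware-test reboot
        Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
        Enable-BitLocker -MountPoint $Drive -TpmAndPinProtector -Pin $Pin -EncryptionMethod XtsAes256 | Out-Null
    }
    # Escrow the recovery password in AD DS before depending on any unattended unlock path
    $rp = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $rp.KeyProtectorId | Out-Null
    # The BitLocker service adds the TpmNetworkKey protector when policy is refreshed
    gpupdate /target:computer /force | Out-Null
}

function Get-NetworkUnlockStatus {
    $kp = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector
    [pscustomobject]@{
        TpmPin         = [bool]($kp | Where-Object KeyProtectorType -eq 'TpmPin')
        TpmNetworkKey  = [bool]($kp | Where-Object KeyProtectorType -eq 'TpmNetworkKey')
        RecoveryEscrow = [bool]($kp | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        ServerCert     = (@(Get-ChildItem -Path 'Cert:\LocalMachine\FVE_NKP' -ErrorAction SilentlyContinue).Thumbprint -join ',')
    }
}

$problems = Test-NetworkUnlockClientPrereqs
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; return }
Enable-OsDriveForNetworkUnlock -Pin (Read-Host -AsSecureString 'Startup PIN (6 or more digits)')
Get-NetworkUnlockStatus
```

Run it elevated on a domain-joined client after the GPO has been linked. Fix anything it warns about before enrolling: with the pre-flight checks failing, Enable-BitLocker would still succeed, but the machine would prompt for the PIN at every reboot and you would only discover it at the next unattended patch window.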