Q: What is BitLocker Network Unlock?

A: Windows 8 introduces BitLocker Network Unlock, which provides an additional protector method for BitLocker.

Typically with BitLocker, in addition to the Trusted Platform Module (TPM), using it in certain modes requires user intervention, such as authentication mode, where a startup key must be typed when booting the BitLocker-protected machine, and USB key mode, where the user must insert a USB drive.

BitLocker Network Unlock allows automatic access to the BitLocker key needed to unlock the volume. That automatic access occurs over the network when the machine boots, avoiding any manual steps. It essentially works in a very similar way to the TPM+startup key BitLocker method, except the key is being sent over the network.

There are several requirements for this functionality:

  • The computer must have UEFI firmware and UEFI DHCP capability.
  • Any UEFI Compatibility Support Modules (CSM)/Legacy modes must be disabled.
  • The BitLocker-NetworkUnlock feature must be installed on a Windows Deployment Server (which does not have to be configured--the WDSServer service just needs to be running).
  • A separate DHCP server must be available to provide an IP address.
  • The client computer must be running Windows 8.
  • The necessary certificates for the public/private key pairing must be configured.
  • Group Policy settings to configure Network Unlock must be configured.

At the time of its release, Microsoft will have step-by-step documentation for this process. For now, however, a beta document "Understand and Troubleshoot BitLocker in Windows Server "8" Beta"  also walks through the process. 

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.