What is BitLocker Network Unlock

Windows 8 and Windows Server 2012 include a new BitLocker protector option for operating system volumes called Network Unlock.  Network Unlock enables easier management for BitLocker enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network.  This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware.

Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a machine reboots or resumes from hibernation (e.g. by Wake on LAN).  This can make it difficult for enterprises to roll out software patches to unattended desktops and headless servers.

Network Unlock allows BitLocker-enabled systems that use TPM+PIN and meet the hardware requirements to boot into Windows without user intervention.  Network Unlock works in a similar fashion to the TPM+StartupKey protector at boot.  Rather than the StartupKey being read from USB media, however, the key for Network Unlock is composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted there, and returned to the client in a secure session.


How to tell if your computer has been configured for Network Unlock

Open the registry editor (regedit). If your computer has a Network Unlock certificate identified under the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\FVE_NKP key, then Network Unlock has been configured.
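The same check can be scripted so it can be run across a fleet instead of by opening regedit on each machine. The following PowerShell function is an added example, not code from the original article or from Microsoft; the function name and output object are mine, and it assumes that a policy-deployed certificate appears as a Certificates\<thumbprint> subkey beneath the FVE_NKP store key.

```powershell
# Added example (not from the original article): report whether this
# Windows machine has a BitLocker Network Unlock certificate deployed.
# Assumption: a Group Policy-deployed certificate lands under a
# "Certificates\<thumbprint>" subkey of the FVE_NKP store key; the
# function name and the returned object are hypothetical conveniences.
function Get-NetworkUnlockStatus {
    [CmdletBinding()]
    param()

    $storeKey = 'HKLM:\Software\Policies\Microsoft\SystemCertificates\FVE_NKP'
    $certKey  = Join-Path -Path $storeKey -ChildPath 'Certificates'

    $result = [PSCustomObject]@{
        ComputerName   = $env:COMPUTERNAME
        StoreKeyExists = Test-Path -Path $storeKey
        Configured     = $false
        Thumbprints    = @()
    }

    if ($result.StoreKeyExists -and (Test-Path -Path $certKey)) {
        # Each subkey name under Certificates is the thumbprint of a deployed certificate.
        $result.Thumbprints = @(Get-ChildItem -Path $certKey | ForEach-Object { $_.PSChildName })
        $result.Configured  = $result.Thumbprints.Count -gt 0
    }

    return $result
}

# Usage: run from an elevated PowerShell prompt on the client being checked.
Get-NetworkUnlockStatus | Format-List
```

A present certificate only shows that the policy has been applied to the client. Whether the operating system volume actually carries a Network Unlock protector is a separate question; `manage-bde -protectors -get C:` lists the protectors on the volume and is the place to confirm that.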

More information

