How to Automatically Unlock BitLocker Protected Devices Connected to Wired Networks

BitLocker is a full-disk encryption tool that is built into Windows. Full-disk encryption prevents someone who gets physical access to a disk from reading its data. BitLocker is most commonly used with a Trusted Platform Module (TPM), a hardware cryptoprocessor that is responsible for securing and managing the release of encryption keys. For better security, organizations often require the use of TPM+PIN, which requires physical intervention as a device boots or resumes from hibernation.

Configuring BitLocker to use TPM+PIN improves security but makes it harder to remotely service endpoints that need to be booted or resumed from hibernation using Wake on LAN. For example, IT might want to install software updates or perform other remote maintenance. To solve this problem, Microsoft introduced Network Unlock in Windows 8 and Windows Server 2012. Network Unlock allows devices in a domain environment that are connected to a wired network to automatically unlock BitLocker-protected operating system drives.

BitLocker Network Unlock prerequisites

There are several requirements endpoints must meet before they can be used with BitLocker Network Unlock. Endpoints must have UEFI DHCP drivers. UEFI endpoints should be in native mode and not configured for compatibility support. There must be a TPM chip, and BitLocker must be configured with at least one protector, such as a PIN or startup key. The network must also have a DHCP server and a separate server running Windows Deployment Services (WDS). WDS needs to be running but does not need to be configured.

Endpoints with more than one network adapter must be configured so that the onboard adapter receives an IP address using DHCP. Network Unlock uses a server component that can be installed on Windows Server 2012 or later. It must be able to contact a WDS server. Installing the BitLocker Network Unlock feature on Windows Server will automatically install WDS if it is not found on the server. Using the WDS Configuration Wizard (wdsmgmt.msc), you only need to make sure that it can communicate with DHCP and client computers.

Configuring certificates

You have two options for configuring certificates for Network Unlock. The first is to import certificates from your existing public key infrastructure (PKI). You can request a certificate from your certification authority (CA) using Certificate Manager (certmgr.msc) on the WDS server. Alternatively, it’s possible to use a self-signed certificate. If you decide to use a self-signed certificate, you can generate the certificate using the certreq command-line tool or PowerShell (New-SelfSignedCertificate). You will need to import the self-signed certificate on the WDS server manually.

Once the certificate has been configured on WDS, deploy the public key certificate to endpoints that will be unlocked automatically using BitLocker Network Unlock. The easiest way to deploy certificates is using Group Policy. You can import the .cer certificate file into Group Policy using the Add Network Unlock Certificate setting under Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption Network Unlock Certificate.
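As an added example (not code from the article or from Microsoft), the self-signed route in PowerShell: it generates the certificate on the WDS server and exports the public .cer file that the Group Policy setting above imports. The subject name and output path are assumptions; the application-policy OID is the one in Microsoft's documented certreq template for Network Unlock.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the WDS server. Subject name and output path are assumptions.
$subject = "CN=BitLocker Network Unlock certificate"
$cerPath = "C:\Temp\NetworkUnlock.cer"   # assumed output location

# 1.3.6.1.4.1.311.67.1.1 is the BitLocker Network Unlock application-policy OID
# used in Microsoft's certreq template. The key must allow key encipherment, and
# the private key is kept non-exportable so it never leaves the WDS server.
$nuOid = "1.3.6.1.4.1.311.67.1.1"
$cert = New-SelfSignedCertificate `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -Subject $subject `
    -Provider "Microsoft Software Key Storage Provider" `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm sha256 `
    -KeyUsage KeyEncipherment `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(5) `
    -TextExtension @(
        "1.3.6.1.4.1.311.21.10={text}OID=$nuOid",   # application policies
        "2.5.29.37={text}$nuOid"                      # enhanced key usage
    )

# Export only the public certificate; this is the file imported into the GPO.
New-Item -ItemType Directory -Path (Split-Path $cerPath) -Force | Out-Null
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Sanity check before deploying: private key present, EKU carries the Network
# Unlock OID, and key usage includes key encipherment.
function Test-NetworkUnlockCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    $ku  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.15" }
    $kuFlag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    $ok = $Cert.HasPrivateKey -and
          $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $nuOid }) -and
          $ku -and (($ku.KeyUsages -band $kuFlag) -ne 0)
    return [bool]$ok
}

"Thumbprint              : $($cert.Thumbprint)"
"Public certificate file : $cerPath"
"Valid for Network Unlock: $(Test-NetworkUnlockCert $cert)"
```

Only the exported .cer goes into the GPO; the certificate with its private key stays in the WDS server's local machine store.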

[Figure 1: Automatically Unlock BitLocker Protected Devices Connected to Wired Networks Using Network Unlock (Image Credit: Russell Smith)]

Add the certificate to the Group Policy Object (GPO) directly on a domain controller (DC) operating with a domain functional level of at least Windows Server 2012. In addition to the certificate, you’ll also need to enable the Allow Network Unlock at startup setting, which you’ll find under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.

For more information on creating and deploying settings using Group Policy, see How to Create and Link a Group Policy Object in Active Directory on Petri.

Once the Group Policy Object is configured and applied to endpoints, they should be rebooted. If everything is set up correctly, the WDS server should start responding to Network Unlock requests and unlock BitLocker-protected devices. To disable Network Unlock, uninstall the Network Unlock server component and set the Allow Network Unlock at startup Group Policy setting to Disabled.

For more detailed information on configuring BitLocker Network Unlock, see Microsoft’s website here.