When you protect a computer with BitLocker, you can require
additional authentication at startup. Normally, this means a user is required to
have a startup key on a USB flash drive, a startup PIN, or both. The
Network Unlock feature provides this additional layer of protection
without requiring the startup key, startup PIN, or both by
automatically unlocking the operating system drive when a computer
is started. It does this as long as the following conditions are
met:
- The BitLocker-protected computer has an enabled TPM.
- The computer is on a trusted, wired network.
- The computer is joined to and connected to a domain.
- A Network Unlock server with an appropriate Network Unlock certificate is available.
Because the computer must be joined to and connected to the
domain for Network Unlock to work, user authentication is still
required when a computer is not connected to the domain. When
connected to the domain, the client computer (whether it’s a Windows
desktop or a Windows server) connects to a Network Unlock server to unlock the system drive. You
allow Network Unlock to be used by enabling the Allow Network Unlock At Startup policy, as shown in Figure 15.
Typically, the Network Unlock server is a domain controller
configured to use and distribute Network Unlock certificates to
clients. The Network Unlock certificates, in turn, are used to
create the Network Unlock keys.
You can configure a domain controller to distribute this
certificate to clients. To do this, create an X.509 certificate for
the server (for example, by using Certmgr.msc) and then use the
BitLocker Drive Encryption Network Unlock Certificate setting to
add this certificate to a GPO applied to the domain controller.
You’ll find this Computer Configuration setting under Windows
Settings\Security Settings\Public Key Policies.
Provisioning BitLocker prior to deployment
Windows allows you to provision BitLocker during operating
system deployment. You can do this from the Windows Pre-Installation
Environment (WinPE). It’s important to point out that Windows
PowerShell includes a Deployment Image Servicing and Management (DISM)
module that you can import. Because this module doesn’t support
wildcards in feature names, first list the exact feature names with the
Get-WindowsOptionalFeature cmdlet, as shown in this example:
Get-WindowsOptionalFeature -Online | Format-Table
To completely install BitLocker and related management tools,
use the following command:
Enable-WindowsOptionalFeature -Online -FeatureName BitLocker,
BitLocker-Utilities, BitLocker-NetworkUnlock -All
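As an added example that is not from the book or from Microsoft, the following PowerShell checks the client-side Network Unlock prerequisites listed earlier (TPM, domain membership, wired link) and then enables only the BitLocker features that are still missing. The feature names are the ones the text gives for Windows Server; Get-Tpm, Get-NetAdapter and the Win32_ComputerSystem CIM class are assumed to be available on the target machine.

```powershell
# Added example (not from the book): report the Network Unlock prerequisites
# that can be verified locally, then enable any BitLocker optional features
# that are not yet present. Exact feature names are used because the DISM
# module does not accept wildcards in -FeatureName. Run elevated.

function Test-NetworkUnlockPrerequisites {
    # TPM must be present and ready for use.
    $tpm = Get-Tpm
    $tpmOk = $tpm.TpmPresent -and $tpm.TpmReady

    # The computer must be joined to a domain.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # A physical wired (802.3) adapter must currently be connected.
    $wired = Get-NetAdapter -Physical |
        Where-Object { $_.Status -eq 'Up' -and $_.MediaType -eq '802.3' }

    # The server-side condition (a Network Unlock server with a valid
    # certificate) cannot be verified from the client and is not tested here.
    [pscustomobject]@{
        TpmReady     = [bool]$tpmOk
        DomainJoined = [bool]$cs.PartOfDomain
        Domain       = $cs.Domain
        WiredLinkUp  = ($wired | Measure-Object).Count -gt 0
    }
}

function Enable-BitLockerFeatures {
    # Feature names as they appear on Windows Server; -FeatureName accepts
    # no wildcards, so the full list is filtered with Where-Object instead.
    $wanted  = 'BitLocker', 'BitLocker-Utilities', 'BitLocker-NetworkUnlock'
    $enabled = Get-WindowsOptionalFeature -Online |
        Where-Object { $_.FeatureName -like 'BitLocker*' -and $_.State -eq 'Enabled' } |
        Select-Object -ExpandProperty FeatureName
    $missing = $wanted | Where-Object { $enabled -notcontains $_ }
    if ($missing) {
        # -All also enables parent features; -NoRestart defers the reboot.
        Enable-WindowsOptionalFeature -Online -FeatureName $missing -All -NoRestart
    } else {
        Write-Output 'All BitLocker features are already enabled.'
    }
}

Test-NetworkUnlockPrerequisites | Format-List
Enable-BitLockerFeatures
```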