Enabling and disabling auto-unlock of a BitLocker volume
Data volumes and removable drives that are encrypted by BitLocker can be automatically unlocked whenever they are present in the host computer. You can't automatically unlock the operating system volume. After a user unlocks the operating system volume, BitLocker uses encrypted information in the registry and volume metadata to unlock any data volumes that have automatic unlocking enabled. To enable auto-unlock of a BitLocker volume, use the BitLocker Drive Encryption control panel item or use the Enable-BitLockerAutoUnlock cmdlet. You can disable the auto-unlock feature of one or more BitLocker volumes by using the Disable-BitLockerAutoUnlock cmdlet. You can clear all automatic unlocking keys on a server with the Clear-BitLockerAutoUnlock cmdlet. Clear BitLocker automatic unlocking keys prior to disabling BitLocker on a volume.
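The following script is an added example, not code from the book: it applies the Enable-BitLockerAutoUnlock and Disable-BitLockerAutoUnlock cmdlets described above to data volumes only (the operating system volume is excluded, since it cannot be auto-unlocked) and reports the resulting state from Get-BitLockerVolume so the change can be verified. The function names and the mount points in the usage lines are the author's own choices; it assumes the operating system volume is already protected, because auto-unlock stores its key material there.

```powershell
# Added example (not from the book): enable auto-unlock on every unlocked,
# fully encrypted data volume, verify the result, and disable it on demand.
# Assumes the BitLocker PowerShell module is available and the OS volume is
# already protected (auto-unlock keys are kept in its metadata and the registry).
#Requires -RunAsAdministrator

function Enable-DataVolumeAutoUnlock {
    param([switch]$WhatIf)

    # Only data volumes qualify: the operating system volume can't be auto-unlocked,
    # and a volume must be unlocked before its auto-unlock key can be stored.
    $candidates = Get-BitLockerVolume | Where-Object {
        $_.VolumeType -eq 'Data' -and
        $_.VolumeStatus -eq 'FullyEncrypted' -and
        $_.LockStatus -eq 'Unlocked' -and
        -not $_.AutoUnlockEnabled
    }

    foreach ($vol in $candidates) {
        if ($WhatIf) {
            Write-Host "Would enable auto-unlock on $($vol.MountPoint)"
            continue
        }
        Enable-BitLockerAutoUnlock -MountPoint $vol.MountPoint | Out-Null
    }

    # Report the resulting state of every data volume so the change can be audited.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'Data' } |
        Select-Object MountPoint, VolumeStatus, LockStatus, AutoUnlockEnabled
}

function Disable-DataVolumeAutoUnlock {
    param([Parameter(Mandatory)][string[]]$MountPoint)

    foreach ($mp in $MountPoint) {
        Disable-BitLockerAutoUnlock -MountPoint $mp | Out-Null
    }
    # Confirm that auto-unlock is now off for the volumes that were passed in.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, AutoUnlockEnabled
}

# Usage (mount points are hypothetical):
# Enable-DataVolumeAutoUnlock -WhatIf      # preview only
# Enable-DataVolumeAutoUnlock
# Disable-DataVolumeAutoUnlock -MountPoint 'E:', 'F:'
```

The -WhatIf switch on the enabling function is a plain preview implemented by the example itself; it lets an administrator see which volumes would gain auto-unlock before any key is stored, which matters because each stored key widens what the unlocked operating system volume can open.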
Disabling BitLocker encryption on a volume
When you want to remove the BitLocker encryption on a volume, you can disable BitLocker
on that volume by using the BitLocker Drive Encryption control panel item or by using
the Disable-BitLocker cmdlet. Disabling BitLocker encryption on a volume removes all key
protectors on the volume and begins decrypting the data on the volume.
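The function below is an added example, not code from the book, that follows the order the text prescribes for removing BitLocker from a volume: deal with the automatic unlocking keys first, then run Disable-BitLocker, which removes the key protectors and starts decryption, and then poll Get-BitLockerVolume until decryption finishes. The function name, the -ClearAllAutoUnlockKeys switch and the polling interval are the author's own; it assumes the target volume is currently unlocked.

```powershell
# Added example (not from the book): turn off BitLocker on one volume.
# Auto-unlock keys are handled first, then the key protectors are removed and
# decryption begins; the function then waits for decryption to complete.
# Assumes the volume is unlocked; $MountPoint is supplied by the caller.
#Requires -RunAsAdministrator

function Remove-BitLockerFromVolume {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [switch]$ClearAllAutoUnlockKeys,   # use the server-wide Clear cmdlet instead
        [int]$PollSeconds = 30
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Host "$MountPoint is already decrypted."
        return $vol
    }

    # Step 1: remove automatic unlocking keys before disabling BitLocker.
    # Clear-BitLockerAutoUnlock drops the stored keys for every volume on this
    # host; Disable-BitLockerAutoUnlock limits the change to the target volume.
    if ($ClearAllAutoUnlockKeys) {
        Clear-BitLockerAutoUnlock
    } elseif ($vol.AutoUnlockEnabled) {
        Disable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null
    }

    # Step 2: remove all key protectors and begin decrypting the data.
    Disable-BitLocker -MountPoint $MountPoint | Out-Null

    # Step 3: poll until decryption completes; the volume remains usable meanwhile.
    do {
        Start-Sleep -Seconds $PollSeconds
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ("{0}: {1} ({2}% still encrypted)" -f
            $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage)
    } while ($vol.VolumeStatus -eq 'DecryptionInProgress')

    return $vol
}

# Usage (mount point is hypothetical):
# Remove-BitLockerFromVolume -MountPoint 'E:'
# Remove-BitLockerFromVolume -MountPoint 'E:' -ClearAllAutoUnlockKeys
```

Because Disable-BitLocker removes every key protector as soon as it runs, the volume is readable without a key from that moment, even though the decryption pass itself takes time; the polling loop exists only so that the caller knows when the on-disk data is fully in the clear.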
Configuring the Network Unlock feature
Beginning with Windows Server 2012 and Windows 8, BitLocker supports a new protector
option for operating system volumes called Network Unlock. Network Unlock allows for
automatic unlocking of operating system volumes on domain-joined servers and desktops
that are connected over a wired corporate network.
Network Unlock requires the server or desktop to have a Dynamic Host Configuration
Protocol (DHCP) driver implemented in Unified Extensible Firmware Interface (UEFI) firmware.
Without Network Unlock, computers protected with TPM+PIN require a PIN to be entered
whenever the computer restarts or resumes from hibernation. Therefore, enabling TPM+PIN
without Network Unlock prevents remote updating with unattended distribution of software
updates. With Network Unlock enabled, BitLocker-protected systems that use TPM+PIN can
be remotely started or restarted without direct interaction at the console.
The Network Unlock feature requires the following:
- Computers running Windows 8, Windows 8.1, Windows Server 2012, or Windows Server 2012 R2 with UEFI DHCP drivers
- Windows Deployment Services (WDS) role installed on Windows Server 2012 or Windows Server 2012 R2
- BitLocker Network Unlock optional feature installed on Windows Server 2012 or Windows Server 2012 R2
- DHCP server
- Properly configured public/private key pairing
- Network Unlock Group Policy settings configured
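As an added example that is not part of the book, the two functions below check the prerequisites from the list that can be verified locally with standard cmdlets: on the server side, whether the WDS role, the BitLocker Network Unlock feature and the DHCP Server role are installed (Get-WindowsFeature, with the feature names WDS, BitLocker-NetworkUnlock and DHCP); on the client side, whether the firmware is UEFI and the operating system volume is protected with a TPM+PIN protector. The key pairing and the Group Policy settings are not checked here. The function names are the author's own.

```powershell
# Added example (not from the book): report which Network Unlock prerequisites
# are in place on this host. Run Test-NetworkUnlockServer on the WDS server and
# Test-NetworkUnlockClient on a protected client. The certificate pairing and
# the Group Policy settings are outside what these checks cover.

function Test-NetworkUnlockServer {
    # Get-WindowsFeature comes from the ServerManager module on Windows Server.
    # 'WDS' is the Windows Deployment Services role, 'BitLocker-NetworkUnlock'
    # the optional feature that provides the Network Unlock server, and 'DHCP'
    # the DHCP Server role. A DHCP server on another host also satisfies the
    # requirement; the check here only reports whether one is installed locally.
    $features = Get-WindowsFeature -Name 'WDS', 'BitLocker-NetworkUnlock', 'DHCP'

    $report = [ordered]@{}
    foreach ($f in $features) {
        $report[$f.Name] = [bool]$f.Installed
    }
    [PSCustomObject]$report
}

function Test-NetworkUnlockClient {
    $report = [ordered]@{}

    # The DHCP client that Network Unlock relies on runs inside the UEFI firmware,
    # so a BIOS-mode installation cannot use the feature at all.
    $report['UefiFirmware'] = ($env:firmware_type -eq 'UEFI')

    # Network Unlock supplements a TPM+PIN protector on the operating system
    # volume rather than replacing it, so that protector must already exist.
    $os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    $report['OsVolumeProtected'] = ($os.ProtectionStatus -eq 'On')
    $report['TpmPinProtector']   = [bool]($os.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'TpmPin' })

    [PSCustomObject]$report
}

# Usage:
# Test-NetworkUnlockServer
# Test-NetworkUnlockClient
```

A client report that shows UefiFirmware as False explains a failed Network Unlock rollout before any certificate or policy work begins, which is usually the cheapest place to start troubleshooting.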