The Network Unlock feature is a BitLocker functionality that allows you to automatically unlock your encrypted drives when your server boots up and connects to a trusted network. You can install this feature on your server using either Server Manager or Windows PowerShell. If you choose to use Server Manager, you need to open the Server Manager console and select the BitLocker Network Unlock feature from the list of available features. This will launch the installation wizard that will guide you through the process.
If you prefer to use Windows PowerShell, you need to run the following command as an administrator: Install-WindowsFeature BitLocker-NetworkUnlock. This will install the Network Unlock feature and its dependencies on your server. You can verify the installation by running the Get-WindowsFeature command and checking the status of the BitLocker-NetworkUnlock feature.
After installing the Network Unlock feature, you need to configure some settings on your server and your network to enable it. First, you need to create a certificate that will be used to authenticate your server to the network. You can use the Certificates snap-in in Microsoft Management Console (MMC) or Windows PowerShell to create a self-signed certificate or request one from a certification authority (CA). The certificate must have the following properties: Enhanced Key Usage must include the BitLocker Network Unlock object identifier (1.3.6.1.4.1.311.67.1.1), Key Usage must include Key Encipherment, and Subject Alternative Name must include a DNS name.
Next, you need to install the certificate on your server and export it to a file. You can use the Certificates snap-in or Windows PowerShell to do this. The file must be in Personal Information Exchange (.pfx) format and must include the private key. You also need to copy the file to a removable media device such as a USB flash drive.
Then, you need to configure your network devices to support Network Unlock. You need to have a Windows Deployment Services (WDS) server on your network that can broadcast the Network Unlock certificate to your server. You also need to configure your DHCP server to provide the IP address of the WDS server to your server. You can use the DHCP snap-in or Windows PowerShell to do this. You need to add a new option with the code 249 and the value of the WDS server IP address.
Finally, you need to enable Network Unlock on your server. You can use the BitLocker Drive Encryption snap-in or Windows PowerShell to do this. You need to turn on BitLocker for your operating system drive and any other drives that you want to unlock automatically. You also need to select the option to allow network unlock at startup. This will store the Network Unlock certificate on your server and register it with the WDS server.
Once you have completed these steps, you can test Network Unlock by rebooting your server and verifying that it unlocks without requiring a password or a recovery key. You can also monitor the Network Unlock events in the Event Viewer under Applications and Services Logs\Microsoft\Windows\BitLocker-NetworkUnlock.
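As an added example (not code from the original page), the following PowerShell check confirms the configuration the steps above describe before the reboot test: the feature state, the certificate's required properties, and the BitLocker state of the OS drive. It assumes the Network Unlock certificate has been imported into the local machine Personal store, that its thumbprint is passed as $Thumbprint, and that the BitLocker Network Unlock EKU OID is 1.3.6.1.4.1.311.67.1.1.

```powershell
# Added verification script, not part of the original page.
# Assumptions: $Thumbprint identifies the Network Unlock certificate, which sits
# in Cert:\LocalMachine\My; run in an elevated Windows PowerShell session.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [string] $Store = 'Cert:\LocalMachine\My'
)

# 1. Feature state, the same check the text performs with Get-WindowsFeature.
$feature = Get-WindowsFeature -Name BitLocker-NetworkUnlock
$featureInstalled = $feature.InstallState -eq 'Installed'

# 2. Certificate requirements: EKU, Key Usage, DNS SAN, and a private key.
$NetworkUnlockOid = '1.3.6.1.4.1.311.67.1.1'   # BitLocker Network Unlock EKU (assumed)
$cert = Get-ChildItem -Path $Store | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in $Store" }

$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasNetworkUnlockEku = [bool]$eku -and
    (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $NetworkUnlockOid)

$ku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$hasKeyEncipherment = [bool]$ku -and $ku.KeyUsages.HasFlag(
    [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)

# SAN is OID 2.5.29.17; on Windows, Format() renders entries as "DNS Name=<host>".
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$hasDnsSan = [bool]$san -and ($san.Format($false) -match 'DNS Name=')

# 3. OS drive state: Network Unlock only helps if BitLocker protection is on.
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive

# Summary object; any $false here means the steps above are incomplete.
[pscustomobject]@{
    FeatureInstalled         = $featureInstalled
    CertificateHasEku        = $hasNetworkUnlockEku
    CertificateKeyEncipher   = $hasKeyEncipherment
    CertificateHasDnsSan     = $hasDnsSan
    CertificateHasPrivateKey = $cert.HasPrivateKey
    OsDriveProtection        = $osVolume.ProtectionStatus
    OsDriveKeyProtectors     = ($osVolume.KeyProtector.KeyProtectorType -join ', ')
}
```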