Allow network unlock at startup

Supported OS tags: Windows8, WindowsServer2012

This policy setting controls whether a BitLocker-protected computer that is connected to a trusted wired Local Area Network (LAN) and joined to a domain can create and use Network Key Protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started. If you enable this policy, clients configured with a BitLocker Network Unlock certificate will be able to create and use Network Key Protectors. To use a Network Key Protector to unlock the computer, both the computer and the BitLocker Drive Encryption Network Unlock server must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create Network Key Protectors, and protects the information exchanged with the server to unlock the computer. You can use the group policy setting "Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption Network Unlock Certificate" on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that do not have a TPM cannot create Network Key Protectors to automatically unlock with Network Unlock. If you disable or do not configure this policy setting, BitLocker clients will not be able to create and use Network Key Protectors. Note: For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or the server at startup.

This policy has no additional user input fields.

• Computer
  Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.

  At least Windows Server 2016, Windows 10 Version 1703
• Computer
  Allow enhanced PINs for startup

  At least Windows Server 2008 R2 or Windows 7
• Computer
  Allow Secure Boot for integrity validation

  At least Windows Server 2012, Windows 8 or Windows RT
• Computer
  Choose how BitLocker-protected operating system drives can be recovered

  At least Windows Server 2008 R2 or Windows 7
• Computer
  Configure minimum PIN length for startup

  At least Windows Server 2008 R2 or Windows 7
• Computer
  Configure pre-boot recovery message and URL

  At least Windows Server 2016 or Windows 10
• Computer
  Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)

  Windows Server 2008, Windows 7, and Windows Vista