Forum Discussion
BitLocker Network Unlock Question
Hello,
This behaviour is expected and not related to the aftermarket TPM.
BitLocker Network Unlock operates in UEFI pre-boot using a specific NIC that supports the Network Unlock stack. It does not use any available network interface. It uses the adapter whose driver is exposed to the UEFI firmware and bound during BitLocker provisioning.
On the Gen11 server, NIC1 is likely the adapter whose UEFI driver was used when Network Unlock was configured. When you unplug NIC1, no eligible pre-boot network interface is available, so BitLocker falls back to TPM plus PIN.
On the Gen9 server, NIC2 is probably also UEFI-capable and supported for Network Unlock. Even if NIC1 is unplugged, NIC2 still provides a valid pre-boot network path, so the protector is released and the OS boots without a PIN. When both NICs are unplugged, no DHCP response is possible and the PIN is required.
Network Unlock decision flow is:
- TPM validates PCR
- UEFI network stack initialises supported NIC
- DHCP request sent
- WDS Network Unlock server responds with key protector
- VMK is unsealed
If you want to understand which adapter BitLocker is actually relying on, start by checking the protectors configured on the volume.
Run:
manage-bde -protectors -get C:
Look for a Network Unlock protector in the output. If it is present, the machine is capable of releasing the VMK over the network during pre-boot.
After that, move to the firmware level. Open the server UEFI settings and review which NICs are enabled for the UEFI network stack or pre-boot network. Network Unlock only works with adapters that expose a UEFI driver and are available during early boot, not simply any NIC that works inside Windows.
In short, confirm the protector exists at the BitLocker layer, then confirm the NIC is actually available at the firmware layer.
Conclusion:
This is a difference in UEFI NIC capability and firmware configuration between Gen9 and Gen11, not a TPM issue.
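An added PowerShell example (not from the post above) that runs the same manage-bde check the post describes and parses the protector list, so the BitLocker-layer step can be done on several volumes before moving on to the firmware check. It assumes an elevated prompt, and the protector type name containing the word "Network" is an assumption, not something the post confirms.

```powershell
# Added example, not from the original post. Parses the output of
# "manage-bde -protectors -get <volume>" into a list of protector types.
# Requires an elevated PowerShell session (manage-bde needs admin rights).

function Get-BdeProtectorTypes {
    param([string]$MountPoint = 'C:')
    # manage-bde prints each protector as an indented "<Type>:" header line
    # immediately followed by an "ID: {GUID}" line; collect every such header.
    $lines = & manage-bde -protectors -get $MountPoint 2>&1 | ForEach-Object { "$_" }
    $types = @()
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match '^\s+(?<type>[^:]+):\s*$') {
            $type = $Matches['type'].Trim()
            if ($lines[$i + 1] -match '^\s+ID:\s*\{') { $types += $type }
        }
    }
    return $types
}

function Test-NetworkUnlockProtector {
    param([string]$MountPoint = 'C:')
    $types = Get-BdeProtectorTypes -MountPoint $MountPoint
    # Assumption: a Network Unlock protector is reported with "Network" in
    # its type name. Adjust the pattern if your manage-bde output differs.
    $hasNetwork = [bool]($types | Where-Object { $_ -match 'Network' })
    [pscustomobject]@{
        Volume            = $MountPoint
        ProtectorTypes    = ($types -join ', ')
        NetworkUnlock     = $hasNetwork
        # Without a network protector, the firmware NIC check is moot:
        # the volume will always prompt for the PIN at pre-boot.
        NextStep          = if ($hasNetwork) {
                                'Check UEFI settings: which NICs have the UEFI network stack enabled'
                            } else {
                                'No network protector; PIN prompt is expected regardless of NIC state'
                            }
    }
}

# Check the OS volume and any other BitLocker volumes in one pass.
# Note: Network Unlock only releases the OS volume protector at pre-boot.
'C:', 'D:' | ForEach-Object { Test-NetworkUnlockProtector -MountPoint $_ } |
    Format-List
```

A volume that is not BitLocker-protected simply yields an empty protector list, so the function reports NetworkUnlock as False for it.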