Forum Discussion

benlewis12
Copper Contributor
Feb 04, 2026

BitLocker Network Unlock Question

I set up network unlock for two servers in our network as a test for a future deployment of BitLocker. Both HPs. One is a DL360 Gen9 server with an aftermarket TPM, the other is a DL360 Gen11 with an onboard/HP TPM. Configured the first NIC on both boxes for DHCP. Just to test things, I unplugged NIC1 but kept NIC2 plugged in on the Gen11 server and rebooted. It prompted for a PIN on boot up (expected behavior).

Did the same test on the Gen9 server and it boots straight into the OS (unexpected behavior). As a further test, I kept NIC1 unplugged and then unplugged NIC2, rebooted and got prompted for a PIN (as expected, since the box was completely off the network).

Does anyone have any ideas why this is happening? Could it have something to do with the aftermarket TPM? From what I've read, network unlock requires the first NIC to be DHCP so it can communicate with the WDS server and allow network unlock to work. Could it be something with the NICs on the Gen9 server? I'm at a loss to explain this behavior. Hoping someone may have some insight.

TIA

1 Reply

  • Hello,

    This behaviour is expected and not related to the aftermarket TPM.

    BitLocker Network Unlock operates in UEFI pre-boot using a specific NIC that supports the Network Unlock stack. It does not use just any available network interface. It uses the adapter whose driver is exposed to the UEFI firmware and bound during BitLocker provisioning.

    On the Gen11 server, NIC1 is likely the adapter whose UEFI driver was used when Network Unlock was configured. When you unplug NIC1, no eligible pre-boot network interface is available, so BitLocker falls back to TPM plus PIN.

    On the Gen9 server, NIC2 is probably also UEFI capable and supported for Network Unlock. Even if NIC1 is unplugged, NIC2 still provides a valid pre-boot network path, so the protector is released and the OS boots without a PIN. When both NICs are unplugged, no DHCP response is possible and the PIN is required.

    Network Unlock decision flow is:

    1. TPM validates PCR
    2. UEFI network stack initialises supported NIC
    3. DHCP request sent
    4. WDS Network Unlock server responds with key protector
    5. VMK is unsealed

    If you want to understand which adapter BitLocker is actually relying on, start by checking the protectors configured on the volume.

    Run:

    manage-bde -protectors -get C:

    Look for a Network Unlock protector in the output. If it is present, the machine is capable of releasing the VMK over the network during pre-boot.

    After that, move to the firmware level. Open the server UEFI settings and review which NICs are enabled for the UEFI network stack or pre-boot network. Network Unlock only works with adapters that expose a UEFI driver and are available during early boot, not simply any NIC that works inside Windows.

    In short, confirm the protector exists at the BitLocker layer, then confirm the NIC is actually available at the firmware layer.

    Conclusion:

    This is a difference in UEFI NIC capability and firmware configuration between Gen9 and Gen11, not a TPM issue.
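The reply above suggests checking the protector at the BitLocker layer first and the NIC at the firmware layer second. The following PowerShell script, added here as an example and not part of the thread or of any Microsoft tooling, gathers the client-side inputs to that decision in one pass: firmware type, TPM state, the key protector types on the OS volume (a Network Unlock protector shows up as the TpmNetworkKey type, and the TpmPin type is the fallback the poster was prompted for), the certificate store that Network Unlock uses on the client, and the physical NICs with their link and DHCP state so you can map "NIC1/NIC2" to what Windows actually sees. The volume letter and the assumption that the Network Unlock certificate lives in the FVE_NKP store are assumptions of this example; whether a given adapter is usable in UEFI pre-boot still has to be checked in the server's firmware setup, which the script cannot query.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread). Inventories the client-side
# inputs to a BitLocker Network Unlock decision on one host.
# Assumptions not stated in the thread: the OS volume letter, and that the
# client-side Network Unlock certificate is held in the FVE_NKP store.
param(
    [string]$MountPoint = 'C:'
)

$report = [ordered]@{}

# 1. Network Unlock is a UEFI-only feature; 'Legacy' rules it out outright.
$report.FirmwareType = $env:firmware_type

# 2. TPM state (Get-Tpm comes from the TrustedPlatformModule module).
$tpm = Get-Tpm
$report.TpmPresent = $tpm.TpmPresent
$report.TpmReady   = $tpm.TpmReady

# 3. BitLocker protectors on the OS volume. TpmNetworkKey is the Network
#    Unlock protector; TpmPin is the protector used when no network path exists.
$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
$report.ProtectionStatus  = $vol.ProtectionStatus
$report.KeyProtectorTypes = ($types -join ', ')
$report.HasNetworkUnlock  = [bool]($types -contains 'TpmNetworkKey')
$report.HasTpmPinFallback = [bool]($types -contains 'TpmPin')

# 4. Client-side Network Unlock certificate (assumed store name: FVE_NKP).
$nkp = Get-ChildItem -Path 'Cert:\LocalMachine\FVE_NKP' -ErrorAction SilentlyContinue
$report.NetworkUnlockCerts = @($nkp | ForEach-Object { $_.Subject }) -join '; '

# 5. Physical NICs with link and DHCP state. The firmware decides which of
#    these are usable pre-boot; this view tells you which one you unplugged.
$report.Nics = @(Get-NetAdapter -Physical | Sort-Object ifIndex | ForEach-Object {
    $ipif = Get-NetIPInterface -InterfaceIndex $_.ifIndex -AddressFamily IPv4 `
                -ErrorAction SilentlyContinue
    '{0} [{1}] link={2} dhcp={3} mac={4}' -f $_.Name, $_.InterfaceDescription,
        $_.Status, $ipif.Dhcp, $_.MacAddress
})

[pscustomobject]$report | Format-List

# Interpretation of the inventory in terms of the fallback the poster observed.
if ($report.FirmwareType -ne 'UEFI') {
    Write-Warning "Firmware type is $($report.FirmwareType); Network Unlock requires UEFI."
}
if (-not $report.HasNetworkUnlock) {
    Write-Warning "No TpmNetworkKey protector on $MountPoint; NIC state is irrelevant, this host cannot unlock over the network."
}
elseif (-not $report.HasTpmPinFallback) {
    Write-Warning "No TpmPin protector; if the pre-boot DHCP exchange fails there is no PIN fallback and the host will need the recovery password."
}
else {
    $up = @($report.Nics | Where-Object { $_ -match 'link=Up' }).Count
    Write-Host ("{0} physical NIC(s) currently linked; repeat the unplug test per NIC and confirm " +
                "in UEFI setup which of them has the network stack enabled.") -f $up
}
```

Run it on both servers before and after unplugging each NIC: if both report a TpmNetworkKey protector and UEFI firmware, the remaining difference is which adapters the firmware initialises during pre-boot, which is exactly the Gen9 versus Gen11 difference the reply points at.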