I set up BitLocker on a 2012R2 VM. I am able to get into it with BitLocker keys stored on a second FAT32 partition on the server. I created a certificate and tried to set up Network Unlock, but it does not work if I remove the keys from the FAT32 drive. Is Network Unlock possible with a VM with no TPM?
BitLocker Network Unlock with a VM
Hey Ralph,
Great question, hopefully this will help. When it comes to Network Unlock, it requires a TPM, as the Network Unlock key is stored in the TPM. You can think of it as BitLocker being implemented with the TPM+Startup Key protectors. This requires the user to have the USB startup key plugged into the PC at boot time. The USB startup key is read and then unlocked with the presence of a valid TPM (and OCR profile, which is stored in the TPM). Instead of having to be present to have the USB key read, the Network Unlock key is stored in the TPM, and an encrypted network key is sent to the server, decrypted, and returned to the user over a secured session. If Network Unlock fails, then the next configured authentication method (protector) is attempted, which is typically TPM+PIN. I hope this helps.
Best Regards,
Wes Bryan

Knowledge is a road to be traveled upon, not a destination to be reached
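A quick way to check the point Wes makes (no TPM means no Network Unlock, and BitLocker falls back to whatever other protectors exist) is to inspect the TPM state and the OS volume's protector list from PowerShell. This is an added diagnostic, not code from the thread; it assumes the built-in TrustedPlatformModule and BitLocker modules (Windows 8 / Server 2012 and later) and an elevated session.

```powershell
# Added example (not from the original thread): report whether this host
# could use BitLocker Network Unlock at all, and which protectors remain
# as fallbacks. Assumes Get-Tpm and Get-BitLockerVolume are available.

function Test-NetworkUnlockReadiness {
    param([string]$MountPoint = $env:SystemDrive)

    # Network Unlock keeps its key in the TPM, so without a present and
    # ready TPM the protector can never be used. On a VM with no TPM,
    # Get-Tpm may report TpmPresent = $false or fail outright.
    $tpmPresent = $false
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $tpmPresent = [bool]$tpm.TpmPresent -and [bool]$tpm.TpmReady
    } catch {
        $tpmPresent = $false
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Every TPM-bound protector type (Tpm, TpmPin, TpmStartupKey, ...) is
    # unusable without a TPM; the rest (ExternalKey = USB startup key,
    # RecoveryPassword, Password) are what the volume will actually fall back to.
    $tpmBound  = @($protectors | Where-Object { $_ -like 'Tpm*' })
    $fallbacks = @($protectors | Where-Object { $_ -notlike 'Tpm*' })

    [pscustomobject]@{
        MountPoint          = $MountPoint
        TpmPresentAndReady  = $tpmPresent
        NetworkUnlockViable = $tpmPresent
        TpmBoundProtectors  = $tpmBound
        FallbackProtectors  = $fallbacks
        ProtectionStatus    = $vol.ProtectionStatus
    }
}

Test-NetworkUnlockReadiness | Format-List
```

If NetworkUnlockViable is False and FallbackProtectors contains only ExternalKey, the volume depends entirely on that startup key being reachable at boot, which is exactly the behaviour the question describes.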